diff --git a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
index f451d15db..ecfbbc139 100644
--- a/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
+++ b/tests/linux/2021.XMR-Stak/1b1a56.elf.simple
@@ -1,6 +1,7 @@
 # linux/2021.XMR-Stak/1b1a56.elf: critical
 3P/TTC-CERT/kittipongk_cryptominer_xmr: high
 3P/elastic/cryptominer_stak: critical
+3P/sekoia/miner_lin_xmrig: critical
 c2/addr/http_dynamic: medium
 c2/addr/ip: medium
 c2/addr/url: low
diff --git a/tests/linux/2022.bpfdoor/bpfdoor_1.simple b/tests/linux/2022.bpfdoor/bpfdoor_1.simple
index 32a1b647d..db6f48346 100644
--- a/tests/linux/2022.bpfdoor/bpfdoor_1.simple
+++ b/tests/linux/2022.bpfdoor/bpfdoor_1.simple
@@ -1,5 +1,6 @@
 # linux/2022.bpfdoor/bpfdoor_1: critical
 3P/elastic/bpfdoor: critical
+3P/sekoia/backdoor_lin_bpfdoor: critical
 3P/sig_base/redmenshen_bpfdoor: critical
 data/random/insecure: low
 exec/program: medium
diff --git a/tests/linux/2024.Gelsemium/dbus.simple b/tests/linux/2024.Gelsemium/dbus.simple
index fb6afb772..ec3c9c48d 100644
--- a/tests/linux/2024.Gelsemium/dbus.simple
+++ b/tests/linux/2024.Gelsemium/dbus.simple
@@ -1,4 +1,5 @@
 # linux/2024.Gelsemium/dbus: critical
+3P/sekoia/gelsemium_firewood_backdoor: critical
 anti-static/elf/multiple: medium
 crypto/decrypt: low
 crypto/encrypt: medium
diff --git a/tests/linux/2024.Gelsemium/kde.simple b/tests/linux/2024.Gelsemium/kde.simple
index f282e2770..c1529ab37 100644
--- a/tests/linux/2024.Gelsemium/kde.simple
+++ b/tests/linux/2024.Gelsemium/kde.simple
@@ -1,4 +1,5 @@
 # linux/2024.Gelsemium/kde: critical
+3P/sekoia/gelsemium_wolfsbane_launcher: critical
 crypto/rc4: low
 discover/process/name: medium
 evasion/file/location/dev_shm: high
diff --git a/tests/linux/2024.Gelsemium/libselinux.so.simple b/tests/linux/2024.Gelsemium/libselinux.so.simple
index e8a77072b..4bbd4dfba 100644
--- a/tests/linux/2024.Gelsemium/libselinux.so.simple
+++ b/tests/linux/2024.Gelsemium/libselinux.so.simple
@@ -1,4 +1,5 @@
 # linux/2024.Gelsemium/libselinux.so: critical
+3P/sekoia/gelsemium_wolfsbane_rootkit: critical
 anti-static/obfuscation/hidden_literals: medium
 anti-static/xor/commands: high
 anti-static/xor/paths: high
diff --git a/tests/linux/2024.Gelsemium/udevd.simple b/tests/linux/2024.Gelsemium/udevd.simple
index 8b0c60d66..ca089e038 100644
--- a/tests/linux/2024.Gelsemium/udevd.simple
+++ b/tests/linux/2024.Gelsemium/udevd.simple
@@ -1,4 +1,5 @@
 # linux/2024.Gelsemium/udevd: critical
+3P/sekoia/gelsemium_wolfsbane_backdoor: critical
 anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
diff --git a/tests/linux/2024.Gelsemium/udevd_multi.simple b/tests/linux/2024.Gelsemium/udevd_multi.simple
index 44a47ae05..59749f6a3 100644
--- a/tests/linux/2024.Gelsemium/udevd_multi.simple
+++ b/tests/linux/2024.Gelsemium/udevd_multi.simple
@@ -1,4 +1,5 @@
 # linux/2024.Gelsemium/udevd_multi: critical
+3P/sekoia/gelsemium_wolfsbane_backdoor: critical
 anti-static/elf/multiple: medium
 c2/addr/ip: medium
 c2/addr/url: low
diff --git a/tests/linux/2024.chisel/crondx.simple b/tests/linux/2024.chisel/crondx.simple
index 6e2646fb4..40bfdc504 100644
--- a/tests/linux/2024.chisel/crondx.simple
+++ b/tests/linux/2024.chisel/crondx.simple
@@ -1,4 +1,5 @@
 # linux/2024.chisel/crondx: critical
+3P/sekoia/chisel_strings: critical
 c2/addr/ip: high
 c2/addr/url: low
 c2/tool_transfer/arch: low
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff
index 00f6b179e..19dde72ff 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff and b/tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff differ
diff --git a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff
index 6a76d5292..1a670ea08 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff and b/tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff differ
diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple
index 25fc2cb5d..ed33bcce6 100644
--- a/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple
+++ b/tests/macOS/2023.3CX/libffmpeg.dirty.dylib.simple
@@ -1,6 +1,9 @@
 # macOS/2023.3CX/libffmpeg.dirty.dylib: critical
+3P/sekoia/downloader_smooth_operator: critical
 3P/sig_base/3cxdesktopapp_backdoor: critical
 3P/sig_base/nk_3cx_dylib: critical
+3P/sig_base/susp_xored_mozilla: critical
+3P/volexity/iconic: critical
 anti-static/xor/user_agent: critical
 c2/addr/url: low
 c2/tool_transfer/arch: low
diff --git a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff
index 6a76d5292..1a670ea08 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff and b/tests/macOS/2023.3CX/libffmpeg.dirty.mdiff differ
diff --git a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff
index 6a76d5292..1a670ea08 100644
Binary files a/tests/macOS/2023.3CX/libffmpeg.increase.mdiff and b/tests/macOS/2023.3CX/libffmpeg.increase.mdiff differ
diff --git a/third_party/yara/YARAForge/RELEASE b/third_party/yara/YARAForge/RELEASE
index 6f2cf7ace..8f5ae44e8 100644
--- a/third_party/yara/YARAForge/RELEASE
+++ b/third_party/yara/YARAForge/RELEASE
@@ -1 +1 @@
-20241222
+20241223
diff --git a/third_party/yara/YARAForge/yara-rules-full.yar b/third_party/yara/YARAForge/yara-rules-full.yar
index da678bb34..1b626e0f9 100644
--- a/third_party/yara/YARAForge/yara-rules-full.yar
+++ b/third_party/yara/YARAForge/yara-rules-full.yar
@@ -12,15 +12,15 @@
 * Force Exclude Importance Level: 0
 * Minimum Age (in days): 0
 * Minimum Score: 40
- * Creation Date: 2024-12-22
- * Number of Rules: 12313
- * Skipped: 0 (age), 222 (quality), 7 (score), 0 (importance)
+ * Creation Date: 2024-12-23
+ * Number of Rules: 13071
+ * Skipped: 0 (age), 226 (quality), 7 (score), 0 (importance)
 */
 /*
 * YARA Rule Set
 * Repository Name: ReversingLabs
 * Repository: https://github.com/reversinglabs/reversinglabs-yara-rules/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 9bcb61c86aa4583e393269828225349a81ea08a4
 * Number of Rules: 1218
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -55,13 +55,13 @@ rule REVERSINGLABS_Win32_Exploit_CVE20200601 : TC_DETECTION MALICIOUS EXPLOIT CV
 meta:
 description = "Yara rule that detects CVE-2020-0601 exploit."
 author = "ReversingLabs"
- id = "c97026c5-0147-569b-a369-8eaa747f213f"
+ id = "6a03fd5e-3b7f-5b71-b897-5cac81721a56"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/exploit/Win32.Exploit.CVE20200601.yara#L3-L253"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e4d915560ad72e0fde63276f9ffece00535c7983125efaa8298adc11d5e54817"
+ logic_hash = "e4d915560ad72e0fde63276f9ffece00535c7983125efaa8298adc11d5e54817"
 score = 75
 quality = 88
 tags = "TC_DETECTION, MALICIOUS, EXPLOIT, CVE-2020-0601, FILE"
@@ -281,13 +281,13 @@ rule REVERSINGLABS_Linux_Backdoor_GTPDOOR : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects GTPDOOR backdoor."
 author = "ReversingLabs"
- id = "4c2a886c-7a59-5e99-972f-8513d229f4d9"
+ id = "9e6df856-fe54-504c-8530-321adc91cd5a"
 date = "2024-09-10"
 modified = "2024-09-10"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.GTPDOOR.yara#L1-L264"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b7b4b33b7838142e34c6d02260b6585305c4730c90e12b1adc099f9aeecf071a"
+ logic_hash = "b7b4b33b7838142e34c6d02260b6585305c4730c90e12b1adc099f9aeecf071a"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -511,13 +511,13 @@ rule REVERSINGLABS_Win64_Backdoor_Voldemort : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Voldemort backdoor."
 author = "ReversingLabs"
- id = "6c681727-7dd8-5780-9545-0750a5163bb1"
+ id = "d770bd79-5141-50a0-8cf7-bca1cf5f23e1"
 date = "2024-10-09"
 modified = "2024-10-09"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.Voldemort.yara#L1-L208"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1fe2abe17436d2965e34d1f10223af50d9600809fdef234e7d89c74fa33228a9"
+ logic_hash = "1fe2abe17436d2965e34d1f10223af50d9600809fdef234e7d89c74fa33228a9"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -700,13 +700,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Njrat : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects NjRAT backdoor."
 author = "ReversingLabs"
- id = "28f657a1-3290-599f-b2fc-677f07520873"
+ id = "578c813f-4bba-52cd-bcc7-4de2c3943cf7"
 date = "2024-07-31"
 modified = "2024-07-31"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.NjRAT.yara#L1-L266"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_eeecf90965e6952d8b9efc9d1e96eaa47709b1d69fc7d435f4aebaaf0191f317"
+ logic_hash = "eeecf90965e6952d8b9efc9d1e96eaa47709b1d69fc7d435f4aebaaf0191f317"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -930,13 +930,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Agentracoon : TC_DETECTION MALICIOUS M
 meta:
 description = "Yara rule that detects AgentRacoon backdoor."
 author = "ReversingLabs"
- id = "f8b49ced-5a19-5837-b446-b6934e4ff6df"
+ id = "ad74d530-ffbd-589f-b941-3a5d9ec737b6"
 date = "2023-12-15"
 modified = "2023-12-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.AgentRacoon.yara#L1-L128"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3ba73f19f59c2e5880df820c52f16997047d7299eb14d421ae2ed8f3790bcfe9"
+ logic_hash = "3ba73f19f59c2e5880df820c52f16997047d7299eb14d421ae2ed8f3790bcfe9"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1043,13 +1043,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Limerat : TC_DETECTION MALICIOUS MALWA
 meta:
 description = "Yara rule that detects LimeRAT backdoor."
 author = "ReversingLabs"
- id = "7d124765-4fef-5f39-920c-447302378ff8"
+ id = "c2ef6f27-3fb8-55f4-97a6-9e25a3d1ce49"
 date = "2024-03-04"
 modified = "2024-03-04"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.LimeRAT.yara#L1-L91"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_03eaa2ac41950f036601222b32a28c03aae3b3445501e988e2f87e231a1a1522"
+ logic_hash = "03eaa2ac41950f036601222b32a28c03aae3b3445501e988e2f87e231a1a1522"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1123,13 +1123,13 @@ rule REVERSINGLABS_Win32_Backdoor_Konni : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Konni backdoor."
 author = "ReversingLabs"
- id = "3adee6b6-f4a2-56fb-9de9-07b61006faa9"
+ id = "6fe230b1-357a-54f7-a9a8-15d0369fec71"
 date = "2023-12-07"
 modified = "2023-12-07"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win32.Backdoor.Konni.yara#L1-L190"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7907a657d804d485718ba13bb23513de0b909e7d455c2b3ee193b5329edd3ac6"
+ logic_hash = "7907a657d804d485718ba13bb23513de0b909e7d455c2b3ee193b5329edd3ac6"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1298,13 +1298,13 @@ rule REVERSINGLABS_Win64_Backdoor_Sidetwist : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects SideTwist backdoor."
 author = "ReversingLabs"
- id = "37766cd5-d063-5994-b1ca-fe511e60d4db"
+ id = "979b442e-8739-54a8-b486-39fc5673791e"
 date = "2024-03-18"
 modified = "2024-03-18"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.SideTwist.yara#L1-L154"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_811fa73ede59493c71435743848a3fce3a1604ec4065ffcb0b43e9715dfa5c31"
+ logic_hash = "811fa73ede59493c71435743848a3fce3a1604ec4065ffcb0b43e9715dfa5c31"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1433,13 +1433,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Orcusrat : TC_DETECTION MALICIOUS MALW
 meta:
 description = "Yara rule that detects OrcusRAT backdoor."
 author = "ReversingLabs"
- id = "2045e507-5dd2-5b84-babb-ed28fc3993fc"
+ id = "d4700cd1-73a4-552d-bc27-7408508a28e7"
 date = "2024-09-10"
 modified = "2024-09-10"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.OrcusRAT.yara#L1-L134"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_17a85613e9e4c862ce81fee49065c250381dbf8a50cf07d496f5fd2c1b82d92e"
+ logic_hash = "17a85613e9e4c862ce81fee49065c250381dbf8a50cf07d496f5fd2c1b82d92e"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1550,13 +1550,13 @@ rule REVERSINGLABS_Win32_Backdoor_Minodo : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Minodo backdoor."
 author = "ReversingLabs"
- id = "c215948c-79af-5f96-b975-0d3dcf304fad"
+ id = "0eeff863-1a46-5b25-8780-5cd887e3b1e2"
 date = "2023-06-07"
 modified = "2023-06-07"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.Minodo.yara#L1-L110"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_807408699fe00c8d1170598050e533dd0d79bb170f2538b6b6227cda7410060b"
+ logic_hash = "807408699fe00c8d1170598050e533dd0d79bb170f2538b6b6227cda7410060b"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1646,13 +1646,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Asyncrat : TC_DETECTION MALICIOUS MALW
 meta:
 description = "Yara rule that detects AsyncRAT backdoor."
 author = "ReversingLabs"
- id = "80672778-cc1f-5bd5-a997-0ab67ac3dece"
+ id = "78ff36e1-1620-50f4-8abd-adcf8b1242da"
 date = "2024-05-22"
 modified = "2024-05-22"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.AsyncRAT.yara#L1-L149"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_53a13975cd53b571910f951adc44707c11b86c003eeb7b88dbe701253645ac89"
+ logic_hash = "53a13975cd53b571910f951adc44707c11b86c003eeb7b88dbe701253645ac89"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1770,13 +1770,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Backdoor_Menorah : TC_DETECTION MALICIOUS MALWA
 meta:
 description = "Yara rule that detects Menorah backdoor."
 author = "ReversingLabs"
- id = "97f0b6c1-baa3-5d5b-8475-79ab46b109dc"
+ id = "4f13a6c6-bd97-58aa-ac3b-399866b5c63b"
 date = "2024-05-10"
 modified = "2024-05-10"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/ByteCode.MSIL.Backdoor.Menorah.yara#L1-L169"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_770aefca192ceb3a778c0b1259105ace8e64cb35d0c34acb15c45fb6f22ad94b"
+ logic_hash = "770aefca192ceb3a778c0b1259105ace8e64cb35d0c34acb15c45fb6f22ad94b"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -1929,13 +1929,13 @@ rule REVERSINGLABS_Linux_Backdoor_Krasue : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Krasue backdoor."
 author = "ReversingLabs"
- id = "06135c47-e3d8-5599-9c74-f7958e82f445"
+ id = "3187eebf-ef70-585f-85cf-5813025c785e"
 date = "2024-03-04"
 modified = "2024-03-04"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.Krasue.yara#L1-L127"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e2daa35ef9e0793062c9fb3bd8e4838e1e81ee3d228d8117b1c3b0e72eb8e151"
+ logic_hash = "e2daa35ef9e0793062c9fb3bd8e4838e1e81ee3d228d8117b1c3b0e72eb8e151"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -2040,13 +2040,13 @@ rule REVERSINGLABS_Linux_Trojan_Chinaz : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects ChinaZ trojan."
 author = "ReversingLabs"
- id = "bb31f71d-f8e7-57fb-b745-e7f727a9b6a8"
+ id = "f99c224b-db54-5cae-b5fb-8939ebee3250"
 date = "2024-07-31"
 modified = "2024-07-31"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Trojan.ChinaZ.yara#L1-L246"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d8d08f4f3f36ecc7b219b6b1aae3c76d26e8fb3a44444763929190c6124532ff"
+ logic_hash = "d8d08f4f3f36ecc7b219b6b1aae3c76d26e8fb3a44444763929190c6124532ff"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -2250,13 +2250,13 @@ rule REVERSINGLABS_Linux_Backdoor_Noodrat : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects NoodRAT backdoor."
 author = "ReversingLabs"
- id = "8a2bded9-1c95-584d-ab0a-f654373db615"
+ id = "ac5eae27-dc42-5060-b639-c23c0bbabb50"
 date = "2024-08-26"
 modified = "2024-08-26"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.NoodRAT.yara#L1-L162"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2ec4a8ba7428054edb4dcdb6a00015b9758badf515f2c210bb946ba5402674d2"
+ logic_hash = "2ec4a8ba7428054edb4dcdb6a00015b9758badf515f2c210bb946ba5402674d2"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -2397,13 +2397,13 @@ rule REVERSINGLABS_Win64_Backdoor_Konni : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Konni backdoor."
 author = "ReversingLabs"
- id = "4e42748c-63d0-504f-8200-0e2956842dbe"
+ id = "c45c23c6-be15-58cc-ae4d-631bed4a3bb2"
 date = "2023-12-07"
 modified = "2023-12-07"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Win64.Backdoor.Konni.yara#L1-L205"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_37c45e3ed23ca9f4de876f666c9f6d9bf7eee5cb1650b02cdd9f58e2ccc4b5cb"
+ logic_hash = "37c45e3ed23ca9f4de876f666c9f6d9bf7eee5cb1650b02cdd9f58e2ccc4b5cb"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -2586,13 +2586,13 @@ rule REVERSINGLABS_Linux_Backdoor_Linodas : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Linodas backdoor."
 author = "ReversingLabs"
- id = "59e8249b-b374-596c-aebb-6f77f2bf5ca5"
+ id = "2b197346-abce-5cff-938f-bb8742e03168"
 date = "2024-05-22"
 modified = "2024-05-22"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/backdoor/Linux.Backdoor.Linodas.yara#L1-L216"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_12445771106e36b74b1ea292a8a25cab66bcaf0a08cf88d39a9f1bb13c6f525b"
+ logic_hash = "12445771106e36b74b1ea292a8a25cab66bcaf0a08cf88d39a9f1bb13c6f525b"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -2767,13 +2767,13 @@ rule REVERSINGLABS_Win32_Downloader_Dlmarlboro : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects dlMarlboro downloader."
 author = "ReversingLabs"
- id = "cb634c2d-9bd2-5d9e-9a94-084c1b958fef"
+ id = "4c99b5a4-dc6b-579b-b1bd-bd4c93c6e68c"
 date = "2020-07-23"
 modified = "2020-07-23"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/downloader/Win32.Downloader.dlMarlboro.yara#L1-L79"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_465a3b3a9686889001ac0b929d0349e44b6015eaeed3386361366def5013164a"
+ logic_hash = "465a3b3a9686889001ac0b929d0349e44b6015eaeed3386361366def5013164a"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -2849,13 +2849,13 @@ rule REVERSINGLABS_Win32_PUA_Domaiq : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Domaiq potentially unwanted application."
 author = "ReversingLabs"
- id = "b4a275a4-b66e-55fe-88ac-08bcaaaddb53"
+ id = "44129e4b-7dc2-5af0-b466-80dc4f4d6388"
 date = "2020-07-28"
 modified = "2020-07-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/pua/Win32.PUA.Domaiq.yara#L1-L169"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e291a639aa027a2257eec2853e40a222afabf23b32898326a1d5b48be823202c"
+ logic_hash = "e291a639aa027a2257eec2853e40a222afabf23b32898326a1d5b48be823202c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -2993,13 +2993,13 @@ rule REVERSINGLABS_Win32_Trojan_Trickbot : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects TrickBot trojan."
 author = "ReversingLabs"
- id = "3e2397ba-02cf-509f-8767-397770d07585"
+ id = "4ed253cc-0398-542b-a2b7-c42a0b9431fb"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.TrickBot.yara#L1-L46"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e10f16c70f1ff7cf11d3e25f06e4c5d9e20c51688582d2b51322f768a8e06d7e"
+ logic_hash = "e10f16c70f1ff7cf11d3e25f06e4c5d9e20c51688582d2b51322f768a8e06d7e"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3037,13 +3037,13 @@ rule REVERSINGLABS_Linux_Trojan_Bibiwiper : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects BiBiWiper trojan."
 author = "ReversingLabs"
- id = "02f6df69-b20d-5341-af11-78bcb31d3412"
+ id = "c370dde0-71ff-5832-b131-6d61beb02b9b"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Linux.Trojan.BiBiWiper.yara#L1-L76"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8f290141d5da660463dede6df571d774448e136e2993a0a4c706245464e1239e"
+ logic_hash = "8f290141d5da660463dede6df571d774448e136e2993a0a4c706245464e1239e"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3113,13 +3113,13 @@ rule REVERSINGLABS_Win32_Trojan_Emotet : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Emotet trojan."
 author = "ReversingLabs"
- id = "7b53dbaf-9563-5400-ad3f-9f4fd82ba3fb"
+ id = "9742743d-753a-582b-9701-7278c8ed0e4e"
 date = "2021-11-16"
 modified = "2021-11-16"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.Emotet.yara#L1-L182"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_747d603c9849a66782c95050a4a634ffdb4ce2882adcfc5d63e1f1ea1651b25e"
+ logic_hash = "747d603c9849a66782c95050a4a634ffdb4ce2882adcfc5d63e1f1ea1651b25e"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3259,13 +3259,13 @@ rule REVERSINGLABS_Win32_Trojan_Dridex : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Dridex trojan."
 author = "ReversingLabs"
- id = "bab5036c-68a3-5fb5-a48d-e0d065eb69a0"
+ id = "bc68aca1-69e6-57e6-9277-70c89fda1e5d"
 date = "2020-09-16"
 modified = "2020-09-16"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.Dridex.yara#L1-L80"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7eddc8f33846dfb61302b7d7fddd8dec59a1bde05b14135c14131a02e2c19600"
+ logic_hash = "7eddc8f33846dfb61302b7d7fddd8dec59a1bde05b14135c14131a02e2c19600"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3332,13 +3332,13 @@ rule REVERSINGLABS_Linux_Trojan_Acidrain : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects AcidRain trojan."
 author = "ReversingLabs"
- id = "2b4638c1-6d93-5513-8063-80efe3c43815"
+ id = "802c7eb7-d407-5b07-a6b4-4648d3ad80e9"
 date = "2024-05-10"
 modified = "2024-05-10"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Linux.Trojan.AcidRain.yara#L1-L67"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5b47a0de8bda09d217f8a148e561f3da7ce4945f011f4a9b5dbbca88157d3080"
+ logic_hash = "5b47a0de8bda09d217f8a148e561f3da7ce4945f011f4a9b5dbbca88157d3080"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3393,13 +3393,13 @@ rule REVERSINGLABS_Win32_Trojan_Isaacwiper : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects IsaacWiper trojan."
 author = "ReversingLabs"
- id = "d4b32bc7-dc28-5977-8620-688cfb1202ff"
+ id = "c0924e5e-a942-57a3-a9f9-e6be6efa4c73"
 date = "2022-03-02"
 modified = "2022-03-02"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.IsaacWiper.yara#L1-L76"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c9fa43f44c33816a66f61255d101294da63df1afc5a27ed5817072040cd1eec5"
+ logic_hash = "c9fa43f44c33816a66f61255d101294da63df1afc5a27ed5817072040cd1eec5"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3471,13 +3471,13 @@ rule REVERSINGLABS_Win32_Trojan_Bibiwiper : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects BiBiWiper trojan."
 author = "ReversingLabs"
- id = "98a2bc59-6e22-54bb-979f-0f5b10790580"
+ id = "8462ceb8-ec54-5f92-a3e7-c96e52647ca7"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.BiBiWiper.yara#L1-L102"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d75954c05a8f82ad90a4adf6a2a3748928488ddebe40d8f8a790bfcde0b02a11"
+ logic_hash = "d75954c05a8f82ad90a4adf6a2a3748928488ddebe40d8f8a790bfcde0b02a11"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3569,13 +3569,13 @@ rule REVERSINGLABS_Win32_Trojan_Hermeticwiper : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects HermeticWiper trojan."
 author = "ReversingLabs"
- id = "167e4cda-7bb8-565e-99ec-b82d3e9f10d9"
+ id = "252dfb3d-9d4e-51a4-80c9-64e17922d997"
 date = "2022-02-24"
 modified = "2022-02-24"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.HermeticWiper.yara#L1-L50"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0fa519ce8285ffe4e49c2a301e8a0fd0516a05dc6b41ee0b010fdc76dd6e195e"
+ logic_hash = "0fa519ce8285ffe4e49c2a301e8a0fd0516a05dc6b41ee0b010fdc76dd6e195e"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3622,13 +3622,13 @@ rule REVERSINGLABS_Win32_Trojan_Caddywiper : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects CaddyWiper trojan."
 author = "ReversingLabs"
- id = "4d605eea-b7d0-5095-91e6-f29b42720522"
+ id = "ad437f29-4ad8-5a88-a0b6-03de55e7375f"
 date = "2022-03-15"
 modified = "2022-03-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/trojan/Win32.Trojan.CaddyWiper.yara#L1-L95"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_178ff4171c09866f6b303bdff234beff1116d268995ee4dc236332e472d645b1"
+ logic_hash = "178ff4171c09866f6b303bdff234beff1116d268995ee4dc236332e472d645b1"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3709,13 +3709,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dualshot : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Dualshot ransomware."
 author = "ReversingLabs"
- id = "1c060c6b-b231-538e-b103-143b53b53276"
+ id = "17828c85-0f1b-581b-842a-24e6f26e0b4d"
 date = "2020-11-20"
 modified = "2020-11-20"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Dualshot.yara#L1-L112"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a401369357901f42ad83227b025d3b14b3acd1f50705da82afbe8e4f85501919"
+ logic_hash = "a401369357901f42ad83227b025d3b14b3acd1f50705da82afbe8e4f85501919"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -3813,13 +3813,13 @@ rule REVERSINGLABS_Win64_Ransomware_Seedlocker : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects SeedLocker ransomware." author = "ReversingLabs" - id = "afdf575a-4c54-5e6d-adbe-34f8168db3c2" + id = "efa3dd2e-faf4-5882-aef8-85189e65f0f9" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.SeedLocker.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a478efcfb03e3eeebe72d9a71629456cf061c3c779fbdde99539854caf8c7c33" + logic_hash = "a478efcfb03e3eeebe72d9a71629456cf061c3c779fbdde99539854caf8c7c33" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -3906,13 +3906,13 @@ rule REVERSINGLABS_Win32_Ransomware_Hentaioniichan : TC_DETECTION MALICIOUS MALW meta: description = "Yara rule that detects Hentai Oniichan ransomware." author = "ReversingLabs" - id = "963df5fd-ffe0-5a40-aa44-90ade5e7ff5b" + id = "cd5e916f-7195-5bb6-abff-b08231053f9a" date = "2021-03-05" modified = "2021-03-05" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HentaiOniichan.yara#L1-L140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_153526e5a2f05bc8e3f77d83eefce6b4cd962ea093b6f1c0ab8fcabe8d8a7ad9" + logic_hash = "153526e5a2f05bc8e3f77d83eefce6b4cd962ea093b6f1c0ab8fcabe8d8a7ad9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4034,13 +4034,13 @@ rule REVERSINGLABS_Win32_Ransomware_Knot : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Knot ransomware." author = "ReversingLabs" - id = "da7ae347-ceaf-5150-bf77-2457dd40d52e" + id = "4dfe9da5-7ab1-57dc-95fc-b05777f235b8" date = "2021-03-19" modified = "2021-03-19" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Knot.yara#L1-L118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a7a3e13139d68314e583ec225a5d56373a551e67d46984dcf9a228a1f7275f14" + logic_hash = "a7a3e13139d68314e583ec225a5d56373a551e67d46984dcf9a228a1f7275f14" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -4144,13 +4144,13 @@ rule REVERSINGLABS_Win32_Ransomware_Serpent : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects Serpent ransomware." author = "ReversingLabs" - id = "b421570c-73d7-5754-8ebc-62e66a8200ae" + id = "0757ad7c-b2b1-5323-960a-55ffe3eaed12" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Serpent.yara#L1-L122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5e1917e8d23a5edc65ac423f3d18cc78c3848bd6c1ccc67d052eb37172857081" + logic_hash = "5e1917e8d23a5edc65ac423f3d18cc78c3848bd6c1ccc67d052eb37172857081" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4268,13 +4268,13 @@ rule REVERSINGLABS_Win64_Ransomware_Rook : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Rook ransomware." author = "ReversingLabs" - id = "f0d22841-c3e0-54ec-9a32-b9ad96717fd2" + id = "60bbfd57-18bb-58b3-9abc-ab30943bbddd" date = "2022-01-17" modified = "2022-01-17" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Rook.yara#L1-L122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dc8b37e55b634de52855dd851dbaaf3e690adfb2e875d0e0c9ef5f4846c6ff30" + logic_hash = "dc8b37e55b634de52855dd851dbaaf3e690adfb2e875d0e0c9ef5f4846c6ff30" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -4378,13 +4378,13 @@ rule REVERSINGLABS_Win32_Ransomware_Farattack : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects FarAttack ransomware." author = "ReversingLabs" - id = "0d886f84-d417-5c45-b279-2c677d98fcae" + id = "7ee7121a-4ca2-513c-96dc-53b5c48d719f" date = "2022-06-21" modified = "2022-06-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FarAttack.yara#L1-L93" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_af22b8110c2b545f083b443c7a1fa7e7639324e9188eefadfe1fe70ebb1bb7fb" + logic_hash = "af22b8110c2b545f083b443c7a1fa7e7639324e9188eefadfe1fe70ebb1bb7fb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4464,13 +4464,13 @@ rule REVERSINGLABS_Win32_Ransomware_Winword64 : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects WinWord64 ransomware." author = "ReversingLabs" - id = "626128d7-7a36-5d82-aa87-b46f525a68dc" + id = "a5f7967d-58f4-5fdd-b67f-5f5dbfec0f4b" date = "2021-02-11" modified = "2021-02-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WinWord64.yara#L1-L215" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_73d8c4f1b3bed365320b26332f1f1b49404d8e6536f3e25042f5f64e5bc09bd4" + logic_hash = "73d8c4f1b3bed365320b26332f1f1b49404d8e6536f3e25042f5f64e5bc09bd4" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -4666,13 +4666,13 @@ rule REVERSINGLABS_Win32_Ransomware_Princesslocker : TC_DETECTION MALICIOUS MALW meta: description = "Yara rule that detects PrincessLocker ransomware." author = "ReversingLabs" - id = "765d0f55-b40f-57cd-8441-23e3079c8cff" + id = "b76ef137-aa0b-5fd3-9876-2459cb6535ff" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.PrincessLocker.yara#L1-L92" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5be4ca3bd0b0afed1d2f3a59e2951d74a8de94c5a4d5a2c6cc29add49eab9ec0" + logic_hash = "5be4ca3bd0b0afed1d2f3a59e2951d74a8de94c5a4d5a2c6cc29add49eab9ec0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4761,13 +4761,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ouroboros : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects Ouroboros ransomware." author = "ReversingLabs" - id = "b1396afd-627a-5a77-b461-fa9705b69cb2" + id = "af0b9311-a7dd-56e8-a004-0828af5af5ef" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ouroboros.yara#L1-L175" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b573f303318452010ff46f21a02b6290820f9a27bf4c51b72f6ed15263b5f433" + logic_hash = "b573f303318452010ff46f21a02b6290820f9a27bf4c51b72f6ed15263b5f433" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -4920,13 +4920,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Cring : TC_DETECTION MALICIOUS MALWA meta: description = "Yara rule that detects Cring ransomware." author = "ReversingLabs" - id = "b4417071-575b-5c0f-b957-af762dbc00ee" + id = "76530a6d-145b-5316-8200-4b191d0754fd" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Cring.yara#L1-L66" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_05cf60ad39c9dcc592345f13b63c99b153b9253297a8ad9e52e0439081d8c796" + logic_hash = "05cf60ad39c9dcc592345f13b63c99b153b9253297a8ad9e52e0439081d8c796" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -4983,13 +4983,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Harpoonlocker : TC_DETECTION MALICIO meta: description = "Yara rule that detects HarpoonLocker ransomware." author = "ReversingLabs" - id = "b1dfc37c-d721-5edf-9628-d50526aa0798" + id = "3605d354-5a33-54b1-83ad-ad514c78357b" date = "2022-01-27" modified = "2022-01-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.HarpoonLocker.yara#L1-L96" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_20587f9dce5981934498d9979843a090224ba649def8b694adf7799b7060cc25" + logic_hash = "20587f9dce5981934498d9979843a090224ba649def8b694adf7799b7060cc25" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -5072,13 +5072,13 @@ rule REVERSINGLABS_Win32_Ransomware_Rokku : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Rokku ransomware." author = "ReversingLabs" - id = "d6709e78-3cd0-538a-aa63-56b973b29bee" + id = "8722ed4a-b480-57ec-bba7-ce7d0f3704b9" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Rokku.yara#L1-L147" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fefb342f8a9afac3b40c343b830f334225ff4198d55504846aa855acf5dfc9ba" + logic_hash = "fefb342f8a9afac3b40c343b830f334225ff4198d55504846aa855acf5dfc9ba" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5210,13 +5210,13 @@ rule REVERSINGLABS_Win32_Ransomware_Medusalocker : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects MedusaLocker ransomware." author = "ReversingLabs" - id = "991bd5c5-6b0f-547c-9daf-bea5dbb30ee4" + id = "8bfcfe13-b519-5c03-9770-cf245b01c395" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MedusaLocker.yara#L1-L174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_73f915d476d1411d2e008d00c5ffa03596e3b62bcdbc4d91dc7226599a066c08" + logic_hash = "73f915d476d1411d2e008d00c5ffa03596e3b62bcdbc4d91dc7226599a066c08" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -5363,13 +5363,13 @@ rule REVERSINGLABS_Win32_Ransomware_Termite : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects Termite ransomware." author = "ReversingLabs" - id = "cacfa08f-2fbb-5743-a2d6-c9d0a6b5d474" + id = "350011fa-1e3c-5079-8fe7-968340a3aca0" date = "2020-08-31" modified = "2020-08-31" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Termite.yara#L1-L151" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_df273de81fc58cb0bacf021ee539ec6dbfa1f1a3e13bd46519ee313595cafb4c" + logic_hash = "df273de81fc58cb0bacf021ee539ec6dbfa1f1a3e13bd46519ee313595cafb4c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5507,13 +5507,13 @@ rule REVERSINGLABS_Win64_Ransomware_Blackbasta : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects BlackBasta ransomware." author = "ReversingLabs" - id = "fceb40c0-723e-567b-9d3e-15926eb486d7" + id = "7a4ad567-0612-5a9c-8a06-4d615bc7e24a" date = "2022-12-13" modified = "2022-12-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.BlackBasta.yara#L1-L293" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_79c81a4470e9eabbd714b1a91621c7b2bbe42d5371ba2c799529662d5f5c479a" + logic_hash = "79c81a4470e9eabbd714b1a91621c7b2bbe42d5371ba2c799529662d5f5c479a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -5754,13 +5754,13 @@ rule REVERSINGLABS_Win32_Ransomware_Garrantydecrypt : TC_DETECTION MALICIOUS MAL meta: description = "Yara rule that detects GarrantyDecrypt ransomware." author = "ReversingLabs" - id = "f89cab43-4e85-5a80-a7ab-9e1ab699d30f" + id = "0aa05f06-1773-5ce8-892d-04468f5deccc" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GarrantyDecrypt.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7194c1e0e15a89f2c691a7d586b9db68295cc52a5f042d0f7eb558c326430444" + logic_hash = "7194c1e0e15a89f2c691a7d586b9db68295cc52a5f042d0f7eb558c326430444" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -5836,13 +5836,13 @@ rule REVERSINGLABS_Win64_Ransomware_Albabat : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects Albabat ransomware." author = "ReversingLabs" - id = "ea9bb46e-2790-503e-88da-8bd6270124b4" + id = "11941c0d-45fb-5746-bbad-f43f336d4b1d" date = "2024-03-18" modified = "2024-03-18" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Albabat.yara#L1-L139" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_38ec8388b9006f6ab9a397858b89f4bfd7def2ffcf525cfc736abae49bc6034a" + logic_hash = "38ec8388b9006f6ab9a397858b89f4bfd7def2ffcf525cfc736abae49bc6034a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -5963,14 +5963,14 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Oct : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects Oct ransomware." author = "ReversingLabs" - id = "d054239a-564e-5f1a-a380-62dadb020d8d" - date = "2024-10-22" - date = "2024-10-22" + id = "e811a0ba-52df-5e88-ab71-df91d5cb584a" + date = "2024-10-23" + date = "2024-10-23" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Oct.yara#L1-L68" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3973794d6bf26eaa752cfc70a217c059a190c63a0dd92b06de7c0893d92d9e88" + logic_hash = "3973794d6bf26eaa752cfc70a217c059a190c63a0dd92b06de7c0893d92d9e88" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6025,13 +6025,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Policerecords : TC_DETECTION MALICIO meta: description = "Yara rule that detects PoliceRecords ransomware." author = "ReversingLabs" - id = "ec46da8b-cc38-5c6d-925a-b88da22095cc" + id = "bacd3f98-a069-58ca-8423-01fcef7d4062" date = "2022-08-02" modified = "2022-08-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.PoliceRecords.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_55cb1a5d030c47abb1a9ca9970fb19b3124128e409bc9515c173c33b2bb49a16" + logic_hash = "55cb1a5d030c47abb1a9ca9970fb19b3124128e409bc9515c173c33b2bb49a16" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -6094,13 +6094,13 @@ rule REVERSINGLABS_Win32_Ransomware_Delphimorix : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects Delphimorix ransomware." author = "ReversingLabs" - id = "3630e7d1-e9a2-5abb-b1ca-7dd87a87932b" + id = "1f964601-9819-5597-ba6e-db3a30e3aa5a" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Delphimorix.yara#L1-L67" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6d401d488d57b2d75e93a1dfd47ece687a5791d1f0a52768300f4af8a8787212" + logic_hash = "6d401d488d57b2d75e93a1dfd47ece687a5791d1f0a52768300f4af8a8787212" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6158,13 +6158,13 @@ rule REVERSINGLABS_Win32_Ransomware_Denizkizi : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects DenizKizi ransomware." author = "ReversingLabs" - id = "dbc4d6fd-4983-520e-99cb-76b19e95c65e" + id = "e16a00d6-d5b8-5702-9cd7-d037b0ff46a3" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DenizKizi.yara#L1-L88" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fbeb01263d6f68141e094ba8fb1c1a54c601ab24292f5c6b0eb8cb0c49f46afc" + logic_hash = "fbeb01263d6f68141e094ba8fb1c1a54c601ab24292f5c6b0eb8cb0c49f46afc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -6240,13 +6240,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Apis : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects Apis ransomware." author = "ReversingLabs" - id = "55ff2db5-a9fd-55d8-90ca-749cb60b464c" + id = "63791250-e21e-53d1-932c-9b5d16a7cad9" date = "2021-11-25" modified = "2021-11-25" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Apis.yara#L1-L75" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0915469884a268f124da348d6a182eb4a0f69063d4041b46628794ab011227ef" + logic_hash = "0915469884a268f124da348d6a182eb4a0f69063d4041b46628794ab011227ef" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6309,13 +6309,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Ghostbin : TC_DETECTION MALICIOUS MA meta: description = "Yara rule that detects Ghostbin ransomware." author = "ReversingLabs" - id = "548c3089-cc4b-56d9-9109-529fca0f4f72" + id = "4d576854-7a30-527d-9a7a-f22018183540" date = "2021-09-06" modified = "2021-09-06" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara#L1-L61" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3881e1c83ac2a31fdd8a081d3e6e6ea759771dbc183c3af9528930619bcddf9e" + logic_hash = "3881e1c83ac2a31fdd8a081d3e6e6ea759771dbc183c3af9528930619bcddf9e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -6364,13 +6364,13 @@ rule REVERSINGLABS_Win32_Ransomware_Tblocker : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects TBLocker ransomware." author = "ReversingLabs" - id = "822548b4-9389-51ab-aec3-c300b1b0cd79" + id = "91793018-baf6-5e70-83b6-8793482c3bec" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TBLocker.yara#L1-L85" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_81f0077655ac0e59cd8dc05be602ae500c938668bd57d3cf4a51fbff2a5b6b83" + logic_hash = "81f0077655ac0e59cd8dc05be602ae500c938668bd57d3cf4a51fbff2a5b6b83" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6444,13 +6444,13 @@ rule REVERSINGLABS_Win32_Ransomware_Clop : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Clop ransomware." author = "ReversingLabs" - id = "5d7a4d58-6836-5110-be34-05c4fddccdeb" + id = "0ea63119-3773-5404-b332-8e3966fd35df" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Clop.yara#L1-L109" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0b63db16a4b1cae27a97d0ff9df692a63f1a11120ffac69c05a5c71fbd224007" + logic_hash = "0b63db16a4b1cae27a97d0ff9df692a63f1a11120ffac69c05a5c71fbd224007" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -6545,13 +6545,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dearcry : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects DearCry ransomware." author = "ReversingLabs" - id = "64304d23-9ba6-526c-abde-17840142e65e" + id = "6e2097e0-6495-5185-bbbc-e8168fa0ca7f" date = "2021-03-12" modified = "2021-03-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DearCry.yara#L1-L96" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_40dde232255018e1bc0aadf2378a7a86a99327d13dda58d8ffc5bb38e164de26" + logic_hash = "40dde232255018e1bc0aadf2378a7a86a99327d13dda58d8ffc5bb38e164de26" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6637,13 +6637,13 @@ rule REVERSINGLABS_Win32_Ransomware_Kovter : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Kovter ransomware." author = "ReversingLabs" - id = "6786410f-59ba-555c-b633-9ef0a6ad531e" + id = "9362ac5a-0b6c-5ac5-ac2b-59dcc1191dc6" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Kovter.yara#L1-L141" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3082e036b54a73ce8397cfa6e8dc2a807c587d9f17286e75af6cdbe622fae1e1" + logic_hash = "3082e036b54a73ce8397cfa6e8dc2a807c587d9f17286e75af6cdbe622fae1e1" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -6779,13 +6779,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_EAF : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects EAF ransomware." author = "ReversingLabs" - id = "8f7a1015-41b8-5a53-bc16-bfd870856cb5" + id = "6903030e-b1a1-5238-b377-ce8e4b18d3f3" date = "2022-07-22" modified = "2022-07-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.EAF.yara#L1-L89" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3d10c852f95e8aa9bcd3543b96650b98ac57bcd2aa2b374e0badb63b5a4c0396" + logic_hash = "3d10c852f95e8aa9bcd3543b96650b98ac57bcd2aa2b374e0badb63b5a4c0396" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -6860,13 +6860,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Cobralocker : TC_DETECTION MALICIOUS meta: description = "Yara rule that detects CobraLocker ransomware." author = "ReversingLabs" - id = "d32a3414-b8e5-589e-84ac-46a94d57457d" + id = "dada6370-3ae3-5931-ba9f-da56ebbcd8c8" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara#L1-L59" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_95f4c645c7c237d23b5028f824f78a5f9f8f0a4737b391d877582afe08264d7e" + logic_hash = "95f4c645c7c237d23b5028f824f78a5f9f8f0a4737b391d877582afe08264d7e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -6917,13 +6917,13 @@ rule REVERSINGLABS_Win32_Ransomware_Plague17 : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects Plague17 ransomware." author = "ReversingLabs" - id = "a91de3a9-225f-5450-8e42-4e2b1b10842f" + id = "065c47b5-f459-529e-8046-7394a742b50a" date = "2021-02-19" modified = "2021-02-19" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Plague17.yara#L1-L263" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e0e518fc83a62d70b83df273c6ba469e6f0fdf9c035126428ec7561e04437b6f" + logic_hash = "e0e518fc83a62d70b83df273c6ba469e6f0fdf9c035126428ec7561e04437b6f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7163,13 +7163,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ransomexx : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects Ransomexx ransomware." author = "ReversingLabs" - id = "b5dc5ed0-12f5-5bcb-83e0-469f061d4324" + id = "5e62660d-2696-56c7-9322-fed6ce9d36ff" date = "2020-11-26" modified = "2020-11-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ransomexx.yara#L1-L147" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_27b4132b7f16cafc40687e96a552ce59cc24ebf7679575680f170e3beee8a0a9" + logic_hash = "27b4132b7f16cafc40687e96a552ce59cc24ebf7679575680f170e3beee8a0a9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -7300,13 +7300,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Khonsari : TC_DETECTION MALICIOUS MA meta: description = "Yara rule that detects Khonsari ransomware." author = "ReversingLabs" - id = "a1e5a56e-361a-59b6-b7a2-35e31607b41f" + id = "c3c64256-af1f-5a9d-8a59-8d72993bb8da" date = "2022-01-27" modified = "2022-01-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara#L1-L68" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f1003b7863215bcd8e5cdce8ce40551105fb668ea2b8ac765909f9fa5373e6ca" + logic_hash = "f1003b7863215bcd8e5cdce8ce40551105fb668ea2b8ac765909f9fa5373e6ca" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7362,13 +7362,13 @@ rule REVERSINGLABS_Win32_Ransomware_Wsir : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects WsIR ransomware." author = "ReversingLabs" - id = "f4364c88-f9ff-549f-add9-69ae98993c09" + id = "cb4ab736-9421-5b92-b4a5-c5db0b61725a" date = "2022-08-02" modified = "2022-08-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WsIR.yara#L1-L73" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c22c01f93945c7721ebfe5e7a09c3bf2b9d0ad95740bc0a76b4e61741f61d82c" + logic_hash = "c22c01f93945c7721ebfe5e7a09c3bf2b9d0ad95740bc0a76b4e61741f61d82c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -7429,13 +7429,13 @@ rule REVERSINGLABS_Win32_Ransomware_Lorenz : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Lorenz ransomware." author = "ReversingLabs" - id = "3d89b04b-b752-5086-b1be-cab417c385c5" + id = "cc97dd15-d518-5d9f-9384-3dcf81e34e81" date = "2022-10-24" modified = "2022-10-24" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Lorenz.yara#L1-L252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b8668fcc560d264c37e3fbb52d5a5f1223a282abd9e984b3109efe9ab454be9f" + logic_hash = "b8668fcc560d264c37e3fbb52d5a5f1223a282abd9e984b3109efe9ab454be9f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7641,13 +7641,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ophionlocker : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects OphionLocker ransomware." author = "ReversingLabs" - id = "2e2ff287-c593-5923-833e-c83da7f3237b" + id = "75335749-66bd-539e-92b3-dd92c0b332d8" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.OphionLocker.yara#L1-L105" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3c54a948a6a45ec5f5bc32fbbdbc8822f402b1332e9109b20b90635464dbe2ac" + logic_hash = "3c54a948a6a45ec5f5bc32fbbdbc8822f402b1332e9109b20b90635464dbe2ac" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -7746,13 +7746,13 @@ rule REVERSINGLABS_Win64_Ransomware_Curator : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects Curator ransomware." author = "ReversingLabs" - id = "ed64eaea-054c-5063-8878-7f66ded9cfd0" + id = "401f1d64-afd9-55b1-8e87-b808d4679e9a" date = "2021-04-22" modified = "2021-04-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Curator.yara#L1-L94" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8bd29195cea0f1194e27c48ed07c52100abb7dd3de2ef7f51a645d32c3527eb3" + logic_hash = "8bd29195cea0f1194e27c48ed07c52100abb7dd3de2ef7f51a645d32c3527eb3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -7833,13 +7833,13 @@ rule REVERSINGLABS_Win64_Ransomware_Pandora : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Pandora ransomware."
 author = "ReversingLabs"
- id = "62ed0685-edc2-5c48-9a09-f9fedbac615c"
+ id = "18182bbe-1678-5d0b-a7ee-80c4bbaee99e"
 date = "2022-06-01"
 modified = "2022-06-01"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Pandora.yara#L1-L95"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6576bde36ae9a9bc2e9dd878db788c608083b84d96d31e6898f48a264c6b7f1a"
+ logic_hash = "6576bde36ae9a9bc2e9dd878db788c608083b84d96d31e6898f48a264c6b7f1a"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -7923,13 +7923,13 @@ rule REVERSINGLABS_Win32_Ransomware_Wannacry : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects WannaCry ransomware."
 author = "ReversingLabs"
- id = "4ae1a076-eff1-5692-93b6-eb7c6cf952ae"
+ id = "61734d47-2525-5e3a-94b4-60493dfe2b93"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WannaCry.yara#L3-L135"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fed58b533a9f7c3eb1b3e4f8fbe1f519aab94d1c066ae6937c21876693be0eac"
+ logic_hash = "fed58b533a9f7c3eb1b3e4f8fbe1f519aab94d1c066ae6937c21876693be0eac"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8049,13 +8049,13 @@ rule REVERSINGLABS_Linux_Ransomware_Kraken : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Kraken ransomware."
 author = "ReversingLabs"
- id = "4415659c-7465-5982-862b-4b4b29ecba20"
+ id = "7c302c2e-6ffc-5f51-90f4-c4ebd6c1c28b"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Kraken.yara#L1-L151"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4a3867aba4dbdce5d008331a3058f57b00db246975fc4d77b79ab49d5f0bbb15"
+ logic_hash = "4a3867aba4dbdce5d008331a3058f57b00db246975fc4d77b79ab49d5f0bbb15"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8188,13 +8188,13 @@ rule REVERSINGLABS_Win32_Ransomware_Reveton : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Reveton ransomware."
 author = "ReversingLabs"
- id = "8f4a8a63-426e-5253-8c17-f13faba15a57"
+ id = "14446b94-cd57-5930-b0af-b21091b61f68"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Reveton.yara#L1-L118"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2d316c558cdb5591788ef89c6e20327882a118f2928f4a31fb5b8b3083931ac5"
+ logic_hash = "2d316c558cdb5591788ef89c6e20327882a118f2928f4a31fb5b8b3083931ac5"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8300,13 +8300,13 @@ rule REVERSINGLABS_Win64_Ransomware_Solaso : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Solaso ransomware."
 author = "ReversingLabs"
- id = "ff512105-0f98-51e4-a8f1-4eb60e1e63a0"
+ id = "53f56ad8-ccdf-58f0-a5d9-e58f2c18ac76"
 date = "2021-11-02"
 modified = "2021-11-02"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Solaso.yara#L1-L171"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_368a80a9f2e264d17c61d6ed4c22baec838ba0b0bc2e5c79344830bf861aa5a2"
+ logic_hash = "368a80a9f2e264d17c61d6ed4c22baec838ba0b0bc2e5c79344830bf861aa5a2"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8462,13 +8462,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Pacman : TC_DETECTION MALICIOUS MALW
 meta:
 description = "Yara rule that detects Pacman ransomware."
 author = "ReversingLabs"
- id = "2df67e17-4ecd-54f9-9691-8426f2338d58"
+ id = "a440769b-030b-5b72-a6f2-cf478dd7acd2"
 date = "2021-08-12"
 modified = "2021-08-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Pacman.yara#L1-L68"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0634303a4db2631edb40a9435444f3bdc4bc6eb745c7e43a54478e54e7507403"
+ logic_hash = "0634303a4db2631edb40a9435444f3bdc4bc6eb745c7e43a54478e54e7507403"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8533,13 +8533,13 @@ rule REVERSINGLABS_Win32_Ransomware_Marsjoke : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects MarsJoke ransomware."
 author = "ReversingLabs"
- id = "eb5030ca-99ea-5891-9a2f-8d60dc473805"
+ id = "8164c586-f548-5414-9df8-61e0c51cbe29"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MarsJoke.yara#L1-L157"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_298b2fd99793a15b3537853289e1337648d3fa84f12038e6f6831741404b7c5c"
+ logic_hash = "298b2fd99793a15b3537853289e1337648d3fa84f12038e6f6831741404b7c5c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8693,13 +8693,13 @@ rule REVERSINGLABS_Win32_Ransomware_Lechiffre : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects LeChiffre ransomware."
 author = "ReversingLabs"
- id = "98839690-ee79-5bf4-88d7-7ff727ef659c"
+ id = "5d2698fe-9a0b-549d-9a83-72e2ccfc1966"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.LeChiffre.yara#L1-L123"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0b96f5f48700f2cba22da91187b3111946074e9cc58a502f25d7b96059a043cb"
+ logic_hash = "0b96f5f48700f2cba22da91187b3111946074e9cc58a502f25d7b96059a043cb"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8816,13 +8816,13 @@ rule REVERSINGLABS_Win32_Ransomware_Encoded01 : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects Encoded01 ransomware."
 author = "ReversingLabs"
- id = "f449107a-d02c-5901-86b4-0d32f11317a4"
+ id = "923d987e-f888-5b6a-9ebd-ee1257124aed"
 date = "2021-12-16"
 modified = "2021-12-16"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Encoded01.yara#L1-L141"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f6f872290f15f4c564911bb099824c47cb13164457e1bcdb02dee441bc2d6b6a"
+ logic_hash = "f6f872290f15f4c564911bb099824c47cb13164457e1bcdb02dee441bc2d6b6a"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -8945,13 +8945,13 @@ rule REVERSINGLABS_Win32_Ransomware_Acepy : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Acepy ransomware."
 author = "ReversingLabs"
- id = "7793fb34-bc87-5750-991e-5ae216541779"
+ id = "3ffb45b1-6bde-5bf8-957e-433b9488ba91"
 date = "2022-08-04"
 modified = "2022-08-04"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Acepy.yara#L1-L69"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_92c543a0b8c3c884f83647119d32c7b46f5fe839694bb8a8de0146c5c77bc587"
+ logic_hash = "92c543a0b8c3c884f83647119d32c7b46f5fe839694bb8a8de0146c5c77bc587"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -9008,13 +9008,13 @@ rule REVERSINGLABS_Win32_Ransomware_Archiveus : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects Archiveus ransomware."
 author = "ReversingLabs"
- id = "2fc61910-e1d4-5016-8204-28d877f89225"
+ id = "89e5af93-1153-5367-a539-6af77c99c214"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Archiveus.yara#L3-L50"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2b8a42b98ab3e8b97d2e226e979f342a6a72f21d8f068f59c21ad95764077f8a"
+ logic_hash = "2b8a42b98ab3e8b97d2e226e979f342a6a72f21d8f068f59c21ad95764077f8a"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -9057,13 +9057,13 @@ rule REVERSINGLABS_Win32_Ransomware_Meow : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Meow ransomware."
 author = "ReversingLabs"
- id = "b4170467-44e2-5364-bff6-0bb09943c21f"
+ id = "7cebb04d-1cda-5ad1-b412-8b38df7b2550"
 date = "2022-10-24"
 modified = "2022-10-24"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Meow.yara#L1-L84"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b00753d2b150a815279297ddf40d70051d25de1c32bb90f5b706ea7fd36bb871"
+ logic_hash = "b00753d2b150a815279297ddf40d70051d25de1c32bb90f5b706ea7fd36bb871"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -9134,13 +9134,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dragon : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Dragon ransomware."
 author = "ReversingLabs"
- id = "ba8cbb0e-d70f-5bae-9106-ea598e893276"
+ id = "dbeab955-f1fe-57eb-a9a4-c8c885ab7fad"
 date = "2020-10-30"
 modified = "2020-10-30"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Dragon.yara#L1-L149"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7298c5681deaf04abb6a656cefc09b5ee4096ff7a5028caab1d7b107e97be90a"
+ logic_hash = "7298c5681deaf04abb6a656cefc09b5ee4096ff7a5028caab1d7b107e97be90a"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -9270,13 +9270,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptojoker : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects CryptoJoker ransomware."
 author = "ReversingLabs"
- id = "f4c5dba6-49e0-5600-950e-6ff2bed86b7a"
+ id = "50a9280b-a352-5a2b-acee-5690e509dfd7"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoJoker.yara#L1-L140"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_42ee1e63ada1ae986f43a1300eda0b1fa7b54c26be31ef5637bb321defffbe40"
+ logic_hash = "42ee1e63ada1ae986f43a1300eda0b1fa7b54c26be31ef5637bb321defffbe40"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -9407,13 +9407,13 @@ rule REVERSINGLABS_Win32_Ransomware_Thanatos : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Thanatos ransomware."
 author = "ReversingLabs"
- id = "31e0482f-8f39-5393-a03d-8b4b1c0f33b5"
+ id = "190adbd0-30a7-5619-ab70-3ab031ece2f7"
 date = "2020-11-13"
 modified = "2020-11-13"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Thanatos.yara#L1-L85"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a51fa9cf1a08e4cd252a8b385be3bfde909585e2a799baaede977e40ecff5313"
+ logic_hash = "a51fa9cf1a08e4cd252a8b385be3bfde909585e2a799baaede977e40ecff5313"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -9489,13 +9489,13 @@ rule REVERSINGLABS_Win32_Ransomware_Bandarchor : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects BandarChor ransomware."
 author = "ReversingLabs"
- id = "3d7334cf-9035-58d2-bbd8-94facaf44413"
+ id = "c645a081-7ff6-58fc-af8e-55f43f56d0ea"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BandarChor.yara#L1-L97"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1c0c33ef7de089fc7ed6b364c7693499d1a93f79a48d6f2a5c375e47aea176bc"
+ logic_hash = "1c0c33ef7de089fc7ed6b364c7693499d1a93f79a48d6f2a5c375e47aea176bc"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -9584,13 +9584,13 @@ rule REVERSINGLABS_Win32_Ransomware_Teslacrypt : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects Teslacrypt ransomware."
 author = "ReversingLabs"
- id = "5b78ea5c-7327-5930-a21e-caf59e9bfb45"
+ id = "842dae76-573c-564d-b658-ccdda451df21"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Teslacrypt.yara#L1-L665"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cc054be68d833d9f29a4ebd1c202922881b0d22a2605edc7def1048dc08f6325"
+ logic_hash = "cc054be68d833d9f29a4ebd1c202922881b0d22a2605edc7def1048dc08f6325"
 score = 75
 quality = 65
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -10177,13 +10177,13 @@ rule REVERSINGLABS_Win32_Ransomware_Zhen : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Zhen ransomware."
 author = "ReversingLabs"
- id = "381ddd93-8849-5d84-81ba-f846d3308630"
+ id = "ce6bc48d-934b-582c-8ce7-3dd595cbf5dd"
 date = "2021-04-28"
 modified = "2021-04-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zhen.yara#L1-L176"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_17b24e7baeccd90b8695eb8d21d9ee4a317806ed7713252d315d06bee3f93e65"
+ logic_hash = "17b24e7baeccd90b8695eb8d21d9ee4a317806ed7713252d315d06bee3f93e65"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -10342,13 +10342,13 @@ rule REVERSINGLABS_Win32_Ransomware_Afrodita : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Afrodita ransomware."
 author = "ReversingLabs"
- id = "9f0e2173-c44d-5084-a666-26f146f55c53"
+ id = "513963fd-5f3d-5d31-a65a-37f6f5c72260"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Afrodita.yara#L1-L119"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ce7cc445d4c1f59c25b9505fc1f7f9dd0d286ab80510e2977b50ff15433aea60"
+ logic_hash = "ce7cc445d4c1f59c25b9505fc1f7f9dd0d286ab80510e2977b50ff15433aea60"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -10448,13 +10448,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ragnarok : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Ragnarok ransomware."
 author = "ReversingLabs"
- id = "3e4094cc-3408-5299-82f4-0edae31a0d6a"
+ id = "263a671e-dfdb-5ab8-9bb9-355c76a88c10"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ragnarok.yara#L1-L110"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_aaa17ab98b59a5c8c71a2b82a9bf29dd3a1a1719deaf08a3bafa77895bc10311"
+ logic_hash = "aaa17ab98b59a5c8c71a2b82a9bf29dd3a1a1719deaf08a3bafa77895bc10311"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -10550,13 +10550,13 @@ rule REVERSINGLABS_Win32_Ransomware_Guscrypter : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects GusCrypter ransomware."
 author = "ReversingLabs"
- id = "c166a4e9-bec1-5e14-9885-320fdc75e017"
+ id = "64aa468c-ec24-58aa-8ea9-23f0cebed227"
 date = "2020-11-26"
 modified = "2020-11-26"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GusCrypter.yara#L1-L129"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cfe6005028c0e5f5d713af2a549574203678bab2ee48acc1727702bcf91522b1"
+ logic_hash = "cfe6005028c0e5f5d713af2a549574203678bab2ee48acc1727702bcf91522b1"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -10670,13 +10670,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sherminator : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects Sherminator ransomware."
 author = "ReversingLabs"
- id = "a3783699-c093-537d-a676-1537c04b9428"
+ id = "99792a22-8027-557f-927f-30eac4d1e690"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sherminator.yara#L1-L157"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_22ac61b95f6ca4530e81a23fdd05be93e368647ca7100097a94eae3c6ce3b7d1"
+ logic_hash = "22ac61b95f6ca4530e81a23fdd05be93e368647ca7100097a94eae3c6ce3b7d1"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -10816,13 +10816,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ladon : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Ladon ransomware."
 author = "ReversingLabs"
- id = "6a9ae2c4-3ce4-523f-80ed-7a1514ccc18e"
+ id = "ebc8f957-cdcf-54eb-bd02-74088cf51768"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ladon.yara#L1-L101"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_979e3f3bf6a67bf10b6bfdd2eeb722d8836096076b7e88c6d4aca041a1a9eecb"
+ logic_hash = "979e3f3bf6a67bf10b6bfdd2eeb722d8836096076b7e88c6d4aca041a1a9eecb"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -10910,13 +10910,13 @@ rule REVERSINGLABS_Win32_Ransomware_Gibon : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Gibon ransomware."
 author = "ReversingLabs"
- id = "70b6f314-cc26-5112-83de-58ce2d9f0475"
+ id = "3f1a5bee-8fc0-5596-b898-e97073731930"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Gibon.yara#L1-L122"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cace0f35529307487f39aace6ae8989c7b878f82ebe890b256dfac563551a099"
+ logic_hash = "cace0f35529307487f39aace6ae8989c7b878f82ebe890b256dfac563551a099"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11027,13 +11027,13 @@ rule REVERSINGLABS_Win32_Ransomware_Satan : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Satan ransomware."
 author = "ReversingLabs"
- id = "4f3d1d04-0ae0-5718-a041-933afcfcbce3"
+ id = "7ec379d8-172c-52ee-9284-6898dd446468"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Satan.yara#L1-L152"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0074090c2a6cc483deffdc83dc1c0bfbd150e201c27e54f998dd2c0a7660f917"
+ logic_hash = "0074090c2a6cc483deffdc83dc1c0bfbd150e201c27e54f998dd2c0a7660f917"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11171,13 +11171,13 @@ rule REVERSINGLABS_Win32_Ransomware_MZP : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects MZP ransomware."
 author = "ReversingLabs"
- id = "e249b807-3ef2-568e-b7c5-eebdc60d917f"
+ id = "c08a4080-fa26-5b7b-869d-5f59096b1a12"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MZP.yara#L1-L147"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_724ae1033bfb8ff494b30e6b3333e6c848375f1b001b75e71c9444c9f9f31251"
+ logic_hash = "724ae1033bfb8ff494b30e6b3333e6c848375f1b001b75e71c9444c9f9f31251"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11302,13 +11302,13 @@ rule REVERSINGLABS_Win32_Ransomware_Braincrypt : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects BrainCrypt ransomware."
 author = "ReversingLabs"
- id = "98889b01-942e-569f-aabf-a64355631bc3"
+ id = "190798d5-594d-5b80-aa0e-8d7ff167f1c0"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BrainCrypt.yara#L1-L121"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_85866d6ffa136bf3ed27bbab55ae5430af4a1363930ebacab0df9ad24f8734cb"
+ logic_hash = "85866d6ffa136bf3ed27bbab55ae5430af4a1363930ebacab0df9ad24f8734cb"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11422,13 +11422,13 @@ rule REVERSINGLABS_Win32_Ransomware_Magniber : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Magniber ransomware."
 author = "ReversingLabs"
- id = "350da96b-7f4b-5893-9dda-00e0fd1f4cb4"
+ id = "07b6c938-aa25-5ff6-95d2-9e0f84c41b41"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Magniber.yara#L1-L114"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_05b516f9b466489ea3a30e2fe5eb08290e85ece7a63e29e8bbbeb81c87d0a6f1"
+ logic_hash = "05b516f9b466489ea3a30e2fe5eb08290e85ece7a63e29e8bbbeb81c87d0a6f1"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11532,13 +11532,13 @@ rule REVERSINGLABS_Win32_Ransomware_Desucrypt : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects DesuCrypt ransomware."
 author = "ReversingLabs"
- id = "1ca7dbed-d5ed-5887-af4f-010c962186c8"
+ id = "b9b3ce2b-f184-5bfa-8e1c-a7b996ac708a"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DesuCrypt.yara#L1-L93"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bd3ba8ea0fc16aad859a73628d0eda180d49298162fe239acf81c7c4e371eaad"
+ logic_hash = "bd3ba8ea0fc16aad859a73628d0eda180d49298162fe239acf81c7c4e371eaad"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11625,13 +11625,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptowall : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects CryptoWall ransomware."
 author = "ReversingLabs"
- id = "eaa68024-0428-5461-a6a9-8b9f0a8efdbc"
+ id = "06d8b106-d69a-526a-8e16-c95d39eb2993"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoWall.yara#L3-L312"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_74baa04ee506732e0bb64a77cfd2d2216fcc978f13447ef07862e0116c093c14"
+ logic_hash = "74baa04ee506732e0bb64a77cfd2d2216fcc978f13447ef07862e0116c093c14"
 score = 75
 quality = 88
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11912,13 +11912,13 @@ rule REVERSINGLABS_Win32_Ransomware_Flamingo : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Flamingo ransomware."
 author = "ReversingLabs"
- id = "74b8a575-df86-55a1-ab91-d481ffd88134"
+ id = "333ef1f9-ac54-5a3d-9b2b-50483eeb93e1"
 date = "2021-04-14"
 modified = "2021-04-14"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Flamingo.yara#L1-L54"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_446c0d332af01c0fceb0356d5ab273eb55764869cc8343468b75625e5d4d1036"
+ logic_hash = "446c0d332af01c0fceb0356d5ab273eb55764869cc8343468b75625e5d4d1036"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -11964,13 +11964,13 @@ rule REVERSINGLABS_Win32_Ransomware_Good : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Good ransomware."
 author = "ReversingLabs"
- id = "e0f3fb76-021b-5e71-b687-c2ee1766b04a"
+ id = "e0f97200-7fe9-5811-b6cd-708ecc3a2fbc"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Good.yara#L1-L82"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6737853a77a6008f9fd2141bb6b13d595f1cb7e832be944596f709e1fcdf8003"
+ logic_hash = "6737853a77a6008f9fd2141bb6b13d595f1cb7e832be944596f709e1fcdf8003"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12040,13 +12040,13 @@ rule REVERSINGLABS_Win32_Ransomware_Fenixlocker : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects FenixLocker ransomware."
 author = "ReversingLabs"
- id = "92b5822a-2539-56e2-819b-256c0966f76f"
+ id = "4868ced4-885d-548c-993c-ae25ab188172"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FenixLocker.yara#L1-L143"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_72712616df2c73c5c17696a7c5cb93f767910acf5f49cda27373fccfa29c5a4d"
+ logic_hash = "72712616df2c73c5c17696a7c5cb93f767910acf5f49cda27373fccfa29c5a4d"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12183,13 +12183,13 @@ rule REVERSINGLABS_Win32_Ransomware_Infodot : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects InfoDot ransomware."
 author = "ReversingLabs"
- id = "5e4ce52c-2366-5910-9066-096d44fdd705"
+ id = "2f6447f4-523b-5ea1-a16d-d68bb9bcc79d"
 date = "2021-02-16"
 modified = "2021-02-16"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.InfoDot.yara#L1-L115"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_24a1c25c1d70c21323417ae0892c613361c4bfc829737ef86b6fa7616ae668c6"
+ logic_hash = "24a1c25c1d70c21323417ae0892c613361c4bfc829737ef86b6fa7616ae668c6"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12293,13 +12293,13 @@ rule REVERSINGLABS_Win32_Ransomware_Techandstrat : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects TechandStrat ransomware."
 author = "ReversingLabs"
- id = "73d7d56b-a692-5a04-b447-306aff43e4da"
+ id = "525d0b48-2018-5848-b9e7-def8395254eb"
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TechandStrat.yara#L1-L106"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_80e201cf91adeee100e05af3ba5227fc61968bb6e0ce602107ba1217a7a62856"
+ logic_hash = "80e201cf91adeee100e05af3ba5227fc61968bb6e0ce602107ba1217a7a62856"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12390,13 +12390,13 @@ rule REVERSINGLABS_Win32_Ransomware_Jemd : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Jemd ransomware."
 author = "ReversingLabs"
- id = "5f055fc7-1694-5d47-8606-b5a9f4b26169"
+ id = "ef981ffa-8801-50f0-9441-5f2bfcf44133"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Jemd.yara#L1-L105"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_552e0fc118031e953dee2e7c6bf8234a5a90de8c34b0e2724dfe99f2b28b8c51"
+ logic_hash = "552e0fc118031e953dee2e7c6bf8234a5a90de8c34b0e2724dfe99f2b28b8c51"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12487,13 +12487,13 @@ rule REVERSINGLABS_Win32_Ransomware_Blackmoon : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects BlackMoon ransomware."
 author = "ReversingLabs"
- id = "2f4bac0f-186b-5182-9401-7a6094893ca0"
+ id = "95ebb6c4-b0c9-5f9a-8424-a2f4d33953eb"
 date = "2020-11-11"
 modified = "2020-11-11"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlackMoon.yara#L1-L70"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_428409096a8637978bf2a1efb3238e4ba87715a909693b0cd26c0f689d567a09"
+ logic_hash = "428409096a8637978bf2a1efb3238e4ba87715a909693b0cd26c0f689d567a09"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12554,13 +12554,13 @@ rule REVERSINGLABS_Win32_Ransomware_Pay2Key : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Pay2Key ransomware."
 author = "ReversingLabs"
- id = "e37df21a-02bf-55df-8622-6b4e64015a36"
+ id = "2e482222-0483-5fe3-bb87-cfadda8e7e7a"
 date = "2021-04-14"
 modified = "2021-04-14"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Pay2Key.yara#L1-L99"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2497504f3afc99523cb29e51652a24f4374316d57d4baf5cde8d22e75a425585"
+ logic_hash = "2497504f3afc99523cb29e51652a24f4374316d57d4baf5cde8d22e75a425585"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12645,13 +12645,13 @@ rule REVERSINGLABS_Linux_Ransomware_Redalert : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects RedAlert ransomware."
 author = "ReversingLabs"
- id = "4adbf149-d96c-5299-ba96-fa3ee0848cf6"
+ id = "ec7567bf-2c39-529f-ae93-74270a161827"
 date = "2022-09-01"
 modified = "2022-09-01"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.RedAlert.yara#L1-L146"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fe0d10c2ef1dacdb5374f319e470274b91f4f171db49de8c89e8aaa9aa75a45c"
+ logic_hash = "fe0d10c2ef1dacdb5374f319e470274b91f4f171db49de8c89e8aaa9aa75a45c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12779,13 +12779,13 @@ rule REVERSINGLABS_Win32_Ransomware_Velso : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Velso ransomware."
 author = "ReversingLabs"
- id = "cddd3bea-33e4-5abd-ba2b-9363f50aa900"
+ id = "72c7baaa-4f83-54c5-ba71-2b45e5eeefd2"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Velso.yara#L1-L230"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_602be848a26106a1bd46cfc515578f0628687e6cb352e609a274220a61bcb620"
+ logic_hash = "602be848a26106a1bd46cfc515578f0628687e6cb352e609a274220a61bcb620"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -12992,13 +12992,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Zerolocker : TC_DETECTION MALICIOUS
 meta:
 description = "Yara rule that detects ZeroLocker ransomware."
 author = "ReversingLabs"
- id = "f527aa4d-48d8-5c20-9530-3afc3a8257d1"
+ id = "291b5640-387c-54d9-97a6-13823932fa60"
 date = "2021-08-12"
 modified = "2021-08-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.ZeroLocker.yara#L1-L70"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_147e4b390bcfaff8f05059c1d9a98b50f544fc32e820406417894fe5046e0f71"
+ logic_hash = "147e4b390bcfaff8f05059c1d9a98b50f544fc32e820406417894fe5046e0f71"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13065,13 +13065,13 @@ rule REVERSINGLABS_Win32_Ransomware_HDMR : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects HDMR ransomware."
 author = "ReversingLabs"
- id = "4f928d8b-7df6-5ea7-8d07-642dfaa9ac1a"
+ id = "97b5020c-6cb1-5ec6-84a4-2f35eae761c2"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HDMR.yara#L1-L161"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_035c6596db8dc14a663679c1f7e682b85963927cc034b01e390cc22fdee3334a"
+ logic_hash = "035c6596db8dc14a663679c1f7e682b85963927cc034b01e390cc22fdee3334a"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13215,13 +13215,13 @@ rule REVERSINGLABS_Win32_Ransomware_Conti : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Conti ransomware."
 author = "ReversingLabs"
- id = "4a148961-2c6f-53ed-a5ad-25af113aeb17"
+ id = "548b8836-83cb-560c-af5f-33bdb24d15ed"
 date = "2020-12-14"
 modified = "2020-12-14"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Conti.yara#L1-L74"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4f2b96c8eaf8d112a7bb60647db49616935a336396c705d39d5bb51dfd90c60b"
+ logic_hash = "4f2b96c8eaf8d112a7bb60647db49616935a336396c705d39d5bb51dfd90c60b"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13286,13 +13286,13 @@ rule REVERSINGLABS_Win32_Ransomware_Crypmic : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Crypmic ransomware."
 author = "ReversingLabs"
- id = "8ef9aef9-7673-52f3-8665-7ec394c48bca"
+ id = "0d5c2141-c0ca-53c8-91fd-ec2d5f163df2"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Crypmic.yara#L1-L56"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ee97c4d35cee68e080a4e9e0a21ecd3698da638463881a58f5daaf906ef86f75"
+ logic_hash = "ee97c4d35cee68e080a4e9e0a21ecd3698da638463881a58f5daaf906ef86f75"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13343,13 +13343,13 @@ rule REVERSINGLABS_Win32_Ransomware_District : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects District ransomware."
 author = "ReversingLabs"
- id = "1e9ed54c-9415-5233-88a0-82fad7ad6c9f"
+ id = "fc6abbc7-66f9-56e6-8106-5f360f25b092"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.District.yara#L1-L194"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9ce395636fd7719f503726df82998e1ac72e9e80fd7a4534bd2251ac9283af38"
+ logic_hash = "9ce395636fd7719f503726df82998e1ac72e9e80fd7a4534bd2251ac9283af38"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13521,13 +13521,13 @@ rule REVERSINGLABS_Win32_Ransomware_Atlas : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Atlas ransomware."
 author = "ReversingLabs"
- id = "28069774-438c-5150-87df-9e7c3ec3dcd1"
+ id = "2c702b24-4b7e-505c-a694-0d915cc47315"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Atlas.yara#L1-L99"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1486f931ec096a00d913de0568ddd8aa5a091256445bc28aba90e3e194ebd045"
+ logic_hash = "1486f931ec096a00d913de0568ddd8aa5a091256445bc28aba90e3e194ebd045"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13621,13 +13621,13 @@ rule REVERSINGLABS_Win32_Ransomware_Defray : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Defray ransomware."
 author = "ReversingLabs"
- id = "de8a10a9-835c-51f4-9816-8fc63dd05aa0"
+ id = "bc9e2dfe-168b-5b99-8523-07bfdcba44f2"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Defray.yara#L1-L157"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_82d883c77f49e50edbc7af05a108d4d54a46dca7661e4d0cd8aeffa19cb8df98"
+ logic_hash = "82d883c77f49e50edbc7af05a108d4d54a46dca7661e4d0cd8aeffa19cb8df98"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13762,13 +13762,13 @@ rule REVERSINGLABS_Win32_Ransomware_Motocos : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Motocos ransomware."
 author = "ReversingLabs"
- id = "4bc92f3f-e8b7-5be5-903c-d1e08d1fc785"
+ id = "cda44b86-c747-5b48-acd8-e68311ab24a3"
 date = "2021-09-17"
 modified = "2021-09-17"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Motocos.yara#L1-L75"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_34b99847f029a291808f08ba6e6ae62a54e6fed5acc928fe4828054801786881"
+ logic_hash = "34b99847f029a291808f08ba6e6ae62a54e6fed5acc928fe4828054801786881"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13831,13 +13831,13 @@ rule REVERSINGLABS_Win32_Ransomware_Zeoticus : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Zeoticus ransomware."
 author = "ReversingLabs"
- id = "f27a220f-5072-5605-8b2b-3f4204444470"
+ id = "483b20a4-2c16-5509-a503-2462a53d4d31"
 date = "2021-03-19"
 modified = "2021-03-19"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zeoticus.yara#L1-L90"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_adf42b96139ad98f4253f3eba2c4af1be9545825605e0851185cc15284d9e9a0"
+ logic_hash = "adf42b96139ad98f4253f3eba2c4af1be9545825605e0851185cc15284d9e9a0"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -13914,13 +13914,13 @@ rule REVERSINGLABS_Win32_Ransomware_Maktub : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Maktub ransomware."
 author = "ReversingLabs"
- id = "165affc7-9b68-5058-b0c0-145e2372f386"
+ id = "23ca4232-77ff-5519-b6b0-ccec6cb35fe1"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Maktub.yara#L1-L116"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ee3213213e9521f7d19ce6340cd2f98057c22b1188ceefc30c17c18b6ec54e20"
+ logic_hash = "ee3213213e9521f7d19ce6340cd2f98057c22b1188ceefc30c17c18b6ec54e20"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14033,13 +14033,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dmalocker : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects DMALocker ransomware."
 author = "ReversingLabs"
- id = "5b236427-3f05-5a6c-9726-84e85aeb99db"
+ id = "3ddef0f1-61c9-59f6-a02c-35768c2cd4d6"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DMALocker.yara#L1-L149"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_107dbc4cacd9d451e9c6fe8aa91cd612f70ac767ee70f74f3a77d1e5548b054f"
+ logic_hash = "107dbc4cacd9d451e9c6fe8aa91cd612f70ac767ee70f74f3a77d1e5548b054f"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14174,13 +14174,13 @@ rule REVERSINGLABS_Win32_Ransomware_Henry : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Henry ransomware."
 author = "ReversingLabs"
- id = "c308ea61-2ccd-51a0-b00b-7f4b3d4e1852"
+ id = "63627f2b-3205-5790-ba97-8e0d1da39d7c"
 date = "2021-06-14"
 modified = "2021-06-14"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Henry.yara#L1-L80"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e6ab2a8a344d40407118e29ff78f5a0144f42a0fbdee19a80b341b59f056d292"
+ logic_hash = "e6ab2a8a344d40407118e29ff78f5a0144f42a0fbdee19a80b341b59f056d292"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14244,13 +14244,13 @@ rule REVERSINGLABS_Win32_Ransomware_Darkside : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects DarkSide ransomware."
 author = "ReversingLabs"
- id = "4cc1e6bc-4b97-52df-8ab3-9378008ef9b7"
+ id = "061b00cb-9b70-521f-ab3f-7e6b3c129194"
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DarkSide.yara#L1-L94"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_128af9a1b143e4b0928dd2b243e69497be906175f44815cc5703f17cce48ec9d"
+ logic_hash = "128af9a1b143e4b0928dd2b243e69497be906175f44815cc5703f17cce48ec9d"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14328,13 +14328,13 @@ rule REVERSINGLABS_Win32_Ransomware_MRAC : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects MRAC ransomware."
 author = "ReversingLabs"
- id = "9dc78634-5a27-5daa-a307-dfc9b0b9cd63"
+ id = "135c3dc9-bf08-5f00-bade-7054d9f33830"
 date = "2022-02-21"
 modified = "2022-02-21"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MRAC.yara#L1-L69"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_04e8364dc9c726f4bb2d3035e5b7e8dab4cae124b2f047be6f11b865fab557a7"
+ logic_hash = "04e8364dc9c726f4bb2d3035e5b7e8dab4cae124b2f047be6f11b865fab557a7"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14391,13 +14391,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Ghostencryptor : TC_DETECTION MALICI
 meta:
 description = "Yara rule that detects GhosTEncryptor ransomware."
 author = "ReversingLabs"
- id = "6992ae36-f5a1-5a8c-a1f6-ad0755c93d38"
+ id = "9f035e39-e0fe-54f3-8206-08fbbd9206b4"
 date = "2021-08-12"
 modified = "2021-08-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara#L1-L69"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_85c1f6e5acf746388b0a9ddeb1f0ad1d2219fff7358c9a981849863155c13e3c"
+ logic_hash = "85c1f6e5acf746388b0a9ddeb1f0ad1d2219fff7358c9a981849863155c13e3c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14452,13 +14452,13 @@ rule REVERSINGLABS_Win32_Ransomware_Hakunamatata : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects HakunaMatata ransomware."
 author = "ReversingLabs"
- id = "8ec11cae-346e-5486-82ba-6084d1d29803"
+ id = "17438fcd-7a51-5fb6-96ac-38523bc1744f"
 date = "2020-11-11"
 modified = "2020-11-11"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HakunaMatata.yara#L1-L373"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e363ff93fce286d60a3f5ea20ba3ec03564b7a5321c3f6448cc82187f23e8a9f"
+ logic_hash = "e363ff93fce286d60a3f5ea20ba3ec03564b7a5321c3f6448cc82187f23e8a9f"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14813,13 +14813,13 @@ rule REVERSINGLABS_Win32_Ransomware_Crysis : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Crysis ransomware."
 author = "ReversingLabs"
- id = "dd48f136-bfe6-5734-a28e-46e6a0926569"
+ id = "bba2bbf5-ff77-5ec4-ae7f-afae1b564fb7"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Crysis.yara#L1-L108"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3c9250206f94ac65c1fc24e83cf8cdd76d10066086ef1f34ec14791d237c0263"
+ logic_hash = "3c9250206f94ac65c1fc24e83cf8cdd76d10066086ef1f34ec14791d237c0263"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -14917,13 +14917,13 @@ rule REVERSINGLABS_Win32_Ransomware_Marlboro : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Marlboro ransomware."
 author = "ReversingLabs"
- id = "8663cc6c-8bb4-5187-93a3-e196ce3aca33"
+ id = "7cd3b436-47e3-5711-9b59-cef70efe3b45"
 date = "2020-07-23"
 modified = "2020-07-23"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Marlboro.yara#L1-L117"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d36c3cf52af47e9f638f58aabc19298e8c58831c3083f82e4c194319503eeaaa"
+ logic_hash = "d36c3cf52af47e9f638f58aabc19298e8c58831c3083f82e4c194319503eeaaa"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15029,13 +15029,13 @@ rule REVERSINGLABS_Win64_Ransomware_Seth : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Seth ransomware."
 author = "ReversingLabs"
- id = "8489530f-f881-50c3-8bd0-872de4df79ea"
+ id = "001de900-4556-5428-a243-7ec07a7ed05e"
 date = "2021-04-02"
 modified = "2021-04-02"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Seth.yara#L1-L122"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_72a9d902eea2381f40d42faa7f1686c4ca54d364af0cbd8711697bbc1a235646"
+ logic_hash = "72a9d902eea2381f40d42faa7f1686c4ca54d364af0cbd8711697bbc1a235646"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15143,13 +15143,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dharma : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Dharma ransomware."
 author = "ReversingLabs"
- id = "3a66c2bd-d806-5c29-8e03-fdf5d63da420"
+ id = "8157b20b-717c-581f-83c1-5fc8d2312238"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Dharma.yara#L1-L108"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6f33281523b462aaff68bb04f2f6869c3e6cd60cd9306ed80bb0c3e3b699f315"
+ logic_hash = "6f33281523b462aaff68bb04f2f6869c3e6cd60cd9306ed80bb0c3e3b699f315"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15252,13 +15252,13 @@ rule REVERSINGLABS_Win32_Ransomware_Saturn : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Saturn ransomware."
 author = "ReversingLabs"
- id = "7624b920-beb6-5c96-81c9-6d980d4ac506"
+ id = "70a8d937-aee5-54d8-9409-c5d2d0830a2b"
 date = "2020-10-19"
 modified = "2020-10-19"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Saturn.yara#L1-L105"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_efa748346ad8c46e654542d302e81d633a2d12f421636c477431a12a34636132"
+ logic_hash = "efa748346ad8c46e654542d302e81d633a2d12f421636c477431a12a34636132"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15352,13 +15352,13 @@ rule REVERSINGLABS_Win32_Ransomware_Gpcode : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Gpcode ransomware."
 author = "ReversingLabs"
- id = "1fc4c6ae-d8c8-5b6a-96a0-fb483d49965a"
+ id = "168833dd-44ab-59e1-a610-b9219b2907ff"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Gpcode.yara#L1-L67"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_329309873977f73a8ebe758018ebc8ba42e15c3c7cbb9a65865631d235f5bb48"
+ logic_hash = "329309873977f73a8ebe758018ebc8ba42e15c3c7cbb9a65865631d235f5bb48"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15417,13 +15417,13 @@ rule REVERSINGLABS_Win32_Ransomware_Bluelocker : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects BlueLocker ransomware."
 author = "ReversingLabs"
- id = "53f13a5c-9f46-53e5-b4f6-49e46f0f89c9"
+ id = "145ff05e-c90d-598a-a3d5-220bd6df718a"
 date = "2022-08-04"
 modified = "2022-08-04"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlueLocker.yara#L1-L130"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fbe5f246f4554e63b5da6a0aca169e8221a84fce18fd437ae7ad9b068e9ca576"
+ logic_hash = "fbe5f246f4554e63b5da6a0aca169e8221a84fce18fd437ae7ad9b068e9ca576"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15538,13 +15538,13 @@ rule REVERSINGLABS_Win32_Ransomware_Wasplocker : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects WaspLocker ransomware."
 author = "ReversingLabs"
- id = "f0b53b72-a2d6-59b1-972b-ee81b9614fc5"
+ id = "596bf965-700a-58f5-b0e5-61ec57c23a3e"
 date = "2022-06-28"
 modified = "2022-06-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.WaspLocker.yara#L1-L76"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_852ec52328fca36d651e3176ac33a57ce26cefecadc2aad27235548e5b9813c1"
+ logic_hash = "852ec52328fca36d651e3176ac33a57ce26cefecadc2aad27235548e5b9813c1"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15608,13 +15608,13 @@ rule REVERSINGLABS_Linux_Ransomware_Luckyjoe : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects LuckyJoe ransomware."
 author = "ReversingLabs"
- id = "9e1cfe30-04d8-5c20-9617-1157f032c3dc"
+ id = "8dc98d71-b79d-5b09-9383-11f2b57baeb5"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.LuckyJoe.yara#L1-L146"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1e7df2c45bee072af233cf8f355a84ec931fe96afa3fbdcd225dded1b75ea961"
+ logic_hash = "1e7df2c45bee072af233cf8f355a84ec931fe96afa3fbdcd225dded1b75ea961"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15744,13 +15744,13 @@ rule REVERSINGLABS_Win32_Ransomware_Shadowcryptor : TC_DETECTION MALICIOUS MALWA
 meta:
 description = "Yara rule that detects ShadowCryptor ransomware."
 author = "ReversingLabs"
- id = "b2253d8f-9cf8-5f6b-8173-73f0f9523e8e"
+ id = "983e8927-4829-540f-9697-886226fd54ce"
 date = "2021-02-11"
 modified = "2021-02-11"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ShadowCryptor.yara#L1-L89"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_875150db9fc36cd992988bba7d0c05487418b901980bf428ebd427c82fbcacd7"
+ logic_hash = "875150db9fc36cd992988bba7d0c05487418b901980bf428ebd427c82fbcacd7"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15826,13 +15826,13 @@ rule REVERSINGLABS_Win32_Ransomware_Networm : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Networm ransomware."
 author = "ReversingLabs"
- id = "41e4e5e7-ae32-5baf-9478-3a58ec724cdc"
+ id = "3b17b97d-c882-5f65-8b89-847e2300873c"
 date = "2021-07-05"
 modified = "2021-07-05"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Networm.yara#L1-L103"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ff9bcb9868522f9d4abf2ab9f94d5b7c9b009e5c6d0cf832c7d052f18e048b31"
+ logic_hash = "ff9bcb9868522f9d4abf2ab9f94d5b7c9b009e5c6d0cf832c7d052f18e048b31"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -15921,13 +15921,13 @@ rule REVERSINGLABS_Win32_Ransomware_Bam2021 : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Bam2021 ransomware."
 author = "ReversingLabs"
- id = "4eb74707-9fec-5d76-b47e-4c4f73467735"
+ id = "31ae99e3-223c-51fb-97c1-353ff063057f"
 date = "2021-09-17"
 modified = "2021-09-17"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Bam2021.yara#L1-L167"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5b717510991b78f07806e88f3dfe1c27d6ec1ec21af61a7c4f1edf7c915785d5"
+ logic_hash = "5b717510991b78f07806e88f3dfe1c27d6ec1ec21af61a7c4f1edf7c915785d5"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16071,13 +16071,13 @@ rule REVERSINGLABS_Win32_Ransomware_Vegalocker : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects VegaLocker ransomware."
 author = "ReversingLabs"
- id = "55ca45a5-74bd-566d-91f7-32a8741696b9"
+ id = "53eec8d1-bab0-5556-92c0-1b70eb763fa5"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.VegaLocker.yara#L1-L100"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8616e72fc435676179e83a304d4111c8f29ebf3cd79ff5b2d229cca8fc97c2a3"
+ logic_hash = "8616e72fc435676179e83a304d4111c8f29ebf3cd79ff5b2d229cca8fc97c2a3"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16167,13 +16167,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Moisha : TC_DETECTION MALICIOUS MALW
 meta:
 description = "Yara rule that detects Moisha ransomware."
 author = "ReversingLabs"
- id = "55148aa0-0685-56ec-b854-127f9a54b878"
+ id = "c72f654f-955e-5ff6-ac91-19fbb858265c"
 date = "2022-10-11"
 modified = "2022-10-11"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Moisha.yara#L1-L86"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_89cefbbb8ec722216721bb43eb14cc33fcd4671585051359a06b62236cbf3a6c"
+ logic_hash = "89cefbbb8ec722216721bb43eb14cc33fcd4671585051359a06b62236cbf3a6c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16245,13 +16245,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Timecrypt : TC_DETECTION MALICIOUS M
 meta:
 description = "Yara rule that detects TimeCrypt ransomware."
 author = "ReversingLabs"
- id = "a705b8f2-f9b9-537f-bb5c-fcaba3d37d11"
+ id = "38a0c383-8be6-5258-aa93-0cf09b18e5f7"
 date = "2021-12-06"
 modified = "2021-12-06"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara#L1-L69"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6849d6d5010d7bcb4052c10d5bd7cc29320ffc986f36289b272a1e9a8d14fab9"
+ logic_hash = "6849d6d5010d7bcb4052c10d5bd7cc29320ffc986f36289b272a1e9a8d14fab9"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16304,13 +16304,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Eternity : TC_DETECTION MALICIOUS MA
 meta:
 description = "Yara rule that detects Eternity ransomware."
 author = "ReversingLabs"
- id = "3a85c694-9b64-5b12-a206-1b8effff0c83"
+ id = "7bb0f3b0-a8c0-5239-a1b4-532d403f59bc"
 date = "2022-07-22"
 modified = "2022-07-22"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara#L1-L74"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a2298a26e9bbe2b779eb2afeeda28d4321bc2d26db46bbb377bf86abaf8fa929"
+ logic_hash = "a2298a26e9bbe2b779eb2afeeda28d4321bc2d26db46bbb377bf86abaf8fa929"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16368,13 +16368,13 @@ rule REVERSINGLABS_Win64_Ransomware_DST : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects DST ransomware."
 author = "ReversingLabs"
- id = "9c58c08d-73f3-5481-9e38-713314578c91"
+ id = "bcc9933d-14eb-5f83-a136-5f009c7a3282"
 date = "2021-12-06"
 modified = "2021-12-06"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.DST.yara#L1-L170"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b658093232a2265d425e3b38758268c116bbac51fa5eed372b5b4f00de4c6880"
+ logic_hash = "b658093232a2265d425e3b38758268c116bbac51fa5eed372b5b4f00de4c6880"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16527,13 +16527,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Retis : TC_DETECTION MALICIOUS MALWA
 meta:
 description = "Yara rule that detects Retis ransomware."
 author = "ReversingLabs"
- id = "90889c95-ba2e-5081-907c-818b8f3a92e3"
+ id = "3d1de7c2-abb7-5411-a598-6bc68229a22a"
 date = "2021-08-12"
 modified = "2021-08-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Retis.yara#L1-L74"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3e3429041acc5730b009916efbcd35c7cfd2b2877dc1d2cf980f7fb7d399d532"
+ logic_hash = "3e3429041acc5730b009916efbcd35c7cfd2b2877dc1d2cf980f7fb7d399d532"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16598,13 +16598,13 @@ rule REVERSINGLABS_Win32_Ransomware_Zeppelin : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Zeppelin ransomware."
 author = "ReversingLabs"
- id = "a05a39f6-c12a-5565-9ec3-ffc5bc26873f"
+ id = "f5cf514d-4dd0-58b7-82d0-5cb516a139a3"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zeppelin.yara#L1-L109"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8fb07e49d2ff9d497fb36a5d901748315ae519f5ef845d1a5ec6341d0eb1f68c"
+ logic_hash = "8fb07e49d2ff9d497fb36a5d901748315ae519f5ef845d1a5ec6341d0eb1f68c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16696,13 +16696,13 @@ rule REVERSINGLABS_Win32_Ransomware_Kawaiilocker : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects KawaiiLocker ransomware."
 author = "ReversingLabs"
- id = "f2b6e9d8-5020-56fd-9076-5bfa1525e890"
+ id = "8c368e2d-3c6f-5c4b-880b-ebdb06dcf901"
 date = "2020-08-17"
 modified = "2020-08-17"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.KawaiiLocker.yara#L1-L135"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d86b41ef1c43da55869ad26facd5efdf232277f0e33483690a69a04c4ba8f7da"
+ logic_hash = "d86b41ef1c43da55869ad26facd5efdf232277f0e33483690a69a04c4ba8f7da"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16833,13 +16833,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cuba : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Cuba ransomware."
 author = "ReversingLabs"
- id = "a1ea23a4-ef35-56a2-8bbb-971fb26a31d3"
+ id = "b2c81849-9fa6-58b6-b6fe-4d9a5f0923ea"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cuba.yara#L1-L126"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0a8dea6e38a6407897b994ea119bc8b0712a94363b7b3942dcd32c65ee5548d4"
+ logic_hash = "0a8dea6e38a6407897b994ea119bc8b0712a94363b7b3942dcd32c65ee5548d4"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -16951,13 +16951,13 @@ rule REVERSINGLABS_Win32_Ransomware_Telecrypt : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects TeleCrypt ransomware."
 author = "ReversingLabs"
- id = "27a18ed0-6f9b-5624-aa49-5c94e8428230"
+ id = "c4eada2d-72c0-5efe-bf2b-8f053348d89d"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TeleCrypt.yara#L1-L109"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9d856eae4369cd7ba1d88bd6ef37931e069127e2c05a84a44f5274f681e83fc0"
+ logic_hash = "9d856eae4369cd7ba1d88bd6ef37931e069127e2c05a84a44f5274f681e83fc0"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17061,13 +17061,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dirtydecrypt : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects DirtyDecrypt ransomware."
 author = "ReversingLabs"
- id = "fd29d316-d249-5c1c-8985-e001782b46ce"
+ id = "f4d69c3e-a082-5bc9-bf72-4cc330d3de74"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DirtyDecrypt.yara#L3-L112"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_eb6a1c376b0739848b523e741d0d1ebdbc87056d51931fb94c744aa094d6479f"
+ logic_hash = "eb6a1c376b0739848b523e741d0d1ebdbc87056d51931fb94c744aa094d6479f"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17167,13 +17167,13 @@ rule REVERSINGLABS_Win64_Ransomware_Awesomescott : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects AwesomeScott ransomware."
 author = "ReversingLabs"
- id = "8cffdd89-8188-54e6-bbcf-2c4dc6ae830e"
+ id = "36d3b801-dbdb-585a-ac80-1827a6749c87"
 date = "2020-09-16"
 modified = "2020-09-16"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.AwesomeScott.yara#L1-L101"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ed8096a4abbd015f79f4ec7239cd4070194ad70fa03da6714e499a41f9fb9423"
+ logic_hash = "ed8096a4abbd015f79f4ec7239cd4070194ad70fa03da6714e499a41f9fb9423"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17270,13 +17270,13 @@ rule REVERSINGLABS_Win64_Ransomware_Nokoyawa : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Nokoyawa ransomware."
 author = "ReversingLabs"
- id = "c960ed63-5b79-5def-9957-26b583bfa5ed"
+ id = "31470ce4-381f-50d2-bbca-03c592e62a7d"
 date = "2022-06-06"
 modified = "2022-06-06"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Nokoyawa.yara#L1-L104"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_85b7d93db06007d0043b1489b532410ccc700cf082b641fff8a09de2ffe9101d"
+ logic_hash = "85b7d93db06007d0043b1489b532410ccc700cf082b641fff8a09de2ffe9101d"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17367,13 +17367,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Timetime : TC_DETECTION MALICIOUS MA
 meta:
 description = "Yara rule that detects TimeTime ransomware."
 author = "ReversingLabs"
- id = "5ce2657d-32d2-5c4c-aa14-63d5ee30c11f"
+ id = "27bff941-01ce-5bf7-a9d8-d01d2db3bfd3"
 date = "2022-02-21"
 modified = "2022-02-21"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara#L1-L75"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_43867dd793bc84e6f39ca2de1aff4047a742b295dc4df94cd337bd2ef89e4a62"
+ logic_hash = "43867dd793bc84e6f39ca2de1aff4047a742b295dc4df94cd337bd2ef89e4a62"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17432,13 +17432,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sifrelendi : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects Sifrelendi ransomware."
 author = "ReversingLabs"
- id = "d1aca0b5-47a2-53f2-83c4-795d91e66b5f"
+ id = "b9083b7c-eb09-52da-a240-39b51df892f9"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sifrelendi.yara#L1-L67"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_430d3877c10c86fcb19b5624dd8886d61e54ccd0453678329309b49712c6d5c6"
+ logic_hash = "430d3877c10c86fcb19b5624dd8886d61e54ccd0453678329309b49712c6d5c6"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17497,13 +17497,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sarbloh : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Sarbloh ransomware."
 author = "ReversingLabs"
- id = "61207ca2-c42f-5e2e-881d-e3093bfbd654"
+ id = "532abd77-f091-5c54-87a3-7e8be5253efd"
 date = "2021-05-21"
 modified = "2021-05-21"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sarbloh.yara#L1-L88"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7259aa9d1fe657db220ee50f1610e6439ff61673d92f46ebc3b8cadd990f002c"
+ logic_hash = "7259aa9d1fe657db220ee50f1610e6439ff61673d92f46ebc3b8cadd990f002c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17581,13 +17581,13 @@ rule REVERSINGLABS_Win32_Ransomware_Gomer : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Gomer ransomware."
 author = "ReversingLabs"
- id = "0b9421a2-ae37-5abc-8003-4779be8ab886"
+ id = "b76ac856-2abe-531d-b093-461569b9afb7"
 date = "2020-10-08"
 modified = "2020-10-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Gomer.yara#L1-L106"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a53d37fcb877a12a4969a6ea1aaa67fc4106c3fbdd80a4fd39ad5a66a9df47fc"
+ logic_hash = "a53d37fcb877a12a4969a6ea1aaa67fc4106c3fbdd80a4fd39ad5a66a9df47fc"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17679,13 +17679,13 @@ rule REVERSINGLABS_Win32_Ransomware_Badblock : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects BadBlock ransomware."
 author = "ReversingLabs"
- id = "7b160f80-7450-5fc9-972e-e9c4a2e21cbf"
+ id = "a5afb7d6-4bc1-5465-a35d-fe40e7f11c3e"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BadBlock.yara#L1-L100"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_421e6a3772eeec6ef0cbb2427b7e044b450a2b2146cee2ca7d8c3a3a92918557"
+ logic_hash = "421e6a3772eeec6ef0cbb2427b7e044b450a2b2146cee2ca7d8c3a3a92918557"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17777,13 +17777,13 @@ rule REVERSINGLABS_Win32_Ransomware_Torrentlocker : TC_DETECTION MALICIOUS MALWA
 meta:
 description = "Yara rule that detects TorrentLocker ransomware."
 author = "ReversingLabs"
- id = "1415bb79-c0cb-5cb3-833d-a304b908133e"
+ id = "64bdb0db-ea0c-5a0d-9d3e-db1df86c132b"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TorrentLocker.yara#L1-L98"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f1aa523fa95e142b7e421286d26918e3da4bd3e268fef3f98f00820296291bfc"
+ logic_hash = "f1aa523fa95e142b7e421286d26918e3da4bd3e268fef3f98f00820296291bfc"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17873,13 +17873,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ransoc : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Ransoc ransomware."
 author = "ReversingLabs"
- id = "7d9244ff-d20c-5dc5-a37d-a8d16fbd5e30"
+ id = "a990754e-eafa-5501-a123-bcbd5aa26ca6"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ransoc.yara#L1-L114"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1f48f1b713c18b099e863d8a11e872ae84df0ea355f01cba765e8333d8d98575"
+ logic_hash = "1f48f1b713c18b099e863d8a11e872ae84df0ea355f01cba765e8333d8d98575"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -17989,13 +17989,13 @@ rule REVERSINGLABS_Win32_Ransomware_Avaddon : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Avaddon ransomware."
 author = "ReversingLabs"
- id = "4e67c4c4-1a0c-59dc-9c88-ea2b270eddfe"
+ id = "f3a57482-5799-594b-bcfa-1137ca04dfd5"
 date = "2020-10-19"
 modified = "2020-10-19"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Avaddon.yara#L1-L148"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1b2c449d5bad02dd06cb4a980fcca1feaf02b1d8127096bb39deecbc544272a6"
+ logic_hash = "1b2c449d5bad02dd06cb4a980fcca1feaf02b1d8127096bb39deecbc544272a6"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18122,13 +18122,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryakl : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Cryakl ransomware."
 author = "ReversingLabs"
- id = "c9687951-e436-5e67-8771-d0df5e829222"
+ id = "5c668278-458e-5b13-83c4-63beab5249ed"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cryakl.yara#L1-L64"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_51d50ab1ce021e2facbca3a35af372186287a8d69b66651c9804234a409d9932"
+ logic_hash = "51d50ab1ce021e2facbca3a35af372186287a8d69b66651c9804234a409d9932"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18187,13 +18187,13 @@ rule REVERSINGLABS_Win32_Ransomware_Jamper : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Jamper ransomware."
 author = "ReversingLabs"
- id = "1472d212-2676-5fd9-ba49-21bdc4d3c905"
+ id = "9ba9358e-8f67-5d0e-a9bc-b3b10cd3a8b2"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Jamper.yara#L1-L110"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_826f8fa7cc92b279c609a9ab6a87c32940e37b4c2476854af75bbed29cb3eaf2"
+ logic_hash = "826f8fa7cc92b279c609a9ab6a87c32940e37b4c2476854af75bbed29cb3eaf2"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18290,13 +18290,13 @@ rule REVERSINGLABS_Win32_Ransomware_5Ss5C : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects 5ss5c ransomware."
 author = "ReversingLabs"
- id = "3abf3e50-c374-51de-939d-008799856a45"
+ id = "c69f44de-8e48-518d-87bf-d21d11223a2f"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.5ss5c.yara#L1-L267"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_74fcec568906a01dade7091c63cffbe4afa49c4705d9c1f21d10b4eee655a805"
+ logic_hash = "74fcec568906a01dade7091c63cffbe4afa49c4705d9c1f21d10b4eee655a805"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18540,13 +18540,13 @@ rule REVERSINGLABS_Win32_Ransomware_Wastedlocker : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects WastedLocker ransomware."
 author = "ReversingLabs"
- id = "92e2ebe8-5c29-5fd1-a30f-eb7b130c4939"
+ id = "68090960-9878-5836-8caa-bf8f408a474e"
 date = "2020-12-07"
 modified = "2020-12-07"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Wastedlocker.yara#L1-L86"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0899d3cc3bcea8eae60689a54f34e57bdc52088c879c8420b8e6d0b1969cb186"
+ logic_hash = "0899d3cc3bcea8eae60689a54f34e57bdc52088c879c8420b8e6d0b1969cb186"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18622,13 +18622,13 @@ rule REVERSINGLABS_Win32_Ransomware_Lolkek : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Lolkek ransomware."
 author = "ReversingLabs"
- id = "96c1a4c0-2b33-569b-92bc-321cc3d0f683"
+ id = "441badd6-3708-5f74-90f3-4d3a0fc45aff"
 date = "2020-10-23"
 modified = "2020-10-23"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Lolkek.yara#L1-L106"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d18545b25a33bba1a6e01ab37768bd4f15fb125dcb8cbe7909d9a8bbe08e63fa"
+ logic_hash = "d18545b25a33bba1a6e01ab37768bd4f15fb125dcb8cbe7909d9a8bbe08e63fa"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18720,13 +18720,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Tarrak : TC_DETECTION MALICIOUS MALW
 meta:
 description = "Yara rule that detects TaRRaK ransomware."
 author = "ReversingLabs"
- id = "f92f25f2-2187-5c7c-bdf8-d50ab90b9b5b"
+ id = "a783df87-0c9b-5868-9af0-c32b11e8b71b"
 date = "2021-09-06"
 modified = "2021-09-06"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.TaRRaK.yara#L1-L96"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a8c4c4a501d94da94ae4a2e1eb2846e841249659be64dd45f46584885d000635"
+ logic_hash = "a8c4c4a501d94da94ae4a2e1eb2846e841249659be64dd45f46584885d000635"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18802,13 +18802,13 @@ rule REVERSINGLABS_Win32_Ransomware_Redeemer : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Redeemer ransomware."
 author = "ReversingLabs"
- id = "af98af44-30d0-57f6-92d1-05bdae9e807f"
+ id = "080ab595-862b-5dc2-aaff-a0efd819a9fa"
 date = "2022-01-17"
 modified = "2022-01-17"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Redeemer.yara#L1-L105"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_28287f6620a2f7a90057d1f97947e065721119e26398fe659331dc5fe99761de"
+ logic_hash = "28287f6620a2f7a90057d1f97947e065721119e26398fe659331dc5fe99761de"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18899,13 +18899,13 @@ rule REVERSINGLABS_Win32_Ransomware_Koxic : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Koxic ransomware."
 author = "ReversingLabs"
- id = "1b90094f-407f-58de-b956-a0c315d4ef95"
+ id = "73c4afb0-cfa8-5bc5-bca3-49a7710f4ab9"
 date = "2022-04-21"
 modified = "2022-04-21"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Koxic.yara#L1-L87"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_739faf047b95fd538422a42943fcaad6538549bf4cf33ed91385c61365af4f09"
+ logic_hash = "739faf047b95fd538422a42943fcaad6538549bf4cf33ed91385c61365af4f09"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -18979,13 +18979,13 @@ rule REVERSINGLABS_Win32_Ransomware_Nefilim : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Nefilim ransomware."
 author = "ReversingLabs"
- id = "2c8eec2d-fa30-53d6-b90d-d130eb4cfa52"
+ id = "aec298c1-abf8-5446-9dbb-795f9fcf8e94"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Nefilim.yara#L1-L150"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fae0350e51aee2777475d2222848b30fd39fa39ceea260132b0c7fbc536b3a86"
+ logic_hash = "fae0350e51aee2777475d2222848b30fd39fa39ceea260132b0c7fbc536b3a86"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19115,13 +19115,13 @@ rule REVERSINGLABS_Win32_Ransomware_Paradise : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Paradise ransomware."
 author = "ReversingLabs"
- id = "eaed8348-f339-5336-84c9-ea106cb4a722"
+ id = "9a92a05c-5f26-59ed-9934-a24bb7c31d8d"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Paradise.yara#L1-L81"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fc029bee999ec72416ac91d8386d4d270070035ad078bcab1dec11eea032c10b"
+ logic_hash = "fc029bee999ec72416ac91d8386d4d270070035ad078bcab1dec11eea032c10b"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19198,13 +19198,13 @@ rule REVERSINGLABS_Win32_Ransomware_Revil : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Revil ransomware."
 author = "ReversingLabs"
- id = "ae170044-52fd-5494-8f4e-871e7b536a2b"
+ id = "67c2f49e-b9dc-5900-a89d-49ba41088ac3"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Revil.yara#L1-L101"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_24a79477eb797d7a7121d1248ebbece833ccd256de55729ff96084135ce8d426"
+ logic_hash = "24a79477eb797d7a7121d1248ebbece833ccd256de55729ff96084135ce8d426"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19289,13 +19289,13 @@ rule REVERSINGLABS_Win32_Ransomware_Killdisk : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects KillDisk ransomware."
 author = "ReversingLabs"
- id = "3ea3a2c4-c5b1-56c2-b6c9-fdc383b96a9f"
+ id = "bd04ac88-987a-58f0-8f0a-508662b3c930"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.KillDisk.yara#L1-L80"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6148e6fc1363ff8995a9100e07139bfa658c72892db4d30a973bad0f2b3e6c3f"
+ logic_hash = "6148e6fc1363ff8995a9100e07139bfa658c72892db4d30a973bad0f2b3e6c3f"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19372,13 +19372,13 @@ rule REVERSINGLABS_Win32_Ransomware_Makop : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Makop ransomware."
 author = "ReversingLabs"
- id = "aa48c700-4ae7-5e21-98a4-554d80bb6d5a"
+ id = "9b7d42f3-0417-5228-8b25-244224cbc414"
 date = "2020-10-30"
 modified = "2020-10-30"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Makop.yara#L1-L99"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0ff4739d32b4a775d07a5f22d551ed67025681d4986e4404c9a01ad4078468f3"
+ logic_hash = "0ff4739d32b4a775d07a5f22d551ed67025681d4986e4404c9a01ad4078468f3"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19464,13 +19464,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Goodwill : TC_DETECTION MALICIOUS MA
 meta:
 description = "Yara rule that detects GoodWill ransomware."
 author = "ReversingLabs"
- id = "d1687ecf-5483-50e8-895a-d2e0aac14de6"
+ id = "66358802-450b-5276-8088-b3550519b1e8"
 date = "2022-06-28"
 modified = "2022-06-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.GoodWill.yara#L1-L89"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_94e2950f415ba737fe5ca9d32a3d850dd5744e547c4ca094ad28545e19033cb2"
+ logic_hash = "94e2950f415ba737fe5ca9d32a3d850dd5744e547c4ca094ad28545e19033cb2"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19542,13 +19542,13 @@ rule REVERSINGLABS_Win32_Ransomware_Prometey : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Prometey ransomware."
 author = "ReversingLabs"
- id = "e817c47a-ece1-5859-b34e-90f03b91645a"
+ id = "a5902fc6-2752-520f-be84-df9ea7b1e27d"
 date = "2021-06-07"
 modified = "2021-06-07"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Prometey.yara#L1-L156"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f14c9605e2d375176b461fd396be66754b0ace7dcaada8ca33ad86f6eda10b73"
+ logic_hash = "f14c9605e2d375176b461fd396be66754b0ace7dcaada8ca33ad86f6eda10b73"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19690,13 +19690,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptolocker : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects CryptoLocker ransomware."
 author = "ReversingLabs"
- id = "81baddbc-6483-549f-a924-b93f80bdd855"
+ id = "8cc3ac4b-9179-5e2c-97e1-65304f9dfe22"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoLocker.yara#L3-L154"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_08430b0c5689840d592bdda5dbc2ed06e0d0fa1e2c0f19aff4316580c6a0b23d"
+ logic_hash = "08430b0c5689840d592bdda5dbc2ed06e0d0fa1e2c0f19aff4316580c6a0b23d"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19830,13 +19830,13 @@ rule REVERSINGLABS_Win32_Ransomware_Nanolocker : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects NanoLocker ransomware."
 author = "ReversingLabs"
- id = "ea1f8987-3112-507e-8e4e-84b2f3d8a187"
+ id = "a31dad2e-2738-527b-a6e9-322757e2ec30"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.NanoLocker.yara#L1-L79"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7fdb021f22d97bf8a00fd856ef913695a0d6fbaad1138b5a5cc2cc8768b130be"
+ logic_hash = "7fdb021f22d97bf8a00fd856ef913695a0d6fbaad1138b5a5cc2cc8768b130be"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -19910,13 +19910,13 @@ rule REVERSINGLABS_Win32_Ransomware_Alcatraz : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects Alcatraz ransomware."
 author = "ReversingLabs"
- id = "1703e33f-493a-5921-9487-392b67b089ca"
+ id = "7ff37483-ae63-5c82-a355-81ef68e2f663"
 date = "2020-07-28"
 modified = "2020-07-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Alcatraz.yara#L1-L91"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ddd35c8da0c08bce17cacfba8bb8a8b8a8c08c3e59261a88a79c63b03d29000f"
+ logic_hash = "ddd35c8da0c08bce17cacfba8bb8a8b8a8c08c3e59261a88a79c63b03d29000f"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -20006,13 +20006,13 @@ rule REVERSINGLABS_Win32_Ransomware_Bitcrypt : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects BitCrypt ransomware."
 author = "ReversingLabs"
- id = "ced7d4d8-cbf5-5bb5-9f9f-6e41a183630e"
+ id = "f00a0fd8-31a9-5ee6-b560-09ccf6fe490b"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BitCrypt.yara#L3-L112"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_66cfe16a182e7f20d6358be9569ada5e6c36c94d44781d8c741638e1b174d44e"
+ logic_hash = "66cfe16a182e7f20d6358be9569ada5e6c36c94d44781d8c741638e1b174d44e"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -20113,13 +20113,13 @@ rule REVERSINGLABS_Win32_Ransomware_Lockbit : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects LockBit ransomware."
 author = "ReversingLabs"
- id = "c51b16bb-3e7b-56a6-ab9c-83e6ea0f782d"
+ id = "9a6405dc-da1f-5426-a424-a73bceb1928c"
 date = "2022-03-31"
 modified = "2022-03-31"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.LockBit.yara#L1-L282"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_030222bd659c7e0e03858fa062067b1483aca3b7973cce19a1e7cdbb48d4405c"
+ logic_hash = "030222bd659c7e0e03858fa062067b1483aca3b7973cce19a1e7cdbb48d4405c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -20356,13 +20356,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sevensevenseven : TC_DETECTION MALICIOUS MAL
 meta:
 description = "Yara rule that detects SevenSevenSeven ransomware."
 author = "ReversingLabs"
- id = "30629ea0-ba08-5455-b408-2a5077212cf6"
+ id = "049531bd-9505-5da1-9512-980383c8c5ec"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.SevenSevenSeven.yara#L1-L148"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_583a8ac746cd749bd3927f10c864a3ac84f82f8bbd8d0ebf117e22b016d7ca94"
+ logic_hash = "583a8ac746cd749bd3927f10c864a3ac84f82f8bbd8d0ebf117e22b016d7ca94"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -20481,13 +20481,13 @@ rule REVERSINGLABS_Linux_Ransomware_Gwisinlocker : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects GwisinLocker ransomware."
 author = "ReversingLabs"
- id = "e8e7151a-bc99-5280-8791-13ec0c052a4c"
+ id = "9f00e1b4-3692-5824-b614-724073532c1f"
 date = "2022-10-11"
 modified = "2022-10-11"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.GwisinLocker.yara#L1-L354"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c23c0b73bbefbd644ffe1398e1f14eec3a89945cb3c3ccbc6f46c57046b53505"
+ logic_hash = "c23c0b73bbefbd644ffe1398e1f14eec3a89945cb3c3ccbc6f46c57046b53505"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -20790,13 +20790,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cicada3301 : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects Cicada3301 ransomware."
 author = "ReversingLabs"
- id = "65af6436-83c2-5d93-b08b-bd067ed78f8d"
+ id = "c1a60870-0b68-5f2f-a74f-34e493a5e251"
 date = "2024-10-09"
 modified = "2024-10-09"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cicada3301.yara#L1-L309"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9479667fd4c7f865607ece6af985ab6fa7b62f98738c338e4155059551db8a21"
+ logic_hash = "9479667fd4c7f865607ece6af985ab6fa7b62f98738c338e4155059551db8a21"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21073,13 +21073,13 @@ rule REVERSINGLABS_Win32_Ransomware_Teslarvng : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects Teslarvng ransomware."
 author = "ReversingLabs"
- id = "060b098c-64fb-5f81-8311-4474be306bf9"
+ id = "7045b13e-95a5-54da-b540-75d464e7673d"
 date = "2020-12-14"
 modified = "2020-12-14"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Teslarvng.yara#L1-L137"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_670621aa196a80fbb694e4b1690d7da60e881c5b826133939e61cd6c2406ea98"
+ logic_hash = "670621aa196a80fbb694e4b1690d7da60e881c5b826133939e61cd6c2406ea98"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21201,13 +21201,13 @@ rule REVERSINGLABS_Win32_Ransomware_FCT : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects FCT ransomware."
 author = "ReversingLabs"
- id = "d50f50ce-42e7-5532-9606-236d3b6823d5"
+ id = "ea3d5514-d6f2-5fd0-9247-a3f6b920d8d9"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FCT.yara#L1-L86"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b158ad56c92a926f7398a27b3576c259e39c9716ef192fa5944ce3cffdc6d7d0"
+ logic_hash = "b158ad56c92a926f7398a27b3576c259e39c9716ef192fa5944ce3cffdc6d7d0"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21283,13 +21283,13 @@ rule REVERSINGLABS_Win32_Ransomware_Hydracrypt : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects HydraCrypt ransomware."
 author = "ReversingLabs"
- id = "4a24ea1f-08f8-594f-93c6-c03cc0213d04"
+ id = "2e780f7c-8d6d-51c8-b65e-330cc3b17bb7"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HydraCrypt.yara#L1-L174"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_910a6f23f06cecb8d3115ebfed42a66412dbd0d3a519e39f21df81b0c2028f48"
+ logic_hash = "910a6f23f06cecb8d3115ebfed42a66412dbd0d3a519e39f21df81b0c2028f48"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21439,13 +21439,13 @@ rule REVERSINGLABS_Win32_Ransomware_Xorist : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Xorist ransomware."
 author = "ReversingLabs"
- id = "4c1710ed-be11-5d31-b0dc-01c41e23c5b9"
+ id = "804ae039-fc3b-5f19-860e-df9efe87ee4d"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Xorist.yara#L1-L150"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c428838cdd103f62508a23c9333b08567625291e110aa437324ecf37c62dca36"
+ logic_hash = "c428838cdd103f62508a23c9333b08567625291e110aa437324ecf37c62dca36"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21572,13 +21572,13 @@ rule REVERSINGLABS_Win32_Ransomware_Nemty : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Nemty ransomware."
 author = "ReversingLabs"
- id = "da3216eb-b3bd-5656-976b-6e7cd21cfcdb"
+ id = "c56ecd32-5903-5bcc-aa69-a070f2c247c4"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Nemty.yara#L1-L205"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_dc8cfdcdea8ecb2018b1b04bb1b645f6dbdc6c07357719100677c75945edef40"
+ logic_hash = "dc8cfdcdea8ecb2018b1b04bb1b645f6dbdc6c07357719100677c75945edef40"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21757,13 +21757,13 @@ rule REVERSINGLABS_Win32_Ransomware_Notpetya : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects NotPetya ransomware."
 author = "ReversingLabs"
- id = "61a218f3-1c98-5204-af76-34dede62cfbb"
+ id = "ea655048-4ef7-5dd7-872e-f1c2e38234cf"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.NotPetya.yara#L1-L73"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_328f0e527fee2145879ee13c003d375db832f7f3eacf7a1eb303393c1c8b5a36"
+ logic_hash = "328f0e527fee2145879ee13c003d375db832f7f3eacf7a1eb303393c1c8b5a36"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21831,13 +21831,13 @@ rule REVERSINGLABS_Win32_Ransomware_Jsworm : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects JSWorm ransomware."
 author = "ReversingLabs"
- id = "ccdfa97c-ca84-5741-b00f-26cb9b2b4ee3"
+ id = "a4702cc3-1e08-5631-b832-5d28cb92a819"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.JSWorm.yara#L1-L93"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8ba5e2f29f5f06e6e6714bbba1129862da8c3a83bf7f296818eddee2593cae38"
+ logic_hash = "8ba5e2f29f5f06e6e6714bbba1129862da8c3a83bf7f296818eddee2593cae38"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -21925,13 +21925,13 @@ rule REVERSINGLABS_Win32_Ransomware_Babuk : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Babuk ransomware."
 author = "ReversingLabs"
- id = "74ae99f1-4046-504f-adfb-e11775adb15e"
+ id = "8a96f400-193f-5fd1-ba03-4da464345e1c"
 date = "2021-01-26"
 modified = "2021-01-26"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Babuk.yara#L1-L117"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_70327b3f9d0b0505ade7ee6de6d7facf56820c7e8477bd172f738f374311144f"
+ logic_hash = "70327b3f9d0b0505ade7ee6de6d7facf56820c7e8477bd172f738f374311144f"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22034,13 +22034,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Invert : TC_DETECTION MALICIOUS MALW
 meta:
 description = "Yara rule that detects Invert ransomware."
 author = "ReversingLabs"
- id = "4b14fa6d-14bd-5e50-8c95-94f5f3ed262c"
+ id = "7ef77946-a902-5dc6-9b3c-b7b6a687eb96"
 date = "2021-11-11"
 modified = "2021-11-11"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Invert.yara#L1-L66"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1608b8bbfc03b18a79752e60f211da7d7703862bc06b2ddf094074ae5efd0d14"
+ logic_hash = "1608b8bbfc03b18a79752e60f211da7d7703862bc06b2ddf094074ae5efd0d14"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22094,13 +22094,13 @@ rule REVERSINGLABS_Win32_Ransomware_Jormungand : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects Jormungand ransomware."
 author = "ReversingLabs"
- id = "9299fd4c-e337-5c60-b685-b5cdf5ba6fa9"
+ id = "418c3d9f-2338-593f-a8ec-a1e25afa50d4"
 date = "2021-10-22"
 modified = "2021-10-22"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Jormungand.yara#L1-L135"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_049eb4533b37d8d72e50dd1e803a897758386643770d47b3e7690f58e44d5236"
+ logic_hash = "049eb4533b37d8d72e50dd1e803a897758386643770d47b3e7690f58e44d5236"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22217,13 +22217,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ragnarlocker : TC_DETECTION MALICIOUS MALWAR
 meta:
 description = "Yara rule that detects RagnarLocker ransomware."
 author = "ReversingLabs"
- id = "69f546bd-78e1-50f7-880d-d7b3eadeb9fa"
+ id = "3bc3765a-f1f8-59bc-bbe8-6821654b334f"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RagnarLocker.yara#L1-L108"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_398f0e5e003f87edf90cdea718be6b10470df317214d00db4dc6c4cccc5b6748"
+ logic_hash = "398f0e5e003f87edf90cdea718be6b10470df317214d00db4dc6c4cccc5b6748"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22319,13 +22319,13 @@ rule REVERSINGLABS_Win32_Ransomware_Erica : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Erica ransomware."
 author = "ReversingLabs"
- id = "f556e8fd-4948-5cc3-ac3f-0b6209bde869"
+ id = "38f57157-bd49-5a63-8c69-497eb9efe274"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Erica.yara#L1-L76"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_93512091943f3a3b395c38fa3b0f5ecdbbf1cdf967ccfea4d7145c940076e046"
+ logic_hash = "93512091943f3a3b395c38fa3b0f5ecdbbf1cdf967ccfea4d7145c940076e046"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22392,13 +22392,13 @@ rule REVERSINGLABS_Win32_Ransomware_NB65 : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects NB65 ransomware."
 author = "ReversingLabs"
- id = "a239df8f-f3ea-587e-b35c-5ce8a0253115"
+ id = "1aba009e-8065-5fb0-98e7-a595cb324076"
 date = "2022-06-01"
 modified = "2022-06-01"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.NB65.yara#L1-L68"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f8a0e265fc72a9f017b37ce4b6dbb878285a5d298ab1b8c69f9fde7159426981"
+ logic_hash = "f8a0e265fc72a9f017b37ce4b6dbb878285a5d298ab1b8c69f9fde7159426981"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22454,13 +22454,13 @@ rule REVERSINGLABS_Win32_Ransomware_Juicylemon : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects JuicyLemon ransomware."
 author = "ReversingLabs"
- id = "4c0f3f01-29e4-5bba-8258-9fa9757800c0"
+ id = "35e4bbd6-422b-562e-98fc-fe932270dbb8"
 date = "2020-08-17"
 modified = "2020-08-17"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.JuicyLemon.yara#L1-L116"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_596d89843793307f4940dbb85b2e7081f02250f6adfdcd01f2d3c5f2b8b90875"
+ logic_hash = "596d89843793307f4940dbb85b2e7081f02250f6adfdcd01f2d3c5f2b8b90875"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22573,13 +22573,13 @@ rule REVERSINGLABS_Win32_Ransomware_Crypren : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Crypren ransomware."
 author = "ReversingLabs"
- id = "e19efa6c-afc4-53ea-b72a-9ec01f75290e"
+ id = "9a6ff190-b26b-5b75-9103-95a3b2e80701"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Crypren.yara#L1-L144"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7047d48782762e42544063fde6f2be62eb19f22853ea84abb5bce67c962da172"
+ logic_hash = "7047d48782762e42544063fde6f2be62eb19f22853ea84abb5bce67c962da172"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22705,13 +22705,13 @@ rule REVERSINGLABS_Win32_Ransomware_Mountlocker : TC_DETECTION MALICIOUS MALWARE
 meta:
 description = "Yara rule that detects MountLocker ransomware."
 author = "ReversingLabs"
- id = "463dedc6-95e7-5d3c-aa77-a91e7dbb5f7c"
+ id = "8ce7e5c4-9eca-5dd2-ab92-39b915900d72"
 date = "2021-03-25"
 modified = "2021-03-25"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.MountLocker.yara#L1-L86"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d203217c229d54802e96e19dc66d38ecb0443d19e0492efe337df471a99559dc"
+ logic_hash = "d203217c229d54802e96e19dc66d38ecb0443d19e0492efe337df471a99559dc"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22787,13 +22787,13 @@ rule REVERSINGLABS_Win32_Ransomware_Vhdlocker : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects VHDLocker ransomware."
 author = "ReversingLabs"
- id = "33ecee3f-b31f-5b96-bb66-178f11643df4"
+ id = "696f8145-342b-5da5-b9ec-6f0d16afc465"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.VHDLocker.yara#L1-L152"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_39d1fbfc79d5ea866498bb1e40d2290469df774ce65b1da04a85c0e4e5b4493c"
+ logic_hash = "39d1fbfc79d5ea866498bb1e40d2290469df774ce65b1da04a85c0e4e5b4493c"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -22929,13 +22929,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Wildfire : TC_DETECTION MALICIOUS MA
 meta:
 description = "Yara rule that detects WildFire ransomware."
 author = "ReversingLabs"
- id = "1df2a243-2ba1-5198-8da8-0d6dc31d8621"
+ id = "0c44f017-703c-5db7-b777-62fcd181af9a"
 date = "2021-08-12"
 modified = "2021-08-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.WildFire.yara#L1-L77"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d3be2eac7967853aae6e1317d9c22d95a3dc4b3e5bf8acbe97a7bbeabc9eab38"
+ logic_hash = "d3be2eac7967853aae6e1317d9c22d95a3dc4b3e5bf8acbe97a7bbeabc9eab38"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23008,13 +23008,13 @@ rule REVERSINGLABS_Win32_Ransomware_Fuxsocy : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects FuxSocy ransomware."
 author = "ReversingLabs"
- id = "04f68f21-3158-5248-a160-5b66bd75befc"
+ id = "f4a45469-9d51-523f-8238-c7044f353cf6"
 date = "2021-03-01"
 modified = "2021-03-01"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FuxSocy.yara#L1-L114"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8b3c04eb5d60fcc82e47cb8e78da0a98642666546d6799baef24b56926e3aceb"
+ logic_hash = "8b3c04eb5d60fcc82e47cb8e78da0a98642666546d6799baef24b56926e3aceb"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23117,13 +23117,13 @@ rule REVERSINGLABS_Win32_Ransomware_Major : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Major ransomware."
 author = "ReversingLabs"
- id = "76b0e4bc-47c2-586f-9bb5-88996b6be84e"
+ id = "0c85aff8-1fb5-5e47-ae49-72445a000eaa"
 date = "2021-01-26"
 modified = "2021-01-26"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Major.yara#L1-L261"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_16fb7763e3806fca6937fef7e8b3d8bccd61cb39549061d359d630c7d266c270"
+ logic_hash = "16fb7763e3806fca6937fef7e8b3d8bccd61cb39549061d359d630c7d266c270"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23364,13 +23364,13 @@ rule REVERSINGLABS_Win32_Ransomware_Blackcat : TC_DETECTION MALICIOUS MALWARE FI
 meta:
 description = "Yara rule that detects BlackCat ransomware."
 author = "ReversingLabs"
- id = "145b65fa-267e-58be-9e65-0b63f07b686c"
+ id = "e623340d-8df8-5f13-b75f-379bd0038f64"
 date = "2022-02-14"
 modified = "2022-02-14"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlackCat.yara#L1-L109"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_24932baa625aedd14b5776ba3209c9ee330e84538c5267eeb5e09e352f655835"
+ logic_hash = "24932baa625aedd14b5776ba3209c9ee330e84538c5267eeb5e09e352f655835"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23461,13 +23461,13 @@ rule REVERSINGLABS_Win32_Ransomware_Matsnu : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Matsnu ransomware."
 author = "ReversingLabs"
- id = "4f81e07e-2260-521c-a683-29d70e15556e"
+ id = "2f0bddd5-bd48-5d38-84f4-2dbccbe04a46"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Matsnu.yara#L1-L116"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_76ef1b4a292f27ccd904e80f0279a7a327f7399a21f2266ef3ea959e5339ffac"
+ logic_hash = "76ef1b4a292f27ccd904e80f0279a7a327f7399a21f2266ef3ea959e5339ffac"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23578,13 +23578,13 @@ rule REVERSINGLABS_Win32_Ransomware_Buran : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Buran ransomware."
 author = "ReversingLabs"
- id = "74865ff1-dcf3-5571-94b1-e9019d1a1fd7"
+ id = "c2a36a8b-5c21-5c31-994d-b424c038dd21"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Buran.yara#L1-L91"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5606e0acecd99ccf2feaa995353211302903a09bb2c4ec65903566215e2d5ca4"
+ logic_hash = "5606e0acecd99ccf2feaa995353211302903a09bb2c4ec65903566215e2d5ca4"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23662,13 +23662,13 @@ rule REVERSINGLABS_Win32_Ransomware_Spora : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Spora ransomware."
 author = "ReversingLabs"
- id = "2c01082a-d96f-5816-b00c-0cab015a270b"
+ id = "f07ee1d4-d99b-5cbf-a1f0-a3802d9e3b47"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Spora.yara#L1-L124"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4e18bb42277ce9194bf75fa45d95ea7e2bd51c5d7791d3d6e013fc07626e65b0"
+ logic_hash = "4e18bb42277ce9194bf75fa45d95ea7e2bd51c5d7791d3d6e013fc07626e65b0"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23785,13 +23785,13 @@ rule REVERSINGLABS_Win32_Ransomware_IFN643 : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects IFN643 ransomware."
 author = "ReversingLabs"
- id = "713e6789-9353-57c2-ae66-8a9e3dbb5fbc"
+ id = "a4d211a7-6735-541e-885d-555bbc11e2cf"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.IFN643.yara#L1-L90"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ced234018f1f05601dd3be55eaecd2a1e116ad0b7bb9e0292434f11f19916ebe"
+ logic_hash = "ced234018f1f05601dd3be55eaecd2a1e116ad0b7bb9e0292434f11f19916ebe"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23877,13 +23877,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Venom : TC_DETECTION MALICIOUS MALWA
 meta:
 description = "Yara rule that detects Venom ransomware."
 author = "ReversingLabs"
- id = "e6d9fcb4-2483-5517-9582-116d435bfc82"
+ id = "72149ec2-888e-5bed-baf1-0ec44e48328e"
 date = "2022-06-06"
 modified = "2022-06-06"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Venom.yara#L1-L68"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5817ece6a1cc304835f7fc243c4cfdc3c7cacd2251a9ac294a6662b58d2552e8"
+ logic_hash = "5817ece6a1cc304835f7fc243c4cfdc3c7cacd2251a9ac294a6662b58d2552e8"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -23939,13 +23939,13 @@ rule REVERSINGLABS_Win64_Ransomware_Ako : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Ako ransomware."
 author = "ReversingLabs"
- id = "6c33e546-a1f6-56bb-8d3e-a7ae355c86e3"
+ id = "fce98a6a-f7bd-52ee-a2b8-31b48f6134ca"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Ako.yara#L1-L173"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8321a4ace66ae48e3a6896daf02c184fa7767fa6bd10cd83b322ad01698008cf"
+ logic_hash = "8321a4ace66ae48e3a6896daf02c184fa7767fa6bd10cd83b322ad01698008cf"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -24102,13 +24102,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Chupacabra : TC_DETECTION MALICIOUS
 meta:
 description = "Yara rule that detects ChupaCabra ransomware."
 author = "ReversingLabs"
- id = "baf9bd45-3e5b-5dde-8908-6e0c91323154"
+ id = "e44a101d-53c3-51f2-84ca-f6a5858c169b"
 date = "2021-10-12"
 modified = "2021-10-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.ChupaCabra.yara#L1-L90"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7f247778e0bd8057670abf42b2d1011ebae891ffcb21ebad50060f9a7986bf93"
+ logic_hash = "7f247778e0bd8057670abf42b2d1011ebae891ffcb21ebad50060f9a7986bf93"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -24184,13 +24184,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cybervolk : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects CyberVolk ransomware."
 author = "ReversingLabs"
- id = "bd76fc9e-c52f-5be3-be3e-db6321f20734"
+ id = "4d8bf096-d5c9-5a77-99e6-2c66e480da36"
 date = "2024-11-27"
 modified = "2024-11-27"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CyberVolk.yara#L1-L293"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_59ed7c4f576fa7cd4cceb724d14f258598c140e434ed309fe2e599c3aaa667d9"
+ logic_hash = "59ed7c4f576fa7cd4cceb724d14f258598c140e434ed309fe2e599c3aaa667d9"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -24450,13 +24450,13 @@ rule REVERSINGLABS_Win32_Ransomware_Mafia : TC_DETECTION MALICIOUS MALWARE FILE
 meta:
 description = "Yara rule that detects Mafia ransomware."
 author = "ReversingLabs"
- id = "c1408b50-2233-5a66-a081-aed696fb99dd"
+ id = "67f09000-751f-539a-b222-25b1502c2728"
 date = "2020-07-15"
 modified = "2020-07-15"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Mafia.yara#L1-L142"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5c17b799f0b4f1f8f72a2e4203a6606f7783ceec2034694f8a21ff65e5afdb26"
+ logic_hash = "5c17b799f0b4f1f8f72a2e4203a6606f7783ceec2034694f8a21ff65e5afdb26"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -24582,13 +24582,13 @@ rule REVERSINGLABS_Win64_Ransomware_Vovalex : TC_DETECTION MALICIOUS MALWARE FIL
 meta:
 description = "Yara rule that detects Vovalex ransomware."
 author = "ReversingLabs"
- id = "06cfa4bf-a8d6-5945-a822-71fbba681ce2"
+ id = "dd4d7969-1afc-5e5d-9324-89f432523173"
 date = "2021-03-12"
 modified = "2021-03-12"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Vovalex.yara#L1-L81"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0c0f065224988bcba45b5aba2dceb080479b0bab235d544daabc3cae72e48318"
+ logic_hash = "0c0f065224988bcba45b5aba2dceb080479b0bab235d544daabc3cae72e48318"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -24660,13 +24660,13 @@ rule REVERSINGLABS_Win32_Ransomware_Dogecrypt : TC_DETECTION MALICIOUS MALWARE F
 meta:
 description = "Yara rule that detects DogeCrypt ransomware."
 author = "ReversingLabs"
- id = "02134ccd-416a-5fd0-801d-4edea616554c"
+ id = "e0ca22a5-70bb-5d2c-bce4-bac49c2a81d2"
 date = "2021-04-28"
 modified = "2021-04-28"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DogeCrypt.yara#L1-L114"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1c19862884cf1e59d12c84f5ff6f799a4087ddc8bd887e0d2ce7da053642b851"
+ logic_hash = "1c19862884cf1e59d12c84f5ff6f799a4087ddc8bd887e0d2ce7da053642b851"
 score = 75
 quality = 90
 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE"
@@ -24767,13 +24767,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptofortress : TC_DETECTION MALICIOUS MALW meta: description = "Yara rule that detects CryptoFortress ransomware." author = "ReversingLabs" - id = "34f8c19c-2ce3-53f0-ae30-64d0fcc3660c" + id = "460289b1-f775-5e0b-8c44-4f6e5c92da60" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoFortress.yara#L1-L162" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_474893b63523de5ff9eb8a0c91b0677b99ce65056af7f5d02a73e43fa65453c9" + logic_hash = "474893b63523de5ff9eb8a0c91b0677b99ce65056af7f5d02a73e43fa65453c9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -24915,13 +24915,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ferrlock : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects Ferrlock ransomware." author = "ReversingLabs" - id = "d2c00d5c-e9b0-57d6-9337-75c05da100b7" + id = "745ce529-46d0-56ed-a8fa-b41b26b068f4" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ferrlock.yara#L1-L131" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b94bc77489dbb74573813631009e605bc848e17995a0a512d08b194ee3020b75" + logic_hash = "b94bc77489dbb74573813631009e605bc848e17995a0a512d08b194ee3020b75" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25033,13 +25033,13 @@ rule REVERSINGLABS_Win64_Ransomware_Antiwar : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects AntiWar ransomware." author = "ReversingLabs" - id = "695dff11-4454-5247-bdf0-58f2a4ece393" + id = "3113ec26-e149-527b-9478-4dd86c7fa464" date = "2022-04-21" modified = "2022-04-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.AntiWar.yara#L1-L146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2d885f35454aaf7cb33f03c30b6681aa16cbe8353003bbae0b1e9fdecb2ff8a7" + logic_hash = "2d885f35454aaf7cb33f03c30b6681aa16cbe8353003bbae0b1e9fdecb2ff8a7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -25167,13 +25167,13 @@ rule REVERSINGLABS_Win64_Ransomware_Redroman : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects RedRoman ransomware." author = "ReversingLabs" - id = "0cc3a539-d201-58f3-b91d-ad0ebb6cd199" + id = "c860586a-fa50-5bb4-a3b4-13506f9d6030" date = "2021-05-10" modified = "2021-05-10" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.RedRoman.yara#L1-L82" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6fb2ac0e7f7ac095766e27c057e5124406dc493c08d01a7e5381403d794c7240" + logic_hash = "6fb2ac0e7f7ac095766e27c057e5124406dc493c08d01a7e5381403d794c7240" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25246,13 +25246,13 @@ rule REVERSINGLABS_Win32_Ransomware_Kangaroo : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects Kangaroo ransomware." author = "ReversingLabs" - id = "6d04fc64-f4de-5d28-8c1c-932c771817c0" + id = "ec4342c1-adc9-5ddb-b403-83c2b1ce5899" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Kangaroo.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1078fb3d47ad737548419e5ee66e686f705c02fea27a58c0097446547325772c" + logic_hash = "1078fb3d47ad737548419e5ee66e686f705c02fea27a58c0097446547325772c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -25330,13 +25330,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Povlsomware : TC_DETECTION MALICIOUS meta: description = "Yara rule that detects Povlsomware ransomware." author = "ReversingLabs" - id = "013359d7-6904-5ac0-bf46-76b75bee6555" + id = "317d7cca-4fe8-55ab-8f5f-e42be727ec26" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara#L1-L64" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_465dc1b1d7e9eb3091f36efb51029cd3383d05ece054e814b18f379e58c7e457" + logic_hash = "465dc1b1d7e9eb3091f36efb51029cd3383d05ece054e814b18f379e58c7e457" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25388,13 +25388,13 @@ rule REVERSINGLABS_Win32_Ransomware_Blackbasta : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects BlackBasta ransomware." author = "ReversingLabs" - id = "eb74273e-c6ac-5094-a012-afe5645ddeff" + id = "7c451fde-b8b1-5a35-855e-7e30f3e75cbb" date = "2022-12-13" modified = "2022-12-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BlackBasta.yara#L1-L531" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c68671e51489af00e9e0cf28373e5ec01bda042653dbcca8843357eede41f27f" + logic_hash = "c68671e51489af00e9e0cf28373e5ec01bda042653dbcca8843357eede41f27f" score = 75 quality = 88 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -25792,13 +25792,13 @@ rule REVERSINGLABS_Win32_Ransomware_Bananacrypt : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects BananaCrypt ransomware." author = "ReversingLabs" - id = "d0677fd0-6654-5db4-abe8-d1168dd7e842" + id = "9e47d094-d7fc-57dd-826c-5321d0219273" date = "2020-09-14" modified = "2020-09-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BananaCrypt.yara#L1-L103" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6bde4430e438947b0d7f10c4de11216929ec03af81b3d74f8b7bb8ed134d08d2" + logic_hash = "6bde4430e438947b0d7f10c4de11216929ec03af81b3d74f8b7bb8ed134d08d2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -25890,13 +25890,13 @@ rule REVERSINGLABS_Win64_Ransomware_Hotcoffee : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects HotCoffee ransomware." author = "ReversingLabs" - id = "3ffb7dc9-c571-51a8-bd51-c08189dfa69f" + id = "11b26b91-96ae-58d3-8a8a-02a3e7d0b82e" date = "2021-11-25" modified = "2021-11-25" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.HotCoffee.yara#L1-L111" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_15ae428c37fcc5a09d324fd9be5a8df3a812e6459cb1ce8eec56eabf785b4c05" + logic_hash = "15ae428c37fcc5a09d324fd9be5a8df3a812e6459cb1ce8eec56eabf785b4c05" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -25990,13 +25990,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Fantom : TC_DETECTION MALICIOUS MALW meta: description = "Yara rule that detects Fantom ransomware." author = "ReversingLabs" - id = "e6a91181-dbbf-5d6d-b20c-add58f1b0098" + id = "cd32de8b-2c14-5fb4-be79-365d9848f341" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Fantom.yara#L1-L97" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f2aaa9776b7ca302052b3303d45df24cc151a4efc7ea9f4bb3c1f53d10ded03a" + logic_hash = "f2aaa9776b7ca302052b3303d45df24cc151a4efc7ea9f4bb3c1f53d10ded03a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26082,13 +26082,13 @@ rule REVERSINGLABS_Win32_Ransomware_Outsider : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects Outsider ransomware." author = "ReversingLabs" - id = "23f5d65c-d318-5f0d-94b8-fb1254fe67f4" + id = "44edccb1-9e2a-5ff9-b4b5-72ceec2f7947" date = "2020-10-23" modified = "2020-10-23" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Outsider.yara#L1-L88" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_80c5a93b5b72b7b66e36f1726486b0c7620588d05bd925510d76f020a40b124c" + logic_hash = "80c5a93b5b72b7b66e36f1726486b0c7620588d05bd925510d76f020a40b124c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -26163,13 +26163,13 @@ rule REVERSINGLABS_Win32_Ransomware_DMR : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects DMR ransomware." author = "ReversingLabs" - id = "27cefe87-afb3-53cc-886c-6a55e0e37d0c" + id = "45d8f91f-d2d0-5c6e-a29e-b8c9c29dc296" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.DMR.yara#L1-L214" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_55e19f3017c2cc8355c27f9a516e611b58b108f15bfed41b88d5662b55677a59" + logic_hash = "55e19f3017c2cc8355c27f9a516e611b58b108f15bfed41b88d5662b55677a59" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26366,13 +26366,13 @@ rule REVERSINGLABS_Win32_Ransomware_Chichi : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects ChiChi ransomware." author = "ReversingLabs" - id = "822cfd19-71f4-5303-a544-dc8ff1093e5b" + id = "95062789-a55d-5c1c-a359-206b58f311e5" date = "2022-02-14" modified = "2022-02-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ChiChi.yara#L1-L66" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_863a30e4c708e13ea0f4c6ad42a919de463926508783d6552c0cec746730baa5" + logic_hash = "863a30e4c708e13ea0f4c6ad42a919de463926508783d6552c0cec746730baa5" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -26426,13 +26426,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Wormlocker : TC_DETECTION MALICIOUS meta: description = "Yara rule that detects WormLocker ransomware." author = "ReversingLabs" - id = "2b49e09a-17ac-5080-b183-efd5a74faa42" + id = "6d7b55b7-2e1b-56e0-950f-07a2d3fa17ae" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara#L1-L69" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_87a4f805de78d7e7dffb176302407453108ca01552c682aeee38f8d0201263c9" + logic_hash = "87a4f805de78d7e7dffb176302407453108ca01552c682aeee38f8d0201263c9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26488,13 +26488,13 @@ rule REVERSINGLABS_Win32_Ransomware_Montserrat : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects Montserrat ransomware." author = "ReversingLabs" - id = "9204116c-399d-50e9-87e9-fae2ce6da73f" + id = "deeb5f1a-1329-5964-93e1-8ca6a20fcd89" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Montserrat.yara#L1-L118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c8782a8cb2b87e76ff1f804ee8affd01405827d0914ea725bb0e9ddace7dde10" + logic_hash = "c8782a8cb2b87e76ff1f804ee8affd01405827d0914ea725bb0e9ddace7dde10" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -26597,13 +26597,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sage : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Sage ransomware." author = "ReversingLabs" - id = "f5f41fd2-5c17-58ef-a2f6-99998fd076dd" + id = "81f4c666-93f9-51bb-8dda-431ef7a81b74" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sage.yara#L1-L77" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_69079b7176050096cdbaaaff30dd0359366b3a6a74e8bc17db348794388f71ba" + logic_hash = "69079b7176050096cdbaaaff30dd0359366b3a6a74e8bc17db348794388f71ba" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26668,13 +26668,13 @@ rule REVERSINGLABS_Win32_Ransomware_Satana : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Satana ransomware." author = "ReversingLabs" - id = "75c4a0cd-dfd0-5b8b-99fb-39f00da5ce7a" + id = "8dc5bf7c-d4cb-5961-804b-035676dacbc0" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Satana.yara#L1-L123" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5deb6ac2e8b64fb6f7af8c41a9b9e695668ca66c96c65f0c7350b11cd4ae0c50" + logic_hash = "5deb6ac2e8b64fb6f7af8c41a9b9e695668ca66c96c65f0c7350b11cd4ae0c50" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -26783,13 +26783,13 @@ rule REVERSINGLABS_Win32_Ransomware_Globeimposter : TC_DETECTION MALICIOUS MALWA meta: description = "Yara rule that detects GlobeImposter ransomware." author = "ReversingLabs" - id = "7dc040e8-e5f8-5ed1-ac83-13394951a161" + id = "6634a554-b4bb-503d-a4f1-9997b4caa1f0" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GlobeImposter.yara#L1-L171" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4345a767f270428f3b509fdad5a96bf9b494b190d3a836c4bf53dfd75da5bacb" + logic_hash = "4345a767f270428f3b509fdad5a96bf9b494b190d3a836c4bf53dfd75da5bacb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -26935,14 +26935,14 @@ rule REVERSINGLABS_Win32_Ransomware_ONI : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Oni ransomware." author = "ReversingLabs" - id = "dff47f41-92e1-5a62-933e-cada3a698604" - date = "2024-12-22" - date = "2024-12-22" + id = "9190aee2-1119-546e-82ca-a7aba44a9d7f" + date = "2024-12-23" + date = "2024-12-23" modified = "2020-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Oni.yara#L1-L82" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_685abf5a5edba5bae19faaf6521ce617370cdab1404fe84d846e82a60182dfff" + logic_hash = "685abf5a5edba5bae19faaf6521ce617370cdab1404fe84d846e82a60182dfff" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -27011,13 +27011,13 @@ rule REVERSINGLABS_Linux_Ransomware_Killdisk : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects KillDisk ransomware." author = "ReversingLabs" - id = "7c9c113f-2e7d-5b1e-a6e9-3cdae37c9499" + id = "af6652dd-c668-5ae1-b51b-e272cb440c20" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Linux.Ransomware.KillDisk.yara#L1-L144" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3ed1fb2b7b24cd4d5100d93ed53a9ab28e1482bd0998a0538d8710a962ee839f" + logic_hash = "3ed1fb2b7b24cd4d5100d93ed53a9ab28e1482bd0998a0538d8710a962ee839f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
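Review bot: The new side of the REVERSINGLABS_Win32_Ransomware_ONI meta block still carries the `date` key twice (`+ date = "2024-12-23"` on two consecutive lines), and the bumped value now sits after `modified = "2020-12-07"`, so the rule claims to have been modified four years before it was created; every other hunk on this page has a single `date` equal to `modified`. The commit only rewrites the duplicated value, it does not remove the duplicate, which suggests the upstream generator is emitting the date twice for this one rule — worth fixing at the source rather than in the regenerated output. The intended block is presumably `date = "2020-12-07"` followed by `modified = "2020-12-07"`, matching the sibling rules; confirm against the ReversingLabs source file linked in `source_url`. The rule's `strings`/`condition` sections lie outside this hunk.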
@@ -27150,13 +27150,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ransomplus : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects RansomPlus ransomware." author = "ReversingLabs" - id = "02e8240a-c6d6-559f-bc7a-d80c802a1373" + id = "ee96eab6-104d-560f-adae-6d5f0ba5d469" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RansomPlus.yara#L1-L95" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8ab18c6bcb939eac0e74f015dea773141b5086c5fcb4783666eeac1f395bc208" + logic_hash = "8ab18c6bcb939eac0e74f015dea773141b5086c5fcb4783666eeac1f395bc208" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -27247,13 +27247,13 @@ rule REVERSINGLABS_Win32_Ransomware_Hermes : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Hermes ransomware." author = "ReversingLabs" - id = "3e1dcb0e-59e6-5dbb-b48c-17a754fc5c5c" + id = "1f1f363a-5be0-59e5-b1c1-5e277922790c" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Hermes.yara#L1-L284" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6db95c422ee2f9dd8a1795031ee8d7d5ed84e16cde47512becc006b6a849e890" + logic_hash = "6db95c422ee2f9dd8a1795031ee8d7d5ed84e16cde47512becc006b6a849e890" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27499,13 +27499,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ryuk : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Ryuk ransomware." author = "ReversingLabs" - id = "14332f05-2428-5c37-8edb-b165e9d0b582" + id = "179c9277-0bdc-522a-a822-cf93febff408" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ryuk.yara#L1-L199" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bf93892b281be20917656e242cbb0f3b3694439556b7e5e40a424ba1aa909105" + logic_hash = "bf93892b281be20917656e242cbb0f3b3694439556b7e5e40a424ba1aa909105" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -27686,13 +27686,13 @@ rule REVERSINGLABS_Win32_Ransomware_Antefrigus : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects AnteFrigus ransomware." author = "ReversingLabs" - id = "79657c2b-611e-56cd-82b8-a5ea9d78dcc2" + id = "903ac92c-1a4a-5645-92db-d00b3bfd6ada" date = "2021-03-05" modified = "2021-03-05" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.AnteFrigus.yara#L1-L210" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b84c01da0ee97a4eb8bf099c71094f994feb4c7185ad75b8b2ccda5eee283a92" + logic_hash = "b84c01da0ee97a4eb8bf099c71094f994feb4c7185ad75b8b2ccda5eee283a92" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -27883,13 +27883,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cryptobit : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects CryptoBit ransomware." author = "ReversingLabs" - id = "89e39f4f-6bcd-577e-be63-6ddeebbb7886" + id = "8566e516-9884-5b20-90c4-7ed38fa96999" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.CryptoBit.yara#L1-L113" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ccc8a0f1c5e11211649992d0f2b309968c97b49f1c7359e62d622f364e117429" + logic_hash = "ccc8a0f1c5e11211649992d0f2b309968c97b49f1c7359e62d622f364e117429" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -27988,13 +27988,13 @@ rule REVERSINGLABS_Win32_Ransomware_Hddcryptor : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects HDDCryptor ransomware." author = "ReversingLabs" - id = "9d9d7c94-2850-589e-8224-93af2a20a8b7" + id = "2c6a8ca3-0f7a-52b7-af6d-74fa9407feca" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HDDCryptor.yara#L1-L157" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_47915f315bb4956507362f56024f5632cb1bcec569ceaf77fe9d7cb9c25d1d8a" + logic_hash = "47915f315bb4956507362f56024f5632cb1bcec569ceaf77fe9d7cb9c25d1d8a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28116,13 +28116,13 @@ rule REVERSINGLABS_Win32_Ransomware_Bkransomware : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects BKRansomware ransomware." author = "ReversingLabs" - id = "12f8e9a3-70c6-51ed-bee3-346fa751b0fe" + id = "88dc5c4a-046a-52e2-b108-0a90b91d4fb6" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.BKRansomware.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3118098f05a13bd161af0cb1ec322878b371ff70b9f3815a04115a214c0965a2" + logic_hash = "3118098f05a13bd161af0cb1ec322878b371ff70b9f3815a04115a214c0965a2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -28192,13 +28192,13 @@ rule REVERSINGLABS_Win32_Ransomware_Armage : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Armage ransomware." author = "ReversingLabs" - id = "f5773231-475a-5775-8848-404b6e017280" + id = "94cf639b-7d9e-51ca-b547-e0d591581df2" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Armage.yara#L1-L128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_aa8ddcbb0fdcad15e603e000db1d4f86eae7d42efce1c1d21dc3dd57ee9f4319" + logic_hash = "aa8ddcbb0fdcad15e603e000db1d4f86eae7d42efce1c1d21dc3dd57ee9f4319" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28311,13 +28311,13 @@ rule REVERSINGLABS_Win32_Ransomware_Targetcompany : TC_DETECTION MALICIOUS MALWA meta: description = "Yara rule that detects TargetCompany ransomware." author = "ReversingLabs" - id = "534b1b27-933f-55fd-a223-ee6b2343902d" + id = "7e6983f9-2aca-5cfa-aad6-38aa64fa2062" date = "2021-09-27" modified = "2021-09-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.TargetCompany.yara#L1-L141" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_05fa81afa8aa1e3b9955ad24a274ddef4fb32d678902af7aae6d6c67ed3bf0fd" + logic_hash = "05fa81afa8aa1e3b9955ad24a274ddef4fb32d678902af7aae6d6c67ed3bf0fd" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -28439,13 +28439,13 @@ rule REVERSINGLABS_Win32_Ransomware_Howareyou : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects HowAreYou ransomware." author = "ReversingLabs" - id = "1224d329-1fd2-5829-9871-0f07ab947ce0" + id = "998fbebe-099d-5779-ad4a-91b7b6c8ad6b" date = "2021-06-14" modified = "2021-06-14" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.HowAreYou.yara#L1-L205" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_90568365aac61d120886f9efa9822ccc23df79a1a55e522c81db6e77477c4f04" + logic_hash = "90568365aac61d120886f9efa9822ccc23df79a1a55e522c81db6e77477c4f04" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28631,13 +28631,13 @@ rule REVERSINGLABS_Win32_Ransomware_Retmydata : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects RetMyData ransomware." author = "ReversingLabs" - id = "deedb074-eae8-5330-a994-016aae9dd6d0" + id = "f7a091d9-7ace-5aad-95b4-d5101fa7fdea" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RetMyData.yara#L1-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_54ce38d75e9ab82a77b9c338f75e180e19ac745f149289c7478a4aa3b44d70fd" + logic_hash = "54ce38d75e9ab82a77b9c338f75e180e19ac745f149289c7478a4aa3b44d70fd" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -28704,13 +28704,13 @@ rule REVERSINGLABS_Win32_Ransomware_Monalisa : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects Monalisa ransomware." author = "ReversingLabs" - id = "eee02601-2cc3-5a69-a0bd-9e4125f6115c" + id = "34addb63-2426-59a2-b79b-052a9161d361" date = "2022-05-13" modified = "2022-05-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Monalisa.yara#L1-L83" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0bcb79dff111ec05ac93bbe9a777546bd6234dc60d9f6982c03cd0bc3b26b038" + logic_hash = "0bcb79dff111ec05ac93bbe9a777546bd6234dc60d9f6982c03cd0bc3b26b038" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28777,13 +28777,13 @@ rule REVERSINGLABS_Win64_Ransomware_Wintenzz : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects Wintenzz ransomware." author = "ReversingLabs" - id = "92035bb8-06bc-5338-b0b9-249636741402" + id = "6bf569e8-b050-51ef-a948-0eb294248d63" date = "2021-11-02" modified = "2021-11-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Wintenzz.yara#L1-L83" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ff4bdf2f6ee185b98d0014b3066806fe7e25ea94f46837948bc5262440bf8a56" + logic_hash = "ff4bdf2f6ee185b98d0014b3066806fe7e25ea94f46837948bc5262440bf8a56" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -28853,13 +28853,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sepsis : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Sepsis ransomware." author = "ReversingLabs" - id = "4f36609d-23d5-5aa7-a573-4ebe20cfab44" + id = "0c26d6e0-1d64-5f47-8e21-6710a531bc74" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sepsis.yara#L1-L126" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_171ad074a780b45195c6e02b111b3883c58a4028e635c4d6b8ce27c5e05e35d7" + logic_hash = "171ad074a780b45195c6e02b111b3883c58a4028e635c4d6b8ce27c5e05e35d7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -28970,13 +28970,13 @@ rule REVERSINGLABS_Win32_Ransomware_Ako : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Ako ransomware." author = "ReversingLabs" - id = "abfc6e91-5850-5ef7-934e-c01c612d098a" + id = "00d67696-998c-5bc3-95e7-0320ca558cdb" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Ako.yara#L1-L152" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_488e9b528f75fcfaa8dd19859801e6e5a73575c33cd70c98ebaa9ae93025018b" + logic_hash = "488e9b528f75fcfaa8dd19859801e6e5a73575c33cd70c98ebaa9ae93025018b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -29111,13 +29111,13 @@ rule REVERSINGLABS_Win32_Ransomware_FLKR : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects FLKR ransomware." author = "ReversingLabs" - id = "05157ff7-f17e-5d29-94a8-0b75bb10026b" + id = "7f3abcd0-8dfa-5914-9ad0-566c16c2e2ab" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.FLKR.yara#L1-L71" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4ab00ba82baceec9899556d3a774ec08c83c10930cec194e18e3b4e16ebacb58" + logic_hash = "4ab00ba82baceec9899556d3a774ec08c83c10930cec194e18e3b4e16ebacb58" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29185,13 +29185,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sanwai : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Sanwai ransomware." author = "ReversingLabs" - id = "6cf7b717-e235-5500-8481-c44526159b8a" + id = "01912621-4a34-5e34-8542-5b561e8da567" date = "2021-11-11" modified = "2021-11-11" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sanwai.yara#L1-L71" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a7a95b2403fe539dce0d856cc1c04d15440677ea39c0a22e818b42333a64e92c" + logic_hash = "a7a95b2403fe539dce0d856cc1c04d15440677ea39c0a22e818b42333a64e92c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -29250,13 +29250,13 @@ rule REVERSINGLABS_Win64_Ransomware_Whiteblackcrypt : TC_DETECTION MALICIOUS MAL meta: description = "Yara rule that detects WhiteBlackCrypt ransomware." author = "ReversingLabs" - id = "a4edb094-8984-5491-9db7-bf8db4994b7c" + id = "9855c10d-563d-54e0-bc79-945daef947de" date = "2021-07-05" modified = "2021-07-05" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.WhiteBlackCrypt.yara#L1-L91" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_37b95cc3412f2f2d02d19c4c15b529c4f67453cb195627b5bab2f353e7602354" + logic_hash = "37b95cc3412f2f2d02d19c4c15b529c4f67453cb195627b5bab2f353e7602354" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29334,13 +29334,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Hog : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects Hog ransomware." author = "ReversingLabs" - id = "ffd17025-4aa9-57cd-a0c8-d564e61087c8" + id = "b4f26acf-5ff1-5c49-8cfa-8f619af84efd" date = "2021-10-12" modified = "2021-10-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Hog.yara#L1-L70" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c5cbc79fee9083ed3befa6b0d348f2d38064bb9012b8f0ca11afd7137243866d" + logic_hash = "c5cbc79fee9083ed3befa6b0d348f2d38064bb9012b8f0ca11afd7137243866d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -29397,13 +29397,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Thanos : TC_DETECTION MALICIOUS MALW meta: description = "Yara rule that detects Thanos ransomware." author = "ReversingLabs" - id = "4c3a7afd-e2a6-5ed5-8830-78dcf6e4e56f" + id = "e607255d-45a6-573d-956e-f6faa2aa7e9f" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Thanos.yara#L1-L106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f6bc0c2188a04d2fb2a82a6b6d6cdf7763c32047bec725fe07f01415edf0b4cd" + logic_hash = "f6bc0c2188a04d2fb2a82a6b6d6cdf7763c32047bec725fe07f01415edf0b4cd" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29495,13 +29495,13 @@ rule REVERSINGLABS_Win32_Ransomware_Cincoo : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Cincoo ransomware." author = "ReversingLabs" - id = "888eb475-1f81-5769-b8a7-e62e739e6ca0" + id = "c7c2773c-5056-5127-8af7-7f5c5a8ea8a1" date = "2022-06-21" modified = "2022-06-21" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Cincoo.yara#L1-L78" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6a7562cae90754ea75a9fb98ce73ebdb9acf1ad7f28f2240abe6cb592d717ca3" + logic_hash = "6a7562cae90754ea75a9fb98ce73ebdb9acf1ad7f28f2240abe6cb592d717ca3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -29567,13 +29567,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Namaste : TC_DETECTION MALICIOUS MAL meta: description = "Yara rule that detects Namaste ransomware." author = "ReversingLabs" - id = "0e9afc57-2a0a-54ef-a1c6-eda77c9ce559" + id = "e85d7ec3-367b-5bde-a570-8caa1f6cd61b" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Namaste.yara#L1-L81" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5a952276f41b5524bcb82a9ceb076983d2faf2864b3bbd0a06d49bbd5edc1e0e" + logic_hash = "5a952276f41b5524bcb82a9ceb076983d2faf2864b3bbd0a06d49bbd5edc1e0e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29643,13 +29643,13 @@ rule REVERSINGLABS_Win32_Ransomware_Regretlocker : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects RegretLocker ransomware." author = "ReversingLabs" - id = "77d0d3e5-816b-596f-accb-1c8e8d994ff4" + id = "c4e515cc-b0c2-57b2-a230-619ec01ac8d4" date = "2021-04-02" modified = "2021-04-02" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.RegretLocker.yara#L1-L206" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3927dfecacd74f60a169f82b68df5747daa90eaba77f24c5e730ce4c48d426a3" + logic_hash = "3927dfecacd74f60a169f82b68df5747daa90eaba77f24c5e730ce4c48d426a3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -29837,13 +29837,13 @@ rule REVERSINGLABS_Win32_Ransomware_Badbeeteam : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects Badbeeteam ransomware." author = "ReversingLabs" - id = "a32fad99-9ebe-526e-abbd-5e2cde7bb262" + id = "39490b21-34b9-51cb-a3ed-672b3186a233" date = "2020-11-13" modified = "2020-11-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Badbeeteam.yara#L1-L137" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9b5367655c7c70958332d31524833d96d03027aab693393b19f478a80482abd0" + logic_hash = "9b5367655c7c70958332d31524833d96d03027aab693393b19f478a80482abd0" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -29965,13 +29965,13 @@ rule REVERSINGLABS_Win64_Ransomware_Hermeticransom : TC_DETECTION MALICIOUS MALW meta: description = "Yara rule that detects HermeticRansom ransomware." author = "ReversingLabs" - id = "780dc0e8-9acc-5a99-80d8-5a897e39866f" + id = "6aaf89f4-0cf8-5f0e-b89d-01ac7edd06c0" date = "2022-05-13" modified = "2022-05-13" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.HermeticRansom.yara#L1-L105" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_123d569a9d9b9d855b3baafd6194f102d82a594fd7a2bba073843a8654a317cb" + logic_hash = "123d569a9d9b9d855b3baafd6194f102d82a594fd7a2bba073843a8654a317cb" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -30063,13 +30063,13 @@ rule REVERSINGLABS_Win32_Ransomware_Horsedeal : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects Horsedeal ransomware." author = "ReversingLabs" - id = "f720a697-a862-59a2-b7e8-59bdf6ee9269" + id = "c722bc5b-756e-5d46-8530-e20ebb73737c" date = "2020-10-01" modified = "2020-10-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Horsedeal.yara#L1-L106" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fa8c425b08606399b5dc7673f3898e3dba7efb6a62e56db8f500cf5072bb590b" + logic_hash = "fa8c425b08606399b5dc7673f3898e3dba7efb6a62e56db8f500cf5072bb590b" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -30158,13 +30158,13 @@ rule REVERSINGLABS_Win32_Ransomware_Gandcrab : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects GandCrab ransomware." author = "ReversingLabs" - id = "1c6a2318-4d84-53ab-8b9a-e15944627277" + id = "a09ed7e6-f3a6-5f44-9d5b-a9c529cf1190" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GandCrab.yara#L1-L892" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_79381635681482fc90defe4e10e97bf16d534837518fc06ae579822e9d77b461" + logic_hash = "79381635681482fc90defe4e10e97bf16d534837518fc06ae579822e9d77b461" score = 75 quality = 88 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -31008,13 +31008,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sifreli : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects Sifreli ransomware." author = "ReversingLabs" - id = "ca2b2e89-8703-59c5-8365-fe9d438c0762" + id = "974f81e2-6907-54da-97e3-3116c41b5ed4" date = "2020-10-08" modified = "2020-10-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sifreli.yara#L1-L119" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_48f6cc678bea81afece0ae203fb27b61e2c6e4f7188a3bd260190f568c9a8a06" + logic_hash = "48f6cc678bea81afece0ae203fb27b61e2c6e4f7188a3bd260190f568c9a8a06" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31119,13 +31119,13 @@ rule REVERSINGLABS_Win32_Ransomware_Petya : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Petya ransomware." author = "ReversingLabs" - id = "43994b48-374a-5d79-83c8-c3de6444d4ac" + id = "93d9fb33-88d1-50ec-bf99-1888201c0ec2" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Petya.yara#L3-L58" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d2adafcb21b627d614eab79e64e2b96ad09fae796d0670452a19490d8781ce99" + logic_hash = "d2adafcb21b627d614eab79e64e2b96ad09fae796d0670452a19490d8781ce99" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -31176,13 +31176,13 @@ rule REVERSINGLABS_Win32_Ransomware_Blitzkrieg : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects Blitzkrieg ransomware." author = "ReversingLabs" - id = "80cb1024-622e-5a10-b14b-afbc3634e570" + id = "078f7f9d-edd4-52b4-a30e-e968542da95c" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Blitzkrieg.yara#L1-L127" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_22dd16c886a1982186fe927e633be9951da7d7e664e877e11fa976696b2bc86f" + logic_hash = "22dd16c886a1982186fe927e633be9951da7d7e664e877e11fa976696b2bc86f" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31293,13 +31293,13 @@ rule REVERSINGLABS_Win32_Ransomware_PXJ : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects PXJ ransomware." author = "ReversingLabs" - id = "1a02dc4e-340e-5a77-8bdf-c9adc516d122" + id = "c1549905-5b31-55c0-a275-0ab8133b3504" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.PXJ.yara#L1-L158" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e88d27dcd7ad3af459bd7e34fcc827822365441446b0e4e7bbec399c9a948cb7" + logic_hash = "e88d27dcd7ad3af459bd7e34fcc827822365441446b0e4e7bbec399c9a948cb7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -31441,13 +31441,13 @@ rule REVERSINGLABS_Win32_Ransomware_Gpgqwerty : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects GPGQwerty ransomware." author = "ReversingLabs" - id = "6f9ee028-57a5-591b-8aea-4ac5e59941bc" + id = "8848e00a-a695-575b-a29d-fc9521859e12" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.GPGQwerty.yara#L1-L83" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e59adadd66b4d242ac7337ce4b3c3ec6c60724f4cf5b86305f1e31b88745928c" + logic_hash = "e59adadd66b4d242ac7337ce4b3c3ec6c60724f4cf5b86305f1e31b88745928c" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31521,13 +31521,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Janelle : TC_DETECTION MALICIOUS MAL meta: description = "Yara rule that detects Janelle ransomware." author = "ReversingLabs" - id = "555fbf4b-0b65-5b54-8020-ab2f4b02e3f7" + id = "4fef3be5-8332-5ce2-b1e9-3993e6963331" date = "2021-12-16" modified = "2021-12-16" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Janelle.yara#L1-L96" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_49f1eac82930606183ab9cf1d5c6c42534d58735876134793e9712e78eb5a4c7" + logic_hash = "49f1eac82930606183ab9cf1d5c6c42534d58735876134793e9712e78eb5a4c7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -31610,13 +31610,13 @@ rule REVERSINGLABS_Win32_Ransomware_Zerocrypt : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects ZeroCrypt ransomware." author = "ReversingLabs" - id = "8a3f47dd-1f5c-54a4-8326-2c2387a357cf" + id = "89e47d7f-1ac4-570d-8ae1-30f0acc21462" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ZeroCrypt.yara#L1-L94" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_947925206ded187eac31c5046d75ab017869ae3f8dc906f2e5536d4db219f108" + logic_hash = "947925206ded187eac31c5046d75ab017869ae3f8dc906f2e5536d4db219f108" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31707,13 +31707,13 @@ rule REVERSINGLABS_Win32_Ransomware_Zoldon : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Zoldon ransomware." author = "ReversingLabs" - id = "50620a61-7c84-5473-b19c-a0afd811ed5b" + id = "5d28e6f0-9d6b-54f4-81ed-aadb58352c80" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Zoldon.yara#L1-L107" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4821b8506e7ba00987978f2744da1c532e03d73f3275cb15e39cdf87f6018223" + logic_hash = "4821b8506e7ba00987978f2744da1c532e03d73f3275cb15e39cdf87f6018223" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -31806,13 +31806,13 @@ rule REVERSINGLABS_Win32_Ransomware_Loocipher : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects LooCipher ransomware." author = "ReversingLabs" - id = "821433b8-14bb-5ccb-a164-bffa78c1d2d1" + id = "b5aa2bd0-72b0-5013-a60e-9b4f1ee1de1f" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.LooCipher.yara#L1-L87" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_aa0598d63b5fad6aea0945a0aa2030d3d6e2cd9f1fea16f3dd17cdceb68323e3" + logic_hash = "aa0598d63b5fad6aea0945a0aa2030d3d6e2cd9f1fea16f3dd17cdceb68323e3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -31887,13 +31887,13 @@ rule REVERSINGLABS_Win32_Ransomware_Skystars : TC_DETECTION MALICIOUS MALWARE FI meta: description = "Yara rule that detects Skystars ransomware." author = "ReversingLabs" - id = "90529d44-8741-58f7-ac0d-0e54f22fb26d" + id = "9dc19bda-c5bd-58fb-8c4f-a7d8a6fbbce9" date = "2020-11-20" modified = "2020-11-20" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Skystars.yara#L1-L97" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_352d22183b0974908ce684725fe85b4714ac5959c3bddf093b54383195881a5a" + logic_hash = "352d22183b0974908ce684725fe85b4714ac5959c3bddf093b54383195881a5a" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -31977,13 +31977,13 @@ rule REVERSINGLABS_Win32_Ransomware_Sigrun : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Sigrun ransomware." author = "ReversingLabs" - id = "7d92db58-2e6d-53b1-902c-509d97b5912a" + id = "fa627192-ed80-5115-a028-014f67f4571d" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Sigrun.yara#L1-L111" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ea29ec64cdfc0c714fe0acdce5878cb1302dd5aa916811121c644948ce275935" + logic_hash = "ea29ec64cdfc0c714fe0acdce5878cb1302dd5aa916811121c644948ce275935" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32079,13 +32079,13 @@ rule REVERSINGLABS_Win32_Ransomware_Asn1Encoder : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects ASN1Encoder ransomware." author = "ReversingLabs" - id = "85d76df8-15d9-5bdb-951a-d8b676b04480" + id = "5fa361e5-4ab0-5856-92b2-6f434e33c350" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.ASN1Encoder.yara#L1-L136" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_000fd846fa5f09af19ead4623bb5a8eb51cdb4c751013569bf070710d3e0d61d" + logic_hash = "000fd846fa5f09af19ead4623bb5a8eb51cdb4c751013569bf070710d3e0d61d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -32207,13 +32207,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Mcburglar : TC_DETECTION MALICIOUS M meta: description = "Yara rule that detects McBurglar ransomware." author = "ReversingLabs" - id = "eddcf970-f4d2-5108-9c5a-68c1f2f53dd0" + id = "11816401-87c3-5aff-b161-da0fa4eb4bca" date = "2021-09-27" modified = "2021-09-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara#L1-L75" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_57fefcdc1528fc1c8da36a431cd09774e33ea08a394ac4f8d19a27504e72676d" + logic_hash = "57fefcdc1528fc1c8da36a431cd09774e33ea08a394ac4f8d19a27504e72676d" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32271,13 +32271,13 @@ rule REVERSINGLABS_Win64_Ransomware_Cactus : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Cactus ransomware." author = "ReversingLabs" - id = "232248f9-f977-551f-a622-6a3b2f41ca0f" + id = "f391919a-b433-5f8d-8051-f0467118fa1b" date = "2023-12-15" modified = "2023-12-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win64.Ransomware.Cactus.yara#L1-L190" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2953b67e926cb653df0de208b098da3d5c16e6690842ab28fbf8c37cd16f54d7" + logic_hash = "2953b67e926cb653df0de208b098da3d5c16e6690842ab28fbf8c37cd16f54d7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -32446,13 +32446,13 @@ rule REVERSINGLABS_Win32_Ransomware_Balaclava : TC_DETECTION MALICIOUS MALWARE F meta: description = "Yara rule that detects Balaclava ransomware." author = "ReversingLabs" - id = "16ac2306-466b-531f-af08-ca4821a10051" + id = "1a17f2e8-f161-55bc-b44e-f8f47ebd9869" date = "2020-10-01" modified = "2020-10-01" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.Balaclava.yara#L1-L113" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_01b43e6ea7ceebdbdda7e1f7c5bd2439a460b8aed4a1837755fa3679e9893ff3" + logic_hash = "01b43e6ea7ceebdbdda7e1f7c5bd2439a460b8aed4a1837755fa3679e9893ff3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32551,13 +32551,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Ransomware_Dusk : TC_DETECTION MALICIOUS MALWAR meta: description = "Yara rule that detects Dusk ransomware." author = "ReversingLabs" - id = "749bbb5f-4702-5696-8bd1-088e15261e90" + id = "cde30f40-f13c-53da-8656-cc293433aa36" date = "2021-08-12" modified = "2021-08-12" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/ByteCode.MSIL.Ransomware.Dusk.yara#L1-L73" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b6b0b3be7c17115dc5f225a13228f8a4811d84ae095c3ceba2d89f569f2d40c7" + logic_hash = "b6b0b3be7c17115dc5f225a13228f8a4811d84ae095c3ceba2d89f569f2d40c7" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -32617,13 +32617,13 @@ rule REVERSINGLABS_Win32_Ransomware_Avoslocker : TC_DETECTION MALICIOUS MALWARE meta: description = "Yara rule that detects AvosLocker ransomware." author = "ReversingLabs" - id = "201b3e77-4989-5b00-a5e8-8d5ede6b7f13" + id = "a803283d-6424-5a64-89e6-c73a3322ba1e" date = "2021-10-22" modified = "2021-10-22" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/ransomware/Win32.Ransomware.AvosLocker.yara#L1-L108" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4d81b801a95a54a35989c4a985d92578971568d1412f625bca911d0fa1eee1fe" + logic_hash = "4d81b801a95a54a35989c4a985d92578971568d1412f625bca911d0fa1eee1fe" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -32717,13 +32717,13 @@ rule REVERSINGLABS_Cert_Blocklist_05E2E6A4Cd09Ea54D665B075Fe22A256 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "74e54dc0-a87e-504b-8b84-b9c5250d5460" + id = "824c6b2f-081a-5f38-b949-d802f59e6ced" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L27-L43" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_43da21d9c7ae9bfcc7fe4ee69f9d46cbce1954785d56c1d424b36deb8afe592e" + logic_hash = "43da21d9c7ae9bfcc7fe4ee69f9d46cbce1954785d56c1d424b36deb8afe592e" score = 75 quality = 90 tags = "INFO, FILE" @@ -32742,13 +32742,13 @@ rule REVERSINGLABS_Cert_Blocklist_77019A082385E4B73F569569C9F87Bb8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4c18a7c7-23b4-5dcb-8afa-f6005be9510e" + id = "4046a31b-d7c8-5c63-b5b2-2179b0817b03" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L45-L61" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8613986005bdd30d92e633fa2058be5c43f1c530b9dc6d80ec953f12f6d66ce7" + logic_hash = "8613986005bdd30d92e633fa2058be5c43f1c530b9dc6d80ec953f12f6d66ce7" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -32767,13 +32767,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F2Ef29Ca5F96E5777B82C62F34Fd3A6 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "3affd4a4-b6e1-50ee-8412-50d98c4e6a93" + id = "6cfb6ae0-8eba-503b-8bb7-ac72746d9aa2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L63-L79" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e8f27c4a72f416a16acabb1de606fdde7dc694256809fdb952a25313dda0d34e" + logic_hash = "e8f27c4a72f416a16acabb1de606fdde7dc694256809fdb952a25313dda0d34e" score = 75 quality = 90 tags = "INFO, FILE" @@ -32792,13 +32792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Cc1Db2Ad0A290A4Bfe7A5F336D6800C : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "11e119de-9832-5370-9198-fa9162a490eb" + id = "89bc7c99-dea2-50ce-a0d2-4292c14d049e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L81-L97" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c9f91edb525a02041bc20dff25ec58323f8fabd4d2a2eca63238ecb10ccef2a6" + logic_hash = "c9f91edb525a02041bc20dff25ec58323f8fabd4d2a2eca63238ecb10ccef2a6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -32817,13 +32817,13 @@ rule REVERSINGLABS_Cert_Blocklist_13C8351Aece71C731158980F575F4133 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aa38231a-6f8f-5b0c-b903-bd6c9e6e4af5" + id = "b6a1eb97-f0da-571e-951c-57f49cf62057" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L99-L115" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f96723845adc8030b72c119311103d5c2cf136e79de226d31141d8b925ce8e75" + logic_hash = "f96723845adc8030b72c119311103d5c2cf136e79de226d31141d8b925ce8e75" score = 75 quality = 90 tags = "INFO, FILE" @@ -32842,13 +32842,13 @@ rule REVERSINGLABS_Cert_Blocklist_4531954F6265304055F66Ce4F624F95B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b4f36de6-9443-5726-a866-80089e115f46" + id = "da1aaa4c-ac71-5c4c-b663-3d1b57d69040" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L117-L133" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_58d3a2a5e3f6730f329bddb171ad6332794fa95848825b892c3b8324f503ae89" + logic_hash = "58d3a2a5e3f6730f329bddb171ad6332794fa95848825b892c3b8324f503ae89" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -32867,13 +32867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0E808F231515Bc519Eea1A73Cdf3266F : INFO FILE meta: description = "Certificate used for digitally signing Careto malware." author = "ReversingLabs" - id = "374ab19a-66be-5467-ad4a-eb084c1ab343" + id = "1f1eb5c2-bfef-58df-b51e-c558d87cd5d2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L135-L151" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_05e466e304ed7a8f5c1c93aac4a4b7019d6fb1e07aeb45d078b657f838d1f3bd" + logic_hash = "05e466e304ed7a8f5c1c93aac4a4b7019d6fb1e07aeb45d078b657f838d1f3bd" score = 75 quality = 90 tags = "INFO, FILE" @@ -32892,13 +32892,13 @@ rule REVERSINGLABS_Cert_Blocklist_36Be4Ad457F062Fa77D87595B8Ccc8Cf : INFO FILE meta: description = "Certificate used for digitally signing Careto malware." author = "ReversingLabs" - id = "b256c13b-c6ad-50f2-a785-717e3be04b61" + id = "224ec8ed-e4f0-5d1b-8cdd-a669a7e3e859" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L153-L169" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d19a6f22a1e702a4da69c867195722adf8f1dd84539f2c584af428fe4b1caf79" + logic_hash = "d19a6f22a1e702a4da69c867195722adf8f1dd84539f2c584af428fe4b1caf79" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -32917,13 +32917,13 @@ rule REVERSINGLABS_Cert_Blocklist_75A38507Bf403B152125B8F5Ce1B97Ad : INFO FILE meta: description = "Certificate used for digitally signing Zeus malware." author = "ReversingLabs" - id = "16f81122-d09c-505c-982a-40c994160ab6" + id = "6805abd8-217e-5179-ab5a-297e2a17e65e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L171-L187" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_af21cee3ee92268c3aa0106a245e5a00c5ba892fca3e4fd2dc55e302ed5d470a" + logic_hash = "af21cee3ee92268c3aa0106a245e5a00c5ba892fca3e4fd2dc55e302ed5d470a" score = 75 quality = 90 tags = "INFO, FILE" @@ -32942,13 +32942,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Effa8B216E24B16202940C1Bc2Fa8A5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "294f1385-486e-5485-a706-20cac8669695" + id = "541a169e-a263-5901-9d8e-768306b8b8ba" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L189-L205" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b5282fc85bbbee50c5307fff923e9e477fed8c011288e2ebd61c4b3ee801bc62" + logic_hash = "b5282fc85bbbee50c5307fff923e9e477fed8c011288e2ebd61c4b3ee801bc62" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -32967,13 +32967,13 @@ rule REVERSINGLABS_Cert_Blocklist_57D7153A89Bbf4729Be87F3C927043Aa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fabbf43e-6750-57ad-9245-3d69db57235c" + id = "9b778a20-8a0c-5c9f-8cc3-9e5054713e13" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L207-L223" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a8de7951bd25c8a9346ef341d8bf9c9147f9fa6913e952be40fb43d3d7a370c1" + logic_hash = "a8de7951bd25c8a9346ef341d8bf9c9147f9fa6913e952be40fb43d3d7a370c1" score = 75 quality = 90 tags = "INFO, FILE" @@ -32992,13 +32992,13 @@ rule REVERSINGLABS_Cert_Blocklist_028E1Deccf93D38Ecf396118Dfe908B4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e43c15c5-be2c-544a-b400-503e4c4122cc" + id = "6dfb0181-299f-5a28-b647-137d75f747a6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L225-L241" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b07c797652ef19c7e0b23c3eddbbbf2700160d743d71a0005b950160474638d8" + logic_hash = "b07c797652ef19c7e0b23c3eddbbbf2700160d743d71a0005b950160474638d8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33017,13 +33017,13 @@ rule REVERSINGLABS_Cert_Blocklist_40575Df73Eaa1B6140C7Ef62C08Bf216 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bb03fea5-e0c2-523b-9072-119c08b1c836" + id = "6a6e6320-8e01-5ec7-8119-3e90f1eacc4e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L243-L259" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7da8e98f38413e5cbb18e3c7771c530afb766dd9fbeb8fdd2264617aff24f920" + logic_hash = "7da8e98f38413e5cbb18e3c7771c530afb766dd9fbeb8fdd2264617aff24f920" score = 75 quality = 90 tags = "INFO, FILE" @@ -33042,13 +33042,13 @@ rule REVERSINGLABS_Cert_Blocklist_049Ce8C47F1F0E650Cb086F0Cfa7Ca53 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6622f335-30b2-57ad-b141-af3eb2a942a3" + id = "aebba591-2024-584a-bba6-9a27049cf4b8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L261-L277" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9ae4a236e1252afc1db6fae4e388a53ebde7e724cc07c213d4bfc176cf0a0096" + logic_hash = "9ae4a236e1252afc1db6fae4e388a53ebde7e724cc07c213d4bfc176cf0a0096" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33067,13 +33067,13 @@ rule REVERSINGLABS_Cert_Blocklist_29F42680E653Cf8Fafd0E935553F7E86 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dd513a20-68ca-5a36-9e7e-fc15495c47c0" + id = "f616e92c-ed9f-581c-aa15-970bddfb073a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L279-L295" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6c726e4c2933a6472d256a18ea5265660ff035d05036ab9cae3409ab5a7c7598" + logic_hash = "6c726e4c2933a6472d256a18ea5265660ff035d05036ab9cae3409ab5a7c7598" score = 75 quality = 90 tags = "INFO, FILE" @@ -33092,13 +33092,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C15 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0ca07a33-8f75-543d-8c28-870e32f67295" + id = "4a7a5404-1a20-53a7-9670-6f5215582c9d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L297-L313" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1ee88813270dddeeedd90edbce9be2ce74303a6799ee64b0e9bfaea7377d3b2d" + logic_hash = "1ee88813270dddeeedd90edbce9be2ce74303a6799ee64b0e9bfaea7377d3b2d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33117,13 +33117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C0F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "06caf6bc-a9a4-5f11-9d39-3adae6e38d55" + id = "919a62ba-2902-5088-ad92-9f1bae23e68f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L315-L331" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0f8fda07dc362b7e04892446f1abe1e5f5717ee715824a2c1f6550096c366701" + logic_hash = "0f8fda07dc362b7e04892446f1abe1e5f5717ee715824a2c1f6550096c366701" score = 75 quality = 90 tags = "INFO, FILE" @@ -33142,13 +33142,13 @@ rule REVERSINGLABS_Cert_Blocklist_06A164Ec5978497741Ee6Cec9966871B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8962c47c-53b4-5050-9e03-6e90d2b0f143" + id = "6c73206d-3d5c-5540-a2e1-d00138d7e1b5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L333-L349" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8a27015d94a3bd8543a8ca9202831ffc9c9e65f61bf26ed6825c3e746b6af0d4" + logic_hash = "8a27015d94a3bd8543a8ca9202831ffc9c9e65f61bf26ed6825c3e746b6af0d4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33167,13 +33167,13 @@ rule REVERSINGLABS_Cert_Blocklist_1121Ed568764E75Be35574448Feadefcd3Bc : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a6fc788c-bbdc-5c78-8234-0ea986aa3be5" + id = "44fa007f-f5f7-5001-8b92-eb4a657ea756" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L351-L367" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3316a2536920c5aa9dd627cec7678e6fe33c722b4830dd740009c20dd013c9ab" + logic_hash = "3316a2536920c5aa9dd627cec7678e6fe33c722b4830dd740009c20dd013c9ab" score = 75 quality = 90 tags = "INFO, FILE" @@ -33192,13 +33192,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Ed2450Ceac0F72E73Fda1727E66E654 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d7c40af6-ece5-5c1a-8ec0-e34a0dbb31ee" + id = "c19ddbde-eec0-5ebb-8f11-1e7dcb489bc8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L369-L385" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0e5af7795c825367d441c8abc2aa835fa83083eb8ee1f723c7d2dacff1ca88ff" + logic_hash = "0e5af7795c825367d441c8abc2aa835fa83083eb8ee1f723c7d2dacff1ca88ff" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33217,13 +33217,13 @@ rule REVERSINGLABS_Cert_Blocklist_32665079C5A5854A6833623Ca77Ff5Ac : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3d98324d-4605-5613-995a-ba53c4b4deea" + id = "7078e95f-8bbe-5446-b9cb-c079f8448cb1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L387-L403" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6b734ca733c5fbadcb490ffd4c19c951e0fc17dd9b660eca948b126038c42cdb" + logic_hash = "6b734ca733c5fbadcb490ffd4c19c951e0fc17dd9b660eca948b126038c42cdb" score = 75 quality = 90 tags = "INFO, FILE" @@ -33242,13 +33242,13 @@ rule REVERSINGLABS_Cert_Blocklist_01A90094C83412C00Cf98Dd2Eb0D7042 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6d2c33f9-4b0b-5eea-b866-ffce6b67b1aa" + id = "e5059974-9ea2-5497-a728-c21a6cdd30e4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L405-L421" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5a3de0e6de5cda39e40988f9e2324cbee3e059aff5ceaf7fd819de8bf7215808" + logic_hash = "5a3de0e6de5cda39e40988f9e2324cbee3e059aff5ceaf7fd819de8bf7215808" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33267,13 +33267,13 @@ rule REVERSINGLABS_Cert_Blocklist_55Efe24B9674855Baf16E67716479C71 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d1074848-c9a1-5400-a6b2-459b92679b1c" + id = "c1a4102e-ce78-5a4d-95ea-b9e394df0c28" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L423-L439" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2cf7a76ae3c3a698564013ff545c74d0319face5aa19416c93bf10f45f84f8c9" + logic_hash = "2cf7a76ae3c3a698564013ff545c74d0319face5aa19416c93bf10f45f84f8c9" score = 75 quality = 90 tags = "INFO, FILE" @@ -33292,13 +33292,13 @@ rule REVERSINGLABS_Cert_Blocklist_094Bf19D509D3074913995160B195B6C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c306f52d-270c-5ccf-a430-d792f804b7b8" + id = "8241e2c6-e4e7-581c-b759-6314d2e28a4d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L441-L457" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3c1ed012716f36876d9375838befb9821b87cafc6aca57a0f18392f80f5ba325" + logic_hash = "3c1ed012716f36876d9375838befb9821b87cafc6aca57a0f18392f80f5ba325" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33317,13 +33317,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A77Cf3Ba49B64E6Cbe5Fb4A6A6Aacc6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6bae9d83-fffc-53c1-b61a-4cb97a5216d3" + id = "4fb06917-ccbd-514c-a936-e337c31c6e65" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L459-L475" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3bebc4a36b57526505167d8f075d468e4775d66c81ce08644c506d9be94efba0" + logic_hash = "3bebc4a36b57526505167d8f075d468e4775d66c81ce08644c506d9be94efba0" score = 75 quality = 90 tags = "INFO, FILE" @@ -33342,13 +33342,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F4C22Da1107D20C1Eda04569D58E573 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "68bcabbb-8ad3-549c-b4f0-11089f66addf" + id = "4ff75d18-926e-51aa-8e1c-b9699669bbd0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L477-L493" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fe19c4b21c3b70ec571461ca6d9c370a971c01f2d68e3c3916aa1fa0f13b20f8" + logic_hash = "fe19c4b21c3b70ec571461ca6d9c370a971c01f2d68e3c3916aa1fa0f13b20f8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33367,13 +33367,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fe68D48634893D18De040D8F1C289D2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "49ec12c2-7573-5695-8669-207c77c1893d" + id = "40aed582-2960-5b42-acde-7350a2595b4b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L495-L511" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_41feebc8800a084ac369b5c5721b1362d371bd503b67823986bad2839157a4b0" + logic_hash = "41feebc8800a084ac369b5c5721b1362d371bd503b67823986bad2839157a4b0" score = 75 quality = 90 tags = "INFO, FILE" @@ -33392,13 +33392,13 @@ rule REVERSINGLABS_Cert_Blocklist_6767Def972D6Ea702D8C8A53Af1832D3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df69d46c-a443-5e33-b261-e1389f2eb03c" + id = "c60497b4-5abe-52b0-aac9-88953ea6cdf1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L513-L529" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_aa7f997449b4b8dcf488cfb7f45ee98ca540d39fb861f5b01ff4bb4aa1875b72" + logic_hash = "aa7f997449b4b8dcf488cfb7f45ee98ca540d39fb861f5b01ff4bb4aa1875b72" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33417,13 +33417,13 @@ rule REVERSINGLABS_Cert_Blocklist_06477E3425F1448995Ced539789E6842 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55acdab2-95ad-542e-9abb-aeeed6bc1715" + id = "21da6056-bf4e-5fc4-bef5-37010ebe8f05" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L531-L547" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c0bc7808bb6bcc8273a887203c1b47d1a49fcb7719863e6bc97b5c7404a254f7" + logic_hash = "c0bc7808bb6bcc8273a887203c1b47d1a49fcb7719863e6bc97b5c7404a254f7" score = 75 quality = 90 tags = "INFO, FILE" @@ -33442,13 +33442,13 @@ rule REVERSINGLABS_Cert_Blocklist_0450A7C1C36951Da09C8Ad0E7F716Ff2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b29f9623-4cbb-5900-90d7-a76db41d20a5" + id = "b4a56bbe-f2ba-52df-832d-35b92ab73683" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L549-L565" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cb594607ceef1b8d79145ad3905fb2c38d2ed3f3e6c8a0a793fc2dc9d0a21855" + logic_hash = "cb594607ceef1b8d79145ad3905fb2c38d2ed3f3e6c8a0a793fc2dc9d0a21855" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33467,13 +33467,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F9Fbdab9B39645Cf3211F87Abb5Ddb7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9898f0b7-5f4b-51aa-8d4d-0efe3bb91b70" + id = "ad24d2e9-ae3d-5fae-b58d-965bd1de2a99" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L567-L583" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ba5885c7769b5ead261815880033b0df50dc4f7684fdb37398ab01bfebda0e37" + logic_hash = "ba5885c7769b5ead261815880033b0df50dc4f7684fdb37398ab01bfebda0e37" score = 75 quality = 90 tags = "INFO, FILE" @@ -33492,13 +33492,13 @@ rule REVERSINGLABS_Cert_Blocklist_4211D2E4F0E87127319302C55B85Bcf2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "99752033-2532-52ed-8988-10023b7a8606" + id = "dbe2a945-cf13-564a-a95a-24534c70a723" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L585-L601" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_edf9bbface7fe943dfa4f5a6e8469802ccdbd3de9d3e6b8fabebb024c21bb9a9" + logic_hash = "edf9bbface7fe943dfa4f5a6e8469802ccdbd3de9d3e6b8fabebb024c21bb9a9" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33517,13 +33517,13 @@ rule REVERSINGLABS_Cert_Blocklist_07B44Cdbfffb78De05F4261672A67312 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "616aa3ba-163a-55d0-9918-a707abde1948" + id = "18787692-1233-5ea8-869c-feb530d06237" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L603-L619" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c88a8543782fc49d8aa68f3fc8052bd3316d10118dfb2ef2eef5006de657b6f1" + logic_hash = "c88a8543782fc49d8aa68f3fc8052bd3316d10118dfb2ef2eef5006de657b6f1" score = 75 quality = 90 tags = "INFO, FILE" @@ -33542,13 +33542,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F8B9A1Ba5E60C754Dbb40Ddee7905E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "004c2d1c-b1b7-5408-88a9-a16663236135" + id = "9b6ba6bb-a796-59e1-a38b-04d4b60a99a6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L621-L637" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2a0d07d47cd41db5dc170a29607b6c1f2e3b7c0785f83b211f68f9cb9368e350" + logic_hash = "2a0d07d47cd41db5dc170a29607b6c1f2e3b7c0785f83b211f68f9cb9368e350" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33567,13 +33567,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A389B95Ee736Dd13Bc0Ed743Fd74D2F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b08f2c25-ac0f-5bfa-8522-26c78e54eca9" + id = "43cce248-2322-5607-8706-aeab046a30b9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L639-L655" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8b83e4aa47cea7cadf4b4a9f4e044478a62f4233e082fb52f9ed906d80a552aa" + logic_hash = "8b83e4aa47cea7cadf4b4a9f4e044478a62f4233e082fb52f9ed906d80a552aa" score = 75 quality = 90 tags = "INFO, FILE" @@ -33592,13 +33592,13 @@ rule REVERSINGLABS_Cert_Blocklist_1A3Faaeb3A8B93B2394Fec36345996E6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4c9abece-37fd-52f3-b86a-dfe3fdbc75d5" + id = "343e4dbe-21a6-5758-be81-e5e7918c54fa" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L657-L673" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a3bd9aaba8dbdb340b5d3013684584524eb08b11339985ba6ca0291b8c8bc692" + logic_hash = "a3bd9aaba8dbdb340b5d3013684584524eb08b11339985ba6ca0291b8c8bc692" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33617,13 +33617,13 @@ rule REVERSINGLABS_Cert_Blocklist_1A35Acce5B0C77206B1C3Dc2A6A2417C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c15c09d8-5a52-5830-8cff-b2292c5641c7" + id = "0e42ffb8-07f2-55e4-977d-7760e923d76d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L675-L691" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ce161fdd511e0efa042516ead09c6ab5f8dcf54f2087cdccbfed8e7cdfbd25b2" + logic_hash = "ce161fdd511e0efa042516ead09c6ab5f8dcf54f2087cdccbfed8e7cdfbd25b2" score = 75 quality = 90 tags = "INFO, FILE" @@ -33642,13 +33642,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Eb40Ea11Eaac847B050De9B59E25Bdc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "983ebcbf-1ae2-5476-9c1e-351dd1393800" + id = "e9f94ae9-0158-5789-b4d2-88f750442274" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L693-L709" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d0e7ab78fb42c9a8f19cba8e6a8b15d584651a23f1088e1f311589d46145e963" + logic_hash = "d0e7ab78fb42c9a8f19cba8e6a8b15d584651a23f1088e1f311589d46145e963" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33667,13 +33667,13 @@ rule REVERSINGLABS_Cert_Blocklist_6724340Ddbc7252F7Fb714B812A5C04D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c129e911-dd5f-5a03-8706-56db1c553c58" + id = "2b61de88-9fea-5c3f-a7ab-db91e90b4965" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L711-L727" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bc72c2ca5f81198684233e23260831da5b9ef4e7ac5a25abbdb303eecc38bd53" + logic_hash = "bc72c2ca5f81198684233e23260831da5b9ef4e7ac5a25abbdb303eecc38bd53" score = 75 quality = 90 tags = "INFO, FILE" @@ -33692,13 +33692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0813Ee9B7B9D7C46001D6Bc8784Df1Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9afe28b5-b524-520a-9f8c-7f748fa48f65" + id = "0915fae0-ac6f-5a92-ab44-80f840fd5061" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L729-L745" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1a25a2f25fa8d5075113cbafb73e80e741268d6b2f9e629fd54ffca9e82409b0" + logic_hash = "1a25a2f25fa8d5075113cbafb73e80e741268d6b2f9e629fd54ffca9e82409b0" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33717,13 +33717,13 @@ rule REVERSINGLABS_Cert_Blocklist_530591C61B5E1212F659138B7Cea0A97 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3866d6a5-c700-5695-864f-f1229f4e04ec" + id = "71cf0653-5aab-5d5c-aa3a-f42f40196412" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L747-L763" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0ef01e542d145475713bbd373bdcdae5f25bfd823a60e7d40fe9a6b6039c83e0" + logic_hash = "0ef01e542d145475713bbd373bdcdae5f25bfd823a60e7d40fe9a6b6039c83e0" score = 75 quality = 90 tags = "INFO, FILE" @@ -33742,13 +33742,13 @@ rule REVERSINGLABS_Cert_Blocklist_07270Ff9 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "eb2c068b-f175-541b-911e-fe193af2aeb1" + id = "fcd2d82a-b51d-53ff-bfae-3c83147c1903" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L765-L781" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8f0da7c330464184fa1d5bf8d51dd8ad2e8637710a36972dcab03629cb57e910" + logic_hash = "8f0da7c330464184fa1d5bf8d51dd8ad2e8637710a36972dcab03629cb57e910" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33767,13 +33767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0727100D : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "b5f61bb9-bb58-5064-84ee-963744c6fd31" + id = "1ee866ec-a445-5a79-b824-37f28a49f20b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L783-L799" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a09f4004ed002b90d67a3baddde74832e6c7b70e8b330347ef169460750aa344" + logic_hash = "a09f4004ed002b90d67a3baddde74832e6c7b70e8b330347ef169460750aa344" score = 75 quality = 90 tags = "INFO, FILE" @@ -33792,13 +33792,13 @@ rule REVERSINGLABS_Cert_Blocklist_07271003 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "457c2218-ad90-5e68-b97a-a54bfbaa7648" + id = "7573c436-5bf9-5522-9952-e30dbbccd092" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L801-L817" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_14c201b4fdda5b3553732a173a3d6705129c54f2a50d26997d63a77be8504285" + logic_hash = "14c201b4fdda5b3553732a173a3d6705129c54f2a50d26997d63a77be8504285" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33817,13 +33817,13 @@ rule REVERSINGLABS_Cert_Blocklist_013134Bf : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "4e73717a-91a7-5f63-b6b4-009b582e5d12" + id = "a3292707-c481-56a8-abf9-e1a762c76cb6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L819-L835" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1ade100c310c22bce25bcc6687855bd4eb6364b64cf31514b2548509a16e4a36" + logic_hash = "1ade100c310c22bce25bcc6687855bd4eb6364b64cf31514b2548509a16e4a36" score = 75 quality = 90 tags = "INFO, FILE" @@ -33842,13 +33842,13 @@ rule REVERSINGLABS_Cert_Blocklist_01314476 : INFO FILE meta: description = "The digital certificate has leaked." author = "ReversingLabs" - id = "43aafa3a-ffdd-5a29-8b58-104948bfbd3c" + id = "e0a52ad1-cebd-5ffc-953f-e0b09fc6d710" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L837-L853" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6f2f3f3ae009fbb9ebe589fc6b640be89c4a7b734eda515f182c7e9c9ffb4779" + logic_hash = "6f2f3f3ae009fbb9ebe589fc6b640be89c4a7b734eda515f182c7e9c9ffb4779" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -33867,13 +33867,13 @@ rule REVERSINGLABS_Cert_Blocklist_013169B0 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "2e16665b-3764-5ff0-b667-e269a7ece222"
+ id = "a5f68c0a-635a-5aa9-94d2-7628999f06c2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L855-L871"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_354421ebad7fd0b73c9ba63630c91d481901ca9ec39be3c6b66843221e4b5aad"
+ logic_hash = "354421ebad7fd0b73c9ba63630c91d481901ca9ec39be3c6b66843221e4b5aad"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -33892,13 +33892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C76Da9C910C4E2C9Efe15D058933C4C : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "008bc831-2634-56f3-82bb-d1cd19b3c263"
+ id = "a9b06d49-1ab2-539e-bd1f-16da40b654b2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L873-L889"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_883e93bff42161ba68f69fb17f7e78377d7f3cb6b6cdf72cffb4166466f8bc7b"
+ logic_hash = "883e93bff42161ba68f69fb17f7e78377d7f3cb6b6cdf72cffb4166466f8bc7b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -33917,13 +33917,13 @@ rule REVERSINGLABS_Cert_Blocklist_469C2Caf : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "9d379a33-fe23-5627-8513-1f196869678e"
+ id = "12d7c4a8-0a84-502a-855b-674972a2e2e1"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L891-L907"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2490dbd74a5d3eede494d284f96af835c270d2fb0752b887aadbaf92bf34e6d4"
+ logic_hash = "2490dbd74a5d3eede494d284f96af835c270d2fb0752b887aadbaf92bf34e6d4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -33942,13 +33942,13 @@ rule REVERSINGLABS_Cert_Blocklist_469C3Cc9 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "af049b58-3b7d-52ed-b005-5bb37dc39ccf"
+ id = "36d76a9f-d18f-56bf-b00a-f7320f04f39a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L909-L925"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7327b7cbeb616bc46c82975aed6b3ea1caafa74fd431e2d98ca55b00851e22c8"
+ logic_hash = "7327b7cbeb616bc46c82975aed6b3ea1caafa74fd431e2d98ca55b00851e22c8"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -33967,13 +33967,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A82Bd1E144E8814D75B1A5527Bebf3E : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "ffabaf6b-264e-5961-b70a-3144f9b06d01"
+ id = "f3d7d714-8085-524a-814c-ab8cc59ceb4f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L927-L943"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2534e58ce1e5adbb10dbacb664d40cc32faec341bdb93b926cc85b666cc7b77e"
+ logic_hash = "2534e58ce1e5adbb10dbacb664d40cc32faec341bdb93b926cc85b666cc7b77e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -33992,13 +33992,13 @@ rule REVERSINGLABS_Cert_Blocklist_469C2Cb0 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "7c3d2b3c-3ca4-5f78-9171-739e2502da30"
+ id = "dd19b988-747d-55b9-825b-2ada1ca83691"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L945-L961"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_67ff84475cbe231f97daa3ce623689e7936db8e56be562778f8a4c1ebf7bf316"
+ logic_hash = "67ff84475cbe231f97daa3ce623689e7936db8e56be562778f8a4c1ebf7bf316"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34017,13 +34017,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C0E636A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "dc06d595-041d-50aa-b430-43308496227b"
+ id = "beb2039c-3b0e-5649-96ca-40175493e62c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L963-L979"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_20169cf9ce3f271a22d1376bcf0ff0914f43937738c9ed61fd8e40179405136b"
+ logic_hash = "20169cf9ce3f271a22d1376bcf0ff0914f43937738c9ed61fd8e40179405136b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34042,13 +34042,13 @@ rule REVERSINGLABS_Cert_Blocklist_072714A9 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ba228fe2-0b8a-5a2d-944d-a4526b547430"
+ id = "15ad6936-78a4-58b1-8c68-27ec4ed38649"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L981-L997"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8bea4cfb60056446043ef90a7d01ecc52d82d9e7005a145a4daa61a522ecd2ae"
+ logic_hash = "8bea4cfb60056446043ef90a7d01ecc52d82d9e7005a145a4daa61a522ecd2ae"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34067,13 +34067,13 @@ rule REVERSINGLABS_Cert_Blocklist_00D8F35F4Eb7872B2Dab0692E315382Fb0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "744f2f0f-44bd-5620-bcc8-16641a58133c"
+ id = "2c051732-76d7-5562-a79e-c5bbdc8373b2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L999-L1017"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_463757c59c32859163ea80e694e1f39239c857124aad3895f22f83b47645910c"
+ logic_hash = "463757c59c32859163ea80e694e1f39239c857124aad3895f22f83b47645910c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34092,13 +34092,13 @@ rule REVERSINGLABS_Cert_Blocklist_750E40Ff97F047Edf556C7084Eb1Abfd : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "4d02b423-cf06-5ec8-9b15-d5bfa989e479"
+ id = "7ae4ba81-82be-57f9-aa8c-0e5c30e412c6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1019-L1035"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_21c2468905514e1725a206814b0c61c576cf7f97f184bac857bca9283f49a957"
+ logic_hash = "21c2468905514e1725a206814b0c61c576cf7f97f184bac857bca9283f49a957"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34117,13 +34117,13 @@ rule REVERSINGLABS_Cert_Blocklist_1B5190F73724399C9254Cd424637996A : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "3d4ef9bc-22e7-59fa-b20b-451c2cee7015"
+ id = "dfb08450-c35c-5b7b-9d04-2c9a6af9bcf8"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1037-L1053"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_08f287ccda93e03a7e796d5625ab35ef0de782d07e5db4e2264f612fc5ebaa21"
+ logic_hash = "08f287ccda93e03a7e796d5625ab35ef0de782d07e5db4e2264f612fc5ebaa21"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34142,13 +34142,13 @@ rule REVERSINGLABS_Cert_Blocklist_00Ebaa11D62E2481081820 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "ff10274b-a6d0-5656-8def-f5559770f147"
+ id = "e192d271-b5de-5acc-a04f-02a26d9231ac"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1055-L1072"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2fafc6775ec88b5a1000afbc7234fbef6b03e9eaf866dae660dd2d749996cb5c"
+ logic_hash = "2fafc6775ec88b5a1000afbc7234fbef6b03e9eaf866dae660dd2d749996cb5c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34167,13 +34167,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Aab11Dee52F1B19D056 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "1e4cdde4-b43a-55ad-91c6-b9ba3ba845bb"
+ id = "c6334520-7f93-59d0-8a22-721b928c14d1"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1074-L1089"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1f1215143dc828596e6d7eeff99983755b17eaeb3ab9d7643abdbb48e9957c78"
+ logic_hash = "1f1215143dc828596e6d7eeff99983755b17eaeb3ab9d7643abdbb48e9957c78"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34192,13 +34192,13 @@ rule REVERSINGLABS_Cert_Blocklist_6102B01900000000002F : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "ff0a4a7b-333d-55c5-94ca-593d10688a64"
+ id = "b98769c6-805e-5cd0-96f1-67418fec40a6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1091-L1106"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6c42daa8b8730541bb422ac860ec4b0830e00fdb732e4bb503054dbcae1ff6d4"
+ logic_hash = "6c42daa8b8730541bb422ac860ec4b0830e00fdb732e4bb503054dbcae1ff6d4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34217,13 +34217,13 @@ rule REVERSINGLABS_Cert_Blocklist_01E2B4F759811C64379Fca0Be76D2Dce : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "6b784721-6d07-547c-ac1c-0e38bbacfb33"
+ id = "00effc8a-066c-54ff-891e-c635d161b171"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1108-L1124"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0dff7a9f2e152c20427ea231449b942a040e964cb7dad90271d2865290535326"
+ logic_hash = "0dff7a9f2e152c20427ea231449b942a040e964cb7dad90271d2865290535326"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34242,13 +34242,13 @@ rule REVERSINGLABS_Cert_Blocklist_03E5A010B05C9287F823C2585F547B80 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ee32b812-6dac-56ff-93ea-b3d4aae159b8"
+ id = "14ad79c7-f669-59a6-94d1-978a13fbb337"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1126-L1142"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1d57b640ee313ad4d53dc64ce4df3e4ed57976e7750cfd80d62bf9982d964d26"
+ logic_hash = "1d57b640ee313ad4d53dc64ce4df3e4ed57976e7750cfd80d62bf9982d964d26"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34267,13 +34267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fe7Df6C4B9A33B83D04E23E98A77Cce : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ce9f5342-e720-5ad0-bb91-1f5f5bee0b93"
+ id = "47a10658-c5c4-58b6-b154-7babcfbc50a2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1144-L1160"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_da5ed07def8d0c04ea58aacd90f9fa5588f868f6d0057b9148587f2f0b381f25"
+ logic_hash = "da5ed07def8d0c04ea58aacd90f9fa5588f868f6d0057b9148587f2f0b381f25"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34292,13 +34292,13 @@ rule REVERSINGLABS_Cert_Blocklist_065569A3E261409128A40Affa90D6D10 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "60acfe13-e39a-52bf-beb9-c377f8489e31"
+ id = "924c210b-f72a-51eb-af2a-9897faf8f677"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1162-L1178"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f8d68758704e41325e95ec69334aaf7fabe08a6d5557e0a81bac2f02d3ab5977"
+ logic_hash = "f8d68758704e41325e95ec69334aaf7fabe08a6d5557e0a81bac2f02d3ab5977"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34317,13 +34317,13 @@ rule REVERSINGLABS_Cert_Blocklist_0979616733E062C544Df0Abd315E3B92 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "243c4f32-f5eb-5fbd-9677-2633dd97994e"
+ id = "73222a8d-df63-5784-b5a2-0d936db8ddcb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1180-L1196"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_034b233d6b6dd82ad9fa1ec99db1effa3daaa5bb478d448133c479ac728117ad"
+ logic_hash = "034b233d6b6dd82ad9fa1ec99db1effa3daaa5bb478d448133c479ac728117ad"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34342,13 +34342,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D3250B27E0547C77307030491B42802 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c31fb253-84cf-5eee-a1e9-abbddd807792"
+ id = "54073485-e9a5-5a0b-a907-0e8a528da85d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1198-L1214"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_65f036921dfb9cbce3275aefb7111711e50874440096b2e3c3b55190cfc14ddb"
+ logic_hash = "65f036921dfb9cbce3275aefb7111711e50874440096b2e3c3b55190cfc14ddb"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34367,13 +34367,13 @@ rule REVERSINGLABS_Cert_Blocklist_00D1836Bd37C331A67 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "41ce0e19-5660-5215-b867-de902db14615"
+ id = "4d99e2ee-823e-568d-88b1-48aaf6d44286"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1216-L1234"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8af1d10085c5be8924eb6e4ea3a9b8e936c7706d8ec43d42f24a9a293c7f9d27"
+ logic_hash = "8af1d10085c5be8924eb6e4ea3a9b8e936c7706d8ec43d42f24a9a293c7f9d27"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34392,13 +34392,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Ca028D1A4De0Eb743135Edecf74D7Af : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "4c9908c1-7367-54e3-9833-291d817c98d3"
+ id = "19e1bce7-ad37-5223-b934-b20e78dfd071"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1236-L1252"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_60b6351194e23153d425eaa0c25f840080a29abb5eb1bbcd41bb76a3d4130edd"
+ logic_hash = "60b6351194e23153d425eaa0c25f840080a29abb5eb1bbcd41bb76a3d4130edd"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34417,13 +34417,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dbb14Dcf973Eada14Ece7Ea79C895C11 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "531f7801-9e3f-56cf-8081-3d978eebd169"
+ id = "139f2e4f-7997-5cfd-aba2-dcf8d7525f5e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1254-L1270"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c73c83f5cb6d840b887e1aa41e96a29529f975434ac27a5aa57f2e14b342f63d"
+ logic_hash = "c73c83f5cb6d840b887e1aa41e96a29529f975434ac27a5aa57f2e14b342f63d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34442,13 +34442,13 @@ rule REVERSINGLABS_Cert_Blocklist_F8C2239De3977B8D4A3Dcbedc9031A51 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "a21a6ab5-b747-5a4a-ae19-a5c0b4c12059"
+ id = "3e102d0a-30e3-5f0a-9b67-a5fd15117e69"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1272-L1288"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_aa4f39790bc58b0a50e05e7670abad654d7f3d73e500bd5f054fece4a979ebfa"
+ logic_hash = "aa4f39790bc58b0a50e05e7670abad654d7f3d73e500bd5f054fece4a979ebfa"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34467,13 +34467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Caad8222705D3Fb3430E114A31C8C6A4 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "d68cb2b0-387d-55fe-a82d-90b36e4c8655"
+ id = "d95b5e25-679c-57f8-b790-8f5633a23e4b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1290-L1306"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_35c4f46322da4f5b9f938c1098c8e57effc8abfc03db865190c343df7b8990ea"
+ logic_hash = "35c4f46322da4f5b9f938c1098c8e57effc8abfc03db865190c343df7b8990ea"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34492,13 +34492,13 @@ rule REVERSINGLABS_Cert_Blocklist_B191812516E6618D49E6Ccf5E63Dc343 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "9ad59c1f-392a-5920-ab3d-1021f6cea138"
+ id = "8f316011-9a29-5366-a26a-1fe20651ef17"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1308-L1324"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_40c03e683b4b8e8a23ca84da7dfd3bd998d3708b27b7df7a22f25fb364c3a69b"
+ logic_hash = "40c03e683b4b8e8a23ca84da7dfd3bd998d3708b27b7df7a22f25fb364c3a69b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34517,13 +34517,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Ba7Fb8Ee1Deff8F4A1525E1E0580057 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "b6d24664-ba2f-51e1-a82f-c3488b9e650c"
+ id = "af912c64-334d-51f5-8ca4-707fcec512ba"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1326-L1342"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_324157b9fec2653cb8874c7a1a5b6e39b121992cd52856b8c4a2a8b7cee86a69"
+ logic_hash = "324157b9fec2653cb8874c7a1a5b6e39b121992cd52856b8c4a2a8b7cee86a69"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34542,13 +34542,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Df9F7Eb6Cdc5Ca243B33122E3941E25 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "ff708876-f157-5593-a542-1be2599454a8"
+ id = "da1895fd-ec29-513d-b8ae-2317f84b8280"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1344-L1360"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_703eccd5573fe42f03ec82887660d50e942156d840394746c90ba87d82507803"
+ logic_hash = "703eccd5573fe42f03ec82887660d50e942156d840394746c90ba87d82507803"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34567,13 +34567,13 @@ rule REVERSINGLABS_Cert_Blocklist_58A541D50F9E2Fab4380C6A2Ed433B82 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "58f91572-9ced-5a82-a71c-a963c482ac8e"
+ id = "19a26581-5c94-5c8d-8e3e-b2ef1d770968"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1362-L1378"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_69ddc58b6fec159d6eded8c78237a6a0626b1aedb58b0c9867b758fd09db46ad"
+ logic_hash = "69ddc58b6fec159d6eded8c78237a6a0626b1aedb58b0c9867b758fd09db46ad"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34592,13 +34592,13 @@ rule REVERSINGLABS_Cert_Blocklist_5F273626859Ae4Bc4Becbbeb71E2Ab2D : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "57d60f5b-fcc0-512a-9835-522ec65c7305"
+ id = "a80dcaba-73f9-51d0-a75a-b6348fd305c6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1380-L1396"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c8be504f075041508f299b1df03d9cb9e58d9a89f49b7a926676033d18b108ba"
+ logic_hash = "c8be504f075041508f299b1df03d9cb9e58d9a89f49b7a926676033d18b108ba"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34617,13 +34617,13 @@ rule REVERSINGLABS_Cert_Blocklist_B1Ad46Ce4Db160B348C24F66C9663178 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "1b72ffa5-4977-5cc5-b554-13d8ca51b5b7"
+ id = "df34eb28-18ec-568b-8257-0b2f7959868c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1398-L1414"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_59ce2b7a2e881853d07446b3dda74b296f2be09651364d0e131552cf76dab751"
+ logic_hash = "59ce2b7a2e881853d07446b3dda74b296f2be09651364d0e131552cf76dab751"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34642,13 +34642,13 @@ rule REVERSINGLABS_Cert_Blocklist_256541E204619033F8B09F9Eb7C88Ef8 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c6e4f2ef-ab4f-505e-bae3-f128da97eca9"
+ id = "d4a5eb19-2964-5d3a-b4c5-ee4396e76814"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1416-L1432"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e33cedf1dd24ac73f77461de0cef25cad57909be2a69469fec450ead7da85c65"
+ logic_hash = "e33cedf1dd24ac73f77461de0cef25cad57909be2a69469fec450ead7da85c65"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34667,13 +34667,13 @@ rule REVERSINGLABS_Cert_Blocklist_00E8Cc18Cf100B6B27443Ef26319398734 : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "fcb5a1d8-0e7d-5aac-bc39-a9d6a845fac9"
+ id = "f7e80c51-9dcf-599a-8164-c07cf4c9c5ff"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1434-L1452"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_68e9df056109cae41d981090c7a98ddc192a445647d7475569ddbe4118e570c5"
+ logic_hash = "68e9df056109cae41d981090c7a98ddc192a445647d7475569ddbe4118e570c5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34692,13 +34692,13 @@ rule REVERSINGLABS_Cert_Blocklist_62Af28A7657Ba8Ab10Fa8E2D47250C69 : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "9bea3365-e4fa-5b00-b6c7-9324820be295"
+ id = "cba20a1b-5d24-5a1f-8f2f-8c47add846d6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1454-L1470"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c3c034cb4e2c65e2269fbfd9c045eb294badde60389ae62ed694ea4d61c5eb35"
+ logic_hash = "c3c034cb4e2c65e2269fbfd9c045eb294badde60389ae62ed694ea4d61c5eb35"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34717,13 +34717,13 @@ rule REVERSINGLABS_Cert_Blocklist_04C8Eca7243208A110Dea926C7Ad89Ce : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "ccfee04c-4877-5d99-9702-9bd39fc379b8"
+ id = "484d0aa6-0447-5e60-946b-89b01a5e43dd"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1472-L1488"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0012436e83704397026a8b2e500e5d61915e0f4c8ad4100176e200a975562e8f"
+ logic_hash = "0012436e83704397026a8b2e500e5d61915e0f4c8ad4100176e200a975562e8f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34742,13 +34742,13 @@ rule REVERSINGLABS_Cert_Blocklist_157C3A4A6Bcf35Cf8453E6B6C0072E1D : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "fb93889c-6c83-5507-bc86-29b8c1e9bcd5"
+ id = "4bae3fb2-7e30-598e-8708-b985697bf63a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1490-L1506"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2a68051ab6d0b967f08e44d91b9f13d75587ea0f16e2a5536ccf5898445e1a58"
+ logic_hash = "2a68051ab6d0b967f08e44d91b9f13d75587ea0f16e2a5536ccf5898445e1a58"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34767,13 +34767,13 @@ rule REVERSINGLABS_Cert_Blocklist_04422F12037Bc2032521Dbb6Ae02Ea0E : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "83d38930-0699-5eb5-a766-9275641d6d2a"
+ id = "0dc659e8-1f3b-5130-a776-dd9e4141f5f3"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1508-L1524"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_381d749d24121d6634656fd33adcda5c3e500ee77a6333f525f351a2ee589e2c"
+ logic_hash = "381d749d24121d6634656fd33adcda5c3e500ee77a6333f525f351a2ee589e2c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34792,13 +34792,13 @@ rule REVERSINGLABS_Cert_Blocklist_65Eae6C98111Dc40Bf4F962Bf27227F2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "5a974cb1-238b-5ad9-90c5-90d50a76f8a3"
+ id = "34275efd-b941-56f5-8e1b-30a43f1936e2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1526-L1542"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_20c0f4e9783586e68ff363fe6a72398f6ea27aef5d25f98872d1203ce1a0c9bd"
+ logic_hash = "20c0f4e9783586e68ff363fe6a72398f6ea27aef5d25f98872d1203ce1a0c9bd"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34817,13 +34817,13 @@ rule REVERSINGLABS_Cert_Blocklist_12D5A4B29Fe6156D4195Fba55Ae0D9A9 : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "b126cd79-33ba-5ef6-ade0-3b03bff21451"
+ id = "45c37c98-1006-51e4-8832-b8e5c9fba416"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1544-L1560"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_860550745f6dbcd7dd0925d9b8f04e8e08e8b7c06343a4c070e131a815c42e12"
+ logic_hash = "860550745f6dbcd7dd0925d9b8f04e8e08e8b7c06343a4c070e131a815c42e12"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34842,13 +34842,13 @@ rule REVERSINGLABS_Cert_Blocklist_0087D60D1E2B9374Eb7A735Dce4Bbdae56 : INFO FILE
 meta:
 description = "Certificate used for digitally signing GovRAT malware."
 author = "ReversingLabs"
- id = "714b862e-0b97-5aaa-ae20-841b5351bbdd"
+ id = "8759a40a-648e-548e-a519-bedc812aefe4"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1562-L1580"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d6e0d22e926a237f1cc6b71c6f8ce01e497723032c9efba1e6af7327a786b608"
+ logic_hash = "d6e0d22e926a237f1cc6b71c6f8ce01e497723032c9efba1e6af7327a786b608"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34867,13 +34867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0860C8A7Ed18C3F030A32722Fd2B220C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d8fe70e7-ee11-5658-8862-d09e5404bee8"
+ id = "335a1cd3-520a-5f0f-abda-6ec8a122de4b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1582-L1598"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3c777fb157a6669bfdf3143e77f69265e09458a2b42b75b72680eb043da71e85"
+ logic_hash = "3c777fb157a6669bfdf3143e77f69265e09458a2b42b75b72680eb043da71e85"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34892,13 +34892,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Fdadd0740572270203F8138692C4A83 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2d02db0c-d06e-5a94-840c-21337c36ffbc"
+ id = "0b289c4e-c564-5513-a1a5-42e8551c6218"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1600-L1616"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_18ce7ed721a454c5bb3cd6ab26df703b1e08b94b8c518055feffa38ad42afa50"
+ logic_hash = "18ce7ed721a454c5bb3cd6ab26df703b1e08b94b8c518055feffa38ad42afa50"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34917,13 +34917,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fc13D6220C629043A26F81B1Cad72D8 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f06763f5-afd3-5ff6-b59a-f1d6c5bb67c4"
+ id = "c2573adc-6580-58aa-a58c-c21bf6b79364"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1618-L1634"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5572c278f6c9be62b2bba09ea610fd170438c6893ee5283ff4a5b3bb2852b07b"
+ logic_hash = "5572c278f6c9be62b2bba09ea610fd170438c6893ee5283ff4a5b3bb2852b07b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34942,13 +34942,13 @@ rule REVERSINGLABS_Cert_Blocklist_3457A918C6D3701B2Eaca6A92474A7Cc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "bf526f41-0408-5a7d-941b-2b30fa1bc6f6"
+ id = "12526715-7b54-5c31-aa2a-b77ed067e3ee"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1636-L1652"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_70d4bece52a86bfe8958f6d4195b833cea609596e3b68bb90087c262501bd462"
+ logic_hash = "70d4bece52a86bfe8958f6d4195b833cea609596e3b68bb90087c262501bd462"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34967,13 +34967,13 @@ rule REVERSINGLABS_Cert_Blocklist_621Ed8265B0Ad872D9F4B4Ed6D560513 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2d4a10e4-caad-55ec-bc65-7b226bd26385"
+ id = "b64e640c-264f-597c-90a5-d0ad57aa5075"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1654-L1670"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c133d6eea5d27e597d0a656c7c930a5ca84adb46aa2fec66381b6b5c759e22aa"
+ logic_hash = "c133d6eea5d27e597d0a656c7c930a5ca84adb46aa2fec66381b6b5c759e22aa"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -34992,13 +34992,13 @@ rule REVERSINGLABS_Cert_Blocklist_56E22B992B4C7F1Afeac1D63B492Bf54 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1bfd81bf-caad-5825-8b32-b3ff2a55c333"
+ id = "28609e75-47cb-5017-bb92-046a9e8931c6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1672-L1688"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ef058c0ec352260fa3db0fc74331d1da3c9eb8d161cef7635632fd7c569198c6"
+ logic_hash = "ef058c0ec352260fa3db0fc74331d1da3c9eb8d161cef7635632fd7c569198c6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35017,13 +35017,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Bc3Bae4118D46F3Fdd9Beeeab749Fee : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "fe41ed11-1a14-5c04-a43c-315c59b9fed2"
+ id = "0d2f1f5f-119a-5069-abcb-e4e93d9964c3"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1690-L1706"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fcbda27f8bf4dca8aa32103bb344380c82f0c701c25766df94c182ef94805a12"
+ logic_hash = "fcbda27f8bf4dca8aa32103bb344380c82f0c701c25766df94c182ef94805a12"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35042,13 +35042,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F0449F7691E5B4C8E74E71Cae822179 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f5e27b65-c048-5191-a9f6-fc57d92836c2"
+ id = "17c99772-f2f9-56bc-be01-d9f62626a9ff"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1708-L1724"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f8d3593b357f27240a4399e877ae9044f783bb944ad47ec9fe8bbecc63be864c"
+ logic_hash = "f8d3593b357f27240a4399e877ae9044f783bb944ad47ec9fe8bbecc63be864c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35067,13 +35067,13 @@ rule REVERSINGLABS_Cert_Blocklist_43Db4448D870D7Bdc275F36A01Fba36F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f334b4de-c598-5bdf-926a-ce730f287b68"
+ id = "47b3e681-87ae-5e70-8d02-18aa0daab0dc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1726-L1742"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_951e35e2c3f1bd90a33f8b76b6ede5686ee9b9c97a4c71df5b9dff15956209c5"
+ logic_hash = "951e35e2c3f1bd90a33f8b76b6ede5686ee9b9c97a4c71df5b9dff15956209c5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35092,13 +35092,13 @@ rule REVERSINGLABS_Cert_Blocklist_2880A7F7Ff2D334Aa08744A8754Fab2C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a18bfeee-ba7a-5441-9611-51e68f8a6405"
+ id = "b079b564-9284-59b6-9703-4e33f2b2c44d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1744-L1760"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_03c7e1251c44e8824ae3b648a95cf34f4c56db65d76806306a062a343981d87f"
+ logic_hash = "03c7e1251c44e8824ae3b648a95cf34f4c56db65d76806306a062a343981d87f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35117,13 +35117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0492F5C18E26Fa0Cd7E15067674Aff1C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "23736437-4673-5dfa-8fc4-cf92d4e7df77"
+ id = "6a176d4a-5d3e-5184-b923-12d561e7034a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1762-L1778"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d47d59d7680000d6c35181be2d9b034c2ecb7ca754a39c8e11750ddd7246b47c"
+ logic_hash = "d47d59d7680000d6c35181be2d9b034c2ecb7ca754a39c8e11750ddd7246b47c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35142,13 +35142,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Aa668Cd6A9De1Fdd476Ea8225326937 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "cb6b18e3-8d93-50a3-9418-1a646eedaa0a"
+ id = "bfff2210-8545-594d-8674-243e57e3dd09"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1780-L1796"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_706e16995af40a6c9176dcbca07fb406f2efe4d47dbd9629d1a6b1ab1d09b045"
+ logic_hash = "706e16995af40a6c9176dcbca07fb406f2efe4d47dbd9629d1a6b1ab1d09b045"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35167,13 +35167,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb06Dccb482255728671Ea12Ac41620 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "623e6bb6-9746-5727-b0d9-491f37afa268"
+ id = "5a7f61a4-15ba-5f5c-89e1-b8b986e13f19"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1798-L1814"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e0867ffe2ddd28282fe78b27b3b12ebac525b33a27dd242bc6f55bcd2e066a18"
+ logic_hash = "e0867ffe2ddd28282fe78b27b3b12ebac525b33a27dd242bc6f55bcd2e066a18"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35192,13 +35192,13 @@ rule REVERSINGLABS_Cert_Blocklist_370C2467C41D6019Bbecd72E00C5D73D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ae5a04c0-6ee1-5841-8924-50b7734c99d4"
+ id = "18c5d1bb-21b8-5157-a03b-8bcbdc74c0cd"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1816-L1832"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2b99522b75ee83d85b30146cb292b5a8a46dc300fb43dd9d39d9ca96c9d32d9b"
+ logic_hash = "2b99522b75ee83d85b30146cb292b5a8a46dc300fb43dd9d39d9ca96c9d32d9b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35217,13 +35217,13 @@ rule REVERSINGLABS_Cert_Blocklist_5067339614C5Cc219C489D40420F3Bf9 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "5a889259-0acd-52c1-9b6c-f2f18cb3e299"
+ id = "6e0cb6f9-0a92-5eb2-b13f-f9c4eb0ae6b1"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1834-L1850"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1716087285a093a3467583f79d7ae9bee641997227e6d4f95047905aedcc97c6"
+ logic_hash = "1716087285a093a3467583f79d7ae9bee641997227e6d4f95047905aedcc97c6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35242,13 +35242,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E32531Ae83992F0573120A5E78De271 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "24b36182-58c1-5ade-b23a-8bd848bdd713"
+ id = "37fc58ea-63d4-569d-968f-f4775403b0bb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1852-L1868"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2b6d54ea8395c3666906b2e60c30b970c2c1b6f55ded874cbcc22dc79391fb34"
+ logic_hash = "2b6d54ea8395c3666906b2e60c30b970c2c1b6f55ded874cbcc22dc79391fb34"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35267,13 +35267,13 @@ rule REVERSINGLABS_Cert_Blocklist_6967A89Bcf6Efef160Aaeebbff376C0A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b6d9fdf7-b919-5bb9-b124-8553547dd059"
+ id = "d6714f50-600b-5437-8be6-097f7dd93dc7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1870-L1886"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_deb7465e453aa5838f81e15e270abc958a65e1a6051a88a5910244edbe874451"
+ logic_hash = "deb7465e453aa5838f81e15e270abc958a65e1a6051a88a5910244edbe874451"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35292,13 +35292,13 @@ rule REVERSINGLABS_Cert_Blocklist_7473D95405D2B0B3A8F28785Ce6E74Ca : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "83f29658-690a-54ff-81e2-b7dad3797467"
+ id = "7f44b9d8-917b-5fc4-9651-cce89358e415"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1888-L1904"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e15b990b13617017ca2d1f8caf03d8ff3785ca9b860bf11f81af5dadf17a9be5"
+ logic_hash = "e15b990b13617017ca2d1f8caf03d8ff3785ca9b860bf11f81af5dadf17a9be5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35317,13 +35317,13 @@ rule REVERSINGLABS_Cert_Blocklist_04F380F97579F1702A85E0169Bbdfd78 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1c240ac4-fa7e-5cba-a8b8-a7d28ad3681c"
+ id = "860027ff-2df2-5519-afde-60ebee270290"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1906-L1922"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_73dc6e36fdaf5c80b33f20f2a9157805ce1d0218f3898104de16522ee9cfd51b"
+ logic_hash = "73dc6e36fdaf5c80b33f20f2a9157805ce1d0218f3898104de16522ee9cfd51b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35342,13 +35342,13 @@ rule REVERSINGLABS_Cert_Blocklist_04D6B8Cc6Dce353Fcf3Ae8A532Be7255 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "9178b6ac-b2cd-58d2-bce1-ad079d97294a"
+ id = "937dd780-52f7-5f27-ac2e-a0245997d449"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1924-L1940"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a316ad7f554428d02a850fb3bb04f349d30ecd2ccd4597e7a63461bf5e866e6f"
+ logic_hash = "a316ad7f554428d02a850fb3bb04f349d30ecd2ccd4597e7a63461bf5e866e6f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35367,13 +35367,13 @@ rule REVERSINGLABS_Cert_Blocklist_191322A00200F793 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "81fe75a6-fd0d-5d4a-aebb-8bfccff1edeb"
+ id = "4011e54c-ca28-536f-8759-077fcce6d45f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1942-L1958"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1b816785f86189817c124636e50a0f369ec85cfd898223c4ba43758a877f1cf3"
+ logic_hash = "1b816785f86189817c124636e50a0f369ec85cfd898223c4ba43758a877f1cf3"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35392,13 +35392,13 @@ rule REVERSINGLABS_Cert_Blocklist_451C9D0B413E6E8Df175 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "83e818ef-bf03-5469-a47d-54109422196e"
+ id = "adc832c0-166d-52d1-aeec-2fc92ff52d02"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1960-L1976"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7c94d87f79c9add4d7bf2a63d0774449319aa56cbc631dd9b0f19ed9bb9837d4"
+ logic_hash = "7c94d87f79c9add4d7bf2a63d0774449319aa56cbc631dd9b0f19ed9bb9837d4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35417,13 +35417,13 @@ rule REVERSINGLABS_Cert_Blocklist_03943858218F35Adb7073A6027555621 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e8b490f2-7b49-5a32-96de-7f43d4c99bc2"
+ id = "fbaf4c7a-5f20-57f7-b6b7-143fdbf0e5c2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1978-L1994"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_93369d51b73591559494a48fafa5e4f7d46301ecaa379d8de70a70ac4d2d2728"
+ logic_hash = "93369d51b73591559494a48fafa5e4f7d46301ecaa379d8de70a70ac4d2d2728"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35442,13 +35442,13 @@ rule REVERSINGLABS_Cert_Blocklist_09813Ee7318452C28A1F6426D1Cee12D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f0cd893e-80c6-5142-a7a5-97f75e8cc515"
+ id = "db3c1992-b6a1-5aaf-ae3a-c626b531529a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L1996-L2012"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_89eb019192f822f9fe070403161d81e425fb8acdbc80e55fa516b5607eb8f8c7"
+ logic_hash = "89eb019192f822f9fe070403161d81e425fb8acdbc80e55fa516b5607eb8f8c7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35467,13 +35467,13 @@ rule REVERSINGLABS_Cert_Blocklist_476Bf24A4B1E9F4Bc2A61B152115E1Fe : INFO FILE
 meta:
 description = "Certificate used for digitally signing Derusbi malware."
 author = "ReversingLabs"
- id = "59f6775d-4344-5a5e-b50a-e4c6ae345d79"
+ id = "a41e8196-f5ad-5046-82ac-38c6fe753bdb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2014-L2030"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0ec0f44d2a7a53ad5653334378b631abde1834ebfcf72efcdcce353c6b9ae17d"
+ logic_hash = "0ec0f44d2a7a53ad5653334378b631abde1834ebfcf72efcdcce353c6b9ae17d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35492,13 +35492,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Bd55818C5971B63Dc45Cf57Cbeb950B : INFO FILE
 meta:
 description = "Certificate used for digitally signing Derusbi malware."
 author = "ReversingLabs"
- id = "4146c8d8-2f8d-5d52-8d34-6e8c4b4579d9"
+ id = "9269cc5c-039e-5d98-ac13-c7b99606e7fa"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2032-L2048"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5aa41a2d6a86a30559b36818602e1bdf2bfd38b799a4869c26c150052d6d788c"
+ logic_hash = "5aa41a2d6a86a30559b36818602e1bdf2bfd38b799a4869c26c150052d6d788c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35517,13 +35517,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C0B2E9D2Ef909D15270D4Dd7Fa5A4A5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing Derusbi malware."
 author = "ReversingLabs"
- id = "7ea27d85-e09b-5cac-ac23-dc8e57f6e172"
+ id = "97005464-1219-56d7-bd5c-f047558be1dc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2050-L2066"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9c74eb025bb413503b97ffdba6f19eadecf3789ce3a5d5419f84e32e25c9b5b1"
+ logic_hash = "9c74eb025bb413503b97ffdba6f19eadecf3789ce3a5d5419f84e32e25c9b5b1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35542,13 +35542,13 @@ rule REVERSINGLABS_Cert_Blocklist_5E3D76Dc7E273E2F313Fc0775847A2A2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing Sakula and Derusbi malware."
 author = "ReversingLabs"
- id = "56a5288c-ae62-5bd0-8038-16aa46815469"
+ id = "93707307-a250-526d-a3d4-32ed5d2a63a6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2068-L2084"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b943057fc3e97cfccadb4b8f61289a93b659aacf2a40217fcf519d4882e70708"
+ logic_hash = "b943057fc3e97cfccadb4b8f61289a93b659aacf2a40217fcf519d4882e70708"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35567,13 +35567,13 @@ rule REVERSINGLABS_Cert_Blocklist_47D5D5372Bcb1562B4C9F4C2Bdf13587 : INFO FILE
 meta:
 description = "Certificate used for digitally signing Sakula malware."
 author = "ReversingLabs"
- id = "7cd3951c-9caa-5350-b364-a526a6e28fc9"
+ id = "d888478e-3883-5d9d-a2b3-d59b57409b8d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2086-L2102"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fb4994647a2ed95c73625d90315c9b6deb6fb3b81b4aa6e847b0193f0a76650c"
+ logic_hash = "fb4994647a2ed95c73625d90315c9b6deb6fb3b81b4aa6e847b0193f0a76650c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35592,13 +35592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ac10E68F1Ce519E84Ddcd28B11Fa542 : INFO FILE
 meta:
 description = "Certificate used for digitally signing Sakula malware."
 author = "ReversingLabs"
- id = "5d642fc9-a444-53bf-b03f-3306ca56ec90"
+ id = "9cc0e518-84c8-5b23-b8cb-e0e0fe7849bd"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2104-L2120"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_dac3b6b7609ec1e82afe4f9c6c14e2d32b6f5d8d49c59d6c605f2a94d71bc107"
+ logic_hash = "dac3b6b7609ec1e82afe4f9c6c14e2d32b6f5d8d49c59d6c605f2a94d71bc107"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35617,13 +35617,13 @@ rule REVERSINGLABS_Cert_Blocklist_31062E483E0106B18C982F0053185C36 : INFO FILE
 meta:
 description = "Certificate used for digitally signing Sakula malware."
 author = "ReversingLabs"
- id = "bfeaaaac-f8d7-5e76-abbe-4a18ef5f5eb7"
+ id = "84bce7c1-efba-5a76-8865-dcfcc8e50d41"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2122-L2138"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e45fc5b4d1b9f5cd35c56aad381e26e30675a9d99747cd318f3c77ea2af0e14a"
+ logic_hash = "e45fc5b4d1b9f5cd35c56aad381e26e30675a9d99747cd318f3c77ea2af0e14a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35642,13 +35642,13 @@ rule REVERSINGLABS_Cert_Blocklist_20D0Ee42Fc901E6B3A8Fefe8C1E6087A : INFO FILE
 meta:
 description = "Certificate used for digitally signing Sakula malware."
 author = "ReversingLabs"
- id = "8dff7c52-d6aa-5540-a094-252437eb9e1b"
+ id = "ba37919a-584b-5ff7-b4d5-5b711cc87b1f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2140-L2156"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2225302de1e8fe9f2ad064e19b2b1d9faf90c7cafbebff6ddd0921bf57c5f9e6"
+ logic_hash = "2225302de1e8fe9f2ad064e19b2b1d9faf90c7cafbebff6ddd0921bf57c5f9e6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35667,13 +35667,13 @@ rule REVERSINGLABS_Cert_Blocklist_127251B32B9A50Bd : INFO FILE
 meta:
 description = "Certificate used for digitally signing OSX DokSpy backdoor."
 author = "ReversingLabs"
- id = "831d550b-c18b-5434-92aa-e749ac26d471"
+ id = "3581085c-a6e7-571f-8253-f8d9e90e78fc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2158-L2174"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8552ce9e9ab8d6b1025ab3c6e7b2485ef855236114c426475fde0b5f2e231ec9"
+ logic_hash = "8552ce9e9ab8d6b1025ab3c6e7b2485ef855236114c426475fde0b5f2e231ec9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35692,13 +35692,13 @@ rule REVERSINGLABS_Cert_Blocklist_48Cad4E6966E22D6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing OSX DokSpy backdoor."
 author = "ReversingLabs"
- id = "b276bbaa-0b32-577b-9529-c70fdd7520e8"
+ id = "22d62d7e-3f76-5f6b-a3f1-a6b087fb63e2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2176-L2192"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7733b8a97d9f3538db04309a2e3f9df6cb64930b0b6f7f241c3e629be2dd7804"
+ logic_hash = "7733b8a97d9f3538db04309a2e3f9df6cb64930b0b6f7f241c3e629be2dd7804"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35717,13 +35717,13 @@ rule REVERSINGLABS_Cert_Blocklist_5E15205F180442Cc6C3C0F03E1A33D9F : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "bae1b19d-3d31-5e27-9ceb-20f004146bdc"
+ id = "4a0d995a-37df-52a4-a66f-4bc6c290c10a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2194-L2210"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1ca238b5da4ff9940425c99f55542c931ccdf0ea3b0a2acbf00ffbbb54171ae0"
+ logic_hash = "1ca238b5da4ff9940425c99f55542c931ccdf0ea3b0a2acbf00ffbbb54171ae0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35742,13 +35742,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C8E3B1613F73542F7106F272094Eb23 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "fb0ad329-cccb-50d4-8312-d01d01447004"
+ id = "06f79efe-134e-5941-80fe-3b6482ac9668"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2212-L2228"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_15c21b783409d904a0b4971dbdcbd0740083d13f3c633ee77c87df46d3aca748"
+ logic_hash = "15c21b783409d904a0b4971dbdcbd0740083d13f3c633ee77c87df46d3aca748"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35767,13 +35767,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Ce2Bd0Ad3Cfde9Ea73Eec7Ca30400Da : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "e26cfb12-4584-583b-8657-3b6d8533fe32"
+ id = "b7439b38-c8b7-5dcb-8d10-952862ce3465"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2230-L2246"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a879ecd957acd29e8a5bad6c97cd10453ab857949680b522735bd77eb561d2ee"
+ logic_hash = "a879ecd957acd29e8a5bad6c97cd10453ab857949680b522735bd77eb561d2ee"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35792,13 +35792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fbc30Db127A536C34D7A0Fa81B48193 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "cc5c248c-9c05-5353-b6c6-30b4c8d9fe9e"
+ id = "c755a6c1-e113-5513-9a61-87bf6d7dcb3e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2248-L2264"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6b109b5636aa297a6e07f9d9213f7f07a7767b58442d03dc2f34f8a9b3eaba2b"
+ logic_hash = "6b109b5636aa297a6e07f9d9213f7f07a7767b58442d03dc2f34f8a9b3eaba2b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35817,13 +35817,13 @@ rule REVERSINGLABS_Cert_Blocklist_08448Bd6Ee9105Ae31228Ea5Fe496F63 : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "3d7713f2-4a5e-53ec-aefa-6d1c8737f83d"
+ id = "489ffe25-43cf-55b6-b249-17d251b9774e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2266-L2282"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9bc044b4fdf381274a2c31bc997dcdfd553595d92de7b33dc472353a00011711"
+ logic_hash = "9bc044b4fdf381274a2c31bc997dcdfd553595d92de7b33dc472353a00011711"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35842,13 +35842,13 @@ rule REVERSINGLABS_Cert_Blocklist_02F17566Ef568Dc06C9A379Ea2F4Faea : INFO FILE
 meta:
 description = "The digital certificate has leaked."
 author = "ReversingLabs"
- id = "f329536b-17a3-57be-a082-0c49edc1d74f"
+ id = "a14e16ff-844c-53ff-9297-8760265da747"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2284-L2300"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e3ec8a6de817354862880301e78a999f45f02c2fa8512bba6d27c9776f1a3417"
+ logic_hash = "e3ec8a6de817354862880301e78a999f45f02c2fa8512bba6d27c9776f1a3417"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35867,13 +35867,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D824Ba1F7F730319C50D64C9A7Ed507 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "23dd5d56-ac05-5324-902d-3305796eff9a"
+ id = "4372aea7-a25b-5211-befd-9e0bcfb09199"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2302-L2318"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_407611603974c910d9a6a0ed71ecdf54ddcc59abb0f48c60846e61d6d4191933"
+ logic_hash = "407611603974c910d9a6a0ed71ecdf54ddcc59abb0f48c60846e61d6d4191933"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35892,13 +35892,13 @@ rule REVERSINGLABS_Cert_Blocklist_77A64759F12766E363D779998C71Bdc9 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d90085b5-e6c7-53b3-b34c-f8d1bc8acd5e"
+ id = "98acd01b-c452-530d-8814-2591810ecd53"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2320-L2336"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2bf3d99ddec6b76da1ca60a9285767a5b34b84455db58195fc5d8fd8a22c9f8a"
+ logic_hash = "2bf3d99ddec6b76da1ca60a9285767a5b34b84455db58195fc5d8fd8a22c9f8a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35917,13 +35917,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B0D17Ec1449B4B2D38Fcb0F20Fbcd3A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c2479c2b-7fdb-5adf-8bb2-5933188ff0f8"
+ id = "4484b00d-8fad-5f8f-9030-67216f2820a3"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2338-L2354"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3121f2c49d0d4c396023924521f2c980045b6f07d082e49447429e9cd640e0ef"
+ logic_hash = "3121f2c49d0d4c396023924521f2c980045b6f07d082e49447429e9cd640e0ef"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35942,13 +35942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fe9404Dc73Cf1C2Ba1450B8398305557 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "478b502f-562a-5ca8-bea5-c77c991538b0"
+ id = "17700719-81ea-58d4-87f5-4d5c1b19bf64"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2356-L2374"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c0132d71de1384f6e534dd154eba88c4a51c43b7dfe984f3064ba4feffa4dd5a"
+ logic_hash = "c0132d71de1384f6e534dd154eba88c4a51c43b7dfe984f3064ba4feffa4dd5a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35967,13 +35967,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb2D523A6Bf7A066642C578De1C9Be4 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "35b4c6d5-2441-5981-b780-ea7b090ab62a"
+ id = "d2c87c29-cb64-5d43-847b-64c888421c1f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2376-L2392"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5a786b9ade5a59b8a1e0bbef1eb3dcb65404dcee19d572dc60f9ec9f45e4755b"
+ logic_hash = "5a786b9ade5a59b8a1e0bbef1eb3dcb65404dcee19d572dc60f9ec9f45e4755b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -35992,13 +35992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A6Ccabb1C62F3Be3Eb03869Fa43Dc4A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1dae33e9-147c-54bf-b075-11940a4efc00"
+ id = "b16f7bb7-88fe-5f8f-9592-8d309f556419"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2394-L2410"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ccb603c8a5f4fb63876e78d763f80a97098c23aa10673c7b04a48026268f57d3"
+ logic_hash = "ccb603c8a5f4fb63876e78d763f80a97098c23aa10673c7b04a48026268f57d3"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36017,13 +36017,13 @@ rule REVERSINGLABS_Cert_Blocklist_864196F01971Dbec7002B48642A7013A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c8763456-02b4-5c88-b2f3-0fc3d5cffb3f"
+ id = "80478430-ce01-5fae-bcaf-2b7a445bc20d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2412-L2430"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a3173bb08e673caaa64ab22854840a135e891044b165bbc67733c951ec6aa991"
+ logic_hash = "a3173bb08e673caaa64ab22854840a135e891044b165bbc67733c951ec6aa991"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36042,13 +36042,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fda1E121B61Adeca936A6Aebe079303 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3b3f1366-16ad-522e-a490-35c42ac0209f"
+ id = "fba98d6b-dc09-5294-ad86-2f4e0d8ad320"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2432-L2448"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_70a04c83e79c98024bacf1688bb46d80c9b8491e25dd32d6d92bf3cf61c62e48"
+ logic_hash = "70a04c83e79c98024bacf1688bb46d80c9b8491e25dd32d6d92bf3cf61c62e48"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36067,13 +36067,13 @@ rule REVERSINGLABS_Cert_Blocklist_03866Deb183Abfbf4Ff458D4De7Bd73A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "48f082bc-c58d-579d-a19d-41b1861ab660"
+ id = "2641eb86-94f0-537c-a82a-6a5e1596ee84"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2450-L2466"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_90d09d0d2d01500e0670277d0e8de574feecf7443cf4d077912b1166a9c14c43"
+ logic_hash = "90d09d0d2d01500e0670277d0e8de574feecf7443cf4d077912b1166a9c14c43"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36092,13 +36092,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Be41B34127Ca9E6270830D2070Db426 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e44afe7f-3a7c-50ff-bd18-1ff1b0b5f4a3"
+ id = "bee69e9d-db8e-5d4e-8e97-b3791b4f717d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2468-L2484"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b66c4b9264be70d53838442a3112c4bacbdf2dda90840d71c3eb949e630b3f17"
+ logic_hash = "b66c4b9264be70d53838442a3112c4bacbdf2dda90840d71c3eb949e630b3f17"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36117,13 +36117,13 @@ rule REVERSINGLABS_Cert_Blocklist_9B108B8A1Daa0D5581F59Fcee0447901 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3dac7711-674e-5d9c-8099-e15f5fa33a51"
+ id = "cacb2af8-dbc6-5d61-a2d5-641c5c09bc79"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2486-L2504"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_696e3da511f74f9cfb10b96130a36ae9f48c22f1e0deb76092db1262980ab3ac"
+ logic_hash = "696e3da511f74f9cfb10b96130a36ae9f48c22f1e0deb76092db1262980ab3ac"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36142,13 +36142,13 @@ rule REVERSINGLABS_Cert_Blocklist_5F8203C430Fc7Db4E61F6684F6829Ffc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "11194d47-3c2a-552f-ae67-e00497f9b656"
+ id = "975cd500-2f08-55c9-a821-4dde3a54ae0c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2506-L2522"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cd22d1beea12d1f6c50f69e76074c2582ce5567887056c43d4d6c87d33fce1bf"
+ logic_hash = "cd22d1beea12d1f6c50f69e76074c2582ce5567887056c43d4d6c87d33fce1bf"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36167,13 +36167,13 @@ rule REVERSINGLABS_Cert_Blocklist_6B6Daef5Be29F20Ddce4B0F5E9Fa6Ea5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "005428ab-00bf-5d2f-8cc1-1cfcf047f4b1"
+ id = "55611c9a-d45d-55fa-8e5e-a5621223cc9d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2524-L2540"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_edd2f302d2fac65f6a93372a24c3f80757f2b175af661032917366e9629c5491"
+ logic_hash = "edd2f302d2fac65f6a93372a24c3f80757f2b175af661032917366e9629c5491"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36192,13 +36192,13 @@ rule REVERSINGLABS_Cert_Blocklist_57D6Dff1Ef96F01B9430666B2733Cc87 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6fc6e7dd-85d9-54eb-9f88-b86d44875ad7"
+ id = "c20b81a1-7331-57a9-9daf-007ec516a473"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2542-L2558"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_40d22137e9c5345859c5f000166da2a3117bcfcc19b4c5e81083cad80dfa6ee4"
+ logic_hash = "40d22137e9c5345859c5f000166da2a3117bcfcc19b4c5e81083cad80dfa6ee4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36217,13 +36217,13 @@ rule REVERSINGLABS_Cert_Blocklist_0166B65038D61E5435B48204Cae4795A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "10ee6bc5-947a-589e-b83a-7fef1e204a13"
+ id = "04bdefc5-ee4e-5a46-94d6-e3a5d8b56ce0"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2560-L2576"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4e289eda4d5381250bcd6e36daade6f1e1803b6d16578d7eaee4454cef6981d0"
+ logic_hash = "4e289eda4d5381250bcd6e36daade6f1e1803b6d16578d7eaee4454cef6981d0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36242,13 +36242,13 @@ rule REVERSINGLABS_Cert_Blocklist_784F226B45C3Bd8E4089243D747D1F59 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2eb740f6-c2e1-51e4-8006-3814067890ff"
+ id = "f2a979e0-2027-5143-8cb4-ffcfd19faf45"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2578-L2594"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_df8ca35a07ec6815d1efb68fa6fbf8f80c57032ecb99d0b038da0604ceffe8cf"
+ logic_hash = "df8ca35a07ec6815d1efb68fa6fbf8f80c57032ecb99d0b038da0604ceffe8cf"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36267,13 +36267,13 @@ rule REVERSINGLABS_Cert_Blocklist_11690F05604445Fae0De539Eeeeec584 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3d816e2d-2a75-5be6-a250-3af16851109a"
+ id = "e6513bd1-2524-5baa-8484-b7e0f2f0c02a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2596-L2612"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b66257f562f698559910eb9576f8fdf0ce3a750cc0a96a27e2ec1a18872ad13f"
+ logic_hash = "b66257f562f698559910eb9576f8fdf0ce3a750cc0a96a27e2ec1a18872ad13f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36292,13 +36292,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa146Bff4B832Bdbfe30B84580356763 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "94b31fa1-925a-52c9-b36b-f47e5c7ec4a5"
+ id = "90fab567-f39f-5d0b-b0d9-a93693a05a01"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2614-L2632"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_37abe7a4fd773fd34f5d7dbe725ba4edcfb8ebb501dc41f386b8b0629161051f"
+ logic_hash = "37abe7a4fd773fd34f5d7dbe725ba4edcfb8ebb501dc41f386b8b0629161051f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36317,13 +36317,13 @@ rule REVERSINGLABS_Cert_Blocklist_E86F46B60142092Aae81B8F6Fa3D9C7C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6b146164-3cb1-51ce-a08d-e75afb3f4e3d"
+ id = "fde17cc1-a968-5134-b12b-d65cb34c086f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2634-L2652"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6de16a44bc84fbf8f1d3d82526e1d7f8fd4ae3da6deaa471c77d2c8df47a14b0"
+ logic_hash = "6de16a44bc84fbf8f1d3d82526e1d7f8fd4ae3da6deaa471c77d2c8df47a14b0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36342,13 +36342,13 @@ rule REVERSINGLABS_Cert_Blocklist_1A0Fd2A4Ef4C2A36Ab9C5E8F792A35E2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "067b1ce8-a011-5ca6-8cff-e9192b02adbe"
+ id = "7148a21a-97d6-59a2-a1cf-442c271bc0b5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2654-L2670"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8e768415998a6a92961986cb0a9d310514d928be93b3e5a9aaa9ec71bf5886ad"
+ logic_hash = "8e768415998a6a92961986cb0a9d310514d928be93b3e5a9aaa9ec71bf5886ad"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36367,13 +36367,13 @@ rule REVERSINGLABS_Cert_Blocklist_53Bb753B79A99E61A6E822Ac52460C70 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "017d6bcb-9f94-52ad-8de7-83976d9ce58b"
+ id = "6339d548-775b-52b9-84c5-a79de23a16b2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2672-L2688"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_24ff4f46fa6e85c25e130459f9b8d6907cf6cd51098e0cf45ec11d54d7de509b"
+ logic_hash = "24ff4f46fa6e85c25e130459f9b8d6907cf6cd51098e0cf45ec11d54d7de509b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36392,13 +36392,13 @@ rule REVERSINGLABS_Cert_Blocklist_83F68Fc6834Bf8Bd2C801A2D1F1Acc76 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b539502e-a25a-57af-a4e3-d657db6f581b"
+ id = "763d4faf-19af-5349-a643-4773055df47a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2690-L2708"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_35552242f9f0a56b45e30e6f376877446f33e24690ff5d7b03dc776fab178afd"
+ logic_hash = "35552242f9f0a56b45e30e6f376877446f33e24690ff5d7b03dc776fab178afd"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36417,13 +36417,13 @@ rule REVERSINGLABS_Cert_Blocklist_F385E765Acfb95605C9B35Ca4C32F80E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0af9dec6-2a34-53dc-b7fa-9b8ced50d772"
+ id = "865f8daf-35c4-5437-9c97-9b9fc48d7d70"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2710-L2728"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c73c8f1913d3423a52f5e77751813460ae9200eb3cb1cc6e2ec30f37f0da8152"
+ logic_hash = "c73c8f1913d3423a52f5e77751813460ae9200eb3cb1cc6e2ec30f37f0da8152"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36442,13 +36442,13 @@ rule REVERSINGLABS_Cert_Blocklist_F62C9C4Efc81Caf0D5A2608009D48018 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d4f1d184-2083-54c5-a2fd-c8338cafcd1b"
+ id = "176434ae-7162-5b35-91f7-888536250884"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2730-L2748"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_08fcff795297c0608b1a1d71465279cbf76d4dff06de2a2262a58debbb2f9e0d"
+ logic_hash = "08fcff795297c0608b1a1d71465279cbf76d4dff06de2a2262a58debbb2f9e0d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36467,13 +36467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cc8D902Da36587C9B2113Cd76C3C3F8D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "12e62503-d8b6-5cd1-b798-2ef500a8f338"
+ id = "f9e542aa-eaa5-50a5-95dc-fb55f8575c89"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2750-L2768"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_25e524d23ccc1c06f602a086369ffd44b8c97b76c29f068764081339556b3465"
+ logic_hash = "25e524d23ccc1c06f602a086369ffd44b8c97b76c29f068764081339556b3465"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36492,13 +36492,13 @@ rule REVERSINGLABS_Cert_Blocklist_328Bdcc0F679C4649147Fbb3Eb0E9Bc6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1645c47d-5cee-5f64-9157-ee834fdad420"
+ id = "8e2c2204-8905-5e05-9ec8-e1577ae4c2cb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2770-L2786"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6d9e1f25ca252ca9dda7714c52a2e57fd3b5dca08cd2a45c9dec18a31d3bb342"
+ logic_hash = "6d9e1f25ca252ca9dda7714c52a2e57fd3b5dca08cd2a45c9dec18a31d3bb342"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36517,13 +36517,13 @@ rule REVERSINGLABS_Cert_Blocklist_5F78149Eb4F75Eb17404A8143Aaeaed7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "84bc0de2-7527-53ca-900f-a981ce4cf763"
+ id = "4c9d3bba-4e7f-5bf5-ab90-f2b900ec0b2a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2788-L2804"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0c7c9e8d2a9304e0407b8a1a29977312a9ba766a4052c6b874855fa187c85585"
+ logic_hash = "0c7c9e8d2a9304e0407b8a1a29977312a9ba766a4052c6b874855fa187c85585"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36542,13 +36542,13 @@ rule REVERSINGLABS_Cert_Blocklist_629D120Dd84F9C1688D4Da40366Fab7A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f73eb563-ac88-5f3e-b2e8-75bd296e2fcf"
+ id = "7e6249ba-3a4f-5096-be32-779e73c88221"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2806-L2822"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_187f6ef0de869500526d1b0d5c6f6762b0a939e06781e633a602834687c64023"
+ logic_hash = "187f6ef0de869500526d1b0d5c6f6762b0a939e06781e633a602834687c64023"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36567,13 +36567,13 @@ rule REVERSINGLABS_Cert_Blocklist_039E5D0E3297F574Db99E1D9503853D9 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6a459a5e-86f8-5789-aac9-f4fa8872a0b3"
+ id = "969ffa17-de06-58d5-a74e-c115b49a9a6c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2824-L2840"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2f150f60b7dce583fc68705f0b29a7c8684f1b69020275b2ec1ac6beeaa63952"
+ logic_hash = "2f150f60b7dce583fc68705f0b29a7c8684f1b69020275b2ec1ac6beeaa63952"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36592,13 +36592,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bc32Bbe5Bbb4F06F490C50651Cd5Da50 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2b7c548c-06e6-5ba2-a970-0cee3e4df71e"
+ id = "eb6ccc6d-2a66-5113-8b78-c32012431123"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2842-L2860"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_104be481b7d4b1cb3c43c72314afc3641983838b5177c34a88d6da0d0e7b89c9"
+ logic_hash = "104be481b7d4b1cb3c43c72314afc3641983838b5177c34a88d6da0d0e7b89c9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36617,13 +36617,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E1656Dfcaacfed7C2D2564355698Aa3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "39a5f43e-930b-5d48-a5ba-c3a0984eb592"
+ id = "57b75eaa-2cb2-5713-8eb3-065f90a1fdd5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2862-L2878"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ba7cca8d71f571644cabd3d491cddefffd05ca7a838f262a343a01e4a09bb72a"
+ logic_hash = "ba7cca8d71f571644cabd3d491cddefffd05ca7a838f262a343a01e4a09bb72a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36642,13 +36642,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Bf1D68E926E2Dd8966008C44F95Ea1C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "00726514-4782-54a2-b0f6-832e0f92e468"
+ id = "c82170a4-911c-5206-bae8-6503a5449df9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2880-L2896"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_44b5aae8380e3590ebb6e2365e89b3827432e8330e5290dc8f8603a00bcf62f6"
+ logic_hash = "44b5aae8380e3590ebb6e2365e89b3827432e8330e5290dc8f8603a00bcf62f6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36667,13 +36667,13 @@ rule REVERSINGLABS_Cert_Blocklist_149C12083C145E28155510Cfc19Db0Fe : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e7eb69ce-63fd-5396-9057-8baf9db87c4e"
+ id = "8d9b0b1c-df7c-560a-8d51-bc8738952457"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2898-L2914"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f616fc470e223d65ac4c984394a38d566265ab37829ff566012de0a1527396c2"
+ logic_hash = "f616fc470e223d65ac4c984394a38d566265ab37829ff566012de0a1527396c2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36692,13 +36692,13 @@ rule REVERSINGLABS_Cert_Blocklist_77E0117E8B2B8Faa84Bed961019D5Ef8 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a23972fb-9c83-5282-b77f-820c2dab2f74"
+ id = "2733cc5b-bc1f-5ba9-a2f4-50f472fc288e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2916-L2932"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bea94b9da8c176f22a66fe7a4545dcc3a38f727a75a0bc7920d9aece8e24b9b7"
+ logic_hash = "bea94b9da8c176f22a66fe7a4545dcc3a38f727a75a0bc7920d9aece8e24b9b7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -36717,13 +36717,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F3Feb4Baf377Aea90A463C5Dee63884 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "510e999b-73d5-5303-a9d1-adab22b9254e" + id = "8de9bcf3-d705-590f-8898-52218f937571" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2934-L2950" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_56c37e758db33aa40e9a2c1c5a4eb14c2c370f614e838d86bf20c64f79e2a746" + logic_hash = "56c37e758db33aa40e9a2c1c5a4eb14c2c370f614e838d86bf20c64f79e2a746" score = 75 quality = 90 tags = "INFO, FILE" @@ -36742,13 +36742,13 @@ rule REVERSINGLABS_Cert_Blocklist_3D2580E89526F7852B570654Efd9A8Bf : INFO FILE meta: description = "Certificate used for digitally signing LockerGoga ransomware." author = "ReversingLabs" - id = "3cdd0cfa-a4f3-5083-9fd0-957759004e50" + id = "0514759c-2d10-5b29-aa2f-d16eb45b2816" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2952-L2968" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0f46fcfc8ee06756646899450daa254d3e5261bdc5c2339f20d01971608fff7b" + logic_hash = "0f46fcfc8ee06756646899450daa254d3e5261bdc5c2339f20d01971608fff7b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -36767,13 +36767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fffe432A53Ff03B9223F88Be1B83D9D : INFO FILE meta: description = "Certificate used for digitally signing BabyShark malware." author = "ReversingLabs" - id = "86e4473e-82ef-5692-bed1-e109f74ed660" + id = "25a4c68b-5774-51a2-9aba-1326c85a5251" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2970-L2986" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e7dbe6b95877f9473661ccf26fa6e5142147609adfe0a9bb8b493875325710af" + logic_hash = "e7dbe6b95877f9473661ccf26fa6e5142147609adfe0a9bb8b493875325710af" score = 75 quality = 90 tags = "INFO, FILE" @@ -36792,13 +36792,13 @@ rule REVERSINGLABS_Cert_Blocklist_832E161Aea5206D815F973E5A1Feb3E7 : INFO FILE meta: description = "Certificate used for digitally signing SeedLocker ransomware." author = "ReversingLabs" - id = "eaec6895-edf7-57f9-b656-4daa3ec78f7d" + id = "ecaa250b-d4ac-5cc9-9e5e-5d6f45db18ad" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L2988-L3006" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_da908de031c78aa012809988e44dea564d32b88b65a2010925c1af85d578a68a" + logic_hash = "da908de031c78aa012809988e44dea564d32b88b65a2010925c1af85d578a68a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -36817,13 +36817,13 @@ rule REVERSINGLABS_Cert_Blocklist_09Aecea45Bfd40Ce7D62D7D711916D7D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "da012503-3863-526e-9ab3-112314dec526" + id = "421425b1-13ad-5d80-b044-8bd43c60b3ff" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3008-L3024" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d1c6bfb10a244ba866c8aabdff6055388afa8096fd4bd77bb21f781794333e9b" + logic_hash = "d1c6bfb10a244ba866c8aabdff6055388afa8096fd4bd77bb21f781794333e9b" score = 75 quality = 90 tags = "INFO, FILE" @@ -36842,13 +36842,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Ff4Eda5Fa641E70162713426401F438 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "833dd5cb-1b1a-5c15-a2f1-56f60f011d62" + id = "3e34aa1b-a4b1-593d-bd93-0f5913ab96b9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3026-L3042" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_58f5e163d9807520497ba55e42c048020f6b7653ed71f3954e7ffb490f4de0e4" + logic_hash = "58f5e163d9807520497ba55e42c048020f6b7653ed71f3954e7ffb490f4de0e4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -36867,13 +36867,13 @@ rule REVERSINGLABS_Cert_Blocklist_067Dffc5E3026Eb4C62971C98Ac8A900 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "43e9f762-5589-5d3a-abab-ef281c9feb6b" + id = "9b9771bb-c2a4-5a6e-8fdb-b3e98f62f9b1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3044-L3060" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2b7c4cded14afd8ba3feabb6debaa1317917b811b44e22aa8a0b3ea00d689141" + logic_hash = "2b7c4cded14afd8ba3feabb6debaa1317917b811b44e22aa8a0b3ea00d689141" score = 75 quality = 90 tags = "INFO, FILE" @@ -36892,13 +36892,13 @@ rule REVERSINGLABS_Cert_Blocklist_B1Da219688E51Fd0Bfac2C891D56Cbb8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6ec59dff-13fc-5d56-8411-cae3b4e5b807" + id = "245c582a-b168-53ce-9a3c-b291ae5bc2a0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3062-L3080" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_03549214940a8689213bd2eb891da1c1991627c81c8b7f26860141c397409d46" + logic_hash = "03549214940a8689213bd2eb891da1c1991627c81c8b7f26860141c397409d46" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -36917,13 +36917,13 @@ rule REVERSINGLABS_Cert_Blocklist_7289B0F9Bd641E3E352Dc3183F8De6Be : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6e0ea548-67a2-58f6-8e43-ec98c7e71af1" + id = "dc8a745f-7150-57b7-9ddc-e5a1721d8c02" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3082-L3098" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_42b068e85b3aff5e6dd5ec4979f546dc5338ebf8719d86c0641ffb8353959af9" + logic_hash = "42b068e85b3aff5e6dd5ec4979f546dc5338ebf8719d86c0641ffb8353959af9" score = 75 quality = 90 tags = "INFO, FILE" @@ -36942,13 +36942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fd7B7A8678A67181A54Bc7499Eba44Da : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b74f6f5f-dc93-5d86-b5b8-43f39e374385" + id = "d6456cb6-e950-54be-a7f4-5c1d622c6aab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3100-L3118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f1e26ea26890043be2c8b9c35ba2e6758b60fe173f00bf4c77cc5289ce0d5600" + logic_hash = "f1e26ea26890043be2c8b9c35ba2e6758b60fe173f00bf4c77cc5289ce0d5600" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -36967,13 +36967,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ebbdd6Cdeda40Ca64513280Ecd625C54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7229d413-ec61-57ae-a8a7-9f8ae7e84fdf" + id = "2cf769dc-5108-5f18-a51e-e152180a2b66" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3120-L3138" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1d419f2fe2a9bf744bdde48adc50e0bc48746f1576f96570385a2a1c9ba92d21" + logic_hash = "1d419f2fe2a9bf744bdde48adc50e0bc48746f1576f96570385a2a1c9ba92d21" score = 75 quality = 90 tags = "INFO, FILE" @@ -36992,13 +36992,13 @@ rule REVERSINGLABS_Cert_Blocklist_61Da676C1Dcfcf188276E2C70D68082E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "301c714e-5628-5353-af01-fcbf3195bafc" + id = "d974b740-38fa-564d-b4c6-8955568a4e77" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3140-L3156" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4f8af4a5c9812e6559218e387e32bc02cb0adcd40d9d4963fefc929f6101ae9a" + logic_hash = "4f8af4a5c9812e6559218e387e32bc02cb0adcd40d9d4963fefc929f6101ae9a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37017,13 +37017,13 @@ rule REVERSINGLABS_Cert_Blocklist_767436921B2698Bd18400A24B01341B6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3b388db4-7903-598b-9168-5cb45804ea94" + id = "3e3b2b75-9416-5c4f-ad47-88f92039f532" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3158-L3174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_759bbbc5929463ad68d5dcd28b30401b9ff680f522172ed8d5d7dd3772e07587" + logic_hash = "759bbbc5929463ad68d5dcd28b30401b9ff680f522172ed8d5d7dd3772e07587" score = 75 quality = 90 tags = "INFO, FILE" @@ -37042,13 +37042,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E795531B3265510F935187Eca59920A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cd8cc713-44a9-55b9-95b9-2eea20336687" + id = "953434f4-cc19-5a0a-923b-4deaadacef00" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3176-L3192" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d597e88314f9f20283b40058dd74167d0d72f7518277a57f26c15e44b670b386" + logic_hash = "d597e88314f9f20283b40058dd74167d0d72f7518277a57f26c15e44b670b386" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37067,13 +37067,13 @@ rule REVERSINGLABS_Cert_Blocklist_8F40B1485309A064A28B96Bfa3F55F36 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dc978d9d-136f-53ef-8af0-62964dc74502" + id = "bad5b57e-185a-5872-9817-a7d688e24fe7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3194-L3212" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_58dd47bfd2acd698bc27fb03eb51e4b8598ef6c71f7193e3cc4eea63982855f0" + logic_hash = "58dd47bfd2acd698bc27fb03eb51e4b8598ef6c71f7193e3cc4eea63982855f0" score = 75 quality = 90 tags = "INFO, FILE" @@ -37092,13 +37092,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2120Facadbb92Cc0A176759604C6A0F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1ae77175-2d5d-58ee-8cc7-eed2f773b257" + id = "8a90cc61-4d39-58eb-a102-c22d096d99ae" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3214-L3232" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_08462b1bd3d45824aeea901a4db19365c28d8b8b0f594657df7a59250111729b" + logic_hash = "08462b1bd3d45824aeea901a4db19365c28d8b8b0f594657df7a59250111729b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37117,13 +37117,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F407Eb50803845Cc43937823E1344C0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "492ee284-80da-58a0-8dbd-53f3883461d3" + id = "6989cda1-f28e-58b7-8572-a7dc2e84d9e3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3234-L3250" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4d5a2b0619be902d8a437f204ae1b87222c73d3186930809b1f694bad429aea8" + logic_hash = "4d5a2b0619be902d8a437f204ae1b87222c73d3186930809b1f694bad429aea8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37142,13 +37142,13 @@ rule REVERSINGLABS_Cert_Blocklist_6922Bb5De88E4127E1Ac6969E6A199F5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cc5bcb85-418b-53cf-8cd9-72ec5014c935" + id = "86e16068-8b0b-5f0f-af5e-5ee9f518a915" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3252-L3268" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_39dbaa232ea9125934b3682d780e3821d12e771f2b844d027d99a432fe249d9f" + logic_hash = "39dbaa232ea9125934b3682d780e3821d12e771f2b844d027d99a432fe249d9f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37167,13 +37167,13 @@ rule REVERSINGLABS_Cert_Blocklist_73065Efa163B7901Fa1Ccb0A54E80540 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "00f13686-9393-5529-8243-10e40a63201c" + id = "949f55a9-7aa0-50de-bb81-fed5d27c3d24" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3270-L3286" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e420c37c04aa676c266a4c2c228063239815c173a83c39d426c5a674648f1934" + logic_hash = "e420c37c04aa676c266a4c2c228063239815c173a83c39d426c5a674648f1934" score = 75 quality = 90 tags = "INFO, FILE" @@ -37192,13 +37192,13 @@ rule REVERSINGLABS_Cert_Blocklist_4842Afad00904Ed8C98811E652Ccb3B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d39aa4dc-dfc6-52d2-b7c6-ba612bfabda0" + id = "f09723aa-85a6-5d96-a71e-94f0e0a0f23c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3288-L3304" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2b5c7c13369c7b89f1ea5474de3644a12bf6412cb3fa8ade5b66de280fb10cbf" + logic_hash = "2b5c7c13369c7b89f1ea5474de3644a12bf6412cb3fa8ade5b66de280fb10cbf" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37217,13 +37217,13 @@ rule REVERSINGLABS_Cert_Blocklist_5A59A686B4A904D0Fca07153Ea6Db6Cc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8bbe8d3e-87ed-5e4c-b116-c8aeac58f1f5" + id = "018e511f-191d-5fd4-8ab0-0e5bbff44d58" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3306-L3322" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7597b2ba870ec58ac0786a97fb92956406fe019c81f6176cc1a581988d3a9632" + logic_hash = "7597b2ba870ec58ac0786a97fb92956406fe019c81f6176cc1a581988d3a9632" score = 75 quality = 90 tags = "INFO, FILE" @@ -37242,13 +37242,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B6D8152F4A06Ba781C6677Eea5Ab74B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b548f16e-fcf1-563c-a1df-2406a2eae0b3" + id = "dacac5fe-00dc-5080-a725-9ef69473c45e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3324-L3340" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bd20cf8e4cab2117361dbe05ae2efe813e7f55667b1f3825cd893313d98dcb5f" + logic_hash = "bd20cf8e4cab2117361dbe05ae2efe813e7f55667b1f3825cd893313d98dcb5f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37267,13 +37267,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ad60Cea73E1Dd1A3E6C02D9B339C380 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "999a4198-027f-5246-91c3-fd25b5155bdc" + id = "80b39632-29a7-5932-a47b-736a9e8ed686" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3342-L3358" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fb83cf25be19e7cccd2c8369c3a37a90af72cb2f76db3619b8311d2a851335a8" + logic_hash = "fb83cf25be19e7cccd2c8369c3a37a90af72cb2f76db3619b8311d2a851335a8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37292,13 +37292,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Df2Dfed47C6Fd6542131847Cffbc102 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1ce1cf4c-a9b6-504d-ad47-a41eea02fd0c" + id = "306444d8-7573-58c6-b6fe-14d701942275" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3360-L3376" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fc6adbfd45ff6ac465aecb3db862421f02170e977fc044017f3ddc306a9f7a37" + logic_hash = "fc6adbfd45ff6ac465aecb3db862421f02170e977fc044017f3ddc306a9f7a37" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37317,13 +37317,13 @@ rule REVERSINGLABS_Cert_Blocklist_74Fedf0F8398060Fa8378C6D174465C8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b49bf14f-bf2f-580a-8ba0-fa7e2ccb97b5" + id = "eea46214-d0f5-5e92-b678-4a1df09025ce" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3378-L3394" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_406821c7990f05fdad91704f6418304f53dd4800bc4b41912177a1695858fade" + logic_hash = "406821c7990f05fdad91704f6418304f53dd4800bc4b41912177a1695858fade" score = 75 quality = 90 tags = "INFO, FILE" @@ -37342,13 +37342,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Bd6A5Bba28E7C1Ca44880159Dace237 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "38b29b2e-eaff-520d-a6d1-e48f7510fe36" + id = "c80245bd-908a-5b89-92e3-af0dd7bed63a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3396-L3412" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f885c782148947d09133a3cc65319e02204c21d6c6d911b360840f25f37601dc" + logic_hash = "f885c782148947d09133a3cc65319e02204c21d6c6d911b360840f25f37601dc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37367,13 +37367,13 @@ rule REVERSINGLABS_Cert_Blocklist_C04F8F1E00C69E96A51Bf14Aab1C6Ae0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b19746b5-a4bd-5581-9c3a-35cee7153387" + id = "6513160e-ece5-500b-8b0b-4b8a6e04c0af" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3414-L3432" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c2b5ffa305b761b57dd91c0acea0d8f82bec6b7d3608be10a20ea63621f3f3e8" + logic_hash = "c2b5ffa305b761b57dd91c0acea0d8f82bec6b7d3608be10a20ea63621f3f3e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37392,13 +37392,13 @@ rule REVERSINGLABS_Cert_Blocklist_23F537Ce13C6Cccdfd3F8Ce81Fb981Cb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4141d035-98ce-5ea7-963c-040799b808eb" + id = "f48b7818-5b34-5609-822a-39a2e7fb44c5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3434-L3450" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d347bce3eddd0cac276a7504955f0342ae44fd93d238e514af5b1fdc208b68fc" + logic_hash = "d347bce3eddd0cac276a7504955f0342ae44fd93d238e514af5b1fdc208b68fc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37417,13 +37417,13 @@ rule REVERSINGLABS_Cert_Blocklist_73Ecfdbb99Aec176Ddfcf7958D120E1A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "73865e3c-6827-5002-899c-e13e8d73e6d9" + id = "84e20878-e4ea-53a5-9c1b-04f3c66276de" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3452-L3468" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d911156707cef97acf79c096b5d4a4db166ddf05237168f1ecffb0c0a2ebd8fa" + logic_hash = "d911156707cef97acf79c096b5d4a4db166ddf05237168f1ecffb0c0a2ebd8fa" score = 75 quality = 90 tags = "INFO, FILE" @@ -37442,13 +37442,13 @@ rule REVERSINGLABS_Cert_Blocklist_675129Bb174A5B05E330Cc09F8Bbd70A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c20b2560-7210-5469-a417-0e671bb1d814" + id = "97046206-efc4-58dd-a9df-4966bad3902d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3470-L3486" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d989ea5233e8a64bffa0e29645c3458ef1f5173158ced7814c3b473b92ef49f4" + logic_hash = "d989ea5233e8a64bffa0e29645c3458ef1f5173158ced7814c3b473b92ef49f4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37467,13 +37467,13 @@ rule REVERSINGLABS_Cert_Blocklist_De13Fe2Dbb8F890287E1780Aff6Ffd22 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b7a7dfcd-3663-56cf-81ce-71de38a030c9" + id = "d2b15920-76ae-54e4-988c-278a3622ec52" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3488-L3504" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ebd983bcfa1e5d54af9d9e07d80d05f4752040eab92e63cd986db789fa07026f" + logic_hash = "ebd983bcfa1e5d54af9d9e07d80d05f4752040eab92e63cd986db789fa07026f" score = 75 quality = 90 tags = "INFO, FILE" @@ -37492,13 +37492,13 @@ rule REVERSINGLABS_Cert_Blocklist_Da000D18949C247D4Ddfc2585Cc8Bd0F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0f73c82e-6a30-5650-b293-b8e4d08081d3" + id = "3e939b73-abe4-5941-93ab-18bcde854aaf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3506-L3524" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3453f13e633a2c233f78d0389c655bb5304e567407b3e0c5c47e5e7127c345ca" + logic_hash = "3453f13e633a2c233f78d0389c655bb5304e567407b3e0c5c47e5e7127c345ca" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37517,13 +37517,13 @@ rule REVERSINGLABS_Cert_Blocklist_06E842D3Ea6249D783D6B55E29C060C7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e78168d4-cb46-57cd-a68c-f251d93791b7" + id = "37829f07-c569-5e46-8b7a-2137c4c801e8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3526-L3542" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9f71de0119527c8580f9e47e3fba07242814c5a537d727d4541fd7a802b0cb86" + logic_hash = "9f71de0119527c8580f9e47e3fba07242814c5a537d727d4541fd7a802b0cb86" score = 75 quality = 90 tags = "INFO, FILE" @@ -37542,13 +37542,13 @@ rule REVERSINGLABS_Cert_Blocklist_06473C3C19D9E1A9429B58B6Faec2967 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f21f11d8-aa91-5766-af64-dd54e7b185fb" + id = "01eba681-8c98-5553-b369-941b6dba11e2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3544-L3560" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f9ca49ce65d213dce803806956c0ce1da0c4068bea173daae9cb06dab0a86268" + logic_hash = "f9ca49ce65d213dce803806956c0ce1da0c4068bea173daae9cb06dab0a86268" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37567,13 +37567,13 @@ rule REVERSINGLABS_Cert_Blocklist_39F56251Df2088223Cc03494084E6081 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "297c6614-6d5d-5231-932e-794dfb5cf5a2" + id = "0c475e89-9729-53b9-a301-7a9faa0fef91" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3562-L3578" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c87850f91758a5bb3bdf6f6d7de9a3f53077d64cebdde541ac0742d3cea4f4e0" + logic_hash = "c87850f91758a5bb3bdf6f6d7de9a3f53077d64cebdde541ac0742d3cea4f4e0" score = 75 quality = 90 tags = "INFO, FILE" @@ -37592,13 +37592,13 @@ rule REVERSINGLABS_Cert_Blocklist_1362E56D34Dc7B501E17Fa1Ac3C3E3D9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3ac3d879-1b81-58d9-89c5-17c52e4da99c" + id = "9dccd009-eca1-5f21-b5ef-1a75f9d93c7d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3580-L3596" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0415c5a49076bab23dfc29ef2d6168b93d6bfde07a89ccb0368d2c967422407a" + logic_hash = "0415c5a49076bab23dfc29ef2d6168b93d6bfde07a89ccb0368d2c967422407a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37617,13 +37617,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B83593Fc78D92Cfaa9Bdf3F97383964 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8f8cdd7c-a21e-533f-a366-180d7c52ac03" + id = "8b5a8a8e-16f5-5098-83e5-72820f4f548a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3598-L3614" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_775e41fc102cbaeb9374984380b0e073de2a0075b9a200f8ab644bd1369ba015" + logic_hash = "775e41fc102cbaeb9374984380b0e073de2a0075b9a200f8ab644bd1369ba015" score = 75 quality = 90 tags = "INFO, FILE" @@ -37642,13 +37642,13 @@ rule REVERSINGLABS_Cert_Blocklist_C7505E7464E00Ec1Dccd8D1B466D15Ff : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5534af7d-71c8-5c30-9b4c-b45d4207531a" + id = "a75cc09f-de73-5db4-9ace-189e8da99053" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3616-L3634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7c5c84cb9071eff6a1bd7062506b807466bb4a432d1ed073961898c6c08cc4bd" + logic_hash = "7c5c84cb9071eff6a1bd7062506b807466bb4a432d1ed073961898c6c08cc4bd" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37667,13 +37667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cbf91988Fb83511De1B3A7A520712E9C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9713b4eb-9489-5757-967c-db95f54f4d7c" + id = "d2d71058-f7b9-594f-b099-75aa4774306f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3636-L3654" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5862a8ec43d2e545f36b815ada2bb31c4384a8161c6956a31f3bd517532923fd" + logic_hash = "5862a8ec43d2e545f36b815ada2bb31c4384a8161c6956a31f3bd517532923fd" score = 75 quality = 90 tags = "INFO, FILE" @@ -37692,13 +37692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ce3675Ae4Abfe688870Bcacb63060F4F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "84702e36-0b27-5ed8-a891-54f983a0b526" + id = "586c9de9-e1b0-5d17-9783-c9e18dfdf463" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3656-L3674" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0c6f2ef55bef283a3f915fd8c1ced27c3c665f7f490caeea0f180c2d7fa2b2b5" + logic_hash = "0c6f2ef55bef283a3f915fd8c1ced27c3c665f7f490caeea0f180c2d7fa2b2b5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37717,13 +37717,13 @@ rule REVERSINGLABS_Cert_Blocklist_9813229Efe0046D23542Cc7569D5A403 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "36aebce1-04f7-5d10-8adc-163ff92294a0" + id = "0cf7573f-290d-58ac-989f-f82e9313d54e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3676-L3694" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0d8f0df83572b8d31f29cb76f44d524fd1ae0467d2d99af959e45694524d18e8" + logic_hash = "0d8f0df83572b8d31f29cb76f44d524fd1ae0467d2d99af959e45694524d18e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -37742,13 +37742,13 @@ rule REVERSINGLABS_Cert_Blocklist_86E5A9B9E89E5075C475006D0Ca03832 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "800de760-3157-5b1c-8a37-fcefc26bfb9c" + id = "f3058f56-dcbb-532a-b914-5ac0e6d70e6e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3696-L3714" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5ba0b0f1b104eb11023590b8ef2b9cc747372bc9310a754694d45d3b3ce293e9" + logic_hash = "5ba0b0f1b104eb11023590b8ef2b9cc747372bc9310a754694d45d3b3ce293e9" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37767,13 +37767,13 @@ rule REVERSINGLABS_Cert_Blocklist_075Dca9Ca84B93E8A89B775128F90302 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ae702caf-abbe-5bc1-8730-50a515d652ae" + id = "2fa6b400-7c6c-5bc4-9cac-78d52003a24e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3716-L3732" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_32af21e71fb3475c50de4cd8a24fa0aec1ee67bc01c1a3720c12f9ce822833c3" + logic_hash = "32af21e71fb3475c50de4cd8a24fa0aec1ee67bc01c1a3720c12f9ce822833c3" score = 75 quality = 90 tags = "INFO, FILE" @@ -37792,13 +37792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ddce8Cdc91B5B649Bb4B45Ffbba6C6C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e86eaa00-a5fe-561d-b6ad-227a27c9ab70" + id = "9de11ec8-f408-593c-895f-08dff703ff10" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3734-L3750" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_622e6ed08ca26908539519f37cf493f8030100bd5e88cb05e851b7d56b0f4c0d" + logic_hash = "622e6ed08ca26908539519f37cf493f8030100bd5e88cb05e851b7d56b0f4c0d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37817,13 +37817,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Bd614D5869Bb66C96B67E154D517384 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b0bf3e33-70b7-50c0-8f14-afed558fc172" + id = "eb42b516-aac6-5bee-af1d-70e0e66700f5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3752-L3770" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d9eea38a1340797cef129b12cf2bb46c444e6f312db7356260f0ac0d9e63183d" + logic_hash = "d9eea38a1340797cef129b12cf2bb46c444e6f312db7356260f0ac0d9e63183d" score = 75 quality = 90 tags = "INFO, FILE" @@ -37842,13 +37842,13 @@ rule REVERSINGLABS_Cert_Blocklist_540Cea639D5D48669B7F2F64 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b0c0ddc6-91c9-5ee3-bc36-c9c51385f138" + id = "bfc514b6-43ef-5343-b5f2-d39168ba3e8d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3772-L3788" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3d3774f10ff9949ea13a7892662438b84b3eb895fc986092649fa9b192170d48" + logic_hash = "3d3774f10ff9949ea13a7892662438b84b3eb895fc986092649fa9b192170d48" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37867,13 +37867,13 @@ rule REVERSINGLABS_Cert_Blocklist_03A7748A4355020A652466B5E02E07De : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e8a92f1c-79a4-5873-b666-e1f7260e3a6d" + id = "10134543-04fa-5a2f-8f77-98444ad1d7f0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3790-L3806" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6dc6d0fd2b702939847981ff31c2d8103227ccd0c19f999849ff89c64a90f92f" + logic_hash = "6dc6d0fd2b702939847981ff31c2d8103227ccd0c19f999849ff89c64a90f92f" score = 75 quality = 90 tags = "INFO, FILE" @@ -37892,13 +37892,13 @@ rule REVERSINGLABS_Cert_Blocklist_B881A72D4117Bbc38B81D3C65C792C1A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1d6b118d-4d7f-5629-91f3-0289e578924e" + id = "593c1799-a5df-5b3e-8a8b-826d808a14f0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3808-L3826" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bad2a06090f077ebc635d21446b47c9f115fe477567afb3d5994043f5a7883b1" + logic_hash = "bad2a06090f077ebc635d21446b47c9f115fe477567afb3d5994043f5a7883b1" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37917,13 +37917,13 @@ rule REVERSINGLABS_Cert_Blocklist_08653Ef2Ed9E6Ebb56Ffa7E93F963235 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f0b58bac-69b4-51d4-80d5-3cb01ce29ecd" + id = "9ac976c0-260f-5207-ae39-bbb722c38a92" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3828-L3844" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5ae8d2fb03cd0f945c2f5eb86de4e5da4fbb1cdf233d8a808157304538ced872" + logic_hash = "5ae8d2fb03cd0f945c2f5eb86de4e5da4fbb1cdf233d8a808157304538ced872" score = 75 quality = 90 tags = "INFO, FILE" @@ -37942,13 +37942,13 @@ rule REVERSINGLABS_Cert_Blocklist_9C4816D900A6Ecdbe54Adf72B19Ebcf5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "489d1dbd-64fc-5a71-9a81-a74a5307b6af" + id = "bd22372d-774b-5e25-b4e5-47d34fe1c40b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3846-L3864" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_92e8130f444417d5bc3788721280338bbed33e3362104de0cf27bc7c1fc30d0e" + logic_hash = "92e8130f444417d5bc3788721280338bbed33e3362104de0cf27bc7c1fc30d0e" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -37967,13 +37967,13 @@ rule REVERSINGLABS_Cert_Blocklist_269174F9Fe7C6Ed4E1D19B26C3F5B35F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "542a6f40-afbf-5f00-91a6-f8a63833a517" + id = "fbcf1f18-f612-5516-9a67-2564de76c456" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3866-L3882" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_95c9720d6311c2fe7026b6cac092d59967479e6c9382eac1d26f7745efa92860" + logic_hash = "95c9720d6311c2fe7026b6cac092d59967479e6c9382eac1d26f7745efa92860" score = 75 quality = 90 tags = "INFO, FILE" @@ -37992,13 +37992,13 @@ rule REVERSINGLABS_Cert_Blocklist_523Fb4036368Dc26192D68827F2D889B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6f36517e-1177-52fb-be01-0778dc4f226d" + id = "bfce2ea9-cbe0-5b58-b7f8-39d2dad28db6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3884-L3900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f1886a046305637d335c493972560de56d8186bf99183aed5e2040b2e530fc22" + logic_hash = "f1886a046305637d335c493972560de56d8186bf99183aed5e2040b2e530fc22" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38017,13 +38017,13 @@ rule REVERSINGLABS_Cert_Blocklist_84F842F6D33Cd2F25B88Dd1710E21137 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5bf7d159-35af-517b-ab52-737213324f9c" + id = "202593d3-d63a-5852-b680-516504d92031" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3902-L3920" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5aad8e95d1306626b63d767fce4706104330dd776b75c09cc404227863564307" + logic_hash = "5aad8e95d1306626b63d767fce4706104330dd776b75c09cc404227863564307" score = 75 quality = 90 tags = "INFO, FILE" @@ -38042,13 +38042,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Fbcaa289Ba925B4E247809B6B028202 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4b372679-4789-5587-8d86-36b39cb1b38c" + id = "d0c4c6c0-d8e3-5efc-a87b-01d1f98a2c18" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3922-L3938" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c41a4f9ccda54b9735313edf9042b831e6eaca149c089f74a823cee6719e1064" + logic_hash = "c41a4f9ccda54b9735313edf9042b831e6eaca149c089f74a823cee6719e1064" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38067,13 +38067,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F2E8Effbb08C7Dbcc7A7F2D835457B5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a6ab629a-a720-5cca-8d10-e18b593fd74f" + id = "cf032593-e742-56d5-a579-3f38a31e2c0c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3940-L3956" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0b446641617d435c3d312592957e19c3d391b0149eafcf9ac2da51e8d9080eb4" + logic_hash = "0b446641617d435c3d312592957e19c3d391b0149eafcf9ac2da51e8d9080eb4" score = 75 quality = 90 tags = "INFO, FILE" @@ -38092,13 +38092,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aeba4C39306Fdd022849867801645814 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "256a339d-9540-518e-b7bf-fec5c903bd5f" + id = "f8cb78cf-541c-5038-b7af-83679c978ec8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3958-L3976" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_82c149f1d8ef93a0df2035690c5cdca935236687bc36a35a84c3d6610eb6902c" + logic_hash = "82c149f1d8ef93a0df2035690c5cdca935236687bc36a35a84c3d6610eb6902c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38117,13 +38117,13 @@ rule REVERSINGLABS_Cert_Blocklist_028D50Ae0C554B49148E82Db5B1C2699 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "12d55d8a-d086-5ee9-9bbd-a318841e38dc" + id = "76ccda8a-bdea-5db2-a3a4-11292bfb3c95" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3978-L3994" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e3cc0066cad56d78a3f42e092befa3b0855b2ed33c8465c5ecbb19fec082d35e" + logic_hash = "e3cc0066cad56d78a3f42e092befa3b0855b2ed33c8465c5ecbb19fec082d35e" score = 75 quality = 90 tags = "INFO, FILE" @@ -38142,13 +38142,13 @@ rule REVERSINGLABS_Cert_Blocklist_684F478C7259Dde0Cfe2260112Ca9846 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4a23a94a-ef9f-5a47-bbe6-56247a926206" + id = "840af428-47e0-529e-9db9-8ab9c968f2e3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L3996-L4012" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_59654ba1df27029a04ef3b1a1bb54f6c15b727f2013923a11a729752b8829743" + logic_hash = "59654ba1df27029a04ef3b1a1bb54f6c15b727f2013923a11a729752b8829743" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38167,13 +38167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B7C32208A954A483Dd102E1Be094867 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "41984ca7-7514-5cfb-aa55-db2b8fd6e6ff" + id = "d16e74d8-2c46-508b-b518-a542603ca726" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4014-L4030" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_49e2208a7d2b5684283c1dfc9856f864d16b50f951f58e0252c97419819a46ec" + logic_hash = "49e2208a7d2b5684283c1dfc9856f864d16b50f951f58e0252c97419819a46ec" score = 75 quality = 90 tags = "INFO, FILE" @@ -38192,13 +38192,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E72Daf2B9A4449E946009E5084A8E76 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "40757a7e-f776-5151-ad11-3364533d5988" + id = "aa7c6cbe-0794-59e3-a675-93beeccc9784" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4032-L4048" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f1a7bf6c18e0ebf8aef53feb7d7789ce87c96e00962c64e07a37d968702d2fa5" + logic_hash = "f1a7bf6c18e0ebf8aef53feb7d7789ce87c96e00962c64e07a37d968702d2fa5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38217,13 +38217,13 @@ rule REVERSINGLABS_Cert_Blocklist_11Edd343E21C36Ac985555D85C16135F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0da68966-6e67-5098-ac1b-fc88fdc5eee7" + id = "219f709f-4e05-5d0e-97a4-eca1e65153a3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4050-L4066" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_17feeed4be074a30572eb12fc81dc15d1b06f2d3f7b4b4fb4443391c62ac4d9b" + logic_hash = "17feeed4be074a30572eb12fc81dc15d1b06f2d3f7b4b4fb4443391c62ac4d9b" score = 75 quality = 90 tags = "INFO, FILE" @@ -38242,13 +38242,13 @@ rule REVERSINGLABS_Cert_Blocklist_093Fe63D1A5F68F14Ecaac871A03F7A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5e39a81b-20a1-5ef6-b3c2-d1b6514a6a9a" + id = "ce0b23fd-5f79-5b90-8d5c-2ff59ac39df6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4068-L4084" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_333c58a9af2d94604b637ab0a7280b6688a89ff73e30a93a8daed040fab7f620" + logic_hash = "333c58a9af2d94604b637ab0a7280b6688a89ff73e30a93a8daed040fab7f620" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38267,13 +38267,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bb26B7B6634D5Db548C437B5085B01C1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6912d4e9-c0e8-54af-a391-75d9fa3d1663" + id = "443a876a-dfd7-5a9e-bb15-a44a53363494" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4086-L4104" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_58d574b196f84416eb04000205cd8f4817618003f2948bb0eb7d951c282ef6ff" + logic_hash = "58d574b196f84416eb04000205cd8f4817618003f2948bb0eb7d951c282ef6ff" score = 75 quality = 90 tags = "INFO, FILE" @@ -38292,13 +38292,13 @@ rule REVERSINGLABS_Cert_Blocklist_29128A56E7B3Bfb230742591Ac8B4718 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0012272c-b784-5dd0-85a4-e3e27331de7c" + id = "b868d2f2-3852-57a3-be01-32cc16eb2ff7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4106-L4122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5a89fec015e56ddddaed75be91a87288dcd27841937d26e3416187913c4f0b85" + logic_hash = "5a89fec015e56ddddaed75be91a87288dcd27841937d26e3416187913c4f0b85" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38317,13 +38317,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Bfbfdfef43608730Ee14779Ee3Ee2Cb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a5e8ad86-5720-5c1c-90f0-dc4f8d7c4efa" + id = "fdc2f6a0-8fae-537e-812f-b0c292f76b1e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4124-L4140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f8f233b78e9d3558b0cd7978e3c5fa32645a3bb706c6fdec7f1e4195cf513f10" + logic_hash = "f8f233b78e9d3558b0cd7978e3c5fa32645a3bb706c6fdec7f1e4195cf513f10" score = 75 quality = 90 tags = "INFO, FILE" @@ -38342,13 +38342,13 @@ rule REVERSINGLABS_Cert_Blocklist_62205361A758B00572D417Cba014F007 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f8f94762-be3b-5b36-8fd4-3df51025c0b1" + id = "85da8e0e-d791-5fed-b9ea-c681462651a6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4142-L4158" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ebf28921c81191bcf6130baf6532122bb320cc916e38ab225f0acdcb57ea00f3" + logic_hash = "ebf28921c81191bcf6130baf6532122bb320cc916e38ab225f0acdcb57ea00f3" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38367,13 +38367,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B47D18Dbea57Abd1563Ddf89F87A6C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e5409489-1391-5abb-b325-6388cf6f2dc5" + id = "689c1f80-3b3c-5bd7-9129-4f508cad7fb4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4160-L4176" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2e464f4e9bfe0c9510a78552acffb241d2435ea9bf3f5f2501353d7f8f280d78" + logic_hash = "2e464f4e9bfe0c9510a78552acffb241d2435ea9bf3f5f2501353d7f8f280d78" score = 75 quality = 90 tags = "INFO, FILE" @@ -38392,13 +38392,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be41E2C7Bb2493044B9241Abb732599D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "98a353c0-7b68-5ce7-aa32-492c835577e5" + id = "81e5a8f3-0893-534a-ab4f-5c2c47078b40" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4178-L4196" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_eb5d94b80fd030d14dc26878895c61761825f3c77209ca0280e88dcd1800f9c2" + logic_hash = "eb5d94b80fd030d14dc26878895c61761825f3c77209ca0280e88dcd1800f9c2" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38417,13 +38417,13 @@ rule REVERSINGLABS_Cert_Blocklist_15C5Af15Afecf1C900Cbab0Ca9165629 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8dbaaf3b-8ff2-5b47-b82b-4cb8d0657f03" + id = "de734943-e735-5895-b76e-5f8588a77540" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4198-L4214" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5c54f32dbac271b2b60ec40bd052b5566a512cd2bcb4255057b21262806882d2" + logic_hash = "5c54f32dbac271b2b60ec40bd052b5566a512cd2bcb4255057b21262806882d2" score = 75 quality = 90 tags = "INFO, FILE" @@ -38442,13 +38442,13 @@ rule REVERSINGLABS_Cert_Blocklist_476De2F108D20B43Ba3Bae6F331Af8F1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55d2d0d6-b485-5379-af98-552acf0be063" + id = "5a741e6d-9b58-5536-8987-b3c36cdfcd5f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4216-L4232" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e5edf3e15b2139ba6cd85f2cfea63b53f7fa36a3fd7224a4a9ccbe5de6eb6f1d" + logic_hash = "e5edf3e15b2139ba6cd85f2cfea63b53f7fa36a3fd7224a4a9ccbe5de6eb6f1d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38467,13 +38467,13 @@ rule REVERSINGLABS_Cert_Blocklist_08Ddcc67F8Cad6929607E4Cda29B3503 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a8e97bdd-2493-5847-9014-5fb2b950cd6b" + id = "3563547f-556b-56e3-ad25-cfec0294fe93" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4234-L4250" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4cd975312ca825b51f34f5c89184a56526877436224c1e7407d715b28ebfd9d5" + logic_hash = "4cd975312ca825b51f34f5c89184a56526877436224c1e7407d715b28ebfd9d5" score = 75 quality = 90 tags = "INFO, FILE" @@ -38492,13 +38492,13 @@ rule REVERSINGLABS_Cert_Blocklist_052242Ace583Adf2A3B96Adcb04D0812 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "69994d14-e9eb-5973-af2d-5c88e7b84ca3" + id = "22104929-e2c5-565c-975c-826f666e78e2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4252-L4268" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e1593a2bf375912e411d5f19d9e232c6b87f0897bb6f1c0b0539380b34b05af5" + logic_hash = "e1593a2bf375912e411d5f19d9e232c6b87f0897bb6f1c0b0539380b34b05af5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38517,13 +38517,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bebef5C533Ce92Efc402Fab8605C43Ec : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5622523b-f857-5b50-95ac-98f6b2fb67bf" + id = "59d3dd01-47bc-59ee-8fe7-fd5b1af8f9f4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4270-L4288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_daa57ad622799467c60693060e6c9eea18bdf0bb26f178e8b03453aab486ccf4" + logic_hash = "daa57ad622799467c60693060e6c9eea18bdf0bb26f178e8b03453aab486ccf4" score = 75 quality = 90 tags = "INFO, FILE" @@ -38542,13 +38542,13 @@ rule REVERSINGLABS_Cert_Blocklist_1D3F39F481Fe067F8A9289Bb49E05A04 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7b414d16-5a8d-5261-830d-b7f960a62f36" + id = "0c4b6efb-c793-5505-bcd6-f62266c984c6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4290-L4306" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2fdf8b59d302d2ce81a1e9a5715138adc1ec45bd86871c4c2e46412407e329f9" + logic_hash = "2fdf8b59d302d2ce81a1e9a5715138adc1ec45bd86871c4c2e46412407e329f9" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38567,13 +38567,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Be35D025E65Cc7A4Ee01F72 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "607807ef-57b2-5d52-81d3-17a599f93d07" + id = "533bcad1-b589-5a05-8f35-32fcb79c7f68" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4308-L4324" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dad7ab834a67d36c0b63e45922aea566dc0aaf922be2b74161616b3caea83fdc" + logic_hash = "dad7ab834a67d36c0b63e45922aea566dc0aaf922be2b74161616b3caea83fdc" score = 75 quality = 90 tags = "INFO, FILE" @@ -38592,13 +38592,13 @@ rule REVERSINGLABS_Cert_Blocklist_351Fe2Efdc0Ac56A0C822Cf8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "db24fc4a-3524-5d62-a78b-f2bf377dd185" + id = "ac6b7c6d-781b-5c91-80fe-b822ee00ea7f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4326-L4342" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_46b87c3531e01ba150f056ec3270564426363ef8c58256eeedbcab247c7625e4" + logic_hash = "46b87c3531e01ba150f056ec3270564426363ef8c58256eeedbcab247c7625e4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38617,13 +38617,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Cfbb4C69008821Aaacecde97Ee149Ab : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "961033b2-afeb-5fe1-8885-070e08a72d2d" + id = "a8ba633b-fbbe-51ca-9f67-fb91ce9ac2f7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4344-L4362" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d74b13eeb5d0a57c5dd3257480230c504a68a8422e77a46bb2e101abb2c7f282" + logic_hash = "d74b13eeb5d0a57c5dd3257480230c504a68a8422e77a46bb2e101abb2c7f282" score = 75 quality = 90 tags = "INFO, FILE" @@ -38642,13 +38642,13 @@ rule REVERSINGLABS_Cert_Blocklist_C04F5D17Af872Cb2C37E3367Fe761D0D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7486c321-fbcd-597e-a4dd-69db39976dce" + id = "d7ef2bdf-afba-5254-bef2-78f4b6d5ecea" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4364-L4382" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4a4d60aa3722a710fe23d5e11c55a28bfe721bb4e797b041d58f62a994487799" + logic_hash = "4a4d60aa3722a710fe23d5e11c55a28bfe721bb4e797b041d58f62a994487799" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38667,13 +38667,13 @@ rule REVERSINGLABS_Cert_Blocklist_02C5351936Abe405Ac760228A40387E8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ddc0932b-e324-5c3e-bd07-f159f8c207cf" + id = "6a1e5115-ac72-57a3-8418-7c81f38f76af" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4384-L4400" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5a990f8d1a3f467cdafa0f625bc162745d9201e15ce43fdc93cd6b1730572e89" + logic_hash = "5a990f8d1a3f467cdafa0f625bc162745d9201e15ce43fdc93cd6b1730572e89" score = 75 quality = 90 tags = "INFO, FILE" @@ -38692,13 +38692,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ecd829Adcc55D9D6Afe30Dc371Ebda6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8dde377c-5237-5f3d-b195-df746fbf6e8b" + id = "db9f022b-f650-5d40-ae84-4df92b0f3a96" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4402-L4420" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_02955f4df7deccab52cdd82fd04d5012db7440f85c87d750fa9f81ff85e2dab0" + logic_hash = "02955f4df7deccab52cdd82fd04d5012db7440f85c87d750fa9f81ff85e2dab0" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38717,13 +38717,13 @@ rule REVERSINGLABS_Cert_Blocklist_B0167124Ca59149E64D292Eb4B142014 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "76a1bbba-740c-5109-98ae-a10136f0e88f" + id = "384ce73e-3ad5-54d9-a140-cb242f9a91e6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4422-L4440" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_10d980d4a71dab4679376f5a6d6a6999e0b59af4f25587a7b8d1ef52a7808cc9" + logic_hash = "10d980d4a71dab4679376f5a6d6a6999e0b59af4f25587a7b8d1ef52a7808cc9" score = 75 quality = 90 tags = "INFO, FILE" @@ -38742,13 +38742,13 @@ rule REVERSINGLABS_Cert_Blocklist_112613B7B5F696Cf377680F6463Fcc8C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "af4bd5aa-75f5-5549-bcc8-af494c62fa7d" + id = "c0015521-b163-51ab-8c27-da3b1a8df084" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4442-L4458" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_50fd35617e059a5fe9d9e0fdb4b880c20e406357bbb2d037f9e6e9db47b8e49f" + logic_hash = "50fd35617e059a5fe9d9e0fdb4b880c20e406357bbb2d037f9e6e9db47b8e49f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38767,13 +38767,13 @@ rule REVERSINGLABS_Cert_Blocklist_B3F906E5E6B2Cf61C5E51Be79B4E8777 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4e585a68-e9fa-5d5f-a7d5-2b2740917940" + id = "dc826355-bd15-58b3-adcb-55b704f03c0d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4460-L4478" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_037e154854c1128fb73d2221c2b7d7211d977492378614fcf4fde959207e34b3" + logic_hash = "037e154854c1128fb73d2221c2b7d7211d977492378614fcf4fde959207e34b3" score = 75 quality = 90 tags = "INFO, FILE" @@ -38792,13 +38792,13 @@ rule REVERSINGLABS_Cert_Blocklist_566Ac16A57B132D3F64Dced14De790Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c82cb6c1-0e5a-51c4-8d62-5743bfca578e" + id = "cb2ebbd5-5036-52f6-a064-11609f02309f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4480-L4496" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_48f4d334614f6c413907d51f4d6312554b13c4f5a3c03070ceba48baa13a8247" + logic_hash = "48f4d334614f6c413907d51f4d6312554b13c4f5a3c03070ceba48baa13a8247" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38817,13 +38817,13 @@ rule REVERSINGLABS_Cert_Blocklist_D2Caf7908Aaebfa1A8F3E2136Fece024 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fb132f40-2061-5856-97ad-e0745d0c48ff" + id = "6c2c4fc6-5359-55fa-bf79-9202caa5f326" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4498-L4516" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cf4d17274ef36d61e78578d34634bf6e5fb0fb857a9a92184916b0f3b8484568" + logic_hash = "cf4d17274ef36d61e78578d34634bf6e5fb0fb857a9a92184916b0f3b8484568" score = 75 quality = 90 tags = "INFO, FILE" @@ -38842,13 +38842,13 @@ rule REVERSINGLABS_Cert_Blocklist_E04A344B397F752A45B128A594A3D6B5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7303068a-202f-522e-8d79-8204455d171b" + id = "b396e08c-b7dc-5498-9c68-2d8cdc5dd3d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4518-L4536" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0489577c6050f0c5d1dad5bda8c4f3c895902b932cd0324087712ccb83f14680" + logic_hash = "0489577c6050f0c5d1dad5bda8c4f3c895902b932cd0324087712ccb83f14680" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38867,13 +38867,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Bcaed3Ef678F2F9Bf38D09E149B8D70 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d7873219-f50e-55be-a5b1-87fd9c1d8cc1" + id = "0aea5110-569b-5d9c-a2ce-a6a9fe75b58e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4538-L4554" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dbf85cbd1d92823287749dac312f95576900753f60a694347b31b1e3aaa288a8" + logic_hash = "dbf85cbd1d92823287749dac312f95576900753f60a694347b31b1e3aaa288a8" score = 75 quality = 90 tags = "INFO, FILE" @@ -38892,13 +38892,13 @@ rule REVERSINGLABS_Cert_Blocklist_56D576A062491Ea0A5877Ced418203A1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5d2a7120-f1c5-5700-981e-d6ad672f7385" + id = "3db67353-6310-54ad-b46a-97daf63fee42" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4556-L4572" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_19bd6834b432f3dc8786b449241082b359275559a112a8ef4a51efe185b256dc" + logic_hash = "19bd6834b432f3dc8786b449241082b359275559a112a8ef4a51efe185b256dc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38917,13 +38917,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fcba260Df7Da602Ecf4D4D6Fc89D5Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d9aeca7a-9834-5553-91d6-c0e63e2a9b9e" + id = "ce248602-1f28-5707-b921-640271176e7f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4574-L4590" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4e9a3e516342820248ebf9b3605b8ce2dbf1d9b4255a5b74f7369dd2f1cdd9d8" + logic_hash = "4e9a3e516342820248ebf9b3605b8ce2dbf1d9b4255a5b74f7369dd2f1cdd9d8" score = 75 quality = 90 tags = "INFO, FILE" @@ -38942,13 +38942,13 @@ rule REVERSINGLABS_Cert_Blocklist_4152169F22454Ed604D03555B7Afb175 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "772ba395-c5b3-5744-97a9-baf73d46c1df" + id = "e8975a1a-ac7c-5016-a206-de9ca7eea37f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4592-L4608" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fbb2124b934c270739f564317526d5b23b996364372426485d7c994a83293866" + logic_hash = "fbb2124b934c270739f564317526d5b23b996364372426485d7c994a83293866" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -38967,13 +38967,13 @@ rule REVERSINGLABS_Cert_Blocklist_01C88Ccbd219500139D1Af138A9E898E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cfb21b7f-c6cf-5db2-8f38-1d25349fd282" + id = "e3bd6be6-461c-56fd-8dfd-8205845f731e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4610-L4626" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d1acb0a7d6e20158797e77c066be42548cee9293fa94f24f936a95977ac16d91" + logic_hash = "d1acb0a7d6e20158797e77c066be42548cee9293fa94f24f936a95977ac16d91" score = 75 quality = 90 tags = "INFO, FILE" @@ -38992,13 +38992,13 @@ rule REVERSINGLABS_Cert_Blocklist_41D05676E0D31908Be4Dead3486Aeae3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2118e870-a77c-5fc7-9acb-d1a76379f16d" + id = "bca4533d-e721-5f23-984a-3b741ca8b53f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4628-L4644" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c4905f02c74df6d05b3f9a6fe2c4f5f32a02bb10da4db929314be043be76d703" + logic_hash = "c4905f02c74df6d05b3f9a6fe2c4f5f32a02bb10da4db929314be043be76d703" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39017,13 +39017,13 @@ rule REVERSINGLABS_Cert_Blocklist_8Cff807Edaf368A60E4106906D8Df319 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "58612562-39c3-5e83-9d77-10622049eb6c" + id = "c964a540-6124-52f0-b17f-692cd4b9b3af" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4646-L4664" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6fc98519faf218d90bb4e01821e6014e009c0b525cfd3c906a64ef82bc20beda" + logic_hash = "6fc98519faf218d90bb4e01821e6014e009c0b525cfd3c906a64ef82bc20beda" score = 75 quality = 90 tags = "INFO, FILE" @@ -39042,13 +39042,13 @@ rule REVERSINGLABS_Cert_Blocklist_A3E62Be1572293Ad618F58A8Aa32857F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "52f393d6-2980-5b99-b788-10c185e6e135" + id = "2f67abf3-390a-5c67-afed-e586e20692af" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4666-L4684" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f849898465bc651f19f6f1b54315c061466d8c5860ecf1a07f54c8c8292f6a95" + logic_hash = "f849898465bc651f19f6f1b54315c061466d8c5860ecf1a07f54c8c8292f6a95" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39067,13 +39067,13 @@ rule REVERSINGLABS_Cert_Blocklist_672D4428450Afcc24Fc60969A5063A3E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ac0efb69-27cb-5857-b114-9abf2343b1a8" + id = "fcd8e808-dbd6-5903-868a-0aa4541e6321" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4686-L4702" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8f5927e96109184bad7de4513994fd1021fe1cc5977e60fa72d808df95cb4516" + logic_hash = "8f5927e96109184bad7de4513994fd1021fe1cc5977e60fa72d808df95cb4516" score = 75 quality = 90 tags = "INFO, FILE" @@ -39092,13 +39092,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df479E14A70C7970A4De3Dd3E4Bb0318 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "19f54736-9c4b-5ef0-bbdd-90f6091460b8" + id = "465fc41c-920d-55e6-8616-a51d1f77b158" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4704-L4722" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_35b1f04cf5d5d1d89db537bf75737e3af5945e594f4d4231e9ae3e7fba52fc0d" + logic_hash = "35b1f04cf5d5d1d89db537bf75737e3af5945e594f4d4231e9ae3e7fba52fc0d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39117,13 +39117,13 @@ rule REVERSINGLABS_Cert_Blocklist_2924785Fd7990B2D510675176Dae2Bed : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f29bd774-edd2-5ab5-a158-3a3e7894530a" + id = "6898e95c-ee31-57a3-b764-99bf9008d0fe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4724-L4740" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e308ca5f24ed5811e947289caf9aa820a16b08ea183c7aa9826f8a726fb5c3cf" + logic_hash = "e308ca5f24ed5811e947289caf9aa820a16b08ea183c7aa9826f8a726fb5c3cf" score = 75 quality = 90 tags = "INFO, FILE" @@ -39142,13 +39142,13 @@ rule REVERSINGLABS_Cert_Blocklist_F4D2Def53Bccb0Dd2B7D54E4853A2Fc5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6f45e4d0-d986-5f01-b2ff-21ba6dbcc3d2" + id = "3c1bec34-9eac-5c7c-bb36-2e24b6ee52dc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4742-L4760" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9991f44b8e984bd79269c44999481258d94bec9c21b154b63c6c30ae52344b3c" + logic_hash = "9991f44b8e984bd79269c44999481258d94bec9c21b154b63c6c30ae52344b3c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39167,13 +39167,13 @@ rule REVERSINGLABS_Cert_Blocklist_03Bf9Ef4Cf037A2385649026C3Da9D3E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dcb7b9cb-c66d-5a83-aa37-857601ca0f10" + id = "d7396af1-2eae-594a-9933-3d148503c0ea" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4762-L4778" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_14196bad586b1349e6e8a1eb5621ce0d8d346ff8021c8ef80804de1533fd40d9" + logic_hash = "14196bad586b1349e6e8a1eb5621ce0d8d346ff8021c8ef80804de1533fd40d9" score = 75 quality = 90 tags = "INFO, FILE" @@ -39192,13 +39192,13 @@ rule REVERSINGLABS_Cert_Blocklist_790177A54209D55560A55Db97C5900D6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ed9d5c65-db03-55a6-bebd-1b00eafa42c8" + id = "cc49f477-269a-55af-8344-39d2f24c1e7f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4780-L4796" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_07c8e21fe604b481beebae784eb49e32bebee70e749581a55313bfbc757752e2" + logic_hash = "07c8e21fe604b481beebae784eb49e32bebee70e749581a55313bfbc757752e2" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39217,13 +39217,13 @@ rule REVERSINGLABS_Cert_Blocklist_048F7B5F67D8E2B3030F75Eb7Be2713D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ea29c2b9-8c88-588b-8105-446031c9389d" + id = "e746516a-c51f-5cb8-8157-a5fe1f2c7abe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4798-L4814" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6d1b47f3c9d7b90a5470f83a848adeebff2cf9341a1eb41ca8b45d08b469b17f" + logic_hash = "6d1b47f3c9d7b90a5470f83a848adeebff2cf9341a1eb41ca8b45d08b469b17f" score = 75 quality = 90 tags = "INFO, FILE" @@ -39242,13 +39242,13 @@ rule REVERSINGLABS_Cert_Blocklist_082023879112289Bf351D297Cc8Efcfc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "01554ff6-0f1c-5e97-b707-8a7124f698b8" + id = "94a4e3d6-2d0a-5e5d-9ae8-574ef9be017e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4816-L4832" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_58bec160445765ce45a26bf9d96ba6cfe61eee31e0953009d40a7ec64920c677" + logic_hash = "58bec160445765ce45a26bf9d96ba6cfe61eee31e0953009d40a7ec64920c677" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39267,13 +39267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0D53690631Dd186C56Be9026Eb931Ae2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6c909943-5384-5782-baa1-76affce18202" + id = "4f60613c-4162-5b3d-989f-f79a06450f4d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4834-L4850" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3d0a80c062800f935fa3837755e8a91245e01a4e2450a05fecab5564cb62c15c" + logic_hash = "3d0a80c062800f935fa3837755e8a91245e01a4e2450a05fecab5564cb62c15c" score = 75 quality = 90 tags = "INFO, FILE" @@ -39292,13 +39292,13 @@ rule REVERSINGLABS_Cert_Blocklist_32119925A6Ce4710Aecc4006C28E749F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "72c416c8-99f9-51a0-aa6c-2b8e51c478e0" + id = "cfd51cb8-bd04-5ede-a73e-e924815a01f0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4852-L4868" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ca812cdfbb7ca984fae1e16159eb0eeb1e65767fcc6aa07eeb84966853146f9d" + logic_hash = "ca812cdfbb7ca984fae1e16159eb0eeb1e65767fcc6aa07eeb84966853146f9d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39317,13 +39317,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C90Eaf4De3Afc03Ba924C719435C2A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a9972b24-0e02-5a5a-a729-2d285bdf6ed9" + id = "06edc1a3-65b1-5a69-ab6b-4ffc3963513c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4870-L4888" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5bb78a5e39f9d023cf63edabdc83d4965fc79f6f04f9fea9bcf2a53223fbd4ca" + logic_hash = "5bb78a5e39f9d023cf63edabdc83d4965fc79f6f04f9fea9bcf2a53223fbd4ca" score = 75 quality = 90 tags = "INFO, FILE" @@ -39342,13 +39342,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aff762E907F0644E76Ed8A7485Fb12A1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e1d0cb25-f7d4-5995-b11f-3c397ddb9589" + id = "3b3bbbdd-9c2d-5c80-a121-3e3ad13e9ac6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4890-L4908" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ad05389e0eb30cb894b03842d213b8c956f66357a913c73d8d8b79f8336bf980" + logic_hash = "ad05389e0eb30cb894b03842d213b8c956f66357a913c73d8d8b79f8336bf980" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39367,13 +39367,13 @@ rule REVERSINGLABS_Cert_Blocklist_D8530214Ca0F512946496B5164C61201 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "082a3ba4-8e82-5463-8322-4809854047f2" + id = "0125a67a-d5e7-5c93-a58c-cacb6d8fa60b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4910-L4928" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_377962915586c9f5a5737c24b698c96efc2e819e52ee16109c405f9af2d57e7f" + logic_hash = "377962915586c9f5a5737c24b698c96efc2e819e52ee16109c405f9af2d57e7f" score = 75 quality = 90 tags = "INFO, FILE" @@ -39392,13 +39392,13 @@ rule REVERSINGLABS_Cert_Blocklist_661Ba8F3C9D1B348413484E9A49502F7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "260d2578-6792-5d10-ae4b-2cea417ab65d" + id = "a0c501c9-a856-55b6-b845-aeab4db5ab51" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4930-L4948" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4840b311c1e2c0ae14bb2cf6fa8d96ab1a434ceac861db540697f3aed1a6833f" + logic_hash = "4840b311c1e2c0ae14bb2cf6fa8d96ab1a434ceac861db540697f3aed1a6833f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39417,13 +39417,13 @@ rule REVERSINGLABS_Cert_Blocklist_51Aead5A9Ab2D841B449Fa82De3A8A00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "394a7fee-ff73-5c8b-be4e-12e857376fe3" + id = "c4909945-f2f1-53b2-b438-edf411fda7ed" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4950-L4966" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e53095aab9d6c2745125e8cd933334ebc2e51a9725714d31a46baa74b8e42ed9" + logic_hash = "e53095aab9d6c2745125e8cd933334ebc2e51a9725714d31a46baa74b8e42ed9" score = 75 quality = 90 tags = "INFO, FILE" @@ -39442,13 +39442,13 @@ rule REVERSINGLABS_Cert_Blocklist_03B630F9645531F8868Dae8Ac0F8Cfe6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bc1540b2-9af0-57fa-b148-8f1d0813ad52" + id = "be945687-9b8c-5d84-9992-fd317eddae54" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4968-L4984" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6d2f4346760bf52a438c4c996e92a2641bebfd536248776383d7c8394e094e6a" + logic_hash = "6d2f4346760bf52a438c4c996e92a2641bebfd536248776383d7c8394e094e6a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39467,13 +39467,13 @@ rule REVERSINGLABS_Cert_Blocklist_6F8373Cf89F1B49138F4328118487F9E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "af7f1735-37f8-5780-9593-0380744a40b9" + id = "80c5d205-7f5e-5e06-b490-f33205154974" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L4986-L5002" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f926c2f73d47d463721a0cad48d9866192df55d71867941a40cba7e0b7725102" + logic_hash = "f926c2f73d47d463721a0cad48d9866192df55d71867941a40cba7e0b7725102" score = 75 quality = 90 tags = "INFO, FILE" @@ -39492,13 +39492,13 @@ rule REVERSINGLABS_Cert_Blocklist_E38259Cf24Cc702Ce441B683Ad578911 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "81e206c2-db07-55aa-8d39-546d2115636e" + id = "fc5df86f-b8c9-58b1-bd41-e03ed50829dd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5004-L5022" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2428df14a18f4aed1a3db85c1fb43a847fae8a922c6dc948f3bc514dc4cae09c" + logic_hash = "2428df14a18f4aed1a3db85c1fb43a847fae8a922c6dc948f3bc514dc4cae09c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39517,13 +39517,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bdc81Bc76090Dae0Eee2E1Eb744A4F9A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aee6afc4-0984-5c5c-b62f-9ad6c7b34cb4" + id = "66feefd2-9cec-56fc-a1c1-11004363462d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5024-L5042" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4fc3e57bedb6fb7c96e6a1ee2ad2aec3860716ac714d52ea58b86be4bbda4660" + logic_hash = "4fc3e57bedb6fb7c96e6a1ee2ad2aec3860716ac714d52ea58b86be4bbda4660" score = 75 quality = 90 tags = "INFO, FILE" @@ -39542,13 +39542,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2E730B0526F36Faf7D093D48D6D9997 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "48c46ca2-d884-53e4-a1d8-2befa2402d28" + id = "eb82e05b-9aee-5ea7-88a5-8d186b8aafb8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5044-L5062" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f74cc94428d7739abf6ee76f6cbd53aa47cea815a014de0d786fe53b15f66201" + logic_hash = "f74cc94428d7739abf6ee76f6cbd53aa47cea815a014de0d786fe53b15f66201" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -39567,13 +39567,13 @@ rule REVERSINGLABS_Cert_Blocklist_7156Ec47Ef01Ab8359Ef4304E5Af1A05 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e6f0b220-5a00-5687-8c8e-fa92ad1aa4c2"
+ id = "b285a407-7f71-5c7e-baae-bfa111a50101"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5064-L5080"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7bb093287dd309ce12859eca9a9fc98095b3d52ec860626fe6e743bace262fde"
+ logic_hash = "7bb093287dd309ce12859eca9a9fc98095b3d52ec860626fe6e743bace262fde"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39592,13 +39592,13 @@ rule REVERSINGLABS_Cert_Blocklist_13794371C052Ec0559E9B492Abb25C26 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "da20a58f-046f-5489-b19c-db68755337ad"
+ id = "31f119a3-e0da-5875-826f-68c40c6f8b88"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5082-L5098"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7383d1fb1fa6e49f8fa9e1eecfe3fcedb8a11702fbd3700630a11b12da29fedf"
+ logic_hash = "7383d1fb1fa6e49f8fa9e1eecfe3fcedb8a11702fbd3700630a11b12da29fedf"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39617,13 +39617,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C7E78F53C31D6Aa5B45De14B47Eb5C4 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "26a806f4-656e-53e2-83fc-30d3e2fc89d0"
+ id = "5906107a-03ce-5ca4-b0a7-12b0b45359dd"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5100-L5116"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7521abc5c93f0336af4fab95268962aa3d3fb48fed6a8ba7fdb98e373158b327"
+ logic_hash = "7521abc5c93f0336af4fab95268962aa3d3fb48fed6a8ba7fdb98e373158b327"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39642,13 +39642,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dadf44E4046372313Ee97B8E394C4079 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a227de3a-1860-5261-a930-bf227b58ab63"
+ id = "bebfbbd7-8d42-50a3-8efa-85b641eb069a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5118-L5136"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_170533935b91776ec2413106c55ed4a01c33f32a469a855824cac796f2e132a0"
+ logic_hash = "170533935b91776ec2413106c55ed4a01c33f32a469a855824cac796f2e132a0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39667,13 +39667,13 @@ rule REVERSINGLABS_Cert_Blocklist_F8C2E08438Bb0E9Adc955E4B493E5821 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "448840e4-a3e5-5d56-886d-61a0d81881d0"
+ id = "65297530-2482-5773-8914-461fb56cb41d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5138-L5156"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5dbe554032c945c46ffd61ef1e0deb59d396a70dd63994bf44c65d849ec8220a"
+ logic_hash = "5dbe554032c945c46ffd61ef1e0deb59d396a70dd63994bf44c65d849ec8220a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39692,13 +39692,13 @@ rule REVERSINGLABS_Cert_Blocklist_70E1Ebd170Db8102D8C28E58392E5632 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "918eb26d-3409-54cc-aa07-0da48b17a599"
+ id = "e3b0f68c-8cc9-5275-988a-8d955ea25a47"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5158-L5174"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e1738eddc1da0876a373ee7f35bff155d56c1b98a23cb117c0e7a966f8fa3c92"
+ logic_hash = "e1738eddc1da0876a373ee7f35bff155d56c1b98a23cb117c0e7a966f8fa3c92"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39717,13 +39717,13 @@ rule REVERSINGLABS_Cert_Blocklist_09C89De6F64A7Fdf657E69353C5Fdd44 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "106589b2-3cda-519e-a7a4-504df7869845"
+ id = "f86eafb5-ec59-58c5-b5f9-01a6704fb555"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5176-L5192"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1cb57cd68cda91754307d2e4d94ea011975bbfff0f15134081a5aa11870b0db1"
+ logic_hash = "1cb57cd68cda91754307d2e4d94ea011975bbfff0f15134081a5aa11870b0db1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39742,13 +39742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ffff2Ce862378B26440Df49Ca9175B70 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4f1c541b-eee3-5281-bb00-a3b86936b3f9"
+ id = "d5d1e84d-328f-53ac-adb6-3824fa77a47d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5194-L5212"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8ed7b0643b07ce4954f570157e1534ee1ed647717cce00fe7f2b572c9b5d0042"
+ logic_hash = "8ed7b0643b07ce4954f570157e1534ee1ed647717cce00fe7f2b572c9b5d0042"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39767,13 +39767,13 @@ rule REVERSINGLABS_Cert_Blocklist_3223B4616C2687C04865Bee8321726A8 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "69605fb5-7f3d-5e5f-b3df-6e0305480853"
+ id = "089aae56-4f46-563c-800a-dbf57db2bde6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5214-L5230"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fcb0a14866b3612c5ec5a7db7a3333e20a4605695b3d019eef84de85d7b3ea4d"
+ logic_hash = "fcb0a14866b3612c5ec5a7db7a3333e20a4605695b3d019eef84de85d7b3ea4d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39792,13 +39792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7709D2Df39E9A4F7Db2F3Cbc29B49743 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d18eb0bd-beef-52b2-b7b2-4bb546208096"
+ id = "7227daa3-453d-5bb8-804c-8a97cd0d81c6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5232-L5248"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c9ade45e0f9fb737a08ffa94d1fff89471a1cbcbacc139730fab88e382226d0b"
+ logic_hash = "c9ade45e0f9fb737a08ffa94d1fff89471a1cbcbacc139730fab88e382226d0b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39817,13 +39817,13 @@ rule REVERSINGLABS_Cert_Blocklist_E29690E14518874D2Dcf00234Ae94F1F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "59c7ef55-cf69-5912-93d0-e0304d7de478"
+ id = "6b4f26d3-b943-5a2e-bfb9-0e290031926a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5250-L5268"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ef84815798b213dc49a142e3076cc6dd680dccabe72643fc86234024a46468f9"
+ logic_hash = "ef84815798b213dc49a142e3076cc6dd680dccabe72643fc86234024a46468f9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39842,13 +39842,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cfac705C7E6845904F99995324F7562C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4815ecf9-b51c-5f5c-9a26-20a3a7e6ce87"
+ id = "42aa3105-a077-5962-8d5d-50429254582b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5270-L5288"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_68bcfe60c2e7154f427c20d0471ede99e55c8200149a4438d5a2a75982fcd419"
+ logic_hash = "68bcfe60c2e7154f427c20d0471ede99e55c8200149a4438d5a2a75982fcd419"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39867,13 +39867,13 @@ rule REVERSINGLABS_Cert_Blocklist_A7989F8Be0C82D35A19E7B3Dd4Be30E5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "48b9b712-a872-52e2-816a-70c498e36bdc"
+ id = "21d54d40-442e-50f5-a561-41b3d6239bac"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5290-L5308"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a50129908a471e6692bcf663abd5ef52861d4a46fdf528f39efe816ee6150edf"
+ logic_hash = "a50129908a471e6692bcf663abd5ef52861d4a46fdf528f39efe816ee6150edf"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39892,13 +39892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fa13Ae98E17Ae23Fcfe7Ae873D0C120 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6185be58-f0df-57e5-9317-331743162e15"
+ id = "87a47456-4d90-5a7d-af9d-7a6d5fb8efac"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5310-L5326"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_415f39f82b6a45acd196ccf246ec660806a8d66c61df8c7d2850e5b244118d04"
+ logic_hash = "415f39f82b6a45acd196ccf246ec660806a8d66c61df8c7d2850e5b244118d04"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39917,13 +39917,13 @@ rule REVERSINGLABS_Cert_Blocklist_3696883055975D571199C6B5D48F3Cd5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5f943a91-a036-5be7-8e35-65a104dd5c70"
+ id = "f68338f9-8614-5793-981d-70547dbc65ce"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5328-L5344"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d6f77b9ca928167341a35b83e353886d4db8dfcecf45cde0f0f93d65059b5200"
+ logic_hash = "d6f77b9ca928167341a35b83e353886d4db8dfcecf45cde0f0f93d65059b5200"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39942,13 +39942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ee678930D5Bdfaa2Ab0172Fa4C10Ae07 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0335af6e-6318-54c2-824b-89656e70bd82"
+ id = "e2c2c34a-6177-5457-9ed9-fa34f82ee4cd"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5346-L5364"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f1e254450fdbe94172a4fa2d2727c3ade5ae436cf4c0c1153a15e9a2f64f2452"
+ logic_hash = "f1e254450fdbe94172a4fa2d2727c3ade5ae436cf4c0c1153a15e9a2f64f2452"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39967,13 +39967,13 @@ rule REVERSINGLABS_Cert_Blocklist_D7C432E8D4Edef515Bfb9D1C214Ff0F5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "cfc7779c-da9c-50dd-b781-5a36701f0678"
+ id = "5aed508e-2da1-52a0-98f3-52e903e95b7d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5366-L5384"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_63741513f3ab2f51ecd66dc973239c9dc194b86504fe26b2dd4a7f31299e5497"
+ logic_hash = "63741513f3ab2f51ecd66dc973239c9dc194b86504fe26b2dd4a7f31299e5497"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -39992,13 +39992,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B440A47E8Ce3Dd202271E5C7A666C78 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e551053a-c705-5752-bb9b-e0d336126492"
+ id = "6f9852cb-277d-5942-b3f7-525593a41027"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5386-L5402"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_eb4387d58e391c356ed774d8c13bb4bbb2befed585bb44674459d3ef519aec58"
+ logic_hash = "eb4387d58e391c356ed774d8c13bb4bbb2befed585bb44674459d3ef519aec58"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40017,13 +40017,13 @@ rule REVERSINGLABS_Cert_Blocklist_B82C6553B2186C219797621Aaa233Edb : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "83f2f813-f4a6-5a22-8d82-1ced318dfe03"
+ id = "e1dd9783-078f-582e-8493-7c493cda9c62"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5404-L5422"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_72e3e1740a4adc4315d2dd9c9f7b8cee2d89c3006014dec663b70d3419f43ca3"
+ logic_hash = "72e3e1740a4adc4315d2dd9c9f7b8cee2d89c3006014dec663b70d3419f43ca3"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40042,13 +40042,13 @@ rule REVERSINGLABS_Cert_Blocklist_F360F7Ad0Ed065Fec0B44F98E04481A0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3b575e56-f1c0-5f65-9466-6b1b6a13b562"
+ id = "96219c86-f463-5f11-950d-ca2af75d5559"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5424-L5442"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2a25f1121f492dec461e570ff56acb0e3957cdf9100002f2ff0b6c3d3b35fee5"
+ logic_hash = "2a25f1121f492dec461e570ff56acb0e3957cdf9100002f2ff0b6c3d3b35fee5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40067,13 +40067,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fe41941464B9992A69B7317418Ae8Eb7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a74708bc-69a8-589b-b7ae-0ae63b8fd31b"
+ id = "dd84a6b2-e616-5f93-af50-1a4fc15f3c45"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5444-L5462"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bd5131f2b44deec6a7a68577b80ef4d066c331da2976539ce52ac6cff8d5560e"
+ logic_hash = "bd5131f2b44deec6a7a68577b80ef4d066c331da2976539ce52ac6cff8d5560e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40092,13 +40092,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C14B611A44A1Bae0E8C7581651845B6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c3ab1646-ccbb-5856-a562-a1dca8ee8d36"
+ id = "116beeac-49c6-56b0-a1c0-855623f604d9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5464-L5480"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7f6028181e33e4ba8264ee367169e7259e19ff49dcae9a337a4ba78c06b459e6"
+ logic_hash = "7f6028181e33e4ba8264ee367169e7259e19ff49dcae9a337a4ba78c06b459e6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40117,13 +40117,13 @@ rule REVERSINGLABS_Cert_Blocklist_690910Dc89D7857C3500Fb74Bed2B08D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "35111140-4028-588c-bf7a-22e2c03109ec"
+ id = "7c427b1a-fbe9-5e97-9810-87863c70988d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5482-L5498"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3c5da6238279296854eb95ecaed802f453e80c6bceb71c3fa587df0f7d40cf96"
+ logic_hash = "3c5da6238279296854eb95ecaed802f453e80c6bceb71c3fa587df0f7d40cf96"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40142,13 +40142,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fd41E6Bd7428D3008C8A05F68C9Ac6F2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2414f272-96ca-52a6-9488-86a71d9dfedb"
+ id = "ef59a76a-3b59-55a2-9da5-c3ba844bbe77"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5500-L5518"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e387664dc9aa746e127b4efb2ef43675f8fb6df66e99d33ef765e8fa306a4f18"
+ logic_hash = "e387664dc9aa746e127b4efb2ef43675f8fb6df66e99d33ef765e8fa306a4f18"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40167,13 +40167,13 @@ rule REVERSINGLABS_Cert_Blocklist_C7079866C0E48B01246Ba0C148E70D4D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4dc4393b-7cdc-5dcd-b70b-5d17d535b14c"
+ id = "2c985bd9-cb2a-553a-af63-a2a0a80cc641"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5520-L5538"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cc144760e0ca21fd98b55ac222db540900def61f54e9644f8cab5f711ec7bf24"
+ logic_hash = "cc144760e0ca21fd98b55ac222db540900def61f54e9644f8cab5f711ec7bf24"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40192,13 +40192,13 @@ rule REVERSINGLABS_Cert_Blocklist_D591Da22F33C800A7024Aecff2Cd6C6D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "10b5234f-79c6-5528-ae98-50b7c5b08527"
+ id = "294cbf90-cd1f-5743-a51a-46e1d04ef34e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5540-L5558"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_30e421d5ea3c5693c5c9bd0e3dd997ceda9755d17e3fb16d2a8e6c4a327ae32f"
+ logic_hash = "30e421d5ea3c5693c5c9bd0e3dd997ceda9755d17e3fb16d2a8e6c4a327ae32f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40217,13 +40217,13 @@ rule REVERSINGLABS_Cert_Blocklist_B36E0F2053Caee9C3B966F7Be0B40Fc3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "46fac83d-9624-5da9-b892-d61e7cb6b42e"
+ id = "8ed732ae-1c25-59fc-8ebe-50a1eb81e4a9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5560-L5578"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2444c78aefdb9e8c8004598a318db016d7e781ede6da2ba3ee85316456c3e77b"
+ logic_hash = "2444c78aefdb9e8c8004598a318db016d7e781ede6da2ba3ee85316456c3e77b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40242,13 +40242,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B320A2F46C99C1Ba1357Bee : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "cf2fc150-b922-573b-877c-0fab4d7a2f6c"
+ id = "3912fdfc-7a84-51ce-abd2-977ad183af26"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5580-L5596"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_12797f80bce9d64c6c07e185aa309a0c4f910835745a7f2cc1874fb1211624d8"
+ logic_hash = "12797f80bce9d64c6c07e185aa309a0c4f910835745a7f2cc1874fb1211624d8"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40267,13 +40267,13 @@ rule REVERSINGLABS_Cert_Blocklist_08D4352185317271C1Cec9D05C279Af7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1b80cb3a-0253-53e6-b702-1fe45555481d"
+ id = "0165920f-5f4d-5b35-990d-120786b4c5ba"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5598-L5614"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b240962ab23729b241413ed1e53ac6541bf6b8a673c57522efd0cfe0c7eb9dd4"
+ logic_hash = "b240962ab23729b241413ed1e53ac6541bf6b8a673c57522efd0cfe0c7eb9dd4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40292,13 +40292,13 @@ rule REVERSINGLABS_Cert_Blocklist_B514E4C5309Ef9F27Add05Bedd4339A0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c44f6ae2-cd2a-592f-b36f-3d7e375e9e77"
+ id = "4b5abcfe-259e-5029-822b-c191b8d2c607"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5616-L5634"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_665b280218528bbe3d5c65d043266469e5288587ed9d85d01797bef7ce132a6f"
+ logic_hash = "665b280218528bbe3d5c65d043266469e5288587ed9d85d01797bef7ce132a6f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40317,13 +40317,13 @@ rule REVERSINGLABS_Cert_Blocklist_13C7B92282Aae782Bfb00Baf879935F4 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5bd724e9-23e6-55bc-a596-747f22f45526"
+ id = "cc147c06-e0cf-5536-be3c-17e838b346a9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5636-L5652"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d4edbb446a51e5153ba88d6757d5fb610303eac3fd4bdd3b987b508dc618d2dc"
+ logic_hash = "d4edbb446a51e5153ba88d6757d5fb610303eac3fd4bdd3b987b508dc618d2dc"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40342,13 +40342,13 @@ rule REVERSINGLABS_Cert_Blocklist_D627F1000D12485995514Bfbdefc55D9 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "51581274-6fa7-5ab4-a7f6-b65a879a8518"
+ id = "4696fc12-16b7-575f-b90f-aa0a5cc12852"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5654-L5672"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7ca590d71997879d17054a936238dd5273a52f3438d1b231a75927abfb118ffd"
+ logic_hash = "7ca590d71997879d17054a936238dd5273a52f3438d1b231a75927abfb118ffd"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40367,13 +40367,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fb6Bae8834Edd8D3D58818Edc86D7D7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "684fb349-5bc7-5d21-8908-75493f906561"
+ id = "52b11933-f22c-53ea-88b7-75b3242907dd"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5674-L5690"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a8cec0479bfd53f34e291d56538187c05375e80d20af7f0af08f0db8e1d6ed22"
+ logic_hash = "a8cec0479bfd53f34e291d56538187c05375e80d20af7f0af08f0db8e1d6ed22"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40392,13 +40392,13 @@ rule REVERSINGLABS_Cert_Blocklist_E5Ad42C509A7C24605530D35832C091E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "79dc96a7-8487-5fa0-bd72-78de55318816"
+ id = "29b1803e-90ee-5390-9548-20b24a3de218"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5692-L5710"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2d57d1c171734d0da167ce7eba47aecd88cd15063488d79659804c6c2fae00a2"
+ logic_hash = "2d57d1c171734d0da167ce7eba47aecd88cd15063488d79659804c6c2fae00a2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40417,13 +40417,13 @@ rule REVERSINGLABS_Cert_Blocklist_8E3D89C682F7C0Dad70110Cb7B7C8263 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b52e4c48-7914-550c-ab64-be9024f490bf"
+ id = "1adc776c-1549-5149-bd2f-81920a8d7255"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5712-L5730"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a0f42c5492469e7f132b000aead2d674fed4ea9c0e168579fd55a6c89b45ae4d"
+ logic_hash = "a0f42c5492469e7f132b000aead2d674fed4ea9c0e168579fd55a6c89b45ae4d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40442,13 +40442,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ef2D35F2Ae82A767A16Be582Ab0D1Ba0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "fe8a01ed-8aa4-5007-bf7c-00824b6ad418"
+ id = "dc8f49b8-fda2-510c-8374-3261e75d11a9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5732-L5750"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0709290aeb18bcb855518e150c2768c24ab311f5c727cdc4c40145b879ff88b6"
+ logic_hash = "0709290aeb18bcb855518e150c2768c24ab311f5c727cdc4c40145b879ff88b6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40467,13 +40467,13 @@ rule REVERSINGLABS_Cert_Blocklist_039668034826Df47E6207Ec9Daed57C3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ec11ced8-d3c2-52c2-9f8e-c3867df7edcd"
+ id = "c2a3477a-a4cf-586e-ba70-555cc577ab2c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5752-L5768"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_792860feec6e599ba22ae3869ef132cf5b7be2e0572e23503e293444fd7c382d"
+ logic_hash = "792860feec6e599ba22ae3869ef132cf5b7be2e0572e23503e293444fd7c382d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40492,13 +40492,13 @@ rule REVERSINGLABS_Cert_Blocklist_07Bb6A9D1C642C5973C16D5353B17Ca4 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0fc2d7f4-30ae-5186-b86b-b4fed5f50deb"
+ id = "094a02ee-394b-5989-9f73-6b942aca5500"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5770-L5786"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b98dcd4f0ebe870a9dad55cac5b0db81be6062216337b75a74a0aff8436df57f"
+ logic_hash = "b98dcd4f0ebe870a9dad55cac5b0db81be6062216337b75a74a0aff8436df57f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40517,13 +40517,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A1Dc99E4D5264C45A5090F93242A30A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "62e4dbb6-2219-5cc4-81b7-b01b4329e595"
+ id = "9b85ed8d-ddda-51d0-bfac-5cdc6e4fd94f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5788-L5804"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1985c9c4f4a93c3088eaec3031df93cf87a9d7ee36b94322330caf3c21982f3c"
+ logic_hash = "1985c9c4f4a93c3088eaec3031df93cf87a9d7ee36b94322330caf3c21982f3c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40542,13 +40542,13 @@ rule REVERSINGLABS_Cert_Blocklist_018093Cfad72Cdf402Eecbe18B33Ec71 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "7f7ff64b-121b-55fc-965b-edf459426f9e"
+ id = "d9ab2e5c-a107-53c1-9b8d-b4625eed03b0"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5806-L5822"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ac398ef89e691158742598777c320832a750a7410904448778afc7ef3c63c255"
+ logic_hash = "ac398ef89e691158742598777c320832a750a7410904448778afc7ef3c63c255"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40567,13 +40567,13 @@ rule REVERSINGLABS_Cert_Blocklist_569E03988Af60D80Ce60728940850D9B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1aa7e141-490c-5a78-923e-8446ac855d8f"
+ id = "a4432990-8c2f-523c-8a9d-cba578aaefc5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5824-L5842"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3ea894d9e088c2123f9ec87cbf097e2275fae18cad26e926641fe64921808b1e"
+ logic_hash = "3ea894d9e088c2123f9ec87cbf097e2275fae18cad26e926641fe64921808b1e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40592,13 +40592,13 @@ rule REVERSINGLABS_Cert_Blocklist_418F6D959A8A0F82Bef07Ceba3603E52 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ee093467-9c08-588a-af31-0511680357c1"
+ id = "ecfb72ef-04c4-55b6-b9e0-e95053e03425"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5844-L5862"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6c13c5e85d6e053319193d1d94f216eeec64405c86d15971419078a1ce6c8ac9"
+ logic_hash = "6c13c5e85d6e053319193d1d94f216eeec64405c86d15971419078a1ce6c8ac9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40617,13 +40617,13 @@ rule REVERSINGLABS_Cert_Blocklist_5378C5Bbeba0D3309A35Bb47F63037F7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "22d08e9d-8daf-5893-bb58-7c37fa7b5e92"
+ id = "7f367505-d7c1-5b8c-83bd-df3fec789d12"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5864-L5882"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a96acf93ca6da4d3bf5177b51996825cd3ea70443577622deccdd11fde579c31"
+ logic_hash = "a96acf93ca6da4d3bf5177b51996825cd3ea70443577622deccdd11fde579c31"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40642,13 +40642,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Bab6A2Aa84B495D9E554A4C42C0126D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5ceb1dd7-79c8-57b9-a62c-2983a7d8c5d5"
+ id = "7b6d364c-3e27-5314-b604-d44bb408fc4e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5884-L5900"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_79b6df421c78fd3e2f05a60f7d875e02519297a0278614c9f63dff8b1b2a2d18"
+ logic_hash = "79b6df421c78fd3e2f05a60f7d875e02519297a0278614c9f63dff8b1b2a2d18"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40667,13 +40667,13 @@ rule REVERSINGLABS_Cert_Blocklist_6314001C3235Cd59Bcc3F5278C518804 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "62f6454f-80cd-531e-8bdc-65ccd7f7a3b2"
+ id = "aff0fb76-587b-5493-810c-ac32a6ba9576"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5902-L5918"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4320f3884c0f7e4939e8988a4e83b8028a5e01fb425ae4faa2273134db835813"
+ logic_hash = "4320f3884c0f7e4939e8988a4e83b8028a5e01fb425ae4faa2273134db835813"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40692,13 +40692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ed8Ade5D73B73Dade6943D557Ff87E5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c5e5a2e5-acc0-5bde-9ebf-2fa7b74a399e"
+ id = "dbfae40c-2f81-5daf-8655-d06ae38ffa8f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5920-L5936"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7796b6e7da900be8634e7f1e51cda1275ab1e7c2709af7ecaa8777ab0b518494"
+ logic_hash = "7796b6e7da900be8634e7f1e51cda1275ab1e7c2709af7ecaa8777ab0b518494"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40717,13 +40717,13 @@ rule REVERSINGLABS_Cert_Blocklist_0292C7D574132Ba5C0441D1C7Ffcb805 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "93fa72d6-2863-5e2d-bc37-bcb4054294b7"
+ id = "ef58cf01-9c54-5dbb-99a7-d3ca42663133"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5938-L5954"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d2bcf72f4c5829d161bc40e820eb0b1a85deaa49b749422d5429e27b7fb2b1fe"
+ logic_hash = "d2bcf72f4c5829d161bc40e820eb0b1a85deaa49b749422d5429e27b7fb2b1fe"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40742,13 +40742,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F23F001458716D435Cca1A55D660Ec5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "de5eeaeb-2a15-5d68-8e61-0c460a447bef"
+ id = "16614e20-1cf1-55c0-a04c-d99c06fb29a2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5956-L5972"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bacfb4b7900ab57d23474e0422bd74fff113296b8db37e8eae3bd456443d28d6"
+ logic_hash = "bacfb4b7900ab57d23474e0422bd74fff113296b8db37e8eae3bd456443d28d6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40767,13 +40767,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E0Ccbdfb4777E10Ea6221B90Dc350C2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "8ae9183f-4c6e-523c-8126-40cb52c978a8"
+ id = "64007bd7-b273-5579-8224-68337f1bc54d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5974-L5990"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_08a1ff7cc3a7680fdbb3235a7b46709cd4ba530a9afeab4344671db9fe893cc4"
+ logic_hash = "08a1ff7cc3a7680fdbb3235a7b46709cd4ba530a9afeab4344671db9fe893cc4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40792,13 +40792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ed1847A2Ae5D71Def1E833Fddd33D38 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0d8664e3-42e1-5362-be0d-4bfb367d74fc"
+ id = "11fd3bbe-5d15-57b7-a461-fc9c90046dbc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L5992-L6008"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0ec5eb8ff1f630284fabfba5c58dd563d471343ace718f79dad08cfe75c3070d"
+ logic_hash = "0ec5eb8ff1f630284fabfba5c58dd563d471343ace718f79dad08cfe75c3070d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40817,13 +40817,13 @@ rule REVERSINGLABS_Cert_Blocklist_97Df46Acb26B7C81A13Cc467B47688C8 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "22d4bd7a-016c-5cf9-ad0f-d332eb51e508"
+ id = "68e2fdc7-61cd-5e0a-8bc7-5e0ca96271c5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6010-L6028"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6f6e0e175caee83eaec2dacedaf564b642195a8815cfd0d4564f581070b0c545"
+ logic_hash = "6f6e0e175caee83eaec2dacedaf564b642195a8815cfd0d4564f581070b0c545"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40842,13 +40842,13 @@ rule REVERSINGLABS_Cert_Blocklist_186D49Fac34Ce99775B8E7Ffbf50679D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c5fa77aa-cd3a-561c-a325-3d3d74b5c425"
+ id = "9279d4ee-3f53-5d68-aaa1-af6ed579310f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6030-L6046"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0444a5052ee384451ebd85918bbc6bf6d6a75334899a63a8b5828ef06cb9c7ca"
+ logic_hash = "0444a5052ee384451ebd85918bbc6bf6d6a75334899a63a8b5828ef06cb9c7ca"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40867,13 +40867,13 @@ rule REVERSINGLABS_Cert_Blocklist_B1Aea98Bf0Ce789B6C952310F14Edde0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2a85ccf9-18fc-5296-87e9-d9b9f5b1c6aa"
+ id = "f039f379-e3d5-56bd-83b7-016881538017"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6048-L6066"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6e78750d6aca91e9e6d8f2651a5682ccdab5cd20ee3a74e1f8582eb7bc45d614"
+ logic_hash = "6e78750d6aca91e9e6d8f2651a5682ccdab5cd20ee3a74e1f8582eb7bc45d614"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40892,13 +40892,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Dcd0699Da08915Dde6D044Cb474157C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5190ab6a-bf05-5a95-aa94-b19d57df462a"
+ id = "e1f56719-e726-5f81-99d4-937e343cbcc9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6068-L6084"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e1a3f27b8b9b642fe1ca73ec54d225f4470b53d0d06f2eea55ad1ad43ec67b39"
+ logic_hash = "e1a3f27b8b9b642fe1ca73ec54d225f4470b53d0d06f2eea55ad1ad43ec67b39"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40917,13 +40917,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B03Cabe6A0481F17A2Dbeb9Aefad425 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1942f9f9-4428-5a99-b310-6a22f8ed04fa"
+ id = "30108ce3-b133-5e1d-924f-7caaf390e836"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6086-L6102"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6986e7bd90842647ec6a168c30dca2d5ae8ae5b1c1014f966dd596a78859ac6e"
+ logic_hash = "6986e7bd90842647ec6a168c30dca2d5ae8ae5b1c1014f966dd596a78859ac6e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40942,13 +40942,13 @@ rule REVERSINGLABS_Cert_Blocklist_64Cd303Fa289790Afa03C403E9240002 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "74c285a3-b700-5c43-9b06-802e04887ec7"
+ id = "86644ef8-4218-5a04-9655-c7d51729872d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6104-L6120"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f51556a8a12affbd7f7633bf8daa50e6332fa3d3448ea08853cf8ed28e593680"
+ logic_hash = "f51556a8a12affbd7f7633bf8daa50e6332fa3d3448ea08853cf8ed28e593680"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40967,13 +40967,13 @@ rule REVERSINGLABS_Cert_Blocklist_07Cef66A71C35Bc3Aed6D100C6493863 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0aaf99d0-ad47-59c8-9d82-9ed62318f4e2"
+ id = "9c16c370-a382-54f7-ba2e-3b738740966f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6122-L6138"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e741fc13fe4d03b145ed1d86e738b415a7260eae5b0908c6991c9ea9896f14cf"
+ logic_hash = "e741fc13fe4d03b145ed1d86e738b415a7260eae5b0908c6991c9ea9896f14cf"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -40992,13 +40992,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be77Fe5C58B7A360Add6A3Fced4E8334 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "feeb21fc-4c02-58dd-b17a-93a6a3992967"
+ id = "1bbaebe9-b3ca-5ee2-91ac-b2343ca8bb86"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6140-L6158"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cea0d217206562c0045843405802d3b2fad01bdb2a4cfb52057625b43f5f8eee"
+ logic_hash = "cea0d217206562c0045843405802d3b2fad01bdb2a4cfb52057625b43f5f8eee"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41017,13 +41017,13 @@ rule REVERSINGLABS_Cert_Blocklist_F097E59809Ae2E771B7B9Ae5Fc3408D7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d8857d67-34e0-5362-917c-f4defa214f3d"
+ id = "1eed6f30-0648-5b8e-81ff-9f3af0f1c91d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6160-L6178"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9e23ff26d3e1ea181e48fc23383e3717804858bc517a31ec508fa0753730c78e"
+ logic_hash = "9e23ff26d3e1ea181e48fc23383e3717804858bc517a31ec508fa0753730c78e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41042,13 +41042,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Cf1Ed2A6Ff4Bee621Efdf725Ea174B7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5273b2bc-85f6-52ba-824f-c2f84e22afbe"
+ id = "7f7ecbcd-7a92-526d-99a8-d849fffa19cb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6180-L6196"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7030c122905105c72833cfcb41692bd9a67cf456e3309afce0b8f9e65c6aa5c1"
+ logic_hash = "7030c122905105c72833cfcb41692bd9a67cf456e3309afce0b8f9e65c6aa5c1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41067,13 +41067,13 @@ rule REVERSINGLABS_Cert_Blocklist_1249Aa2Ada4967969B71Ce63Bf187C38 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "9dc5db74-7ec6-519f-8a17-29f9ca337702"
+ id = "5b2876a2-8dfa-5456-a615-4ea69df53422"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6198-L6214"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f84568cfe6304af0307a34bfed6dd346a74e714005b5e6f22a354b14f853ec65"
+ logic_hash = "f84568cfe6304af0307a34bfed6dd346a74e714005b5e6f22a354b14f853ec65"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41092,13 +41092,13 @@ rule REVERSINGLABS_Cert_Blocklist_D59A05955A4A421500F9561Ce983Aac4 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "73bdc59f-cea6-5046-a950-92e017752d55"
+ id = "088f0f98-328b-50fa-b1e4-1d80023b3c09"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6216-L6234"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b7ed87a03f20872669369cc3cad4eae40ba597f06222194bd67262c094083ec1"
+ logic_hash = "b7ed87a03f20872669369cc3cad4eae40ba597f06222194bd67262c094083ec1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41117,13 +41117,13 @@ rule REVERSINGLABS_Cert_Blocklist_539015999E304A5952985A994F9C3A53 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1104a05f-9503-5630-b8df-c5d2752cf171"
+ id = "ccb4da10-3178-5d8f-be17-9c689e794418"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6236-L6252"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_feeb1710bd5b048c689a2e45575529624cd1622dcc73db8fe7de6c133fdc5698"
+ logic_hash = "feeb1710bd5b048c689a2e45575529624cd1622dcc73db8fe7de6c133fdc5698"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41142,13 +41142,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B1926A5E8Ae50A0Efa504F005F93869 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b3a67595-5683-5dcf-a516-dd5c909002c8"
+ id = "ce437144-0f99-5c41-8d15-edeceb34de4d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6254-L6270"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1cbdf39a873c83d2b55723215fb4930a3ce23b6cab2d71a6cd5f16b2721e30f9"
+ logic_hash = "1cbdf39a873c83d2b55723215fb4930a3ce23b6cab2d71a6cd5f16b2721e30f9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41167,13 +41167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A23B660E7322E54D7Bd0E5Acc890966 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e2aa285b-7943-59eb-a438-f597914587c8"
+ id = "daae5f42-59ff-5838-9444-93357eaa9d60"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6272-L6288"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_17996dd0ec81623dbd4eeea98f9bbe37c11c911ca840833ecb9301bb0a9ddb52"
+ logic_hash = "17996dd0ec81623dbd4eeea98f9bbe37c11c911ca840833ecb9301bb0a9ddb52"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41192,13 +41192,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Cfa5050C819C4Acbb8Fa75979688Dff : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b26e366d-dffd-5dd4-8987-f591633c0237"
+ id = "f91ecc17-7406-552a-8864-c9e1657a5ca9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6290-L6308"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cffc234be78446191dd5f5990db9f17c7e28eeaa3e16f1eb8ad4ed1e58fdc25e"
+ logic_hash = "cffc234be78446191dd5f5990db9f17c7e28eeaa3e16f1eb8ad4ed1e58fdc25e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41217,13 +41217,13 @@ rule REVERSINGLABS_Cert_Blocklist_044E05Bb1A01A1Cbb50Cfb6Cd24E5D6B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "7a0d5e9f-0c4e-5ab5-aef3-422334696734"
+ id = "c0796bc3-96cd-5d12-a0ee-97d8ed4a3076"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6310-L6326"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_40c80d3b6bedb0b3454e14501745a6e82b6ea9ac202748867a2e937fb79c6f6c"
+ logic_hash = "40c80d3b6bedb0b3454e14501745a6e82b6ea9ac202748867a2e937fb79c6f6c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41242,13 +41242,13 @@ rule REVERSINGLABS_Cert_Blocklist_B7F19B13De9Bee8A52Ff365Ced6F67Fa : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5a8069a3-0730-5a3f-a69b-d147fca8efbf"
+ id = "0e7e235e-3f0b-5396-9c19-9336d9cbb95a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6328-L6346"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a8d2a92b44cdd7b123907a6a77ba0fc9fde4961f9ac846b36f1e87730a1efae6"
+ logic_hash = "a8d2a92b44cdd7b123907a6a77ba0fc9fde4961f9ac846b36f1e87730a1efae6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41267,13 +41267,13 @@ rule REVERSINGLABS_Cert_Blocklist_B61B8E71514059Adc604Da05C283E514 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "517683e3-bcfb-50b8-86eb-2f3b7e3de30f"
+ id = "2587d30d-e9c8-599c-9cc4-4d4a7aa83c34"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6348-L6366"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1255cef74082c9cad41ac8e7d62e740f69e6ba44171bb45655a68ee5db204e57"
+ logic_hash = "1255cef74082c9cad41ac8e7d62e740f69e6ba44171bb45655a68ee5db204e57"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41292,13 +41292,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ece6Cbf67Dc41635A5E5D075F286Af23 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "68d0e8ba-d4f2-5702-9393-c999e66a1a77"
+ id = "3e451a5a-835b-572d-ab17-ff52d3614a86"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6368-L6386"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f560e6f4a65eaac8db1d8accb0748de17048e66ccf989468e6350a3ec1d70dc8"
+ logic_hash = "f560e6f4a65eaac8db1d8accb0748de17048e66ccf989468e6350a3ec1d70dc8"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41317,13 +41317,13 @@ rule REVERSINGLABS_Cert_Blocklist_014A98D697B44F43Ded21F18Eb6Ad0Ba : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "08ee4154-90be-5f9b-95b9-98e85cf1e398"
+ id = "4fcd4e89-658c-593b-8f94-edd5df19da6e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6388-L6404"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9f1cc61b944974696113912bc1d1a0b45b9911fa4d6de382a48c0d22d2d20953"
+ logic_hash = "9f1cc61b944974696113912bc1d1a0b45b9911fa4d6de382a48c0d22d2d20953"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41342,13 +41342,13 @@ rule REVERSINGLABS_Cert_Blocklist_063A7D09107Eddd8Aa1F733634C6591B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "73472fa3-59d5-5822-a861-7434e981f5ce"
+ id = "0169cf47-72b0-53ec-bc8f-c2a80febad3a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6406-L6422"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_19f11e1d9ce95eb4bc75387a0118c230388a13cd07b02e00ea1d65cdcc0b2bd7"
+ logic_hash = "19f11e1d9ce95eb4bc75387a0118c230388a13cd07b02e00ea1d65cdcc0b2bd7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41367,13 +41367,13 @@ rule REVERSINGLABS_Cert_Blocklist_1E74Cfe7De8C5F57840A61034414Ca9F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0c266fed-d400-57c0-aaee-95ba0470af38"
+ id = "d7fd0c3f-0292-5d27-b8e6-559b829440b4"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6424-L6442"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d82220d908283f1707ec15882503b02cb8dc80095279a9e7d6cbdd113c25d8ae"
+ logic_hash = "d82220d908283f1707ec15882503b02cb8dc80095279a9e7d6cbdd113c25d8ae"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41392,13 +41392,13 @@ rule REVERSINGLABS_Cert_Blocklist_75Cf729F8A740Bbdef183A1C4D86A02F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f3bdebaa-8cb2-534a-b7f9-055bafd40d51"
+ id = "e96fdf57-3884-526e-a704-93e783c95241"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6444-L6460"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_691fadaa653ecd29e60f2db39b7c5154d7c85f388f72eccd0a4b5fe42eaee0dd"
+ logic_hash = "691fadaa653ecd29e60f2db39b7c5154d7c85f388f72eccd0a4b5fe42eaee0dd"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41417,13 +41417,13 @@ rule REVERSINGLABS_Cert_Blocklist_2F64677254D3844Efdac2922123D05D1 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "00110f99-1e0e-5321-b93a-e13633036387"
+ id = "de9ef02d-a723-5013-9f91-e394edc23855"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6462-L6478"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f9f1f629e03563ece0fe5186b199e2f030dce7f58fb259de1aeb7387c76fa902"
+ logic_hash = "f9f1f629e03563ece0fe5186b199e2f030dce7f58fb259de1aeb7387c76fa902"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41442,13 +41442,13 @@ rule REVERSINGLABS_Cert_Blocklist_32Fbf8Cfa43Dca3F85Efabe96Dfefa49 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b2b8d763-5834-547f-ad84-a068f9e30f1b"
+ id = "22bd8590-7a95-564c-ad77-fb20569de51d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6480-L6496"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_73d80e6a0dc2316524a55a9627792b9b4488d238ef529f1767de182956b0865e"
+ logic_hash = "73d80e6a0dc2316524a55a9627792b9b4488d238ef529f1767de182956b0865e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -41467,13 +41467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ef9D0Cf071D463Cd63D13083046A7B8D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "450aa178-3e80-58ee-9680-2b7915092e4f" + id = "8751f71b-0ebb-5820-927c-684a5ae5ee7b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6498-L6516" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2923979811504f78a79a2480600285a2697845e51870a44ed231a81e79807121" + logic_hash = "2923979811504f78a79a2480600285a2697845e51870a44ed231a81e79807121" score = 75 quality = 90 tags = "INFO, FILE" @@ -41492,13 +41492,13 @@ rule REVERSINGLABS_Cert_Blocklist_115Cf1353A0E33E19099A4867A4C750A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3dab0eed-8672-5a8a-8ee3-4da89572b508" + id = "c2564461-6731-5d7b-8dbb-560929b568d0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6518-L6536" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2a3353c655531b113dc019a86288310881e3bbcb6c03670a805f22b185e09e6c" + logic_hash = "2a3353c655531b113dc019a86288310881e3bbcb6c03670a805f22b185e09e6c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41517,13 +41517,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Cf3778Bb11115A884E192A7Cb807599 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df43930a-ff33-59ba-a912-691f26637be9" + id = "cd643ad5-254a-5c53-a6f2-b263ff539cd3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6538-L6556" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4242ef4a30bb09463ec5a6df9367915788a2aa782df6c463bcf966d2aad63c1d" + logic_hash = "4242ef4a30bb09463ec5a6df9367915788a2aa782df6c463bcf966d2aad63c1d" score = 75 quality = 90 tags = "INFO, FILE" @@ -41542,13 +41542,13 @@ rule REVERSINGLABS_Cert_Blocklist_82Cb93593B658100Cdd7A00C874287F2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1999de58-2fe1-5c7e-a126-09aa5dac4285" + id = "85df653a-a4a3-5d0e-86f4-cad0249cd3d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6558-L6576" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c77881e0365c9fc398097d0b6e077330a5f0fcbb53279bfde96b3c01df914c55" + logic_hash = "c77881e0365c9fc398097d0b6e077330a5f0fcbb53279bfde96b3c01df914c55" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41567,13 +41567,13 @@ rule REVERSINGLABS_Cert_Blocklist_9A8Bcfd05F86B15D0C99F50Cf414Bd00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b3722fe3-978b-58ca-b339-4714f8c95eb2" + id = "4446aead-9505-545a-8d3a-6ad844d348d3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6578-L6596" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_803d70dddeff51b753b577ea196b12570847c6875ae676a2d12cf1ca9323be34" + logic_hash = "803d70dddeff51b753b577ea196b12570847c6875ae676a2d12cf1ca9323be34" score = 75 quality = 90 tags = "INFO, FILE" @@ -41592,13 +41592,13 @@ rule REVERSINGLABS_Cert_Blocklist_95E5793F2Abe0B4Ec9Be54Fd24F76Ae5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9359d701-b0c2-5595-ab91-76e0b5611619" + id = "6b992971-6a1f-53e3-8651-f25a6b761c41" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6598-L6616" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bd198665ae952e11c91adc329908e3cd55a55365875200cd81d2f71fd092f1fe" + logic_hash = "bd198665ae952e11c91adc329908e3cd55a55365875200cd81d2f71fd092f1fe" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41617,13 +41617,13 @@ rule REVERSINGLABS_Cert_Blocklist_133565779808C3B79D8E3F70A9C3Ffac : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d46ef07a-26fd-563c-8fb8-b8e0af962358" + id = "bc3f54a6-723d-5de5-9a59-2be8a005cedc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6618-L6634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b9fb2e3cc150b0278e67c673f7c01174c30b2cc4458c9c5e573661071795b793" + logic_hash = "b9fb2e3cc150b0278e67c673f7c01174c30b2cc4458c9c5e573661071795b793" score = 75 quality = 90 tags = "INFO, FILE" @@ -41642,13 +41642,13 @@ rule REVERSINGLABS_Cert_Blocklist_7E0Ccda0Ef37Acef6C2Ebe4538627E5C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "332c96a9-61e2-5659-9800-279181ac7d29" + id = "4668ceb3-8bf2-5be4-9a1a-d0d902c35cf0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6636-L6654" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f13f9b70a2a3187522e4fff45a8a425863ad6242f82592aa9319c8d5fddeeefa" + logic_hash = "f13f9b70a2a3187522e4fff45a8a425863ad6242f82592aa9319c8d5fddeeefa" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41667,13 +41667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bad35Fd70025D46C56B89E32B1A3954C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2b24603c-89a1-551f-b2b8-d739d3479fc1" + id = "871e399f-8498-5d66-ab5e-24e48491124f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6656-L6674" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1020250fc5030e50bc1e7d0f0c5a77e462a53f47bfcc4383c682b34fed567492" + logic_hash = "1020250fc5030e50bc1e7d0f0c5a77e462a53f47bfcc4383c682b34fed567492" score = 75 quality = 90 tags = "INFO, FILE" @@ -41692,13 +41692,13 @@ rule REVERSINGLABS_Cert_Blocklist_7B91468122273Aa32B7Cfc80C331Ea13 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7e57e4f4-8fe8-5504-8603-e2937c7407f5" + id = "2a949015-3b7b-5123-8df1-f2199ef636c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6676-L6692" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_49d6fd8b325df4bc688275a09cee35e1040172eb6f3680aa2b6f0f3640c0782e" + logic_hash = "49d6fd8b325df4bc688275a09cee35e1040172eb6f3680aa2b6f0f3640c0782e" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41717,13 +41717,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E267B5D14Cdf1F645C1Ec545Cec3Aee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e3f62fc2-6097-5583-9812-e8f6b2199685" + id = "adff6ae2-076c-5c97-9fea-f95d770a3821" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6694-L6710" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e36ae57d715a71aa7d26dd003d647dfa7ab16d64e5411b6c49831544fc482645" + logic_hash = "e36ae57d715a71aa7d26dd003d647dfa7ab16d64e5411b6c49831544fc482645" score = 75 quality = 90 tags = "INFO, FILE" @@ -41742,13 +41742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ae6D3C0269Ef6497E14379C51A8507Ba : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "da66796a-51d0-50d8-bcb3-a9933004ea3c" + id = "5b8e7730-cb8b-5c51-9784-d944453bc898" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6712-L6730" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_23570962c80bddce28a3dee9d4d864cf3cf64018eec6fbcbdd3ca2658c9f660f" + logic_hash = "23570962c80bddce28a3dee9d4d864cf3cf64018eec6fbcbdd3ca2658c9f660f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41767,13 +41767,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fd8C468Cc1B45C9Cfb41Cbd8C835Cc9E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "caf6d703-96b7-5a2f-ae8e-f2383b25d893" + id = "f0050a52-65d5-54b2-b06d-08812af98948" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6732-L6750" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_230d33f0d1d31d4cb76bf3b13f109d3cc9ace846daef145e1dc7666b33c8a42a" + logic_hash = "230d33f0d1d31d4cb76bf3b13f109d3cc9ace846daef145e1dc7666b33c8a42a" score = 75 quality = 90 tags = "INFO, FILE" @@ -41792,13 +41792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7C061Baa3118327255161F6A7Fa4E21D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5d276cfb-42b6-5b29-b34c-8f1069e1ba40" + id = "f597956a-d11b-54e4-91b6-0572c0b10279" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6752-L6770" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4193fce69af03b3521a3cc442b762c52f8585b44fa6b0bd78b9ace171b807ed4" + logic_hash = "4193fce69af03b3521a3cc442b762c52f8585b44fa6b0bd78b9ace171b807ed4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41817,13 +41817,13 @@ rule REVERSINGLABS_Cert_Blocklist_04332C16724Ffeda5868D22Af56Aea43 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ec2f13ef-a438-5190-9bd8-b194f42a9107" + id = "1e5a2708-2875-50ab-af6b-3be91f38e13f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6772-L6788" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6b62d5c7a3c6e3096797cd2f515d86045fa77682638bda44175d05c5b6c5bbc0" + logic_hash = "6b62d5c7a3c6e3096797cd2f515d86045fa77682638bda44175d05c5b6c5bbc0" score = 75 quality = 90 tags = "INFO, FILE" @@ -41842,13 +41842,13 @@ rule REVERSINGLABS_Cert_Blocklist_030012F134E64347669F3256C7D050C5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6d973548-cab8-5c36-b2a0-5323663a2826" + id = "1e61a781-d5fb-5f05-81c4-3cc697ece13c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6790-L6806" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1a55856bfa4c632b2b0404686dc7ba5e7238b619dd4d2eb68c3d291bc86e52c4" + logic_hash = "1a55856bfa4c632b2b0404686dc7ba5e7238b619dd4d2eb68c3d291bc86e52c4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41867,13 +41867,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fa3Dcac19B884B44Ef4F81541184D6B0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b5efea26-c8b2-5273-b9c2-59451c9153e9" + id = "574ee0d4-ba7c-5c74-b711-222f92196f4a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6808-L6826" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_324de84cb8c2f5402c9326749e3456e11312828df2523954fd84f7fb3298fdf3" + logic_hash = "324de84cb8c2f5402c9326749e3456e11312828df2523954fd84f7fb3298fdf3" score = 75 quality = 90 tags = "INFO, FILE" @@ -41892,13 +41892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0E6F4Cb8B06E01C3Bd296Ace3A95F814 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df6abd9b-ca8b-54bc-8749-5979618dd991" + id = "7a829a63-eeb4-50ef-829d-fc13572c1148" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6828-L6844" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f3184a9d1fe2a1cf2dcc04d26c284aa9a651d2f00aa28642d7f951550a050138" + logic_hash = "f3184a9d1fe2a1cf2dcc04d26c284aa9a651d2f00aa28642d7f951550a050138" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41917,13 +41917,13 @@ rule REVERSINGLABS_Cert_Blocklist_085B70224253486624Fc36Fa658A1E32 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0a6afccd-bfaa-554b-9eaa-78da192fb6ee" + id = "7d27604e-4ecd-559c-9180-4914e7f1f6c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6846-L6862" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_50ff48a421a109f8c6bf92032691d9b673945bc591005004ff17dc18c97d4aea" + logic_hash = "50ff48a421a109f8c6bf92032691d9b673945bc591005004ff17dc18c97d4aea" score = 75 quality = 90 tags = "INFO, FILE" @@ -41942,13 +41942,13 @@ rule REVERSINGLABS_Cert_Blocklist_51Cd5393514F7Ace2B407C3Dbfb09D8D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0c0f003d-cd67-5de7-961b-a9be194cf9a1" + id = "ac86893f-2edd-5f1c-96eb-4cb140e8e001" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6864-L6880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4cd08b9113a7c1f4f2d438ac59ad0be503daded3a08b8c8e8ce3e0dfdddf259e" + logic_hash = "4cd08b9113a7c1f4f2d438ac59ad0be503daded3a08b8c8e8ce3e0dfdddf259e" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -41967,13 +41967,13 @@ rule REVERSINGLABS_Cert_Blocklist_B72179C027B9037Ee220E81Ab18Fe56D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2af1644b-568a-5107-97e7-c3c3d025766a" + id = "85639e74-80b0-59c6-b31b-5b3d9587b37a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6882-L6900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1416768011ff824307d112bdeecce1ad50d1f673e92bef8fddbbeb58ff98b1b1" + logic_hash = "1416768011ff824307d112bdeecce1ad50d1f673e92bef8fddbbeb58ff98b1b1" score = 75 quality = 90 tags = "INFO, FILE" @@ -41992,13 +41992,13 @@ rule REVERSINGLABS_Cert_Blocklist_07B74C70C4Aa092648B7F0D1A8A3A28F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2601f8bb-e6bf-5671-93c5-231e84031109" + id = "f941b7d6-f168-57aa-881a-54679a2b948c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6902-L6918" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_97759fa2e519936115f0493e251f9abc0cce3ada437776a5a370388512235491" + logic_hash = "97759fa2e519936115f0493e251f9abc0cce3ada437776a5a370388512235491" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42017,13 +42017,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C8Def294478B7D59Ee95C61Fae3D965 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8efb6f0e-2465-5ec6-b76e-6ce2d8e17477" + id = "549249df-690c-5b75-ac1a-77b509c9e163" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6920-L6936" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3b7b10afa5f0212bd494ba8fe32bef18f2bbd77c8ab2ad498b9557a0575cc177" + logic_hash = "3b7b10afa5f0212bd494ba8fe32bef18f2bbd77c8ab2ad498b9557a0575cc177" score = 75 quality = 90 tags = "INFO, FILE" @@ -42042,13 +42042,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D36Cbb64Bc9Add17Ba71737D3Ecceca : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8f00c4b7-856d-562f-9729-75006a919a18" + id = "ce10840c-150d-5ecd-ab9a-7bc96092ebfd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6938-L6954" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5874860582ed5be6908dca38e6ecae831eeeb0c2b768e8065ada9fd5ac2bda89" + logic_hash = "5874860582ed5be6908dca38e6ecae831eeeb0c2b768e8065ada9fd5ac2bda89" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42067,13 +42067,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ad255D4Ebefa751F3782587396C08629 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e5d743e6-c7a3-5c5b-a6cf-33bf6f0ce105" + id = "e42d2881-efda-5aa0-b455-dabbd3a77e97" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6956-L6974" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_43f44cbedf37094416628c9df23767be3b036519f93222812597777a146ecb24" + logic_hash = "43f44cbedf37094416628c9df23767be3b036519f93222812597777a146ecb24" score = 75 quality = 90 tags = "INFO, FILE" @@ -42092,13 +42092,13 @@ rule REVERSINGLABS_Cert_Blocklist_262Ca7Ae19D688138E75932832B18F9D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6de10413-2adc-5eb8-a5fe-acb05a26e25b" + id = "7151fd62-7f6c-59d7-800b-65e5b4db279b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6976-L6992" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a5bb946c6199cd47a087ac26f0a996261318d1830191ea7c0e7797ff03984558" + logic_hash = "a5bb946c6199cd47a087ac26f0a996261318d1830191ea7c0e7797ff03984558" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42117,13 +42117,13 @@ rule REVERSINGLABS_Cert_Blocklist_59A57E8Ba3Dcf2B6F59981Fda14B03 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0fc1fb74-a611-507a-a17a-c01e7c84fd83" + id = "12c80895-57fd-5341-b3ef-d59c25d4c234" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L6994-L7010" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6e77c7d0bd7e5e9bc8880cc6ffc3f5f4f738e3dde22c270ad7a6f6672a99de53" + logic_hash = "6e77c7d0bd7e5e9bc8880cc6ffc3f5f4f738e3dde22c270ad7a6f6672a99de53" score = 75 quality = 90 tags = "INFO, FILE" @@ -42142,13 +42142,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aebe117A13B8Bca21685Df48C74F584D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "23642318-b818-541d-ac1c-14ec4f2cbaf5" + id = "ec525737-9770-585e-922a-43f14e0a4a37" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7012-L7030" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e7fbc1f32adec39c94dc046933e152cd6d3946da4a168306484b7b6bc7f26fb6" + logic_hash = "e7fbc1f32adec39c94dc046933e152cd6d3946da4a168306484b7b6bc7f26fb6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42167,13 +42167,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Dcd19A94535F034Ee36Af4676740633 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "071c2510-f192-5641-996e-ad37b46b1e05" + id = "c09778b6-17c9-5b24-8977-1bd998083c23" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7032-L7048" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7079d4f1973ad4de21e1f88282c94b11c4d63f8bad12b35ef76a481e154d9da3" + logic_hash = "7079d4f1973ad4de21e1f88282c94b11c4d63f8bad12b35ef76a481e154d9da3" score = 75 quality = 90 tags = "INFO, FILE" @@ -42192,13 +42192,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ca4822E6905Aa4Fca9E28523F04F14A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ec232099-a3ae-51e0-8f89-05b89abfc76f" + id = "004454a0-20f9-58f5-8c24-8097f7586c5b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7050-L7068" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9633f3494e9ece3a698d47c5ba2b7ee7f82cee4be36ac418c969c36285c4963c" + logic_hash = "9633f3494e9ece3a698d47c5ba2b7ee7f82cee4be36ac418c969c36285c4963c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42217,13 +42217,13 @@ rule REVERSINGLABS_Cert_Blocklist_24C1Ef800F275Ab2780280C595De3464 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a2cdb857-e4ea-516f-b7a3-68d910b6eff5" + id = "251212a5-95ce-5d9f-aec0-e6d3dd099349" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7070-L7086" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7536ec92f388234bea3b33bee4af52e0e0ce9cd86b1c8321a503f70bfe5faa76" + logic_hash = "7536ec92f388234bea3b33bee4af52e0e0ce9cd86b1c8321a503f70bfe5faa76" score = 75 quality = 90 tags = "INFO, FILE" @@ -42242,13 +42242,13 @@ rule REVERSINGLABS_Cert_Blocklist_6401831B46588B9D872B02076C3A7B00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4cc51dd8-afb9-562e-8fd2-4bc3ecf5eae6" + id = "61b67e68-9e15-5848-b12a-437a0ad8399e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7088-L7104" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cb84b27391fa0260061bc5444039967e83f2134f7b56f9cccf6a421d4a65a577" + logic_hash = "cb84b27391fa0260061bc5444039967e83f2134f7b56f9cccf6a421d4a65a577" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42267,13 +42267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A01A91Cce63Ede5Eaa3Dac4883Aea05 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "119ceb6b-e993-5996-a81b-9ef445880bd8" + id = "a1efbce8-3cca-5e07-a652-d67007c72a18" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7106-L7122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_58a26b44e485814fa645bfa490f3442745884026bb7a70327d4f51645ad3f69c" + logic_hash = "58a26b44e485814fa645bfa490f3442745884026bb7a70327d4f51645ad3f69c" score = 75 quality = 90 tags = "INFO, FILE" @@ -42292,13 +42292,13 @@ rule REVERSINGLABS_Cert_Blocklist_54Cd7Ae1C27F1421136Ed25088F4979A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d59e680a-c103-50b1-aae6-29fd19b36d29" + id = "76999ae0-966e-5c52-8e00-a3af8afd8fae" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7124-L7140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c7cd84a225216ff1464a147c2572de2b0a2f69f7a315cdebef5ad2bab843b72a" + logic_hash = "c7cd84a225216ff1464a147c2572de2b0a2f69f7a315cdebef5ad2bab843b72a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42317,13 +42317,13 @@ rule REVERSINGLABS_Cert_Blocklist_F2D693Aad63E6920782A0027Dfc97D91 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f23c393d-66df-5995-beef-2c35b0e005d4" + id = "c4876bdd-35bc-5a3f-9f55-9a730e7ff5c8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7142-L7160" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8f29e65b39608518d16f708faef68db37b6e179c567819dccb6681adcec262e3" + logic_hash = "8f29e65b39608518d16f708faef68db37b6e179c567819dccb6681adcec262e3" score = 75 quality = 90 tags = "INFO, FILE" @@ -42342,13 +42342,13 @@ rule REVERSINGLABS_Cert_Blocklist_F8E8F6C92Ba666B0688A8Cacce9Acccf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d67c6d53-18b2-5bd5-827e-5c01e4bf551b" + id = "909d0ce9-406c-539f-9d0e-d7ab1b277ee3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7162-L7180" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_aa419bc044be55d4c94481998be4e9c0310416740084eb8376842cf5416d78bf" + logic_hash = "aa419bc044be55d4c94481998be4e9c0310416740084eb8376842cf5416d78bf" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42367,13 +42367,13 @@ rule REVERSINGLABS_Cert_Blocklist_E3D5089D4B8F01Aadce2731062Fb0Cce : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0086651c-e772-502f-bff3-2ded048cd26a" + id = "25df791f-1128-51f9-90da-9977262d00c7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7182-L7200" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7f10b86f156ccac695f480661dfea8bcc455477afd9575230c2f8510327d1996" + logic_hash = "7f10b86f156ccac695f480661dfea8bcc455477afd9575230c2f8510327d1996" score = 75 quality = 90 tags = "INFO, FILE" @@ -42392,13 +42392,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ed801843Fa001B8Add52D3A97B25931 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "24e20d47-6820-54f2-b87e-51cc3dee342d" + id = "7c685bb7-3201-5ffc-856b-657d824595ab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7202-L7218" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b7c9424520afe16bd4769e1be84163ac37b8fb37433931f2e362d90cacc01093" + logic_hash = "b7c9424520afe16bd4769e1be84163ac37b8fb37433931f2e362d90cacc01093" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42417,13 +42417,13 @@ rule REVERSINGLABS_Cert_Blocklist_D9E834182Dec62C654E775E809Ac1D1B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55d4d3b4-161f-5ba4-aff0-977e0f6d6e2d" + id = "30831e91-c2aa-50bc-a0e9-ee7574fc58f4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7220-L7238" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3d8075e34fa3dc221bc2abc2630a93f32efbdde6df270a77b1d6b64d8ce56133" + logic_hash = "3d8075e34fa3dc221bc2abc2630a93f32efbdde6df270a77b1d6b64d8ce56133" score = 75 quality = 90 tags = "INFO, FILE" @@ -42442,13 +42442,13 @@ rule REVERSINGLABS_Cert_Blocklist_801689896Ed339237464A41A2900A969 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a27d8232-38e3-55d2-9f84-88e037a06339" + id = "0ef4ce5c-b2a1-59e8-8d39-3cf7ab9fd0e1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7240-L7258" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a371092cbf5a1a0c8051ba2b4c9dd758d829a2f0c21c86d1920164a0ae7751e6" + logic_hash = "a371092cbf5a1a0c8051ba2b4c9dd758d829a2f0c21c86d1920164a0ae7751e6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42467,13 +42467,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Fd3661533Eef209153C9Afec3Ba4D8A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2b0380b4-af5a-5287-9538-d3692e26a194" + id = "e45d66b0-58ae-5054-b0a7-47a001daac7a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7260-L7276" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ce6c07b8ae54db03e4fa2739856a8d3dc2051c051a10c3c73501dad4296dde97" + logic_hash = "ce6c07b8ae54db03e4fa2739856a8d3dc2051c051a10c3c73501dad4296dde97" score = 75 quality = 90 tags = "INFO, FILE" @@ -42492,13 +42492,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ced87Bd70B092Cb93B182Fac32655F6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "483fa837-20b3-5dbc-8c45-9861bea04d6e" + id = "b9e6a35f-08c2-5f29-9bcf-07a3cddf0fbe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7278-L7294" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4e2c967b9502d9009c61831f019ba19367b866e898ca1246a1099d75ad0eb4d5" + logic_hash = "4e2c967b9502d9009c61831f019ba19367b866e898ca1246a1099d75ad0eb4d5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42517,13 +42517,13 @@ rule REVERSINGLABS_Cert_Blocklist_047801D5B55C800B48411Fd8C320Ca5B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "761cb2c1-6d64-5412-886c-7f0fe00a1edb" + id = "602b8c18-3dad-55b9-bb47-3f9835a049ac" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7296-L7312" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ef26b4e3c658f53f3048d10bd1b7a2a198cd402e1b7c60e84adadb4f236ccb5d" + logic_hash = "ef26b4e3c658f53f3048d10bd1b7a2a198cd402e1b7c60e84adadb4f236ccb5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -42542,13 +42542,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F0Ed5318848703405D40F7C62D0F39A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b4fce387-661c-54c1-b35a-b89f901bf0e1" + id = "30e3a977-caa3-5ae0-9cd0-6b2ce62ccebd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7314-L7330" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_484932ddfe614fd5ab22361ab281cda62803c98279f938aa5237237fae6a95d6" + logic_hash = "484932ddfe614fd5ab22361ab281cda62803c98279f938aa5237237fae6a95d6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42567,13 +42567,13 @@ rule REVERSINGLABS_Cert_Blocklist_4E7545C9Fc5938F5198Ab9F1749Ca31C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "46428d7a-661d-58bf-97fb-497a94bb98f2" + id = "d5f810ee-127a-5df0-9299-ffeaddf369ee" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7332-L7348" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f6be57eb6744ad6d239a0a2cc1ec8c39c9dfd4e4eeb3be9e699516c259f617f0" + logic_hash = "f6be57eb6744ad6d239a0a2cc1ec8c39c9dfd4e4eeb3be9e699516c259f617f0" score = 75 quality = 90 tags = "INFO, FILE" @@ -42592,13 +42592,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ddd3796A427B42F2E52D7C7Af0Ca54F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3753b9e7-a428-52a5-81cc-5152d7b5b864" + id = "5c2e1f5b-5ff7-51d7-9642-0a527856814c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7350-L7366" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_804ab8c44e5d97d8e14f852d61094e90d1e3ace66316781e9e79ab46fc7db8e7" + logic_hash = "804ab8c44e5d97d8e14f852d61094e90d1e3ace66316781e9e79ab46fc7db8e7" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42617,13 +42617,13 @@ rule REVERSINGLABS_Cert_Blocklist_03B27D7F4Ee21A462A064A17Eef70D6C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bc251583-4a5d-5325-aa8c-94acd1be5be2" + id = "9d32947c-778f-5e2d-b0b1-4a17a108035e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7368-L7384" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b303751e354c346f73368de94b66a960dd12efa0730d2ab14af743810669ac81" + logic_hash = "b303751e354c346f73368de94b66a960dd12efa0730d2ab14af743810669ac81" score = 75 quality = 90 tags = "INFO, FILE" @@ -42642,13 +42642,13 @@ rule REVERSINGLABS_Cert_Blocklist_B0A308Fc2E71Ac4Ac40677B9C27Ccbad : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5ee289f4-eb64-5887-8d15-767bf47fd2bd" + id = "7e13e257-a264-5a40-b670-889045504acf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7386-L7404" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_21fd7625399c939b6d03100b731709616d206a3811197af2b86991be9d89b4eb" + logic_hash = "21fd7625399c939b6d03100b731709616d206a3811197af2b86991be9d89b4eb" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42667,13 +42667,13 @@ rule REVERSINGLABS_Cert_Blocklist_61B11Ef9726Ab2E78132E01Bd791B336 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bfbbbbae-9cf9-536b-a9ce-a91bad4b4f52" + id = "573a024e-11f0-5cf9-8f0d-a946cdca34c5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7406-L7422" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1a8e72f31039a5a5602d0314f017a2596a23e4a796dc66167dfefc0c9790e3e3" + logic_hash = "1a8e72f31039a5a5602d0314f017a2596a23e4a796dc66167dfefc0c9790e3e3" score = 75 quality = 90 tags = "INFO, FILE" @@ -42692,13 +42692,13 @@ rule REVERSINGLABS_Cert_Blocklist_8Fe807310D98357A59382090634B93F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "51470200-7dca-5c81-8174-83d8dfe5fad6" + id = "690e7919-0344-5bd1-849f-e7bfe2f19276" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7424-L7442" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0ec56bd4783c854efef863050ff729fd99efa98b7b19e04e56a080ee3e75cd90" + logic_hash = "0ec56bd4783c854efef863050ff729fd99efa98b7b19e04e56a080ee3e75cd90" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42717,13 +42717,13 @@ rule REVERSINGLABS_Cert_Blocklist_B97F66Bb221772Dc07Ef1D4Bed8F6085 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "912d2a87-6b24-5565-906c-dfc8183e69da" + id = "c83918d8-fe90-59dc-8f4e-0e7b10238780" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7444-L7462" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_794dc27ff9b2588d3f2c31cdb83e53616c604aa41da7d8c895034e1cf9da5dd8" + logic_hash = "794dc27ff9b2588d3f2c31cdb83e53616c604aa41da7d8c895034e1cf9da5dd8" score = 75 quality = 90 tags = "INFO, FILE" @@ -42742,13 +42742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fed006Fbf85Cd1C6Ba6B4345B198E1E6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e33e1257-5f4c-57bb-81ae-ef95c80c87d4" + id = "ab84282d-9c35-5e52-a117-1d85c03cc6f4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7464-L7482" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0360c6760f1018f9388ef5639ab2306879134f33da12677f954fa31b8a71aa16" + logic_hash = "0360c6760f1018f9388ef5639ab2306879134f33da12677f954fa31b8a71aa16" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42767,13 +42767,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa28C9Bd16D9D304F18Af223B27Bfa1E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6b467480-7e8a-58c3-9f29-762013c630f2" + id = "facb8bba-a8cc-5b2a-9ef6-ba290cbf9b24" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7484-L7502" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_feaa8d645eea46c7cbbba4ba86c92184df7515a50f1f905ab818c59079a0c96a" + logic_hash = "feaa8d645eea46c7cbbba4ba86c92184df7515a50f1f905ab818c59079a0c96a" score = 75 quality = 90 tags = "INFO, FILE" @@ -42792,13 +42792,13 @@ rule REVERSINGLABS_Cert_Blocklist_19Beff8A6C129663E5E8C18953Dc1F67 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ace301b4-39ca-56d9-b308-734dc724c9ca" + id = "300d9e11-9283-500e-9716-5b628ef41853" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7504-L7520" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0ec031c781ebad7447cfc53ce791aacc8f24e38f039c84e2ee547de64729ae76" + logic_hash = "0ec031c781ebad7447cfc53ce791aacc8f24e38f039c84e2ee547de64729ae76" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42817,13 +42817,13 @@ rule REVERSINGLABS_Cert_Blocklist_029685Cda1C8233D2409A31206F78F9F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f3c15b8b-1cc8-55e4-b244-f41ae10598fe" + id = "f7894a48-459b-574f-9df3-8505578de42b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7522-L7538" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d541ce73e5039541ea221f27cc4d033f0c477e41a148206c26cc39ae07c4caaa" + logic_hash = "d541ce73e5039541ea221f27cc4d033f0c477e41a148206c26cc39ae07c4caaa" score = 75 quality = 90 tags = "INFO, FILE" @@ -42842,13 +42842,13 @@ rule REVERSINGLABS_Cert_Blocklist_D609B6C95428954A999A8A99D4F198Af : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5d607298-89f6-5d2a-998b-9fbddb3de942" + id = "4ce9b2ce-5dda-5741-bd29-cadae44c3b28" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7540-L7558" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a124f80d599051ecd7c17e6818d181ea018db14c9f0514bbcc5b677ba3656d65" + logic_hash = "a124f80d599051ecd7c17e6818d181ea018db14c9f0514bbcc5b677ba3656d65" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42867,13 +42867,13 @@ rule REVERSINGLABS_Cert_Blocklist_D3356318924C8C42959Bf1D1574E6482 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "18728003-5574-55f3-815d-0db5a9f4fee0" + id = "36b12300-6535-5644-9145-9f532b49a421" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7560-L7578" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a672054a776d0715fc888578bcb559d24ef54b4c523f7d49a39ded2586c3140a" + logic_hash = "a672054a776d0715fc888578bcb559d24ef54b4c523f7d49a39ded2586c3140a" score = 75 quality = 90 tags = "INFO, FILE" @@ -42892,13 +42892,13 @@ rule REVERSINGLABS_Cert_Blocklist_31D852F5Fca1A5966B5Ed08A14825C54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f4a33ae2-d2d7-5018-9a0a-6c77c831b1f4" + id = "362a6eb7-f49e-502b-9870-522aea13e04b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7580-L7596" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8c98b856d53e6862e94042bb133f5739bddcec2e208e43961b23e244584c6ee4" + logic_hash = "8c98b856d53e6862e94042bb133f5739bddcec2e208e43961b23e244584c6ee4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42917,13 +42917,13 @@ rule REVERSINGLABS_Cert_Blocklist_17D99Cc2F5B29522D422332E681F3E18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "54e13971-67ad-5c8a-8e5a-99266e2e95fe" + id = "0d0a58a4-353d-51f9-a739-a135d77357c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7598-L7614" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_55cc1634cdc5209d68b98fdb0d9e97e0a34346cdcb10f243d13217cda01195f1" + logic_hash = "55cc1634cdc5209d68b98fdb0d9e97e0a34346cdcb10f243d13217cda01195f1" score = 75 quality = 90 tags = "INFO, FILE" @@ -42942,13 +42942,13 @@ rule REVERSINGLABS_Cert_Blocklist_6A568F85De2061F67Ded98707D4988Df : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "44810935-f0a4-5962-a1de-55553621d466" + id = "962c3096-2c3d-5137-9637-b45d00b2ee9b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7616-L7632" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_793be308a4df55c3b325e1ee3185159c4155f6dfabc311216d3763bd43680bd4" + logic_hash = "793be308a4df55c3b325e1ee3185159c4155f6dfabc311216d3763bd43680bd4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -42967,13 +42967,13 @@ rule REVERSINGLABS_Cert_Blocklist_038Fc745523B41B40D653B83Aa381B80 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3954b7a9-b19f-513f-b7f4-9f1a0eeb8bb8" + id = "3f7f9d58-3a7a-5f84-bf6e-795a9c8bcd38" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7634-L7650" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_016ca6dcb5c7c56c80e4486b84d97fb3869a959ef3e8392e4376a0a0de06092f" + logic_hash = "016ca6dcb5c7c56c80e4486b84d97fb3869a959ef3e8392e4376a0a0de06092f" score = 75 quality = 90 tags = "INFO, FILE" @@ -42992,13 +42992,13 @@ rule REVERSINGLABS_Cert_Blocklist_30Af0D0E6D8201A5369664C5Ebbb010F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cdb7da47-0e0b-58b6-9abe-c355bb8ae9f8" + id = "aaa31642-a0f4-5652-b3cd-c81cfb1ab127" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7652-L7668" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_018e5a0fbeeaded2569b83e2f91230e0055a5ffa2059b7a064a5c2eda55ed2de" + logic_hash = "018e5a0fbeeaded2569b83e2f91230e0055a5ffa2059b7a064a5c2eda55ed2de" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43017,13 +43017,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ac0A7B9420B369Af3Ddb748385B981 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e400c27f-bf0d-535c-839f-11eff4c05d0f" + id = "82d6c0f5-80d1-5003-a5c9-9eadd9654460" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7670-L7688" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2bc31eaa64be487cb85873a64b7462d90d1c28839def070ce5db7ae555383421" + logic_hash = "2bc31eaa64be487cb85873a64b7462d90d1c28839def070ce5db7ae555383421" score = 75 quality = 90 tags = "INFO, FILE" @@ -43042,13 +43042,13 @@ rule REVERSINGLABS_Cert_Blocklist_C167F04B338B1E8747B92C2197403C43 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b7d933c6-7472-5235-82d4-7420523b95ae" + id = "0bf561ac-0283-557f-a685-4603e2b58273" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7690-L7708" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8e0a11efc739baefe23a3d77e4eefc9dc23c74821c91fc219822dbc5dbb468b1" + logic_hash = "8e0a11efc739baefe23a3d77e4eefc9dc23c74821c91fc219822dbc5dbb468b1" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43067,13 +43067,13 @@ rule REVERSINGLABS_Cert_Blocklist_9272607Cfc982B782A5D36C4B78F5E7B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "57378d08-6fcb-5174-a133-61ed5f8f9bd4" + id = "e3ad8f20-d12f-54e9-a6da-7aad28a10287" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7710-L7728" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2b1d6f27fb513542589a5c9011e501a9d298282bba6882eac0fc7bf3e6ebb291" + logic_hash = "2b1d6f27fb513542589a5c9011e501a9d298282bba6882eac0fc7bf3e6ebb291" score = 75 quality = 90 tags = "INFO, FILE" @@ -43092,13 +43092,13 @@ rule REVERSINGLABS_Cert_Blocklist_45Eb9187A2505D8E6C842E6D366Ad0C8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9b2481d7-736e-59be-b998-43d02c38c65c" + id = "1b8390aa-16b9-558b-aee8-e30fc7100af4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7730-L7746" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4ae755e814ae2488d4bd6b8136ab6d78e4809a2ddacb7f88cf1d2b64c1488898" + logic_hash = "4ae755e814ae2488d4bd6b8136ab6d78e4809a2ddacb7f88cf1d2b64c1488898" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43117,13 +43117,13 @@ rule REVERSINGLABS_Cert_Blocklist_56Fff139Df5Ae7E788E5D72196Dd563A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a20aba17-47b3-55cf-ae9b-a7e3018d53e6" + id = "4f34fd37-908c-573c-ba53-5ab622589e88" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7748-L7764" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4b58c83901605d8b43519f1bc2d4ac8dc10c794f027681378b2bee2a8ff81604" + logic_hash = "4b58c83901605d8b43519f1bc2d4ac8dc10c794f027681378b2bee2a8ff81604" score = 75 quality = 90 tags = "INFO, FILE" @@ -43142,13 +43142,13 @@ rule REVERSINGLABS_Cert_Blocklist_E161F76Da3B5E4623892C8E6Fda1Ea3D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9dea3f43-78f2-5463-bcbf-df2fe8444b66" + id = "386c81ef-87aa-514e-81d7-dddfb90e0dc2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7766-L7784" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_883545593b48aa11c11f7fa1a1f77c62321ea86067f1ed108dcd00c8c6cd3495" + logic_hash = "883545593b48aa11c11f7fa1a1f77c62321ea86067f1ed108dcd00c8c6cd3495" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43167,13 +43167,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Ae5B177Ac3A7Ce2Aadf1C891B574924 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "09f43ef4-6a6d-5fd1-bdf5-068c88fad28e" + id = "c72b8b2a-3e49-5ac3-ab4d-55b86ce7f061" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7786-L7804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_03ac299459a1aaf2e4a2e62884cd321e16100fee78b4b0e271acdd8a4e32525c" + logic_hash = "03ac299459a1aaf2e4a2e62884cd321e16100fee78b4b0e271acdd8a4e32525c" score = 75 quality = 90 tags = "INFO, FILE" @@ -43192,13 +43192,13 @@ rule REVERSINGLABS_Cert_Blocklist_A03Ea3A4Fa772B17037A0B80F1F968Aa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9952dd19-b161-5c61-a7e9-7447e67a8919" + id = "cbc0c6ca-fab2-531e-b368-4d3fdc72509f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7806-L7824" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e2044c6ddb80f3add13dfc3b623d0460ce8e9a66c5a98582f80d906edbbbd829" + logic_hash = "e2044c6ddb80f3add13dfc3b623d0460ce8e9a66c5a98582f80d906edbbbd829" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43217,13 +43217,13 @@ rule REVERSINGLABS_Cert_Blocklist_333Ca7D100B139B0D9C1A97Cb458E226 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "497527ff-24bc-5f47-8732-78d675ca438a" + id = "c2c32499-4b0d-51ad-a10e-1ddd7218df84" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7826-L7842" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b3a31a54132fd8ca2c11b7806503207a4197f16af78693387bac56879b5e1448" + logic_hash = "b3a31a54132fd8ca2c11b7806503207a4197f16af78693387bac56879b5e1448" score = 75 quality = 90 tags = "INFO, FILE" @@ -43242,13 +43242,13 @@ rule REVERSINGLABS_Cert_Blocklist_9245D1511923F541844Faa3C6Bfebcbe : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9202c913-a805-56bf-9965-80feb9c8e420" + id = "7d4033b8-da1d-55f5-aa80-f96636650633" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7844-L7862" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b965e897b42c39841e663cc144cf6e4a81fc9bcb64ce3a15a7ca021e95866b08" + logic_hash = "b965e897b42c39841e663cc144cf6e4a81fc9bcb64ce3a15a7ca021e95866b08" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43267,13 +43267,13 @@ rule REVERSINGLABS_Cert_Blocklist_2888Cf0F953A4A3640Ee4Cfc6304D9D4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "407aac59-d305-59a7-8e92-59e7f34adf09" + id = "75ec52c5-4c59-51d8-bd9b-928c75d3521a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7864-L7880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a9ee8534d89b8ac8705bb1777718513a28e4531ed398f482f46a72f2760af161" + logic_hash = "a9ee8534d89b8ac8705bb1777718513a28e4531ed398f482f46a72f2760af161" score = 75 quality = 90 tags = "INFO, FILE" @@ -43292,13 +43292,13 @@ rule REVERSINGLABS_Cert_Blocklist_C8Edcfe8Be174C2F204D858C5B91Dea5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "702f3959-4902-53ba-a614-ac6b9b6a7bbf" + id = "92baa26f-1352-53ed-bb9f-0a632e471dd5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7882-L7900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b3e6927abfce69548374bfd430a3ae3a1c5a8d05f0f40e43091b4d12025c5b1a" + logic_hash = "b3e6927abfce69548374bfd430a3ae3a1c5a8d05f0f40e43091b4d12025c5b1a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43317,13 +43317,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Faf8705A3Eaef9340800Cc4Fd38597C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f888f349-cc02-513b-b4f8-6b3d84ec0c9d" + id = "d2988928-4ef3-56bf-a407-f735756c7f81" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7902-L7920" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_66a340f169e401705ba229d2d4548cef1a57bf1d2d320b108d12b2049b063b92" + logic_hash = "66a340f169e401705ba229d2d4548cef1a57bf1d2d320b108d12b2049b063b92" score = 75 quality = 90 tags = "INFO, FILE" @@ -43342,13 +43342,13 @@ rule REVERSINGLABS_Cert_Blocklist_0940Fa9A4080F35052B2077333769C2F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "88f81b92-a692-51d1-aa24-678d4d737149" + id = "358391b7-649b-5792-b4bd-d97b388c5d12" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7922-L7938" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_45636ea33751fea61572539fe6f28bccd05df9b6b9e7f2d77bb738f7c69c53a2" + logic_hash = "45636ea33751fea61572539fe6f28bccd05df9b6b9e7f2d77bb738f7c69c53a2" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -43367,13 +43367,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ea720222D92Dc8D48E3B3C3B0Fc360A6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d318623b-67f0-5e89-b241-e2330f4433fb"
+ id = "8415406b-ede8-5404-8208-34eb649f7325"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7940-L7958"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c60e1ccf178f03f930a3bc41e9a92be20df0362f067ed1fcfc7c93627a056d75"
+ logic_hash = "c60e1ccf178f03f930a3bc41e9a92be20df0362f067ed1fcfc7c93627a056d75"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43392,13 +43392,13 @@ rule REVERSINGLABS_Cert_Blocklist_4743E140C05B33F0449023946Bd05Acb : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "72753fbf-e9b7-525c-894f-e960080736cd"
+ id = "f783bad3-f350-5a74-8e3f-5b7220e4de8f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7960-L7976"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_69ce1512d7df4926ee2b470b18fbe51a2aa81e07b37b2536617d6353045e0d19"
+ logic_hash = "69ce1512d7df4926ee2b470b18fbe51a2aa81e07b37b2536617d6353045e0d19"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43417,13 +43417,13 @@ rule REVERSINGLABS_Cert_Blocklist_A496Bc774575C31Abec861B68C36Dcb6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "272be425-6aec-5075-b3a8-739922e8597d"
+ id = "51941c0d-a7a1-5c17-bef8-290e5db66fb7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7978-L7996"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f82214f982c9972e547f77966c44e935e9de701cc9108ceca34a4fede850d243"
+ logic_hash = "f82214f982c9972e547f77966c44e935e9de701cc9108ceca34a4fede850d243"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43442,13 +43442,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A55C15F733Bf1633E9Ffae8A6E3B37D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "849d3fa9-4cb9-5445-9b2a-d6ce5e231416"
+ id = "32cefe84-b305-5542-a5d3-1832dcbf6d61"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L7998-L8014"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_89ca9f1c5cf0b029748528d8c5bb65f89ee05877bfdc13b4ce3d2d3e7feafb5d"
+ logic_hash = "89ca9f1c5cf0b029748528d8c5bb65f89ee05877bfdc13b4ce3d2d3e7feafb5d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43467,13 +43467,13 @@ rule REVERSINGLABS_Cert_Blocklist_C650Ae531100A91389A7F030228B3095 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e5eef96b-65d1-55b6-80ed-c3dc1ced8d0a"
+ id = "5d506480-96ca-5e71-9fb2-185b2f8ddc6c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8016-L8034"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_186b66283491cfebcaade57b1010ce4304c08ddb131153984210c2c7025961aa"
+ logic_hash = "186b66283491cfebcaade57b1010ce4304c08ddb131153984210c2c7025961aa"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43492,13 +43492,13 @@ rule REVERSINGLABS_Cert_Blocklist_3990362C34015Ce4C23Ecc3377Fd3C06 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6371f3d4-7afb-55d9-94f0-6afcb7260214"
+ id = "453b5da2-ae26-5005-8a56-1105a960fde6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8036-L8052"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0625800fcb166b56cab2e16d0d757983a6f880b68627ed8c3c38419dd9a32999"
+ logic_hash = "0625800fcb166b56cab2e16d0d757983a6f880b68627ed8c3c38419dd9a32999"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43517,13 +43517,13 @@ rule REVERSINGLABS_Cert_Blocklist_121Fca3Cfa4Bd011669F5Cc4E053Aa3F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2e4ba9f0-2a1f-5c0a-a59e-73eeaa98b4c1"
+ id = "ebc47e1e-e6fe-581c-86b3-22e2e67a0b81"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8054-L8070"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1edd5be3f970202be15080cd7ef19c0cce7fcba73cb6120d7cb7d518e877cf85"
+ logic_hash = "1edd5be3f970202be15080cd7ef19c0cce7fcba73cb6120d7cb7d518e877cf85"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43542,13 +43542,13 @@ rule REVERSINGLABS_Cert_Blocklist_D338F8A490E37E6C2Be80A0E349929Fa : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "05925b7d-d54c-5e2e-b86c-0466d3d56b0e"
+ id = "93ca450e-7278-5c6c-aba8-e90728570e0c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8072-L8090"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_39d9695803e96508b5ad12a7d9f8b65d13288dbe94b21a4952e096dd576e11ce"
+ logic_hash = "39d9695803e96508b5ad12a7d9f8b65d13288dbe94b21a4952e096dd576e11ce"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43567,13 +43567,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C1Ee9B583310B5E34A1Ee6945A34B26 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1ccc0dfe-5436-5bde-9243-5a70cc748946"
+ id = "70fc063e-f032-5e63-ae53-65a25d5a29c3"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8092-L8108"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7752e49e8848863d78c5de03c3d194498765d80da00a84c5164c7a9010d13474"
+ logic_hash = "7752e49e8848863d78c5de03c3d194498765d80da00a84c5164c7a9010d13474"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43592,13 +43592,13 @@ rule REVERSINGLABS_Cert_Blocklist_D875B3E3F2Db6C3Eb426E24946066111 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0157634c-26ee-5caf-a9bd-b741c293040c"
+ id = "4aedeb77-181b-5422-bec4-93c84412bae4"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8110-L8128"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9e181271d46c828b9ec266331e077b3b4891a193c71173447da383fad91ae878"
+ logic_hash = "9e181271d46c828b9ec266331e077b3b4891a193c71173447da383fad91ae878"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43617,13 +43617,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ad0A958Cdf188Bed43154A54Bf23Afba : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "24e8cf1c-d69b-5200-aeab-ee99cd82c349"
+ id = "183d9d02-885b-5f2f-b455-dd72af7bc5a6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8130-L8148"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_07e53e59f90aa3cd3a98dbca2627672606f6c6f8f3bda8456e32122463729c4b"
+ logic_hash = "07e53e59f90aa3cd3a98dbca2627672606f6c6f8f3bda8456e32122463729c4b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43642,13 +43642,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Cee26C125B8C188F316C3Fa78D9C2F1 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "8d6f8d4e-b7ff-508c-aa36-8a0b296d5bb0"
+ id = "79989b9b-60e4-577d-97e2-cb447c38baf3"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8150-L8166"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5c64f8e40c31822ce8d2e34f96ccc977085e429f0c068a5f6b44099117837de1"
+ logic_hash = "5c64f8e40c31822ce8d2e34f96ccc977085e429f0c068a5f6b44099117837de1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43667,13 +43667,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C687A0022C36F89E253F91D1F6954E2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b8b8af69-a7f3-5fb0-9233-c78a432ac795"
+ id = "c45a2125-dd7c-5ff1-89a8-35cbe1d924d7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8168-L8184"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_287c0c7a25e33e0e7def6efa23dbd2efba7c4ac3aa8f5deb8568a60a95e08bbe"
+ logic_hash = "287c0c7a25e33e0e7def6efa23dbd2efba7c4ac3aa8f5deb8568a60a95e08bbe"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43692,13 +43692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ca646B4275406Df639Cf603756F63D77 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "251b669d-e2fe-565d-90b0-28890842e81a"
+ id = "b176b7f8-e3d1-593c-91c3-03e781f6ef7b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8186-L8204"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a690e3f6a656835984e47d999271fe441a5fbf424208da8d5b3c9ddcef47b70e"
+ logic_hash = "a690e3f6a656835984e47d999271fe441a5fbf424208da8d5b3c9ddcef47b70e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43717,13 +43717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Addbec454B5479Cabd940A72Df4500Af : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b2f37561-38bd-59c3-9b19-13ad83a706d1"
+ id = "f2488d44-5a9a-5ab6-be6f-f3444f72444a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8206-L8224"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_799629791646c524d170b900339b87474aed73b7156a8c4dd20f7c13cbe97929"
+ logic_hash = "799629791646c524d170b900339b87474aed73b7156a8c4dd20f7c13cbe97929"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43742,13 +43742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ac307E5257Bb814B818D3633B630326F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "863241ce-ecaa-5aff-bfb3-bd0b5ac8ea5e"
+ id = "c33d798a-854c-5fab-afbe-e94d142befa7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8226-L8244"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_10819bd2194fface6db812f8c6770c306c183386d2d9ba97467a5b55fd997194"
+ logic_hash = "10819bd2194fface6db812f8c6770c306c183386d2d9ba97467a5b55fd997194"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43767,13 +43767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0D83E7F47189Cdbfc7Fa3E5F58882329 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5a075334-2608-5dce-86dd-3f4cecf148ec"
+ id = "d6bda332-06fc-5b1a-99fb-fc9578dc5326"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8246-L8262"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b344f9fd6d8378b7d77a34b14c5f37eea253f3d13a8eb0777925f195fb3cf502"
+ logic_hash = "b344f9fd6d8378b7d77a34b14c5f37eea253f3d13a8eb0777925f195fb3cf502"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43792,13 +43792,13 @@ rule REVERSINGLABS_Cert_Blocklist_58Aa64564A50E8B2D6E31D5Cd6250Fde : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d6085b1b-ed30-508a-b4f1-88e165230881"
+ id = "00e096f6-2955-5936-9a75-f537c2da3621"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8264-L8280"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f6b50ebf707b67650fe832d81c6fe8d2411cd83432ef94432d181db0c29aa48b"
+ logic_hash = "f6b50ebf707b67650fe832d81c6fe8d2411cd83432ef94432d181db0c29aa48b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43817,13 +43817,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Aa0Ae245B487C8926C88Ee6D736D1Ca : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "302f4685-6b40-54b5-9e8c-27f07f10a385"
+ id = "d2d61fd7-2392-5d75-9c5b-4e4fddfc7a83"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8282-L8298"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5a362175600552983ae838ca18aa378dc748b8b68bd8b67a9387794d983ed1a2"
+ logic_hash = "5a362175600552983ae838ca18aa378dc748b8b68bd8b67a9387794d983ed1a2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43842,13 +43842,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Aec3D3F752A38617C1D7A677D0B5591 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "fea0592d-c3f2-561f-9e18-c08ea85e991a"
+ id = "02f2bf36-e573-502c-8ecc-843a6e627c2b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8300-L8316"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b299833a19944ca6943ba9c974ec95369c57cd61acc8b2e1b5310edd077762c2"
+ logic_hash = "b299833a19944ca6943ba9c974ec95369c57cd61acc8b2e1b5310edd077762c2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43867,13 +43867,13 @@ rule REVERSINGLABS_Cert_Blocklist_A7E1Dc5352C3852C5523030F57F2425C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "58488ca8-d1a5-54c0-bd78-57e6025cc819"
+ id = "a2795796-2897-55ad-936c-456c3b93bf14"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8318-L8336"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_79c42c9a4eeeb69a62a16590e2b0b63818785509a40d543c7efe27ec6baaa19e"
+ logic_hash = "79c42c9a4eeeb69a62a16590e2b0b63818785509a40d543c7efe27ec6baaa19e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43892,13 +43892,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bbd4Dc3768A51Aa2B3059C1Bad569276 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "28e4f24a-7973-5ffb-8223-c89ccf73351d"
+ id = "ee861c79-fea2-5931-873d-b76e5bdef593"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8338-L8356"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f336570834e0663c6e589fa22b3541f4f79c40ff945dd91f1fd1258a96adeceb"
+ logic_hash = "f336570834e0663c6e589fa22b3541f4f79c40ff945dd91f1fd1258a96adeceb"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43917,13 +43917,13 @@ rule REVERSINGLABS_Cert_Blocklist_08622B9Dd9D78E67678Ecc21E026522E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f186d873-7485-5d73-ac59-b91d986f66b3"
+ id = "66d942c7-ceb9-54e5-bccc-1adf641fd70e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8358-L8374"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_09507b09b035195b74434f56041588f67245fa097183228dffc612bb4901825b"
+ logic_hash = "09507b09b035195b74434f56041588f67245fa097183228dffc612bb4901825b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43942,13 +43942,13 @@ rule REVERSINGLABS_Cert_Blocklist_E69A6De0074Ece38C2F30F0D4A808456 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d2387e7e-d2af-5678-9b64-6c596ecda458"
+ id = "17571f1e-1dce-5216-8f45-467e5d77ccf1"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8376-L8394"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_21d8641d2394120847044f0e6f4d868095a1e30c0b594a3d045877ab9b3808a1"
+ logic_hash = "21d8641d2394120847044f0e6f4d868095a1e30c0b594a3d045877ab9b3808a1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43967,13 +43967,13 @@ rule REVERSINGLABS_Cert_Blocklist_8385684419Ab26A3F2640B1496E1Fe94 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "341e483e-73ae-52a4-a6ca-9337addea867"
+ id = "03e861a0-156e-5366-a312-dc2aa73b0393"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8396-L8414"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_24f75badc335160a8053a4c7e8bbd8ddbd3266c3a18059a937d5989df97ae9d9"
+ logic_hash = "24f75badc335160a8053a4c7e8bbd8ddbd3266c3a18059a937d5989df97ae9d9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -43992,13 +43992,13 @@ rule REVERSINGLABS_Cert_Blocklist_21E3Cae5B77C41528658Ada08509C392 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "730833d4-db48-5890-b44a-ae80c9e3ad71"
+ id = "fdb1903b-15c1-5cb7-892f-58957303d3b4"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8416-L8432"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2e24ed0bd0bf3c36cae4bf106a2c17386bfb58b76372068be9745c2d501f30fc"
+ logic_hash = "2e24ed0bd0bf3c36cae4bf106a2c17386bfb58b76372068be9745c2d501f30fc"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44017,13 +44017,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Abd2Eef14D480Dfea9Ca9Fdd823Cf03 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e8d0936e-8189-5f6f-a6ea-b4c034780854"
+ id = "d6cb1371-113d-5155-aed2-c575321f0973"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8434-L8450"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2dfc220c44d3dda28a253e5115ae9a087b6ddbf1a7ca1e9bcae5bd9ac5b2e1a0"
+ logic_hash = "2dfc220c44d3dda28a253e5115ae9a087b6ddbf1a7ca1e9bcae5bd9ac5b2e1a0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44042,13 +44042,13 @@ rule REVERSINGLABS_Cert_Blocklist_86909B91F07F9316984D888D1E28Ab76 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f2518af1-f3e2-5097-87aa-ba404b12ba83"
+ id = "3cde0016-14d8-5b3a-860e-f5128f899542"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8452-L8470"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_abd84492ed008125688a53e20d51780fa0b8c2309dcf751ff76a03d6f337beaa"
+ logic_hash = "abd84492ed008125688a53e20d51780fa0b8c2309dcf751ff76a03d6f337beaa"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44067,13 +44067,13 @@ rule REVERSINGLABS_Cert_Blocklist_D1B8F1Fe56381Befdb2E73Ffef2A4B28 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a1bc09ab-3a56-576d-9b2b-cb30ba0cae57"
+ id = "226371ea-670f-52f2-8dfc-78b30a29a5cc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8472-L8490"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c118cb46914e7a6df8dd33dd14d5f9cf2692d98311503ec850cc66f02c20839e"
+ logic_hash = "c118cb46914e7a6df8dd33dd14d5f9cf2692d98311503ec850cc66f02c20839e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44092,13 +44092,13 @@ rule REVERSINGLABS_Cert_Blocklist_D4Ef1Ab6Ab5D3Cb35E4Efb7984Def7A2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f2dbfdb3-6dd9-5b25-8ae5-81099d3edf90"
+ id = "41b2e05f-1dcd-5ebc-97da-275512deaf72"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8492-L8510"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ecc2f6bfda1a0afd016f0a5183c0d1cdfe5d5e06c893a7d9a3d7cb7f9bc4bf16"
+ logic_hash = "ecc2f6bfda1a0afd016f0a5183c0d1cdfe5d5e06c893a7d9a3d7cb7f9bc4bf16"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44117,13 +44117,13 @@ rule REVERSINGLABS_Cert_Blocklist_066276Af2F2C7E246D3B1Cab1B4Aa42E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a8423f22-a442-5500-b963-e511116dd148"
+ id = "97f791d5-7a73-5da7-984e-32bb94d0e83f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8512-L8528"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_30d4fa2cbc75d3a6258cdf0374159f25ea152c39784f8b7e9c461978df865dc0"
+ logic_hash = "30d4fa2cbc75d3a6258cdf0374159f25ea152c39784f8b7e9c461978df865dc0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44142,13 +44142,13 @@ rule REVERSINGLABS_Cert_Blocklist_65Cd323C2483668B90A44A711D2A6B98 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6a1059af-af43-5558-aaf9-2eaea84a4283"
+ id = "e2ed910d-2264-58c1-a1a0-3c131020a2cf"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8530-L8546"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_653aff6f3913f1bf51e90e7a835dbb5441457175797cefdddd234a6c2c0f11ad"
+ logic_hash = "653aff6f3913f1bf51e90e7a835dbb5441457175797cefdddd234a6c2c0f11ad"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44167,13 +44167,13 @@ rule REVERSINGLABS_Cert_Blocklist_5A17D5De74Fd8F09Df596Df3123139Bb : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "678a3c0c-64ab-5f00-86aa-ff1485e1d505"
+ id = "4a3ffa4a-c080-5d76-9655-010cde091ae2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8548-L8564"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7ed62740fe191d961ad32b2a79463cc9cbce557ea757e413860f7b4974904c03"
+ logic_hash = "7ed62740fe191d961ad32b2a79463cc9cbce557ea757e413860f7b4974904c03"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44192,13 +44192,13 @@ rule REVERSINGLABS_Cert_Blocklist_15Da61D7E1A631803431561674Fb9B90 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1ef26a79-29f9-519b-abbf-ea8618b184ef"
+ id = "07518dc2-bd6c-5a4c-b537-68f5a462cdc2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8566-L8582"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_75d2c3b47fe9c863812f2c98fc565af9050b909a03528e2ea4a96542a3ec0c0d"
+ logic_hash = "75d2c3b47fe9c863812f2c98fc565af9050b909a03528e2ea4a96542a3ec0c0d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44217,13 +44217,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ab21306B11Ff280A93Fc445876988Ab : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1a3b5130-8d6d-51d0-bb3b-69d97e65d28d"
+ id = "656bb2a6-bb41-5190-af10-280351e64c66"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8584-L8600"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0cda954aa807336a6737716d0fa43d696376c240ab7be9d8477baf8800604bf1"
+ logic_hash = "0cda954aa807336a6737716d0fa43d696376c240ab7be9d8477baf8800604bf1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44242,13 +44242,13 @@ rule REVERSINGLABS_Cert_Blocklist_634E16E38F12E9A71Aca08E4C6B2Dbb9 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "be400dee-54c0-54c1-a20a-9c4376c7cc2c"
+ id = "4aa7bea7-06fb-5d90-bac4-c8ca1ca5c02f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8602-L8618"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_08950f276e5cf3fe4b5f7421ba671dfd72585aac3bbed7868fdb0e5aa90ec10e"
+ logic_hash = "08950f276e5cf3fe4b5f7421ba671dfd72585aac3bbed7868fdb0e5aa90ec10e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44267,13 +44267,13 @@ rule REVERSINGLABS_Cert_Blocklist_289051A83F350A2C600187C99B6C0A73 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6b1b5584-d564-5e91-b131-d0f3a9ece262"
+ id = "55497d57-7d4f-50e1-85a6-e60786084e3f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8620-L8636"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cd5d6f95f0cfdbf8d37ea78d061ce00512b6cb7c899152b1640673494d539dd1"
+ logic_hash = "cd5d6f95f0cfdbf8d37ea78d061ce00512b6cb7c899152b1640673494d539dd1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44292,13 +44292,13 @@ rule REVERSINGLABS_Cert_Blocklist_818631110B5D14331Dac7E6Ad998B902 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b0a0e69a-2644-5526-890d-4c5982e94ed8"
+ id = "6a8f3abd-199c-5e2f-a60e-46e869831445"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8638-L8656"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5e0de3848adf933632c2eb8cf5ead61d6470237386ba8b48d57a278d99dba324"
+ logic_hash = "5e0de3848adf933632c2eb8cf5ead61d6470237386ba8b48d57a278d99dba324"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -44317,13 +44317,13 @@ rule REVERSINGLABS_Cert_Blocklist_277Cd16De5D61B9398B645Afe41C09C7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "27967cb8-6026-5f8f-8090-2aeca34d0004" + id = "d863faac-7b6e-5e1d-960f-8379347c6838" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8658-L8674" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_696467d699dec060b205f36f53dbe157b241823757d72798b35235d6530fd193" + logic_hash = "696467d699dec060b205f36f53dbe157b241823757d72798b35235d6530fd193" score = 75 quality = 90 tags = "INFO, FILE" @@ -44342,13 +44342,13 @@ rule REVERSINGLABS_Cert_Blocklist_D0Eda76C13D30C97015708790Bb94214 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "faa2e47c-3370-5de9-af17-a3f239ad1ba5" + id = "aa323bac-a9f5-560f-b44a-3cf2b26351bb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8676-L8694" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2112ebfb7c9ebbbccb20cefcd23bb49142da770feb16ee8eef5eb27646226785" + logic_hash = "2112ebfb7c9ebbbccb20cefcd23bb49142da770feb16ee8eef5eb27646226785" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44367,13 +44367,13 @@ rule REVERSINGLABS_Cert_Blocklist_6333Ed618F88A05B4D82Ad7Bf66Cb0Fa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e696c6fa-2cc4-5ac9-9119-09db0063cac4" + id = "c4d3603e-57e2-57df-a055-c43d449242c7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8696-L8712" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b088ac4b74a8cf3dddb67c8de2b7c3c5f537287a0454c0030c0eb4069c465c7d" + logic_hash = "b088ac4b74a8cf3dddb67c8de2b7c3c5f537287a0454c0030c0eb4069c465c7d" score = 75 quality = 90 tags = "INFO, FILE" @@ -44392,13 +44392,13 @@ rule REVERSINGLABS_Cert_Blocklist_3B777165B125Bccc181D0Bac3F5B55B3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ed7f7ee9-78ec-5336-b438-f30e6201789d" + id = "f065e99f-9cce-55cb-a592-60b89c26028a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8714-L8730" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_80aff3d6f45f5847d5d39b170b9d0e70168d02569ca6d86a2c39150399d290fc" + logic_hash = "80aff3d6f45f5847d5d39b170b9d0e70168d02569ca6d86a2c39150399d290fc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44417,13 +44417,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B37Ac3479283B6F9D75Ddf0F8742D06 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c440013d-942a-5056-911b-67b7c0389a82" + id = "cc124d3f-2446-57a2-a206-0a5e569fc703" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8732-L8748" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b7abd389ac31cd970e6611c7c303714fdd658f45d4857ad524f5e8368edbb875" + logic_hash = "b7abd389ac31cd970e6611c7c303714fdd658f45d4857ad524f5e8368edbb875" score = 75 quality = 90 tags = "INFO, FILE" @@ -44442,13 +44442,13 @@ rule REVERSINGLABS_Cert_Blocklist_3112C69D460C781Fd649C71E61Bfec82 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b6b1a06c-a014-55cf-9201-ea672531a63f" + id = "f4d2f240-49a7-51f3-8db1-1c569aa63177" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8750-L8766" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ed31b0a24d18a451163867f0f49df12af3ca0768f250ac8ce66d41405393130d" + logic_hash = "ed31b0a24d18a451163867f0f49df12af3ca0768f250ac8ce66d41405393130d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44467,13 +44467,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A5B4F67Ad8B22Afc2Debe6Ce5F8F679 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "14b2c6d6-7a44-5316-9653-c5bad26483b7" + id = "7dd5ba42-2d04-52d7-b15a-2bdba2e742fb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8768-L8784" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_938efb7ee19970484aded5cd46b2ff730f8882706bec3f062bdebde3cc9a4799" + logic_hash = "938efb7ee19970484aded5cd46b2ff730f8882706bec3f062bdebde3cc9a4799" score = 75 quality = 90 tags = "INFO, FILE" @@ -44492,13 +44492,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df45B36C9D0Bd248C3F9494E7Ca822 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "831ec8a5-9b0e-5409-a700-4db2eba0453e" + id = "d7d0d1c4-b341-5651-8179-4035f537ba98" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8786-L8804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9c03522376b0d807cd36a0641e474d770bc3b4f8221f26d232878d2d320d072b" + logic_hash = "9c03522376b0d807cd36a0641e474d770bc3b4f8221f26d232878d2d320d072b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44517,13 +44517,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ae3C4Eccecda2127D43Be390A850Dda : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cecfde0c-3737-5f70-a119-23d76c41f5d3" + id = "a9d8906b-64f6-5c5d-80e0-ab916e83b613" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8806-L8822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8a2ff4f7a5ac996127778b1670e79291bddcb5dee6e7da2b540fd254537ee27e" + logic_hash = "8a2ff4f7a5ac996127778b1670e79291bddcb5dee6e7da2b540fd254537ee27e" score = 75 quality = 90 tags = "INFO, FILE" @@ -44542,13 +44542,13 @@ rule REVERSINGLABS_Cert_Blocklist_2E36360538624C9B1Afd78A2Fb756028 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f30dbe31-50bc-5d0c-9adb-75b6e5f8e3d0" + id = "549a566b-0c94-516c-9231-a5e54136785f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8824-L8840" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9cbb50c7d383048fd506506fa9ee8bf7c6d82feaf21bcde4008ab99b82e234a7" + logic_hash = "9cbb50c7d383048fd506506fa9ee8bf7c6d82feaf21bcde4008ab99b82e234a7" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44567,13 +44567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Addb899F8229Fd53E6435E08Bbd3A733 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "302fbb48-ed03-5b04-b466-5165302af1a8" + id = "1e5f0577-ba05-5e43-a817-c75f65547c3d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8842-L8860" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ecb8e31b8c56b92cef601618e0adc2f6d88999318805b92389693aa9e8050d18" + logic_hash = "ecb8e31b8c56b92cef601618e0adc2f6d88999318805b92389693aa9e8050d18" score = 75 quality = 90 tags = "INFO, FILE" @@ -44592,13 +44592,13 @@ rule REVERSINGLABS_Cert_Blocklist_C1A1Db95D7Bf80290Aa6E82D8F8F996A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d470433f-0996-58a3-8d27-84e083231c3f" + id = "c04a2731-5eb8-5db4-9e88-cab9b61952e4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8862-L8880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_84c7c0e53facadcdfd752e9cf3811fbfd6aac4bef4109acf430a67b6dcd37bfc" + logic_hash = "84c7c0e53facadcdfd752e9cf3811fbfd6aac4bef4109acf430a67b6dcd37bfc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44617,13 +44617,13 @@ rule REVERSINGLABS_Cert_Blocklist_C667Ffe3A5B0A5Ae7Cf3A9E41682E91B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df9450a7-a3a1-5dd4-8877-1c75ba8f420a" + id = "83a5e5c2-0932-526b-80aa-800b37088bbd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8882-L8900" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_be2cd688f2d7c458ee764bd7a7250e0116328702db5585b444d631f05cdc701b" + logic_hash = "be2cd688f2d7c458ee764bd7a7250e0116328702db5585b444d631f05cdc701b" score = 75 quality = 90 tags = "INFO, FILE" @@ -44642,13 +44642,13 @@ rule REVERSINGLABS_Cert_Blocklist_E0A83917660D05Cf476374659D3C7B85 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7271b540-9fd0-58e9-9d5b-0a898cfb52a6" + id = "3387f396-01f7-58b1-a5bd-b308105c66d6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8902-L8920" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f60753ecb775d664e07e78611568799eaf06fb4742bcef3bf0c28202daf98c50" + logic_hash = "f60753ecb775d664e07e78611568799eaf06fb4742bcef3bf0c28202daf98c50" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44667,13 +44667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Afc5522898143Aafaab7Fd52304Cf00C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9213d2e1-dd3c-59e9-8c6a-f361b98f4ca5" + id = "016ad027-bd6a-58e0-9099-341b81dd6f70" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8922-L8940" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bfcf2fbbd9be97202eeb44c0f81f0a0713d4d30c466f2b170231c7f9df0e9e6d" + logic_hash = "bfcf2fbbd9be97202eeb44c0f81f0a0713d4d30c466f2b170231c7f9df0e9e6d" score = 75 quality = 90 tags = "INFO, FILE" @@ -44692,13 +44692,13 @@ rule REVERSINGLABS_Cert_Blocklist_8B3333D32B2C2A1D33B41Ba5Db9D4D2D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "06a8c9dd-8e8d-5bb6-ab02-736515352d87" + id = "f7f72cd2-0bf4-5aa7-804e-4ae354eda055" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8942-L8960" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cdb3f1983ed17df22d17c6321bc2ead2c391d70fdca4a9f6f4784f62196b85d0" + logic_hash = "cdb3f1983ed17df22d17c6321bc2ead2c391d70fdca4a9f6f4784f62196b85d0" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44717,13 +44717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fbb1198Bd8Bddb0D693Eb72A8613Fe3F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "28db12e1-979d-5ce3-97c3-98ef7e0e4cf2" + id = "f9983426-9f05-56e2-8ad0-1c5a48ab04be" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8962-L8980" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2e004116d0f8df5a625b190127655926336fc74b4cce4ae40cd516a135e5d719" + logic_hash = "2e004116d0f8df5a625b190127655926336fc74b4cce4ae40cd516a135e5d719" score = 75 quality = 90 tags = "INFO, FILE" @@ -44742,13 +44742,13 @@ rule REVERSINGLABS_Cert_Blocklist_846F77D9919Fc4405Aefe1701309Bd67 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7ac97a9f-926f-5c02-887c-e52af634b072" + id = "c326fbf0-2d95-5aa1-9ae4-6cb04b9c2212" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L8982-L9000" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6739049a61183d506daf9aaf44a3b15cbf2234c6af307ec95bc07fa3d8501105" + logic_hash = "6739049a61183d506daf9aaf44a3b15cbf2234c6af307ec95bc07fa3d8501105" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44767,13 +44767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0939C2Bad859C0432E8E98A6C0162C02 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aa1e7585-ad21-51db-8dd2-474fe0eae075" + id = "5dba4570-51d8-5c23-85a5-5de9a048793f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9002-L9018" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3c48241e52e58600bfa0385742831dba59d9cbd959cd6853fe8e030f5df79c23" + logic_hash = "3c48241e52e58600bfa0385742831dba59d9cbd959cd6853fe8e030f5df79c23" score = 75 quality = 90 tags = "INFO, FILE" @@ -44792,13 +44792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Fba0E19919Ac50D700Ba60250D02C8B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4bf10cfc-d821-5019-8bab-0dac957182c4" + id = "8828c863-2800-5f66-968e-96a41a071218" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9020-L9036" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8c803111df930056bdc3ef7560f07bf4d255b93286d01ecc55f790e72565ba5d" + logic_hash = "8c803111df930056bdc3ef7560f07bf4d255b93286d01ecc55f790e72565ba5d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44817,13 +44817,13 @@ rule REVERSINGLABS_Cert_Blocklist_A758504E7971869D0Aec2775Fffa03D5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "65aa9412-2ace-53f8-9a45-ea96755902c5" + id = "cc8c0cca-1848-5a5e-a421-c5ecdea6ba53" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9038-L9056" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dcb1ac4c7dcbebd0a432515da82e4a97be6c6c2a54f9d642aa8c1a2bcbdce5de" + logic_hash = "dcb1ac4c7dcbebd0a432515da82e4a97be6c6c2a54f9d642aa8c1a2bcbdce5de" score = 75 quality = 90 tags = "INFO, FILE" @@ -44842,13 +44842,13 @@ rule REVERSINGLABS_Cert_Blocklist_37A67Cf754Ee5Ae284B4Cf8B9D651604 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "248b06e8-f98e-5b47-bd24-268fe141fffe" + id = "e85434e1-1ef5-5660-8ba6-b35cbbe7510d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9058-L9074" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_22cb71eebbb212a4436847c11c7ca9cefaf118086b024014c12498a6a5953af5" + logic_hash = "22cb71eebbb212a4436847c11c7ca9cefaf118086b024014c12498a6a5953af5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44867,13 +44867,13 @@ rule REVERSINGLABS_Cert_Blocklist_119Acead668Bad57A48B4F42F294F8F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8af769e1-adbb-5795-8b7e-f5ec901220e7" + id = "7ec33498-b299-58e0-be42-9e4fb9549e28" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9076-L9092" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_61c49c60fc4fd5d654a6376fcee43e986a5351f085a5652a3c8888774557e053" + logic_hash = "61c49c60fc4fd5d654a6376fcee43e986a5351f085a5652a3c8888774557e053" score = 75 quality = 90 tags = "INFO, FILE" @@ -44892,13 +44892,13 @@ rule REVERSINGLABS_Cert_Blocklist_7A6D30A6Eb2Fa0C3369283725704Ac4C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f1598928-45c7-5d0e-9450-cb9228692304" + id = "b7830a3a-ddcc-54ef-84dd-5d4b13863f90" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9094-L9110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_788abb53ed7974d87c1b1bdbe31dcd3e852ea64745d94780d78d1217ee0206fe" + logic_hash = "788abb53ed7974d87c1b1bdbe31dcd3e852ea64745d94780d78d1217ee0206fe" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44917,13 +44917,13 @@ rule REVERSINGLABS_Cert_Blocklist_670C3494206B9F0C18714Fdcffaaa42F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8b1fc707-d8d4-5f20-bdb4-384839df9696" + id = "210a0c72-7eb7-5c78-bf5b-1ac292e7fa11" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9112-L9128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3b1e244b5f543a05beb2475020aa20dfc723f4dce3a5a0a963db1672d3295721" + logic_hash = "3b1e244b5f543a05beb2475020aa20dfc723f4dce3a5a0a963db1672d3295721" score = 75 quality = 90 tags = "INFO, FILE" @@ -44942,13 +44942,13 @@ rule REVERSINGLABS_Cert_Blocklist_0E8Aa328Af207Ce8Bcae1Dc15C626188 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c57f8e6c-b111-5afb-983e-5d5d116b6a46" + id = "9718f290-6ecd-5d67-9013-af99f98fffef" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9130-L9146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4022abb8efbda944e35ff529c5b3b3c9f6370127a945f3eec1310149bb5d06e4" + logic_hash = "4022abb8efbda944e35ff529c5b3b3c9f6370127a945f3eec1310149bb5d06e4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -44967,13 +44967,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cfad6Be1D823B4Eacb803B720F525A7D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3c8fc16c-b1ee-5ce6-85d2-40c212555fbe" + id = "844e295f-b22f-5eb0-9f98-0d6e574d2954" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9148-L9166" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d8005774e6011d8198039a6588834cd0b13dd728103b63c3ea8b6e0dc3878f05" + logic_hash = "d8005774e6011d8198039a6588834cd0b13dd728103b63c3ea8b6e0dc3878f05" score = 75 quality = 90 tags = "INFO, FILE" @@ -44992,13 +44992,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Ebcb54B7E0E6410B28610De0743D4Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "74eb9b2b-fb4c-5842-83b5-55ca31f4b768" + id = "84140bbd-23a0-5355-9d1a-918cc93c3352" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9168-L9184" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c9444ff9e13192bf300afac12554bc4cc2defb37bb5b57906b6163db378c515a" + logic_hash = "c9444ff9e13192bf300afac12554bc4cc2defb37bb5b57906b6163db378c515a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -45017,13 +45017,13 @@ rule REVERSINGLABS_Cert_Blocklist_01106Cc293772Ca905A2B6Eff02Bf0F5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "191ee551-e54a-5872-b46e-5443696ae90d" + id = "1ec81090-91a1-5019-be91-14f60d6722fc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9186-L9202" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_81e19c06de4546a2cee974230ef7aa15291f20f2e6b6f89c9b12107c26836b5e" + logic_hash = "81e19c06de4546a2cee974230ef7aa15291f20f2e6b6f89c9b12107c26836b5e" score = 75 quality = 90 tags = "INFO, FILE" @@ -45042,13 +45042,13 @@ rule REVERSINGLABS_Cert_Blocklist_05Bb162F6Efe852B7Bd4712Fd737A61E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0692b7f4-6281-5bef-8c97-014564b200c5" + id = "82b2198e-140a-54d0-afa8-ad89980c7899" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9204-L9220" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d2fcbce0826c1478338827376d2c7869e5b38dc6d5e737a2f986600c6f71b1e6" + logic_hash = "d2fcbce0826c1478338827376d2c7869e5b38dc6d5e737a2f986600c6f71b1e6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -45067,13 +45067,13 @@ rule REVERSINGLABS_Cert_Blocklist_6171990Ba1C8E71049Ebb296A35Bd160 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f023524a-768c-54e7-803d-3d93616f443d" + id = "f81697ca-e49a-5a3d-9e0f-6192159e098b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9222-L9238" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e922bb850b7c5c70db80e6a2b99310eac48d3b10b94a7259899facd681916bfa" + logic_hash = "e922bb850b7c5c70db80e6a2b99310eac48d3b10b94a7259899facd681916bfa" score = 75 quality = 90 tags = "INFO, FILE" @@ -45092,13 +45092,13 @@ rule REVERSINGLABS_Cert_Blocklist_2114Ca3Bd2Afd63D7Fa29D744992B043 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2a86dea8-52e9-56f8-b5c4-ea8b8435c0ad" + id = "7d112cb8-a29f-5560-9c3c-cd8891623d96" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9240-L9256" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_241fe5a9f233fa36a665d22b38fd360bee21bc9832c15ac9c9d9b17adc3bb306" + logic_hash = "241fe5a9f233fa36a665d22b38fd360bee21bc9832c15ac9c9d9b17adc3bb306" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -45117,13 +45117,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Aaa62208A3A78Bfac1443007D031E61 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "49d98081-3018-5c24-9eec-b531c5442a2c" + id = "dd6dca76-ff5b-51a8-9318-20a88eb44ffb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9258-L9274" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7ba7f69514230fe636efc0a12fb9ac489a5a80ca1f5bcdb050dd30ee8f69659c" + logic_hash = "7ba7f69514230fe636efc0a12fb9ac489a5a80ca1f5bcdb050dd30ee8f69659c" score = 75 quality = 90 tags = "INFO, FILE" @@ -45142,13 +45142,13 @@ rule REVERSINGLABS_Cert_Blocklist_09450B8F73Ea43E39D2Cdd56049Dbe40 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "95f035e3-1b06-5a4b-b024-8709d69f4aab" + id = "e6914a29-f6f7-56fc-8606-95666d31cf33" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9276-L9292" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_22b344b8befc00b0154d225603c81c6058399770f54cb6a09d0f7908c5c8188c" + logic_hash = "22b344b8befc00b0154d225603c81c6058399770f54cb6a09d0f7908c5c8188c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -45167,13 +45167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Efd9Bd4B4281C6522D96011Df46C9C4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "08379b10-f8d2-5432-b730-9aaf98f5f02a" + id = "7bd6616b-fef7-56aa-a78a-606601afa4f3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9294-L9310" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8f8a5e3457c05c5e70e33041c5b0b971cf8f19313d47055fd760ed17d94c8794" + logic_hash = "8f8a5e3457c05c5e70e33041c5b0b971cf8f19313d47055fd760ed17d94c8794" score = 75 quality = 90 tags = "INFO, FILE" @@ -45192,13 +45192,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Dd7D4A785990584D8C0837659173272 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e2c57c59-465a-5d2c-bddd-9d933d36350e" + id = "d5e3d85b-cc4e-5522-8558-f2703c38c4e6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9312-L9328" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d18a479f07f2bdb890437e2bcb0213abdfb0eb684cdaf17c5eb0583039f2edb4" + logic_hash = "d18a479f07f2bdb890437e2bcb0213abdfb0eb684cdaf17c5eb0583039f2edb4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -45217,13 +45217,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C59D46580F039Af2C4Ab6Ba0Ffed197 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8c1e8d24-4f14-5999-bd68-a367e5897a4a" + id = "969e05a1-8ae1-5ea6-9607-5bf164f34e7b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9330-L9346" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_32eea2a436f386ef44a00ef72be8be7d4070b02f84ba71c7ee1ca407fddce8ec" + logic_hash = "32eea2a436f386ef44a00ef72be8be7d4070b02f84ba71c7ee1ca407fddce8ec" score = 75 quality = 90 tags = "INFO, FILE" @@ -45242,13 +45242,13 @@ rule REVERSINGLABS_Cert_Blocklist_0448Ec8D26597F99912138500Cc41C1B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "906c899a-dd49-5dfb-af3f-ade4103c957b" + id = "0c306a1f-e810-5988-a44c-964b6a67c918" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9348-L9364" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_001556c31cfb0d94978adc48dc0d24c83666512348c65508975cc9e1a119aeae" + logic_hash = "001556c31cfb0d94978adc48dc0d24c83666512348c65508975cc9e1a119aeae" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -45267,13 +45267,13 @@ rule REVERSINGLABS_Cert_Blocklist_0108Cbaee60728F5Bf06E45A56D6F170 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3dbc0172-eb09-590c-b162-b27d84231f1c"
+ id = "2be3a0d2-2c6a-5c66-856a-d3a70a490ba3"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9366-L9382"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_52027548e20c819e73ea5e9afd87faaca4498bc39e54dd30ad99a24e3ace57fd"
+ logic_hash = "52027548e20c819e73ea5e9afd87faaca4498bc39e54dd30ad99a24e3ace57fd"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45292,13 +45292,13 @@ rule REVERSINGLABS_Cert_Blocklist_038D56A12153E8B5C74C69Bff65Cbe3F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3ecee8d7-f540-532d-89d5-0c5fd8979aeb"
+ id = "48162554-a95b-5cd3-9bbb-bcf6a1d96592"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9384-L9400"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ed3a81231f93f9d2ae462481503ba37072c3800dd1379baae11737f093a27af1"
+ logic_hash = "ed3a81231f93f9d2ae462481503ba37072c3800dd1379baae11737f093a27af1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45317,13 +45317,13 @@ rule REVERSINGLABS_Cert_Blocklist_060D94E2Ccae84536654D9Daf39Fef1E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a375e694-3feb-5e9c-a04c-43c8227263f8"
+ id = "ac5d29ef-fd52-536b-bcbc-44433dda8a21"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9402-L9418"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_49000f3a3ce1ad9aef87162d7527b8f062e0aa12276b82c7335f0ccc14b7d38a"
+ logic_hash = "49000f3a3ce1ad9aef87162d7527b8f062e0aa12276b82c7335f0ccc14b7d38a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45342,13 +45342,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Bc9B800F480691Bd6B60963466B0C75 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3cbcc1a0-695e-5dc9-9e64-f02fca12324d"
+ id = "614f88ca-183a-548b-99f1-30cf4c4027ce"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9420-L9436"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6a498fd30c611976e9aad2f9b85b13c3c29246582cdfefc800615db88e40dac2"
+ logic_hash = "6a498fd30c611976e9aad2f9b85b13c3c29246582cdfefc800615db88e40dac2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45367,13 +45367,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C4324Ff41F0A7B16Ffcc93Dffa8Fa99 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0721b19a-7ec9-55ec-bc0e-b1509d377513"
+ id = "34594a57-f9fd-5b9d-afb6-691be33da9b5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9438-L9454"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d3ce83fb0497c533a5474d46300c341677ec243686723783798bfbaec4f6e369"
+ logic_hash = "d3ce83fb0497c533a5474d46300c341677ec243686723783798bfbaec4f6e369"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45392,13 +45392,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B980Fc8783E4F158E41829Ab21Bab81 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "58bfa9eb-3470-57d2-b7f3-76acab259dd7"
+ id = "f7358f71-421f-57fa-abdf-ab479f4b7007"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9456-L9472"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b0f43caec1cfc5b2d1512d7fcf0bcf1e02fc81764b4376b081f38c4de328eab2"
+ logic_hash = "b0f43caec1cfc5b2d1512d7fcf0bcf1e02fc81764b4376b081f38c4de328eab2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45417,13 +45417,13 @@ rule REVERSINGLABS_Cert_Blocklist_D8F515715Aeffef0A0E4E37F16C254Fa : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "08c4940b-614e-5b56-aef4-86283bcbf161"
+ id = "50ffd0a0-d861-53d7-a7dc-f74ccc49eff8"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9474-L9492"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3c7d57a655f76a6e5ef6b0e770db7c91d0830b6b0b37caef5ef9e3e78ad1fd75"
+ logic_hash = "3c7d57a655f76a6e5ef6b0e770db7c91d0830b6b0b37caef5ef9e3e78ad1fd75"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45442,13 +45442,13 @@ rule REVERSINGLABS_Cert_Blocklist_D79739187C585E453C00Afc11D77B523 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "65c25440-c800-5b7e-89fe-01565d807d7a"
+ id = "ed427336-6833-5e09-8ebe-039c8cd50846"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9494-L9512"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6d6db87227d7be559afa67c4f2b65b01f26741fdf337d920241a633bb036426f"
+ logic_hash = "6d6db87227d7be559afa67c4f2b65b01f26741fdf337d920241a633bb036426f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45467,13 +45467,13 @@ rule REVERSINGLABS_Cert_Blocklist_961Cecb0227845317549E9343A980E91 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "8d75a136-bcb9-575f-be49-80ac55e376fc"
+ id = "f319592a-5f08-5f2c-b840-5f897695e054"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9514-L9532"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c74512e95e2d6aedecb1dbd30fac6fde40d1e9520c89b785519694d9bc9ba854"
+ logic_hash = "c74512e95e2d6aedecb1dbd30fac6fde40d1e9520c89b785519694d9bc9ba854"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45492,13 +45492,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ef6392B2993A6F67578299659467Ea8 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "bb6cf84e-48c7-551e-a3fe-8e5b63a7a67d"
+ id = "123e5aed-0ef4-5146-81bb-5d455a9cf92e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9534-L9550"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f6b454a575ea7635d5edebffe3c9c83e95312ee33245e733987532348258733e"
+ logic_hash = "f6b454a575ea7635d5edebffe3c9c83e95312ee33245e733987532348258733e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45517,13 +45517,13 @@ rule REVERSINGLABS_Cert_Blocklist_A918455C0D4Da7Ca474F41F11A7Cf38C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f1eca1c5-a687-575e-8dd5-760ffe7bad59"
+ id = "959b10fe-fbd0-5642-a5d9-4ac2e0474666"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9552-L9570"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ea30d85c057f9363ce29d4c024097c50a8752dd2095481181322fe5d5c92bb4b"
+ logic_hash = "ea30d85c057f9363ce29d4c024097c50a8752dd2095481181322fe5d5c92bb4b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45542,13 +45542,13 @@ rule REVERSINGLABS_Cert_Blocklist_936Bc256D2057Ca9B9Ec3034C3Ed0Ee6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e9ef9ac3-2d79-58c5-b3fa-b19cde79a8d8"
+ id = "4dbe7db7-2f61-558c-a6dc-875ba87322c7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9572-L9590"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7e90c29bcfe4632e70b61a0cf2ab48a3de986bd5c6c730f64a363f4f3d79a3f4"
+ logic_hash = "7e90c29bcfe4632e70b61a0cf2ab48a3de986bd5c6c730f64a363f4f3d79a3f4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45567,13 +45567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Afe8Fee94B41422E01E4897Bcd52D0A4 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "637f35cb-a3e8-52e4-9e7a-45cb5b4e7b48"
+ id = "83d08ca6-2a0b-5da3-8d53-7bf8bcc361cf"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9592-L9610"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_02c55b182bc9843334baed9c0a7cca2c88cd1de00ca9b47b10ec79b7a5acf9bb"
+ logic_hash = "02c55b182bc9843334baed9c0a7cca2c88cd1de00ca9b47b10ec79b7a5acf9bb"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45592,13 +45592,13 @@ rule REVERSINGLABS_Cert_Blocklist_718E89Ddb33257Ea77Ba74Be7F2Baf1D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "dd6c1ffd-9446-552e-b6ad-88ddcb68bee7"
+ id = "d173c2b2-2b76-521a-aac1-ae69fdf5b16b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9612-L9628"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2f0defa1e1d905d937677e96f2a0955d9737f6976596932cc093fdecfea3fdb0"
+ logic_hash = "2f0defa1e1d905d937677e96f2a0955d9737f6976596932cc093fdecfea3fdb0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45617,13 +45617,13 @@ rule REVERSINGLABS_Cert_Blocklist_4D3E38F4Aebbc32257450726B29Be117 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "15fbb08b-8913-5a89-b3c9-37f5ef089d50"
+ id = "173f89ca-e7b3-507b-96c1-325dd06210f8"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9630-L9646"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f618547942fcd9b3d1104cb5bedeecec8596fa7cc34bca838b6120085b305d73"
+ logic_hash = "f618547942fcd9b3d1104cb5bedeecec8596fa7cc34bca838b6120085b305d73"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45642,13 +45642,13 @@ rule REVERSINGLABS_Cert_Blocklist_8F4C49Dae1F1Ff0Ebe9104C6F73242Bd : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d4dd5229-77ee-50a0-9843-c164d743502e"
+ id = "b7731056-1674-5375-a3cb-69632670d6d9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9648-L9666"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a8c99cc30b791a76fe3cd48184bf95ee47abb30bd200128efd2f5295ee18f7b1"
+ logic_hash = "a8c99cc30b791a76fe3cd48184bf95ee47abb30bd200128efd2f5295ee18f7b1"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45667,13 +45667,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ac3C05F1Cb9453De8E7110F589Fb32C0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "51f2c464-6986-5ecd-95ec-20479dec5fcc"
+ id = "2578655e-6420-5a67-9116-cab5cf5bc195"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9668-L9686"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_6328fd5dbb497c69ddc9151f85754669760b709ecbff3e8f320a40a62ca0dd2c"
+ logic_hash = "6328fd5dbb497c69ddc9151f85754669760b709ecbff3e8f320a40a62ca0dd2c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45692,13 +45692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fbb96A90B6718810311767Ca25Ab1E48 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "28fb7fa8-1c00-515e-8341-8bde5eb0f113"
+ id = "77319b9c-6075-5ac7-958c-d76916873e85"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9688-L9706"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_431e3364a42b272d9b71b92dee44cc185ef034a45a0b72bbda82cf7e9b29c355"
+ logic_hash = "431e3364a42b272d9b71b92dee44cc185ef034a45a0b72bbda82cf7e9b29c355"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45717,13 +45717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cfd38423Aef875A10B16644D058297E2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b82c88c5-810d-5ea1-8e36-b0c566509199"
+ id = "f53e4f44-dde2-5f7a-8cab-71e91ff75d28"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9708-L9726"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a2f67cbf31c9db2891892c31a7ed4ce7eccd834bfb10ae70f58e46f8e68e7c17"
+ logic_hash = "a2f67cbf31c9db2891892c31a7ed4ce7eccd834bfb10ae70f58e46f8e68e7c17"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45742,13 +45742,13 @@ rule REVERSINGLABS_Cert_Blocklist_E6C05C5A2222Bf92818324A3A7374Ad3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f3484e62-c689-5ea2-8c56-655dfe572689"
+ id = "2b5b79d8-e8fa-5593-b4c4-89af1f711152"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9728-L9746"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bea8fea49144abc109e33a5964bb8e113aa61b4cd70c72a43183cb0840429571"
+ logic_hash = "bea8fea49144abc109e33a5964bb8e113aa61b4cd70c72a43183cb0840429571"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45767,13 +45767,13 @@ rule REVERSINGLABS_Cert_Blocklist_75Ce08Bdbad44123299Dbe9D7C1D20De : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "42b8d51b-f00d-50ec-90fd-6c3bb3e0436d"
+ id = "e8e2d3b6-077f-56ba-9f2a-1941bf2ebdeb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9748-L9764"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8ba66ab55f9a6755e11a7f39152aa26917271c7f6bc5ffdb42d07ad791fb47d7"
+ logic_hash = "8ba66ab55f9a6755e11a7f39152aa26917271c7f6bc5ffdb42d07ad791fb47d7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45792,13 +45792,13 @@ rule REVERSINGLABS_Cert_Blocklist_333705C20B56E57F60B5Eb191Eef0D90 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "698935da-4df5-558d-98b1-5bffc4501633"
+ id = "7f98e550-fca6-564f-bbad-40e153f17adc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9766-L9782"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_30eeec467b837f6b1759cd0fd6a8bc2e8942f2400df170c671287f4159652479"
+ logic_hash = "30eeec467b837f6b1759cd0fd6a8bc2e8942f2400df170c671287f4159652479"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45817,13 +45817,13 @@ rule REVERSINGLABS_Cert_Blocklist_A2A0Ba281262Acce7A00119E25564386 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d05d0457-bdd3-538e-b659-115949ef6dbd"
+ id = "ab0c7b78-5e7e-5cb9-ae61-d88f3f8d9684"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9784-L9802"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f5e3c16f6caaf5f3152d90dc48895d0bbcdb296c368beeebb96157f03a8ded40"
+ logic_hash = "f5e3c16f6caaf5f3152d90dc48895d0bbcdb296c368beeebb96157f03a8ded40"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45842,13 +45842,13 @@ rule REVERSINGLABS_Cert_Blocklist_338483Cc174C16Ebc454A3803Ffd4217 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "fb23d49d-d0de-51bd-bd62-157cfdc6cb38"
+ id = "ce30ace6-c2c2-5f3e-a2f7-1f08825d44eb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9804-L9820"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7d7dd55eaab15cf458e5e57f0e5fbebdcc9313aee05394310a5cf9d9b4def153"
+ logic_hash = "7d7dd55eaab15cf458e5e57f0e5fbebdcc9313aee05394310a5cf9d9b4def153"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45867,13 +45867,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be89936C26Cd0D845074F6B7B47F480C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "91cb0b68-e8cb-5949-82e3-71d749e6fdeb"
+ id = "3ff8149b-4a90-5593-b12a-d815b04fce7e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9822-L9840"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_348df24620bfe6322c410cb593f5caad67492b0b5af234ee89b0411beb4b48f9"
+ logic_hash = "348df24620bfe6322c410cb593f5caad67492b0b5af234ee89b0411beb4b48f9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45892,13 +45892,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F20A5155E53Ce20Bb644F646Ed6A2Fd : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4699ca3c-cb63-55a5-9ab0-fb31541c6126"
+ id = "d52066d5-9bc1-5f72-8e97-7efda88c14b2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9842-L9858"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_70d57f2c24d4ae6f17339bfb998589a3b10f5dd4b19ac8a5bc99e082145c4ed0"
+ logic_hash = "70d57f2c24d4ae6f17339bfb998589a3b10f5dd4b19ac8a5bc99e082145c4ed0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45917,13 +45917,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ea734E1Dfb6E69Ed2Bc55E513Bf95B5E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4305355e-43e1-5a90-8536-b9c159475957"
+ id = "8e059a2a-c436-5247-b395-a2f594c1c9a9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9860-L9878"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a18d1c1e5e22c1aa041a4b2d23d2aefcbedbd3517a079d578e1a143ecadb4533"
+ logic_hash = "a18d1c1e5e22c1aa041a4b2d23d2aefcbedbd3517a079d578e1a143ecadb4533"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45942,13 +45942,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ba67B0De51Ebb9B1179804E75357Ab26 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5c23cb5f-e702-5550-ab0f-0c9bf109a098"
+ id = "63938a97-2cb3-52b0-9717-c8949e3fae46"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9880-L9898"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_69b9012fc4ab9636d159de49ff452f054030c1157cf70a95512b2a0748dad7c0"
+ logic_hash = "69b9012fc4ab9636d159de49ff452f054030c1157cf70a95512b2a0748dad7c0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45967,13 +45967,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cff2B275Ba8A1Dde83Ac7Ff858399A62 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "7147d5e4-ce86-54bd-be45-b76070b82f49"
+ id = "50cc539a-1f00-566d-a83f-b4d8459506d8"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9900-L9918"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d37e1d94048339a86b8fa173d3ab753fc5e79329b73df9fda5815cd622c57745"
+ logic_hash = "d37e1d94048339a86b8fa173d3ab753fc5e79329b73df9fda5815cd622c57745"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -45992,13 +45992,13 @@ rule REVERSINGLABS_Cert_Blocklist_D22E026C5B5966F1Cf6Ef00A7C06682E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "57401f7a-7e4c-528f-a708-284384f40b53"
+ id = "a72a0001-a272-506d-b610-c028ed8ac6da"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9920-L9938"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_33a05d46b40ffdf49bfa5facca41ebdf6bedcabc1cb1f5b9bf2d043ad1c869b0"
+ logic_hash = "33a05d46b40ffdf49bfa5facca41ebdf6bedcabc1cb1f5b9bf2d043ad1c869b0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46017,13 +46017,13 @@ rule REVERSINGLABS_Cert_Blocklist_3054F940C931Bad7B238A24376C6A5Cc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "58541366-547c-5e0c-9838-573686e8f4cc"
+ id = "e5643d08-5957-58b0-8b46-d5e339dfba9c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9940-L9956"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_21c8e8f10d1e4b9eb917c86ac868de2afcd5776a9c1d59149df1d07d8c3e14b9"
+ logic_hash = "21c8e8f10d1e4b9eb917c86ac868de2afcd5776a9c1d59149df1d07d8c3e14b9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46042,13 +46042,13 @@ rule REVERSINGLABS_Cert_Blocklist_A617E23D6Ca8F34E2F7413Cd299Fc72B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "18e4d04b-ef20-5119-beab-023532f8329a"
+ id = "3ffb592c-eec5-51b1-9840-b6b72269fc31"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9958-L9976"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f307a0b598f0876c003aa43db50e024698b6f93931e626c085f98553c14ec2ae"
+ logic_hash = "f307a0b598f0876c003aa43db50e024698b6f93931e626c085f98553c14ec2ae"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46067,13 +46067,13 @@ rule REVERSINGLABS_Cert_Blocklist_387Eeb89B8Bf626Bbf4C7C9F5B998B40 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "7897e88e-2e46-5aed-99a9-9c193d48de42"
+ id = "2f4a26f2-689a-57bd-8028-d3554e339e60"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9978-L9994"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2377eeb5316d25752443735e78d0ad7de398a2677f5a0fd45fd6e6c87720d49b"
+ logic_hash = "2377eeb5316d25752443735e78d0ad7de398a2677f5a0fd45fd6e6c87720d49b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46092,13 +46092,13 @@ rule REVERSINGLABS_Cert_Blocklist_292Eb1133507F42E6F36C5549C189D5E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d575f9c6-b681-532a-9292-27ba900ebb05"
+ id = "b557864d-c573-5789-9959-8df3036d5ac5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L9996-L10012"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bc3ef217455b74900cae114d25b02325d2bef25c11873342df1dd2369cbce76a"
+ logic_hash = "bc3ef217455b74900cae114d25b02325d2bef25c11873342df1dd2369cbce76a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46117,13 +46117,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fbf16A33D26390A15F046C310030Cf0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "95d4810c-e3af-5a7a-8afa-abd412da7820"
+ id = "620c04df-e613-5319-aa00-646c7e0c8031"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10014-L10030"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_24bee3563e0867ef6702e7f57bbce7075f766410650ae5ce1e2e8c7b14a3eaca"
+ logic_hash = "24bee3563e0867ef6702e7f57bbce7075f766410650ae5ce1e2e8c7b14a3eaca"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46142,13 +46142,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F007898Afcba5F8Af8Ae65D01803617 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d9a85882-ffea-50c7-a86c-dc897b63cf46"
+ id = "6678bd73-bf4d-5576-8bf2-b721ee288da7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10032-L10048"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_27610bb3bf069991803611474abf44a3bf82fc9283d0412a1c24ae46a3f5352e"
+ logic_hash = "27610bb3bf069991803611474abf44a3bf82fc9283d0412a1c24ae46a3f5352e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46167,13 +46167,13 @@ rule REVERSINGLABS_Cert_Blocklist_E55Be88Ddbd93C423220468D430905Dd : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b7d539b9-ab81-5286-b993-f4042163c7b2"
+ id = "37e60515-0395-51a5-8bfa-35e3e336d60c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10050-L10068"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_05b2f297454e7080591b85991b224193eb89fc5074eb3c2e484ceadad2de4cb7"
+ logic_hash = "05b2f297454e7080591b85991b224193eb89fc5074eb3c2e484ceadad2de4cb7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46192,13 +46192,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Bcb74291D96096577Bdb1E165Dce85 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e43ddd3d-d507-5ac1-9537-e6ba4e869ba0"
+ id = "da483b60-d400-54ef-84e0-ea00b299b466"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10070-L10086"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_00b7ff8f3cbc04c48c71433c384d7a7884b856f261850e33ea4413a12cf5a1b5"
+ logic_hash = "00b7ff8f3cbc04c48c71433c384d7a7884b856f261850e33ea4413a12cf5a1b5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46217,13 +46217,13 @@ rule REVERSINGLABS_Cert_Blocklist_C8442A8185082Ef1Ed7Dc3Fff2176Aa7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1f4aecf7-2be1-505f-8e97-4c4a7395128d"
+ id = "2a56ff80-584b-5b8b-80ae-e763339cd17a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10088-L10106"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_74b1b48f0179187ea7bb8ef4663bf13da47f5c6405ecc5589706184564c05727"
+ logic_hash = "74b1b48f0179187ea7bb8ef4663bf13da47f5c6405ecc5589706184564c05727"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46242,13 +46242,13 @@ rule REVERSINGLABS_Cert_Blocklist_0406C4A1521A38C8D0C4Aa214388E4Dc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b33acd6e-5bcf-5d3f-bcf6-1c7de4b4e23e"
+ id = "9019330e-5ab5-5d37-85a1-0e882dbd68ce"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10108-L10124"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f6780751ae553771eb57201a8672847a24512e6279b6a4fd843d8ee2f326860a"
+ logic_hash = "f6780751ae553771eb57201a8672847a24512e6279b6a4fd843d8ee2f326860a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46267,13 +46267,13 @@ rule REVERSINGLABS_Cert_Blocklist_12705Fb66Bc22C68372A1C4E5Fa662E2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e567de47-c085-5798-8903-0af2a870fc78"
+ id = "78f9fdf0-d8c6-5316-8053-42f77adf95d1"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10126-L10142"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f10316a26e2d34400b7c2e403eab18ab6c1cc94b35f0ac8a3f490d101d29dc8d"
+ logic_hash = "f10316a26e2d34400b7c2e403eab18ab6c1cc94b35f0ac8a3f490d101d29dc8d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46292,13 +46292,13 @@ rule REVERSINGLABS_Cert_Blocklist_3B0914E2982Be8980Aa23F49848555E5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b28819ae-6c3d-5502-b9b8-9ea65249e0c0"
+ id = "88ca65c4-ba0d-5676-979b-4fac737d4f21"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10144-L10160"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ea7d9fa7817751fef775765b54be5dd4d00c15ca50ac10fb40fb46cc3634c7b0"
+ logic_hash = "ea7d9fa7817751fef775765b54be5dd4d00c15ca50ac10fb40fb46cc3634c7b0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46317,13 +46317,13 @@ rule REVERSINGLABS_Cert_Blocklist_029Bf7E1Cb09Fe277564Bd27C267De5A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6d59b221-d608-5c17-b23b-f43aeb6d1866"
+ id = "1e66d13c-3345-592c-9bf8-b8a566c8b9e6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10162-L10178"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3f64372d11d61c669580d90cdf2201e7f2904fb3d73d27be2ff1559c9c37614a"
+ logic_hash = "3f64372d11d61c669580d90cdf2201e7f2904fb3d73d27be2ff1559c9c37614a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46342,13 +46342,13 @@ rule REVERSINGLABS_Cert_Blocklist_D3Aee8Abb9948844A3Ac1C04Cc7E6Bdf : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d1a109c0-a904-52f6-906c-b4e1e76b8d02"
+ id = "6da50886-7f15-5565-9a1a-f6fb25a729ac"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10180-L10198"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3f3f1d5c871d2b73627d4281ac5bcd08799fb47f94155e82795d97c87de35e40"
+ logic_hash = "3f3f1d5c871d2b73627d4281ac5bcd08799fb47f94155e82795d97c87de35e40"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46367,13 +46367,13 @@ rule REVERSINGLABS_Cert_Blocklist_734819463C1195Bd6E135Ce4D5Bf49Bc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "207ac3ef-4fb6-5c0f-974a-b2481001650f"
+ id = "f7dd21fa-1501-50b2-bd9c-c33cfd932a6b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10200-L10216"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a63c05cca23b61ba6eabda2b60c617b966a2669fd3a0da30354792e5c1ae2140"
+ logic_hash = "a63c05cca23b61ba6eabda2b60c617b966a2669fd3a0da30354792e5c1ae2140"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46392,13 +46392,13 @@ rule REVERSINGLABS_Cert_Blocklist_Db95B22362D46A73C39E0Ac924883C5B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3e0e19be-bfab-5598-8bf3-cb5033ad0b5a"
+ id = "527b7963-340e-5d8f-b7e1-1269c0073ec9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10218-L10236"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_895983bcb7f3a0c5ce54504f4a2ff8d652137434b8951380d756de6556d0844e"
+ logic_hash = "895983bcb7f3a0c5ce54504f4a2ff8d652137434b8951380d756de6556d0844e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46417,13 +46417,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C48732873Ac8Ccebaf8F0E1E8329Cec : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "74c0953c-e661-59f1-b9d9-6d05ce318dc8"
+ id = "b531341a-e8ac-5b56-a202-3c072f5d2ce0"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10238-L10254"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7c9476a4119e013c8bb3c14b607090d592feaa5f2fc0f78d810555681d4a3733"
+ logic_hash = "7c9476a4119e013c8bb3c14b607090d592feaa5f2fc0f78d810555681d4a3733"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46442,13 +46442,13 @@ rule REVERSINGLABS_Cert_Blocklist_C51F4Cf4D82Bc920421E1Ad93E39D490 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "a8eba8f4-e96d-5480-92ac-b14ac82a7bf7"
+ id = "727aba82-c908-51a6-9f1f-7fd8df424d8c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10256-L10274"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cef717e7fe3eb0fb958d405caaf98fa51b22b150ccbf1286d3b4634e9df81ade"
+ logic_hash = "cef717e7fe3eb0fb958d405caaf98fa51b22b150ccbf1286d3b4634e9df81ade"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46467,13 +46467,13 @@ rule REVERSINGLABS_Cert_Blocklist_C96086F1894E6420D2B4Bdeea834C4D7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b9975050-82fa-5606-93e0-4950d495fb3f"
+ id = "1268461b-676c-59b8-80c1-c54dbe1a265f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10276-L10294"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_949bbd41ad4c83a05c1f004786cd296e2af80a3a559955ec90a4675cdfa04258"
+ logic_hash = "949bbd41ad4c83a05c1f004786cd296e2af80a3a559955ec90a4675cdfa04258"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46492,13 +46492,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Fa27A121Cc82230C3013Ee634B6C62 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ca88f7ec-57ff-5e4e-9ccb-1d97dc2aff26"
+ id = "4520e544-7a41-5dde-b90b-46cf3349297c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10296-L10312"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_23ac7a97e7632536ed27cf9078b6bc1a734f1e991a20a228734b45117582f367"
+ logic_hash = "23ac7a97e7632536ed27cf9078b6bc1a734f1e991a20a228734b45117582f367"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46517,13 +46517,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Dd3B2F7957Ba99F4B04Fcdbe03B7Aac : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "96da816e-c564-51f6-89c0-1b8fa54250c5"
+ id = "25229478-e891-5e0a-b738-6ca1fdd0012c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10314-L10332"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d4f1b75dddd47fe8a19bd8e794b4930bdcaf54d63db57422db0a9b631d4f488d"
+ logic_hash = "d4f1b75dddd47fe8a19bd8e794b4930bdcaf54d63db57422db0a9b631d4f488d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46542,13 +46542,13 @@ rule REVERSINGLABS_Cert_Blocklist_061051Ff2A8Afab10347A6F1Ff08Ecb6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1670f233-0aa8-5076-8314-345c2b2b3610"
+ id = "4e23648f-9770-53ad-9c62-6e6239a02aa7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10334-L10350"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_db3ac3ee326c60e9abc94a2fb53d801637f044e7ab72d69e53958799e48747b7"
+ logic_hash = "db3ac3ee326c60e9abc94a2fb53d801637f044e7ab72d69e53958799e48747b7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46567,13 +46567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Eda2429083Bfafb04E6E7Bdda1B08834 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ce1ecadb-7f9d-506f-b82a-ac5967108595"
+ id = "0f5852c4-7866-5e12-97e9-c73972def6c5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10352-L10370"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4f7d5c6929fe364c8868fddb28dd7bbf7cdcf3896d57836466af1a538190d11c"
+ logic_hash = "4f7d5c6929fe364c8868fddb28dd7bbf7cdcf3896d57836466af1a538190d11c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46592,13 +46592,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A590154B5980E566314122987Dea548 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c559c6e7-25e4-5aa1-95b1-d5d69666378c"
+ id = "fd2a2165-494b-5655-a322-73f033643c74"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10372-L10388"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d5fdf2bc61fadf3e73bcf1695c48ebc465e614cdd2310f9e5f40648d9615afc4"
+ logic_hash = "d5fdf2bc61fadf3e73bcf1695c48ebc465e614cdd2310f9e5f40648d9615afc4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46617,13 +46617,13 @@ rule REVERSINGLABS_Cert_Blocklist_69A72F5591Ad78A0825Fbb9402Ab9543 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "47c47734-b299-50bf-8f47-db30eb25acdf"
+ id = "938cdd31-433d-5df7-b00e-54a7e440810b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10390-L10406"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_72ca07b7722f9506c5c42b5e58c5ce9b3a7d607164a5f265015769f2831cd588"
+ logic_hash = "72ca07b7722f9506c5c42b5e58c5ce9b3a7d607164a5f265015769f2831cd588"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46642,13 +46642,13 @@ rule REVERSINGLABS_Cert_Blocklist_0883Db137021B51F3A2A08A76A4Bc066 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "13158822-8817-5f37-b7eb-0565fb4f0f30"
+ id = "792111be-7c8a-53f5-9ec3-e1f25f083666"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10408-L10424"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5e3c8654169830790665992f5d7669d0ca6c1c8048580b3ae70331ad2a763a6c"
+ logic_hash = "5e3c8654169830790665992f5d7669d0ca6c1c8048580b3ae70331ad2a763a6c"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46667,13 +46667,13 @@ rule REVERSINGLABS_Cert_Blocklist_2B921Aaaba777B5A99507196C6F1C46C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "26dbc0cd-c6a5-5f05-8e94-6e75ca475882"
+ id = "0cb5be9e-a0b7-5785-87f3-ad097d4ab479"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10426-L10442"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a00eb9837f7700d83862dff2077d85c68c24621d7aacf857b42587dc37976465"
+ logic_hash = "a00eb9837f7700d83862dff2077d85c68c24621d7aacf857b42587dc37976465"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46692,13 +46692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0332D5C942869Bdcabf5A8266197Cd14 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f3ab27d5-3661-52dd-838d-5effe5315deb"
+ id = "b1c650bb-b53f-5cca-8cc2-4d3498285d31"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10444-L10460"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_726ac44dd8109fcd0a9120f6c0673b8ecf7d5b3a4bb81976f48402e21502201a"
+ logic_hash = "726ac44dd8109fcd0a9120f6c0673b8ecf7d5b3a4bb81976f48402e21502201a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46717,13 +46717,13 @@ rule REVERSINGLABS_Cert_Blocklist_4679C5398A279318365Fd77A84445699 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "791a842f-af74-5500-b3c3-a93a19c1efd7"
+ id = "8d1810e7-9b64-52b3-91c6-f03832d61d3a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10462-L10478"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bdb68be92b3ba6b5eaa6e8e963529c0b9213942ba2552c687496ad5d12d5b472"
+ logic_hash = "bdb68be92b3ba6b5eaa6e8e963529c0b9213942ba2552c687496ad5d12d5b472"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46742,13 +46742,13 @@ rule REVERSINGLABS_Cert_Blocklist_101D6A5A29D9A77807553Ceac669D853 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ce9b507c-03cf-5965-bc76-f6cc2df1bab1"
+ id = "918fa696-5c92-551b-a87b-6410a6dc718a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10480-L10496"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bce92750f71477ecfa7b8213724344708066c0e6133a47cd6758bbd9f8f9da5f"
+ logic_hash = "bce92750f71477ecfa7b8213724344708066c0e6133a47cd6758bbd9f8f9da5f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46767,13 +46767,13 @@ rule REVERSINGLABS_Cert_Blocklist_6000F8C02B0A15B1E53B8399845Faddf : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "f14ad762-0a8e-524c-93d2-438d38250311"
+ id = "b025fe73-89fa-55f2-8b3a-cb46251669e6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10498-L10514"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_00ceb241555154cab97ef616042dbd966f3a8fae257e142dfe6bad9559bd1724"
+ logic_hash = "00ceb241555154cab97ef616042dbd966f3a8fae257e142dfe6bad9559bd1724"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46792,13 +46792,13 @@ rule REVERSINGLABS_Cert_Blocklist_121070Be1E782F206985543Bc7Bc58B6 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6ac0c735-d903-5cb7-9a4b-0002a7356381"
+ id = "3f5eee11-4106-5923-9563-84f81199bea0"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10516-L10532"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a5d603cf64c8a16fa12daf9c6b5d0850e6145fb39b38442ed724ec0f849b8be9"
+ logic_hash = "a5d603cf64c8a16fa12daf9c6b5d0850e6145fb39b38442ed724ec0f849b8be9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46817,13 +46817,13 @@ rule REVERSINGLABS_Cert_Blocklist_5226A724Cfa0B4Bc0164Ecda3F02A3Dc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4de027e4-fce6-54d6-af6c-eb3f38b29e4b"
+ id = "5a4abffb-ac0d-5e70-8193-0cd1a83377ac"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10534-L10550"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0ba1155b30761f48674aaa82a70a06fea30cced6518f089f3f9f173a4eb06a09"
+ logic_hash = "0ba1155b30761f48674aaa82a70a06fea30cced6518f089f3f9f173a4eb06a09"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46842,13 +46842,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A7Be7722B65A866Ebcd3Bd7F8F10825 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4bcefc41-f1a6-578e-8b59-305b1e007bd5"
+ id = "2b177573-8b9f-538f-8d07-b7baede1148d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10552-L10568"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c4aa22241ef72d454db4ec0fb0933abfa7b1d8d1029b45410475832cda4a2af4"
+ logic_hash = "c4aa22241ef72d454db4ec0fb0933abfa7b1d8d1029b45410475832cda4a2af4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46867,13 +46867,13 @@ rule REVERSINGLABS_Cert_Blocklist_05634456Dbedb3556Ca8415E64815C5D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4382f846-0ce0-5b1f-a69f-b52e9f3dfab3"
+ id = "c9a05c35-2aed-5944-aad7-65ae2c290c6c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10570-L10586"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f5941c74821c0cd76633393d0346a9de2c7bccc666dc20b34c5b4d733faefc8f"
+ logic_hash = "f5941c74821c0cd76633393d0346a9de2c7bccc666dc20b34c5b4d733faefc8f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46892,13 +46892,13 @@ rule REVERSINGLABS_Cert_Blocklist_2E07A8D6E3B25Ae010C8Ed2C4Ab0Fb37 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e297b902-b471-5c8c-9733-f7058b5c83fe"
+ id = "39d23cbf-862f-5a3d-9e30-b3f0929963d5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10588-L10604"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bad2144c9cde02a75fa968e3c24178f3ba73b0addb2b4967f24733b933e0eeb6"
+ logic_hash = "bad2144c9cde02a75fa968e3c24178f3ba73b0addb2b4967f24733b933e0eeb6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46917,13 +46917,13 @@ rule REVERSINGLABS_Cert_Blocklist_30B4Eeebd88Fd205Acc8577Bbaed8655 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d443322d-3193-518a-aabd-fb087867e02d"
+ id = "27c60ade-41e1-5ba4-be8d-275edc01b5ba"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10606-L10622"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_673ec5a1cacb9a7be101a4a533baf5a1eab4e6dd8721c69e56636701c5303c72"
+ logic_hash = "673ec5a1cacb9a7be101a4a533baf5a1eab4e6dd8721c69e56636701c5303c72"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46942,13 +46942,13 @@ rule REVERSINGLABS_Cert_Blocklist_B3391A6C1B3C6836533959E2384Ab4Ca : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "59d20f81-c017-50cf-b36c-6b7f3be01ff2"
+ id = "ab274ae3-0884-517a-a221-2c952fc9d74c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10624-L10642"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_38e38acfbfbf63b7179d2f8656f70224afa9269a7bdecd10ccbbbd92a6a216d3"
+ logic_hash = "38e38acfbfbf63b7179d2f8656f70224afa9269a7bdecd10ccbbbd92a6a216d3"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46967,13 +46967,13 @@ rule REVERSINGLABS_Cert_Blocklist_05D50A0E09Bb9A836Ffb90A3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0f5e412a-bafc-5518-bca6-0d72ba076778"
+ id = "f2e0959f-3bc6-5552-8f7a-f84672fb597d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10644-L10660"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1bd1960cd6dd8bf83472dc2b1809b84ceb3db68a5e6c3ba68f28ad922230b2ed"
+ logic_hash = "1bd1960cd6dd8bf83472dc2b1809b84ceb3db68a5e6c3ba68f28ad922230b2ed"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -46992,13 +46992,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A2787Fbb4627C91611573E323584113 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4ce05212-6d22-558f-8eb9-e1a405f7493c"
+ id = "64848927-6a60-5ea9-bae5-7d15c3f35ca6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10662-L10678"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_efa352beafb56b95a89554bc8929f8e01a4da46eef1f6cf8a1487a2a06bc1b3e"
+ logic_hash = "efa352beafb56b95a89554bc8929f8e01a4da46eef1f6cf8a1487a2a06bc1b3e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -47017,13 +47017,13 @@ rule REVERSINGLABS_Cert_Blocklist_1D36C4F439D651503589318F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e6fb66f9-acf1-5fe0-bda2-e408a68f6fc6"
+ id = "f72b8e2c-b799-5aec-a69a-e42cdb3e2ae1"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10680-L10696"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_73dc3c01041d50100a8d5519afe1a80f470c30175f9ad1bf76ac287ac199a959"
+ logic_hash = "73dc3c01041d50100a8d5519afe1a80f470c30175f9ad1bf76ac287ac199a959"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -47042,13 +47042,13 @@ rule REVERSINGLABS_Cert_Blocklist_26F855A25890B749578F13E4B9459768 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "cce72c4a-e100-5dc2-ad42-963afb837443"
+ id = "d873b0d4-dff5-5ee2-a70f-b067602b217e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10698-L10714"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_35bfa39ef8f03d10af884f288278ea6ad3aff31cbae111057c2b619c6dc0a752"
+ logic_hash = "35bfa39ef8f03d10af884f288278ea6ad3aff31cbae111057c2b619c6dc0a752"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -47067,13 +47067,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F1Ae2239Bb96C5Aef49D0Ae50266912 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b0664ef1-2178-5e89-82aa-eebc9ef2d2bb"
+ id = "44c878ab-75b2-5cd3-a019-94982a508e0f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10716-L10732"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4f88df4fc2f4cd89aa177ce09caab3e2660267ae883f7ab54c22a9ba1657bad0"
+ logic_hash = "4f88df4fc2f4cd89aa177ce09caab3e2660267ae883f7ab54c22a9ba1657bad0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -47092,13 +47092,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Deea179F5757Fe529043577762419Df : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0f606b37-21db-5153-875b-00599fc32fdb"
+ id = "ef29c813-e914-5766-990f-76c14d18ec79"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10734-L10750"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_67c3d3496caf54ca0b1afc4d1dcc902e2f3632ac6708f85e163d427b567d098f"
+ logic_hash = "67c3d3496caf54ca0b1afc4d1dcc902e2f3632ac6708f85e163d427b567d098f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -47117,13 +47117,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B1F9Ec88D185631Ab032Dbfd5166C0D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "eade6cd2-4b87-5a82-a666-d1c48645e6e8"
+ id = "51c596cd-3033-51ef-914f-310d2bbfbd5f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10752-L10768"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_dec9d43c6911deb5f35c45692bfd6ef47f85d955f5e59041e58a1f0d2fc306e3"
+ logic_hash = "dec9d43c6911deb5f35c45692bfd6ef47f85d955f5e59041e58a1f0d2fc306e3"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -47142,13 +47142,13 @@ rule REVERSINGLABS_Cert_Blocklist_58Af00Ce542760Fc116B41Fa92E18589 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "acd28f30-2705-5456-85ac-cdfeed62b18d"
+ id = "bb58ae8d-ef28-5644-abe8-2d4d8c892e95"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10770-L10786"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0ff773d252e5e0402171ae15d7ab43bcfd313eb8c326ed5f128a89ec43386a52"
+ logic_hash = "0ff773d252e5e0402171ae15d7ab43bcfd313eb8c326ed5f128a89ec43386a52"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -47167,13 +47167,13 @@ rule REVERSINGLABS_Cert_Blocklist_25Ba18A267D6D8E08Ebc6E2457D58D1E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "02a02f47-26a5-5947-b6e8-4cfa74caf29f" + id = "eb06576e-11ea-58ba-aa19-68c161f6aa68" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10788-L10804" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_174fe170c26a8197486e7b390d9fce4da61fb68ee5dc9486d43dbeb3cf659c3a" + logic_hash = "174fe170c26a8197486e7b390d9fce4da61fb68ee5dc9486d43dbeb3cf659c3a" score = 75 quality = 90 tags = "INFO, FILE" @@ -47192,13 +47192,13 @@ rule REVERSINGLABS_Cert_Blocklist_12Df5Ff3460979Cec1288D874A9Fbf83 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fedd2fd6-1a04-5110-a9ed-eea4a52fee73" + id = "9158c9a5-37fc-54bc-9601-3aa347a421ab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10806-L10822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3d4b5e56962d04bc35451eeab4c1870c8653c9afcbb28dc6bad7cfb1711e9df1" + logic_hash = "3d4b5e56962d04bc35451eeab4c1870c8653c9afcbb28dc6bad7cfb1711e9df1" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47217,13 +47217,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df2547B2Cab5689A81D61De80Eaaa3A2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a23a764d-09e1-5fe5-b28a-392ff98ea1a9" + id = "1e76a088-b0f2-54d6-b730-77552c74d7bd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10824-L10842" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cde89ae5b77ff6833fe642bdd74e81763ef068e31c07e7881906e4e4a5939942" + logic_hash = "cde89ae5b77ff6833fe642bdd74e81763ef068e31c07e7881906e4e4a5939942" score = 75 quality = 90 tags = "INFO, FILE" @@ -47242,13 +47242,13 @@ rule REVERSINGLABS_Cert_Blocklist_28B691272719B1Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9bc8c99e-6b00-597f-a7b3-58064657235e" + id = "8f1d125a-de0f-525b-8dac-702bc123cc53" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10844-L10860" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0bd973f415b7cfa0858c705c4486da9f181c7259af01d1cff486fb6b8e8e775b" + logic_hash = "0bd973f415b7cfa0858c705c4486da9f181c7259af01d1cff486fb6b8e8e775b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47267,13 +47267,13 @@ rule REVERSINGLABS_Cert_Blocklist_1C897216E58E83Cbe74Ad03284E1Fb82 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4616de7a-eb1c-5ba4-aad0-e69320438333" + id = "8805805d-312d-5bd4-94da-c18270ac26bf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10862-L10878" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6b3b2708d3a442fa6425e60ae900c94fc22fbfdb47f290ff56e9d349d99fd85f" + logic_hash = "6b3b2708d3a442fa6425e60ae900c94fc22fbfdb47f290ff56e9d349d99fd85f" score = 75 quality = 90 tags = "INFO, FILE" @@ -47292,13 +47292,13 @@ rule REVERSINGLABS_Cert_Blocklist_5A364C4957D93406F76321C2316F42F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "98154f77-c7f8-5982-9dd6-9bdec66eadf6" + id = "49e36ae5-25f0-5e1d-82f0-c7ada2b4d914" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10880-L10896" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fe3a2b906debb3f03e6a403829fca02c751754e9a02442a962c66defb84aed83" + logic_hash = "fe3a2b906debb3f03e6a403829fca02c751754e9a02442a962c66defb84aed83" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47317,13 +47317,13 @@ rule REVERSINGLABS_Cert_Blocklist_E7E7F7180666546Ce7A8Da32119F5Ce1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0d461f01-a0bf-53b5-bbde-329b1b6f692c" + id = "8984ac03-2646-54a1-a6d3-4c2cc72806e7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10898-L10916" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_940f6508208998593f309ffeeeda20ab475d427c952a14871b6e58e17d2a4c85" + logic_hash = "940f6508208998593f309ffeeeda20ab475d427c952a14871b6e58e17d2a4c85" score = 75 quality = 90 tags = "INFO, FILE" @@ -47342,13 +47342,13 @@ rule REVERSINGLABS_Cert_Blocklist_062B2827500C5Df35A83F661B3Af5Dd3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ea1caf0b-8f2f-5ba3-941f-0412e8b054e8" + id = "784c58d9-9a13-5402-867e-c1b144512957" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10918-L10934" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4edc263b08b21428b5f2f4f14f9582c0f96f79cb49fbba563c103bf8bb2037a6" + logic_hash = "4edc263b08b21428b5f2f4f14f9582c0f96f79cb49fbba563c103bf8bb2037a6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47367,13 +47367,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Bf27695Fd20B588F2B2F173B6Caf2Ba : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7730635c-c41d-56f4-a1c2-e38d4a6232f7" + id = "a3e6923a-f2c4-5d7c-aeab-bdb7fe03c597" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10936-L10952" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_94d8739761b6a8ee91550be47432b046609b076aab6e57996de123a0fcaba73e" + logic_hash = "94d8739761b6a8ee91550be47432b046609b076aab6e57996de123a0fcaba73e" score = 75 quality = 90 tags = "INFO, FILE" @@ -47392,13 +47392,13 @@ rule REVERSINGLABS_Cert_Blocklist_1B248C8508042D36Bbd5D92D189C61D8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9698b60c-11a8-5dbe-ab8b-0ce827ca2fd8" + id = "4ad05207-10d1-53c5-8383-a3c71a447ed6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10954-L10970" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2c063d0878a8bf6cd637e1dac2cb9164beb52c951e01858a7c3c9c4c1a853f54" + logic_hash = "2c063d0878a8bf6cd637e1dac2cb9164beb52c951e01858a7c3c9c4c1a853f54" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47417,13 +47417,13 @@ rule REVERSINGLABS_Cert_Blocklist_032660Ee1D49Ad35086027473E2614E5E724 : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b7b2a0ae-aeea-553d-b195-de6ba4f46047" + id = "29cb9255-0a34-58e8-88b2-fad988c7d229" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10972-L10988" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8d1435d2fa70db12cde2f9098e35ca1737f5aac36bac91329b28f03aad090e90" + logic_hash = "8d1435d2fa70db12cde2f9098e35ca1737f5aac36bac91329b28f03aad090e90" score = 75 quality = 90 tags = "INFO, FILE" @@ -47442,13 +47442,13 @@ rule REVERSINGLABS_Cert_Blocklist_043052956E1E6Dbd5F6Ae3D8B82Cad2A2Ed8 : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1f0d8573-6497-573c-95f5-e6c3bcf7997e" + id = "ac09f8ac-fbdd-5989-a7e7-07373a69213b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L10990-L11006" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c29fb109c741437a3739f1c42aadace8f612ef1e3ea90e3e2bdd8a92c85e766a" + logic_hash = "c29fb109c741437a3739f1c42aadace8f612ef1e3ea90e3e2bdd8a92c85e766a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47467,13 +47467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dbc03Ca7E6Ae6Db6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0873c226-3eb9-5734-8288-bba401b5ee23" + id = "a5ac5da6-0bb0-5327-ac3a-b53d2f103fe6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11008-L11026" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0077b9c46ddd98a4929878ba4ba9476ed7fb1d7bf6e30c3ae0f950445d01e8f3" + logic_hash = "0077b9c46ddd98a4929878ba4ba9476ed7fb1d7bf6e30c3ae0f950445d01e8f3" score = 75 quality = 90 tags = "INFO, FILE" @@ -47492,13 +47492,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D27332C3Cb3A382A4Fd232C5C66A2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "66d89af3-9849-5604-a230-c06b62f8748d" + id = "d8390528-ff27-514d-ab89-fd563a19ce3c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11028-L11044" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c1c50015db7f97b530819b40e2578463a6021bfff8e2582858a4c3fbd1a9b9bc" + logic_hash = "c1c50015db7f97b530819b40e2578463a6021bfff8e2582858a4c3fbd1a9b9bc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47517,13 +47517,13 @@ rule REVERSINGLABS_Cert_Blocklist_82D224323Efa65060B641F51Fadfef02 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a84518d6-7f16-58c4-8cea-8e437991316f" + id = "166949cf-dbff-5713-950e-46d1f3edc61f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11046-L11064" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9d361c91ed24b6c20a7b35957e26f208ce8e0a3d79c5a6fed6278acd826ccf49" + logic_hash = "9d361c91ed24b6c20a7b35957e26f208ce8e0a3d79c5a6fed6278acd826ccf49" score = 75 quality = 90 tags = "INFO, FILE" @@ -47542,13 +47542,13 @@ rule REVERSINGLABS_Cert_Blocklist_890570B6B0E2868A53Be3F8F904A88Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e066c464-2128-557a-b663-7d8fdd5a3f30" + id = "681d233c-d5a2-5f25-bdb9-125149a291c4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11066-L11084" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fb7af8ec09da2fecaaaed8c7770966f11ef8a44a131553a9d1412387db2fb7ea" + logic_hash = "fb7af8ec09da2fecaaaed8c7770966f11ef8a44a131553a9d1412387db2fb7ea" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47567,13 +47567,13 @@ rule REVERSINGLABS_Cert_Blocklist_2642Fe865F7566Ce3123A5142C207094 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "15111c86-572b-54fd-a67b-b28d53ab3465" + id = "508d9c00-c209-55b2-9a40-b62ff4d866c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11086-L11102" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1ad4adf8b05a6cc065d289e6963480d37a92712a318744a30a16aad22380f238" + logic_hash = "1ad4adf8b05a6cc065d289e6963480d37a92712a318744a30a16aad22380f238" score = 75 quality = 90 tags = "INFO, FILE" @@ -47592,13 +47592,13 @@ rule REVERSINGLABS_Cert_Blocklist_4A2E337Fff23E5B2A1321Ffde56D1759 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c05ce577-3aeb-54a3-aea0-294fd001bd69" + id = "e5cae614-eff1-5c3d-a7f6-c41b0a2c412e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11104-L11120" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bc2df95ddf1ef3d5f83d14852e1cf6cbf4b71bfbe88fc97c2a4553e8581ddf47" + logic_hash = "bc2df95ddf1ef3d5f83d14852e1cf6cbf4b71bfbe88fc97c2a4553e8581ddf47" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47617,13 +47617,13 @@ rule REVERSINGLABS_Cert_Blocklist_92D9B92F8Cf7A1Ba8B2C025Be730C300 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c37d9ae5-047c-5c28-993e-9c5b36b49a6f" + id = "bc37efaa-9ceb-5079-999f-b3d17c585b1c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11122-L11140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2a0be6157e589705ad19756971bd865edad2d54760d03c2e6f47a461b402ad68" + logic_hash = "2a0be6157e589705ad19756971bd865edad2d54760d03c2e6f47a461b402ad68" score = 75 quality = 90 tags = "INFO, FILE" @@ -47642,13 +47642,13 @@ rule REVERSINGLABS_Cert_Blocklist_B8164F7143E1A313003Ab0C834562F1F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cb0d2973-96e7-5168-b3ae-787210db1e6a" + id = "50d50330-4098-59dd-b2da-0714eefdfc66" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11142-L11160" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a42fec2e0e8d37948420f16907f39c3d502c535be98024d04a777dfbc633004d" + logic_hash = "a42fec2e0e8d37948420f16907f39c3d502c535be98024d04a777dfbc633004d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47667,13 +47667,13 @@ rule REVERSINGLABS_Cert_Blocklist_24E4A2B3Db6Be1007B9Ddc91995Bc0C8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "61a16cf2-4d9e-55c2-ac52-b65f1f840051" + id = "8e533ebf-a124-53a9-8647-6f4b40aaa066" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11162-L11178" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_861691ce7bae4366f3b35d01c84bb0031b54653869f52eaccf20808b1b55d2af" + logic_hash = "861691ce7bae4366f3b35d01c84bb0031b54653869f52eaccf20808b1b55d2af" score = 75 quality = 90 tags = "INFO, FILE" @@ -47692,13 +47692,13 @@ rule REVERSINGLABS_Cert_Blocklist_881573Fc67Ff7395Dde5Bccfbce5B088 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ef82de35-ba21-5c31-8f66-a6253e50b719" + id = "d188c65c-ee7b-586f-95f0-8de5b506c325" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11180-L11198" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ce489a4a2f07181d6fbf295f426deeaf51310e061bac2e56d65b37eeb397ff9a" + logic_hash = "ce489a4a2f07181d6fbf295f426deeaf51310e061bac2e56d65b37eeb397ff9a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47717,13 +47717,13 @@ rule REVERSINGLABS_Cert_Blocklist_53E1F226Cb77574F8Fbeb5682Da091Bb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "42e639e5-ea97-55a6-b8f5-87b48e5c5868" + id = "fe3abe27-c8c8-54b8-b031-0546c9bfda90" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11200-L11216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_591846225d5faf3ee8f3102acaad066f0187219044077bbdaf32345613b00965" + logic_hash = "591846225d5faf3ee8f3102acaad066f0187219044077bbdaf32345613b00965" score = 75 quality = 90 tags = "INFO, FILE" @@ -47742,13 +47742,13 @@ rule REVERSINGLABS_Cert_Blocklist_0772B4D1D63233D2B8771997Bc8Da5C4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5b905af3-6089-5038-84b2-21cd410cfbf7" + id = "fe602ac3-fa34-5056-a2cc-5ae9de728559" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11218-L11234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_30586a643b29f3c943b3f35bb1639c5b9fa48ecbd776775086e35af502aa4a7a" + logic_hash = "30586a643b29f3c943b3f35bb1639c5b9fa48ecbd776775086e35af502aa4a7a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47767,13 +47767,13 @@ rule REVERSINGLABS_Cert_Blocklist_02B6656292310B84022Db5541Bc48Faf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "aec042ca-6aea-527b-948c-fc3ed29066e6" + id = "d679238f-a697-5322-815c-9986c9d24032" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11236-L11252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_40b570b28e10ebd2a1ba515dc3fa45bdb5c0b76044e4dda7a6819976072a67a2" + logic_hash = "40b570b28e10ebd2a1ba515dc3fa45bdb5c0b76044e4dda7a6819976072a67a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -47792,13 +47792,13 @@ rule REVERSINGLABS_Cert_Blocklist_64C2505C7306639Fc8Eae544B0305338 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6fb26699-60f0-513b-b417-54d3a21e8dcb" + id = "b0e4057f-a0e7-5e2e-a47f-dc8188b6b506" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11254-L11270" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9b6fb002d603135391958668be0ef805e441928a035c9c4da4bb9915aa3086e8" + logic_hash = "9b6fb002d603135391958668be0ef805e441928a035c9c4da4bb9915aa3086e8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47817,13 +47817,13 @@ rule REVERSINGLABS_Cert_Blocklist_2F96A89Bfec6E44Dd224E8Fd7E72D9Bb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9668c591-b961-5921-a2e7-f61d3f403f09" + id = "bdca8435-c1fd-598d-bd82-20a3a3b2a959" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11272-L11288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c0c8e5c0e2e120ee6b055e9a6b2af3d424bed0832c2619beab658fe01757f69f" + logic_hash = "c0c8e5c0e2e120ee6b055e9a6b2af3d424bed0832c2619beab658fe01757f69f" score = 75 quality = 90 tags = "INFO, FILE" @@ -47842,13 +47842,13 @@ rule REVERSINGLABS_Cert_Blocklist_B649A966410F62999C939384Af553919 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1ff1c322-c041-55c0-80c2-a06e4a5b736d" + id = "03533c22-eb16-546c-af55-675af9c833ce" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11290-L11308" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_623a2f931198eacf44fd233065e96a4dcadb5b3bbc7ca56df2b6ae9eafc4faa5" + logic_hash = "623a2f931198eacf44fd233065e96a4dcadb5b3bbc7ca56df2b6ae9eafc4faa5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47867,13 +47867,13 @@ rule REVERSINGLABS_Cert_Blocklist_45245Eef53Fcf38169C715Cf68F44452 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1f7a8ecb-4d3d-51ba-8d0f-121da70d4114" + id = "514eac5a-9264-58ef-b4ee-65ec24b43e5a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11310-L11326" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7e0c3147e657802e457f6df271b7f5a64c81fd13f936a8935aa991022e4ab238" + logic_hash = "7e0c3147e657802e457f6df271b7f5a64c81fd13f936a8935aa991022e4ab238" score = 75 quality = 90 tags = "INFO, FILE" @@ -47892,13 +47892,13 @@ rule REVERSINGLABS_Cert_Blocklist_1895433Ee9E2Bd48619D75132262616F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a96f1811-2456-5197-b87f-884a6f661b82" + id = "d7bf59df-708c-5260-bc98-1a86b2c9c988" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11328-L11344" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f00a29ff5dddae40225ab62cb2d4b9dec1539ad58c8cd27d686480eecdb3e31d" + logic_hash = "f00a29ff5dddae40225ab62cb2d4b9dec1539ad58c8cd27d686480eecdb3e31d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47917,13 +47917,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Ffc9825644Caf5B1F521780C5C7F42C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "db9bd835-6aa4-5799-95df-15f7fee0e20a" + id = "3d806d90-e029-5521-b191-6967e2691c0f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11346-L11362" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1a9263c809f5633d01d4d4d0091c8dc214bad73af0eff3c9a94b33bca513f26d" + logic_hash = "1a9263c809f5633d01d4d4d0091c8dc214bad73af0eff3c9a94b33bca513f26d" score = 75 quality = 90 tags = "INFO, FILE" @@ -47942,13 +47942,13 @@ rule REVERSINGLABS_Cert_Blocklist_8D52Fb12A2511E86Bbb0Ba75C517Eab0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2e7965a0-5739-5a3a-afd0-1ac7a851cbe5" + id = "1bc9d36c-381e-5359-bba4-8dd870ed9267" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11364-L11382" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_023830ab3d71ed8ecf8f0e271c56dc267dcd000f5ff156c70d31089cd7010da8" + logic_hash = "023830ab3d71ed8ecf8f0e271c56dc267dcd000f5ff156c70d31089cd7010da8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -47967,13 +47967,13 @@ rule REVERSINGLABS_Cert_Blocklist_332Bd5801E8415585E72C87E0E2Ec71D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "13af634e-c483-50d2-ad81-61c9956705cd" + id = "d251afda-7582-5a00-a100-fd3acff2f995" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11384-L11400" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3648c3a8dbcdbd24746b9fa8cb3071d5f5019e5917848d88437158c6cb165445" + logic_hash = "3648c3a8dbcdbd24746b9fa8cb3071d5f5019e5917848d88437158c6cb165445" score = 75 quality = 90 tags = "INFO, FILE" @@ -47992,13 +47992,13 @@ rule REVERSINGLABS_Cert_Blocklist_E3B80C0932B52A708477939B0D32186F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0d0af87c-0d2f-593e-b64b-c5e63b5c83a4" + id = "e7cdf040-3fe2-55ed-8f66-702fb4455653" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11402-L11420" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_acdfce4dc25cbc9e9817453d5cf56c7d319bebdf7a039ea47412ec3b2f68cb02" + logic_hash = "acdfce4dc25cbc9e9817453d5cf56c7d319bebdf7a039ea47412ec3b2f68cb02" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48017,13 +48017,13 @@ rule REVERSINGLABS_Cert_Blocklist_C79F817F082986Bef3209F6723C8Da97 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a33e037e-771a-57d8-8f13-8110ea6d4e98" + id = "b3978831-57d6-5f25-a271-fa4f449d37b3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11422-L11440" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a5960f4c2ed768ccc5779d3754f51463c7b14a3a887c690944add23fba464f1a" + logic_hash = "a5960f4c2ed768ccc5779d3754f51463c7b14a3a887c690944add23fba464f1a" score = 75 quality = 90 tags = "INFO, FILE" @@ -48042,13 +48042,13 @@ rule REVERSINGLABS_Cert_Blocklist_1E5Efa53A14599Cc82F56F0790E20B17 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "be062650-19f7-54f9-85ff-ed0a4719b570" + id = "f87dac0c-4b46-5b30-a715-f21e7c3a98e0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11442-L11458" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_78cbfeb5d7b58029a5b4107f2a59e892ff9d71788cf74e88ac823cb85ba35a94" + logic_hash = "78cbfeb5d7b58029a5b4107f2a59e892ff9d71788cf74e88ac823cb85ba35a94" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48067,13 +48067,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Cf2D0B5Bfdd68Cf777A0C12F806A569 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cdb94df6-21f7-5032-bb76-2cda0df1fafd" + id = "2900c6ae-9e61-5bad-a7b4-b8eca925a1ea" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11460-L11476" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4d8fd52cd12f9512c0b148f9915860152f108884d29617a5fbfd62500d3a14c4" + logic_hash = "4d8fd52cd12f9512c0b148f9915860152f108884d29617a5fbfd62500d3a14c4" score = 75 quality = 90 tags = "INFO, FILE" @@ -48092,13 +48092,13 @@ rule REVERSINGLABS_Cert_Blocklist_F675139Ea68B897A865A98F8E4611F00 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d972345a-5f3c-59c7-b8c0-3a34fe98e4f4" + id = "3bac20a3-1415-53af-9d04-a30aa7488dd7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11478-L11496" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2306e90d376f5de8a4eb6d4a696bc1781686d7094cb0a2db48019ee93c1bf60a" + logic_hash = "2306e90d376f5de8a4eb6d4a696bc1781686d7094cb0a2db48019ee93c1bf60a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48117,13 +48117,13 @@ rule REVERSINGLABS_Cert_Blocklist_4728189Fa0F57793484Cdf764F5E283D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "52ee03fb-d843-5946-b313-9bbeff513ba0" + id = "fd1b83aa-bfcc-590c-8f97-875badf09698" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11498-L11514" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9ec7e84c77583bd52ccfb8d6d5831f3634ed0a401d8103376c4775b7f2c43d81" + logic_hash = "9ec7e84c77583bd52ccfb8d6d5831f3634ed0a401d8103376c4775b7f2c43d81" score = 75 quality = 90 tags = "INFO, FILE" @@ -48142,13 +48142,13 @@ rule REVERSINGLABS_Cert_Blocklist_9Bd81A9Adaf71F1Ff081C1F4A05D7Fd7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4f23229b-d59e-50b8-bd6f-00a04e3f5e23" + id = "727167de-5678-558d-b948-8a40839d0500" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11516-L11534" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e275a1fd2eb931030fa8b5fc11cd1b335835aaa553a42455053cb93fef5e6e72" + logic_hash = "e275a1fd2eb931030fa8b5fc11cd1b335835aaa553a42455053cb93fef5e6e72" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48167,13 +48167,13 @@ rule REVERSINGLABS_Cert_Blocklist_C81319D20C6F1F1Aec3398522189D90C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ff0ab7f9-c8fd-5012-960a-d1d8106a4c52" + id = "0a196a18-002e-58e4-bff2-83d1a67a82ce" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11536-L11554" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2a9f13f5e79a12f7e9d9d4a0dcaac065e1fc5167c67bc9f3fd7ba1c374b26d96" + logic_hash = "2a9f13f5e79a12f7e9d9d4a0dcaac065e1fc5167c67bc9f3fd7ba1c374b26d96" score = 75 quality = 90 tags = "INFO, FILE" @@ -48192,13 +48192,13 @@ rule REVERSINGLABS_Cert_Blocklist_C318D876768258A696Ab9Dd825E27Acd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b5ae8c40-659c-52ca-a1b0-258722255725" + id = "c6e93547-5be0-5303-b537-655db3d78ad4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11556-L11574" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_691b57929c93d14f8700e0e61170b9248499fd36b80aec90f2054c32d6a3a9eb" + logic_hash = "691b57929c93d14f8700e0e61170b9248499fd36b80aec90f2054c32d6a3a9eb" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48217,13 +48217,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Df5C318759D6Ea9D090Bfb2Faf1D94 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d44d8da2-8b08-5830-bf55-4231a6164e7b" + id = "a61e61c1-9fa0-5fd9-b197-bb9d1b68c8f4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11576-L11592" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5f151ee5781a15cca4394fdd8200162eae47e9d088a0b1551c9ed22ce11473a2" + logic_hash = "5f151ee5781a15cca4394fdd8200162eae47e9d088a0b1551c9ed22ce11473a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -48242,13 +48242,13 @@ rule REVERSINGLABS_Cert_Blocklist_02De1Cc6C487954592F1Bf574Ca2B000 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ed675082-efc7-5af7-a92f-3d5aed9c3627" + id = "2a15d527-7f42-5c56-9740-9c2503a66f4f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11594-L11610" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_40b78005d343684d08bb93e92c51eee10e674e8deb9eec290bc9ffe3b23061b1" + logic_hash = "40b78005d343684d08bb93e92c51eee10e674e8deb9eec290bc9ffe3b23061b1" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48267,13 +48267,13 @@ rule REVERSINGLABS_Cert_Blocklist_A32B8B4F1Be43C23Eb2848Ab4Ef06Bb2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e1f3cd90-6e0d-5dfd-a58d-a43987d41163" + id = "2ced71bb-622c-5597-91c3-210b9b5f3a4e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11612-L11630" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dd7d44349baaf4a2e2f61b38cef31f288110bb03944fd4593f52a0ab03b9d172" + logic_hash = "dd7d44349baaf4a2e2f61b38cef31f288110bb03944fd4593f52a0ab03b9d172" score = 75 quality = 90 tags = "INFO, FILE" @@ -48292,13 +48292,13 @@ rule REVERSINGLABS_Cert_Blocklist_626735Ed30E50E3E0553986D806Bfc54 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "67900877-237c-5132-92d0-7281d809c465" + id = "e0cfc0e6-b36e-5d4e-bfe6-21f13499dc0c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11632-L11648" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0a2acf8528a12fd05cf58c2ed5224f7472d14251b342ce4df6d9c10c6a6decfc" + logic_hash = "0a2acf8528a12fd05cf58c2ed5224f7472d14251b342ce4df6d9c10c6a6decfc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48317,13 +48317,13 @@ rule REVERSINGLABS_Cert_Blocklist_34D42E871Ddb1C92Fa20B55B384E1259 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "57fabc29-a599-598d-b898-07cab35c0595" + id = "98a8f4b0-08d0-5e09-b46e-74b46f4df223" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11650-L11666" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8af5f4abe6425713b7c1fd17deaa78b2cfd6ef73ad960bce883e95661c2dbb56" + logic_hash = "8af5f4abe6425713b7c1fd17deaa78b2cfd6ef73ad960bce883e95661c2dbb56" score = 75 quality = 90 tags = "INFO, FILE" @@ -48342,13 +48342,13 @@ rule REVERSINGLABS_Cert_Blocklist_08D4Dc90047B8470Ccaf3924Dfbd8B5F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "62cd657f-836e-5569-b960-8f61efee5eea" + id = "2abe218a-1d93-5efe-9878-4314cf9ecdf7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11668-L11684" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_569db2f6d6f4da9985c57812a03f91bce88f2150b17659249e0f746a0d15150b" + logic_hash = "569db2f6d6f4da9985c57812a03f91bce88f2150b17659249e0f746a0d15150b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48367,13 +48367,13 @@ rule REVERSINGLABS_Cert_Blocklist_C2Fc83D458E653837Fcfc132C9B03062 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "897fe729-78d0-570d-bc6c-91bf6adb0ce0" + id = "135d638c-9ee5-52cf-a6e7-c12e4feef594" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11686-L11704" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_836cec8d8396680dd64f95d4dd41f7f5876cb4268d983238a01d2e0990cce74a" + logic_hash = "836cec8d8396680dd64f95d4dd41f7f5876cb4268d983238a01d2e0990cce74a" score = 75 quality = 90 tags = "INFO, FILE" @@ -48392,13 +48392,13 @@ rule REVERSINGLABS_Cert_Blocklist_54C793D2224Bdd6Ca527Bb2B7B9Dfe9D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ab6f81d5-d8b0-591b-ae39-e539bb769c11" + id = "80e92980-f4eb-5ac2-9f68-14c352758791" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11706-L11722" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_81c9c1d841d4aae3de229cc499ee84920d89928590a3eb157f7a7a7fbc46b4a8" + logic_hash = "81c9c1d841d4aae3de229cc499ee84920d89928590a3eb157f7a7a7fbc46b4a8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48417,13 +48417,13 @@ rule REVERSINGLABS_Cert_Blocklist_8Cece6Df54Cf6Ad63596546D77Ba3581 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55d885c1-2f77-5910-b67e-5f391cbcc788" + id = "bde12eeb-c4f8-5da3-8493-0f94cb1bf1f7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11724-L11742" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d6b5bca36ef492ce9b79be905c86c66d43ef38701dafeed977229034119bd00d" + logic_hash = "d6b5bca36ef492ce9b79be905c86c66d43ef38701dafeed977229034119bd00d" score = 75 quality = 90 tags = "INFO, FILE" @@ -48442,13 +48442,13 @@ rule REVERSINGLABS_Cert_Blocklist_984E84Cfe362E278F558E2C70Aaafac2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ec27ad99-875c-57a7-a7d5-2dbbedcda07c" + id = "180f1209-7031-50fb-b1fc-3d357f2b73a1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11744-L11762" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e7a8f3dff77121df53d5f932f861e15208b0607ba77712f40927bc14b17a53cd" + logic_hash = "e7a8f3dff77121df53d5f932f861e15208b0607ba77712f40927bc14b17a53cd" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48467,13 +48467,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ff52Eb011Bb748Fee75153Cbe1E50Dd6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b91076c1-3d05-5bfe-964c-cd514c430809" + id = "acd29c6d-27ed-587a-b17c-989e69082434" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11764-L11782" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8c80ed4e4f77df34ff9fcc712deda4c1bbedc588f2b01d02aa705e368fb98c5e" + logic_hash = "8c80ed4e4f77df34ff9fcc712deda4c1bbedc588f2b01d02aa705e368fb98c5e" score = 75 quality = 90 tags = "INFO, FILE" @@ -48492,13 +48492,13 @@ rule REVERSINGLABS_Cert_Blocklist_84A4A0D0657E217B176B455E2465Aee0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "12cd8fe8-8ea5-561a-83af-24dc36223814" + id = "1484a28d-ce7c-506f-8cbb-73ac541a0907" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11784-L11802" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_92f6e90bd21182bece68ac1651105f96a18c5b1497d30e0040a978e349341bdb" + logic_hash = "92f6e90bd21182bece68ac1651105f96a18c5b1497d30e0040a978e349341bdb" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48517,13 +48517,13 @@ rule REVERSINGLABS_Cert_Blocklist_B8F726508Cf1D7B7913Bf4Bbd1E5C19C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "87f4f7ec-ef6d-50c7-b152-230c9b682ef9" + id = "eb441b57-0f28-5609-b987-157e1f026b0c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11804-L11822" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ec05c7e41e309aff00ae819c63f5bdc8e4172c611779da345efd211e48c9efb1" + logic_hash = "ec05c7e41e309aff00ae819c63f5bdc8e4172c611779da345efd211e48c9efb1" score = 75 quality = 90 tags = "INFO, FILE" @@ -48542,13 +48542,13 @@ rule REVERSINGLABS_Cert_Blocklist_6A241Ffe96A6349Df608D22C02942268 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "04b9ed66-a10b-5b04-be34-e48f21286c02" + id = "8a8decfe-c91a-562c-9376-462cab598373" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11824-L11840" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_79db8be7ca3ed80eb1e3a9401e8fec2b83da8b95b16789ed0b59bb7f4639a94d" + logic_hash = "79db8be7ca3ed80eb1e3a9401e8fec2b83da8b95b16789ed0b59bb7f4639a94d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48567,13 +48567,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa1D84779792B57F91Fe7A4Bde041942 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d68e973c-9d18-5641-a8b2-ed024aab9668" + id = "8ec25296-2e51-53ec-a2f5-a25961079c27" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11842-L11860" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_682af8c799acaca531724c5b3184b855e64ec4531fcc333a485ba2f63331cdae" + logic_hash = "682af8c799acaca531724c5b3184b855e64ec4531fcc333a485ba2f63331cdae" score = 75 quality = 90 tags = "INFO, FILE" @@ -48592,13 +48592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3C98B6872Fbb1F4Ae37A4Caa749D24C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "432a3407-6e11-5e85-b87e-74bdc9e04324" + id = "f4cc9c94-eb96-5380-9e12-cab5ec010ab8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11862-L11878" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c534ad306f85e12eca2336e998120deb4ba8d0d63b8331986ec7fe4ac69ba65a" + logic_hash = "c534ad306f85e12eca2336e998120deb4ba8d0d63b8331986ec7fe4ac69ba65a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48617,13 +48617,13 @@ rule REVERSINGLABS_Cert_Blocklist_E4E795Fd1Fd25595B869Ce22Aa7Dc49F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c6e80a3e-99b9-585f-8064-ff9db4c31d15" + id = "9c6d2be7-093c-5ce2-83af-6ab9b46603bc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11880-L11898" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ced47bd69b58de9e6b2aa7518ccceca088884acb79c0803c3defe6b115a0abb6" + logic_hash = "ced47bd69b58de9e6b2aa7518ccceca088884acb79c0803c3defe6b115a0abb6" score = 75 quality = 90 tags = "INFO, FILE" @@ -48642,13 +48642,13 @@ rule REVERSINGLABS_Cert_Blocklist_E953Ada7E8F1438E5F7680Ff599Ae43E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5a81c0df-5a12-55e1-91d4-730b26e3df61" + id = "2bce88d4-24e6-59e5-ae02-5284ec43cfa4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11900-L11918" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7cb7d77abefd35f0756c5aa0983f7403cca4cbacd94dcc6b510c929bc96c8309" + logic_hash = "7cb7d77abefd35f0756c5aa0983f7403cca4cbacd94dcc6b510c929bc96c8309" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48667,13 +48667,13 @@ rule REVERSINGLABS_Cert_Blocklist_28C57Df09Ce7Cc3Fde2243Beb4D00101 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "feb45241-c3a1-5e5c-83ec-aacb03fc7367" + id = "63e2edab-11a4-55ba-b042-c88b6d2750a5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11920-L11936" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_84402dc0a58fca36424d8d6d13c60b80342bb3792f4e32e23878530264358726" + logic_hash = "84402dc0a58fca36424d8d6d13c60b80342bb3792f4e32e23878530264358726" score = 75 quality = 90 tags = "INFO, FILE" @@ -48692,13 +48692,13 @@ rule REVERSINGLABS_Cert_Blocklist_2D8Cfcf04209Dc7F771D8D18E462C35A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dd246d9a-57a1-5cb1-9719-796f6a194b36" + id = "5ce5c076-87de-50f0-9fa1-a3efef8dd7f8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11938-L11954" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2b784e46268d78046365400ef914d7ca673503c93962d0b0740ca2ac9faf7857" + logic_hash = "2b784e46268d78046365400ef914d7ca673503c93962d0b0740ca2ac9faf7857" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48717,13 +48717,13 @@ rule REVERSINGLABS_Cert_Blocklist_016836311Fc39Fbb8E6F308Bb03Cc2B3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f354d7bd-8f9c-5a17-9c98-0d87f4d9b579" + id = "2c4061e8-0b8e-5c33-a746-6557449b17ed" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11956-L11972" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c5f6372a207d02283840e745619e93194d954eedff7bae34aadcb645b1cb78fc" + logic_hash = "c5f6372a207d02283840e745619e93194d954eedff7bae34aadcb645b1cb78fc" score = 75 quality = 90 tags = "INFO, FILE" @@ -48742,13 +48742,13 @@ rule REVERSINGLABS_Cert_Blocklist_435Abf46053A0A445C54217A8C233A7F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "881fed2a-69c9-5a0c-b11f-710864626229" + id = "538d7405-be17-519e-beb5-fbef3beaedd3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11974-L11990" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_839f55e8fe7a86aad406e657fdef48925543b5d3884927104fd3786444a8fccc" + logic_hash = "839f55e8fe7a86aad406e657fdef48925543b5d3884927104fd3786444a8fccc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48767,13 +48767,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2F9C693A2E6634565F63C79B01Dd8F8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9bc8ada3-10ff-585f-887e-56ceb7403c21" + id = "c094666a-0bb3-5cb6-82a8-3074b9eed32b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L11992-L12010" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f5ec67c082be21a2495ef90fd0a6d4fc4b1379c4903dcc051d39cf1913d5cf20" + logic_hash = "f5ec67c082be21a2495ef90fd0a6d4fc4b1379c4903dcc051d39cf1913d5cf20" score = 75 quality = 90 tags = "INFO, FILE" @@ -48792,13 +48792,13 @@ rule REVERSINGLABS_Cert_Blocklist_54A6D33F73129E0Ef059Ccf51Be0C35E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "62b0e468-c1c1-5ff1-b14a-b77215bbf838" + id = "1cf2bda8-05e6-5f0a-a28a-2f5fa02775c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12012-L12028" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6fbed9c8537ea2baeb58044a934fc9741730b8a3ae4d059c23b033973d7ff7d3" + logic_hash = "6fbed9c8537ea2baeb58044a934fc9741730b8a3ae4d059c23b033973d7ff7d3" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48817,13 +48817,13 @@ rule REVERSINGLABS_Cert_Blocklist_142Aac4217E22B525C8587589773Ba9B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2d2e7993-68c0-5235-8181-a9f7caf682d0" + id = "488be2f7-e3d4-51e3-b7bb-142caa7b2bd5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12030-L12046" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f169925c27f5e0f8d5f658b83d1b9fa4548c4443b16bd4d7f87aa2b8e44bf06b" + logic_hash = "f169925c27f5e0f8d5f658b83d1b9fa4548c4443b16bd4d7f87aa2b8e44bf06b" score = 75 quality = 90 tags = "INFO, FILE" @@ -48842,13 +48842,13 @@ rule REVERSINGLABS_Cert_Blocklist_239664C12Baeb5A6D787912888051392 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0ce448fd-88ba-5685-bf12-b248d0246278" + id = "4d24a880-6fa5-5c22-875e-29f4985e3750" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12048-L12064" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ab2c228088a4c11b3a0f1a5f0acf181cc31e548781cb3f1205475bfbe39c7236" + logic_hash = "ab2c228088a4c11b3a0f1a5f0acf181cc31e548781cb3f1205475bfbe39c7236" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48867,13 +48867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0218Ebfd5A9Bfd55D2F661F0D18D1D71 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6c943e3c-e449-5602-86ae-7a809a1477b0" + id = "d03619c7-c4e8-57bd-a19e-1452ab7a76df" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12066-L12082" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4aabe3beab0055b6ef8f6114c5236940f5693b44e94efd14132b450bb9232c03" + logic_hash = "4aabe3beab0055b6ef8f6114c5236940f5693b44e94efd14132b450bb9232c03" score = 75 quality = 90 tags = "INFO, FILE" @@ -48892,13 +48892,13 @@ rule REVERSINGLABS_Cert_Blocklist_35590Ebe4A02Dc23317D8Ce47A947A9B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "88c6aaf7-cf17-5d14-9d21-75ab65e18702" + id = "2f72a686-c30c-572d-a78c-03747ac325b6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12084-L12100" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2d4bc88943cdc8af00effab745e64e60ef662c668a0b2193c256d11831ef1554" + logic_hash = "2d4bc88943cdc8af00effab745e64e60ef662c668a0b2193c256d11831ef1554" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48917,13 +48917,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aa07D4F2857119Cee514A0Bd412F8201 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7037358-2bb2-52e6-8644-f7c9f5089211" + id = "6bb83f26-90f5-587f-8c69-fa06beaead3e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12102-L12120" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fbbea89f2070b2a527bba6199022fbffd269e664b000988a59adf4ca0d4a9f22" + logic_hash = "fbbea89f2070b2a527bba6199022fbffd269e664b000988a59adf4ca0d4a9f22" score = 75 quality = 90 tags = "INFO, FILE" @@ -48942,13 +48942,13 @@ rule REVERSINGLABS_Cert_Blocklist_40F5660A90301E7A8A8C3B42 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0b41b94c-b144-5daf-bc7a-9a9553348216" + id = "c47bb4f0-d60b-5948-ac10-6083606ed46a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12122-L12138" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3573d1d5f11df106f1f6f44f8b0164992f2a50707c6df7b08b05ed9ea7d9173b" + logic_hash = "3573d1d5f11df106f1f6f44f8b0164992f2a50707c6df7b08b05ed9ea7d9173b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -48967,13 +48967,13 @@ rule REVERSINGLABS_Cert_Blocklist_0400C7614F86D75Fe4Ee3F6192B6Feda : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c4fd7da9-8811-5288-8c4d-af4fb4e1f55e" + id = "500c9604-cc07-52b1-8c46-09894d132205" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12140-L12156" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_47735267e9a0fb8107f6c4008bacc8aada1705f6714a0447dacc3928fc20cad6" + logic_hash = "47735267e9a0fb8107f6c4008bacc8aada1705f6714a0447dacc3928fc20cad6" score = 75 quality = 90 tags = "INFO, FILE" @@ -48992,13 +48992,13 @@ rule REVERSINGLABS_Cert_Blocklist_E573D9C8B403C41Bd59Ffa0A8Efd4168 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c83ef41c-6a99-575c-b301-7f6b801881b6" + id = "2e799dd9-d143-55a7-9d07-d5f289477b24" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12158-L12176" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_425126b90fe2ab7c1ec7bf2fd5a91e4438a81992f20f99ed87ec62e7f20043cd" + logic_hash = "425126b90fe2ab7c1ec7bf2fd5a91e4438a81992f20f99ed87ec62e7f20043cd" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49017,13 +49017,13 @@ rule REVERSINGLABS_Cert_Blocklist_B06Bc166Fc765Dacd2F7448C8Cdd9205 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8ec2b868-8380-5bbe-aa66-cc4bc34e4879" + id = "4b27c958-58f1-5fbd-8a39-aedfe4dafe39" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12178-L12196" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2c47166f02c7f94bb4f82296e3220ff7ca3c6c53566d855b2fe77cb842a5fb43" + logic_hash = "2c47166f02c7f94bb4f82296e3220ff7ca3c6c53566d855b2fe77cb842a5fb43" score = 75 quality = 90 tags = "INFO, FILE" @@ -49042,13 +49042,13 @@ rule REVERSINGLABS_Cert_Blocklist_E9268Ed63A7D7E9Dfd40A664Ddfbaf18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c81a9978-cd84-5148-8b0b-6b24389d59c3" + id = "a93b0a98-cfec-5e32-9fd8-b3d6c4353558" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12198-L12216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fc840c0b37867c3b0aa80d4dc609feaaab77d3f0c6f84c8bb2ea7c5a6461ebb8" + logic_hash = "fc840c0b37867c3b0aa80d4dc609feaaab77d3f0c6f84c8bb2ea7c5a6461ebb8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49067,13 +49067,13 @@ rule REVERSINGLABS_Cert_Blocklist_425Dc3E0Ca8Bcdce19D00D87E3F0Ba28 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2c04cd8b-05ae-5616-b717-3e22e0f2b23f" + id = "df6e1403-c300-5d97-b57d-dc70d61b2229" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12218-L12234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_67a975f2806825bf0da27fcaf33c2ff497fe9bb2af12c22ff505b49070516960" + logic_hash = "67a975f2806825bf0da27fcaf33c2ff497fe9bb2af12c22ff505b49070516960" score = 75 quality = 90 tags = "INFO, FILE" @@ -49092,13 +49092,13 @@ rule REVERSINGLABS_Cert_Blocklist_Afc0Ddb7Bdc8207E8C3B7204018Eecd3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "14f74bb2-4c87-5913-a73e-d27e65d05171" + id = "73f4d6e2-6924-59fa-8ec1-305f2d5dc5a3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12236-L12254" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_302e2d6b31ca5c2c33c4ec7294630fd88a9c40f70ddecdc606ccff27b24e1cd4" + logic_hash = "302e2d6b31ca5c2c33c4ec7294630fd88a9c40f70ddecdc606ccff27b24e1cd4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49117,13 +49117,13 @@ rule REVERSINGLABS_Cert_Blocklist_38989Ec61Ecdb7391Ff5647F7D58Ad18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9bce9c96-4e4e-517a-98ab-6f6d485f31c8" + id = "1841bbd1-4c7a-5b89-8c63-58d8a3ae1cef" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12256-L12272" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1795812d4daa458b157280cac7a9b13e9b67a2d78eac077691bbce2bf8aeec34" + logic_hash = "1795812d4daa458b157280cac7a9b13e9b67a2d78eac077691bbce2bf8aeec34" score = 75 quality = 90 tags = "INFO, FILE" @@ -49142,13 +49142,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bc6C43D206A360F2D6B58537C456B709 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d334902e-8ee4-58c7-8bba-88c82d2884df" + id = "fd19ce61-056b-549a-946e-72543ff1f7c0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12274-L12292" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_eb5288d2b96ff7a7783c2b2b02f9f1168784352ed84ad6463dce00c12daca6cb" + logic_hash = "eb5288d2b96ff7a7783c2b2b02f9f1168784352ed84ad6463dce00c12daca6cb" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49167,13 +49167,13 @@ rule REVERSINGLABS_Cert_Blocklist_4929Ab561C812Af93Ddb9758B545F546 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "111aa066-48be-5dfc-b3bc-3aa20788952b" + id = "6e8ffb39-d00d-54ca-a4be-68f6dd92d798" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12294-L12310" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_12235e324b92b83e9cfaed7cbcff5d093b8b1d7528dd5ac327159cde6e9a4d1f" + logic_hash = "12235e324b92b83e9cfaed7cbcff5d093b8b1d7528dd5ac327159cde6e9a4d1f" score = 75 quality = 90 tags = "INFO, FILE" @@ -49192,13 +49192,13 @@ rule REVERSINGLABS_Cert_Blocklist_25C6Dbce3D5499F65D9Df16E9007465D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fc20b80a-d556-55b6-b214-29763d101909" + id = "f6d0808d-4748-5b9f-9be2-7753292a6209" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12312-L12328" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_978f05f86734c63afe1e5929a58f3cfff75ef749ffda07252db90b6fe12508ec" + logic_hash = "978f05f86734c63afe1e5929a58f3cfff75ef749ffda07252db90b6fe12508ec" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49217,13 +49217,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bc6A1812E001362469541108973Bbd52 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "159aa768-7dfe-537e-a1d8-025f969607c6" + id = "ac5ac6d7-898b-5547-8d35-a483f20edcd6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12330-L12348" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9b678e9fb1e1eda3ac8e027b5e449af446de4379fea46ef7ff820240c73795ee" + logic_hash = "9b678e9fb1e1eda3ac8e027b5e449af446de4379fea46ef7ff820240c73795ee" score = 75 quality = 90 tags = "INFO, FILE" @@ -49242,13 +49242,13 @@ rule REVERSINGLABS_Cert_Blocklist_Bde1D6Dc3622724F427A39E6A34F5124 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f15afc5b-4f70-5f63-b05e-954111ee4bb8" + id = "6b6958c0-3b43-5c17-9354-d0e2326b97fd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12350-L12368" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f1cf0b6855269a771447a0b38f4a02996b6527d7df4b143b69598ed591719ca0" + logic_hash = "f1cf0b6855269a771447a0b38f4a02996b6527d7df4b143b69598ed591719ca0" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49267,13 +49267,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C9F5F96726A6E6Fc3B8Bb153Ac82Af2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "934a96ce-f689-5298-b18b-788bd1fa89a9" + id = "f7619c39-33a0-5f99-b911-9d8a61a4683d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12370-L12386" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a61bcc4a90a75a429366e3f93929005b67325eccc6cad3df6b7a0c3692597828" + logic_hash = "a61bcc4a90a75a429366e3f93929005b67325eccc6cad3df6b7a0c3692597828" score = 75 quality = 90 tags = "INFO, FILE" @@ -49292,13 +49292,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E889Bb3B7F7194B674C6A0335A608E0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6ae78275-2be3-59bb-88ec-93208909baaf" + id = "d164846d-9552-5108-8b01-1b4b3e7c0b60" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12388-L12404" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fa2a47f4fb822089fcc958850ce516c8c5d95a6d9b575f3b1d1d4a2ceb2537e4" + logic_hash = "fa2a47f4fb822089fcc958850ce516c8c5d95a6d9b575f3b1d1d4a2ceb2537e4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49317,13 +49317,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F62F760704Bdf8Dc30C7Baa7376F484 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "634f9d1f-d240-56bc-be19-ce74592a9159" + id = "fe326fb9-fe1e-5fc9-8599-6b4cfd6506dd" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12406-L12422" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d54d52e116b9404782ce80664f218d2e142577dac672c53c41b82f0466c7375a" + logic_hash = "d54d52e116b9404782ce80664f218d2e142577dac672c53c41b82f0466c7375a" score = 75 quality = 90 tags = "INFO, FILE" @@ -49342,13 +49342,13 @@ rule REVERSINGLABS_Cert_Blocklist_071202Dbfda40B629C5E7Acac947C2D3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7097c3a6-0d4d-59ca-b12e-f9e5779e86f7" + id = "4206c383-0e6d-5129-8e6a-05bd54c48e65" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12424-L12440" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cc51b0ae6a59f68e61ee0b4ff33ea0e1ee9ef04e4c994e1c98da6befab62a5b9" + logic_hash = "cc51b0ae6a59f68e61ee0b4ff33ea0e1ee9ef04e4c994e1c98da6befab62a5b9" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49367,13 +49367,13 @@ rule REVERSINGLABS_Cert_Blocklist_98Ab9585C04D7F0E4Cf4De98C14B684D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3e67a2b3-3330-5c2a-998d-1895eb8c7587" + id = "445bb30e-e021-5a75-a47e-29fa567acfa5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12442-L12460" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ba43dd15b13623bb99d88c93fb9e751deb95a546325a1142d9137b25430d07fd" + logic_hash = "ba43dd15b13623bb99d88c93fb9e751deb95a546325a1142d9137b25430d07fd" score = 75 quality = 90 tags = "INFO, FILE" @@ -49392,13 +49392,13 @@ rule REVERSINGLABS_Cert_Blocklist_4631713E66E91347F0388B98Cf747794 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3edec0d8-76ac-51fe-af6d-d9b178dc6246" + id = "6c541522-98ab-5acb-af84-c005c9721e1f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12462-L12478" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cb517cda67150b7e17ee3bd946903e8e8eca81742a362032249a2f2387e71c50" + logic_hash = "cb517cda67150b7e17ee3bd946903e8e8eca81742a362032249a2f2387e71c50" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49417,13 +49417,13 @@ rule REVERSINGLABS_Cert_Blocklist_E963F8983D21B4C1A69C66A9D37498E5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7c0d882a-3925-539d-8e9f-8fe84707f98e" + id = "4cbc6cc9-1795-5d43-84a1-dd835d7ef349" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12480-L12498" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b7c715e28f003351d10ba53657e9e667b635a0e4433276d91d26f4482a61191d" + logic_hash = "b7c715e28f003351d10ba53657e9e667b635a0e4433276d91d26f4482a61191d" score = 75 quality = 90 tags = "INFO, FILE" @@ -49442,13 +49442,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E44Fcedd49F22F7A28Cecc99104F61A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dda8c05f-ecc7-5b55-a454-6ab57e7cefd5" + id = "b69a4e06-a732-5462-b2b1-bdde3fd34e31" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12500-L12516" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_caff0cbca45c0dffb673367585824783371f2f4e31a0c9629afb7de708098892" + logic_hash = "caff0cbca45c0dffb673367585824783371f2f4e31a0c9629afb7de708098892" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49467,13 +49467,13 @@ rule REVERSINGLABS_Cert_Blocklist_35B49Ee870Aea532E6Ef0A4987105C8F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "14dcc331-43e4-5ee7-ae1c-d62b802f8308" + id = "88dedb69-52f4-59d3-b397-6a091a866cc5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12518-L12534" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a9d8e9db453f40e32a0cb6412db8885db54053fdf3d7908b884361a493f97b1f" + logic_hash = "a9d8e9db453f40e32a0cb6412db8885db54053fdf3d7908b884361a493f97b1f" score = 75 quality = 90 tags = "INFO, FILE" @@ -49492,13 +49492,13 @@ rule REVERSINGLABS_Cert_Blocklist_063Dcd7D7B0Bc77Cac844C7213Be3989 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dd4dea05-3c12-5659-831f-90f5b4a80d39" + id = "1bf4b84b-4a32-5908-8ccb-9fce2e5944e6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12536-L12552" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_091d00b0731f0a3d9917eee945249f001e4b5b1b603cad2fc21eed70ec86aa99" + logic_hash = "091d00b0731f0a3d9917eee945249f001e4b5b1b603cad2fc21eed70ec86aa99" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49517,13 +49517,13 @@ rule REVERSINGLABS_Cert_Blocklist_6F8777Aa866142Ad7120E5E1C9321E37 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9a49260d-870d-5ae2-af26-ad38a93e5a05" + id = "ace8a8b4-5288-56c4-bd47-9eb42ea41ecb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12554-L12570" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ca3ff0c7192ba90932d35d053712816555dea051ce15d29a7ccf4e37da989899" + logic_hash = "ca3ff0c7192ba90932d35d053712816555dea051ce15d29a7ccf4e37da989899" score = 75 quality = 90 tags = "INFO, FILE" @@ -49542,13 +49542,13 @@ rule REVERSINGLABS_Cert_Blocklist_4A7F07C5D4Ad2E23F9E8E03F0E229Dd4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5b1caafb-229f-5223-b8a8-bfb713f4ab47" + id = "76be58d9-d1a3-5dec-807e-941714be80f9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12572-L12588" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6dc2bfac77117e294cacc772f7bfaea8b2e3caa26a0afd3729d517e91ca20ea5" + logic_hash = "6dc2bfac77117e294cacc772f7bfaea8b2e3caa26a0afd3729d517e91ca20ea5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49567,13 +49567,13 @@ rule REVERSINGLABS_Cert_Blocklist_F5F9C8F8C33E4Ce84Dd48Fcb03Ccb075 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4faae355-3ea8-55f2-a9f6-81c299cc5aa1" + id = "74203aa1-e5d0-59d9-b9f8-b79f5fbe271e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12590-L12608" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ac3bab3f5a93099f39b0862b419346d1eb3d0f75d86e121ba30626d496c46c57" + logic_hash = "ac3bab3f5a93099f39b0862b419346d1eb3d0f75d86e121ba30626d496c46c57" score = 75 quality = 90 tags = "INFO, FILE" @@ -49592,13 +49592,13 @@ rule REVERSINGLABS_Cert_Blocklist_57Fc55239F21F139978609E323097132 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eb9c8793-ec97-5560-ae2c-effbe1ed269d" + id = "e71d575c-5a30-5158-80ee-3508cdaf5636" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12610-L12626" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_030bb847e524e672ee382e0284ba3f027920f60c70bbd153d4b9cdd2669e6a99" + logic_hash = "030bb847e524e672ee382e0284ba3f027920f60c70bbd153d4b9cdd2669e6a99" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49617,13 +49617,13 @@ rule REVERSINGLABS_Cert_Blocklist_Eeefec4308Abe63323600E1608F5E6F2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "32582f0b-e953-58a0-962e-2bab71fdf07b" + id = "265f70f4-f8cf-52cf-8d9b-ddfefb8a1b79" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12628-L12646" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_71ab4bd7e85155bfbc1612941c5f15c409629b116258c38b79bd808512df006a" + logic_hash = "71ab4bd7e85155bfbc1612941c5f15c409629b116258c38b79bd808512df006a" score = 75 quality = 90 tags = "INFO, FILE" @@ -49642,13 +49642,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ecd460Ce14Bd8Ef2926Da2Cd9A44176 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d93de023-ffcf-5fb5-8e38-59795b7bcad8" + id = "94128695-0206-5c04-b792-34400f8ce890" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12648-L12664" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_58fa244c125415ef7a3cf0feb79add4db7c84f94c23e5d27e840fb17c18d67ef" + logic_hash = "58fa244c125415ef7a3cf0feb79add4db7c84f94c23e5d27e840fb17c18d67ef" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49667,13 +49667,13 @@ rule REVERSINGLABS_Cert_Blocklist_5E75E997F3D70Bb8C182D56B25B7D836 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3a2f659c-2f27-5684-b524-9a26dcd5925f" + id = "3578b97f-1d87-517a-8ea9-17606017e46a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12666-L12682" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a2c6a57759fb0717951f83a32c00deeae82cad772b6cb7f60fa96232b6b82560" + logic_hash = "a2c6a57759fb0717951f83a32c00deeae82cad772b6cb7f60fa96232b6b82560" score = 75 quality = 90 tags = "INFO, FILE" @@ -49692,13 +49692,13 @@ rule REVERSINGLABS_Cert_Blocklist_D5690D94F15315E143Db10Af35497Dc5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fb55bfd6-6379-598a-aea9-d2a0d46c9b7d" + id = "324b2e2f-bad7-5ac4-864c-044d99fa01dc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12684-L12702" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4ac17d0f0e4ef2bb5f6cda8e7cb07a641d49c83465a0a80c46ff6e0e752d1847" + logic_hash = "4ac17d0f0e4ef2bb5f6cda8e7cb07a641d49c83465a0a80c46ff6e0e752d1847" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49717,13 +49717,13 @@ rule REVERSINGLABS_Cert_Blocklist_8223C74185Add0927246F5E33Ebac467 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "55f82f94-9dc5-5797-b5b8-aa3ef760dc79" + id = "dfe87130-7b2f-5f8a-8c2d-8653c2bd0cd3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12704-L12722" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f700b4f7cdfda9f678c3a5259d4293640c50567ec277c5b3db69756534e2007f" + logic_hash = "f700b4f7cdfda9f678c3a5259d4293640c50567ec277c5b3db69756534e2007f" score = 75 quality = 90 tags = "INFO, FILE" @@ -49742,13 +49742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dd9E9E1D7C573714E3F567C5380Ae6D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "84370a16-5c72-5abd-9566-f477145ec696" + id = "72745795-0261-5b7b-b25e-8220bced90ec" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12724-L12742" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7bbcdb989d53bafbb2bdb694be72d4f7305323c01e8f1eafcb7cd889df165ff6" + logic_hash = "7bbcdb989d53bafbb2bdb694be72d4f7305323c01e8f1eafcb7cd889df165ff6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49767,13 +49767,13 @@ rule REVERSINGLABS_Cert_Blocklist_3D5E71 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "56e36b31-804c-5b6a-acc2-8ed9dc7fad76" + id = "7180b20d-f367-5260-88cd-dd2a1269f89b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12744-L12760" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_aa73ac6569e4bb0084d7b148b2186ec2737a691a133319b21b666aa16bca9f2d" + logic_hash = "aa73ac6569e4bb0084d7b148b2186ec2737a691a133319b21b666aa16bca9f2d" score = 75 quality = 90 tags = "INFO, FILE" @@ -49792,13 +49792,13 @@ rule REVERSINGLABS_Cert_Blocklist_C33187Fe848A65E8484Ea492Cb2Cbb18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a38f32ef-cde0-5b5f-814e-3d218f16ea4f" + id = "fa05113a-a21e-5f21-aae3-b646e5b42dfb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12762-L12780" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b66d67b74d73a143cb5301b232abd5f0f84f058223d4494b924a25dffb49037a" + logic_hash = "b66d67b74d73a143cb5301b232abd5f0f84f058223d4494b924a25dffb49037a" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49817,13 +49817,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Fc143Ba34Cabf1De7A4C7F8F4Cdad6D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5aeb7001-676d-5fac-92bf-9f7d9434e9c5" + id = "546692ed-2506-56ad-b678-e74b857380a3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12782-L12798" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ffe25e4478a2245d4e5b330bb9300fb6cb48afb0fe3bd72bd62a589eeee3fe89" + logic_hash = "ffe25e4478a2245d4e5b330bb9300fb6cb48afb0fe3bd72bd62a589eeee3fe89" score = 75 quality = 90 tags = "INFO, FILE" @@ -49842,13 +49842,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Ac6268B2E431A2C1369346D175D0E30 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5d8df872-076c-5ef0-b6da-cb22dcc29e6c" + id = "12664460-19e1-5b73-8299-cfe19dffc0b4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12800-L12816" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_27efaba9bd9cd116f640007c1e951bb77757efbe148b5f953e71d6621d7f16b2" + logic_hash = "27efaba9bd9cd116f640007c1e951bb77757efbe148b5f953e71d6621d7f16b2" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49867,13 +49867,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fc4D9178B8Df2C19E269Ac6F43Dd708 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2d88ffcd-a1d0-5c73-a1e9-1321972e771f" + id = "b336ff6c-d94e-5715-bb97-6b60cda90911" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12818-L12834" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_41dfe37b464d337268a8bb0e23124df7b50ab966038e8ad33bda81a4d86040ca" + logic_hash = "41dfe37b464d337268a8bb0e23124df7b50ab966038e8ad33bda81a4d86040ca" score = 75 quality = 90 tags = "INFO, FILE" @@ -49892,13 +49892,13 @@ rule REVERSINGLABS_Cert_Blocklist_E01407871E2146C9Baab1Ae7Ab8Ab172 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "25ed88d0-d7be-5968-bb84-dc02d917940d" + id = "229772ae-68a2-566b-bf61-988cb41d7d8f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12836-L12854" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1801e7f15bd5f916fc08d263a845d296d334ca9de1040008f619719c1b5c0a3b" + logic_hash = "1801e7f15bd5f916fc08d263a845d296d334ca9de1040008f619719c1b5c0a3b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49917,13 +49917,13 @@ rule REVERSINGLABS_Cert_Blocklist_Effc6D19D6Fc85872E4E5B3Ccee6D301 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d3dd893b-56cd-55c8-93d9-def495cabf5b" + id = "56114e31-2e9b-5d16-8435-708bbb2687cc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12856-L12874" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a746c4193f1264cb96eae0ea85c2c76b5caf3b72ca950f76af426b4d68d210b3" + logic_hash = "a746c4193f1264cb96eae0ea85c2c76b5caf3b72ca950f76af426b4d68d210b3" score = 75 quality = 90 tags = "INFO, FILE" @@ -49942,13 +49942,13 @@ rule REVERSINGLABS_Cert_Blocklist_2F4A25D52B16Eb4C9Dfe71Ebbd8121Bb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3b1c49b3-6dc3-5dc2-9c3c-8c36a9c9279e" + id = "1afd5d2b-fd6d-58ca-b966-788d465cd0ed" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12876-L12892" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7b237ae0574afeafcc05f71512c09d3170edbee20e512a1b0af5b431923dc25c" + logic_hash = "7b237ae0574afeafcc05f71512c09d3170edbee20e512a1b0af5b431923dc25c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -49967,13 +49967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6889Aab6202Bcc5F11Caedf4D04F435B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d448e02e-84e7-5894-a5f8-2df9068a8595" + id = "d4499a1d-aa8d-5056-ad91-439f27f00c33" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12894-L12910" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b2261ed8001929be8f80f73cc0c5076138f4794c73cbffd63773da5fc44639a8" + logic_hash = "b2261ed8001929be8f80f73cc0c5076138f4794c73cbffd63773da5fc44639a8" score = 75 quality = 90 tags = "INFO, FILE" @@ -49992,13 +49992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Be63083Fbb1787B445Da97583721419 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "98b2800f-0758-54ce-8fa7-03708d35d101" + id = "6839595d-b645-5963-bd96-a668bfdd667f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12912-L12928" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f39f5a632544bc01c3b4c9e2f2dd33f7109c44375f54011a34181e10da79debc" + logic_hash = "f39f5a632544bc01c3b4c9e2f2dd33f7109c44375f54011a34181e10da79debc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50017,13 +50017,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E2D3449272B6B96B8B9F728E87580D5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "85a0a9bd-9a1e-536a-8cc0-a78217eebbaa" + id = "6975acb9-3b37-51f5-8b4d-0d1a090a18e2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12930-L12946" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0155a8c71bf8426bbb980798772b04c145df5b8c4b60ff1a610a1236a47547ef" + logic_hash = "0155a8c71bf8426bbb980798772b04c145df5b8c4b60ff1a610a1236a47547ef" score = 75 quality = 90 tags = "INFO, FILE" @@ -50042,13 +50042,13 @@ rule REVERSINGLABS_Cert_Blocklist_268C0D7028A154Ac3B6349C5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "371c49b7-20f0-5478-9432-1bf04d26abb3" + id = "0e18d9ef-e861-5583-a2a3-5f54fae8d813" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12948-L12964" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8311b36f008e31b7ac27b439fa46da4c90ab4be6c7c89426f8e1939963bc3d7d" + logic_hash = "8311b36f008e31b7ac27b439fa46da4c90ab4be6c7c89426f8e1939963bc3d7d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50067,13 +50067,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Daa8D629Cc0410A9482E62A0F8Bf8Fc : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1de1aaa0-4f9f-5050-abb6-c99bd691b37e" + id = "71e627d9-0892-5501-8189-26eae36b7965" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12966-L12982" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cfb2631bc1832f65fb9d77c812bf2a1e05121e825254bd57ae8b21e7b10b2344" + logic_hash = "cfb2631bc1832f65fb9d77c812bf2a1e05121e825254bd57ae8b21e7b10b2344" score = 75 quality = 90 tags = "INFO, FILE" @@ -50092,13 +50092,13 @@ rule REVERSINGLABS_Cert_Blocklist_9A727E200Ea76570 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "949fdd92-afea-592a-95b1-84e10098d532" + id = "d133dac3-3959-50f0-913e-b279ca6a1c2c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L12984-L13002" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_337dc486f2bdca1f7682887d5e5c0f82961850a8fd9c9a20b9a43a75334070d8" + logic_hash = "337dc486f2bdca1f7682887d5e5c0f82961850a8fd9c9a20b9a43a75334070d8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50117,13 +50117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0954A3C876Df9262Cde5817F9870F0C6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "519b26fa-8b21-542d-b0c0-d3664cebf0ac" + id = "89f3a334-cd2f-51b9-83b2-2baca3c59ba5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13004-L13020" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_164b064a9df31d4a122236dfee7b713417a44d47a7f304b2bf55686a7f038feb" + logic_hash = "164b064a9df31d4a122236dfee7b713417a44d47a7f304b2bf55686a7f038feb" score = 75 quality = 90 tags = "INFO, FILE" @@ -50142,13 +50142,13 @@ rule REVERSINGLABS_Cert_Blocklist_3C30930E53Bb026F9A5D7440155F7118 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "26789d7f-a24f-58be-878c-d6befe4cc8f2" + id = "ad7d8be0-ecb1-508f-bfce-7a5cecfd4e2f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13022-L13038" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_260a58669043d21ee0ffccbdee95c9d04ef338497685d42f1951660f658a164d" + logic_hash = "260a58669043d21ee0ffccbdee95c9d04ef338497685d42f1951660f658a164d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50167,13 +50167,13 @@ rule REVERSINGLABS_Cert_Blocklist_432Eefc0D4Dc0326Eb277A518Cc4310A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "86b9ef28-588c-5926-9c00-3402963499e9" + id = "eeccb477-0bf7-5b79-94df-710e6e0db78f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13040-L13056" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d5a0b7f19f66f18b5ef1c548276b675ead74fed6be94310c303bfad6c85f18be" + logic_hash = "d5a0b7f19f66f18b5ef1c548276b675ead74fed6be94310c303bfad6c85f18be" score = 75 quality = 90 tags = "INFO, FILE" @@ -50192,13 +50192,13 @@ rule REVERSINGLABS_Cert_Blocklist_470D6Ce21A6940320261F09E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "974e28a6-7910-5900-a626-58356be15626" + id = "00b92b5d-59e3-5aae-954d-a90bd8cc1370" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13058-L13074" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cae1d381bf2018a0ce56feb245d01f2bfea55b67894264d32d78dbb41873c792" + logic_hash = "cae1d381bf2018a0ce56feb245d01f2bfea55b67894264d32d78dbb41873c792" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50217,13 +50217,13 @@ rule REVERSINGLABS_Cert_Blocklist_7E6Bc7E5A49E2C28E6F5D042 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "07183e92-ea19-579e-839f-b042c76c625c" + id = "a7b815d9-e247-5de1-9bcb-96294b3b91c0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13076-L13092" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f378c490ff4f32fc095c822f75abac44a8d94327404cd97546c63e7441e07632" + logic_hash = "f378c490ff4f32fc095c822f75abac44a8d94327404cd97546c63e7441e07632" score = 75 quality = 90 tags = "INFO, FILE" @@ -50242,13 +50242,13 @@ rule REVERSINGLABS_Cert_Blocklist_4C5020899147C850196C4Ebf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0880fe8f-5e2f-5404-b9b6-78207e3bdc05" + id = "8ac60604-6548-5f11-bf89-ec7e927b20f7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13094-L13110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_112e834a24c50d639f8607740faa609f1a36539058357544e5dbcddf841f3116" + logic_hash = "112e834a24c50d639f8607740faa609f1a36539058357544e5dbcddf841f3116" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50267,13 +50267,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Efcf7Adc21F070E590D49Ddb8081397 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "096ea645-4c04-585d-983f-b42884846604" + id = "df467418-9d57-5ad0-b396-2ef519a22989" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13112-L13128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d60a5bbd50484d620ab60cfd40840abc541c2b7bc1005a9076b69ddd1b938652" + logic_hash = "d60a5bbd50484d620ab60cfd40840abc541c2b7bc1005a9076b69ddd1b938652" score = 75 quality = 90 tags = "INFO, FILE" @@ -50292,13 +50292,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cbd37C0A651913Ee25A6860D7D5Ccdf2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0ec676fc-c6e2-5f8d-9ad0-347159dc01ed" + id = "e56205d6-9f02-5a8a-8dd3-b8c323fba4bf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13130-L13148" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_77cc439aea6eaa5a835b6b1aa50904c1df0d5379228e424ab2d68a3cb654834c" + logic_hash = "77cc439aea6eaa5a835b6b1aa50904c1df0d5379228e424ab2d68a3cb654834c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50317,13 +50317,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fe0Ad6B03C57Ab67A352159004Ca3Db : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5d5430c2-503f-5e6f-9259-e55d36a7a4fe" + id = "d1cf11fc-eb30-54fc-9e34-91ad0c67e694" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13150-L13166" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6f2489421f2effa2089b744f7e137818935fe2339d9216a42686012c51da677b" + logic_hash = "6f2489421f2effa2089b744f7e137818935fe2339d9216a42686012c51da677b" score = 75 quality = 90 tags = "INFO, FILE" @@ -50342,13 +50342,13 @@ rule REVERSINGLABS_Cert_Blocklist_642Ad8E5Ef8B3Ac767F0D5C1A999Bdaa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7fb35d65-d182-5f7c-b341-3d6639cf7821" + id = "d29e2342-2d38-5939-aa3f-4506fb36c74a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13168-L13184" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d42d40ca381b99b68a3384cecf585aab2acca66d4e13503d337b1605d587d0b5" + logic_hash = "d42d40ca381b99b68a3384cecf585aab2acca66d4e13503d337b1605d587d0b5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50367,13 +50367,13 @@ rule REVERSINGLABS_Cert_Blocklist_5333D3079D8Afda715703775E1389991 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "39d90d8b-4515-5c4e-89b0-38e58436eabe" + id = "4db299c6-5be9-5900-a944-07a0a41920a4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13186-L13202" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_98bd9d35c4e196a11943826115ab495833f7ef1d95f9736cc24255d6dd4fd21c" + logic_hash = "98bd9d35c4e196a11943826115ab495833f7ef1d95f9736cc24255d6dd4fd21c" score = 75 quality = 90 tags = "INFO, FILE" @@ -50392,13 +50392,13 @@ rule REVERSINGLABS_Cert_Blocklist_139A7Ee1F1A7735C151089755Df5D373 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dee53db5-9ea8-5b75-8fb7-f32e5c4710c4" + id = "eaab67a1-ed7a-58f3-afb3-3637c3b72020" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13204-L13220" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_86072fef7d1488dc257c3ca8fbb99620ec06f8ecb671b4e20d09d0ce6cc8601d" + logic_hash = "86072fef7d1488dc257c3ca8fbb99620ec06f8ecb671b4e20d09d0ce6cc8601d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50417,13 +50417,13 @@ rule REVERSINGLABS_Cert_Blocklist_74Dbe83082E1B3Dfa29F9C24 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "cac2c9d2-d68f-5ff6-865d-7461bbe537af" + id = "dbb75cf2-1b48-52f1-8d06-e35d48c4fea4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13222-L13238" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1fdf6471d0b869df1a8630108cdaf1cc97d33e91d4726073913cdc54c7cf0042" + logic_hash = "1fdf6471d0b869df1a8630108cdaf1cc97d33e91d4726073913cdc54c7cf0042" score = 75 quality = 90 tags = "INFO, FILE" @@ -50442,13 +50442,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A466553A6391Aafd181B400266C7B18 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6c0cb8c7-2a05-592d-8410-b7ae141640db" + id = "ef8ff250-840f-5b55-b0c7-85ca54aadc59" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13240-L13256" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cb21e5759887904d6a38cd1b363610ebc0bfd9a357050c602210468992815cbe" + logic_hash = "cb21e5759887904d6a38cd1b363610ebc0bfd9a357050c602210468992815cbe" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50467,13 +50467,13 @@ rule REVERSINGLABS_Cert_Blocklist_0D3Dec8794Fa7228D1Ee40Eeb8187149 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8f66a709-bc85-5f92-b4aa-44aaccc51eb6" + id = "54e9ec00-d054-521b-b60b-81efe3a8ce12" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13258-L13274" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_20084dc0b069d65755f859f5aef4be5599d1f066ba006199d3ce803b0d8f041e" + logic_hash = "20084dc0b069d65755f859f5aef4be5599d1f066ba006199d3ce803b0d8f041e" score = 75 quality = 90 tags = "INFO, FILE" @@ -50492,13 +50492,13 @@ rule REVERSINGLABS_Cert_Blocklist_24Af70B5D17A63Ad053E5821 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f5c8a95e-e126-5a86-bf4f-b7b01c886d6a" + id = "034228b3-1864-5a76-ad9d-531778be10ec" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13276-L13292" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d78f709067c83169484d9dd6e1dd8a88852362da028551d4e55e5703a22e04a7" + logic_hash = "d78f709067c83169484d9dd6e1dd8a88852362da028551d4e55e5703a22e04a7" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50517,13 +50517,13 @@ rule REVERSINGLABS_Cert_Blocklist_402E9Fcba61E5Eaf9C0C7B3Bfd6259D9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "21e71b9e-2db9-5c9d-8b41-a11ee9fb9c19" + id = "a24e1201-4a90-5d0f-ac19-4d88a4e4cfe5" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13294-L13310" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1bfc2610745a98ebcf0f77504815d9d1c448697fbe407d6c2e075219b401de50" + logic_hash = "1bfc2610745a98ebcf0f77504815d9d1c448697fbe407d6c2e075219b401de50" score = 75 quality = 90 tags = "INFO, FILE" @@ -50542,13 +50542,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C84F9136059E96134F8766670Eacd52 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1a4ebffa-cfaf-525c-ae0e-e021901701d8" + id = "af7eb5ff-570f-5886-b550-3d327d05fabe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13312-L13328" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d6778630dcc3e4fe2816e6dee1b823e616f53de8a924057495c7c252948a71b4" + logic_hash = "d6778630dcc3e4fe2816e6dee1b823e616f53de8a924057495c7c252948a71b4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50567,13 +50567,13 @@ rule REVERSINGLABS_Cert_Blocklist_6716A9C195987D5Cfe53A094779461E7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1b545bd5-678a-505b-808e-ed5dd1b23940" + id = "fbd05f8b-3289-565c-a5f4-a1514d06ae37" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13330-L13346" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_648fd70432a791b3e589f5eda1b1510045b465623914a9762ff3dfb4a3e022f8" + logic_hash = "648fd70432a791b3e589f5eda1b1510045b465623914a9762ff3dfb4a3e022f8" score = 75 quality = 90 tags = "INFO, FILE" @@ -50592,13 +50592,13 @@ rule REVERSINGLABS_Cert_Blocklist_876C00Bd665Df98B35554F67A5C1C32A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "19d10d6d-7238-5064-a737-94be5f56433b" + id = "830af0ac-fb01-5c6a-a7a3-2cf5c9d016fc" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13348-L13366" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_90bde1313db78d4166e8c87e7e4111c576880922b1c983f3a842ea030d38a0da" + logic_hash = "90bde1313db78d4166e8c87e7e4111c576880922b1c983f3a842ea030d38a0da" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50617,13 +50617,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B093Cb60D4B992266F550934A4Ac7D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d4a959a9-7bc9-5125-898b-9678625b8fc0" + id = "c459c3ac-205c-5c13-959d-c6b40f81222f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13368-L13384" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4b634bc706638d72f2d036d41cf092cac538e930d7d407eebc225b482fd64f51" + logic_hash = "4b634bc706638d72f2d036d41cf092cac538e930d7d407eebc225b482fd64f51" score = 75 quality = 90 tags = "INFO, FILE" @@ -50642,13 +50642,13 @@ rule REVERSINGLABS_Cert_Blocklist_2050B54146B011Ed30F60F61 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3dddd025-25a8-546c-bd5d-aae9bc933664" + id = "0db2d42d-bdc3-50bc-b360-a39ccec4df41" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13386-L13402" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_74749317fcefcdb698046a6f42c6c6e05cc1eab1370b3b1fd7d025f49de4a032" + logic_hash = "74749317fcefcdb698046a6f42c6c6e05cc1eab1370b3b1fd7d025f49de4a032" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50667,13 +50667,13 @@ rule REVERSINGLABS_Cert_Blocklist_73E2F34C9C2435F29Bbe0A3C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "333783a1-74b4-560c-b8f0-05efbde714f8" + id = "284c206f-8a0c-5bb6-8f28-d8e5e60efe3e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13404-L13420" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_503429e737e8bdad735cf88e2bb2877d1f52b2c38be101a7a129c02db608a347" + logic_hash = "503429e737e8bdad735cf88e2bb2877d1f52b2c38be101a7a129c02db608a347" score = 75 quality = 90 tags = "INFO, FILE" @@ -50692,13 +50692,13 @@ rule REVERSINGLABS_Cert_Blocklist_68C457D7495D2A8D0D7B9042836135C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "308e9d36-ccf1-5af2-9c24-664172583daa" + id = "a8ed2e72-d94e-5141-8ceb-181459a729ad" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13422-L13438" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3eb63f75f258eec611fa4288302f0ce5e47149ca876265a4a4b65dc33313aaa6" + logic_hash = "3eb63f75f258eec611fa4288302f0ce5e47149ca876265a4a4b65dc33313aaa6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50717,13 +50717,13 @@ rule REVERSINGLABS_Cert_Blocklist_6B72Ca367D40Fbef16E73E6Eba6A9A59 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "250ec3fa-977b-53fa-a77a-ad9be23bf02d" + id = "e1cf9568-9a6a-58cb-81a4-25063ccc1ac7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13440-L13456" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2b20c16dafcd891c36b28b36093cd3ad3a15f3795f0f2adda61fb0db2835d02d" + logic_hash = "2b20c16dafcd891c36b28b36093cd3ad3a15f3795f0f2adda61fb0db2835d02d" score = 75 quality = 90 tags = "INFO, FILE" @@ -50742,13 +50742,13 @@ rule REVERSINGLABS_Cert_Blocklist_736B7663D322533413F36E3E7E55F920 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5e20c072-62d7-580c-8ec1-1d2e06341d5e" + id = "1991779a-8b5d-5188-8a36-c8451923e88f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13458-L13474" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_44e86319106a4bf8edba6c1be2f90d68b3d1ef4591f0cc23921a0dc4da4a407b" + logic_hash = "44e86319106a4bf8edba6c1be2f90d68b3d1ef4591f0cc23921a0dc4da4a407b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50767,13 +50767,13 @@ rule REVERSINGLABS_Cert_Blocklist_54A170102461Fdc967Acfafe4Bbbc7F0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c838dd21-8414-5d0a-a32c-d4219735f671" + id = "d012df1d-5e85-57b4-8a79-5da91369a14a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13476-L13492" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ddae18d566fa2fd077f51d0afff74fb8a8e525f88f23908c7402a4b2c092ad24" + logic_hash = "ddae18d566fa2fd077f51d0afff74fb8a8e525f88f23908c7402a4b2c092ad24" score = 75 quality = 90 tags = "INFO, FILE" @@ -50792,13 +50792,13 @@ rule REVERSINGLABS_Cert_Blocklist_0C501B8B113209C96C8119Cf7A6B8B79 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b7f5cb85-8606-5779-ab0b-43965c1bfc84" + id = "9ec73230-10cd-55ad-9ef7-56a875294cab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13494-L13510" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dca37fda83650979566fb6ffbedaf713955a3c7f03ecc62e2e155475b7ca00e4" + logic_hash = "dca37fda83650979566fb6ffbedaf713955a3c7f03ecc62e2e155475b7ca00e4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50817,13 +50817,13 @@ rule REVERSINGLABS_Cert_Blocklist_0300Ee4A4C52443147821A8186D04309 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "971e1cca-1bec-58c8-9ef8-7fd10e8709e3" + id = "abccf84f-ba18-5644-897c-d23a228facff" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13512-L13528" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8476ece98427c1ffd99d820c25fe664397de2c393473f7d5ee0846d8d840fd9e" + logic_hash = "8476ece98427c1ffd99d820c25fe664397de2c393473f7d5ee0846d8d840fd9e" score = 75 quality = 90 tags = "INFO, FILE" @@ -50842,13 +50842,13 @@ rule REVERSINGLABS_Cert_Blocklist_202Cf8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "afeeba5f-e88f-5623-928b-fdea75ca98f7" + id = "1c442ed6-a48a-52f4-b345-300428ec9c76" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13530-L13546" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_671a4b522761fdff75d1c0c608e8cfb21c7ab538c8c30c8620315bc58ed358e6" + logic_hash = "671a4b522761fdff75d1c0c608e8cfb21c7ab538c8c30c8620315bc58ed358e6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50867,13 +50867,13 @@ rule REVERSINGLABS_Cert_Blocklist_6651Cc8B4850D4Dec61961503Ea7956B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "27842d3c-0804-5b5f-8c6a-006300429ef0" + id = "88679114-9c85-5810-af21-d5c2a8dc759e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13548-L13564" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_29bfe9c8b340b55a9daa2644e8d55b2b783cc95c85541732e6e0decca8c10ff6" + logic_hash = "29bfe9c8b340b55a9daa2644e8d55b2b783cc95c85541732e6e0decca8c10ff6" score = 75 quality = 90 tags = "INFO, FILE" @@ -50892,13 +50892,13 @@ rule REVERSINGLABS_Cert_Blocklist_25Bef28467E4750331D2F403458113B8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6b4751c6-5176-507f-a920-4fe6c278d46f" + id = "a97723cb-7814-5f08-af94-6244c1cf4145" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13566-L13582" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dc59fdecf60f3781e92cfe8469be2e0c1cb1cfdd3e9f9757d159667437cb37f5" + logic_hash = "dc59fdecf60f3781e92cfe8469be2e0c1cb1cfdd3e9f9757d159667437cb37f5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50917,13 +50917,13 @@ rule REVERSINGLABS_Cert_Blocklist_0296Cf3314F434C5B74D0C3E36616Dd1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "09c6c0df-7d05-5e66-ba01-d3125f639287" + id = "ae7d8c3c-0ac8-5ea5-8013-97ccb2ace4e4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13584-L13600" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_acf3b7460c79fa71c1b131b26a40bbc286c9da0a5fe7071bbe8b386a3ca91de4" + logic_hash = "acf3b7460c79fa71c1b131b26a40bbc286c9da0a5fe7071bbe8b386a3ca91de4" score = 75 quality = 90 tags = "INFO, FILE" @@ -50942,13 +50942,13 @@ rule REVERSINGLABS_Cert_Blocklist_045D57D63E13775C8F812E1864797F5A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e67bff5d-e1ae-5b57-bd1f-05ce5dc4ce96" + id = "c2c37ddc-51bc-58da-b770-df97aebca01d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13602-L13618" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d3e61e9a43f5b17ebb08b71dc39648d1f20273a18214f39605f365f9f0f72c10" + logic_hash = "d3e61e9a43f5b17ebb08b71dc39648d1f20273a18214f39605f365f9f0f72c10" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -50967,13 +50967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6D633Df9Bb6015Fc3Ecea99Dff309Ee7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e1049977-84ad-58bb-9bd8-133c90772026" + id = "b85bf9c5-f438-5973-83ab-926e44cf2298" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13620-L13636" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_84e2f427ee79b47db8d0e5f1e2217a7e1c1ea64047e01b4ea6db69f529501f36" + logic_hash = "84e2f427ee79b47db8d0e5f1e2217a7e1c1ea64047e01b4ea6db69f529501f36" score = 75 quality = 90 tags = "INFO, FILE" @@ -50992,13 +50992,13 @@ rule REVERSINGLABS_Cert_Blocklist_22E2A66E63B8Cb4Ec6989Bf7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9adb5aa9-330d-5792-a771-05649029e4c7" + id = "5c028a6c-890c-54f1-aea2-ac04ce654907" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13638-L13654" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2099c508d1fd986f34f14aa396a5aaa136e2cdd2226099acdca9c14f6f6342eb" + logic_hash = "2099c508d1fd986f34f14aa396a5aaa136e2cdd2226099acdca9c14f6f6342eb" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51017,13 +51017,13 @@ rule REVERSINGLABS_Cert_Blocklist_654B406De388Ec2Aec253Ff2Ba4C4Bbd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7c1ac237-d553-5314-a00c-e036010abf6d" + id = "9820112d-d59b-57e7-ae78-7b427f70d529" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13656-L13672" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a1aadaded55c8b0d85ac09ba9ab27fefaeec2969cdabaf26ff0c41bf33422ddc" + logic_hash = "a1aadaded55c8b0d85ac09ba9ab27fefaeec2969cdabaf26ff0c41bf33422ddc" score = 75 quality = 90 tags = "INFO, FILE" @@ -51042,13 +51042,13 @@ rule REVERSINGLABS_Cert_Blocklist_78D1817Ebcf338B4E9C810F9740A726B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6f4ffa0c-ee59-5b71-a94d-863ad6033a22" + id = "3d0a97a4-c45a-5238-a287-867529b470cb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13674-L13690" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_62e59130ef0ac35b17a265bb8bc2031cac6a75c11925ccb21eb4601b8fbe1a63" + logic_hash = "62e59130ef0ac35b17a265bb8bc2031cac6a75c11925ccb21eb4601b8fbe1a63" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51067,13 +51067,13 @@ rule REVERSINGLABS_Cert_Blocklist_45Fbcdb1Fbd3D702Fb77257B45D8C58E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "88a693f4-8dcf-5425-b2f0-e19a89f1aa33" + id = "6bfd7c1d-2608-5ca0-8e1e-04c73588895a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13692-L13708" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_441e10f49515d75ee9e8983ba4321377fee13a91ca5eeddc08b393136ce8ccfd" + logic_hash = "441e10f49515d75ee9e8983ba4321377fee13a91ca5eeddc08b393136ce8ccfd" score = 75 quality = 90 tags = "INFO, FILE" @@ -51092,13 +51092,13 @@ rule REVERSINGLABS_Cert_Blocklist_4B5D8Ed5Ca011679F141F124 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eb31bd34-1686-5306-8b48-bf35a1e66d98" + id = "c8bc0968-29d0-51a9-8cfe-7c8f447cef3d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13710-L13726" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_39ff0d5fd711524ce181596033d1d51579cd086eb20b87722aebf39623bbaa17" + logic_hash = "39ff0d5fd711524ce181596033d1d51579cd086eb20b87722aebf39623bbaa17" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51117,13 +51117,13 @@ rule REVERSINGLABS_Cert_Blocklist_33671F1Bcbd0F5E231Fc386F4895000E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0fcd78eb-4840-5ff1-a60f-780ab0bb87fd" + id = "0863e1ed-7b9c-5a60-82ac-eadc3c23fbd9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13728-L13744" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9199c8d76e3390ec9038808b4e88b803b3f3d6966af6206d0c9968d9ab673f31" + logic_hash = "9199c8d76e3390ec9038808b4e88b803b3f3d6966af6206d0c9968d9ab673f31" score = 75 quality = 90 tags = "INFO, FILE" @@ -51142,13 +51142,13 @@ rule REVERSINGLABS_Cert_Blocklist_32Bc299F0694C19Ec21E71265B1D7E17 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "764143b1-944c-5c75-a157-0e7a674bb73c" + id = "fa2302c3-4002-5bf0-812b-45298abbda8d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13746-L13762" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cb522e3084d382c451a8b040095e75582675f90dbb588e370f2f0054f4c2d14b" + logic_hash = "cb522e3084d382c451a8b040095e75582675f90dbb588e370f2f0054f4c2d14b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51167,13 +51167,13 @@ rule REVERSINGLABS_Cert_Blocklist_7B75C6B0A09Afdb9787F6Dff75Ae7844 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "97238465-4308-5586-927e-25b0937e7105" + id = "0b34c7ce-fa75-5340-a473-fa87fab93b86" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13764-L13780" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8fd125a526b3433fbb8a5c6fa74ce0b0e2de8ff789880c355625d4140cd902a2" + logic_hash = "8fd125a526b3433fbb8a5c6fa74ce0b0e2de8ff789880c355625d4140cd902a2" score = 75 quality = 90 tags = "INFO, FILE" @@ -51192,13 +51192,13 @@ rule REVERSINGLABS_Cert_Blocklist_167Fd1295B3Bb102Dbb37292C838E7Cd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9c773d9a-9397-5b02-bc48-5e79c4a7ec4f" + id = "42cf5f07-4c43-567c-a517-42c898658ab8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13782-L13798" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1cc7d441291fd9c4dc37320d411f94fb362523d47d37ab35c20b3ac9d4cd75cb" + logic_hash = "1cc7d441291fd9c4dc37320d411f94fb362523d47d37ab35c20b3ac9d4cd75cb" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51217,13 +51217,13 @@ rule REVERSINGLABS_Cert_Blocklist_253Ad25E39Abe8F8Fda9Fcf6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8c1f98e2-8239-5929-9355-e99e0e4dbcf5" + id = "f09ca101-dd40-54d8-9235-1faf1e774dd4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13800-L13816" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1d46ccaa136cd7be30ffbf0eb09eb6485c543ff4bdbe99fa7ea3846841cbd41b" + logic_hash = "1d46ccaa136cd7be30ffbf0eb09eb6485c543ff4bdbe99fa7ea3846841cbd41b" score = 75 quality = 90 tags = "INFO, FILE" @@ -51242,13 +51242,13 @@ rule REVERSINGLABS_Cert_Blocklist_A9C1523Cb2C73A82771D318124963E87 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3199e7b3-48be-58f9-9911-da72bfcb196b" + id = "b21365d0-eaff-51da-8b8e-6a6ee75a5b95" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13818-L13836" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_87e314d14361f56935b7a8fb93468cfaf2c73e16c25d68a61ec80ad9334d3115" + logic_hash = "87e314d14361f56935b7a8fb93468cfaf2c73e16c25d68a61ec80ad9334d3115" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51267,13 +51267,13 @@ rule REVERSINGLABS_Cert_Blocklist_68E1B2C210B19Bb1F2A24176709B165B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b5993d02-70bf-5ce3-be99-edd6675e9410" + id = "e17bf185-3dfc-5a2f-a87f-525ac0e4084b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13838-L13854" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8e88ad992c58d37ff1ac34e2d9cf121f3bc692ae78c0ad79140974abdec2f317" + logic_hash = "8e88ad992c58d37ff1ac34e2d9cf121f3bc692ae78c0ad79140974abdec2f317" score = 75 quality = 90 tags = "INFO, FILE" @@ -51292,13 +51292,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C88313Bd98Bde99C9B9Ac1408A63249 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ce016ba2-fd18-5185-842b-c73e6c697e9c" + id = "5108fa8f-3fe6-518c-9bae-b1c44a0ec7a8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13856-L13872" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f958e46e00bf4ab8ecf071502bcda63a84265029bc9c72cea1eaaf72e9003a84" + logic_hash = "f958e46e00bf4ab8ecf071502bcda63a84265029bc9c72cea1eaaf72e9003a84" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51317,13 +51317,13 @@ rule REVERSINGLABS_Cert_Blocklist_7A632A6Ecfc6C49Ec1F42F76 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a291433c-7a77-5e29-bfc1-8f4d423d1275" + id = "863a109c-034f-5168-9470-8fd4945e6e92" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13874-L13890" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_038badeab61c00476b79684308bf91f8a63716641f2be16fe0a3b25ebd3a9a1e" + logic_hash = "038badeab61c00476b79684308bf91f8a63716641f2be16fe0a3b25ebd3a9a1e" score = 75 quality = 90 tags = "INFO, FILE" @@ -51342,13 +51342,13 @@ rule REVERSINGLABS_Cert_Blocklist_F57Df6A6Eee3854D513D0Ba8585049B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8974f324-bba1-537c-b099-b311c2342b10" + id = "b31f73d5-ff9e-5be7-b806-8838ddb5d29d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13892-L13910" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_09d5998960fb65eda56cd698c5ff50d87ba7a811cbb128bc7485c0f124e14cba" + logic_hash = "09d5998960fb65eda56cd698c5ff50d87ba7a811cbb128bc7485c0f124e14cba" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51367,13 +51367,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Ac5Ac5D323122E6D8E92D6E191B1432 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a0cd8075-d413-5e90-b579-fe0e6d528591" + id = "9a363a84-c21c-5afe-9812-9ce16962b28a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13912-L13928" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d5e62d3cdfacfaea70f9ee11230501bb9c4099508077d50a2a143cb69476f02a" + logic_hash = "d5e62d3cdfacfaea70f9ee11230501bb9c4099508077d50a2a143cb69476f02a" score = 75 quality = 90 tags = "INFO, FILE" @@ -51392,13 +51392,13 @@ rule REVERSINGLABS_Cert_Blocklist_2433D9Df7Efbccb870Ee5904D62A0101 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1be97331-83f7-5439-8206-3238315a1582" + id = "6cd46771-06ea-51c9-ad84-4b28f4f8442b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13930-L13946" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_92a2effe1b94345f52130e4cb1db181f1990e58eaefb9c74375c14249cc1be22" + logic_hash = "92a2effe1b94345f52130e4cb1db181f1990e58eaefb9c74375c14249cc1be22" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51417,13 +51417,13 @@ rule REVERSINGLABS_Cert_Blocklist_462Baada57570F70Df76D10B9E7Bf2B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7a41c7dc-cc78-5286-9345-9c6240c91cdb" + id = "2863a050-ebce-5322-b64a-9160adf6cc21" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13948-L13964" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c48207907339ce3fb7b6bc630097761a24495a9d4e69d421f2bdb36ddc92abcb" + logic_hash = "c48207907339ce3fb7b6bc630097761a24495a9d4e69d421f2bdb36ddc92abcb" score = 75 quality = 90 tags = "INFO, FILE" @@ -51442,13 +51442,13 @@ rule REVERSINGLABS_Cert_Blocklist_83320D93Dd8Cf16D11F99B1078B0A7Cb : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6b67bf8e-bae0-5e7d-9bd9-e55532015187" + id = "12ce9be9-4644-5b59-aed2-ce4b04fcc46a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13966-L13984" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_94ec5e05357767cc0c4cd1fc8ff6d1a366359ba699c43f3710204d761e7e707f" + logic_hash = "94ec5e05357767cc0c4cd1fc8ff6d1a366359ba699c43f3710204d761e7e707f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51467,13 +51467,13 @@ rule REVERSINGLABS_Cert_Blocklist_10Bae1D20Cb4Cc36A0Ffac86 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fb5958ba-dee5-52de-a1d9-5ab360bc2158" + id = "a07d1c35-0026-526a-bf08-e6b07008da03" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L13986-L14002" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_44e91fbf4da8e81859a21408ee9f1971f1e8f48d22553fcaa6469156d4a0670b" + logic_hash = "44e91fbf4da8e81859a21408ee9f1971f1e8f48d22553fcaa6469156d4a0670b" score = 75 quality = 90 tags = "INFO, FILE" @@ -51492,13 +51492,13 @@ rule REVERSINGLABS_Cert_Blocklist_230716Bfe915Dd6203B2E2A35674C2Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f604eee8-319d-57f8-9e90-7043ce254d26" + id = "849c390e-f81f-558e-88a3-19242c127a56" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14004-L14020" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0197ff46ceb1017488da4383436fd0ddc375904f36cc16c5a8ef21d633ec387c" + logic_hash = "0197ff46ceb1017488da4383436fd0ddc375904f36cc16c5a8ef21d633ec387c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51517,13 +51517,13 @@ rule REVERSINGLABS_Cert_Blocklist_36A77D37E68E02Fd3D043C7197E044Ca : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "958309b7-4e33-5bc1-ba86-a4e95a4340e7" + id = "721e48fb-3046-5b2d-8ad9-ae340e598794" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14022-L14038" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fc13ac5880cc2c8eac9ff8d09f6c5c2055b2de54d460a284936a4f6cd78192e8" + logic_hash = "fc13ac5880cc2c8eac9ff8d09f6c5c2055b2de54d460a284936a4f6cd78192e8" score = 75 quality = 90 tags = "INFO, FILE" @@ -51542,13 +51542,13 @@ rule REVERSINGLABS_Cert_Blocklist_73Bff2Fb714F986C1707165F0B0F2E0E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f10512c5-c954-5026-bfd8-93a661a0c0a5" + id = "f014b446-0ddc-51df-898c-200bd60181a0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14040-L14056" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d79ab926cbc0049d39f5f4c6e57afc71b1a30311a4816fdb66a9c2e257cc84af" + logic_hash = "d79ab926cbc0049d39f5f4c6e57afc71b1a30311a4816fdb66a9c2e257cc84af" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51567,13 +51567,13 @@ rule REVERSINGLABS_Cert_Blocklist_33B24170694Ca0Cf4D2Bdf4Aadf475A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9dfe1a5f-0958-56a4-8d45-e2e835973c1c" + id = "c02d7aaf-e88a-5aba-a8ee-db34562e53b1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14058-L14074" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_795bcb46b41ded084e4d12d98e335748ec1db3e0abbbb2d933e819d955075138" + logic_hash = "795bcb46b41ded084e4d12d98e335748ec1db3e0abbbb2d933e819d955075138" score = 75 quality = 90 tags = "INFO, FILE" @@ -51592,13 +51592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A9Bdec10E00E780316Baaebfe7A772C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "efb7781a-8c21-5c3d-9b92-f8d05f5a43fa" + id = "56f62454-84a1-5843-b2f4-fa84b37040f3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14076-L14092" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ea9bc11efd2969f6b7112338f2b084ea3551e072e46b1162bd47b08be549cdd4" + logic_hash = "ea9bc11efd2969f6b7112338f2b084ea3551e072e46b1162bd47b08be549cdd4" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51617,13 +51617,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Cad9C37F7Affa8F4D8229F97607E265 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a8878a12-98c0-5011-853f-708cf991cdab" + id = "dae6b474-e4f0-5c73-b32e-d2680f508799" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14094-L14110" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0f88989c64bece23e7eccf8022e038fdd9c360766de71268cf71616f74adc56c" + logic_hash = "0f88989c64bece23e7eccf8022e038fdd9c360766de71268cf71616f74adc56c" score = 75 quality = 90 tags = "INFO, FILE" @@ -51642,13 +51642,13 @@ rule REVERSINGLABS_Cert_Blocklist_098A57 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "99ce0cd0-c024-59e2-94dd-bb966c199f35" + id = "4604f1a6-2fdb-5917-943d-f0e2dbaaa29e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14112-L14128" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5e203f87dd4608ba5d583e02ce86fbe230e45fff86a7a697766e149d0cf6f436" + logic_hash = "5e203f87dd4608ba5d583e02ce86fbe230e45fff86a7a697766e149d0cf6f436" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51667,13 +51667,13 @@ rule REVERSINGLABS_Cert_Blocklist_5389Cc6286Da3Bfa1Dc4Df498Bf68361 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9590000c-88ea-5dbb-8638-ad885d3066ad" + id = "973aaf33-25a2-5f40-a5a7-d9f77e3589b3" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14130-L14146" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d25d998c980f47f4da065155451503dcbc677ad041af85a6ed7060ecadec66b3" + logic_hash = "d25d998c980f47f4da065155451503dcbc677ad041af85a6ed7060ecadec66b3" score = 75 quality = 90 tags = "INFO, FILE" @@ -51692,13 +51692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ed9Caeb7911B31Bd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "af3b48f1-1216-5699-b7b9-aefa2593c70a" + id = "1eeff730-c2ce-5689-a8cb-455618738a82" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14148-L14166" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_02cfdf883212387a465af3e692b29b8d0eb8249e0a260f18bec2f662d775b606" + logic_hash = "02cfdf883212387a465af3e692b29b8d0eb8249e0a260f18bec2f662d775b606" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51717,13 +51717,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Fd2B19A941B7009Cc728A37Cb1B10B9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b6c3be89-957c-50ab-84a4-153c8393e0ba" + id = "125c0b95-82bb-5900-8e8c-4359b8cd18ab" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14168-L14184" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6b5cc47f4df9e57c59bc66c32188e02390d4855a1b9e56bd7471fd641a245c3c" + logic_hash = "6b5cc47f4df9e57c59bc66c32188e02390d4855a1b9e56bd7471fd641a245c3c" score = 75 quality = 90 tags = "INFO, FILE" @@ -51742,13 +51742,13 @@ rule REVERSINGLABS_Cert_Blocklist_2D88C0Af1Fe2609961C171213C03Bd23 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2f57c6da-bf7f-513a-b6b8-93126f93847a" + id = "0e844bef-1cfe-5eba-af4d-d8477e55470c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14186-L14202" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2d181b9b517732f14d196c1a6c5661d8de4dbbfe6f120954dd3f9dcad00ff0fe" + logic_hash = "2d181b9b517732f14d196c1a6c5661d8de4dbbfe6f120954dd3f9dcad00ff0fe" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51767,13 +51767,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E7Cc176062D91225Cfdcbdf5B5F0Ea5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "97cdb975-6872-5e08-85c6-4890f44bcff7" + id = "cb6ae82f-ac1e-528d-aa17-6dc14019793c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14204-L14220" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1d2ffa7ec3559061432c2aff23f568cb580fb9093d0af7d8a6a0b91add89c9cc" + logic_hash = "1d2ffa7ec3559061432c2aff23f568cb580fb9093d0af7d8a6a0b91add89c9cc" score = 75 quality = 90 tags = "INFO, FILE" @@ -51792,13 +51792,13 @@ rule REVERSINGLABS_Cert_Blocklist_Cecedd2Efc985C2Dbf0019669D270079 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "81437268-91ab-521c-acd4-054c76aba338" + id = "60a3e63c-4f44-5c75-9928-69859d77af3e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14222-L14240" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1dfb5959db6929643126a850de84e54a84d7197518cde475c802987721b71020" + logic_hash = "1dfb5959db6929643126a850de84e54a84d7197518cde475c802987721b71020" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51817,13 +51817,13 @@ rule REVERSINGLABS_Cert_Blocklist_61Fe6F00Bd79684210534050Ff46Bc92 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7b22f75c-f94c-5e79-a769-b9ae4d45164a" + id = "b88e0bbf-ab3a-51ac-8542-d4f92116f5e9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14242-L14258" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e8ebc5de081e2d1e653493a2d85699ebfb5227b7fab656468025c2043903f597" + logic_hash = "e8ebc5de081e2d1e653493a2d85699ebfb5227b7fab656468025c2043903f597" score = 75 quality = 90 tags = "INFO, FILE" @@ -51842,13 +51842,13 @@ rule REVERSINGLABS_Cert_Blocklist_0323Cc4E38735B0E6Efba76Ea25C73B7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "01ce740e-4335-5bff-a240-b0ff4d4e1926" + id = "0f3889d5-fb57-5745-999e-7dff0ddf7ee9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14260-L14276" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_48bda7f61c9705ae70add3940f10d65fc7f7a776cec91a244f0e5bde07303831" + logic_hash = "48bda7f61c9705ae70add3940f10d65fc7f7a776cec91a244f0e5bde07303831" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51867,13 +51867,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F9Aca069Ac1B6Bfb0E14861Ec857Bf6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8da9feac-18c1-598e-8531-5440be611d28" + id = "b78e3bc2-5b65-507a-9183-148f97baa3e8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14278-L14294" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d7c9a471455768a00deeb73900bf80a98f0b2c9da1fd09d568e2998deaf404d2" + logic_hash = "d7c9a471455768a00deeb73900bf80a98f0b2c9da1fd09d568e2998deaf404d2" score = 75 quality = 90 tags = "INFO, FILE" @@ -51892,13 +51892,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E9D26Dcf703Ca3B140D7E7Ad48312E2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4afee2f5-2c00-5f8c-8947-660ffaeb1207" + id = "3ad650b2-45ea-5324-b8dc-b48094ae2376" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14296-L14312" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d8f70ba61509f3df34705bea0bfcb4cce3e92a33f0f1b65315d886eb5592f152" + logic_hash = "d8f70ba61509f3df34705bea0bfcb4cce3e92a33f0f1b65315d886eb5592f152" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -51917,13 +51917,13 @@ rule REVERSINGLABS_Cert_Blocklist_4E2523E76Ea455941E75Fb8240474A75 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1973b4c4-2140-5e54-ba08-d5b81d405168"
+ id = "be5e6f35-6177-50bb-82ea-55628acda4c2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14314-L14330"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e89f722345fda82fd894d34169d1463997ae1d567d46badbf3138faa04cf8fa4"
+ logic_hash = "e89f722345fda82fd894d34169d1463997ae1d567d46badbf3138faa04cf8fa4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -51942,13 +51942,13 @@ rule REVERSINGLABS_Cert_Blocklist_6102468293Ba7308D17Efb43Ad6Bfb58 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "36991b89-9834-5072-b0c6-e9f9584c3075"
+ id = "bcf0f1cc-44f2-5498-b9d7-9ad3f38e33bc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14332-L14348"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c1ae1562595ac6515a071a16195b46db6fad4ee0fe9757d366ee78b914e1de7f"
+ logic_hash = "c1ae1562595ac6515a071a16195b46db6fad4ee0fe9757d366ee78b914e1de7f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -51967,13 +51967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Ded1A7Ff6Da152A98A57A2F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "125fad94-de39-5947-95f1-ebec16e726dd"
+ id = "033c9ce3-1676-5ad1-9ec1-08b3ffc585bb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14350-L14366"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_20ec1e8e0570eb216304fd8453df315a26d9c170224177c325c10cbefc1993fb"
+ logic_hash = "20ec1e8e0570eb216304fd8453df315a26d9c170224177c325c10cbefc1993fb"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -51992,13 +51992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ce65Ea057B975D2C17Eaf2C2297B1Eb : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c4db1fbd-3bcd-5880-8374-29f8490ecc70"
+ id = "f86fbd6f-1635-56d7-b390-e067f81b8705"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14368-L14384"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e17988cb2503e285cfe2ea74d7bc61c577d828e14fd5d8d8062e469dc75c449e"
+ logic_hash = "e17988cb2503e285cfe2ea74d7bc61c577d828e14fd5d8d8062e469dc75c449e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52017,13 +52017,13 @@ rule REVERSINGLABS_Cert_Blocklist_5D085A9A288549D09Edc4941 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b1a0b2fb-ba22-5536-ba1f-d175f99e0e16"
+ id = "8fa1f434-2061-5131-9378-58c584eff447"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14386-L14402"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_dff7c2d727acca753b030d05028590e1a5577121bb2b4c0dcfcb70b4c9d77cbf"
+ logic_hash = "dff7c2d727acca753b030d05028590e1a5577121bb2b4c0dcfcb70b4c9d77cbf"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52042,13 +52042,13 @@ rule REVERSINGLABS_Cert_Blocklist_7D20Dec3797A1Ac30649Ebb184265B79 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "471a73e2-bbf5-5b22-af10-8950c7c59eaa"
+ id = "5344bda2-bc11-5700-a0f7-52792c5bb87a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14404-L14420"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_78c0575a1c9ecf37ef5bac0612c20f96b8641875b0ba786979adc8a77f001a5e"
+ logic_hash = "78c0575a1c9ecf37ef5bac0612c20f96b8641875b0ba786979adc8a77f001a5e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52067,13 +52067,13 @@ rule REVERSINGLABS_Cert_Blocklist_187D92861076E469B5B7A19E2A9Fd4Ba : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b8bc636f-6119-556a-839d-d5678a2736cb"
+ id = "0a156a49-c737-5bdb-9178-34121af490d6"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14422-L14438"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7383a7fb31a0a913dff1740015ff702642fbb41d8e5a528a8684c80e66026e9d"
+ logic_hash = "7383a7fb31a0a913dff1740015ff702642fbb41d8e5a528a8684c80e66026e9d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52092,13 +52092,13 @@ rule REVERSINGLABS_Cert_Blocklist_199A9476Feca3C004Ff889D34545De07 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "07e338f4-df4c-5a0e-9f2d-195f06ab2256"
+ id = "4bb98380-70e5-5ad9-adb2-2e6e10f35258"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14440-L14456"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_39c6efefcbd78d5e08ffd8d3989cab3bdf273a1847b2a961f9e68c9ee95e85b6"
+ logic_hash = "39c6efefcbd78d5e08ffd8d3989cab3bdf273a1847b2a961f9e68c9ee95e85b6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52117,13 +52117,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Efe65 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "494c4607-9ecd-5c55-b171-94b6c8f7a23a"
+ id = "e402e3b4-a598-504d-85b8-8c1994cb51fc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14458-L14474"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f849b6899b6766807cfddf99ecb809fe923f35f04de09b62235da352ce6e6e24"
+ logic_hash = "f849b6899b6766807cfddf99ecb809fe923f35f04de09b62235da352ce6e6e24"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52142,13 +52142,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Af7E2B6A3Deb99291Dcaf66 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d1a5c8d5-17d4-55c6-9eb6-8d32b57fafa3"
+ id = "f9c18796-995e-58f8-8406-9adcad143ae7"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14476-L14492"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_270b5655a0f54abceb520eaca714ed4f6d4de720883e2759acd5bb2f027dfd2b"
+ logic_hash = "270b5655a0f54abceb520eaca714ed4f6d4de720883e2759acd5bb2f027dfd2b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52167,13 +52167,13 @@ rule REVERSINGLABS_Cert_Blocklist_45E27C4Dfa5E6175566A13B1B6Ddf3F5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ffbdeff5-4fbc-567d-9563-67c142f384e1"
+ id = "b4ab6397-5e15-5eb3-9f5d-658c5e3a7e3d"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14494-L14510"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9bcbb84207984b259463482f094bf0f3815f0d74317b6b864dab44769ff5e7e8"
+ logic_hash = "9bcbb84207984b259463482f094bf0f3815f0d74317b6b864dab44769ff5e7e8"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52192,13 +52192,13 @@ rule REVERSINGLABS_Cert_Blocklist_37D36A4E61C0Ac68Ceb8Bfcef2Dbf283 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "600fbb01-f65b-51f2-a269-684cc4cb00e6"
+ id = "8fc73b48-6797-558a-8265-9aca396e899f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14512-L14528"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_41e126600aae5646b808ed0a4294faa9a63e47842e9cde4fee9e5e65919af7ee"
+ logic_hash = "41e126600aae5646b808ed0a4294faa9a63e47842e9cde4fee9e5e65919af7ee"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52217,13 +52217,13 @@ rule REVERSINGLABS_Cert_Blocklist_4321De10738278B93683Ca542407F103 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "8b5ecd67-93aa-50db-b753-86e16884ab15"
+ id = "bf800655-cde4-59fa-9574-1055522fe074"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14530-L14546"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2787375605310877891ef924268f4660d1c8aa020e00674c1b1d7eb3c4f5b2fb"
+ logic_hash = "2787375605310877891ef924268f4660d1c8aa020e00674c1b1d7eb3c4f5b2fb"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52242,13 +52242,13 @@ rule REVERSINGLABS_Cert_Blocklist_2A6B2Df210Be14F4E18E10C7 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "33037c70-449b-5f5a-ae73-1cbd0fe4650c"
+ id = "150773ee-5d85-522d-a693-63bb6a7d1de2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14548-L14564"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_24ae1664c35b7947e2e638bf620d9ab572c70df9cdc1403cc00b422a45ff9194"
+ logic_hash = "24ae1664c35b7947e2e638bf620d9ab572c70df9cdc1403cc00b422a45ff9194"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52267,13 +52267,13 @@ rule REVERSINGLABS_Cert_Blocklist_412Ab2A50E8028Ddcbc499Ddf45F2045 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d29ea38d-8442-5982-8bee-60f4f5c4f60a"
+ id = "aabb3a66-5677-5359-9d81-92c8d4c7d910"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14566-L14582"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a5b85d13dee51d68af28394ecee3dcc2efe7add4d26c2a8033d1855b33ac6271"
+ logic_hash = "a5b85d13dee51d68af28394ecee3dcc2efe7add4d26c2a8033d1855b33ac6271"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52292,13 +52292,13 @@ rule REVERSINGLABS_Cert_Blocklist_0747F6A8C3542F954B113Fd98C7607Cf : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "87373ffa-d416-5816-8c6f-c3153e89a588"
+ id = "de5fbb40-7d41-5f3e-97c9-a6882c19ebb5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14584-L14600"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_9d5e5c98f3ef372532cfc4f544d5d3f620dc2e49d8b6e1c96df29d2a38042019"
+ logic_hash = "9d5e5c98f3ef372532cfc4f544d5d3f620dc2e49d8b6e1c96df29d2a38042019"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52317,13 +52317,13 @@ rule REVERSINGLABS_Cert_Blocklist_2572B484Fa0A61Be7288D785D7Bda7D3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0d512280-5702-5502-854e-110c0adcc670"
+ id = "b1d71baa-9100-512d-91f4-7286a740e5f2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14602-L14618"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d6b23ba706a640a1e76ad7ab0a70c845c9366ac8355eea5439f76f6993c9c6be"
+ logic_hash = "d6b23ba706a640a1e76ad7ab0a70c845c9366ac8355eea5439f76f6993c9c6be"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52342,13 +52342,13 @@ rule REVERSINGLABS_Cert_Blocklist_6726Bd04204746C46857887F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6792a104-d47c-523d-890f-eebee8adc6c3"
+ id = "ef882d82-f535-57c3-9d45-8d47ecc7f607"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14620-L14636"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_11d25dff7e05e6f97725e919cc6c978d7f2e64a91cf04b72461c71d592dfc2dc"
+ logic_hash = "11d25dff7e05e6f97725e919cc6c978d7f2e64a91cf04b72461c71d592dfc2dc"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52367,13 +52367,13 @@ rule REVERSINGLABS_Cert_Blocklist_4463D8B31E0F87C14233D4D0D2C487A0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ced47c95-f379-5a36-9c96-a4f12e195c46"
+ id = "eefd6fa2-7ed7-51d0-bddd-90f0727a93cc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14638-L14654"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_04ce664fceb4a617294e860d5364d8a4ce8e055fd2baebb8be69f258d9c70ac7"
+ logic_hash = "04ce664fceb4a617294e860d5364d8a4ce8e055fd2baebb8be69f258d9c70ac7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52392,13 +52392,13 @@ rule REVERSINGLABS_Cert_Blocklist_387982605E542D6D52F231Ca6F5657Cc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "aea4f488-2be7-5a28-b119-8de650059a68"
+ id = "2d5731e1-b18b-544e-ae14-40d70b679618"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14656-L14672"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_d55cfd45bc0d330c0ed433a882874e4633ffbaa0d68288bea9058fe269d75ed9"
+ logic_hash = "d55cfd45bc0d330c0ed433a882874e4633ffbaa0d68288bea9058fe269d75ed9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52417,13 +52417,13 @@ rule REVERSINGLABS_Cert_Blocklist_E0134C41E7Eda6863C4Eee5B003976Dd : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "69fe4f68-a98c-514f-8103-e37f2066eedd"
+ id = "395c14fd-2fec-53ad-bc8e-2dd4bb3522d2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14674-L14692"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fbe34baf52e3fa7d7cdfcfaef9b8851c4cbeb46d17eeade61750e59cf0c13291"
+ logic_hash = "fbe34baf52e3fa7d7cdfcfaef9b8851c4cbeb46d17eeade61750e59cf0c13291"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52442,13 +52442,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B47A4739Dd8Ffe81D9B5307 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "713a879b-0562-5db0-9ad2-12ceb74aa7fe"
+ id = "9688b091-9a77-59c2-b7f9-a8b652201b8f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14694-L14710"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5f35f520d4af26fa648553894a5b0db043d0c32302d94f531b6cb48691396a92"
+ logic_hash = "5f35f520d4af26fa648553894a5b0db043d0c32302d94f531b6cb48691396a92"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52467,13 +52467,13 @@ rule REVERSINGLABS_Cert_Blocklist_4F5A9Bf75Da76B949645475473793A7D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4c2528be-50e0-56bd-8df0-9e79f7f3d4d2"
+ id = "90cdf420-bdfc-509a-a64f-f30710f09f3b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14712-L14728"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8c58d30b1b6ef80409d9da5f5f4bc26a8818b01cc388b5966c8b68ed0e4c5a2a"
+ logic_hash = "8c58d30b1b6ef80409d9da5f5f4bc26a8818b01cc388b5966c8b68ed0e4c5a2a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52492,13 +52492,13 @@ rule REVERSINGLABS_Cert_Blocklist_081Df56C9A48D02571F08907 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2ed5d1fc-93dc-50c5-8dca-29d88ce9c551"
+ id = "4f4fb099-406a-5def-9a26-46c6807cfe7f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14730-L14746"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_25d91f09e0731ab09a05855442b72589eb30e1c7d5e4c0a7af760eea540d786f"
+ logic_hash = "25d91f09e0731ab09a05855442b72589eb30e1c7d5e4c0a7af760eea540d786f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52517,13 +52517,13 @@ rule REVERSINGLABS_Cert_Blocklist_77D5C1A3E623575999C74409Dc19753C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1082c8f3-65e8-57e5-8d7d-f45445b7e571"
+ id = "8f8ce24d-8330-509a-a7a1-2727c6f8bdd9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14748-L14764"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_54921ce39a0876511b33ac6fa088c3342e2ea7fa037423fe72825bfe9c83bce6"
+ logic_hash = "54921ce39a0876511b33ac6fa088c3342e2ea7fa037423fe72825bfe9c83bce6"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52542,13 +52542,13 @@ rule REVERSINGLABS_Cert_Blocklist_E9756B3F38B1172Ea89Fdbdfdba5F979 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e7d23767-3855-5d5f-9afe-05cdb469a430"
+ id = "77d7470c-0c60-5ef4-b1d9-35642c147afe"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14766-L14784"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_997a9433f907896d82f22ae323bf9cfe9aa04a2a49c5505e98adbb34277fcc15"
+ logic_hash = "997a9433f907896d82f22ae323bf9cfe9aa04a2a49c5505e98adbb34277fcc15"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52567,13 +52567,13 @@ rule REVERSINGLABS_Cert_Blocklist_09Fb28 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0dc6599e-9add-5823-89cd-7fe3f84f9a1e"
+ id = "e7701457-c6cd-5b20-b227-8a9cdcde8213"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14786-L14802"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5ed65d33b73977e869460ba51271aff94811fa2f41e4a2993c47233add2f38dd"
+ logic_hash = "5ed65d33b73977e869460ba51271aff94811fa2f41e4a2993c47233add2f38dd"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52592,13 +52592,13 @@ rule REVERSINGLABS_Cert_Blocklist_197Dc32D915458953562D2Fe78Bf2468 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "db15dea9-d670-571d-85b0-c544c570fce0"
+ id = "9c25410f-6a3d-5e6e-b270-ccec3be34e80"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14804-L14820"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e61284a74765592fe97b90ca1c260efa46ea31286e6d09ab32d6c664b8271f2a"
+ logic_hash = "e61284a74765592fe97b90ca1c260efa46ea31286e6d09ab32d6c664b8271f2a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52617,13 +52617,13 @@ rule REVERSINGLABS_Cert_Blocklist_7C0Be3D14787351E3156F5F37F2B3663 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1a814dfa-21ed-53c2-b31a-7e6159a0d12c"
+ id = "14a292da-36c1-5a37-b27e-20c982e44c25"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14822-L14838"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_66c2cd84fccedd2afef00495c49d0c2844e2e5e190e6a859d2970e8ddb4a35c2"
+ logic_hash = "66c2cd84fccedd2afef00495c49d0c2844e2e5e190e6a859d2970e8ddb4a35c2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52642,13 +52642,13 @@ rule REVERSINGLABS_Cert_Blocklist_05054Fdea356F3Dd7Db479Fa : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "36dd4606-2c92-5718-8bec-850b8e700dab"
+ id = "c78d42bc-f8ca-579a-af49-ba9c7b63ef07"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14840-L14856"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_02ec52e060a6b8b3edfad0a1f5b1f2d6c409645d5233612d0d353ad74bcd4568"
+ logic_hash = "02ec52e060a6b8b3edfad0a1f5b1f2d6c409645d5233612d0d353ad74bcd4568"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52667,13 +52667,13 @@ rule REVERSINGLABS_Cert_Blocklist_08Aaa069E92517F21Ce67Ca713F6Ea63 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "9758a8b0-bf03-526d-9346-d2784f22b5bb"
+ id = "d468530e-8a51-583e-a108-e409f0144165"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14858-L14874"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_28ad7e9c75a701425003cde4a7eb10fa471394628cd5004412778d8d7cddb50b"
+ logic_hash = "28ad7e9c75a701425003cde4a7eb10fa471394628cd5004412778d8d7cddb50b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52692,13 +52692,13 @@ rule REVERSINGLABS_Cert_Blocklist_1B7B54E0Dd4D7E45A0B46834De52658D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e8ab312c-e192-507f-97f1-38fbe226be45"
+ id = "376da749-3cd4-5e37-b1ee-013e839f98ce"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14876-L14892"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_5febbce8c39440bfc4846f509f0b1dd4f71a8b4dc24fa18afb561d26e53c2446"
+ logic_hash = "5febbce8c39440bfc4846f509f0b1dd4f71a8b4dc24fa18afb561d26e53c2446"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52717,13 +52717,13 @@ rule REVERSINGLABS_Cert_Blocklist_B63E4299D0B0E2Dcdaeb976167A23235 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6c082d8d-cb84-5bb4-a6d2-7fa935b9d9fc"
+ id = "44af31cc-e0c9-5f3f-9645-a0453bc81e62"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14894-L14912"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_da7415d0bc0245dea6a4ec325da5140c79c723c20fb7c04ff14f59a3089a5c88"
+ logic_hash = "da7415d0bc0245dea6a4ec325da5140c79c723c20fb7c04ff14f59a3089a5c88"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52742,13 +52742,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Dabae616705F5A51152Eac48423F354 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "cceeb5bc-dd0f-5360-ad5a-1c4d60f4ed8b"
+ id = "8b050402-d5d3-5733-9a72-02386d850a04"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14914-L14930"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0bb14ececa3a78e1a2e71cfdee8bc57678251b15151d156ef5fa754b2438ee35"
+ logic_hash = "0bb14ececa3a78e1a2e71cfdee8bc57678251b15151d156ef5fa754b2438ee35"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52767,13 +52767,13 @@ rule REVERSINGLABS_Cert_Blocklist_50D08F3C9Bf86Fba52Cf592B4Fe6Eacf : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c20c204a-2510-5111-92aa-36b38ff4996c"
+ id = "f315cdda-4b95-534d-94db-9a04e2da6385"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14932-L14948"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ca613e4b45b9bb1ef7564b9fc6321bccc0f683298de692a3db2bf841db9010ef"
+ logic_hash = "ca613e4b45b9bb1ef7564b9fc6321bccc0f683298de692a3db2bf841db9010ef"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52792,13 +52792,13 @@ rule REVERSINGLABS_Cert_Blocklist_7C7Fc3616F3157A28F702Cc1Df275Dcd : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "7fb866fd-b542-5619-ac6a-5e7d4753922e"
+ id = "78d2adb9-fc1c-5f48-80cb-3f1bd12b6ba5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14950-L14966"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_c2dcea21c7a3e3aef6408f11c23edbce6d8f655f298654552a607a9b0caabb28"
+ logic_hash = "c2dcea21c7a3e3aef6408f11c23edbce6d8f655f298654552a607a9b0caabb28"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52817,13 +52817,13 @@ rule REVERSINGLABS_Cert_Blocklist_73Ed1B2F4Bf8Dd37A8Ad9Bb775774592 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6ae10b54-cef2-59a1-8d76-77a02e22130e"
+ id = "19c9e100-b017-5b5c-8e8f-c94ea9e228c2"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14968-L14984"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_69865935e07ea255a5d690e170911b33574ea61550b00bebc2ceff91ba9a33da"
+ logic_hash = "69865935e07ea255a5d690e170911b33574ea61550b00bebc2ceff91ba9a33da"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52842,13 +52842,13 @@ rule REVERSINGLABS_Cert_Blocklist_211B5Dfe65Bc6F34Bc9D3A54 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "301e01ac-2c13-596b-9a67-11d02eecd0db"
+ id = "5181b6e4-6a25-58f6-88c5-0eae98250648"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L14986-L15002"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_cf2e4c0dd98efb77c28b63641196c83e60afc0d6ab64802743c351581506dbb5"
+ logic_hash = "cf2e4c0dd98efb77c28b63641196c83e60afc0d6ab64802743c351581506dbb5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52867,13 +52867,13 @@ rule REVERSINGLABS_Cert_Blocklist_5400D1C1406528B1Ef625976 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "23de6ff7-d94d-527c-9fb1-a47aacff6138"
+ id = "2b35f2db-ebf1-5533-858c-644dbd6dfb2b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15004-L15020"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_fbdd37e050d68c4287e897f050a673aea071df105a35b07475d3233da3f03feb"
+ logic_hash = "fbdd37e050d68c4287e897f050a673aea071df105a35b07475d3233da3f03feb"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52892,13 +52892,13 @@ rule REVERSINGLABS_Cert_Blocklist_013472D7D665557Bfa0Dc21B350A361B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d181bff1-6265-5d47-85bf-26cb0f553a25"
+ id = "9b63f06d-9808-5936-aad2-d387c74eccdd"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15022-L15038"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ab908ef0fca56753bcba8bc85e2fdf5859b4e226c179ec5c6eb6eb3dc4014a8e"
+ logic_hash = "ab908ef0fca56753bcba8bc85e2fdf5859b4e226c179ec5c6eb6eb3dc4014a8e"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52917,13 +52917,13 @@ rule REVERSINGLABS_Cert_Blocklist_66C758A22Bfbbce327616815616Ddd07 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "56159231-f06d-57ba-a6fd-b913a027947d"
+ id = "4a7130ad-8b66-52a1-afd2-6d10776b4451"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15040-L15056"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_37f0f64e2d84ef6591e1f07a05abca35b37827d26c828269fb5f38d8546a60a7"
+ logic_hash = "37f0f64e2d84ef6591e1f07a05abca35b37827d26c828269fb5f38d8546a60a7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52942,13 +52942,13 @@ rule REVERSINGLABS_Cert_Blocklist_E61B0366D940896430Bcfe3E93Baac5B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "9025cf63-6274-597f-9c54-5adbd3f40eaf"
+ id = "24eb38c1-48a5-5d9b-a42d-345c4fda6c36"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15058-L15076"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_1b1fd0c2237446ab22c7359d1e89d822a4b9b6ad345447740154d7d52635c2ea"
+ logic_hash = "1b1fd0c2237446ab22c7359d1e89d822a4b9b6ad345447740154d7d52635c2ea"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52967,13 +52967,13 @@ rule REVERSINGLABS_Cert_Blocklist_6294B8Acc35Dea7D32A95Ac5D4536F8F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "88b72c24-de02-50f6-af2f-7d4533a42b6c"
+ id = "bc380123-20fc-55de-ad1c-4f13ac173cc9"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15078-L15094"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ac92ff8e533121071a620ca5280ae66629576f9c4af9831ddac5bb487e4348af"
+ logic_hash = "ac92ff8e533121071a620ca5280ae66629576f9c4af9831ddac5bb487e4348af"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -52992,13 +52992,13 @@ rule REVERSINGLABS_Cert_Blocklist_485E4626C32493C16283Cfd9E30D17Ad : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "b047f50b-0aaf-55ff-8bbd-0aab08884564"
+ id = "7e6834e5-ce32-5ba6-82cf-99d7b90fb4f0"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15096-L15112"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_faf860786e8473493d24abf6e61cf0b906e98d786516be6d2098181368214020"
+ logic_hash = "faf860786e8473493d24abf6e61cf0b906e98d786516be6d2098181368214020"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53017,13 +53017,13 @@ rule REVERSINGLABS_Cert_Blocklist_D0312F9177Cd46B943Df3Ef22Db4608B : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e856c8fb-2c6e-534f-bb30-e469f5ec15f2"
+ id = "b36ba3c9-4a64-505a-ae27-ec8ee969dc29"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15114-L15132"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2eb955e91c927980cee031c6284e48bad315e891c32cdaf41b844090e841c44d"
+ logic_hash = "2eb955e91c927980cee031c6284e48bad315e891c32cdaf41b844090e841c44d"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53042,13 +53042,13 @@ rule REVERSINGLABS_Cert_Blocklist_202702 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "cb88737f-3370-5990-b3c6-a765a9d3ae60"
+ id = "befb8867-37d6-5b0a-9801-c069b92f8edc"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15134-L15150"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_bc097e97c1c4c4a71cbf66be811636fecfa23682cb2cc47ab1fcd680a646fb14"
+ logic_hash = "bc097e97c1c4c4a71cbf66be811636fecfa23682cb2cc47ab1fcd680a646fb14"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53067,13 +53067,13 @@ rule REVERSINGLABS_Cert_Blocklist_369A02E5D90B2649040E7F87 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0442a302-2c79-52e1-accd-44962339af9a"
+ id = "2b81466f-3eb1-5c12-8878-9257dde968fb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15152-L15168"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_e2a2e231914f166410580a42ca9d4aac18c5cba94d1f11d22e7acd6d375851d8"
+ logic_hash = "e2a2e231914f166410580a42ca9d4aac18c5cba94d1f11d22e7acd6d375851d8"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53092,13 +53092,13 @@ rule REVERSINGLABS_Cert_Blocklist_60497070Ff4A83Bc87Bdea24Da5B431D : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "d80b8435-311e-5a42-a830-1413dc300b28"
+ id = "510ab702-103b-5863-ac9a-46a917879e72"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15170-L15186"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_30998e3f5299a37cdee83b1232249b84dbb3c154ef99237da5ce1b16f9db5da3"
+ logic_hash = "30998e3f5299a37cdee83b1232249b84dbb3c154ef99237da5ce1b16f9db5da3"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53117,13 +53117,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A333E : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ad94e250-1cd1-57c5-8e04-9b9ab98f446d"
+ id = "5eaac242-ca22-5c73-9027-308d351080bf"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15188-L15204"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_f76d21e0ae2cf9b28825c813fc509d533c10aba38f8f0c2884365047c1272c1f"
+ logic_hash = "f76d21e0ae2cf9b28825c813fc509d533c10aba38f8f0c2884365047c1272c1f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53142,13 +53142,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cb6519B2528D006D1Da987153Dad2B3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "eb68bdc7-bc08-5990-a901-83d6aca820a2"
+ id = "774e28f7-46ba-533d-a73c-00d2536c7d2b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15206-L15222"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_776402fc3a7de4843373bc1981f965fe9c2a9f1fe2374b142a96952fd05a591b"
+ logic_hash = "776402fc3a7de4843373bc1981f965fe9c2a9f1fe2374b142a96952fd05a591b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53167,13 +53167,13 @@ rule REVERSINGLABS_Cert_Blocklist_621E696C3A6371E77A678Cbf0Ee34Ab2 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0d57ef1b-adfa-5139-b594-c838c3e91286"
+ id = "606749dc-f4ef-526a-8583-486401866759"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15224-L15240"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_67c9fd92681d6dd1172509113e167e74e07f1f86fd62456758b3e3930180b528"
+ logic_hash = "67c9fd92681d6dd1172509113e167e74e07f1f86fd62456758b3e3930180b528"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53192,13 +53192,13 @@ rule REVERSINGLABS_Cert_Blocklist_21B991 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "2383e664-f818-5d58-9a52-c47d2a50302e"
+ id = "333a0901-21e7-5b4a-8daa-6a04fc2c4e86"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15242-L15258"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_54ca9b19adfc9357a3fb74f0670ad929319c4d06a7de7ae400f8285a31052276"
+ logic_hash = "54ca9b19adfc9357a3fb74f0670ad929319c4d06a7de7ae400f8285a31052276"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53217,13 +53217,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Cc37De5Dbed097F98F56Dbc : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "e047ff92-dab8-5dd6-a944-da5029f9fd70"
+ id = "8c362133-a30f-599d-88e0-a1448433178a"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15260-L15276"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_a2d04275b9fe37308c8f1dca75f4cc3c4a8985930f901e1f46e3ddc2977eea32"
+ logic_hash = "a2d04275b9fe37308c8f1dca75f4cc3c4a8985930f901e1f46e3ddc2977eea32"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53242,13 +53242,13 @@ rule REVERSINGLABS_Cert_Blocklist_50F66Ab0D7Ed19B69D48F635E69572Fa : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "104a1b03-f087-5196-9d02-d14de8d21ae5"
+ id = "9938b4c5-4a2b-5f4a-92a0-28c3519b1ed3"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15278-L15294"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_28f71c0572e769d4a0cb289071912bc79cddfd98a3a8161c5400c7bee7090bf5"
+ logic_hash = "28f71c0572e769d4a0cb289071912bc79cddfd98a3a8161c5400c7bee7090bf5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53267,13 +53267,13 @@ rule REVERSINGLABS_Cert_Blocklist_11212F502836A784752160351Defb136Cf09 : INFO FI
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "597d0b5d-1be6-585d-8d07-dfb30b500438"
+ id = "7609083d-145b-5594-a04b-72c2862873eb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15296-L15312"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_63d4c1aaafdf6de14d0ae78035644cf6b0fefab8b0063d2566ca38af9f9498d2"
+ logic_hash = "63d4c1aaafdf6de14d0ae78035644cf6b0fefab8b0063d2566ca38af9f9498d2"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53292,13 +53292,13 @@ rule REVERSINGLABS_Cert_Blocklist_2C16Be9A7Ce2A23Ab7A4B4Eb7Da3400C : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "9d4c474f-a684-5c02-b4f2-05bbaf36851c"
+ id = "4e17aed7-fd76-549f-bcf7-84c97efc44e4"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15314-L15330"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_917f324cbe91718efc9b2f41ef947fa8f1a501dde319936774d702d57b1e6b37"
+ logic_hash = "917f324cbe91718efc9b2f41ef947fa8f1a501dde319936774d702d57b1e6b37"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53317,13 +53317,13 @@ rule REVERSINGLABS_Cert_Blocklist_22Accad235Fb1Ac7422Ebe5Ea7Ac9Bc5 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "0d13dc14-2c84-55b0-bd1f-4086f424c257"
+ id = "218543f3-298f-5038-8fa9-3abeda9e4d8f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15332-L15348"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_b348c502aeae036f6d17283260ed4479427f89c8c25f2b6d59e137e90694dbe4"
+ logic_hash = "b348c502aeae036f6d17283260ed4479427f89c8c25f2b6d59e137e90694dbe4"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53342,13 +53342,13 @@ rule REVERSINGLABS_Cert_Blocklist_4D29757C4Fbfc32B97091D96E3723002 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "95edd9f4-cda9-5f87-8d95-c9d995962094"
+ id = "e1834597-4e45-5866-97f4-e00c79190930"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15350-L15366"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_78ede4b02cb1b07500cd0c4f1f33da598938940d0f58430edda00d79b19b16a5"
+ logic_hash = "78ede4b02cb1b07500cd0c4f1f33da598938940d0f58430edda00d79b19b16a5"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53367,13 +53367,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A949Ef03D9Dd2D150B24B274Ff6D7B4 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "41adf049-7cfb-5f5f-bcf4-1ac7d16f6035"
+ id = "6ea47017-1296-5409-8ff2-ef69434233ff"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15368-L15384"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_88c63a921a300e1b985d084c3ab1a2485713b4c674dafd419d092e5562f121d7"
+ logic_hash = "88c63a921a300e1b985d084c3ab1a2485713b4c674dafd419d092e5562f121d7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53392,13 +53392,13 @@ rule REVERSINGLABS_Cert_Blocklist_954D0577D5Ce8999E0387A5364829F66 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "62e9febe-fdf7-5a96-b721-2739e5fc290d"
+ id = "70e770dd-95fd-5273-b6ee-9bb5eea30e3b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15386-L15404"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_84ddc08a0a55200f644778a0e3482f15e82d74c524f12a7ad91b1c3d4acfc731"
+ logic_hash = "84ddc08a0a55200f644778a0e3482f15e82d74c524f12a7ad91b1c3d4acfc731"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53417,13 +53417,13 @@ rule REVERSINGLABS_Cert_Blocklist_Df5121Dc99D1Ab6B7E5229F6832123Ef : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "4448b62d-8c44-5a4b-b887-da4934ba1893"
+ id = "8dfc50be-7316-5a52-937b-4551aa642b7e"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15406-L15424"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_3b5e5b81890f1dea3dc0858cade54e7f88a21861818be79c3e7fba066f80d491"
+ logic_hash = "3b5e5b81890f1dea3dc0858cade54e7f88a21861818be79c3e7fba066f80d491"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53442,13 +53442,13 @@ rule REVERSINGLABS_Cert_Blocklist_760Cef386B63406751Ae83A9Eae92342 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "793fbe35-45cd-5105-814f-5a56f1533721"
+ id = "c2cbd1fd-ef68-5128-9c45-88b73a49130f"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15426-L15442"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_43b56736afe081a1215db67b933413d7fbafbfc1be8213b330668578921ebca7"
+ logic_hash = "43b56736afe081a1215db67b933413d7fbafbfc1be8213b330668578921ebca7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53467,13 +53467,13 @@ rule REVERSINGLABS_Cert_Blocklist_5C2625Fa836A64F4882C56Cc7A45F0Ed : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1c67f200-60d6-5c17-ae27-e83a1fa8aaaa"
+ id = "db968865-fb1e-57b5-8968-6510e83c02ac"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15444-L15460"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_85e187684d62c33ef6f69323b837ef2d44facab8278b512d7bd6afd49eaed976"
+ logic_hash = "85e187684d62c33ef6f69323b837ef2d44facab8278b512d7bd6afd49eaed976"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53492,13 +53492,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Df6Fa580F84493C414Ee0E431086737 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "7a0fabd2-3b29-5414-aa6c-005b57f4f6fc"
+ id = "27afa64e-0c9e-58ca-a4e1-db97cde66427"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15462-L15478"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_ef244587c9eb1e1cb2f8a9c161e5dd9ff70e9764586f16e011334400ee400ed9"
+ logic_hash = "ef244587c9eb1e1cb2f8a9c161e5dd9ff70e9764586f16e011334400ee400ed9"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53517,13 +53517,13 @@ rule REVERSINGLABS_Cert_Blocklist_309D2E115F1Fe2993Ee2E063 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "ae735ab8-3c12-5363-afd8-28e1d3cc76bb"
+ id = "7182f3f2-7b2a-5c29-b7a9-607feafbe570"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15480-L15496"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_15fdb95fe5429cdc0263615c2b7c90d21f37b52954c5ce568c1293cd3a544730"
+ logic_hash = "15fdb95fe5429cdc0263615c2b7c90d21f37b52954c5ce568c1293cd3a544730"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53542,13 +53542,13 @@ rule REVERSINGLABS_Cert_Blocklist_90E33C1068F54913315B6Ce9311141B9 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "806002dc-f147-532e-a72a-864a33572755"
+ id = "61c5d5ed-ca2c-5f71-893b-4c933b37fa27"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15498-L15516"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4a97171c6dfaa8d249ab0be1ce264b596d266ff4697d869a4d1f90cc0e2c49b7"
+ logic_hash = "4a97171c6dfaa8d249ab0be1ce264b596d266ff4697d869a4d1f90cc0e2c49b7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53567,13 +53567,13 @@ rule REVERSINGLABS_Cert_Blocklist_3F15C3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "1e4ebeed-8b68-5253-916d-15a3eb100f5d"
+ id = "10bee456-21c0-51a0-988b-43daf65e596b"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15518-L15534"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_03ea946fa99ed7a6ab23cb26dbf514b6c062d63371c9e2a5ddf999acd1954955"
+ logic_hash = "03ea946fa99ed7a6ab23cb26dbf514b6c062d63371c9e2a5ddf999acd1954955"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53592,13 +53592,13 @@ rule REVERSINGLABS_Cert_Blocklist_285Eccbd1D0000E640B84307Ef88Cd9F : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c19afe42-8c78-5f3a-a2d5-ebe662620a69"
+ id = "4dc1523f-edc8-52e2-99aa-7389c0eb5e54"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15536-L15552"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_267df1c327b65938b2b82a53ec8345290659560c69c9a70f2866fe7bd73513a7"
+ logic_hash = "267df1c327b65938b2b82a53ec8345290659560c69c9a70f2866fe7bd73513a7"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53617,13 +53617,13 @@ rule REVERSINGLABS_Cert_Blocklist_55Ab71A3F9Dde3Ef20C788Dd1D5Ff6C3 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "5efde272-280e-52d1-9004-8e857cb3bc03"
+ id = "c8b5b632-26e6-5a78-99be-b50b1240dbec"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15554-L15570"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_4bee740eaf359462cd85c6232160c6b1fc3df67acfe731da9978f0b8a304a93f"
+ logic_hash = "4bee740eaf359462cd85c6232160c6b1fc3df67acfe731da9978f0b8a304a93f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53642,13 +53642,13 @@ rule REVERSINGLABS_Cert_Blocklist_4Beca26210737A5442Ff8B47 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "997a4895-b4c1-5216-8157-a9c4e88cb354"
+ id = "30570c07-9ba1-5b7c-a369-c6def80f9dc5"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15572-L15588"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_7a1130413ae8807dc1ec96a6b1c3bac705a1520f7268db2848b997f6f3f9fc9b"
+ logic_hash = "7a1130413ae8807dc1ec96a6b1c3bac705a1520f7268db2848b997f6f3f9fc9b"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53667,13 +53667,13 @@ rule REVERSINGLABS_Cert_Blocklist_0F203839A9C63B8798A7Cb31 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "3d6a258f-e472-5768-86cd-1d2c2db6728a"
+ id = "dc8428f3-ff28-5fcf-9855-f20c68973afe"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15590-L15606"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_604ba3fa671cc98e42caf80d07bc9650d193f898413517b46482f183b0f7008a"
+ logic_hash = "604ba3fa671cc98e42caf80d07bc9650d193f898413517b46482f183b0f7008a"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53692,13 +53692,13 @@ rule REVERSINGLABS_Cert_Blocklist_Dc992Ea8E6Bb4926931Df656D5Eef8A0 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "cade3f03-4bc6-50ef-bd18-559d8b062456"
+ id = "506b217e-ea82-5f14-880e-b6c0cbb001fb"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15608-L15626"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_2b261624677a1c4a1ef539106bedcef30f272fda3d833d4c8095e9797d592e1f"
+ logic_hash = "2b261624677a1c4a1ef539106bedcef30f272fda3d833d4c8095e9797d592e1f"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53717,13 +53717,13 @@ rule REVERSINGLABS_Cert_Blocklist_41Bd49Bb456644D8183B3Dae72Ec8F22 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "6267cf29-61d7-593c-9921-7bbacdcb5eca"
+ id = "4645eeae-2aea-59aa-a6bf-095bb9d0d711"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15628-L15644"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_0516af7b27d244f21c9cea62fe599725d412e385e34f5f3f4f618d565365d321"
+ logic_hash = "0516af7b27d244f21c9cea62fe599725d412e385e34f5f3f4f618d565365d321"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53742,13 +53742,13 @@ rule REVERSINGLABS_Cert_Blocklist_A8D40Da6708679C08Aebddea6D3F6B8A : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "c7bc8e95-aae7-5341-8dfe-11966ecdf33e"
+ id = "a4224bf1-1875-5b2c-b79d-998d3766d163"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15646-L15664"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_27ec32791eaeccb8aa95d023c4fc8943f0435c32d8a17bde98d7d0b02ba17e59"
+ logic_hash = "27ec32791eaeccb8aa95d023c4fc8943f0435c32d8a17bde98d7d0b02ba17e59"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53767,13 +53767,13 @@ rule REVERSINGLABS_Cert_Blocklist_307642E1F3A92C6Cc2E7Fb6E18F2Ddcb : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "7602e88e-0ce4-5bac-846e-e5ee1d9baf03"
+ id = "6dd35efb-daea-5668-a01d-f5b80371b04c"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15666-L15682"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_8c96fbd10672b0b258a80f3abaf0320540c5ff0a4636f011cfe7cfa8ccc482d0"
+ logic_hash = "8c96fbd10672b0b258a80f3abaf0320540c5ff0a4636f011cfe7cfa8ccc482d0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53792,13 +53792,13 @@ rule REVERSINGLABS_Cert_Blocklist_52379131A1C69263C795A7D398Db0997 : INFO FILE
 meta:
 description = "Certificate used for digitally signing malware."
 author = "ReversingLabs"
- id = "22b2e5b4-0fe1-5ceb-96de-ddf17c9a330b"
+ id = "478994c1-c1c4-5f11-b78f-fe237b687bef"
 date = "2023-11-08"
 modified = "2023-11-08"
 reference = "ReversingLabs"
 source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15684-L15700"
 license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE"
- logic_hash = "v1_sha256_245e994024e08add755ec704b895286c115ac00eb5aeecde98fce96f35f6e9e0"
+ logic_hash = "245e994024e08add755ec704b895286c115ac00eb5aeecde98fce96f35f6e9e0"
 score = 75
 quality = 90
 tags = "INFO, FILE"
@@ -53817,13 +53817,13 @@ rule REVERSINGLABS_Cert_Blocklist_44312Cb9A927B4111360762B4D4Bdd6D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "394edc06-9c9e-55f5-b5dd-b0878aff91ec" + id = "9bc1a8f4-36b7-52bd-9a65-fcd8ec2acf92" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15702-L15718" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8e34636ed815812af478dd01eacd5298fa2cfeb420ee2f45e055f557534cae71" + logic_hash = "8e34636ed815812af478dd01eacd5298fa2cfeb420ee2f45e055f557534cae71" score = 75 quality = 90 tags = "INFO, FILE" @@ -53842,13 +53842,13 @@ rule REVERSINGLABS_Cert_Blocklist_123A5074069162F4Ed68Fc7D48F464C2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "3c45d36b-2cb1-5666-a4f6-94180cd4a926" + id = "601ddd98-8cd5-5c52-a59a-d4a0556fc316" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15720-L15736" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f55835c7404edab96bc5c8fe3844f3380f1f6bc8b43da1d51213de899629e8f5" + logic_hash = "f55835c7404edab96bc5c8fe3844f3380f1f6bc8b43da1d51213de899629e8f5" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -53867,13 +53867,13 @@ rule REVERSINGLABS_Cert_Blocklist_64Eb04B8Def382B5Efa75F63E0E85Ad0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c6b4bed3-1086-59e8-b59e-f7a05add5d98" + id = "5f4da614-3bc8-5ae8-b04b-e4b3972522ff" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15738-L15754" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_03adb8a9bf2a8f0633b34d5c39816b47e60b9e598208f7de79ad9d9a7ab8cc5e" + logic_hash = "03adb8a9bf2a8f0633b34d5c39816b47e60b9e598208f7de79ad9d9a7ab8cc5e" score = 75 quality = 90 tags = "INFO, FILE" @@ -53892,13 +53892,13 @@ rule REVERSINGLABS_Cert_Blocklist_76D8D908Eed2F9857Dc5676A680Ceac9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dbc78450-e2a4-55f2-89ba-0b398f5f8c08" + id = "f7eae73e-6b12-5507-846e-d3b409243adf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15756-L15772" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_87f9930967d5832d3003672eeb89669b54feed1ca2ea5eec478c50e3cb7a7571" + logic_hash = "87f9930967d5832d3003672eeb89669b54feed1ca2ea5eec478c50e3cb7a7571" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -53917,13 +53917,13 @@ rule REVERSINGLABS_Cert_Blocklist_083E3F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f9e36ab4-57b1-58da-9cac-95a3865d6e23" + id = "b9a1b1a7-2333-5a6f-85c9-6c19d34c4aa4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15774-L15790" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6977d48a2e31235d780cba1b84b39a90e409ee8ea5555e01cbc34989ecd3882d" + logic_hash = "6977d48a2e31235d780cba1b84b39a90e409ee8ea5555e01cbc34989ecd3882d" score = 75 quality = 90 tags = "INFO, FILE" @@ -53942,13 +53942,13 @@ rule REVERSINGLABS_Cert_Blocklist_79227311Acdd575759198Dbd3544Cca7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4d5710b5-578d-5ed6-8dd9-82c2e85455d9" + id = "350f7c25-f20f-5e8f-aa52-163cf3de3be1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15792-L15808" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_73e920d51faf7150329ce189d1693c29a2285a02d54fee27e5af5afe3238295b" + logic_hash = "73e920d51faf7150329ce189d1693c29a2285a02d54fee27e5af5afe3238295b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -53967,13 +53967,13 @@ rule REVERSINGLABS_Cert_Blocklist_13Ae38C9Ae21A8576C0D024D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "434e8e84-dc01-55a9-b7b6-7e632252a202" + id = "416c5eb3-bc6d-5fb0-a7fe-58cdd6c7c39d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15810-L15826" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7be892eaf9e2e31442f7ef5ffd296dd17696d6c95d20eb2758ede2c553b05f38" + logic_hash = "7be892eaf9e2e31442f7ef5ffd296dd17696d6c95d20eb2758ede2c553b05f38" score = 75 quality = 90 tags = "INFO, FILE" @@ -53992,13 +53992,13 @@ rule REVERSINGLABS_Cert_Blocklist_557B0Abf44045827F1F36Efbc96271Ec : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "61b66c82-103f-5f49-a570-00beb3694491" + id = "64db0b43-b73f-594d-9f04-2cdf76df7c9b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15828-L15844" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_633e8d6b44d62443d991738fa82b9742ac5634051bba5d0cdb3d6b35d66bdc8f" + logic_hash = "633e8d6b44d62443d991738fa82b9742ac5634051bba5d0cdb3d6b35d66bdc8f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54017,13 +54017,13 @@ rule REVERSINGLABS_Cert_Blocklist_7903870184E18A80899740845A15E2B2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d01a0062-8bd9-5dd0-9bd0-05f9248a7c29" + id = "a55bed5b-906f-5c9d-bddd-b4d53d6351de" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15846-L15862" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ad32491b463d0b3b4c85ed78e81bb69802e5f90ae835f73e270b28f02b36f840" + logic_hash = "ad32491b463d0b3b4c85ed78e81bb69802e5f90ae835f73e270b28f02b36f840" score = 75 quality = 90 tags = "INFO, FILE" @@ -54042,13 +54042,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Fba9B373F812C16Aef531D4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e05740d2-9f9d-5d48-b04c-2dcfcf262737" + id = "129e981a-064a-5930-bd45-d03ed008451c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15864-L15880" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8b7340359778e3aa56f6ea300973af74eb77efd54108d2ca2b6b8f04d89a1c39" + logic_hash = "8b7340359778e3aa56f6ea300973af74eb77efd54108d2ca2b6b8f04d89a1c39" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54067,13 +54067,13 @@ rule REVERSINGLABS_Cert_Blocklist_616A5205238590B01D7B761E444E4Ad9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0dfc5744-d4e7-5ad1-bd75-5ac7292a0d3d" + id = "09e9e481-c767-53d3-9af1-11dec636cafb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15882-L15898" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_463ccd3ace9021569a7a6d5fcbaadf34b15d2b07baf3df526b271b547cf2bbc5" + logic_hash = "463ccd3ace9021569a7a6d5fcbaadf34b15d2b07baf3df526b271b547cf2bbc5" score = 75 quality = 90 tags = "INFO, FILE" @@ -54092,13 +54092,13 @@ rule REVERSINGLABS_Cert_Blocklist_29Be2278113Dd062Eadca32De6B242D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fe82288d-f41e-57aa-a395-a9ef9f8bfdf4" + id = "a2dfd6e0-4475-537a-859e-126dd4a02af7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15900-L15916" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3df7afba9eda9022a64647ce2a91119d0bdf6fe5b164a1e82b1819409024fbee" + logic_hash = "3df7afba9eda9022a64647ce2a91119d0bdf6fe5b164a1e82b1819409024fbee" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54117,13 +54117,13 @@ rule REVERSINGLABS_Cert_Blocklist_05F70A557Afd4A443F44D0Baf0Bc8C60 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f7d24640-2b8a-5738-b07f-639f9b440d0f" + id = "9ce5b6c7-fede-508f-a7d0-f9d0b8838645" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15918-L15934" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3945f515b65ca3ffb6c2b64c884bb2790d703a277e1a5ba128c81bc63ed20a25" + logic_hash = "3945f515b65ca3ffb6c2b64c884bb2790d703a277e1a5ba128c81bc63ed20a25" score = 75 quality = 90 tags = "INFO, FILE" @@ -54142,13 +54142,13 @@ rule REVERSINGLABS_Cert_Blocklist_4E0665D61997072294A70C662F72Eae3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eea7f482-4a5b-532d-80a4-f48fb51b35be" + id = "1370a3b5-a254-5197-ac85-5b33e8d9fa38" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15936-L15952" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f07cdfd522db0a92fe1dba30f158b2c89bb5424bdcdfda50ae42fcfddeac19ba" + logic_hash = "f07cdfd522db0a92fe1dba30f158b2c89bb5424bdcdfda50ae42fcfddeac19ba" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54167,13 +54167,13 @@ rule REVERSINGLABS_Cert_Blocklist_74702Dff5D4056B847D009A2265Fb1B3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "715aa8a8-5d61-5e26-84b6-1d3bea017a67" + id = "55f1e321-ce70-519a-9a39-4278162edbef" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15954-L15970" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8acc57bbf334a48043dbee6fab7b7a54a44801b2ccd0ccd9d14194689c75c021" + logic_hash = "8acc57bbf334a48043dbee6fab7b7a54a44801b2ccd0ccd9d14194689c75c021" score = 75 quality = 90 tags = "INFO, FILE" @@ -54192,13 +54192,13 @@ rule REVERSINGLABS_Cert_Blocklist_353B1Cf7866Ee0B0Acdd532D0Bb1A220 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f320f38d-8002-59b3-a04d-2ff76a0a0d96" + id = "20b95b80-94a9-51c3-9c6c-2a0ef75b0c0b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15972-L15988" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_aa8f0fe1517134b6e562c2accc46420a4f0afd77c3a7bbe98d551c54e68ed4c7" + logic_hash = "aa8f0fe1517134b6e562c2accc46420a4f0afd77c3a7bbe98d551c54e68ed4c7" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54217,13 +54217,13 @@ rule REVERSINGLABS_Cert_Blocklist_093Ff2870Fa33Eaf47259457Ee58C2E0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "fa66acb4-6005-5e8a-bd57-38fbdbafdbaa" + id = "3fd458e6-bf5a-51f3-9b46-344e9f8e0ffe" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L15990-L16006" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1aafe547b8645f07498bac6f0ffd6d5aefbac160aa7a6fb8d1d891e70701ce99" + logic_hash = "1aafe547b8645f07498bac6f0ffd6d5aefbac160aa7a6fb8d1d891e70701ce99" score = 75 quality = 90 tags = "INFO, FILE" @@ -54242,13 +54242,13 @@ rule REVERSINGLABS_Cert_Blocklist_719C17A823839Dca813Ee85888B3B39A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d4eefd60-9a79-5588-9637-b89c4e75023a" + id = "ca5b9ec0-2c46-50db-bc47-b3c6c61e990e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16008-L16024" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a160ada48048e11632082e7538459554d77d31539e53709cd897f3c454af8236" + logic_hash = "a160ada48048e11632082e7538459554d77d31539e53709cd897f3c454af8236" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54267,13 +54267,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Dc86Ebf5863568E2237B2D89582D705 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "29879b94-696d-5fac-bc5d-d2447df9cf3f" + id = "24741dc7-6252-5964-a69f-bef4b2dfe1a7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16026-L16042" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f24cdf890bd0b51a83ca333c37bc22068ab1f7e7ef36b36d94a133773097bd37" + logic_hash = "f24cdf890bd0b51a83ca333c37bc22068ab1f7e7ef36b36d94a133773097bd37" score = 75 quality = 90 tags = "INFO, FILE" @@ -54292,13 +54292,13 @@ rule REVERSINGLABS_Cert_Blocklist_214Df59Fe53874Cc011Dd45727035F51 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a57cbe6a-0c6a-5320-85e6-74557bb86c51" + id = "9265bb94-b183-523f-91bf-9bc76ab63d6b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16044-L16060" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_96269f41f82621aee029f343acfce70c781bf7713588dfe78fac35a3d1d3f7cd" + logic_hash = "96269f41f82621aee029f343acfce70c781bf7713588dfe78fac35a3d1d3f7cd" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54317,13 +54317,13 @@ rule REVERSINGLABS_Cert_Blocklist_37Ca4F66Fdcc8732992723199859886C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "67f1f0c7-4fb1-502c-ac12-ac67123ab544" + id = "9dd87769-73d0-5299-b6ed-936703abc78e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16062-L16078" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_190dffc36c17c27c43337d7914683b7bab3ff18a50de5278ed2a66f04b9e395d" + logic_hash = "190dffc36c17c27c43337d7914683b7bab3ff18a50de5278ed2a66f04b9e395d" score = 75 quality = 90 tags = "INFO, FILE" @@ -54342,13 +54342,13 @@ rule REVERSINGLABS_Cert_Blocklist_Be2F22C152Bb218B898C4029056816A9 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0bd4fe17-1f1f-5838-b4f8-ed1a1c6e615e" + id = "d5ca9d9d-e80f-56c1-90b7-ef931e61ba92" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16080-L16098" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_cd99e4d97d9a60f409cf072bbae254486c307ae3cb6e34c5cd9648c972615f36" + logic_hash = "cd99e4d97d9a60f409cf072bbae254486c307ae3cb6e34c5cd9648c972615f36" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54367,13 +54367,13 @@ rule REVERSINGLABS_Cert_Blocklist_Fc7065Abf8303Fb472B8Af85918F5C24 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "650f86cf-fc1f-565b-ac98-e47cbb84cf02" + id = "1aebd2be-b22c-5102-a449-27025f61cce6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16100-L16118" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f57ae32d7efd9cd4c0a207897e30b871dc32405c5b9ad844c9bb7eee4827cc5a" + logic_hash = "f57ae32d7efd9cd4c0a207897e30b871dc32405c5b9ad844c9bb7eee4827cc5a" score = 75 quality = 90 tags = "INFO, FILE" @@ -54392,13 +54392,13 @@ rule REVERSINGLABS_Cert_Blocklist_698Ff388Adb50B88Afb832E76B0A0Ad1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6a592d2c-427c-5ece-87af-e0e3bb914654" + id = "8a6f4a15-08a5-5ca5-a743-55075726e744" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16120-L16136" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b29bc69c8fd9543dba8f7d2a18d52b1bcbb8a8ae6f553d8b232ca74709b9addc" + logic_hash = "b29bc69c8fd9543dba8f7d2a18d52b1bcbb8a8ae6f553d8b232ca74709b9addc" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54417,13 +54417,13 @@ rule REVERSINGLABS_Cert_Blocklist_391Ae38670Ab188A5De26E07 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "01e16423-6364-5ee6-a013-e00e99aaccee" + id = "aca9ac98-1c3b-5231-b6e5-97e3b8fec6de" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16138-L16154" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f7ccfadab650ae3b6f950c9d1b35f86aa4a4e6c05479c014ab18881a405678f0" + logic_hash = "f7ccfadab650ae3b6f950c9d1b35f86aa4a4e6c05479c014ab18881a405678f0" score = 75 quality = 90 tags = "INFO, FILE" @@ -54442,13 +54442,13 @@ rule REVERSINGLABS_Cert_Blocklist_D08D83Ff118Df3777E371C5C482Cce7B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c98cd3f0-18b6-5e6b-9cf1-e488307fee2f" + id = "5acd2e61-1c04-5cc5-8773-25856fc163c4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16156-L16174" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5fdaf01c6a23057ab976e3ad2a8b40558b16693161410b0f30d7b884de7e3985" + logic_hash = "5fdaf01c6a23057ab976e3ad2a8b40558b16693161410b0f30d7b884de7e3985" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54467,13 +54467,13 @@ rule REVERSINGLABS_Cert_Blocklist_06Ce209477F1Ac19A2049Bdc5846A831 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "04409e81-53a3-5773-ba92-e397dfd07a81" + id = "21c16e2c-bc0c-5e1d-bc44-6d7c4afc34cb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16176-L16192" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_24474c4033a8cad1690160da64b75a1eec570f56e830967256c19574bde59384" + logic_hash = "24474c4033a8cad1690160da64b75a1eec570f56e830967256c19574bde59384" score = 75 quality = 90 tags = "INFO, FILE" @@ -54492,13 +54492,13 @@ rule REVERSINGLABS_Cert_Blocklist_447F449121B883211663B7B7E2Ead868 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "86d4e9fd-3c05-538f-9042-3ed6cb2ab773" + id = "a3ee3618-0e20-5d9c-a514-9020607bd1b0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16194-L16210" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f473a939d1a27cf53c09d0e4a3753a9444ae3674a55d5b0feafeef6b75dd487f" + logic_hash = "f473a939d1a27cf53c09d0e4a3753a9444ae3674a55d5b0feafeef6b75dd487f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54517,13 +54517,13 @@ rule REVERSINGLABS_Cert_Blocklist_6366A9Ac97Df4De17366943C9B291Aaa : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "0139ec87-00b8-54f8-ba8d-0e933a7fbc65" + id = "77d6756b-e948-5771-9ec1-f5159b0e792c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16212-L16228" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_dcdfb78d4d779b1cabcdf5b2da1fa27aaa9faaed4d4967630ce45f30304fe227" + logic_hash = "dcdfb78d4d779b1cabcdf5b2da1fa27aaa9faaed4d4967630ce45f30304fe227" score = 75 quality = 90 tags = "INFO, FILE" @@ -54542,13 +54542,13 @@ rule REVERSINGLABS_Cert_Blocklist_66E3F0B4459F15Ac7F2A2B44990Dd709 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eaa42b63-e6a2-5cc7-a6d2-e45f1bf3ea23" + id = "2fc1303f-e559-59ba-a1b9-b74a154d8805" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16230-L16246" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a563f1485ae8887c46f45d1366f676894c7db55954671825b37372f786ce0d3d" + logic_hash = "a563f1485ae8887c46f45d1366f676894c7db55954671825b37372f786ce0d3d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54567,13 +54567,13 @@ rule REVERSINGLABS_Cert_Blocklist_610039D6349Ee531E4Caa3A65D100C7D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a15f1b09-678a-505f-b555-4b4c2f5776ef" + id = "de018b47-9fbd-590e-b3d1-b50029496718" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16248-L16264" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e6b6a90cf40283d2e4d2d9c5732a078c9f2f117e3639ab5c0dd6c5323cb7c9ff" + logic_hash = "e6b6a90cf40283d2e4d2d9c5732a078c9f2f117e3639ab5c0dd6c5323cb7c9ff" score = 75 quality = 90 tags = "INFO, FILE" @@ -54592,13 +54592,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Caa0D0Dadf32A2404A75195Ae47820A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e6b48549-c07d-5ef9-a87d-cf973935bf99" + id = "5c1f82a4-c64d-556c-8c7a-213582e7bd5a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16266-L16282" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ab71e485c0b541fae79d246d34b1f4fb146747c1c3fb723aa87a7a32378ff974" + logic_hash = "ab71e485c0b541fae79d246d34b1f4fb146747c1c3fb723aa87a7a32378ff974" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54617,13 +54617,13 @@ rule REVERSINGLABS_Cert_Blocklist_140D2C515E8Ee9739Bb5F1B2637Dc478 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "6ac84678-ff45-5ab1-9127-182168715673" + id = "69f3ee46-87d2-5630-ba7c-4ed2924cf650" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16284-L16300" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e6724fe80959592c8741621ce604518d3e964cee5941257a99dda78b9c8bbdac" + logic_hash = "e6724fe80959592c8741621ce604518d3e964cee5941257a99dda78b9c8bbdac" score = 75 quality = 90 tags = "INFO, FILE" @@ -54642,13 +54642,13 @@ rule REVERSINGLABS_Cert_Blocklist_58015Acd501Fc9C344264Eace2Ce5730 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1bc5d209-9243-5b74-8f49-07e4450d4b2d" + id = "28a56bcf-1f13-5478-a6d5-7595464da198" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16302-L16318" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7c1bec5059d40fc326bb08775888ed169abc746228eeb42c897f479992c5acab" + logic_hash = "7c1bec5059d40fc326bb08775888ed169abc746228eeb42c897f479992c5acab" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54667,13 +54667,13 @@ rule REVERSINGLABS_Cert_Blocklist_0B7279068Beb15Ffe8060D2C56153C35 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "415507fb-2ce3-50ac-b3d7-13afd351a997" + id = "78bfa550-d85e-5776-a65d-ff0039abd2c4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16320-L16336" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ca00f1adacd6ff16e54b85be38c3a4545a10c76548e0647f7f3f6cfa4dff412d" + logic_hash = "ca00f1adacd6ff16e54b85be38c3a4545a10c76548e0647f7f3f6cfa4dff412d" score = 75 quality = 90 tags = "INFO, FILE" @@ -54692,13 +54692,13 @@ rule REVERSINGLABS_Cert_Blocklist_0Bc0F18Da36702E302Db170D91Dc9202 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ada35248-eb0e-5246-9c51-1798c9f0cc05" + id = "977d9686-d811-5416-b090-d4f45d7935d0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16338-L16354" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d9ee2cf63a4edb28f894ea49a5b4df9b818d5764d9a74721b1d5222f53859462" + logic_hash = "d9ee2cf63a4edb28f894ea49a5b4df9b818d5764d9a74721b1d5222f53859462" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54717,13 +54717,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ca9B6F49B8B41204A174C751C73Dc393 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "95cd0496-94b7-54eb-b293-83453e75fce6" + id = "d09658e4-44e4-5c10-a866-ba486000f1b6" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16356-L16374" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0b6558a7a1b78d471aaadced959ba91e411df50e3cc08e447fe9bd97f9e5cced" + logic_hash = "0b6558a7a1b78d471aaadced959ba91e411df50e3cc08e447fe9bd97f9e5cced" score = 75 quality = 90 tags = "INFO, FILE" @@ -54742,13 +54742,13 @@ rule REVERSINGLABS_Cert_Blocklist_Aaf65B8E7A2E68Bc8C9E8F27331B795C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "06ee2521-277f-577a-8ccc-2eccbea2236e" + id = "ccb36b8b-301d-5cc2-9c8e-4956b92c1116" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16376-L16394" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_390d074da09d8e5b4bb2a6f4157a5125474ab5c22de62729d4fc4075edade289" + logic_hash = "390d074da09d8e5b4bb2a6f4157a5125474ab5c22de62729d4fc4075edade289" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54767,13 +54767,13 @@ rule REVERSINGLABS_Cert_Blocklist_C6Ed0Efe2844Fa44Aae350C6845C3331 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ecbdbf31-8788-52b1-9b28-cab285826998" + id = "d748bea4-8d2b-53b2-8184-ea0972ad9199" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16396-L16414" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5c4afcd8ceb5cc2f1df2303183ede2081b86365eeee7d4e1319a8ed9a45bbf0b" + logic_hash = "5c4afcd8ceb5cc2f1df2303183ede2081b86365eeee7d4e1319a8ed9a45bbf0b" score = 75 quality = 90 tags = "INFO, FILE" @@ -54792,13 +54792,13 @@ rule REVERSINGLABS_Cert_Blocklist_Ede6Cfbf9Fa18337B0Fdb49C1F693020 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "63f578d7-4542-5c95-a1a8-f74cc5cbd925" + id = "0389d5ba-4535-5277-9c77-bd178e66417f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16416-L16434" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_a7f18d0028cbc0001a196bc915b7881244a5833dd65f96dd7d2e8ab1b0622e0c" + logic_hash = "a7f18d0028cbc0001a196bc915b7881244a5833dd65f96dd7d2e8ab1b0622e0c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54817,13 +54817,13 @@ rule REVERSINGLABS_Cert_Blocklist_Eda0F47B3B38E781Cdf6Ef6Be5D3F6Ee : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "99f7b743-34e1-557a-a8c9-90d7c3c9f166" + id = "308a73cd-a142-56ad-8dca-808ab455b43e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16436-L16454" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_af3cd543a6feec3118ba4e5fdc8455584aa763bd8339f036ab332977fc0fb20e" + logic_hash = "af3cd543a6feec3118ba4e5fdc8455584aa763bd8339f036ab332977fc0fb20e" score = 75 quality = 90 tags = "INFO, FILE" @@ -54842,13 +54842,13 @@ rule REVERSINGLABS_Cert_Blocklist_5Da173Eb1Ac76340Ac058E1Ff4Bf5E1B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b5c4b52d-ea26-5c1d-9863-affcb3700524" + id = "0f9fa6c6-372d-5948-94ba-9e3fee956647" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16456-L16472" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_71da69fca275caead6a822e6587e0a07fc882f712afeafe18f4a595c269f6737" + logic_hash = "71da69fca275caead6a822e6587e0a07fc882f712afeafe18f4a595c269f6737" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54867,13 +54867,13 @@ rule REVERSINGLABS_Cert_Blocklist_1380A7Ccf2Bf36Bc496B00D8 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b7908367-65f0-5b9c-ba1f-659549dcdfc1" + id = "dc473451-e1a9-53b4-acf6-9ff8036ecf31" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16474-L16490" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_88708d7d139a9d6e92f78df460b527a1ae6a404d0bcccb801c8c8cb1263a46c6" + logic_hash = "88708d7d139a9d6e92f78df460b527a1ae6a404d0bcccb801c8c8cb1263a46c6" score = 75 quality = 90 tags = "INFO, FILE" @@ -54892,13 +54892,13 @@ rule REVERSINGLABS_Cert_Blocklist_02Eaf27E6F1575E365Fc7Fe4E0Be43F7 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "897993eb-ce09-5ad9-8644-3c90e5499681" + id = "5d1aad80-9444-5cc3-8ff4-b70fb089cda0" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16492-L16508" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_333a43bdfbc400727b8eae1efeb03484b959fc45ed6b8b0dd5e6a553fa27e87f" + logic_hash = "333a43bdfbc400727b8eae1efeb03484b959fc45ed6b8b0dd5e6a553fa27e87f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54917,13 +54917,13 @@ rule REVERSINGLABS_Cert_Blocklist_6Eb02Ac2Beb9611Ed57Eb12E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9c03fe30-fcca-527e-86fb-51876f17d82f" + id = "64350364-fe74-54df-886d-1197146e00e7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16510-L16526" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7f2a6c61ae82fec6829924d11190da776aebdd3d72c7e001fdc29b215649261c" + logic_hash = "7f2a6c61ae82fec6829924d11190da776aebdd3d72c7e001fdc29b215649261c" score = 75 quality = 90 tags = "INFO, FILE" @@ -54942,13 +54942,13 @@ rule REVERSINGLABS_Cert_Blocklist_010000000001297Dba69Dd : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b73a522d-d2fd-5eca-bb3c-a8fce0d47e6f" + id = "f6a63e79-4dde-590f-ad65-ba9cc29ff48c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16528-L16544" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bbc3e740d5043d1811ff44c7366c69192fb78c95215b30fd4f4c782812ad591c" + logic_hash = "bbc3e740d5043d1811ff44c7366c69192fb78c95215b30fd4f4c782812ad591c" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -54967,13 +54967,13 @@ rule REVERSINGLABS_Cert_Blocklist_7Def22Ef4C645B1Decfb36B6D3539Dbf : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c264def8-feff-5322-adaf-0988887bf460" + id = "aeb10a64-633c-5fc6-87af-360e1a402ad4" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16546-L16562" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_655ed87ee65f937c7cec95085fe612f8d733e0853c87aa50b4aa1fda9e5f7a5d" + logic_hash = "655ed87ee65f937c7cec95085fe612f8d733e0853c87aa50b4aa1fda9e5f7a5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -54992,13 +54992,13 @@ rule REVERSINGLABS_Cert_Blocklist_3E39C2Ccc494438Bb8C2560F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "07c63f08-cef6-5407-9e36-798169eb3f9d" + id = "87477ad5-fc7e-5407-9c6e-bef3d4d8981d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16564-L16580" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_3b4a55149b3895eeea5f96297d1fc9787eb74e2fcef8170148ef1a2ced334311" + logic_hash = "3b4a55149b3895eeea5f96297d1fc9787eb74e2fcef8170148ef1a2ced334311" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55017,13 +55017,13 @@ rule REVERSINGLABS_Cert_Blocklist_6E3B09F43C3A0Fd53B7D600F08Fae2B5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "df472d21-5192-583c-bcf5-85287836128b" + id = "66025c6e-5d85-5660-87f1-3094a536bbe2" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16582-L16598" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_86b06519858dce4b77cb870905297a1fd1c767053fd07c0b0469eb7fc3ba6b32" + logic_hash = "86b06519858dce4b77cb870905297a1fd1c767053fd07c0b0469eb7fc3ba6b32" score = 75 quality = 90 tags = "INFO, FILE" @@ -55042,13 +55042,13 @@ rule REVERSINGLABS_Cert_Blocklist_21220646C639D62C16992F46 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e6515650-5853-527f-86e7-f58caafd3519" + id = "b80b1832-6bfa-555b-8462-cd17f9e5e0e1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16600-L16616" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_87202c29867e6410d59c1e3b5ab09a24ebac5c68c61d7b932b91a91dcf3707e2" + logic_hash = "87202c29867e6410d59c1e3b5ab09a24ebac5c68c61d7b932b91a91dcf3707e2" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55067,13 +55067,13 @@ rule REVERSINGLABS_Cert_Blocklist_738663F2C9E4Adb3Ad5306Aa5E7Cc548 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "1484186c-d978-5c47-8665-0adb6167f01b" + id = "9fa41321-9736-5e67-b561-005b6d893e3f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16618-L16634" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_518a22e31432ee42e6aceb861815f7f9e84f2430b7fb3a78b498e45c584584ab" + logic_hash = "518a22e31432ee42e6aceb861815f7f9e84f2430b7fb3a78b498e45c584584ab" score = 75 quality = 90 tags = "INFO, FILE" @@ -55092,13 +55092,13 @@ rule REVERSINGLABS_Cert_Blocklist_4280F2C8Ce1D98E5F8Da7Ecb005Eeae5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "51b1dd1e-66cc-5ac1-ab86-8ceffe8f9b85" + id = "559dc522-bc23-5716-b8ad-9e9df102936b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16636-L16652" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4cc8f00a9704f595f3e48375942a19cd6f8d6c0e53afc932a61f5a4326be4bcb" + logic_hash = "4cc8f00a9704f595f3e48375942a19cd6f8d6c0e53afc932a61f5a4326be4bcb" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55117,13 +55117,13 @@ rule REVERSINGLABS_Cert_Blocklist_2946397Be9C5Ae44E95C99Af : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "29be00dc-6f70-5626-b4fc-66def0d3498a" + id = "46bc3ade-544c-5ee1-8d5d-4b8a269120c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16654-L16670" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b7b4925482fcc47dea81eb3d84af31cc572f1b19080b98dda330b0bf6d7c80f4" + logic_hash = "b7b4925482fcc47dea81eb3d84af31cc572f1b19080b98dda330b0bf6d7c80f4" score = 75 quality = 90 tags = "INFO, FILE" @@ -55142,13 +55142,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Df453588177Cf1C0C297Ff4 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9979f0cc-69bc-5c71-8017-d9263b3a83b2" + id = "c3a18989-239e-56d7-b1c2-92895c02b7d8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16672-L16688" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b0c82388fd87a89841d190ce4020cc5a2ea21c9d765ceca6bc25d64162479231" + logic_hash = "b0c82388fd87a89841d190ce4020cc5a2ea21c9d765ceca6bc25d64162479231" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55167,13 +55167,13 @@ rule REVERSINGLABS_Cert_Blocklist_0619C5E39A4Fc60A32F9B07F6A4Ca328 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "f81cb5f0-7cd8-50f1-9683-3cd4539b5a1f" + id = "ae3ef9cf-4b67-5cb8-9c9b-3edb95da222c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16690-L16706" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_75e3dfd593d7fdc268de54430be617c015957a624f2ca36bc0036d4cbde5b686" + logic_hash = "75e3dfd593d7fdc268de54430be617c015957a624f2ca36bc0036d4cbde5b686" score = 75 quality = 90 tags = "INFO, FILE" @@ -55192,13 +55192,13 @@ rule REVERSINGLABS_Cert_Blocklist_2Bffef48E6A321B418041310Fdb9B0D0 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "7960333c-3d82-5dee-b6bc-72e55184bbcb" + id = "6a29551f-8359-5394-9acd-00c3b25d7064" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16708-L16724" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_30a079b55b75b292f7af4f5ae99184cbb3cca1ce4cf20f2f5c961b533673db00" + logic_hash = "30a079b55b75b292f7af4f5ae99184cbb3cca1ce4cf20f2f5c961b533673db00" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55217,13 +55217,13 @@ rule REVERSINGLABS_Cert_Blocklist_34Ec9565805F34204C6966Fb81E36Ba1 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "ec7546b2-6ade-5990-9d91-c8029639020e" + id = "bd032608-8622-5c7a-a3a7-808d73e611d7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16726-L16742" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e434a02f5b9b22a25d8fe7a0bb7bd81b1cd8bc5356b4b626e3bfceb3f554a085" + logic_hash = "e434a02f5b9b22a25d8fe7a0bb7bd81b1cd8bc5356b4b626e3bfceb3f554a085" score = 75 quality = 90 tags = "INFO, FILE" @@ -55242,13 +55242,13 @@ rule REVERSINGLABS_Cert_Blocklist_B2B934B7F01E0Ac1E577814992243709 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2e28d081-d43f-509b-a9ca-298078554509" + id = "19930e7b-09cb-5c04-b838-3d8d73ba194b" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16744-L16762" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_37b254ab76d144c09cc7b622dba59f5e372bf01ae12ce260a06143abb52062f6" + logic_hash = "37b254ab76d144c09cc7b622dba59f5e372bf01ae12ce260a06143abb52062f6" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55267,13 +55267,13 @@ rule REVERSINGLABS_Cert_Blocklist_3A1B397Fd9451E3B5891Fc69681Ed73D : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "b79d0be4-f0af-5e5a-8ac0-88ce6054ca3a" + id = "6bdba43f-4003-5807-9adc-20691fbc8d14" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16764-L16780" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ca43c7bacd8cb5a896c3135abf4a131bdb4a7f5093e64c8d1df743fad0c1c64a" + logic_hash = "ca43c7bacd8cb5a896c3135abf4a131bdb4a7f5093e64c8d1df743fad0c1c64a" score = 75 quality = 90 tags = "INFO, FILE" @@ -55292,13 +55292,13 @@ rule REVERSINGLABS_Cert_Blocklist_1Eb816Aa49E4894D9E9F78729E53Cd48 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "d4b117d2-3ef6-568b-9178-7c54d14e541d" + id = "d2e66765-bdf6-59ff-ac6c-1a82ecefa731" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16782-L16798" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_4e22568612aec050c7f78b81ba6749528a9c25c0ba43e14260a581a9bea7a2f0" + logic_hash = "4e22568612aec050c7f78b81ba6749528a9c25c0ba43e14260a581a9bea7a2f0" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55317,13 +55317,13 @@ rule REVERSINGLABS_Cert_Blocklist_383Ca88D6D9379C740609560 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bd72a9d8-f1a5-5588-ab24-f09fefe5085b" + id = "46166e9e-515d-530a-a651-59821d979f01" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16800-L16816" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ce41d046a7ca320d034fa226b5e8c22022cc6bfc97eb9ef294b1aca232aaacef" + logic_hash = "ce41d046a7ca320d034fa226b5e8c22022cc6bfc97eb9ef294b1aca232aaacef" score = 75 quality = 90 tags = "INFO, FILE" @@ -55342,13 +55342,13 @@ rule REVERSINGLABS_Cert_Blocklist_6731Cb1430F18B8C0C43Ab40E1154169 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "163f6cc5-b7cd-5674-a64a-db2ec244e4f6" + id = "df2423da-37ec-5adc-8497-2ac975b0b7ff" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16818-L16834" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_c05349166919ffc18ac6ecb61b822a8365f87a82164c5e110ef94345bdc4de6f" + logic_hash = "c05349166919ffc18ac6ecb61b822a8365f87a82164c5e110ef94345bdc4de6f" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55367,13 +55367,13 @@ rule REVERSINGLABS_Cert_Blocklist_159505E6456B9A9352F7C47168D89B96 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "eba19907-f92c-5cc3-a86d-8d8d8130334c" + id = "3d078c5d-e469-54f1-bd69-aebeec1c25f1" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16836-L16852" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d6d0d5c86dd88afa29fb3c7cc3c0ab2e3401637a23e062ee9bab693a715cf16f" + logic_hash = "d6d0d5c86dd88afa29fb3c7cc3c0ab2e3401637a23e062ee9bab693a715cf16f" score = 75 quality = 90 tags = "INFO, FILE" @@ -55392,13 +55392,13 @@ rule REVERSINGLABS_Cert_Blocklist_04A0E92B0B9Ebbb797Df6Ef52Bd5Ad05 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "2e7a0b23-ae62-5d9c-b77f-53c5b2868769" + id = "c6ba359e-4883-534d-bc86-8c063e54c92f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16854-L16870" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ff2a2d06c48bd3426fa42526d966152e3e7166c4170b4e08bb65ee5d876eda93" + logic_hash = "ff2a2d06c48bd3426fa42526d966152e3e7166c4170b4e08bb65ee5d876eda93" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55417,13 +55417,13 @@ rule REVERSINGLABS_Cert_Blocklist_25F222Ab2613Dc4270B2Aabc2519A101 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "5278ee3b-32d0-5bb2-aa6b-a66cc0506a6d" + id = "4458df2d-82c2-5377-9746-101c2de52913" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16872-L16888" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2c6673f6821c4ba11fc015cf3e9edefeb7c45209bc9dcd18501c4681444a9b9e" + logic_hash = "2c6673f6821c4ba11fc015cf3e9edefeb7c45209bc9dcd18501c4681444a9b9e" score = 75 quality = 90 tags = "INFO, FILE" @@ -55442,13 +55442,13 @@ rule REVERSINGLABS_Cert_Blocklist_212Ca239866F88C3D5B000B3004A569C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "4010ffe7-2b73-5458-bb75-96d6d8c8bd8f" + id = "b433cddc-25c3-5627-99b5-ff9bc7fa73ed" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16890-L16906" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_23ab2343b17dce74fb4166a690ca5dd300b3ed20d3a6b43b922f456410d3035d" + logic_hash = "23ab2343b17dce74fb4166a690ca5dd300b3ed20d3a6b43b922f456410d3035d" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55467,13 +55467,13 @@ rule REVERSINGLABS_Cert_Blocklist_18B700A319Aa98Ae71B279D4E8030B82 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "77ac5c41-8b2c-51ea-8f41-0d0863cbe4df" + id = "8d1a98aa-a895-5e79-905c-760166352d4f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16908-L16924" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_e201498acfd9afebc68321887a806bb5c1d74c64a7cd93530feae2a944bd30fa" + logic_hash = "e201498acfd9afebc68321887a806bb5c1d74c64a7cd93530feae2a944bd30fa" score = 75 quality = 90 tags = "INFO, FILE" @@ -55492,13 +55492,13 @@ rule REVERSINGLABS_Cert_Blocklist_169138A86954Be1D9B264F47 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "15f910d8-1283-5271-a378-a9282f8418b8" + id = "56653f72-39af-50e7-9908-e516f9b21084" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16926-L16942" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1584e39b4e2025611bcb7bbbd92b97d25d12ddbb1e5c282db87730a03f7f56b1" + logic_hash = "1584e39b4e2025611bcb7bbbd92b97d25d12ddbb1e5c282db87730a03f7f56b1" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55517,13 +55517,13 @@ rule REVERSINGLABS_Cert_Blocklist_33412168Eeb3C0E4C7Dd0508A9Ffecd5 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "22b40c83-1572-55c4-9150-7eb2dcac852b" + id = "db2ae33e-d3af-5200-ad15-824e29434e2c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16944-L16960" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d634af0637c3349fe1718ee807b8a75007ab46b141494331901a22ce54e9fc5d" + logic_hash = "d634af0637c3349fe1718ee807b8a75007ab46b141494331901a22ce54e9fc5d" score = 75 quality = 90 tags = "INFO, FILE" @@ -55542,13 +55542,13 @@ rule REVERSINGLABS_Cert_Blocklist_422Ab71Ac7Fb125Ad7171B0C99510B0E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "8a0209eb-1d20-5d1d-a4fc-a29ed279ea46" + id = "002e344e-a073-5d00-9488-d73fad51c66a" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16962-L16978" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_7366e5064a9a9f66260730575327e404eadea096ba3f6cf28c83c47bef9bca58" + logic_hash = "7366e5064a9a9f66260730575327e404eadea096ba3f6cf28c83c47bef9bca58" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55567,13 +55567,13 @@ rule REVERSINGLABS_Cert_Blocklist_6F18946E5B773B7E32D9E7B4Fb8D434C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c0044a6d-3b98-5a14-9ee5-3d88bdceb912" + id = "53205508-568c-5356-9717-2915c8f3806c" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16980-L16996" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fa285c17b43d1acdb05888074ecb16047209ade8f7f6191274f58eca7438dadf" + logic_hash = "fa285c17b43d1acdb05888074ecb16047209ade8f7f6191274f58eca7438dadf" score = 75 quality = 90 tags = "INFO, FILE" @@ -55592,13 +55592,13 @@ rule REVERSINGLABS_Cert_Blocklist_3596Dfc23B9A42C66700982250Da2906 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9215ee37-3c56-54f0-8031-506e51caeb7a" + id = "15c3551f-7b08-5e7f-a540-68b3eccac316" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L16998-L17014" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_1b69bf520fde5255069cf8752d5c67716e9bc297ddde1566551a563a563197ea" + logic_hash = "1b69bf520fde5255069cf8752d5c67716e9bc297ddde1566551a563a563197ea" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55617,13 +55617,13 @@ rule REVERSINGLABS_Cert_Blocklist_486Bbddc8C5Ee99F051Ecaeb3F99D2A3 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c6a2a350-8969-5785-af6a-3e2707dbd867" + id = "07b43dd7-e8f1-5b14-a0f4-42294b5b597e" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17016-L17032" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_75855e26ba4e01b56a551a006e789c6032cfb02c6f6125a9bdf8becb848db5b2" + logic_hash = "75855e26ba4e01b56a551a006e789c6032cfb02c6f6125a9bdf8becb848db5b2" score = 75 quality = 90 tags = "INFO, FILE" @@ -55642,13 +55642,13 @@ rule REVERSINGLABS_Cert_Blocklist_11211Eea9D0D1D1A325B5Eae1B2B1951120F : INFO FI meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "43b52d35-93b4-5fea-9d0e-fd0e20b3884d" + id = "09b8b3f3-a4aa-5584-b8d0-751cc87267bf" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17034-L17050" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bafab986605be61d25a6764042937bc5d8c55196ea8ea9aa9360764d9681351b" + logic_hash = "bafab986605be61d25a6764042937bc5d8c55196ea8ea9aa9360764d9681351b" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55667,13 +55667,13 @@ rule REVERSINGLABS_Cert_Blocklist_172Fea8Cb06Ffced6Bfac7F2F6B77754 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "25b24b0e-16de-568b-8138-ee26211bbc8c" + id = "0890bf55-ebd5-5b68-8047-14692a5f1ae7" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17052-L17068" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8e1e3e7d002ce084600c5444dc9b0bad8771370cb7919a3bb5ebc899040e4cf2" + logic_hash = "8e1e3e7d002ce084600c5444dc9b0bad8771370cb7919a3bb5ebc899040e4cf2" score = 75 quality = 90 tags = "INFO, FILE" @@ -55692,13 +55692,13 @@ rule REVERSINGLABS_Cert_Blocklist_3Ee50Bb98Fadca2D662A0920E76685A2 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "91cbe98e-d04b-556b-b9af-9c9e5a927587" + id = "5c35c73e-e4f6-5707-ad91-1db7c0a0ec81" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17070-L17086" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_d232923ed962fbf4a9a30890778c2380d6c6967a693c6f77c2f558bb4347e60e" + logic_hash = "d232923ed962fbf4a9a30890778c2380d6c6967a693c6f77c2f558bb4347e60e" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55717,13 +55717,13 @@ rule REVERSINGLABS_Cert_Blocklist_21Bfddb6A66435D1Adce2Ceb23Ed7C9A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "c1c1a81c-4cff-5522-a920-0f2cc68b31b2" + id = "2009c47b-8a15-50fd-a229-5e34244ede1f" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17088-L17104" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_22ad68974a1c6729da369c26372ba93c25ddf68df880580c727bf2d3ee2d3a86" + logic_hash = "22ad68974a1c6729da369c26372ba93c25ddf68df880580c727bf2d3ee2d3a86" score = 75 quality = 90 tags = "INFO, FILE" @@ -55742,13 +55742,13 @@ rule REVERSINGLABS_Cert_Blocklist_5B1C3F7Bbaa91Ca49B06A5C1004Ee5Be : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e33a0889-2d9c-51af-b7ce-8dd878e9e958" + id = "b78e7f2b-8122-5df6-ad79-393db9e0498d" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17106-L17122" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9a8d9acc87668a6fbd9fdd52b6ef69d18de8f19d8f3d3ca8eeb630c6e8c25c65" + logic_hash = "9a8d9acc87668a6fbd9fdd52b6ef69d18de8f19d8f3d3ca8eeb630c6e8c25c65" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55767,13 +55767,13 @@ rule REVERSINGLABS_Cert_Blocklist_0A2089 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "bcb3dc52-b157-50fe-a3f7-4b212a893f24" + id = "51e603bb-ef21-55e8-8f2b-94865f1213c9" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17124-L17140" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_07ce4d39af1e56fbbfa400cf139956826999043480f93c0fc43ed056f6420d7f" + logic_hash = "07ce4d39af1e56fbbfa400cf139956826999043480f93c0fc43ed056f6420d7f" score = 75 quality = 90 tags = "INFO, FILE" @@ -55792,13 +55792,13 @@ rule REVERSINGLABS_Cert_Blocklist_1F84E030A0Ed10D5Ffe2B81B : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "9332b833-3c37-5bbf-90a3-e73ae63e9b37" + id = "170dae5a-ed7e-5f20-9ccd-94724e4b2084" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17142-L17158" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_097655cb2965ae71efb905ddf20ed30c240d25e03d08a1b6c87b472533ccc9d8" + logic_hash = "097655cb2965ae71efb905ddf20ed30c240d25e03d08a1b6c87b472533ccc9d8" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55817,13 +55817,13 @@ rule REVERSINGLABS_Cert_Blocklist_88346267057C0A82E2F39851D1B9694C : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "71f13e2d-4280-5788-8e1d-ba17280d1b5a" + id = "3be920eb-7b71-53c4-94b7-0ffc88d14c59" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17160-L17178" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_60acdbad8ad3e1d4a863ce160d93abd0b5e2b214858cba84f7a1b907d2491486" + logic_hash = "60acdbad8ad3e1d4a863ce160d93abd0b5e2b214858cba84f7a1b907d2491486" score = 75 quality = 90 tags = "INFO, FILE" @@ -55842,13 +55842,13 @@ rule REVERSINGLABS_Cert_Blocklist_A46F9D8784778Baa48167C48Bbc56F30 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "dd7ec730-dba5-5ccb-ad92-a8e1b0e23451" + id = "72d36a5f-6599-5456-ac67-0589e37bd035" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17180-L17198" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fffb6309355bc6764b0ab033db5964599c86c9a2f6d8985975a07f6b3ebb40ed" + logic_hash = "fffb6309355bc6764b0ab033db5964599c86c9a2f6d8985975a07f6b3ebb40ed" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55867,13 +55867,13 @@ rule REVERSINGLABS_Cert_Blocklist_525B5529Db20D17A85Be284D6B7952Ea : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "e91e29fb-961d-59ca-8fac-e2b2666e12a9" + id = "52cdf082-7212-53e6-9e55-b86153e6afe8" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17200-L17216" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_8fd406004b634e4826659b1dff88c61074fd321969b9fd63ea45d8e9608b35f1" + logic_hash = "8fd406004b634e4826659b1dff88c61074fd321969b9fd63ea45d8e9608b35f1" score = 75 quality = 90 tags = "INFO, FILE" @@ -55892,13 +55892,13 @@ rule REVERSINGLABS_Cert_Blocklist_70Ae0E517D2Ef6D5Eed06B56730A1A9A : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "a49a5912-d381-586f-a930-c1d9afa8f52d" + id = "98c19385-555e-5827-b03c-59645ad2a101" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17218-L17234" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_017eed878daf706eb96b638a8d1f4428466bc1d00ce27f32628bd249a658a813" + logic_hash = "017eed878daf706eb96b638a8d1f4428466bc1d00ce27f32628bd249a658a813" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55917,13 +55917,13 @@ rule REVERSINGLABS_Cert_Blocklist_57C3717C5E2Ce9A2E0Cf0340C03F458E : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "405a5f4b-8f23-5d81-81d6-41c18a310cb7" + id = "47207784-5aee-5fa3-bed9-2c12d9932c38" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17236-L17252" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_fd710146874528c43ad8a9f847b7704c44ba4564cf79e20e6b23aa98b0ee2ea5" + logic_hash = "fd710146874528c43ad8a9f847b7704c44ba4564cf79e20e6b23aa98b0ee2ea5" score = 75 quality = 90 tags = "INFO, FILE" @@ -55942,13 +55942,13 @@ rule REVERSINGLABS_Cert_Blocklist_0761110Efe0B688C469D687512828C1F : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "00c04b44-9b83-59b6-a64f-b27e7b61e65d" + id = "e8575a71-124b-5040-91b1-ccad371e10da" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17254-L17270" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0ba60e1f58c7335ba5aa261031d09ee83a0ee51e05f8f26078b2a5c776ad0add" + logic_hash = "0ba60e1f58c7335ba5aa261031d09ee83a0ee51e05f8f26078b2a5c776ad0add" score = 75 quality = 90 tags = "INFO, FILE" 
@@ -55967,13 +55967,13 @@ rule REVERSINGLABS_Cert_Blocklist_08Aa03F385F870E3A6D243B74B1Dadf6 : INFO FILE meta: description = "Certificate used for digitally signing malware." author = "ReversingLabs" - id = "db67a5aa-7fa5-5f11-8add-b7cb75ee6c8a" + id = "64aa17fe-676d-5c6e-babc-15b5e8dc72bb" date = "2023-11-08" modified = "2023-11-08" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/certificate/blocklist.yara#L17272-L17288" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ef49a28a93d31c55dd2dfd3bec645f757a0a1a7eb8718ce92cf47bf9af126aed" + logic_hash = "ef49a28a93d31c55dd2dfd3bec645f757a0a1a7eb8718ce92cf47bf9af126aed" score = 75 quality = 90 tags = "INFO, FILE" @@ -55990,13 +55990,13 @@ rule REVERSINGLABS_Bytecode_MSIL_Infostealer_Gomorrahstealer : TC_DETECTION MALI meta: description = "Yara rule that detects GomorrahStealer infostealer." author = "ReversingLabs" - id = "b4125be8-065c-5e79-a077-eb64d74b6c24" + id = "f3c14d23-47a2-5b09-8f48-0c2f9350516a" date = "2024-11-27" modified = "2024-11-27" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/ByteCode.MSIL.Infostealer.GomorrahStealer.yara#L1-L111" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_75d86ea2ef9f24487ef54979508170651cd60abba6daa4c3117e20a77bb3b086" + logic_hash = "75d86ea2ef9f24487ef54979508170651cd60abba6daa4c3117e20a77bb3b086" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56087,13 +56087,13 @@ rule REVERSINGLABS_Win64_Infostealer_Daolpu : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects Daolpu infostealer." author = "ReversingLabs" - id = "3ef2721e-f125-554a-aa22-c324870cca9b" + id = "bf815556-6ccf-506a-b858-5f4c18282c05" date = "2024-08-26" modified = "2024-08-26" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win64.Infostealer.Daolpu.yara#L1-L322" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_5ffd0427c6c8e666cfabc48426e7771595a7024548706f37a1de3538e4e2d559" + logic_hash = "5ffd0427c6c8e666cfabc48426e7771595a7024548706f37a1de3538e4e2d559" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56385,13 +56385,13 @@ rule REVERSINGLABS_Win32_Infostealer_Lumarstealer : TC_DETECTION MALICIOUS MALWA meta: description = "Yara rule that detects LumarStealer infostealer." author = "ReversingLabs" - id = "1f7206a7-3f3f-54f8-b0ff-741ac988d5e1" + id = "a1358846-7cc2-53ac-89a9-c6c99f492284" date = "2023-12-07" modified = "2023-12-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.LumarStealer.yara#L1-L190" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_0bc9e12396b1e85f69b965e9ea50960c59c50aba40317fb4de8f6abd092ec7d2" + logic_hash = "0bc9e12396b1e85f69b965e9ea50960c59c50aba40317fb4de8f6abd092ec7d2" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56560,13 +56560,13 @@ rule REVERSINGLABS_Win32_Infostealer_Stealc : TC_DETECTION MALICIOUS MALWARE FIL meta: description = "Yara rule that detects StealC infostealer." author = "ReversingLabs" - id = "f8e00c44-6860-539b-8a54-09434ea67ef1" + id = "b53bbf15-3e94-513c-91a9-83dda421063b" date = "2023-06-07" modified = "2023-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.StealC.yara#L1-L57" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_bea1cf370150387eb185deff726e10e660e7eb571c20d22878def08b36f457bf" + logic_hash = "bea1cf370150387eb185deff726e10e660e7eb571c20d22878def08b36f457bf" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56611,13 +56611,13 @@ rule REVERSINGLABS_Win32_Infostealer_Multigrainpos : TC_DETECTION MALICIOUS MALW meta: description = "Yara rule that detects MultigrainPOS infostealer." author = "ReversingLabs" - id = "867670fd-531e-5ea8-bbf2-3c10f887d1b4" + id = "595c04af-802f-556d-b22b-23cac79b256e" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.MultigrainPOS.yara#L1-L88" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_9808c95b850a54677c4132057b8372cabf0159920b7e0e6834a83f0d39c088fa" + logic_hash = "9808c95b850a54677c4132057b8372cabf0159920b7e0e6834a83f0d39c088fa" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56695,13 +56695,13 @@ rule REVERSINGLABS_Win32_Infostealer_Projecthookpos : TC_DETECTION MALICIOUS MAL meta: description = "Yara rule that detects ProjectHookPOS infostealer." author = "ReversingLabs" - id = "b1dc1c2f-d5f4-53d5-8b1e-699e1878d033" + id = "dcb96a99-c8c0-5878-a3a5-fe3cfeec43c6" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/infostealer/Win32.Infostealer.ProjectHookPOS.yara#L1-L98" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_b7534c9e905256aaf80f04b746a92c50689437b288f7e393ef13fde1740c4a4e" + logic_hash = "b7534c9e905256aaf80f04b746a92c50689437b288f7e393ef13fde1740c4a4e" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56792,13 +56792,13 @@ rule REVERSINGLABS_Win32_Virus_Elerad : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Elerad virus." author = "ReversingLabs" - id = "de786e90-72b0-5eed-a379-f685388f96f4" + id = "0307a136-ea2c-584c-bfda-f41e2c46fd09" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Elerad.yara#L3-L33" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_930594bf99daf55ef02542ce7b393c1c23ead75946b3da3b555102a2e7142e33" + logic_hash = "930594bf99daf55ef02542ce7b393c1c23ead75946b3da3b555102a2e7142e33" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56830,13 +56830,13 @@ rule REVERSINGLABS_Win32_Virus_Mocket : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Mocket virus." author = "ReversingLabs" - id = "d0ef9e50-0964-5811-98df-e2698b7aed0b" + id = "878c2162-9a79-52e6-af7b-95f9667f9e78" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Mocket.yara#L3-L58" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_af16974396efe7a1a46aa39b812482dcc49d0fe95db6640c1703db479e7ea9dc" + logic_hash = "af16974396efe7a1a46aa39b812482dcc49d0fe95db6640c1703db479e7ea9dc" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -56892,13 +56892,13 @@ rule REVERSINGLABS_Win32_Virus_Greenp : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Greenp virus." author = "ReversingLabs" - id = "9082ed95-7709-50f3-ac8d-e83588f916b9" + id = "5751e91c-652b-59bd-93b8-ece677ad4911" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Greenp.yara#L3-L46" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_ca6df34ee2ad9d93e35b0d1a2d4765f681f3981ffe2786bbc822c3090212fd02" + logic_hash = "ca6df34ee2ad9d93e35b0d1a2d4765f681f3981ffe2786bbc822c3090212fd02" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -56943,13 +56943,13 @@ rule REVERSINGLABS_Win32_Virus_Cmay : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Cmay virus." author = "ReversingLabs" - id = "e8597e05-e609-5061-8b7a-5baff08ba291" + id = "d61e09f1-1d3f-5e1e-9884-25f1a465e88d" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Cmay.yara#L3-L73" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_f3bdf772eb80c632a913621732d12ae4a02bc7d3ba41f51711aa329be2ca6220" + logic_hash = "f3bdf772eb80c632a913621732d12ae4a02bc7d3ba41f51711aa329be2ca6220" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57019,14 +57019,14 @@ rule REVERSINGLABS_Linux_Virus_Vit : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Vit virus." author = "ReversingLabs" - id = "744a8269-5855-5222-ad8f-525c5d0534e6" - date = "2024-12-22" - date = "2024-12-22" + id = "4515fe43-4c5a-521d-82b7-273823f0c64e" + date = "2024-12-23" + date = "2024-12-23" modified = "2023-06-07" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Linux.Virus.Vit.yara#L3-L36" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_2fba7a081dfca85aee5c7f3b33414b799ed52ca6aa5bbf031da040aaa75acde9" + logic_hash = "2fba7a081dfca85aee5c7f3b33414b799ed52ca6aa5bbf031da040aaa75acde9" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
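Review bot: The REVERSINGLABS_Linux_Virus_Vit hunk on the new side carries `date` twice, both set to `"2024-12-23"`, while `modified` stays `"2023-06-07"`, so the key is duplicated and the rule's stated creation date is later than its modification date; the second `date = "2024-12-23"` line should be dropped, or the retrieval date kept under its own key, so that `date` predates `modified`. Every hunk in this chunk also replaces the rule `id` with a fresh UUID while only stripping the `v1_sha256_` prefix from an otherwise unchanged `logic_hash`; the third group of each id starts with `5`, which suggests name-based UUIDs, so the wholesale churn presumably means the derivation input changed (possibly the hash format) and is worth confirming, because an `id` that does not survive re-import cannot be used as a stable handle for suppressions or triage notes. The header block in the Elastic section indicates this file is generated from upstream repositories, so both fixes belong in the importer rather than in this file.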
@@ -57059,13 +57059,13 @@ rule REVERSINGLABS_Win32_Virus_Deadcode : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects DeadCode virus." author = "ReversingLabs" - id = "56101239-8d9d-519a-9548-2751b7c54e0f" + id = "89ec2e39-a163-5ba6-9b19-9c94b1923d47" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.DeadCode.yara#L3-L76" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_6ac2e48daaed222f0a19afd4d03a02834705e0e3762db3217f68569554171846" + logic_hash = "6ac2e48daaed222f0a19afd4d03a02834705e0e3762db3217f68569554171846" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57132,13 +57132,13 @@ rule REVERSINGLABS_Win32_Virus_Negt : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Negt virus." author = "ReversingLabs" - id = "cf1c0932-76f9-5725-bbe4-37a56fba372b" + id = "80e83105-dd98-5fad-9119-f851ec3199af" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Negt.yara#L3-L94" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_43057ef111fc505678606386c8d428653da391f4b65844d81479ca05e3517346" + logic_hash = "43057ef111fc505678606386c8d428653da391f4b65844d81479ca05e3517346" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" 
@@ -57225,13 +57225,13 @@ rule REVERSINGLABS_Win32_Virus_Awfull : TC_DETECTION MALICIOUS MALWARE FILE meta: description = "Yara rule that detects Awfull virus." author = "ReversingLabs" - id = "5effb5c5-8574-5d88-a9f2-97bea792460c" + id = "34104923-b401-5d39-883b-aa9a5a8e64f3" date = "2020-07-15" modified = "2020-07-15" reference = "ReversingLabs" source_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/yara/virus/Win32.Virus.Awfull.yara#L3-L33" license_url = "https://github.com/reversinglabs/reversinglabs-yara-rules//blob/9bcb61c86aa4583e393269828225349a81ea08a4/LICENSE" - logic_hash = "v1_sha256_84a4faee4cbbb3387ad25bd9230c6482b8db461bc008312bc782f23e3df2eae3" + logic_hash = "84a4faee4cbbb3387ad25bd9230c6482b8db461bc008312bc782f23e3df2eae3" score = 75 quality = 90 tags = "TC_DETECTION, MALICIOUS, MALWARE, FILE" @@ -57260,7 +57260,7 @@ rule REVERSINGLABS_Win32_Virus_Awfull : TC_DETECTION MALICIOUS MALWARE FILE * YARA Rule Set * Repository Name: Elastic * Repository: https://github.com/elastic/protections-artifacts/ - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: c6eb0081d3784ad249bb8c3aa419fbfe54263215 * Number of Rules: 1848 * Skipped: 0 (age), 7 (quality), 0 (score), 0 (importance) @@ -57375,7 +57375,7 @@ rule ELASTIC_Windows_Trojan_Warmcookie_7D32Fa90 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_WarmCookie.yar#L1-L32" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ccde1ded028948f5cd3277d2d4af6b22fa33f53abde84ea2aa01f1872fad1d13" - logic_hash = "v1_sha256_ed3be6e5c6127ef87f9ef6fe35b17815b96706e8e73a393ee9b0a8e3b0cd8f66" + logic_hash = "ed3be6e5c6127ef87f9ef6fe35b17815b96706e8e73a393ee9b0a8e3b0cd8f66" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57416,7 +57416,7 @@ rule ELASTIC_Windows_Trojan_Warmcookie_E8Cd480D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_WarmCookie.yar#L34-L57" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f4d2c9470b322af29b9188a3a590cbe85bacb9cc8fcd7c2e94d82271ded3f659" - logic_hash = "v1_sha256_addbc2e454771592a0ce6e92784ceec3f9c061f2798fe7450ac750cda5734d36" + logic_hash = "addbc2e454771592a0ce6e92784ceec3f9c061f2798fe7450ac750cda5734d36" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57449,7 +57449,7 @@ rule ELASTIC_Linux_Trojan_Truncpx_894D60F8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Truncpx.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2f09f2884fd5d3f5193bfc392656005bce6b935c12b3049ac8eb96862e4645ba" - logic_hash = "v1_sha256_9bc0a7fbddac532b53c72681f349bca0370b1fe6fb2d16f539560085b3ec4be3" + logic_hash = "9bc0a7fbddac532b53c72681f349bca0370b1fe6fb2d16f539560085b3ec4be3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57478,7 +57478,7 @@ rule ELASTIC_Windows_Trojan_Blackshades_9D095C44 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BlackShades.yar#L1-L26" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e58e352edaa8ae7f95ab840c53fcaf7f14eb640df9223475304788533713c722" - logic_hash = "v1_sha256_2a2e6325d3de9289cc8bc26e1fe89a8fa81d9aae50b92ba2cf21c4cc6556ac9e" + logic_hash = "2a2e6325d3de9289cc8bc26e1fe89a8fa81d9aae50b92ba2cf21c4cc6556ac9e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57514,7 +57514,7 @@ rule ELASTIC_Windows_Trojan_Blackshades_Be382Dac : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BlackShades.yar#L28-L46" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e58e352edaa8ae7f95ab840c53fcaf7f14eb640df9223475304788533713c722" - logic_hash = "v1_sha256_a13e37e7930d2d1ed1aa4fdeb282f11bfeb7fe008625589e2bfeab0beea43580" + logic_hash = "a13e37e7930d2d1ed1aa4fdeb282f11bfeb7fe008625589e2bfeab0beea43580" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57543,7 +57543,7 @@ rule ELASTIC_Windows_Exploit_Generic_E95Cc41C : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_Generic.yar#L1-L32" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4cce9e39c376f67c16df3bcd69efd9b7472c3b478e2e5ef347e1410f1105c38d" - logic_hash = "v1_sha256_9b620988a6ee84ed0cbb0fb0a3cca633fffc8e6369ed45455e9e1e6c021ea461" + logic_hash = "9b620988a6ee84ed0cbb0fb0a3cca633fffc8e6369ed45455e9e1e6c021ea461" score = 75 quality = 75 tags = "FILE" @@ -57585,7 +57585,7 @@ rule ELASTIC_Windows_Exploit_Generic_008359Cf : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_Generic.yar#L34-L57" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "73225a3a54560965f4c4fae73f7ee234e31217bc06ff8ba1d0b36ebab5e76a87" - logic_hash = "v1_sha256_9514241b5573c8d01ccd012195e29aefc3ef8a12eb982e6dd9ec66b00c064bd8" + logic_hash = "9514241b5573c8d01ccd012195e29aefc3ef8a12eb982e6dd9ec66b00c064bd8" score = 75 quality = 75 tags = "FILE" 
@@ -57619,7 +57619,7 @@ rule ELASTIC_Windows_Exploit_Generic_8C54846D : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_Generic.yar#L59-L87" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b6ea4815a38e606d4a2d6e6d711e610afec084db6899b7d6fc874491dd939495" - logic_hash = "v1_sha256_0662c8edb449e15b16be3e53a88cf62af46b4a656c1a49b399e131c2ad71b55a" + logic_hash = "0662c8edb449e15b16be3e53a88cf62af46b4a656c1a49b399e131c2ad71b55a" score = 75 quality = 71 tags = "FILE" @@ -57657,7 +57657,7 @@ rule ELASTIC_Windows_Trojan_Donutloader_F40E3759 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Donutloader.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_541a4ca1da41f7cf54dff3fee917b219fadb60fd93a89b93b5efa3c1a57af81d" + logic_hash = "541a4ca1da41f7cf54dff3fee917b219fadb60fd93a89b93b5efa3c1a57af81d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57686,7 +57686,7 @@ rule ELASTIC_Windows_Trojan_Donutloader_5C38878D : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Donutloader.yar#L21-L38" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_897880d13318027ac5008fe8d008f09780d6fa807d6cc828b57975443358750c" + logic_hash = "897880d13318027ac5008fe8d008f09780d6fa807d6cc828b57975443358750c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57715,7 +57715,7 @@ rule ELASTIC_Windows_Trojan_Donutloader_21E801E0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Donutloader.yar#L40-L58" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c3bda62725bb1047d203575bbe033f0f95d4dd6402c05f9d0c69d24bd3224ca6" - logic_hash = "v1_sha256_19ef7bc8c7117024ca72956376954254c36eeb673f9379aa00475f763084a169" + logic_hash = "19ef7bc8c7117024ca72956376954254c36eeb673f9379aa00475f763084a169" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57743,7 +57743,7 @@ rule ELASTIC_Windows_Trojan_Snakekeylogger_Af3Faa65 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SnakeKeylogger.yar#L1-L32" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_54180a642d40b5366f1b400c347c25dc31397d662d6bb8af33c7d2319c97d3fb" + logic_hash = "54180a642d40b5366f1b400c347c25dc31397d662d6bb8af33c7d2319c97d3fb" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -57786,7 +57786,7 @@ rule ELASTIC_Windows_Hacktool_Seatbelt_674Fd535 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Seatbelt.yar#L1-L26" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a0e467aacd383727d46e766f1c45b424a6d46248118c155c22c538e8773b3ae7" - logic_hash = "v1_sha256_1bff820ec5cc9e56e7be4b290a48628115cc1ace5e41278fa76898bf39ef893e" + logic_hash = "1bff820ec5cc9e56e7be4b290a48628115cc1ace5e41278fa76898bf39ef893e" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -57822,7 +57822,7 @@ rule ELASTIC_Linux_Trojan_Subsevux_E9E80C1E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Subsevux.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a4ccd399ea99d4e31fbf2bbf8017c5368d29e630dc2985e90f07c10c980fa084" - logic_hash = "v1_sha256_8bc38f26da5a3350cbae3e93b890220bb461ff77e83993a842f68db8f757e435" + logic_hash = "8bc38f26da5a3350cbae3e93b890220bb461ff77e83993a842f68db8f757e435" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57851,7 +57851,7 @@ rule ELASTIC_Windows_Trojan_Darkcloud_9905Abce : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DarkCloud.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "500cb8459c19acd5a1144c4b509c14dbddec74ad623896bfe946fde1cd99a571" - logic_hash = "v1_sha256_27d3841d6acf87f5c9c03d643c7859d9eaf42e49ed0241b761f858c669c4e931" + logic_hash = "27d3841d6acf87f5c9c03d643c7859d9eaf42e49ed0241b761f858c669c4e931" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57881,7 +57881,7 @@ rule ELASTIC_Windows_Trojan_Nanocore_D8C4E3C5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Nanocore.yar#L1-L29" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd" - logic_hash = "v1_sha256_fcc13e834cd8a1f86b453fe3c0333cd358e129d6838a339a824f1a095d85552d" + logic_hash = "fcc13e834cd8a1f86b453fe3c0333cd358e129d6838a339a824f1a095d85552d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -57920,7 +57920,7 @@ rule ELASTIC_Linux_Trojan_Hiddad_E35Bff7B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Hiddad.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "22a418e660b5a7a2e0cc1c1f3fe1d150831d75c4fedeed9817a221194522efcf" - logic_hash = "v1_sha256_3881222807585dc933cb61473751d13297fa7eb085a50d435d3b680354a35ee9" + logic_hash = "3881222807585dc933cb61473751d13297fa7eb085a50d435d3b680354a35ee9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57949,7 +57949,7 @@ rule ELASTIC_Linux_Ransomware_Erebus_Ead4F55B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Erebus.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6558330f07a7c90c40006346ed09e859b588d031193f8a9679fe11a85c8ccb37" - logic_hash = "v1_sha256_82e81577372298623ee3ed3583bb18b2c0cfff30abbacf2909e7efca35c83bd7" + logic_hash = "82e81577372298623ee3ed3583bb18b2c0cfff30abbacf2909e7efca35c83bd7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -57980,7 +57980,7 @@ rule ELASTIC_Windows_Vulndriver_Echodrv_D17Ff31C : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_EchoDrv.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9" - logic_hash = "v1_sha256_0b2eb3c5da8703749ee63662495d6e8738ccdc353f3ac3df48e25a77312c0da0" + logic_hash = "0b2eb3c5da8703749ee63662495d6e8738ccdc353f3ac3df48e25a77312c0da0" score = 75 quality = 75 tags = "FILE" 
@@ -58009,7 +58009,7 @@ rule ELASTIC_Windows_Trojan_Deimos_F53Aee03 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Deimos.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e" - logic_hash = "v1_sha256_07675844a8790f8485b6545e7466cdef8ac4f92dec4cd8289aeaad2a0a448691" + logic_hash = "07675844a8790f8485b6545e7466cdef8ac4f92dec4cd8289aeaad2a0a448691" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58040,7 +58040,7 @@ rule ELASTIC_Windows_Trojan_Deimos_C70677B4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Deimos.yar#L24-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2c1941847f660a99bbc6de16b00e563f70d900f9dbc40c6734871993961d3d3e" - logic_hash = "v1_sha256_c969221f025b114b9d5738d43b6021ab9481dbc6b35eb129ea4f806160b1adc3" + logic_hash = "c969221f025b114b9d5738d43b6021ab9481dbc6b35eb129ea4f806160b1adc3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58069,7 +58069,7 @@ rule ELASTIC_Macos_Infostealer_Mdquerypassw_6125F987 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Infostealer_MdQueryPassw.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_72e0c1a7507733157f93e2bff82e6ec10d50986020eeeb27a02aba5cd8c78a81" + logic_hash = "72e0c1a7507733157f93e2bff82e6ec10d50986020eeeb27a02aba5cd8c78a81" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -58099,7 +58099,7 @@ rule ELASTIC_Linux_Trojan_Rooter_C8D08D3A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rooter.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f55e3aa4d875d8322cdd7caa17aa56e620473fe73c9b5ae0e18da5fbc602a6ba" - logic_hash = "v1_sha256_c91f3112cc61acec08ab3cd59bab2ae833ba0d8ac565ffb26a46982f38af0e71" + logic_hash = "c91f3112cc61acec08ab3cd59bab2ae833ba0d8ac565ffb26a46982f38af0e71" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58128,7 +58128,7 @@ rule ELASTIC_Linux_Trojan_Shark_B918Ab75 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Shark.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8b6fe9f496996784e42b75fb42702aa47aefe32eac6f63dd16a0eb55358b6054" - logic_hash = "v1_sha256_16302c29f2ae4109b8679933eb7fd9ef9306b0c215f20e8fff992b0b848974a9" + logic_hash = "16302c29f2ae4109b8679933eb7fd9ef9306b0c215f20e8fff992b0b848974a9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58157,7 +58157,7 @@ rule ELASTIC_Windows_Vulndriver_Procexp_Aeb4E5C0 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_ProcExp.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c" - logic_hash = "v1_sha256_827bb2efb6d3442233f81e87a42a3f5ee5caaeadc459070c6d347c6515866c93" + logic_hash = "827bb2efb6d3442233f81e87a42a3f5ee5caaeadc459070c6d347c6515866c93" score = 75 quality = 75 tags = "FILE" 
@@ -58188,7 +58188,7 @@ rule ELASTIC_Windows_Trojan_Servhelper_F4Dee200 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_ServHelper.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "05d183430a7afe16a3857fc4e87568fcc18518e108823c37eabf0514660aa17c" - logic_hash = "v1_sha256_abab541ebddf36c05e351d506d4f978a30d8a44ff09233a667d62a1692dabe15" + logic_hash = "abab541ebddf36c05e351d506d4f978a30d8a44ff09233a667d62a1692dabe15" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58218,7 +58218,7 @@ rule ELASTIC_Windows_Trojan_Servhelper_370C5287 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_ServHelper.yar#L22-L40" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "05d183430a7afe16a3857fc4e87568fcc18518e108823c37eabf0514660aa17c" - logic_hash = "v1_sha256_8a2934c28efef6a5fed26dc88d074aee15b0869370c66f6a4d6eaedf070eaa9e" + logic_hash = "8a2934c28efef6a5fed26dc88d074aee15b0869370c66f6a4d6eaedf070eaa9e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58247,7 +58247,7 @@ rule ELASTIC_Linux_Exploit_CVE_2018_10561_0F246E33 : FILE MEMORY CVE_2018_10561 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2018_10561.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "eac08c105495e6fadd8651d2e9e650b6feba601ec78f537b17fb0e73f2973a1c" - logic_hash = "v1_sha256_2c3785ddfded7128e983f3ec17a9f77c856d903f07e325b08f9f463950576ebe" + logic_hash = "2c3785ddfded7128e983f3ec17a9f77c856d903f07e325b08f9f463950576ebe" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2018-10561" @@ -58275,7 +58275,7 @@ rule ELASTIC_Windows_Ransomware_Thanos_C3522Fd0 : BETA FILE MEMORY reference = "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Thanos.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_00d28aafd242308ad6561547ed8c80dad3086859dacab09ffdd43d436bf9ec52" + logic_hash = "00d28aafd242308ad6561547ed8c80dad3086859dacab09ffdd43d436bf9ec52" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -58306,7 +58306,7 @@ rule ELASTIC_Windows_Ransomware_Thanos_A6C09942 : BETA FILE MEMORY reference = "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Thanos.yar#L24-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_cecdeb21e041c90769b8fd8431fa87943461c1f7faa5ad15918524b91ba5c792" + logic_hash = "cecdeb21e041c90769b8fd8431fa87943461c1f7faa5ad15918524b91ba5c792" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -58336,7 +58336,7 @@ rule ELASTIC_Windows_Ransomware_Thanos_E19Feca1 : BETA FILE MEMORY reference = "https://labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Thanos.yar#L46-L77" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_1f5a69b6749e887a5576843abb83388d5364e47601cf11fcac594008ace8e973" + logic_hash = "1f5a69b6749e887a5576843abb83388d5364e47601cf11fcac594008ace8e973" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -58378,7 +58378,7 @@ rule ELASTIC_Windows_Hacktool_Godpotato_5F1Aad81 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_GodPotato.yar#L1-L28" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "00171bb6e9e4a9b8601e988a8c4ac6f5413e31e1b6d86d24b0b53520cd02184c" - logic_hash = "v1_sha256_3028c84a616d47b37b4ef2d41d35ccef5121c06aa042096bca8ea53b528a1eb9" + logic_hash = "3028c84a616d47b37b4ef2d41d35ccef5121c06aa042096bca8ea53b528a1eb9" score = 75 quality = 25 tags = "FILE, MEMORY" @@ -58416,7 +58416,7 @@ rule ELASTIC_Windows_Trojan_Xworm_732E6C12 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_XWorm.yar#L1-L25" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bf5ea8d5fd573abb86de0f27e64df194e7f9efbaadd5063dee8ff9c5c3baeaa2" - logic_hash = "v1_sha256_6aa72029eeeb2edd2472bf0db80b9c0ae4033d7d977cbee75ac94414d1cdff7a" + logic_hash = "6aa72029eeeb2edd2472bf0db80b9c0ae4033d7d977cbee75ac94414d1cdff7a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58451,7 +58451,7 @@ rule ELASTIC_Windows_Trojan_Xworm_B7D6Eaa8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_XWorm.yar#L27-L50" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6fc4ff3f025545f7e092408b035066c1138253b972a2e9ef178e871d36f03acd" - logic_hash = "v1_sha256_6a9da68dd1475974e71043a0e5a51d70762473c385d6acef34945019c7016b02" + logic_hash = "6a9da68dd1475974e71043a0e5a51d70762473c385d6acef34945019c7016b02" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58485,7 +58485,7 @@ rule ELASTIC_Windows_Trojan_Xworm_7078E1C8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_XWorm.yar#L52-L70" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "034c8a18c15521069af36595357d9c8413a33544af8d3ea5f0ac7d471841e0ec" - logic_hash = "v1_sha256_4c69648e4a68c8c46cf435f4dcac79176a023d8cd7209f9fa6a6b244797c66f3" + logic_hash = "4c69648e4a68c8c46cf435f4dcac79176a023d8cd7209f9fa6a6b244797c66f3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58514,7 +58514,7 @@ rule ELASTIC_Windows_Backdoor_Teamviewer_Df8E7326 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Backdoor_TeamViewer.yar#L1-L25" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "68d9ffb6e00c2694d0d827108d0410d5a66d4f8cf839afddd17c5887b0149350" - logic_hash = "v1_sha256_3d42c76626c76959e450a81001c73d8d47b52789cab324e0cc7af09303c1367d" + logic_hash = "3d42c76626c76959e450a81001c73d8d47b52789cab324e0cc7af09303c1367d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58548,7 +58548,7 @@ rule ELASTIC_Linux_Ransomware_Agenda_4562A654 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Agenda.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "cd27a31e618fe93df37603e5ece3352a91f27671ee73bdc8ce9ad793cad72a0f" - logic_hash = "v1_sha256_9e9adad7640cda1142c31e801d1473e4ddb84574ce1bb1694e40d96850fcb815" + logic_hash = "9e9adad7640cda1142c31e801d1473e4ddb84574ce1bb1694e40d96850fcb815" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58580,7 +58580,7 @@ rule ELASTIC_Macos_Trojan_Kandykorn_A7Bb6944 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_KandyKorn.yar#L1-L29" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "51dd4efcf714e64b4ad472ea556bf1a017f40a193a647b9e28bf356979651077" - logic_hash = "v1_sha256_65decd519dee947894dd684c52d91202ebe5587acfecc0b8b56cd73f2981e387" + logic_hash = "65decd519dee947894dd684c52d91202ebe5587acfecc0b8b56cd73f2981e387" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58618,7 +58618,7 @@ rule ELASTIC_Windows_Trojan_Quasarrat_E52Df647 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Quasarrat.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a58efd253a25cc764d63476931da2ddb305a0328253a810515f6735a6690de1d" - logic_hash = "v1_sha256_41f32e0c9b3b43d10baef10060e064ad860558bcdeb4281a30d30c16615ed21d" + logic_hash = "41f32e0c9b3b43d10baef10060e064ad860558bcdeb4281a30d30c16615ed21d" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -58651,7 +58651,7 @@ rule ELASTIC_Windows_Trojan_Sourshark_F0247Cce : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SourShark.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "07eb88c69437ee6e3ea2fbab5f2fbd8e846125d18c1da7d72bb462e9d083c9fc" - logic_hash = "v1_sha256_0c5d802b5bfc771bdf5df541b18c7ab9de4f420fd3928bfd85b1a71cca2af1bc" + logic_hash = "0c5d802b5bfc771bdf5df541b18c7ab9de4f420fd3928bfd85b1a71cca2af1bc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58682,7 +58682,7 @@ rule ELASTIC_Windows_Trojan_Sourshark_Adee8A17 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SourShark.yar#L23-L41" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "07eb88c69437ee6e3ea2fbab5f2fbd8e846125d18c1da7d72bb462e9d083c9fc" - logic_hash = "v1_sha256_98a4d31849a1828c2154b5032a81580f5dcc8d4a65b96dea3a727e2a82a51666" + logic_hash = "98a4d31849a1828c2154b5032a81580f5dcc8d4a65b96dea3a727e2a82a51666" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58711,7 +58711,7 @@ rule ELASTIC_Windows_Shellcode_Rdi_Edc62A10 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Shellcode_Rdi.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "64485ffc283e981c8b77db5a675c7ba2a04d3effaced522531185aa46eb6a36b" - logic_hash = "v1_sha256_986cb6c28d2d9767a2fd084fdd71edb7a1c36e78ddedf3c562076cf6f5b5afd1" + logic_hash = "986cb6c28d2d9767a2fd084fdd71edb7a1c36e78ddedf3c562076cf6f5b5afd1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58740,7 +58740,7 @@ rule ELASTIC_Windows_Shellcode_Rdi_Eee75D2C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Shellcode_Rdi.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8c4de69e89dcc659d2fff52d695764f1efd7e64e0a80983ce6d0cb9eeddb806c" - logic_hash = "v1_sha256_18cd9be4af210686872610f832ac0ad58a48588a1226fc6093348ceb8371c6b4" + logic_hash = "18cd9be4af210686872610f832ac0ad58a48588a1226fc6093348ceb8371c6b4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58769,7 +58769,7 @@ rule ELASTIC_Linux_Hacktool_Ligolong_027C0134 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_LigoloNG.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "eda6037bda3ccf6bbbaf105be0826669d5c4ac205273fefe103d8c648271de54" - logic_hash = "v1_sha256_a6f3c1f4c044765d841992758f451666e8bf5225e1a9f02925619c99fe8e03cb" + logic_hash = "a6f3c1f4c044765d841992758f451666e8bf5225e1a9f02925619c99fe8e03cb" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58799,7 +58799,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_2Aef46A6 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L1-L18" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_d2c88774eb5227cf2d133644c648ebe5ba40c7e0acb2b432bc6a1a9da10bfb3f" + logic_hash = "d2c88774eb5227cf2d133644c648ebe5ba40c7e0acb2b432bc6a1a9da10bfb3f" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -58828,7 +58828,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_A6572D63 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L20-L38" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2ff33adb421a166895c3816d506a63dff4e1e8fa91f2ac8fb763dc6e8df59d6e" - logic_hash = "v1_sha256_237392fe51c8528cb5ed446facfcd3535b8e1d594d77a542361873bd52426fa7" + logic_hash = "237392fe51c8528cb5ed446facfcd3535b8e1d594d77a542361873bd52426fa7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58856,7 +58856,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_E41143E1 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L40-L57" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_4564bf2019ff5086071ff147c9cf1e16b8627ce5d70cbe8370aecbd518d94b57" + logic_hash = "4564bf2019ff5086071ff147c9cf1e16b8627ce5d70cbe8370aecbd518d94b57" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58885,7 +58885,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_0Eb147Ca : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L59-L77" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "45f25d2ffa2fc2566ed0eab6bdaf6989006315bbbbc591288be39b65abf2410b" - logic_hash = "v1_sha256_b20479af0767e5e8579489b5298648b9cc84b3e0778f58d8dc9deb252d0f4806" + logic_hash = "b20479af0767e5e8579489b5298648b9cc84b3e0778f58d8dc9deb252d0f4806" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58914,7 +58914,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_Ba961Ed2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L79-L97" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "45f25d2ffa2fc2566ed0eab6bdaf6989006315bbbbc591288be39b65abf2410b" - logic_hash = "v1_sha256_5b486c698c9c61dc126be5dbeea862b1f9bb5a6859c02a0fff125a9890147a6b" + logic_hash = "5b486c698c9c61dc126be5dbeea862b1f9bb5a6859c02a0fff125a9890147a6b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -58942,7 +58942,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_2084099A : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L99-L116" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_6674be1438ec290550c9586afda335755279a4aedadde455ffc0b41d1a0e634d" + logic_hash = "6674be1438ec290550c9586afda335755279a4aedadde455ffc0b41d1a0e634d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -58971,7 +58971,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_61C88137 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L118-L136" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "479ef38fa00bb13a3aa8448aa4a4434613c6729975e193eec29fc5047f339111" - logic_hash = "v1_sha256_e999355606ee7389be160ce3e96c6a62d7f9132b95cfec7d9f8b1a670551e6b8" + logic_hash = "e999355606ee7389be160ce3e96c6a62d7f9132b95cfec7d9f8b1a670551e6b8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59000,7 +59000,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_Debb98A1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L138-L156" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "494f549e3dd144e8bcb230dd7b3faa8ff5107d86d9548b21b619a0318e362cad" - logic_hash = "v1_sha256_c2e43818fcf18d34a6a3611aaaafde31d96b41867d15dfdb1dec20203f5907eb" + logic_hash = "c2e43818fcf18d34a6a3611aaaafde31d96b41867d15dfdb1dec20203f5907eb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59029,7 +59029,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_1D6E10Fd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L158-L176" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4c7851316f01ae84ee64165be3ba910ab9b415d7f0e2f5b7e5c5a0eaefa3c287" - logic_hash = "v1_sha256_01ec1af1ca03173e867113c3bec7911990a0c8c2d9f19b5233715a7f7490f5f1" + logic_hash = "01ec1af1ca03173e867113c3bec7911990a0c8c2d9f19b5233715a7f7490f5f1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59058,7 +59058,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_E3Ffbbcc : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L178-L196" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "28b7ddf2548411910af033b41982cdc74efd8a6ef059a54fda1b6cbd59faa8f6" - logic_hash = "v1_sha256_54711c2d3e6d73cf4358ba4a65cb19d996adcfa905c0089a18a61fe841fe9a34" + logic_hash = "54711c2d3e6d73cf4358ba4a65cb19d996adcfa905c0089a18a61fe841fe9a34" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59087,7 +59087,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_30F3B4D4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L198-L216" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "5b15d43d3535965ec9b84334cf9def0e8c3d064ffc022f6890320cd6045175bc" - logic_hash = "v1_sha256_99efc257ff2afb779304451bd9f6f6ce9e88f54954189601ed10e95e2268dd4f" + logic_hash = "99efc257ff2afb779304451bd9f6f6ce9e88f54954189601ed10e95e2268dd4f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59116,7 +59116,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_Ca75589C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L218-L236" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0448c1b2c7c738404ba11ff4b38cdc8f865ccf1e202f6711345da53ce46e7e16" - logic_hash = "v1_sha256_c717e6f85a5b30514803ba43c85d82e2aaa4533b7f74db5345df83d1cc4c6551" + logic_hash = "c717e6f85a5b30514803ba43c85d82e2aaa4533b7f74db5345df83d1cc4c6551" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59145,7 +59145,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_7909Cdd2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L238-L256" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0a4a5874f43adbe71da88dc0ef124f1bf2f4e70d0b1b5461b2788587445f79d9" - logic_hash = "v1_sha256_4b2557ab78d22ae4f46e5813ba5dc4663cd92b945a1add3155f77d3030ccc92d" + logic_hash = "4b2557ab78d22ae4f46e5813ba5dc4663cd92b945a1add3155f77d3030ccc92d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59174,7 +59174,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_2522D611 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L258-L276" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0c2be53e298c285db8b028f563e97bf1cdced0c4564a34e740289b340db2aac1" - logic_hash = "v1_sha256_59f2552809bc48e16719cb9b4d2a7b99999307803fce031ca39eb24e14b88908" + logic_hash = "59f2552809bc48e16719cb9b4d2a7b99999307803fce031ca39eb24e14b88908" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59203,7 +59203,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_56Bd04D3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L278-L296" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0d2ce3891851808fb36779a348a83bf4aa9de1a2b2684fd0692434682afac5ec" - logic_hash = "v1_sha256_47a33fcd69dd78cbc6c3274aeaa8dddabe119ae65b59077e1807657b8a67fed3" + logic_hash = "47a33fcd69dd78cbc6c3274aeaa8dddabe119ae65b59077e1807657b8a67fed3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59232,7 +59232,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_F412E4B4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L298-L316" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0e3a3f7973f747fcb23c72289116659c7f158c604d937d6ca7302fbab71851e9" - logic_hash = "v1_sha256_b4e1b193e80aa88b91255df3a5f2e45de7f23fdba4a28d3ceb12db63098e70e5" + logic_hash = "b4e1b193e80aa88b91255df3a5f2e45de7f23fdba4a28d3ceb12db63098e70e5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59261,7 +59261,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_71F8E26C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L318-L336" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "13f873f83b84a0d38eb3437102f174f24a0ad3c5a53b83f0ee51c62c29fb1465" - logic_hash = "v1_sha256_f9f2f22acd4f52cc313e3ecf425604651e0b8c78e33480d4d05bae5b8c9661fb" + logic_hash = "f9f2f22acd4f52cc313e3ecf425604651e0b8c78e33480d4d05bae5b8c9661fb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59290,7 +59290,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_1A562D3B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L338-L356" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "15731db615b32c49c34f41fe84944eeaf2fc79dafaaa9ad6bf1b07d26482f055" - logic_hash = "v1_sha256_8d3b369bdcecd675f99cedf26dba202256555be0f5feae612404f9b5e109fa93" + logic_hash = "8d3b369bdcecd675f99cedf26dba202256555be0f5feae612404f9b5e109fa93" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59319,7 +59319,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_410256Ac : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L358-L376" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "15f44e10ece90dec1a6104d5be1effefa17614d9f0cfb2784305dab85367b741" - logic_hash = "v1_sha256_88227af6d2f365b761961bdf4b94bed81bca79e23d546e69900faa17c3e4dc71" + logic_hash = "88227af6d2f365b761961bdf4b94bed81bca79e23d546e69900faa17c3e4dc71" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59348,7 +59348,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_93Fa87F1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L378-L396" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "165b4a28fd6335d4e4dfefb6c40f41f16d8c7d9ab0941ccd23e36cda931f715e" - logic_hash = "v1_sha256_2a1e797d4dd2599b5c67e73e3c909a1803e604edf0b6ba228713ee375ccc9b16" + logic_hash = "2a1e797d4dd2599b5c67e73e3c909a1803e604edf0b6ba228713ee375ccc9b16" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59377,7 +59377,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_8677Dca3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L398-L416" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "23813dc4aa56683e1426e5823adc3aab854469c9c0f3ec1a3fad40fa906929f2" - logic_hash = "v1_sha256_9902758dfb61e8b60b281f3f51cda8a10d58eb0cc20743f97998d7bcf120c299" + logic_hash = "9902758dfb61e8b60b281f3f51cda8a10d58eb0cc20743f97998d7bcf120c299" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59406,7 +59406,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_Ebce4304 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L418-L436" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2e06caf864595f2df7f6936bb1ccaa1e0cae325aee8659ee283b2857e6ef1e5b" - logic_hash = "v1_sha256_42fbfc2c2636c2e3a5da5e51c6bf99f6114ec7d00b88371a34e1fdbe81d1264a" + logic_hash = "42fbfc2c2636c2e3a5da5e51c6bf99f6114ec7d00b88371a34e1fdbe81d1264a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59435,7 +59435,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_073E6161 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L438-L456" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2e06caf864595f2df7f6936bb1ccaa1e0cae325aee8659ee283b2857e6ef1e5b" - logic_hash = "v1_sha256_2c98058add77c55ab68491eec041d7670f726a9ec93258ae7bb8f0e6721b4ca3" + logic_hash = "2c98058add77c55ab68491eec041d7670f726a9ec93258ae7bb8f0e6721b4ca3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59464,7 +59464,7 @@ rule ELASTIC_Linux_Trojan_Xorddos_Bef22375 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xorddos.yar#L458-L476" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f47baf48deb71910716beab9da1b1e24dc6de9575963e238735b6bcedfe73122" - logic_hash = "v1_sha256_3991ebdb310338516d5fdd137ba2ac63dc870337785a31d59dcad49135f190e5" + logic_hash = "3991ebdb310338516d5fdd137ba2ac63dc870337785a31d59dcad49135f190e5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59493,7 +59493,7 @@ rule ELASTIC_Windows_Trojan_Dodgebox_095012D2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DodgeBox.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db" - logic_hash = "v1_sha256_f1fe9b05deaebaddd83dda0ad98602b49682f8ba767de8c0ffad761d344c5115" + logic_hash = "f1fe9b05deaebaddd83dda0ad98602b49682f8ba767de8c0ffad761d344c5115" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59526,7 +59526,7 @@ rule ELASTIC_Windows_Trojan_Systembc_5E883723 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SystemBC.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b432805eb6b2b58dd957481aa8a973be58915c26c04630ce395753c6a5196b14" - logic_hash = "v1_sha256_fde2e0b5debd4d26838fb245fdf8e5103ab5aab9feff900cbba00c1950adc61a" + logic_hash = "fde2e0b5debd4d26838fb245fdf8e5103ab5aab9feff900cbba00c1950adc61a" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -59560,7 +59560,7 @@ rule ELASTIC_Windows_Trojan_Systembc_C1B58C2F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SystemBC.yar#L26-L49" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "016fc1db90d9d18fe25ed380606346ef12b886e1db0d80fe58c22da23f6d677d" - logic_hash = "v1_sha256_16ed14dac0c30500c5e91759b0a1b321f3bd53ae6aab1389a685582eba72c222" + logic_hash = "16ed14dac0c30500c5e91759b0a1b321f3bd53ae6aab1389a685582eba72c222" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59594,7 +59594,7 @@ rule ELASTIC_Linux_Trojan_Xhide_7F0A131B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xhide.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0dc35f1a1fe1c59e454cd5645f3a6220b7d85661437253a3e627eed04eca2560" - logic_hash = "v1_sha256_4843042576d1f4f37b5a7cda1b261831030d9145c49b57e9b4c66e2658cc8cf9" + logic_hash = "4843042576d1f4f37b5a7cda1b261831030d9145c49b57e9b4c66e2658cc8cf9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59623,7 +59623,7 @@ rule ELASTIC_Linux_Trojan_Xhide_Cd8489F7 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xhide.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0dc35f1a1fe1c59e454cd5645f3a6220b7d85661437253a3e627eed04eca2560" - logic_hash = "v1_sha256_34924260c811f1796ae37faec922bc21bb312ebb0672042d3ec27855f63ed61e" + logic_hash = "34924260c811f1796ae37faec922bc21bb312ebb0672042d3ec27855f63ed61e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59652,7 +59652,7 @@ rule ELASTIC_Linux_Trojan_Xhide_840B27C7 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xhide.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0dc35f1a1fe1c59e454cd5645f3a6220b7d85661437253a3e627eed04eca2560" - logic_hash = "v1_sha256_6b0bfe69558399af6e0469a31741dcf2eb91fbe3e130267139240d3458eb8a0d" + logic_hash = "6b0bfe69558399af6e0469a31741dcf2eb91fbe3e130267139240d3458eb8a0d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59681,7 +59681,7 @@ rule ELASTIC_Linux_Hacktool_Prochide_7333221A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Prochide.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fad956a6a38abac8a8a0f14cc50f473ec6fc1c9fd204e235b89523183931090b" - logic_hash = "v1_sha256_413f19744240eae0a87d56da1e524e2afa0fe0ec385bd9369218713b13a93495" + logic_hash = "413f19744240eae0a87d56da1e524e2afa0fe0ec385bd9369218713b13a93495" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59710,7 +59710,7 @@ rule ELASTIC_Linux_Trojan_Sfloost_69A5343A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sfloost.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c0cd73db5165671c7bbd9493c34d693d25b845a9a21706081e1bf44bf0312ef9" - logic_hash = "v1_sha256_bd3cd33d02c7ca1d3a0364e5e3e2f968f32da8f087f744232f3cb786da6c7875" + logic_hash = "bd3cd33d02c7ca1d3a0364e5e3e2f968f32da8f087f744232f3cb786da6c7875" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59739,7 +59739,7 @@ rule ELASTIC_Linux_Trojan_Iroffer_53692410 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Iroffer.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e76508141970efb3e4709bcff83772da9b10169c599e13e58432257a7bb2defa" - logic_hash = "v1_sha256_b8aa25fbde4d9ca36656f583e7601118a06e57703862c8b28b273881eef504fe" + logic_hash = "b8aa25fbde4d9ca36656f583e7601118a06e57703862c8b28b273881eef504fe" score = 60 quality = 23 tags = "FILE, MEMORY" @@ -59768,7 +59768,7 @@ rule ELASTIC_Linux_Trojan_Iroffer_013E07De : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Iroffer.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e76508141970efb3e4709bcff83772da9b10169c599e13e58432257a7bb2defa" - logic_hash = "v1_sha256_ce21de61f94d41aa3abb73b9391a4d9c8ddeea75f1a2b36be58111b70a9590fe" + logic_hash = "ce21de61f94d41aa3abb73b9391a4d9c8ddeea75f1a2b36be58111b70a9590fe" score = 60 quality = 25 tags = "FILE, MEMORY" @@ -59797,7 +59797,7 @@ rule ELASTIC_Linux_Trojan_Iroffer_0De95Cab : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Iroffer.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "717bea3902109d1b1d57e57c26b81442c0705af774139cd73105b2994ab89514" - logic_hash = "v1_sha256_adec3e1d3110bcc22262d5f1f2ad14a347616f4a809f29170a9fbb5d1669a4c3" + logic_hash = "adec3e1d3110bcc22262d5f1f2ad14a347616f4a809f29170a9fbb5d1669a4c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -59826,7 +59826,7 @@ rule ELASTIC_Linux_Trojan_Iroffer_711259E4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Iroffer.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e76508141970efb3e4709bcff83772da9b10169c599e13e58432257a7bb2defa" - logic_hash = "v1_sha256_a71dbb979bc1f7671ab9958b6aa502e6ded4ee1c1b026080fd377eb772ebb1d5" + logic_hash = "a71dbb979bc1f7671ab9958b6aa502e6ded4ee1c1b026080fd377eb772ebb1d5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59855,7 +59855,7 @@ rule ELASTIC_Linux_Trojan_Iroffer_7478Ddd9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Iroffer.yar#L81-L99" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "20e1509c23d7ef14b15823e4c56b9a590e70c5b7960a04e94b662fc34152266c" - logic_hash = "v1_sha256_e650ee830b735a11088b628e865cd40a15054437ca05849f2eaa7838eac152e3" + logic_hash = "e650ee830b735a11088b628e865cd40a15054437ca05849f2eaa7838eac152e3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59884,7 +59884,7 @@ rule ELASTIC_Windows_Vulndriver_Lha_F72Bff9A : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Lha.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - logic_hash = "v1_sha256_cea05432b47cf14982bda74476c8c8582068c22fe7dec6468c9756c20412dca2" + logic_hash = "cea05432b47cf14982bda74476c8c8582068c22fe7dec6468c9756c20412dca2" score = 75 quality = 75 tags = "FILE" 
@@ -59914,7 +59914,7 @@ rule ELASTIC_Linux_Worm_Generic_920D273F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Worm_Generic.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "04a65bc73fab91f654d448b2d7f8f15ac782965dcdeec586e20b5c7a8cc42d73" - logic_hash = "v1_sha256_d0ed260857ae3002483ea7ef242b82514caaa95c2700b39dd0a03d39fdde090d" + logic_hash = "d0ed260857ae3002483ea7ef242b82514caaa95c2700b39dd0a03d39fdde090d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -59943,7 +59943,7 @@ rule ELASTIC_Linux_Worm_Generic_98Efcd38 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Worm_Generic.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "87507f5cd73fffdb264d76db9b75f30fe21cc113bcf82c524c5386b5a380d4bb" - logic_hash = "v1_sha256_c1a130d2ef8d09cb28adc4e347cbd1a083c78241752ecf3f935b03d774d00a81" + logic_hash = "c1a130d2ef8d09cb28adc4e347cbd1a083c78241752ecf3f935b03d774d00a81" score = 60 quality = 25 tags = "FILE, MEMORY" @@ -59972,7 +59972,7 @@ rule ELASTIC_Linux_Worm_Generic_Bd64472E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Worm_Generic.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b3334a3b61b1a3fc14763dc3d590100ed5e85a97493c89b499b02b76f7a0a7d0" - logic_hash = "v1_sha256_9a7267a0ebc1073d0b1f81a61b963642cc816b563b43ff4d9508dd8bc195a0e1" + logic_hash = "9a7267a0ebc1073d0b1f81a61b963642cc816b563b43ff4d9508dd8bc195a0e1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60001,7 +60001,7 @@ rule ELASTIC_Linux_Worm_Generic_3Ff8F75B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Worm_Generic.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "991175a96b719982f3a846df4a66161a02225c21b12a879e233e19124e90bd35" - logic_hash = "v1_sha256_798e98f286201f1cda18bf1bf433826cf8a949b584f016b24a684425069d1024" + logic_hash = "798e98f286201f1cda18bf1bf433826cf8a949b584f016b24a684425069d1024" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60030,7 +60030,7 @@ rule ELASTIC_Windows_Vulndriver_Asio_5F9F29Be : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_AsIo.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15" - logic_hash = "v1_sha256_a901d81737c7e6d00e87f0eec758dd063eade59d9883e85e04a33bb18f2f99de" + logic_hash = "a901d81737c7e6d00e87f0eec758dd063eade59d9883e85e04a33bb18f2f99de" score = 75 quality = 75 tags = "FILE" @@ -60058,7 +60058,7 @@ rule ELASTIC_Linux_Trojan_Zpevdo_7F563544 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Zpevdo.yar#L1-L18" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_9cbbb5a9166184cef630d1aba8fec721f676b868d22b1f96ffc1430e98ae974c" + logic_hash = "9cbbb5a9166184cef630d1aba8fec721f676b868d22b1f96ffc1430e98ae974c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60087,7 +60087,7 @@ rule ELASTIC_Linux_Cryptominer_Miancha_646803Ef : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Miancha.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4c7761c9376ed065887dc6ce852491641419eb2d1f393c37ed0a5cb29bd108d4" - logic_hash = "v1_sha256_8fd386c0e7037565e8ab206642cc8c11f05ca727b365b94ffdd991f4bed95556" + logic_hash = "8fd386c0e7037565e8ab206642cc8c11f05ca727b365b94ffdd991f4bed95556" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60116,7 +60116,7 @@ rule ELASTIC_Windows_Trojan_Babble_0D6C9505 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Babble.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fa292bfcf81223bab0f79d4ce08187e37d68960005629df0241ea22f0b95d7a8" - logic_hash = "v1_sha256_e77a2e865e0a13bf2b5445e21d85d21fb0d1f816ac5c315cefda98cbb6cb7cca" + logic_hash = "e77a2e865e0a13bf2b5445e21d85d21fb0d1f816ac5c315cefda98cbb6cb7cca" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60146,7 +60146,7 @@ rule ELASTIC_Windows_Infostealer_Strela_0Dc3E4A1 : MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Infostealer_Strela.yar#L1-L25" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e6991b12e86629b38e178fef129dfda1d454391ffbb236703f8c026d6d55b9a1" - logic_hash = "v1_sha256_ac1b53f2857fd13ba0e33aa94c65f0d5fa22b76d504fff347b3ff0a53f37ee26" + logic_hash = "ac1b53f2857fd13ba0e33aa94c65f0d5fa22b76d504fff347b3ff0a53f37ee26" score = 75 quality = 75 tags = "MEMORY" 
@@ -60181,7 +60181,7 @@ rule ELASTIC_Windows_Virus_Expiro_84E99Ff0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Virus_Expiro.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "47107836ead700bddbe9e8a0c016b5b1443c785442b2addbb50a70445779bad7" - logic_hash = "v1_sha256_ce4847bf5850c1f30dca9603bfbbfbb69339285f096ac469c6d2d4b04f5562b4" + logic_hash = "ce4847bf5850c1f30dca9603bfbbfbb69339285f096ac469c6d2d4b04f5562b4" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60211,7 +60211,7 @@ rule ELASTIC_Windows_Virus_Neshta_2A5A14C8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Virus_Neshta.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f298214764ee9ab690cb4b376d8a7893edcd9c05a3c4e6f3a56010974a130bd7" - logic_hash = "v1_sha256_0b5d0603f4c20a2368f697dd84cfe1790a5d0e5904c76066601c9e3d1b5ed1e1" + logic_hash = "0b5d0603f4c20a2368f697dd84cfe1790a5d0e5904c76066601c9e3d1b5ed1e1" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -60240,7 +60240,7 @@ rule ELASTIC_Windows_Trojan_Powerseal_D63F5E54 : FILE MEMORY reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PowerSeal.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_523dcff68a51ea8fb022066b5f09394e8174d6c157222a08100de30669898057" + logic_hash = "523dcff68a51ea8fb022066b5f09394e8174d6c157222a08100de30669898057" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60271,7 +60271,7 @@ rule ELASTIC_Windows_Trojan_Powerseal_2E50F393 : FILE MEMORY reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PowerSeal.yar#L24-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_3ca1d4568fea7b2e4e9d30ba03662a2c28ee8623d887a0336e27989b5c98b55f" + logic_hash = "3ca1d4568fea7b2e4e9d30ba03662a2c28ee8623d887a0336e27989b5c98b55f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60302,7 +60302,7 @@ rule ELASTIC_Windows_Vulndriver_Powertool_044A8645 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_PowerTool.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c" - logic_hash = "v1_sha256_b21c16cb72d003c505aa0ac4cc21b92513a100bad6870460090994c02cad875a" + logic_hash = "b21c16cb72d003c505aa0ac4cc21b92513a100bad6870460090994c02cad875a" score = 75 quality = 75 tags = "FILE" @@ -60332,7 +60332,7 @@ rule ELASTIC_Windows_Trojan_Icedid_1Cd868A6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "68dce9f214e7691db77a2f03af16a669a3cb655699f31a6c1f5aaede041468ff" - logic_hash = "v1_sha256_4765b2b1d463f09d7e21367c2832b3ad668aa67d8078798a14295b6e6c846c1c" + logic_hash = "4765b2b1d463f09d7e21367c2832b3ad668aa67d8078798a14295b6e6c846c1c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60361,7 +60361,7 @@ rule ELASTIC_Windows_Trojan_Icedid_237E9Fb6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L23-L43" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b21f9afc6443548427bf83b5f93e7a54ac3af306d9d71b8348a6f146b2819457" - logic_hash = "v1_sha256_31479eae077b2d78cb1770eef3b37bec941f35c9ceb329e01dd65a32e785fa74" + logic_hash = "31479eae077b2d78cb1770eef3b37bec941f35c9ceb329e01dd65a32e785fa74" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60390,7 +60390,7 @@ rule ELASTIC_Windows_Trojan_Icedid_F1Ce2F0A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L45-L65" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b21f9afc6443548427bf83b5f93e7a54ac3af306d9d71b8348a6f146b2819457" - logic_hash = "v1_sha256_a1f1824a7208201616dde40bea514dfc2cdf908bd8ed24b9f96c2bcad2c8107f" + logic_hash = "a1f1824a7208201616dde40bea514dfc2cdf908bd8ed24b9f96c2bcad2c8107f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60419,7 +60419,7 @@ rule ELASTIC_Windows_Trojan_Icedid_08530E24 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L67-L99" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "31db92c7920e82e49a968220480e9f130dea9b386083b78a79985b554ecdc6e4" - logic_hash = "v1_sha256_a63511edde9d873e184ddb4720b4752b0e7df4bdb2114b05c16f2ca0594eb6b8" + logic_hash = "a63511edde9d873e184ddb4720b4752b0e7df4bdb2114b05c16f2ca0594eb6b8" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -60461,7 +60461,7 @@ rule ELASTIC_Windows_Trojan_Icedid_11D24D35 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L101-L121" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b8d794f6449669ff2d11bc635490d9efdd1f4e92fcb3be5cdb4b40e4470c0982" - logic_hash = "v1_sha256_4a5d0f37e3e80e370ae79fd45256dbd274ed8f8bcd021e8d6f95a0bc0bc5321f" + logic_hash = "4a5d0f37e3e80e370ae79fd45256dbd274ed8f8bcd021e8d6f95a0bc0bc5321f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60491,7 +60491,7 @@ rule ELASTIC_Windows_Trojan_Icedid_0B62E783 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L123-L142" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a" - logic_hash = "v1_sha256_aca126529dfa8047ed7dfdc60d970759ab5307448d7d764f88e402cd8d2a016f" + logic_hash = "aca126529dfa8047ed7dfdc60d970759ab5307448d7d764f88e402cd8d2a016f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60520,7 +60520,7 @@ rule ELASTIC_Windows_Trojan_Icedid_91562D18 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L144-L163" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a" - logic_hash = "v1_sha256_81c87d0d6726bc2dde42fe93c77af53cdd29bb6437fe3d47d1b4550140722c88" + logic_hash = "81c87d0d6726bc2dde42fe93c77af53cdd29bb6437fe3d47d1b4550140722c88" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60549,7 +60549,7 @@ rule ELASTIC_Windows_Trojan_Icedid_2086Aecb : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L165-L184" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a" - logic_hash = "v1_sha256_561bf7eacfbbf1b4e0c111347f0d6ff4325bdbce8db73bee1ba836b610569c0d" + logic_hash = "561bf7eacfbbf1b4e0c111347f0d6ff4325bdbce8db73bee1ba836b610569c0d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60578,7 +60578,7 @@ rule ELASTIC_Windows_Trojan_Icedid_48029E37 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L186-L205" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b9fb0a4c28613c556fb67a0b0e7c9d4c1236b60a161ad935e7387aec5911413a" - logic_hash = "v1_sha256_1fe337d7a0607938aaf57cf25c1373aadf315b7a8cec133d6d30a38bd58e1027" + logic_hash = "1fe337d7a0607938aaf57cf25c1373aadf315b7a8cec133d6d30a38bd58e1027" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60607,7 +60607,7 @@ rule ELASTIC_Windows_Trojan_Icedid_56459277 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L207-L237" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "21b1a635db2723266af4b46539f67253171399830102167c607c6dbf83d6d41c" - logic_hash = "v1_sha256_a18557217c69a3bb8c3da7725d2e0ed849741f8e36341a4ea80eea09d47a5b45" + logic_hash = "a18557217c69a3bb8c3da7725d2e0ed849741f8e36341a4ea80eea09d47a5b45" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60647,7 +60647,7 @@ rule ELASTIC_Windows_Trojan_Icedid_7C1619E3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L239-L261" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4f6de748628b8b06eeef3a5fabfe486bfd7aaa92f50dc5a8a8c70ec038cd33b1" - logic_hash = "v1_sha256_24ddaf474dabc5e91cce08734a035feced9048a3faac4ff236bc97e6caabd642" + logic_hash = "24ddaf474dabc5e91cce08734a035feced9048a3faac4ff236bc97e6caabd642" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60679,7 +60679,7 @@ rule ELASTIC_Windows_Trojan_Icedid_D8B23Cd6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L263-L294" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bd4da2f84c29437bc7efe9599a3a41f574105d449ac0d9b270faaca8795153ab" - logic_hash = "v1_sha256_47e427a4f088de523115f438cad9fc26233158b0518d87703c282df351110762" + logic_hash = "47e427a4f088de523115f438cad9fc26233158b0518d87703c282df351110762" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60719,7 +60719,7 @@ rule ELASTIC_Windows_Trojan_Icedid_A2Ca5F80 : FILE MEMORY reference = "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L296-L323" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_e36266cd66b9542f2eb9d38f9a01f7b480f2bcdbe61fe20944dca33e22bd3281" + logic_hash = "e36266cd66b9542f2eb9d38f9a01f7b480f2bcdbe61fe20944dca33e22bd3281" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60757,7 +60757,7 @@ rule ELASTIC_Windows_Trojan_Icedid_B8C59889 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L325-L349" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a63d08cd53053bfda17b8707ab3a94cf3d6021097335dc40d5d211fb9faed045" - logic_hash = "v1_sha256_08c6c604d1791c35a8494e5ec8a96e8c5dd2ca3d6c57971da20057ce8960fa1d" + logic_hash = "08c6c604d1791c35a8494e5ec8a96e8c5dd2ca3d6c57971da20057ce8960fa1d" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -60791,7 +60791,7 @@ rule ELASTIC_Windows_Trojan_Icedid_81Eff9A3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_IcedID.yar#L351-L371" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "96dacdf50d1db495c8395d7cf454aa3a824801cf366ac368fe496f89b5f98fe7" - logic_hash = "v1_sha256_923dd8166cce0ec32b3b8b20cad192b3c15b7ce7c17fd44ddda739ad205a6c06" + logic_hash = "923dd8166cce0ec32b3b8b20cad192b3c15b7ce7c17fd44ddda739ad205a6c06" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60821,7 +60821,7 @@ rule ELASTIC_Windows_Ransomware_Hellokitty_8859E8E8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Hellokitty.yar#L1-L32" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3ae7bedf236d4e53a33f3a3e1e80eae2d93e91b1988da2f7fcb8fde5dcc3a0e9" - logic_hash = "v1_sha256_72cc718724d9d9a391a9f7a0932ebf397c2ab79558437533bef6e380b06baff9" + logic_hash = "72cc718724d9d9a391a9f7a0932ebf397c2ab79558437533bef6e380b06baff9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -60863,7 +60863,7 @@ rule ELASTIC_Windows_Ransomware_Hellokitty_4B668121 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Hellokitty.yar#L34-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9a7daafc56300bd94ceef23eac56a0735b63ec6b9a7a409fb5a9b63efe1aa0b0" - logic_hash = "v1_sha256_00c7a492c304f12b9909e35cf069618a1103311a69e3e8951ca196c3c663b12a" + logic_hash = "00c7a492c304f12b9909e35cf069618a1103311a69e3e8951ca196c3c663b12a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60899,7 +60899,7 @@ rule ELASTIC_Windows_Ransomware_Hellokitty_D9391A1A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Hellokitty.yar#L61-L80" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "10887d13dba1f83ef34e047455a04416d25a83079a7f3798ce3483e0526e3768" - logic_hash = "v1_sha256_074ca47c0526d9828f3c07c7d6dbdd1cec609670d70340b022ae2c712ad80305" + logic_hash = "074ca47c0526d9828f3c07c7d6dbdd1cec609670d70340b022ae2c712ad80305" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -60929,7 +60929,7 @@ rule ELASTIC_Windows_Vulndriver_Viragt_5F92F226 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Viragt.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53" - logic_hash = "v1_sha256_e7ade7aec563c1dc602dfd7fda8c063058f47ae2a915959468792fce389b38f1" + logic_hash = "e7ade7aec563c1dc602dfd7fda8c063058f47ae2a915959468792fce389b38f1" score = 75 quality = 75 tags = "FILE" 
@@ -60960,7 +60960,7 @@ rule ELASTIC_Windows_Vulndriver_Viragt_84D508Ad : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Viragt.yar#L23-L43" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - logic_hash = "v1_sha256_a3e1b41155c7dd347976a1057cb763ab60c50c34e981fef050bd54f060a412fc" + logic_hash = "a3e1b41155c7dd347976a1057cb763ab60c50c34e981fef050bd54f060a412fc" score = 75 quality = 75 tags = "FILE" @@ -60991,7 +60991,7 @@ rule ELASTIC_Windows_Ransomware_Cuba_E64A16B1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Cuba.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e" - logic_hash = "v1_sha256_915425ad49f1b9ebde114f92155d5969ec707304403f46d891d014b399165a4d" + logic_hash = "915425ad49f1b9ebde114f92155d5969ec707304403f46d891d014b399165a4d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -61021,7 +61021,7 @@ rule ELASTIC_Windows_Ransomware_Cuba_95A98E69 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Cuba.yar#L23-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "00f18713f860dc8394fb23a1a2b6280d1eb2f20a487c175433a7b495a1ba408d" - logic_hash = "v1_sha256_d17ef93943e826613be4c21ad1e41d1daa33db9da0fa6106bb8ba6334ebe1d08" + logic_hash = "d17ef93943e826613be4c21ad1e41d1daa33db9da0fa6106bb8ba6334ebe1d08" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -61052,7 +61052,7 @@ rule ELASTIC_Multi_Hacktool_Rakshasa_D5D3Ef21 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Hacktool_Rakshasa.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ccfa30a40445d5237aaee1e015ecfcd9bdbe7665a6dc2736b28e5ebf07ec4597"
- logic_hash = "v1_sha256_123cbea0ce02012a9b22a4a241d11aa9acbb58b50a1bd9228da7cadbf0fa1b4e"
+ logic_hash = "123cbea0ce02012a9b22a4a241d11aa9acbb58b50a1bd9228da7cadbf0fa1b4e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61085,7 +61085,7 @@ rule ELASTIC_Windows_Trojan_Sythe_02B2811A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Sythe.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2d54a8ba40cc9a1c74db7a889bc75a38f16ae2d025268aa07851c1948daa1b4d"
- logic_hash = "v1_sha256_ba472b35f583dd4cf125df575129d07de289d6d7dc12ecdcc518ce1eb9f18def"
+ logic_hash = "ba472b35f583dd4cf125df575129d07de289d6d7dc12ecdcc518ce1eb9f18def"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61117,7 +61117,7 @@ rule ELASTIC_Windows_Hacktool_Executeassembly_F41F4Df6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_ExecuteAssembly.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a468ba2ba77aafa2a572c8947d414e74604a7c1c6e68a0b87fbfce4f8854dd61"
- logic_hash = "v1_sha256_ab72dec636a96338e16fd57f2db4bb52e38fe61315b42c2ffe9c4566fc0326d3"
+ logic_hash = "ab72dec636a96338e16fd57f2db4bb52e38fe61315b42c2ffe9c4566fc0326d3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61146,7 +61146,7 @@ rule ELASTIC_Windows_Trojan_Modpipe_12Bc2604 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_ModPipe.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_0a26de1b2fb48d65cde61b60c0eba478da73a3eeaeb785d1b2d6095eccbe34e2"
+ logic_hash = "0a26de1b2fb48d65cde61b60c0eba478da73a3eeaeb785d1b2d6095eccbe34e2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61178,7 +61178,7 @@ rule ELASTIC_Macos_Trojan_Adload_4995469F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Adload.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6464ca7b36197cccf0dac00f21c43f0cb09f900006b1934e2b3667b367114de5"
- logic_hash = "v1_sha256_cceb804a11b93b0e3f491016c47a823d9e6a31294c3ed05d4404601323b30993"
+ logic_hash = "cceb804a11b93b0e3f491016c47a823d9e6a31294c3ed05d4404601323b30993"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61207,7 +61207,7 @@ rule ELASTIC_Macos_Trojan_Adload_9B9F86C7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Adload.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "952e6004ce164ba607ac7fddc1df3d0d6cac07d271d90be02d790c52e49cb73c"
- logic_hash = "v1_sha256_82297db23e036f22c90eee7b2654e84df847eb1c2b1ea4dcf358c48a14819709"
+ logic_hash = "82297db23e036f22c90eee7b2654e84df847eb1c2b1ea4dcf358c48a14819709"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -61236,7 +61236,7 @@ rule ELASTIC_Macos_Trojan_Adload_F6B18A0A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Adload.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "06f38bb811e6a6c38b5e2db708d4063f4aea27fcd193d57c60594f25a86488c8"
- logic_hash = "v1_sha256_20d43fbf0b8155940e2e181f376a7b1979ce248d88dc08409aaa1a916777231c"
+ logic_hash = "20d43fbf0b8155940e2e181f376a7b1979ce248d88dc08409aaa1a916777231c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61265,7 +61265,7 @@ rule ELASTIC_Linux_Trojan_Connectback_Bf194C93 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Connectback.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6784cb86460bddf1226f71f5f5361463cbda487f813d19cd88e8a4a1eb1a417b"
- logic_hash = "v1_sha256_148626e05caee4a2b2542726ea4e4dab074eeab0572a65fdbd32f5d96544daf8"
+ logic_hash = "148626e05caee4a2b2542726ea4e4dab074eeab0572a65fdbd32f5d96544daf8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61294,7 +61294,7 @@ rule ELASTIC_Linux_Exploit_CVE_2014_3153_1C1E02Ad : FILE MEMORY CVE_2014_3153
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2014_3153.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "64b8c61b73f0c0c0bd44ea5c2bcfb7b665fcca219dbe074a4a16ae20cd565812"
- logic_hash = "v1_sha256_42e9de7f306343c4c3e7fd02b414b429faacb837fb2910f98f0c1519da40074c"
+ logic_hash = "42e9de7f306343c4c3e7fd02b414b429faacb837fb2910f98f0c1519da40074c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2014-3153"
@@ -61323,7 +61323,7 @@ rule ELASTIC_Windows_Ransomware_Makop_3Ac2C13C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Makop.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "854226fc4f5388d40cd9e7312797dd63739444d69a67e4126ef60817fa6972ad"
- logic_hash = "v1_sha256_3fa7c506010a87ac97f415db32c21af091dff26fd912a8f9f5bb5e8d43a8da9e"
+ logic_hash = "3fa7c506010a87ac97f415db32c21af091dff26fd912a8f9f5bb5e8d43a8da9e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61352,7 +61352,7 @@ rule ELASTIC_Windows_Ransomware_Makop_3E388338 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Makop.yar#L21-L44"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "854226fc4f5388d40cd9e7312797dd63739444d69a67e4126ef60817fa6972ad"
- logic_hash = "v1_sha256_5a6e5fd725f3d042c0c95b42ad00c93965a49aa6bda6ec5383a239f18d74742e"
+ logic_hash = "5a6e5fd725f3d042c0c95b42ad00c93965a49aa6bda6ec5383a239f18d74742e"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -61386,7 +61386,7 @@ rule ELASTIC_Windows_Trojan_Darkgate_Fa1F1338 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DarkGate.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1fce9ee9254dd0641387cc3b6ea5f6a60f4753132c20ca03ce4eed2aa1042876"
- logic_hash = "v1_sha256_d5447a57fc57af52c263b84522346a3e94a464a698de8be77eab3b56156164f2"
+ logic_hash = "d5447a57fc57af52c263b84522346a3e94a464a698de8be77eab3b56156164f2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61417,7 +61417,7 @@ rule ELASTIC_Windows_Trojan_Darkgate_07Ef6F14 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DarkGate.yar#L23-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1fce9ee9254dd0641387cc3b6ea5f6a60f4753132c20ca03ce4eed2aa1042876"
- logic_hash = "v1_sha256_2820286b362b107fc7fc3ec8f1a004a7d7926a84318f2943f58239f1f7e8f1f0"
+ logic_hash = "2820286b362b107fc7fc3ec8f1a004a7d7926a84318f2943f58239f1f7e8f1f0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61447,7 +61447,7 @@ rule ELASTIC_Windows_Ransomware_Magniber_Ea0140A1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Magniber.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a2448b93d7c50801056052fb429d04bcf94a478a0a012191d60e595fed63eec4"
- logic_hash = "v1_sha256_e2c05e2c92444d7bcb2bf68e97f809072d2ccdc8a171214d2e7a498b20d08f90"
+ logic_hash = "e2c05e2c92444d7bcb2bf68e97f809072d2ccdc8a171214d2e7a498b20d08f90"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61476,7 +61476,7 @@ rule ELASTIC_Windows_Ransomware_Magniber_97D7575B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Magniber.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a2448b93d7c50801056052fb429d04bcf94a478a0a012191d60e595fed63eec4"
- logic_hash = "v1_sha256_9c85f98aaae28e9e90a94d6ce18389467013ea6b569f46f6acaf26a6c7e027fc"
+ logic_hash = "9c85f98aaae28e9e90a94d6ce18389467013ea6b569f46f6acaf26a6c7e027fc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61505,7 +61505,7 @@ rule ELASTIC_Macos_Infostealer_Encodedosascript_Eeb54A7E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Macos_Infostealer_EncodedOsascript.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05"
- logic_hash = "v1_sha256_2f450c9afd92f52cdd8333e39e41b7334a01ddc39371c118260820a878359742"
+ logic_hash = "2f450c9afd92f52cdd8333e39e41b7334a01ddc39371c118260820a878359742"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -61536,7 +61536,7 @@ rule ELASTIC_Linux_Trojan_Xzbackdoor_74E87A9D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_XZBackdoor.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5448850cdc3a7ae41ff53b433c2adbd0ff492515012412ee63a40d2685db3049"
- logic_hash = "v1_sha256_c777171c36d9369ade7bf44c7cc4e5aee16bb4c803431bc480cc0f8ebb2819c0"
+ logic_hash = "c777171c36d9369ade7bf44c7cc4e5aee16bb4c803431bc480cc0f8ebb2819c0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61569,7 +61569,7 @@ rule ELASTIC_Windows_Ransomware_Pandora_Bca8Ce23 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Pandora.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224"
- logic_hash = "v1_sha256_52203c1af994667ba6833defe547e886dd02167e4d76c57711080e3be0473bfc"
+ logic_hash = "52203c1af994667ba6833defe547e886dd02167e4d76c57711080e3be0473bfc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61600,7 +61600,7 @@ rule ELASTIC_Macos_Backdoor_Applejeus_31872Ae2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Backdoor_Applejeus.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55"
- logic_hash = "v1_sha256_1d6f06668a7d048a93e53b294c5ab8ffe4cd610f3bef3fd80f14425ef8a85a29"
+ logic_hash = "1d6f06668a7d048a93e53b294c5ab8ffe4cd610f3bef3fd80f14425ef8a85a29"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61629,7 +61629,7 @@ rule ELASTIC_Windows_Ransomware_Haron_A1C12E7E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Haron.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c"
- logic_hash = "v1_sha256_84df5a13495acee5dc2007cf1d6e1828a832d46fcbad2ca8676643fd47756248"
+ logic_hash = "84df5a13495acee5dc2007cf1d6e1828a832d46fcbad2ca8676643fd47756248"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61659,7 +61659,7 @@ rule ELASTIC_Windows_Ransomware_Haron_23B76Cb7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Haron.yar#L22-L41"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6e6b78a1df17d6718daa857827a2a364b7627d9bfd6672406ad72b276014209c"
- logic_hash = "v1_sha256_e53c92be617444da0057680ee1ac45cbc1f707194281644bececa44e4ebe3580"
+ logic_hash = "e53c92be617444da0057680ee1ac45cbc1f707194281644bececa44e4ebe3580"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61689,7 +61689,7 @@ rule ELASTIC_Windows_Trojan_Oskistealer_A158B1E3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_OskiStealer.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "568cd515c9a3bce7ef21520761b02cbfc95d8884d5b2dc38fc352af92356c694"
- logic_hash = "v1_sha256_0ddbe0b234ed60f5a3fc537cdaebf39f639ee24fd66143c9036a9f4786d4c51b"
+ logic_hash = "0ddbe0b234ed60f5a3fc537cdaebf39f639ee24fd66143c9036a9f4786d4c51b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61722,7 +61722,7 @@ rule ELASTIC_Linux_Exploit_Pulse_2Bea17E8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Pulse.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c29cb4c2d83127cf4731573a7fac531f90f27799857f5e250b9f71362108f559"
- logic_hash = "v1_sha256_bc71efa6cc79171666d89fe3e755411ee8032f56ae5bd73e0de440eee5b718ab"
+ logic_hash = "bc71efa6cc79171666d89fe3e755411ee8032f56ae5bd73e0de440eee5b718ab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61751,7 +61751,7 @@ rule ELASTIC_Linux_Exploit_Pulse_246E6F31 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Pulse.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c29cb4c2d83127cf4731573a7fac531f90f27799857f5e250b9f71362108f559"
- logic_hash = "v1_sha256_f6755f10863b78303899cefcd81f609884fbbf2dffabd9219686ed869f2cc7e3"
+ logic_hash = "f6755f10863b78303899cefcd81f609884fbbf2dffabd9219686ed869f2cc7e3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61779,7 +61779,7 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_6660D29F : BETA FILE MEMORY
 reference = "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_4c12eaa44f82c6f729e51242c9c1836eb1856959c682e2d2e21b975104c197b6"
+ logic_hash = "4c12eaa44f82c6f729e51242c9c1836eb1856959c682e2d2e21b975104c197b6"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -61809,7 +61809,7 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_6Ab188Da : BETA FILE MEMORY
 reference = "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L23-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_429c87d293b7f517a594e8be020cbe7f8302a8b6eb8337f090ca18973aafbde4"
+ logic_hash = "429c87d293b7f517a594e8be020cbe7f8302a8b6eb8337f090ca18973aafbde4"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -61838,7 +61838,7 @@ rule ELASTIC_Windows_Ransomware_Doppelpaymer_4Fb1A155 : BETA FILE MEMORY
 reference = "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Doppelpaymer.yar#L44-L63"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_eb041a836b2bc73312a2f87523d817d5274f3d43d3e5fe6aacfad1399c61a9de"
+ logic_hash = "eb041a836b2bc73312a2f87523d817d5274f3d43d3e5fe6aacfad1399c61a9de"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -61868,7 +61868,7 @@ rule ELASTIC_Windows_Trojan_Limerat_24269A79 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Limerat.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ec781a714d6bc6fac48d59890d9ae594ffd4dbc95710f2da1f1aa3d5b87b9e01"
- logic_hash = "v1_sha256_053a6abe589db23c4b9baed24729c8bcdd9019535fd0d9efc60ab4035c9779f3"
+ logic_hash = "053a6abe589db23c4b9baed24729c8bcdd9019535fd0d9efc60ab4035c9779f3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61896,7 +61896,7 @@ rule ELASTIC_Linux_Trojan_Godlua_Ed8E6228 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Godlua.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_848ef3b198737f080f19c5fa55dfbc31356427398074f9125c65cb532c52ce7a"
+ logic_hash = "848ef3b198737f080f19c5fa55dfbc31356427398074f9125c65cb532c52ce7a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -61924,7 +61924,7 @@ rule ELASTIC_Windows_Ransomware_Egregor_F24023F3 : BETA FILE MEMORY
 reference = "https://www.bankinfosecurity.com/egregor-ransomware-adds-to-data-leak-trend-a-15110"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Egregor.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_5695b44f6ce018a91a99b6c94feae740ff4ac187e232bc9044e51d62d1f42bfa"
+ logic_hash = "5695b44f6ce018a91a99b6c94feae740ff4ac187e232bc9044e51d62d1f42bfa"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -61958,7 +61958,7 @@ rule ELASTIC_Windows_Ransomware_Egregor_4Ec2B90C : BETA FILE MEMORY
 reference = "https://www.bankinfosecurity.com/egregor-ransomware-adds-to-data-leak-trend-a-15110"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Egregor.yar#L27-L48"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8342d92e1486b1289645828e5ee5f1f6f21a0e645dd7cc4eca908ed59c2f1c4c"
+ logic_hash = "8342d92e1486b1289645828e5ee5f1f6f21a0e645dd7cc4eca908ed59c2f1c4c"
 score = 75
 quality = 73
 tags = "BETA, FILE, MEMORY"
@@ -61990,7 +61990,7 @@ rule ELASTIC_Windows_Trojan_Metastealer_F94E2464 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_MetaStealer.yar#L1-L34"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "14ca15c0751207103c38f1a2f8fdc73e5dd3d58772f6e5641e54e0c790ecd132"
- logic_hash = "v1_sha256_bf374bda2ca7c7bcec1ff092bbc9c3fd95c33faa78a6ea105a7b12b8e80a2e23"
+ logic_hash = "bf374bda2ca7c7bcec1ff092bbc9c3fd95c33faa78a6ea105a7b12b8e80a2e23"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62034,7 +62034,7 @@ rule ELASTIC_Windows_Trojan_Metastealer_A07E395C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_MetaStealer.yar#L36-L56"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a"
- logic_hash = "v1_sha256_2464cf1dc5747c93598354329371ea6111c3cbf34a6db83076c9465b867a0e47"
+ logic_hash = "2464cf1dc5747c93598354329371ea6111c3cbf34a6db83076c9465b867a0e47"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -62064,7 +62064,7 @@ rule ELASTIC_Macos_Infostealer_Mdquerysecret_5535Ab96 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Infostealer_MdQuerySecret.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c755e617b9dd41505bb225ea836ecdde8f3f6f9ab7ae79697e6d85190e206c41"
+ logic_hash = "c755e617b9dd41505bb225ea836ecdde8f3f6f9ab7ae79697e6d85190e206c41"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -62094,7 +62094,7 @@ rule ELASTIC_Windows_Generic_Threat_Bc6Ae28D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ce00873eb423c0259c18157a07bf7fd9b07333e528a5b9d48be79194310c9d97"
- logic_hash = "v1_sha256_0ca5ec945858a5238eac048520dea4597f706ad2c96be322d341c84c4ddbce33"
+ logic_hash = "0ca5ec945858a5238eac048520dea4597f706ad2c96be322d341c84c4ddbce33"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62123,7 +62123,7 @@ rule ELASTIC_Windows_Generic_Threat_Ce98C4Bc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L21-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "950e8a29f516ef3cf1a81501e97fbbbedb289ad9fb93352edb563f749378da35"
- logic_hash = "v1_sha256_74914f41c03cb2dcb1dc3175cc76574a0d40b66a1a3854af8f50c9858704b66b"
+ logic_hash = "74914f41c03cb2dcb1dc3175cc76574a0d40b66a1a3854af8f50c9858704b66b"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -62153,7 +62153,7 @@ rule ELASTIC_Windows_Generic_Threat_0Cc1481E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L42-L60"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6ec7781e472a6827c1406a53ed4699407659bd57c33dd4ab51cabfe8ece6f23f"
- logic_hash = "v1_sha256_1a094cf337cb85aa4b7d1d2025571ab0661a7be1fd03d53d8c7370a90385f38c"
+ logic_hash = "1a094cf337cb85aa4b7d1d2025571ab0661a7be1fd03d53d8c7370a90385f38c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62182,7 +62182,7 @@ rule ELASTIC_Windows_Generic_Threat_2507C37C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L62-L80"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "04296258f054a958f0fd013b3c6a3435280b28e9a27541463e6fc9afe30363cc"
- logic_hash = "v1_sha256_8c5ea1290260993ea5140baa4645f3fd0ebb4d43fce0e9a25f8e8948e683aec1"
+ logic_hash = "8c5ea1290260993ea5140baa4645f3fd0ebb4d43fce0e9a25f8e8948e683aec1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62211,7 +62211,7 @@ rule ELASTIC_Windows_Generic_Threat_E052D248 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L82-L100"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ed2bbc0d120665044aacb089d8c99d7c946b54d1b08a078aebbb3b91f593da6e"
- logic_hash = "v1_sha256_1a16ce6d1c6707560425156e625ad19a82315564b3f03adafbcc3e65b0e98a6d"
+ logic_hash = "1a16ce6d1c6707560425156e625ad19a82315564b3f03adafbcc3e65b0e98a6d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62240,7 +62240,7 @@ rule ELASTIC_Windows_Generic_Threat_2Bb7Fbe3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L102-L120"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "65cc8704c0e431589d196eadb0ac8a19151631c8d4ab7375d7cb18f7b763ba7b"
- logic_hash = "v1_sha256_36e1ab766e09e8d06b9179f67a1cb842ba257f140610964a941fb462ed3e803c"
+ logic_hash = "36e1ab766e09e8d06b9179f67a1cb842ba257f140610964a941fb462ed3e803c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62269,7 +62269,7 @@ rule ELASTIC_Windows_Generic_Threat_994F2330 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L122-L140"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0a30cb09c480a2659b6f989ac9fe1bfba1802ae3aad98fa5db7cdd146fee3916"
- logic_hash = "v1_sha256_ace99deae7f5faa22f273ec4fe45ef07f03acd1ae4d9c0f18687ef6cf5b560c2"
+ logic_hash = "ace99deae7f5faa22f273ec4fe45ef07f03acd1ae4d9c0f18687ef6cf5b560c2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62298,7 +62298,7 @@ rule ELASTIC_Windows_Generic_Threat_Bf7Aae24 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L142-L160"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6dfc63894f15fc137e27516f2d2a56514c51f25b41b00583123142cf50645e4e"
- logic_hash = "v1_sha256_b6dfa6f4c46bddd643f2f89f6275404c19fd4ed1bbae561029fffa884e99e167"
+ logic_hash = "b6dfa6f4c46bddd643f2f89f6275404c19fd4ed1bbae561029fffa884e99e167"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62327,7 +62327,7 @@ rule ELASTIC_Windows_Generic_Threat_D542E5A5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L162-L180"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3fc4ae7115e0bfa3fc6b75dcff867e7bf9ade9c7f558f31916359d37d001901b"
- logic_hash = "v1_sha256_3c16c02d4fc6e019f0ab0ff4daad61f59275afd8fb3ee263b1b59876233a686e"
+ logic_hash = "3c16c02d4fc6e019f0ab0ff4daad61f59275afd8fb3ee263b1b59876233a686e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62356,7 +62356,7 @@ rule ELASTIC_Windows_Generic_Threat_8D10790B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L182-L200"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "911535923a5451c10239e20e7130d371e8ee37172e0f14fc8cf224d41f7f4c0f"
- logic_hash = "v1_sha256_84c017abbce1c8702efbe8657e5a857ae222721b0db2260dc814652f4528df26"
+ logic_hash = "84c017abbce1c8702efbe8657e5a857ae222721b0db2260dc814652f4528df26"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62385,7 +62385,7 @@ rule ELASTIC_Windows_Generic_Threat_347F9F54 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L202-L220"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "45a051651ce1edddd33ecef09bb0fbb978adec9044e64f786b13ed81cabf6a3f"
- logic_hash = "v1_sha256_63df388393a45ffec68ba01ae6d7707b6d5277e0162ded6e631c1f76ad76b711"
+ logic_hash = "63df388393a45ffec68ba01ae6d7707b6d5277e0162ded6e631c1f76ad76b711"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62414,7 +62414,7 @@ rule ELASTIC_Windows_Generic_Threat_20469956 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L222-L240"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a1f2923f68f5963499a64bfd0affe0a729f5e7bd6bcccfb9bed1d62831a93c47"
- logic_hash = "v1_sha256_da351bec0039a32bb9de1d8623ab3dc26eb752d30a64e613de96f70e1b1c2463"
+ logic_hash = "da351bec0039a32bb9de1d8623ab3dc26eb752d30a64e613de96f70e1b1c2463"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62443,7 +62443,7 @@ rule ELASTIC_Windows_Generic_Threat_742E8A70 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L242-L260"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "94f7678be47651aa457256375f3e4d362ae681a9524388c97dc9ed34ba881090"
- logic_hash = "v1_sha256_2925eb8da80ef791b5cf7800a9bf9462203ab6aa743bc69f4fd2343e97eaab7c"
+ logic_hash = "2925eb8da80ef791b5cf7800a9bf9462203ab6aa743bc69f4fd2343e97eaab7c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62472,7 +62472,7 @@ rule ELASTIC_Windows_Generic_Threat_79174B5C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L262-L280"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c15118230059e85e7a6b65fe1c0ceee8997a3d4e9f1966c8340017a41e0c254c"
- logic_hash = "v1_sha256_06a2f0613719f1273a6b3f62f248c22b1cab2fe6054904619e3720f3f6c55e2e"
+ logic_hash = "06a2f0613719f1273a6b3f62f248c22b1cab2fe6054904619e3720f3f6c55e2e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62501,7 +62501,7 @@ rule ELASTIC_Windows_Generic_Threat_232B71A9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L282-L300"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1e8b34da2d675af96b34041d4e493e34139fc8779f806dbcf62a6c9c4d9980fe"
- logic_hash = "v1_sha256_c3bef1509c0d0172dbbc7e0e2b5c69e5ec47dc22365d98a914002b53b0f7d918"
+ logic_hash = "c3bef1509c0d0172dbbc7e0e2b5c69e5ec47dc22365d98a914002b53b0f7d918"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -62530,7 +62530,7 @@ rule ELASTIC_Windows_Generic_Threat_D331D190 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L302-L320"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6d869d320d977f83aa3f0e7719967c7e54c1bdae9ae3729668d755ee3397a96f"
- logic_hash = "v1_sha256_901601c892d709fa596c44df1fbe7772a9f20576c71666570713bf96727a809b"
+ logic_hash = "901601c892d709fa596c44df1fbe7772a9f20576c71666570713bf96727a809b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62559,7 +62559,7 @@ rule ELASTIC_Windows_Generic_Threat_24191082 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L322-L340"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4d20878c16d2b401e76d8e7c288cf8ef5aa3c8d4865f440ee6b44d9f3d0cbf33"
-    logic_hash = "v1_sha256_a5ea76032a9c189f923d91cd03deb44bd61868e5ad6081afe63249156cbd8927"
+    logic_hash = "a5ea76032a9c189f923d91cd03deb44bd61868e5ad6081afe63249156cbd8927"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62588,7 +62588,7 @@ rule ELASTIC_Windows_Generic_Threat_Efdb9E81 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L342-L361"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1c3302b14324c9f4e07829f41cd767ec654db18ff330933c6544c46bd19e89dd"
-    logic_hash = "v1_sha256_eae78b07f6c31e3a30ae041a27c67553bb8ea915bc7724583d78832475021955"
+    logic_hash = "eae78b07f6c31e3a30ae041a27c67553bb8ea915bc7724583d78832475021955"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -62618,7 +62618,7 @@ rule ELASTIC_Windows_Generic_Threat_34622A35 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L363-L381"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c021c6adca0ddf38563a13066a652e4d97726175983854674b8dae2f6e59c83f"
-    logic_hash = "v1_sha256_2b49bd5d3a18307a46f44d9dfeea858ddaa6084f86f96b83b874cee7603e1c11"
+    logic_hash = "2b49bd5d3a18307a46f44d9dfeea858ddaa6084f86f96b83b874cee7603e1c11"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62647,7 +62647,7 @@ rule ELASTIC_Windows_Generic_Threat_0Ff403Df : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L383-L401"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b3119dc4cea05bef51d1f373b87d69bcff514f6575d4c92da4b1c557f8d8db8f"
-    logic_hash = "v1_sha256_38bdd9b6f61ab4bb13abc7af94e92151928df95ade061756611218104e7245fd"
+    logic_hash = "38bdd9b6f61ab4bb13abc7af94e92151928df95ade061756611218104e7245fd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62676,7 +62676,7 @@ rule ELASTIC_Windows_Generic_Threat_B1F6F662 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L403-L423"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1b7eaef3cf1bb8021a00df092c829932cccac333990db1c5dac6558a5d906400"
-    logic_hash = "v1_sha256_e52ff1eaee00334e1a07367bf88f3907bb0b13035717683d9d98371b92bc45c0"
+    logic_hash = "e52ff1eaee00334e1a07367bf88f3907bb0b13035717683d9d98371b92bc45c0"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -62707,7 +62707,7 @@ rule ELASTIC_Windows_Generic_Threat_2C80562D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L425-L445"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ee8decf1e8e5a927e3a6c10e88093bb4b7708c3fd542d98d43f1a882c6b0198e"
-    logic_hash = "v1_sha256_07487ae646ac81b94f940c8d3493dbee023bce687297465fe09375f40dff0fb2"
+    logic_hash = "07487ae646ac81b94f940c8d3493dbee023bce687297465fe09375f40dff0fb2"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -62738,7 +62738,7 @@ rule ELASTIC_Windows_Generic_Threat_E96F9E97 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L447-L465"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bfbab69e9fc517bc46ae88afd0603a498a4c77409e83466d05db2797234ea7fc"
-    logic_hash = "v1_sha256_1dcf81b8982425ff74107b899e85e2432f0464554e923f85a7555cda65293b54"
+    logic_hash = "1dcf81b8982425ff74107b899e85e2432f0464554e923f85a7555cda65293b54"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -62767,7 +62767,7 @@ rule ELASTIC_Windows_Generic_Threat_005Fd471 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L467-L487"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "502814ed565a923da15626d46fde8cc7fd422790e32b3cad973ed8ec8602b228"
-    logic_hash = "v1_sha256_10493253a6b2ce3141ee980e0607bdbba72580bb4a076f2f4636e9665ffc6db8"
+    logic_hash = "10493253a6b2ce3141ee980e0607bdbba72580bb4a076f2f4636e9665ffc6db8"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -62798,7 +62798,7 @@ rule ELASTIC_Windows_Generic_Threat_54B0Ec47 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L489-L508"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9c14203069ff6003e7f408bed71e75394de7a6c1451266c59c5639360bf5718c"
-    logic_hash = "v1_sha256_e3d74162a8874fe05042fec98d25b8db50e7f537566fd9f4e40f92bfe868259a"
+    logic_hash = "e3d74162a8874fe05042fec98d25b8db50e7f537566fd9f4e40f92bfe868259a"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -62828,7 +62828,7 @@ rule ELASTIC_Windows_Generic_Threat_Acf6222B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L510-L528"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ce0def96be08193ab96817ce1279e8406746a76cfcf4bf44e394920d7acbcaa6"
-    logic_hash = "v1_sha256_a284b6c163dbc022bd36f19fbc1d7ff70143bee566328ad23e7b8b79abd39e91"
+    logic_hash = "a284b6c163dbc022bd36f19fbc1d7ff70143bee566328ad23e7b8b79abd39e91"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62857,7 +62857,7 @@ rule ELASTIC_Windows_Generic_Threat_5E718A0C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L530-L548"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "430b9369b779208bd3976bd2adc3e63d3f71e5edfea30490e6e93040c1b3bac6"
-    logic_hash = "v1_sha256_45068afeda7abae0fe922a21f8f768b6c74a6e0f8e9e8b1f68c3ddf92940bf9a"
+    logic_hash = "45068afeda7abae0fe922a21f8f768b6c74a6e0f8e9e8b1f68c3ddf92940bf9a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -62886,7 +62886,7 @@ rule ELASTIC_Windows_Generic_Threat_Fac6D993 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L550-L568"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f3e7c88e72cf0c1f4cbee588972fc1434065f7cc9bd95d52379bade1b8520278"
-    logic_hash = "v1_sha256_3486793324dbe43c908432e1956bbbdb870beb4641da46b3786581fd3e78811a"
+    logic_hash = "3486793324dbe43c908432e1956bbbdb870beb4641da46b3786581fd3e78811a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62914,7 +62914,7 @@ rule ELASTIC_Windows_Generic_Threat_E7Eaa4Ca : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L570-L587"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
-    logic_hash = "v1_sha256_600da0c88dc0606e05f60ecd3b9a90469eef8ac7a702ef800c833f7fd17eb13e"
+    logic_hash = "600da0c88dc0606e05f60ecd3b9a90469eef8ac7a702ef800c833f7fd17eb13e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62943,7 +62943,7 @@ rule ELASTIC_Windows_Generic_Threat_97703189 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L589-L607"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "968ba3112c54f3437b9abb6137f633d919d75137d790af074df40a346891cfb5"
-    logic_hash = "v1_sha256_318bc82d49e9a3467ec0e0086aaf1092d2aa7c589b5f16ce6fbb3778eda7ef0b"
+    logic_hash = "318bc82d49e9a3467ec0e0086aaf1092d2aa7c589b5f16ce6fbb3778eda7ef0b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -62972,7 +62972,7 @@ rule ELASTIC_Windows_Generic_Threat_Ca0686E1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L609-L627"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5"
-    logic_hash = "v1_sha256_12b2ff66d1be6e2d27f24489b389b5c84660921e8de41653b2b425077cc87669"
+    logic_hash = "12b2ff66d1be6e2d27f24489b389b5c84660921e8de41653b2b425077cc87669"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63001,7 +63001,7 @@ rule ELASTIC_Windows_Generic_Threat_97C1A260 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L629-L647"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2cc85ebb1ef07948b1ddf1a793809b76ee61d78c07b8bf6e702c9b17346a20f1"
-    logic_hash = "v1_sha256_5bd84cbdd4ba699c9e9d87e684071342b23138538bd83ffea8c524fcee26a59b"
+    logic_hash = "5bd84cbdd4ba699c9e9d87e684071342b23138538bd83ffea8c524fcee26a59b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63030,7 +63030,7 @@ rule ELASTIC_Windows_Generic_Threat_A440F624 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L649-L668"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3564fec3d47dfafc7e9c662654865aed74aedeac7371af8a77e573ea92cbd072"
-    logic_hash = "v1_sha256_23c759a0db5698b28a69232077a6b714f71e8eaa069d2f02a7d3efc48b178a2b"
+    logic_hash = "23c759a0db5698b28a69232077a6b714f71e8eaa069d2f02a7d3efc48b178a2b"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -63060,7 +63060,7 @@ rule ELASTIC_Windows_Generic_Threat_B577C086 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L670-L688"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "27dd61d4d9997738e63e813f8b8ea9d5cf1291eb02d20d1a2ad75ac8aa99459c"
-    logic_hash = "v1_sha256_a7684340171415ee01e855706192cdffcccd6c82362707229b2c1d096f87dfa8"
+    logic_hash = "a7684340171415ee01e855706192cdffcccd6c82362707229b2c1d096f87dfa8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63089,7 +63089,7 @@ rule ELASTIC_Windows_Generic_Threat_62E1F5Fc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L690-L710"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4a692e244a389af0339de8c2d429b541d6d763afb0a2b1bb20bee879330f2f42"
-    logic_hash = "v1_sha256_76e21746ee396f13073b3db1e876246f01cef547d312691dff3dc895ea3a2b82"
+    logic_hash = "76e21746ee396f13073b3db1e876246f01cef547d312691dff3dc895ea3a2b82"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -63120,7 +63120,7 @@ rule ELASTIC_Windows_Generic_Threat_55D6A1Ab : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L712-L731"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ca6ed610479b5aaaf193a2afed8f2ca1e32c0c5550a195d88f689caab60c6fb"
-    logic_hash = "v1_sha256_4f3a0b2e45ae4e6a00f137798b700a0925fa6eb19ea6b871d7eeb565548888ba"
+    logic_hash = "4f3a0b2e45ae4e6a00f137798b700a0925fa6eb19ea6b871d7eeb565548888ba"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -63150,7 +63150,7 @@ rule ELASTIC_Windows_Generic_Threat_F7D3Cdfd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L733-L751"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f9df83d0b0e06884cdb4a02cd2091ee1fadeabb2ea16ca34cbfef4129ede251f"
-    logic_hash = "v1_sha256_23e1008f222eb94a4bd34372834924377e813dc76efa8544b0dcbe7d3e3addde"
+    logic_hash = "23e1008f222eb94a4bd34372834924377e813dc76efa8544b0dcbe7d3e3addde"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63179,7 +63179,7 @@ rule ELASTIC_Windows_Generic_Threat_0350Ed31 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L753-L771"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "008f9352765d1b3360726363e3e179b527a566bc59acecea06bd16eb16b66c5d"
-    logic_hash = "v1_sha256_149dd26466f47b2e7f514bdcc9822470334490da2898840f35fe6b537ce104f6"
+    logic_hash = "149dd26466f47b2e7f514bdcc9822470334490da2898840f35fe6b537ce104f6"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -63208,7 +63208,7 @@ rule ELASTIC_Windows_Generic_Threat_A1Cef0Cd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L773-L791"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "71f519c6bd598e17e1298d247a4ad37b78685ca6fd423d560d397d34d16b7db8"
-    logic_hash = "v1_sha256_2772906e3a8a088e7c6ea1370af5e5bbe2cbae4f49de9b939524e317be8ddde4"
+    logic_hash = "2772906e3a8a088e7c6ea1370af5e5bbe2cbae4f49de9b939524e317be8ddde4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63237,7 +63237,7 @@ rule ELASTIC_Windows_Generic_Threat_E5F4703F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L793-L811"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "362bda1fad3fefce7d173617909d3c1a0a8e234e22caf3215ee7c6cef6b2743b"
-    logic_hash = "v1_sha256_f81476d5e5a9bcb42b32d6ec3d4b620165f2878c50691ecf59ef6f34b6ad9d1b"
+    logic_hash = "f81476d5e5a9bcb42b32d6ec3d4b620165f2878c50691ecf59ef6f34b6ad9d1b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63266,7 +63266,7 @@ rule ELASTIC_Windows_Generic_Threat_8B790Aba : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L813-L832"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ec98bfff01d384bdff6bbbc5e17620b31fa57c662516157fd476ef587b8d239e"
-    logic_hash = "v1_sha256_8a0b2af3d0c95466ca138dfcc3d6f6a702ec92f5cd4f791b1200c79ffd973840"
+    logic_hash = "8a0b2af3d0c95466ca138dfcc3d6f6a702ec92f5cd4f791b1200c79ffd973840"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -63296,7 +63296,7 @@ rule ELASTIC_Windows_Generic_Threat_76A7579F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L834-L852"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "76c73934bcff7e4ee08b068d1e02b8f5c22161262d127de2b4ac2e81d09d84f6"
-    logic_hash = "v1_sha256_08ed2d318e7154195911aaf3705626307b48a54aa195eaa054ec53766d3e198d"
+    logic_hash = "08ed2d318e7154195911aaf3705626307b48a54aa195eaa054ec53766d3e198d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63325,7 +63325,7 @@ rule ELASTIC_Windows_Generic_Threat_3F060B9C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L854-L872"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "32e7a40b13ddbf9fc73bd12c234336b1ae11e2f39476de99ebacd7bbfd22fba0"
-    logic_hash = "v1_sha256_193583f63f22452f96c8372fdc9ef04e2a684f847564a7fe75145ea30d426901"
+    logic_hash = "193583f63f22452f96c8372fdc9ef04e2a684f847564a7fe75145ea30d426901"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63354,7 +63354,7 @@ rule ELASTIC_Windows_Generic_Threat_Dbae6542 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L874-L892"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c73f533f96ed894b9ff717da195083a594673e218ee9a269e360353b9c9a0283"
-    logic_hash = "v1_sha256_673c6b4e6aaa127d45b21d0283437000fbc507a84ecd7a326448869d63759aee"
+    logic_hash = "673c6b4e6aaa127d45b21d0283437000fbc507a84ecd7a326448869d63759aee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63383,7 +63383,7 @@ rule ELASTIC_Windows_Generic_Threat_808F680E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L894-L912"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "df6955522532e365239b94e9d834ff5eeeb354eec3e3672c48be88725849ac1c"
-    logic_hash = "v1_sha256_22d91a87c01b401d4a203fbabb93a9b45fd6d8819125c56d9c427449b06d2f84"
+    logic_hash = "22d91a87c01b401d4a203fbabb93a9b45fd6d8819125c56d9c427449b06d2f84"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63412,7 +63412,7 @@ rule ELASTIC_Windows_Generic_Threat_073909Cf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L914-L932"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "89a6dc518c119b39252889632bd18d9dfdae687f7621310fb14b684d2f85dad8"
-    logic_hash = "v1_sha256_5b42a74010549c884ff85a67b9add6b82a8109a953473cc1439581976f8f545e"
+    logic_hash = "5b42a74010549c884ff85a67b9add6b82a8109a953473cc1439581976f8f545e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63441,7 +63441,7 @@ rule ELASTIC_Windows_Generic_Threat_820Fe9C9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L934-L952"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1102a499b8a863bdbfd978a1d17270990e6b7fe60ce54b9dd17492234aad2f8c"
-    logic_hash = "v1_sha256_81a1359bd5781e1eefb6ae06c6b2ad9e94cc6318c1f81f84c06f0b236b6e84d1"
+    logic_hash = "81a1359bd5781e1eefb6ae06c6b2ad9e94cc6318c1f81f84c06f0b236b6e84d1"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -63470,7 +63470,7 @@ rule ELASTIC_Windows_Generic_Threat_89Efd1B4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L954-L972"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "937c8bc3c89bb9c05b2cb859c4bf0f47020917a309bbadca36236434c8cdc8b9"
-    logic_hash = "v1_sha256_49a7875fd9c31c5c9b593aed75a28fadb586294422b75c7a8eeba2e8ff254753"
+    logic_hash = "49a7875fd9c31c5c9b593aed75a28fadb586294422b75c7a8eeba2e8ff254753"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63499,7 +63499,7 @@ rule ELASTIC_Windows_Generic_Threat_61315534 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L974-L992"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "819447ca71080f083b1061ed6e333bd9ef816abd5b0dd0b5e6a58511ab1ce8b9"
-    logic_hash = "v1_sha256_0fdfe3bb6ebdaac4324a45dac8680f00684d0030419f26f3f72ed002bf5a2a34"
+    logic_hash = "0fdfe3bb6ebdaac4324a45dac8680f00684d0030419f26f3f72ed002bf5a2a34"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63528,7 +63528,7 @@ rule ELASTIC_Windows_Generic_Threat_Eab96Cf2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L994-L1012"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2be8a2c524f1fb2acb2af92bc56eb9377c4e16923a06f5ac2373811041ea7982"
-    logic_hash = "v1_sha256_cc1dfc2c9c5e1fbc6282342dfbf3a6c834fa56fb6fc46569a24fa78535c5845f"
+    logic_hash = "cc1dfc2c9c5e1fbc6282342dfbf3a6c834fa56fb6fc46569a24fa78535c5845f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63557,7 +63557,7 @@ rule ELASTIC_Windows_Generic_Threat_11A56097 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1014-L1033"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "98d538c8f074d831b7a91e549e78f6549db5d2c53a10dbe82209d15d1c2e9b56"
-    logic_hash = "v1_sha256_42f955c079752c787ac70682bc41fa31f3196d30051d7032276a0d4279d59d58"
+    logic_hash = "42f955c079752c787ac70682bc41fa31f3196d30051d7032276a0d4279d59d58"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -63587,7 +63587,7 @@ rule ELASTIC_Windows_Generic_Threat_F3Bef434 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1035-L1053"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "98d538c8f074d831b7a91e549e78f6549db5d2c53a10dbe82209d15d1c2e9b56"
-    logic_hash = "v1_sha256_efba0e1fbe6562a9aeaac23b851c31350e4ac6551e505be4986bddade92ca303"
+    logic_hash = "efba0e1fbe6562a9aeaac23b851c31350e4ac6551e505be4986bddade92ca303"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63616,7 +63616,7 @@ rule ELASTIC_Windows_Generic_Threat_C6F131C5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1055-L1073"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "247314baaaa993b8db9de7ef0e2998030f13b99d6fd0e17ffd59e31a8d17747a"
-    logic_hash = "v1_sha256_5702a77fee0cd564916abdbfedf76d069bb7a5b6de0c4623150991d52dc02e42"
+    logic_hash = "5702a77fee0cd564916abdbfedf76d069bb7a5b6de0c4623150991d52dc02e42"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63645,7 +63645,7 @@ rule ELASTIC_Windows_Generic_Threat_B2A054F8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1075-L1095"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "63d2478a5db820731a48a7ad5a20d7a4deca35c6b865a17de86248bef7a64da7"
-    logic_hash = "v1_sha256_f64b1666f78646322a4c37dc887d8fcfdb275b0bca812e360579cefd9e323c02"
+    logic_hash = "f64b1666f78646322a4c37dc887d8fcfdb275b0bca812e360579cefd9e323c02"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -63676,7 +63676,7 @@ rule ELASTIC_Windows_Generic_Threat_Fcab7E76 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1097-L1115"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "67d7e016e401bd5d435eecaa9e8ead341aed2f373a1179069f53b64bda3f1f56"
-    logic_hash = "v1_sha256_90f50d1227b8e462eaa393690dc2b25601444bf80f2108445a0413bff6bedae8"
+    logic_hash = "90f50d1227b8e462eaa393690dc2b25601444bf80f2108445a0413bff6bedae8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63705,7 +63705,7 @@ rule ELASTIC_Windows_Generic_Threat_90E4F085 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1117-L1137"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1a6a290d98f5957d00756fc55187c78030de7031544a981fd2bb4cfeae732168"
-    logic_hash = "v1_sha256_2afeae6de965ae155914dcedbfe375327a9fca3b42733c23360dd4fddfcc8a3d"
+    logic_hash = "2afeae6de965ae155914dcedbfe375327a9fca3b42733c23360dd4fddfcc8a3d"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -63736,7 +63736,7 @@ rule ELASTIC_Windows_Generic_Threat_04A9C177 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1139-L1157"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0cccdde4dcc8916fb6399c181722eb0da2775d86146ce3cb3fc7f8cf6cd67c29"
-    logic_hash = "v1_sha256_ca7cf71228b1e13ec05c62cd9924ea5089fdf903d8ea4a5151866996ea81e01e"
+    logic_hash = "ca7cf71228b1e13ec05c62cd9924ea5089fdf903d8ea4a5151866996ea81e01e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63765,7 +63765,7 @@ rule ELASTIC_Windows_Generic_Threat_45D1E986 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1159-L1177"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fd159cf2f9bd48b0f6f5958eef8af8feede2bcbbea035a7e56ce1ff72d3f47eb"
-    logic_hash = "v1_sha256_d53a4d189b9a49f9b6477e12bce0d41e62827306d1df79e6494ab67669d84f35"
+    logic_hash = "d53a4d189b9a49f9b6477e12bce0d41e62827306d1df79e6494ab67669d84f35"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63794,7 +63794,7 @@ rule ELASTIC_Windows_Generic_Threat_83C38E63 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1179-L1198"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2121a0e5debcfeedf200d7473030062bc9f5fbd5edfdcd464dfedde272ff1ae7"
-    logic_hash = "v1_sha256_89d4036290a29b372918205bba85698d6343109503766cbb13999b5177fc3152"
+    logic_hash = "89d4036290a29b372918205bba85698d6343109503766cbb13999b5177fc3152"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -63824,7 +63824,7 @@ rule ELASTIC_Windows_Generic_Threat_Bd24Be68 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1200-L1218"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fd159cf2f9bd48b0f6f5958eef8af8feede2bcbbea035a7e56ce1ff72d3f47eb"
-    logic_hash = "v1_sha256_8536593696930d03f1e62586886f0df5438d13fb796b4605df7ad67d9633d5f9"
+    logic_hash = "8536593696930d03f1e62586886f0df5438d13fb796b4605df7ad67d9633d5f9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63853,7 +63853,7 @@ rule ELASTIC_Windows_Generic_Threat_A0C7B402 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1220-L1238"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5814d7712304800d92487b8e1108d20ad7b44f48910b1fb0a99e9b36baa4333a"
-    logic_hash = "v1_sha256_d0aa75debbefb301b9fc46ceca4944ae8c4b009118214a9589440b59089b853e"
+    logic_hash = "d0aa75debbefb301b9fc46ceca4944ae8c4b009118214a9589440b59089b853e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63882,7 +63882,7 @@ rule ELASTIC_Windows_Generic_Threat_42B3E0D7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1240-L1258"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "99ad416b155970fda383a63fe61de2e4d0254e9c9e09564e17938e8e2b49b5b7"
-    logic_hash = "v1_sha256_58b4c667b6d796f4525afeb706394f593d03393e3a48e2a0b7664f121e6a78fe"
+    logic_hash = "58b4c667b6d796f4525afeb706394f593d03393e3a48e2a0b7664f121e6a78fe"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63911,7 +63911,7 @@ rule ELASTIC_Windows_Generic_Threat_66142106 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1260-L1278"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cd164a65fb2a496ad7b54c782f25fbfca0540d46d2c0d6b098d7be516c4ce021"
-    logic_hash = "v1_sha256_bf5d8db3ed6d2abc3158b04e904351250bf17a6d766e31769b3c5a6e534165b0"
+    logic_hash = "bf5d8db3ed6d2abc3158b04e904351250bf17a6d766e31769b3c5a6e534165b0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63940,7 +63940,7 @@ rule ELASTIC_Windows_Generic_Threat_51A1D82B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1280-L1298"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1a7adde856991fa25fac79048461102fba58cda9492d4f5203b817d767a81018"
-    logic_hash = "v1_sha256_2d6b0560e1980deb6aad8e0902d065eeda406506b70bb8bb27c7fa58be9842f8"
+    logic_hash = "2d6b0560e1980deb6aad8e0902d065eeda406506b70bb8bb27c7fa58be9842f8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -63969,7 +63969,7 @@ rule ELASTIC_Windows_Generic_Threat_Dee3B4Bf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1300-L1318"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c7f4b63fa5c7386d6444c0d0428a8fe328446efcef5fda93821f05e86efd2fba"
-    logic_hash = "v1_sha256_cfd7f9250ab44ffe12b62f84ae753032642d9aa2524d88a6d4d989a2afa043a3"
+    logic_hash = "cfd7f9250ab44ffe12b62f84ae753032642d9aa2524d88a6d4d989a2afa043a3"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -63998,7 +63998,7 @@ rule ELASTIC_Windows_Generic_Threat_Fdbcd3F2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1320-L1338"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9258e4fe077be21ad7ae348868f1ac6226f6e9d404c664025006ab4b64222369"
-    logic_hash = "v1_sha256_ca9136ca44a61795cca44ac9bb0494fdc34c08d6578603ba3be3582956f4a98f"
+    logic_hash = "ca9136ca44a61795cca44ac9bb0494fdc34c08d6578603ba3be3582956f4a98f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -64027,7 +64027,7 @@ rule ELASTIC_Windows_Generic_Threat_B7852Ccf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1340-L1360"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5ac70fa959be4ee37c0c56f0dd04061a5fed78fcbde21b8449fc93e44a8c133a"
-    logic_hash = "v1_sha256_4d5c29cceaacfda0c41bcd13cf95e90397b1b6c0c6beeb19b9184f435c8669b9"
+    logic_hash = "4d5c29cceaacfda0c41bcd13cf95e90397b1b6c0c6beeb19b9184f435c8669b9"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -64058,7 +64058,7 @@ rule ELASTIC_Windows_Generic_Threat_C3C8F21A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1362-L1380" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9a102873dd37d08f53dcf6b5dad2555598a954d18fb3090bbf842655c5fded35" - logic_hash = "v1_sha256_b4d2b28fb2c9d46884b0b34f7821151b88891a8d881885c704e0e192cf7fca70" + logic_hash = "b4d2b28fb2c9d46884b0b34f7821151b88891a8d881885c704e0e192cf7fca70" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64087,7 +64087,7 @@ rule ELASTIC_Windows_Generic_Threat_A3D51E0C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1382-L1400" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "18bd25df1025cd04b0642e507b0170bc1a2afba71b2dc4bd5e83cc487860db0d" - logic_hash = "v1_sha256_f128f6a037abb4af2c11605b182852146780be6451b3062a2914bedb5c286843" + logic_hash = "f128f6a037abb4af2c11605b182852146780be6451b3062a2914bedb5c286843" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64116,7 +64116,7 @@ rule ELASTIC_Windows_Generic_Threat_54Ccad4D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1402-L1422" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fe4aad002722d2173dd661b7b34cdb0e3d4d8cd600e4165975c48bf1b135763f" - logic_hash = "v1_sha256_b9fb525be22dd2f235c3ac68688ced5298da45194ad032423689f5a085df6e31" + logic_hash = "b9fb525be22dd2f235c3ac68688ced5298da45194ad032423689f5a085df6e31" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -64147,7 +64147,7 @@ rule ELASTIC_Windows_Generic_Threat_6Ee18020 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1424-L1442" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d58d8f5a7efcb02adac92362d8c608e6d056824641283497b2e1c1f0e2d19b0a" - logic_hash = "v1_sha256_8a08973ae2ddde275e007686fc6eca831c1fb398b7221d5022da10f90da0e44d" + logic_hash = "8a08973ae2ddde275e007686fc6eca831c1fb398b7221d5022da10f90da0e44d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64176,7 +64176,7 @@ rule ELASTIC_Windows_Generic_Threat_8Eb547Db : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1444-L1462" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3fc821b63dfa653b86b11201073997fa4dc273124d050c2a7c267ac789d8a447" - logic_hash = "v1_sha256_73cabad0656c6b347def017b07138fdbdd5b41da5ccf7d701fea764669058f39" + logic_hash = "73cabad0656c6b347def017b07138fdbdd5b41da5ccf7d701fea764669058f39" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64205,7 +64205,7 @@ rule ELASTIC_Windows_Generic_Threat_803Feff4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1464-L1482" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8f150dfb13e4a2ff36231f873e4c0677b5db4aa235d8f0aeb41e02f7e31c1e05" - logic_hash = "v1_sha256_e22b8b208ff104e2843d897c425467f2f0ec0c586c4db578da90aeaef0209e1d" + logic_hash = "e22b8b208ff104e2843d897c425467f2f0ec0c586c4db578da90aeaef0209e1d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64234,7 +64234,7 @@ rule ELASTIC_Windows_Generic_Threat_9C7D2333 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1484-L1502" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "85219f1402c88ab1e69aa99fe4bed75b2ad1918f4e95c448cdc6a4b9d2f9a5d4" - logic_hash = "v1_sha256_561290ebf3ca2a01914f514d63121be930e7a8c06cfc90ff4b8f0c7cef3408fe" + logic_hash = "561290ebf3ca2a01914f514d63121be930e7a8c06cfc90ff4b8f0c7cef3408fe" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64263,7 +64263,7 @@ rule ELASTIC_Windows_Generic_Threat_747B58Af : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1504-L1524" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ee28e93412c59d63155fd79bc99979a5664c48dcb3c77e121d17fa985fcb0ebe" - logic_hash = "v1_sha256_fd6b36ca50c1017035474b491f716bfb0d53b181fce4b5478a57a1d1a6ddc3e7" + logic_hash = "fd6b36ca50c1017035474b491f716bfb0d53b181fce4b5478a57a1d1a6ddc3e7" score = 75 quality = 69 tags = "FILE, MEMORY" @@ -64294,7 +64294,7 @@ rule ELASTIC_Windows_Generic_Threat_C3C4E847 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1526-L1544" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "86b37f0b2d9d7a810b5739776b4104f1ded3a1228c4ec2d104d26d8eb26aa7ba" - logic_hash = "v1_sha256_fa147abf7aa872f409e7684c4c60485fc58f57543062573526e56ff9866f8dfe" + logic_hash = "fa147abf7aa872f409e7684c4c60485fc58f57543062573526e56ff9866f8dfe" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -64323,7 +64323,7 @@ rule ELASTIC_Windows_Generic_Threat_6542Ebda : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1546-L1564" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2073e51c7db7040c6046e36585873a0addc2bcddeb6e944b46f96c607dd83595" - logic_hash = "v1_sha256_30263341bf51a001503dfda9be5771d401bc5b5423682c29a6d4ebc457415d3e" + logic_hash = "30263341bf51a001503dfda9be5771d401bc5b5423682c29a6d4ebc457415d3e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64352,7 +64352,7 @@ rule ELASTIC_Windows_Generic_Threat_1417511B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1566-L1584" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2fc9bd91753ff3334ef7f9861dc1ae79cf5915d79fa50f7104cbb3262b7037da" - logic_hash = "v1_sha256_e6b53082fa447ac3cf56784771aca742696922e6f740a24d014e04250dc5020c" + logic_hash = "e6b53082fa447ac3cf56784771aca742696922e6f740a24d014e04250dc5020c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64381,7 +64381,7 @@ rule ELASTIC_Windows_Generic_Threat_7526F106 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1586-L1605" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "5a297c446c27a8d851c444b6b32a346a7f9f5b5e783564742d39e90cd583e0f0" - logic_hash = "v1_sha256_a0f9eb760be05196f0c5c3e3bf250929b48341a58a11c24722978fa19c4a9f57" + logic_hash = "a0f9eb760be05196f0c5c3e3bf250929b48341a58a11c24722978fa19c4a9f57" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -64411,7 +64411,7 @@ rule ELASTIC_Windows_Generic_Threat_Cbe3313A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1607-L1625" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1ca2a28c851070b9bfe1f7dd655f2ea10ececef49276c998a1d2a1b48f84cef3" - logic_hash = "v1_sha256_41a731cefe0c8ee95f1db598b68a8860ef7ff06137ce94d0dd0b5c60c4240e85" + logic_hash = "41a731cefe0c8ee95f1db598b68a8860ef7ff06137ce94d0dd0b5c60c4240e85" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64440,7 +64440,7 @@ rule ELASTIC_Windows_Generic_Threat_779Cf969 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1627-L1645" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ef281230c248442c804f1930caba48f0ae6cef110665020139f826ab99bbf274" - logic_hash = "v1_sha256_ad0f2d78386abf4c6dc6b5a4a88b4dcf8e5bf8086b08bac91e5e00be9936e908" + logic_hash = "ad0f2d78386abf4c6dc6b5a4a88b4dcf8e5bf8086b08bac91e5e00be9936e908" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -64469,7 +64469,7 @@ rule ELASTIC_Windows_Generic_Threat_D568682A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1647-L1665" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0d98bc52259e0625ec2f24078cf4ae3233e5be0ade8f97a80ca590a0f1418582" - logic_hash = "v1_sha256_97e172502037c7a5d66327fcc4a237e5548694fc7d73a535838ad56367f15d76" + logic_hash = "97e172502037c7a5d66327fcc4a237e5548694fc7d73a535838ad56367f15d76" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64498,7 +64498,7 @@ rule ELASTIC_Windows_Generic_Threat_Ccb6A7A2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1667-L1686" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "60503212db3f27a4d68bbfc94048ffede04ad37c78a19c4fe428b50f27af7a0d" - logic_hash = "v1_sha256_312265bbc4330a463bbe7478c70233f5df3353bda3c450562f2414f3675ba91e" + logic_hash = "312265bbc4330a463bbe7478c70233f5df3353bda3c450562f2414f3675ba91e" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -64528,7 +64528,7 @@ rule ELASTIC_Windows_Generic_Threat_D62F1D01 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1688-L1706" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "380892397b86f47ec5e6ed1845317bf3fd9c00d01f516cedfe032c0549eef239" - logic_hash = "v1_sha256_fd65eb56f3a48c37f83d3544c039d29c231cac1e2f8f07d176d709432a75a4c3" + logic_hash = "fd65eb56f3a48c37f83d3544c039d29c231cac1e2f8f07d176d709432a75a4c3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64557,7 +64557,7 @@ rule ELASTIC_Windows_Generic_Threat_2Bb6F41D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1708-L1728" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "afa060352346dda4807dffbcac75bf07e8800d87ff72971b65e9805fabef39c0" - logic_hash = "v1_sha256_7c4e62b69880eb8a901d7e94b7539786e8ac58808df07cb1cbe9ff45efce518e" + logic_hash = "7c4e62b69880eb8a901d7e94b7539786e8ac58808df07cb1cbe9ff45efce518e" score = 75 quality = 69 tags = "FILE, MEMORY" 
@@ -64587,7 +64587,7 @@ rule ELASTIC_Windows_Generic_Threat_C54Ed0Ed : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1730-L1747" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_f0f4878cb003371522ed1419984f15fd5049f1adeb8e051b8b51b31b0d620e96" + logic_hash = "f0f4878cb003371522ed1419984f15fd5049f1adeb8e051b8b51b31b0d620e96" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64616,7 +64616,7 @@ rule ELASTIC_Windows_Generic_Threat_Dbe41439 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1749-L1767" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "64afd2bc6cec17402473a29b94325ae2e26989caf5a8b916dc21952149d71b00" - logic_hash = "v1_sha256_288cdc285d024f2b69847e0d49bd4dc1c86a2a6a24a7b4fb248071855ba39a38" + logic_hash = "288cdc285d024f2b69847e0d49bd4dc1c86a2a6a24a7b4fb248071855ba39a38" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64645,7 +64645,7 @@ rule ELASTIC_Windows_Generic_Threat_51A52B44 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1769-L1787" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "303aafcc660baa803344bed6a3a7a5b150668f88a222c28182db588fc1e744e0" - logic_hash = "v1_sha256_aad1c350f43cf2e0512e085e1a04db6099c568e375423afb9518b1fb89801c21" + logic_hash = "aad1c350f43cf2e0512e085e1a04db6099c568e375423afb9518b1fb89801c21" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -64674,7 +64674,7 @@ rule ELASTIC_Windows_Generic_Threat_5C18A7F9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1789-L1807" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fd272678098eae8f5ec8428cf25d2f1d8b65566c59e363d42c7ce9ffab90faaa" - logic_hash = "v1_sha256_05cea396567ed3e23907dec4e6e3a6629cd1044d9123cde0575a04b73bae6c20" + logic_hash = "05cea396567ed3e23907dec4e6e3a6629cd1044d9123cde0575a04b73bae6c20" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64703,7 +64703,7 @@ rule ELASTIC_Windows_Generic_Threat_Ab01Ba9E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1809-L1829" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2b237716d0c0c9877f54b3fa03823068728dfe0710c5b05e9808eab365a1408e" - logic_hash = "v1_sha256_cc8d79950e21270938d2ea7e501c7c8fdbebe92767b48b46bb03c08c377e095b" + logic_hash = "cc8d79950e21270938d2ea7e501c7c8fdbebe92767b48b46bb03c08c377e095b" score = 75 quality = 69 tags = "FILE, MEMORY" @@ -64734,7 +64734,7 @@ rule ELASTIC_Windows_Generic_Threat_917D7645 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1831-L1849" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "19b54a20cfa74cbb0f4724155244b52ca854054a205be6d148f826fa008d6c55" - logic_hash = "v1_sha256_65748ff2e4448f305b9541ea9864cc6bda054d37be5ed34110a2f64c8fef30c7" + logic_hash = "65748ff2e4448f305b9541ea9864cc6bda054d37be5ed34110a2f64c8fef30c7" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64763,7 +64763,7 @@ rule ELASTIC_Windows_Generic_Threat_7A09E97D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1851-L1869" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c0c1e333e60547a90ec9d9dac3fc6698b088769bc0f5ec25883b2c4d1fd680a9" - logic_hash = "v1_sha256_b65b2d12901953c137687a7b466c78e0537a2830c37a4cb13dd0eda457bba937" + logic_hash = "b65b2d12901953c137687a7b466c78e0537a2830c37a4cb13dd0eda457bba937" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64792,7 +64792,7 @@ rule ELASTIC_Windows_Generic_Threat_Dc4Ede3B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1871-L1889" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c49f20c5b42c6d813e6364b1fcb68c1b63a2f7def85a3ddfc4e664c4e90f8798" - logic_hash = "v1_sha256_c402d5f16f2be32912d7a054b51ab6dafc6173bb5a267a7846b3ac9df1c4c19f" + logic_hash = "c402d5f16f2be32912d7a054b51ab6dafc6173bb5a267a7846b3ac9df1c4c19f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64821,7 +64821,7 @@ rule ELASTIC_Windows_Generic_Threat_Bb480769 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1891-L1909" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "010e3aeb26533d418bb7d2fdcfb5ec21b36603b6abb63511be25a37f99635bce" - logic_hash = "v1_sha256_1087e0befceac2606ce5dc5f2b42b45ebad888e7d3e451c3fb89de7e932a31f5" + logic_hash = "1087e0befceac2606ce5dc5f2b42b45ebad888e7d3e451c3fb89de7e932a31f5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64850,7 +64850,7 @@ rule ELASTIC_Windows_Generic_Threat_5Fbf5680 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1911-L1929" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1b0553a9873d4cda213f5464b5e98904163e347a49282db679394f70d4571e77" - logic_hash = "v1_sha256_ec5399f6fb29125cb4c096851b9194fa35fb1e5ddd1f4d4f07b155471ae5c619" + logic_hash = "ec5399f6fb29125cb4c096851b9194fa35fb1e5ddd1f4d4f07b155471ae5c619" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64879,7 +64879,7 @@ rule ELASTIC_Windows_Generic_Threat_Aa30A738 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1931-L1949" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "7726a691bd6c1ee51a9682e0087403a2c5a798ad172c1402acf2209c34092d18" - logic_hash = "v1_sha256_64967fbc0e74435452752731a8b9385345cc771d27ee33cd018cccdeb26bb75e" + logic_hash = "64967fbc0e74435452752731a8b9385345cc771d27ee33cd018cccdeb26bb75e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64908,7 +64908,7 @@ rule ELASTIC_Windows_Generic_Threat_9A8Dc290 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1951-L1969" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d951562a841f3706005d7696052d45397e3b4296d4cd96bf187920175fbb1676" - logic_hash = "v1_sha256_0097a13187b953ebe97809dda2be818cfcd94991c03e75f344e34a3d2c4fe902" + logic_hash = "0097a13187b953ebe97809dda2be818cfcd94991c03e75f344e34a3d2c4fe902" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -64937,7 +64937,7 @@ rule ELASTIC_Windows_Generic_Threat_Bbf2A354 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1971-L1989" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b4e6c748ad88070e39b53a9373946e9e404623326f710814bed439e5ea61fc3e" - logic_hash = "v1_sha256_6be2fae41199daea6b9d0394c9af7713543333a50620ef417bb8439d5a07f336" + logic_hash = "6be2fae41199daea6b9d0394c9af7713543333a50620ef417bb8439d5a07f336" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -64966,7 +64966,7 @@ rule ELASTIC_Windows_Generic_Threat_Da0F3Cbb : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L1991-L2009" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b2c456d0051ffe1ca7e9de1e944692b10ed466eabb38242ea88e663a23157c58" - logic_hash = "v1_sha256_262d0bbb69adde8c4c8645813b048f3aaa2dbcc83996606e7ca21c3edea2b5d8" + logic_hash = "262d0bbb69adde8c4c8645813b048f3aaa2dbcc83996606e7ca21c3edea2b5d8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -64995,7 +64995,7 @@ rule ELASTIC_Windows_Generic_Threat_7D555B55 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2011-L2029" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "7efa5c8fd55a20fbc3a270cf2329d4a38f10ca372f3428bee4c42279fbe6f9c3" - logic_hash = "v1_sha256_dc3a3622abbc7d0a02d8d9ed4446d0a72a603ecfd6594ecfa615e5418a9c9970" + logic_hash = "dc3a3622abbc7d0a02d8d9ed4446d0a72a603ecfd6594ecfa615e5418a9c9970" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65024,7 +65024,7 @@ rule ELASTIC_Windows_Generic_Threat_0A38C7D0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2031-L2049" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "69ea7d2ea3ed6826ddcefb3c1daa63d8ab53dc6e66c59cf5c2506a8af1c62ef4" - logic_hash = "v1_sha256_e3fde76825772683c57f830759168fc9a3b3f3387f091828fd971e9ebba06d8a" + logic_hash = "e3fde76825772683c57f830759168fc9a3b3f3387f091828fd971e9ebba06d8a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65053,7 +65053,7 @@ rule ELASTIC_Windows_Generic_Threat_98527D90 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2051-L2069" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fa24e7c6777e89928afa2a0afb2fab4db854ed3887056b5a76aef42ae38c3c82" - logic_hash = "v1_sha256_5a93f0a372f3a51233c6b2334539017df922f35a0d5f7d1749e0dd79268cb836" + logic_hash = "5a93f0a372f3a51233c6b2334539017df922f35a0d5f7d1749e0dd79268cb836" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65082,7 +65082,7 @@ rule ELASTIC_Windows_Generic_Threat_Baba80Fb : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2071-L2089" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "dd22cb2318d66fa30702368a7f06e445fba4b69daf9c45f8e83562d2c170a073" - logic_hash = "v1_sha256_ba0da35bc00b776ae9b427e3a4b312b1b75bdc9b972fb52f26a5df6737f1ddc9" + logic_hash = "ba0da35bc00b776ae9b427e3a4b312b1b75bdc9b972fb52f26a5df6737f1ddc9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65111,7 +65111,7 @@ rule ELASTIC_Windows_Generic_Threat_9F4A80B2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2091-L2109" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "47d57d00e2de43f33cd56ff653adb59b804e4dbe37304a5fa6a202ee20b50c24" - logic_hash = "v1_sha256_1df3b8245bc0e995443d598feb5fe2605e05df64b863d4f47c17ecbe8d28c3ea" + logic_hash = "1df3b8245bc0e995443d598feb5fe2605e05df64b863d4f47c17ecbe8d28c3ea" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65140,7 +65140,7 @@ rule ELASTIC_Windows_Generic_Threat_39E1Eb4C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2111-L2129" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a733258bf04ffa058db95c8c908a79650400ebd92600b96dd28ceecac311f94a" - logic_hash = "v1_sha256_d7791ae7513bc5645bcfa93a2d7bf9f7ef47a6727ea2ba5eb85f3c8528761429" + logic_hash = "d7791ae7513bc5645bcfa93a2d7bf9f7ef47a6727ea2ba5eb85f3c8528761429" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65169,7 +65169,7 @@ rule ELASTIC_Windows_Generic_Threat_D51Dd31B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2131-L2150" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2a61c0305d82b6b4180c3d817c28286ab8ee56de44e171522bd07a60a1d8492d" - logic_hash = "v1_sha256_85fc7aa81489b304c348ead2d7042bb5518ff4579b1d3e837290032c4b144e47" + logic_hash = "85fc7aa81489b304c348ead2d7042bb5518ff4579b1d3e837290032c4b144e47" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -65199,7 +65199,7 @@ rule ELASTIC_Windows_Generic_Threat_3A321F0A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2152-L2170" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "91056e8c53dc1e97c7feafab31f0943f150d89a0b0026bcfb3664d2e93ccfe2b" - logic_hash = "v1_sha256_83834dd7d4df5de4b6a032f1896f52c1ebdf16ca8ad9766e8872243f1a6da67e" + logic_hash = "83834dd7d4df5de4b6a032f1896f52c1ebdf16ca8ad9766e8872243f1a6da67e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65228,7 +65228,7 @@ rule ELASTIC_Windows_Generic_Threat_A82F45A8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2172-L2190" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ad07428104d3aa7abec2fd86562eaa8600d3e4b0f8d78ba1446f340d10008b53" - logic_hash = "v1_sha256_70ebab6b03af38ef8c81664cf49ab07066a9672666599d99c91291a9d2e3af0b" + logic_hash = "70ebab6b03af38ef8c81664cf49ab07066a9672666599d99c91291a9d2e3af0b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65257,7 +65257,7 @@ rule ELASTIC_Windows_Generic_Threat_D6625Ad7 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2192-L2210" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "878c9745320593573597d62c8f3adb3bef0b554cd51b18216f6d9f5d1a32a931" - logic_hash = "v1_sha256_e90aff7c35f60cc3446f9eeb2131edb7125bfa04eb8f90c5671d06e9ff269755" + logic_hash = "e90aff7c35f60cc3446f9eeb2131edb7125bfa04eb8f90c5671d06e9ff269755" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -65286,7 +65286,7 @@ rule ELASTIC_Windows_Generic_Threat_61Bbb571 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2212-L2230" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "41e2a6cecb1735e8f09b1ba5dccff3c08afe395b6214396e545347927d1815a8" - logic_hash = "v1_sha256_6b1ec666f3689638b9db9f041b0a89660b27c32590b747c5da3f4a02f01c7112" + logic_hash = "6b1ec666f3689638b9db9f041b0a89660b27c32590b747c5da3f4a02f01c7112" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65315,7 +65315,7 @@ rule ELASTIC_Windows_Generic_Threat_4A605E93 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2232-L2250" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1a84e25505a54e8e308714b53123396df74df1bde223bb306c0dc6220c1f0bbb" - logic_hash = "v1_sha256_6ad7afa5bd03916917e2bbf4d736331f4319b20bfde296d7e62315584813699f" + logic_hash = "6ad7afa5bd03916917e2bbf4d736331f4319b20bfde296d7e62315584813699f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65344,7 +65344,7 @@ rule ELASTIC_Windows_Generic_Threat_B509Dfc8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2252-L2270" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9b5124e5e1be30d3f2ad1020bbdb93e2ceeada4c4d36f71b2abbd728bd5292b8" - logic_hash = "v1_sha256_90b00caf612f56a898b24c28ae6febda3fd11f382ab1deba522bdd2e2ba254b4" + logic_hash = "90b00caf612f56a898b24c28ae6febda3fd11f382ab1deba522bdd2e2ba254b4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -65373,7 +65373,7 @@ rule ELASTIC_Windows_Generic_Threat_7A49053E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2272-L2292" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "29fb2b18cfd72a2966640ff59e67c89f93f83fc17afad2dfcacf9f53e9ea3446" - logic_hash = "v1_sha256_6db95f20a2bcdfd7cb37cb33dae6351dd19f51a8c3cae54b1bb034af17378094" + logic_hash = "6db95f20a2bcdfd7cb37cb33dae6351dd19f51a8c3cae54b1bb034af17378094" score = 75 quality = 69 tags = "FILE, MEMORY" @@ -65404,7 +65404,7 @@ rule ELASTIC_Windows_Generic_Threat_Fca7F863 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2294-L2312" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9d0e786dd8f1dc05eae910c6bcf15b5d05b4b6b0543618ca0c2ff3c4bb657af3" - logic_hash = "v1_sha256_ad45fe6e8257d012824b36aaee1beccb82c1b78031de86c1f1dd26d5be88aa6f" + logic_hash = "ad45fe6e8257d012824b36aaee1beccb82c1b78031de86c1f1dd26d5be88aa6f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65433,7 +65433,7 @@ rule ELASTIC_Windows_Generic_Threat_Cafbd6A3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2314-L2333" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "97081a51aa016d0e6c9ecadc09ff858bf43364265a006db9d7cc133f8429bc46" - logic_hash = "v1_sha256_28813fc8a49b6ec3fe7675409fde923f0f30851429a526c142e0a228b4e0efa6" + logic_hash = "28813fc8a49b6ec3fe7675409fde923f0f30851429a526c142e0a228b4e0efa6" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -65463,7 +65463,7 @@ rule ELASTIC_Windows_Generic_Threat_D8F834A9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2335-L2353" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c118c2064a5839ebd57a67a7be731fffe89669a8f17c1fe678432d4ff85e7929" - logic_hash = "v1_sha256_9fa1a65f3290867e4c59f14242f7261741e792b8be48c053ac320a315f2c1beb" + logic_hash = "9fa1a65f3290867e4c59f14242f7261741e792b8be48c053ac320a315f2c1beb" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65492,7 +65492,7 @@ rule ELASTIC_Windows_Generic_Threat_De3F91C6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2355-L2373" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e2cd4a8ccbf4a3a93c1387c66d94e9506b5981357004929ce5a41fcedfffb20f" - logic_hash = "v1_sha256_032ac2adb11782d823f50bfedf4e4decb731dbe7d3abbb3b05ccff598ba7edb8" + logic_hash = "032ac2adb11782d823f50bfedf4e4decb731dbe7d3abbb3b05ccff598ba7edb8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -65521,7 +65521,7 @@ rule ELASTIC_Windows_Generic_Threat_F0516E98 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2375-L2394" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "21d01bd53f43aa54f22786d7776c7bc90320ec6f7a6501b168790be46ff69632" - logic_hash = "v1_sha256_28f5b1a05d90745f432aee6bb9da3855d70b18d556153059794c5e53bbd5117c" + logic_hash = "28f5b1a05d90745f432aee6bb9da3855d70b18d556153059794c5e53bbd5117c" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -65551,7 +65551,7 @@ rule ELASTIC_Windows_Generic_Threat_3C4D9Cbe : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2396-L2414"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "21d01bd53f43aa54f22786d7776c7bc90320ec6f7a6501b168790be46ff69632"
- logic_hash = "v1_sha256_b32f9a3b86c60d4d69c59250ac59e93aee70ede890b059b13be999adbe043d2c"
+ logic_hash = "b32f9a3b86c60d4d69c59250ac59e93aee70ede890b059b13be999adbe043d2c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65580,7 +65580,7 @@ rule ELASTIC_Windows_Generic_Threat_Deb82E8C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2416-L2435"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0f5791588a9898a3db29326785d31b52b524c3097370f6aa28564473d353cd38"
- logic_hash = "v1_sha256_c24baecab39c72f6bb30713022297cb9fb41ef5339a353702f3f780a630d5b27"
+ logic_hash = "c24baecab39c72f6bb30713022297cb9fb41ef5339a353702f3f780a630d5b27"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -65610,7 +65610,7 @@ rule ELASTIC_Windows_Generic_Threat_278C589E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2437-L2455"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cccc6c1bf15a7d5725981de950475e272c277bc3b9d266c5debf0fc698770355"
- logic_hash = "v1_sha256_59bbbecd73541750f7221b12895ccf51e1a6863ceca62e23f541df904ad23587"
+ logic_hash = "59bbbecd73541750f7221b12895ccf51e1a6863ceca62e23f541df904ad23587"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65639,7 +65639,7 @@ rule ELASTIC_Windows_Generic_Threat_6B621667 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2457-L2475"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b50b39e460ecd7633a42f0856359088de20512c932fc35af6531ff48c9fa638a"
- logic_hash = "v1_sha256_3574b7ef24c4387a9919ed9831af7657047b26d8922ab78788619bbd3d0edd56"
+ logic_hash = "3574b7ef24c4387a9919ed9831af7657047b26d8922ab78788619bbd3d0edd56"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65668,7 +65668,7 @@ rule ELASTIC_Windows_Generic_Threat_7693D7Fd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2477-L2495"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fc40cc5d0bd3722126302f74ace414e6934eca3a8a5c63a11feada2130b34b89"
- logic_hash = "v1_sha256_886ad084f33faf8baae8a650a88095757c2cff9e18c8f5c50ff36120b43ec082"
+ logic_hash = "886ad084f33faf8baae8a650a88095757c2cff9e18c8f5c50ff36120b43ec082"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65697,7 +65697,7 @@ rule ELASTIC_Windows_Generic_Threat_Df5De012 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2497-L2515"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "13c06d7b030a46c6bb6351f40184af9fafaf4c67b6a2627a45925dd17501d659"
- logic_hash = "v1_sha256_1a1ce3644c33a4591ab6582525366d47e07bdc2350aa6066ec5b5fedc605b037"
+ logic_hash = "1a1ce3644c33a4591ab6582525366d47e07bdc2350aa6066ec5b5fedc605b037"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65726,7 +65726,7 @@ rule ELASTIC_Windows_Generic_Threat_0E8530F5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2517-L2536"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9f44d9acf79ed4450195223a9da185c0b0e8a8ea661d365a3ddea38f2732e2b8"
- logic_hash = "v1_sha256_f4a010366625c059151d3e704f6ece1808f367401729feaf6cc423cf4d5c5c60"
+ logic_hash = "f4a010366625c059151d3e704f6ece1808f367401729feaf6cc423cf4d5c5c60"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -65756,7 +65756,7 @@ rule ELASTIC_Windows_Generic_Threat_Ba807E3E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2538-L2556"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cabd0633b37e6465ece334195ff4cc5c3f44cfe46211165efc07f4073aed1049"
- logic_hash = "v1_sha256_896eedb949eec6dff3e867ae3179b741382dd25ba06c6db452ac1ae5bc6bc757"
+ logic_hash = "896eedb949eec6dff3e867ae3179b741382dd25ba06c6db452ac1ae5bc6bc757"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65785,7 +65785,7 @@ rule ELASTIC_Windows_Generic_Threat_4578Ee8C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2558-L2576"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "699fecdb0bf27994d67492dc480f4ba1320acdd75e5881afbc5f73c982453fed"
- logic_hash = "v1_sha256_1a519bb84aae29057536ea09e53ff97cfe34a70c84ac6fa7d1ec173de3754f03"
+ logic_hash = "1a519bb84aae29057536ea09e53ff97cfe34a70c84ac6fa7d1ec173de3754f03"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65814,7 +65814,7 @@ rule ELASTIC_Windows_Generic_Threat_Ebf62328 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2578-L2598"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dfce19aa2e1a3e983c3bfb2e4bbd7617b96d57602d7a6da6fee7b282e354c9e1"
- logic_hash = "v1_sha256_e99b56dde761c5efad14f935befa4d1dbb31cd305b5d6af05a90d44dc3cd0098"
+ logic_hash = "e99b56dde761c5efad14f935befa4d1dbb31cd305b5d6af05a90d44dc3cd0098"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -65845,7 +65845,7 @@ rule ELASTIC_Windows_Generic_Threat_Dcc622A4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2600-L2618"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "94a3f10396c07783586070119becf0924de9a7caf449d6e07065837d54e6222d"
- logic_hash = "v1_sha256_9254226918f39389ccc347de1c5064552a8500ccef1884b8e27b6e98c651f45b"
+ logic_hash = "9254226918f39389ccc347de1c5064552a8500ccef1884b8e27b6e98c651f45b"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -65874,7 +65874,7 @@ rule ELASTIC_Windows_Generic_Threat_046Aa1Ec : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2620-L2638"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c74cf499fb9298d43a6e64930addb1f8a8d8336c796b9bc02ffc260684ec60a2"
- logic_hash = "v1_sha256_da6552da3db4851806f5a0ce3c324a79acf4ee4b2690cb02cc8d8c88a2ba28f8"
+ logic_hash = "da6552da3db4851806f5a0ce3c324a79acf4ee4b2690cb02cc8d8c88a2ba28f8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65903,7 +65903,7 @@ rule ELASTIC_Windows_Generic_Threat_85C73807 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2640-L2658"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7f560a22c1f7511518656ac30350229f7a6847d26e1b3857e283f7dcee2604a0"
- logic_hash = "v1_sha256_90aa64f17b91ccdf367e1976cd1f5e89e15c7369a58b2d19187143e70939d756"
+ logic_hash = "90aa64f17b91ccdf367e1976cd1f5e89e15c7369a58b2d19187143e70939d756"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65932,7 +65932,7 @@ rule ELASTIC_Windows_Generic_Threat_642Df623 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2660-L2678"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e5ba85d1a6a54df38b5fa655703c3457783f4a4f71e178f83d8aac878d4847da"
- logic_hash = "v1_sha256_555eb66f117312fa4ff3a49c0c40f89caddec3eb4b93d11bda2cce40529d46a0"
+ logic_hash = "555eb66f117312fa4ff3a49c0c40f89caddec3eb4b93d11bda2cce40529d46a0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65961,7 +65961,7 @@ rule ELASTIC_Windows_Generic_Threat_27A2994F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2680-L2698"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e534914e06d90e119ce87f5abb446c57ec3473a29a7a9e7dc066fdc00dc68adc"
- logic_hash = "v1_sha256_66f34ba3052e2369528aeaf076f10d58f8f3dca420666246e02191fecb057f8c"
+ logic_hash = "66f34ba3052e2369528aeaf076f10d58f8f3dca420666246e02191fecb057f8c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -65990,7 +65990,7 @@ rule ELASTIC_Windows_Generic_Threat_Dbceec58 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2700-L2718"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fbec30528e6f261aebf0d41f3cd6d35fcc937f1e20e1070f99b1b327f02b91e0"
- logic_hash = "v1_sha256_2a99fb7b342b43e3a4f0136d7d618625ca5708ae32e6fcabb11420bd8c89915b"
+ logic_hash = "2a99fb7b342b43e3a4f0136d7d618625ca5708ae32e6fcabb11420bd8c89915b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66019,7 +66019,7 @@ rule ELASTIC_Windows_Generic_Threat_7407Eb79 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2720-L2738"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9ae0f053c8e2c4f4381eac8265170b79301d4a22ec1fdb86e5eb212c51a75d14"
- logic_hash = "v1_sha256_a60c3e54493f9dab71584ba301c41c43f30d554df8c0b05674995faaf407ee48"
+ logic_hash = "a60c3e54493f9dab71584ba301c41c43f30d554df8c0b05674995faaf407ee48"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66048,7 +66048,7 @@ rule ELASTIC_Windows_Generic_Threat_3613Fa12 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2740-L2758"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1403ec99f262c964e3de133a10815e34d2f104b113b0197ab43c6b7b40b536c0"
- logic_hash = "v1_sha256_77b23aaf384de138214e64342e170f3dce667ee41c3063c999286da9af6fff42"
+ logic_hash = "77b23aaf384de138214e64342e170f3dce667ee41c3063c999286da9af6fff42"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66077,7 +66077,7 @@ rule ELASTIC_Windows_Generic_Threat_B125Fff2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2760-L2778"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9c641c0c8c2fd8831ee4e3b29a2a65f070b54775e64821c50b8ccd387e602097"
- logic_hash = "v1_sha256_054f3f36c688e1f5c3116e7a926df12df90f79dc1d42bee2616b5251f6ad2c24"
+ logic_hash = "054f3f36c688e1f5c3116e7a926df12df90f79dc1d42bee2616b5251f6ad2c24"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66106,7 +66106,7 @@ rule ELASTIC_Windows_Generic_Threat_D7E5Ec2D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2780-L2798"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fe711664a565566cbc710d5e678a9a30063a2db151ebec226e2abcd24c0a7e68"
- logic_hash = "v1_sha256_4edb8cc1da81e0b9b3a8facc9a9a7d1e27dff0d2db7851d06a209beec3ccb463"
+ logic_hash = "4edb8cc1da81e0b9b3a8facc9a9a7d1e27dff0d2db7851d06a209beec3ccb463"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66135,7 +66135,7 @@ rule ELASTIC_Windows_Generic_Threat_1636C2Bf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2800-L2818"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6e43916db43d8217214bbe4eb32ed3d82d0ac423cffc91d053a317a3dbe6dafb"
- logic_hash = "v1_sha256_c8b198cd5f9277ff3808ee2a313ab979d544b9e609d6623876d2e3c3c5668e38"
+ logic_hash = "c8b198cd5f9277ff3808ee2a313ab979d544b9e609d6623876d2e3c3c5668e38"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66164,7 +66164,7 @@ rule ELASTIC_Windows_Generic_Threat_0A640296 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2820-L2838"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3682eff62caaf2c90adef447d3ff48a3f9c34c571046f379d2eaf121976f1d07"
- logic_hash = "v1_sha256_743c47c7a58e7d65261818b4b444aaf8015b9b55d3e54526b1d63a8770a6c5aa"
+ logic_hash = "743c47c7a58e7d65261818b4b444aaf8015b9b55d3e54526b1d63a8770a6c5aa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66193,7 +66193,7 @@ rule ELASTIC_Windows_Generic_Threat_B1Ef4828 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2840-L2859"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "29b20ff8ebad05e4a33c925251d08824ca155f5d9fa72d6f9e359e6ec6c61279"
- logic_hash = "v1_sha256_d5d63f38308c6f8e5ca54567c7c8b93fcde69601fbcc28d56d5231edd28163cf"
+ logic_hash = "d5d63f38308c6f8e5ca54567c7c8b93fcde69601fbcc28d56d5231edd28163cf"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66223,7 +66223,7 @@ rule ELASTIC_Windows_Generic_Threat_48Cbdc20 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2861-L2880"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7a7704c64e64d3a1f76fc718d5b5a5e3d46beeeb62f0493f22e50865ddf66594"
- logic_hash = "v1_sha256_687d0f3dc85a7e4b23019deec59ee77c211101d40ed6622a952e69ebc4151483"
+ logic_hash = "687d0f3dc85a7e4b23019deec59ee77c211101d40ed6622a952e69ebc4151483"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66253,7 +66253,7 @@ rule ELASTIC_Windows_Generic_Threat_420E1Cdc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2882-L2900"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b20254e03f7f1e79fec51d614ee0cfe0cb87432f3a53cf98cf8c047c13e2d774"
- logic_hash = "v1_sha256_6bd8a7bd4392e04d64f2e0b93d80978f59f9af634a0c971ca61cb9cb593743e0"
+ logic_hash = "6bd8a7bd4392e04d64f2e0b93d80978f59f9af634a0c971ca61cb9cb593743e0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66282,7 +66282,7 @@ rule ELASTIC_Windows_Generic_Threat_4C37E16E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2902-L2921"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d83a8ed5e192b3fe9d74f3a9966fa094d23676c7e6586c9240d97c252b8e4e74"
- logic_hash = "v1_sha256_dabac8aa6a3f4d4bd726161fc6573ca9de4088e7d818c3cf33cafc91f680e7aa"
+ logic_hash = "dabac8aa6a3f4d4bd726161fc6573ca9de4088e7d818c3cf33cafc91f680e7aa"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66312,7 +66312,7 @@ rule ELASTIC_Windows_Generic_Threat_5Be3A474 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2923-L2941"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b902954d634307260d5bd8fb6248271f933c1cbc649aa2073bf05e79c1aedb66"
- logic_hash = "v1_sha256_0f0f46e3bdebb47a4f43ccb64d65ab1e15d68d38c117cb25e5723ec16e7e0758"
+ logic_hash = "0f0f46e3bdebb47a4f43ccb64d65ab1e15d68d38c117cb25e5723ec16e7e0758"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66341,7 +66341,7 @@ rule ELASTIC_Windows_Generic_Threat_B191061E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2943-L2961"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bd4ef6fae7f29def8e5894bf05057653248f009422de85c1e425d04a0b2df258"
- logic_hash = "v1_sha256_cbee10eab984249ceb9f8a82dc06aa014d6a249321f3d4f0d1e5657aab205ec8"
+ logic_hash = "cbee10eab984249ceb9f8a82dc06aa014d6a249321f3d4f0d1e5657aab205ec8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66370,7 +66370,7 @@ rule ELASTIC_Windows_Generic_Threat_05F52E4D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2963-L2981"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e578b795f8ed77c1057d8e6b827f7426fd4881f02949bfc83bcad11fa7eb2403"
- logic_hash = "v1_sha256_79898b59b6d3564aad85d823a1450600faff5b1d2dbfbe0cee4cc59971e4f542"
+ logic_hash = "79898b59b6d3564aad85d823a1450600faff5b1d2dbfbe0cee4cc59971e4f542"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66399,7 +66399,7 @@ rule ELASTIC_Windows_Generic_Threat_C34E19E9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L2983-L3001"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f9048348a59d9f824b45b16b1fdba9bfeda513aa9fbe671442f84b81679232db"
- logic_hash = "v1_sha256_87999b6f2cf359b6436ee7e57691ac73fc41f3947bf8fef3f6b98148e17f180d"
+ logic_hash = "87999b6f2cf359b6436ee7e57691ac73fc41f3947bf8fef3f6b98148e17f180d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66428,7 +66428,7 @@ rule ELASTIC_Windows_Generic_Threat_E691Eaa1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3003-L3021"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "afa5f36860e69b9134b93e9ad32fed0a5923772e701437e1054ea98e76f28a77"
- logic_hash = "v1_sha256_0ac310e3f7cf99b77c2dcfea582752e2f1414caf43965c25d2f3f03cf27586cc"
+ logic_hash = "0ac310e3f7cf99b77c2dcfea582752e2f1414caf43965c25d2f3f03cf27586cc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66457,7 +66457,7 @@ rule ELASTIC_Windows_Generic_Threat_5E33Bb4B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3023-L3041"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "13c06d7b030a46c6bb6351f40184af9fafaf4c67b6a2627a45925dd17501d659"
- logic_hash = "v1_sha256_7e2002c3917ccab7d9f56a7aa20ea75be71aa7fdc64b7c3f87edb68be38e74b2"
+ logic_hash = "7e2002c3917ccab7d9f56a7aa20ea75be71aa7fdc64b7c3f87edb68be38e74b2"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66486,7 +66486,7 @@ rule ELASTIC_Windows_Generic_Threat_Be64Ba10 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3043-L3062"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "24bb4fc117aa57fd170e878263973a392d094c94d3a5f651fad7528d5d73b58a"
- logic_hash = "v1_sha256_c6acce53610baf119a0e2d55fc698a976463bbd21b739d4ac39a75383fa5fed2"
+ logic_hash = "c6acce53610baf119a0e2d55fc698a976463bbd21b739d4ac39a75383fa5fed2"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -66516,7 +66516,7 @@ rule ELASTIC_Windows_Generic_Threat_7Bb75582 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3064-L3082"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "35f9698e9b9f611b3dd92466f18f97f4a8b4506ed6f10d4ac84303177f43522d"
- logic_hash = "v1_sha256_d959f755d28782b332248085034950a8d4cad3cde13b22254c90ca3952919e1b"
+ logic_hash = "d959f755d28782b332248085034950a8d4cad3cde13b22254c90ca3952919e1b"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66545,7 +66545,7 @@ rule ELASTIC_Windows_Generic_Threat_59698796 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3084-L3102"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "35f9698e9b9f611b3dd92466f18f97f4a8b4506ed6f10d4ac84303177f43522d"
- logic_hash = "v1_sha256_59569049dbb09b7e15110fb8de1a146eb7fd606f116b4dd6c75ca973fb62296e"
+ logic_hash = "59569049dbb09b7e15110fb8de1a146eb7fd606f116b4dd6c75ca973fb62296e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66574,7 +66574,7 @@ rule ELASTIC_Windows_Generic_Threat_2Ae9B09E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3104-L3122"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dc8f4784c368676cd411b7d618407c416d9e56d116dd3cd17c3f750e6cb60c40"
- logic_hash = "v1_sha256_183249214e5f8143eb91caf20778b870d17d7a52b6d71ad603827e8716e7e447"
+ logic_hash = "183249214e5f8143eb91caf20778b870d17d7a52b6d71ad603827e8716e7e447"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66603,7 +66603,7 @@ rule ELASTIC_Windows_Generic_Threat_604A8763 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3124-L3142"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2a51fb11032ec011448184a4f2837d05638a7673d16dcf5dcf4005de3f87883a"
- logic_hash = "v1_sha256_cf88c0d102680fc7c16d49b6e8dc49c16b27d5940edf078e667a45e70ebe3883"
+ logic_hash = "cf88c0d102680fc7c16d49b6e8dc49c16b27d5940edf078e667a45e70ebe3883"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66632,7 +66632,7 @@ rule ELASTIC_Windows_Generic_Threat_F45B3F09 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3144-L3162"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "577f1dbd76030c7e44ed28c748551691d446e268189af94e1fa1545f06395178"
- logic_hash = "v1_sha256_9b01ad1271cc5052a793e5a885aa7289cbaea4a928f60d64194477c3036496ed"
+ logic_hash = "9b01ad1271cc5052a793e5a885aa7289cbaea4a928f60d64194477c3036496ed"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66661,7 +66661,7 @@ rule ELASTIC_Windows_Generic_Threat_3F390999 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3164-L3182"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1b6fc4eaef3515058f85551e7e5dffb68b9a0550cd7f9ebcbac158dac9ababf1"
- logic_hash = "v1_sha256_462a7a38ebbb39515ac2c0a10353660d0cadcfb99360adcd200edc1db5a716ba"
+ logic_hash = "462a7a38ebbb39515ac2c0a10353660d0cadcfb99360adcd200edc1db5a716ba"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66690,7 +66690,7 @@ rule ELASTIC_Windows_Generic_Threat_Abd1C09D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3184-L3202"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3ff09d2352c2163465d8c86f94baa25ba85c35698a5e3fbc52bc95afc06b7e85"
- logic_hash = "v1_sha256_80e6f317e5cd91cb3819e9251efc8c96218071bec577a38c8784826dd4a657cb"
+ logic_hash = "80e6f317e5cd91cb3819e9251efc8c96218071bec577a38c8784826dd4a657cb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66719,7 +66719,7 @@ rule ELASTIC_Windows_Generic_Threat_B7870213 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3204-L3222"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "04cb0d5eecea673acc575e54439398cc00e78cc54d8f43c4b9bc353e4fc4430d"
- logic_hash = "v1_sha256_79b8385543def42259cd9c09d4d7059ff6bb02a9e87cff1bc0a8861e3b333c5f"
+ logic_hash = "79b8385543def42259cd9c09d4d7059ff6bb02a9e87cff1bc0a8861e3b333c5f"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66748,7 +66748,7 @@ rule ELASTIC_Windows_Generic_Threat_2Bba6Bae : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3224-L3242"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d9955c716371422750b77d64256dade6fbd028c8d965db05c0d889d953480373"
- logic_hash = "v1_sha256_59e4b173c21b0ab161adf8d89f253f21403bca706b6bf40b3da00697f87dd509"
+ logic_hash = "59e4b173c21b0ab161adf8d89f253f21403bca706b6bf40b3da00697f87dd509"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -66777,7 +66777,7 @@ rule ELASTIC_Windows_Generic_Threat_4Db75701 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3244-L3262"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fa7847d21d5a350cf96d7ecbcf13dce63e6a0937971cfb479700c5b31850bba9"
- logic_hash = "v1_sha256_65f7d15ed551e069b30ce6c0a5f15d01d24b8b29727950269c9956fcf6dc799d"
+ logic_hash = "65f7d15ed551e069b30ce6c0a5f15d01d24b8b29727950269c9956fcf6dc799d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66806,7 +66806,7 @@ rule ELASTIC_Windows_Generic_Threat_54A914C9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3264-L3282"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c418c5ad8030985bb5067cda61caba3b7a0d24cb8d3f93fc09d452fbdf4174ec"
- logic_hash = "v1_sha256_0cc3797564b4c722423f915493e07b0e0fec3085e7a535f9914f82d73c797bed"
+ logic_hash = "0cc3797564b4c722423f915493e07b0e0fec3085e7a535f9914f82d73c797bed"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66835,7 +66835,7 @@ rule ELASTIC_Windows_Generic_Threat_38A88967 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3284-L3302"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6e425eb1a27c4337f05d12992e33fe0047e30259380002797639d51ef9509739"
- logic_hash = "v1_sha256_ddbdb1c39a07141d83173504214c889aff75487570d906413ebc6f262fedf9ae"
+ logic_hash = "ddbdb1c39a07141d83173504214c889aff75487570d906413ebc6f262fedf9ae"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66864,7 +66864,7 @@ rule ELASTIC_Windows_Generic_Threat_E8Abb835 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3304-L3322"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e42262671325bec300afa722cefb584e477c3f2782c8d4c6402d6863df348cac"
- logic_hash = "v1_sha256_0ad56b8c741a79a600a0d5588c4e8760a6d19fef72ff7814a00cfb84a90f23aa"
+ logic_hash = "0ad56b8c741a79a600a0d5588c4e8760a6d19fef72ff7814a00cfb84a90f23aa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66893,7 +66893,7 @@ rule ELASTIC_Windows_Generic_Threat_492D7223 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3324-L3342"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0d9c9297836aceb4400bcb0877d1df90ca387f18f735de195852a909c67b7ef"
- logic_hash = "v1_sha256_9fb2a00def86ed8476d906514a0bc630e28093ac37d757541d8801d2c8e0efc3"
+ logic_hash = "9fb2a00def86ed8476d906514a0bc630e28093ac37d757541d8801d2c8e0efc3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66922,7 +66922,7 @@ rule ELASTIC_Windows_Generic_Threat_Ea296356 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3344-L3362"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4c48a0fe90f3da7bfdd32961da7771a0124b77e1ac1910168020babe8143e959"
- logic_hash = "v1_sha256_73ffd16f0047cd57311853aa9083fc21427f2eb21646c6edc7b8def86da90f90"
+ logic_hash = "73ffd16f0047cd57311853aa9083fc21427f2eb21646c6edc7b8def86da90f90"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66951,7 +66951,7 @@ rule ELASTIC_Windows_Generic_Threat_Aeaeb5Cf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3364-L3382"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f57d955d485904f0c729acff9db1de9cb42f32af993393d58538f07fa273b431"
- logic_hash = "v1_sha256_640966296bad70234e0fe7b6f87b92fcf4fc111189d307d44f32e926785f76cb"
+ logic_hash = "640966296bad70234e0fe7b6f87b92fcf4fc111189d307d44f32e926785f76cb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -66980,7 +66980,7 @@ rule ELASTIC_Windows_Generic_Threat_C8424507 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3384-L3403"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d556b02733385b823cfe4db7e562e90aa520e2e6fb00fceb76cc0a6a1ff47692"
- logic_hash = "v1_sha256_78d56257cb6e1d67f9343ee30b844fe20138e27ca3b6312a07112e5dbb797851"
+ logic_hash = "78d56257cb6e1d67f9343ee30b844fe20138e27ca3b6312a07112e5dbb797851"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -67010,7 +67010,7 @@ rule ELASTIC_Windows_Generic_Threat_9Af87Ddb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3405-L3423"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b1fbc11744e21dc08599412887a3a966572614ce25ccd3c8c98f04bcbdda3898"
- logic_hash = "v1_sha256_99174c5740324d7704a5c6ae924254f9b5f241c97901dfdb771fc176a76e4a30"
+ logic_hash = "99174c5740324d7704a5c6ae924254f9b5f241c97901dfdb771fc176a76e4a30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67039,7 +67039,7 @@ rule ELASTIC_Windows_Generic_Threat_D7B57912 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3425-L3443"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0906599be152dd598c7f540498c44cc38efe9ea976731da05137ee6520288fe4"
- logic_hash = "v1_sha256_a774e3030d81e29805a9784cfbbc0b69c4fedebe0daa25e403777e1f46f9094f"
+ logic_hash = "a774e3030d81e29805a9784cfbbc0b69c4fedebe0daa25e403777e1f46f9094f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67068,7 +67068,7 @@ rule ELASTIC_Windows_Generic_Threat_23D33B48 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3445-L3463"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "acbc22df07888498ae6f52f5458e3fb8e0682e443a8c2bc97177a0320b4e2098"
- logic_hash = "v1_sha256_c9fb93bb74e4d45197d0da5b641860738a42a583b15cc098e86ea79bb8690bf7"
+ logic_hash = "c9fb93bb74e4d45197d0da5b641860738a42a583b15cc098e86ea79bb8690bf7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67097,7 +67097,7 @@ rule ELASTIC_Windows_Generic_Threat_4B0B73Ce : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3465-L3483"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "236fc00cd7c75f70904239935ab90f51b03ff347798f56cec1bdd73a286b24c1"
- logic_hash = "v1_sha256_d53923df612dd7fe0b1b2c94c1c5d747b08723df129089326ec27c5049769cef"
+ logic_hash = "d53923df612dd7fe0b1b2c94c1c5d747b08723df129089326ec27c5049769cef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67126,7 +67126,7 @@ rule ELASTIC_Windows_Generic_Threat_1F2E969C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3485-L3503"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7def75df729ed66511fbe91eadf15bc69a03618e78c48e27c35497db2a6a97ae"
- logic_hash = "v1_sha256_7d984a902f9bf40c9b49da89aba9249f80b41b24ca1cdb6189f541b40ef41742"
+ logic_hash = "7d984a902f9bf40c9b49da89aba9249f80b41b24ca1cdb6189f541b40ef41742"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67155,7 +67155,7 @@ rule ELASTIC_Windows_Generic_Threat_27C975Fd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3505-L3523"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0108af363959f90919f24220caf426fba50be3d61f3735bb0f2acbbcc1f56e0c"
- logic_hash = "v1_sha256_f4c500331ce0857b17970206fae4f8501c6f3a65824f37b6cdde47d0a03ceb78"
+ logic_hash = "f4c500331ce0857b17970206fae4f8501c6f3a65824f37b6cdde47d0a03ceb78"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67184,7 +67184,7 @@ rule ELASTIC_Windows_Generic_Threat_D170474C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3525-L3543"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "63da7ea6d4cd240485ad5c546dd60b90cb98d6f4f18df4bc708f5ec689be952f"
- logic_hash = "v1_sha256_45089557acec0549acc3f5856c4eef89543ed048984474718376a73085edcb08"
+ logic_hash = "45089557acec0549acc3f5856c4eef89543ed048984474718376a73085edcb08"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67213,7 +67213,7 @@ rule ELASTIC_Windows_Generic_Threat_F57E5E2A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3545-L3563"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bff5112830cc3547c206fb1d028c592a11a3c7cd457ef445b765af86a1e76001"
- logic_hash = "v1_sha256_ce972e45f87792599b0800883e848221b0c2c99c9a0432659c655903f530e852"
+ logic_hash = "ce972e45f87792599b0800883e848221b0c2c99c9a0432659c655903f530e852"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67242,7 +67242,7 @@ rule ELASTIC_Windows_Generic_Threat_4Fe0Deb6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3565-L3583"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5836ef66985e851b37a369b04cce579afdb3b241d46a096bf8b1e8d4df053cd2"
- logic_hash = "v1_sha256_7737c264c98a0256c0a0075ab6b2e9525550e0ef60fd64a6c50cf8075639e96c"
+ logic_hash = "7737c264c98a0256c0a0075ab6b2e9525550e0ef60fd64a6c50cf8075639e96c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67271,7 +67271,7 @@ rule ELASTIC_Windows_Generic_Threat_C9003B7B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3585-L3603"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ff2a1def8c4fae4166e249edab62d73f44ba3c05d5e3c9fda11399bfe1fcee6c"
- logic_hash = "v1_sha256_deac86398c04c462d4aa3361c911acec99d422e2ce995ba82fc3e8fe9772c33b"
+ logic_hash = "deac86398c04c462d4aa3361c911acec99d422e2ce995ba82fc3e8fe9772c33b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67300,7 +67300,7 @@ rule ELASTIC_Windows_Generic_Threat_21253888 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3605-L3623"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "95e523f4003a10a906ef7c68a258d402e25f235fa9f2b022faff7cae41185b9c"
- logic_hash = "v1_sha256_121fc74ff09ebd9f2d6eda370b6fa6b5137e0ae59cf6d6f8f18d13e1cc053e15"
+ logic_hash = "121fc74ff09ebd9f2d6eda370b6fa6b5137e0ae59cf6d6f8f18d13e1cc053e15"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -67329,7 +67329,7 @@ rule ELASTIC_Windows_Generic_Threat_06Dcb833 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3625-L3643"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f7fde85aefb7123ef805c85394907ef73e0983499b49f2290a83aa2b0a2e5e9d"
- logic_hash = "v1_sha256_cbddf2b858278ad4a9330dac767f0a0bc7691cbf6a93ac389f48cb2286c8cbdc"
+ logic_hash = "cbddf2b858278ad4a9330dac767f0a0bc7691cbf6a93ac389f48cb2286c8cbdc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67358,7 +67358,7 @@ rule ELASTIC_Windows_Generic_Threat_5435Fe36 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3645-L3663"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8c0e26af4f9c783844ea457c3eb7bb2bbe1bf3f860ce180bacab00456f3ae7c1"
- logic_hash = "v1_sha256_7295e8addf2dcd6192eab261d7a2ca817006a3962dd2e792f51154495be54298"
+ logic_hash = "7295e8addf2dcd6192eab261d7a2ca817006a3962dd2e792f51154495be54298"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67387,7 +67387,7 @@ rule ELASTIC_Windows_Generic_Threat_491A8310 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3665-L3683"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "59c6846b4676378d9c80d7ced825f0463d1b333546bfcad919ee262cbf6db250"
- logic_hash = "v1_sha256_45b1017a7ba8d5dc321ac018613587c371380a3340f6893a046a6bdc8a1d2431"
+ logic_hash = "45b1017a7ba8d5dc321ac018613587c371380a3340f6893a046a6bdc8a1d2431"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67416,7 +67416,7 @@ rule ELASTIC_Windows_Generic_Threat_2F726F2D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Generic_Threat.yar#L3685-L3703"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ede9bd928a216c9844f290be0de6985ed54dceaff041906dca3a3468293464b6"
- logic_hash = "v1_sha256_41314d0685f957a3cdfa37f8f2275ab19137da289c57069b8d3a3e40e4b802e7"
+ logic_hash = "41314d0685f957a3cdfa37f8f2275ab19137da289c57069b8d3a3e40e4b802e7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67445,7 +67445,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_52A15A93 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083"
- logic_hash = "v1_sha256_ceaf5b06108baa6043e31010d777099ed6ac9b4054e86d41309bd7c2b0ffda11"
+ logic_hash = "ceaf5b06108baa6043e31010d777099ed6ac9b4054e86d41309bd7c2b0ffda11"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67474,7 +67474,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_D0Ad9C82 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083"
- logic_hash = "v1_sha256_8351cb61f5b712c65962e734a7c29271fa4805720e14b6badc9bc1c0364778f8"
+ logic_hash = "8351cb61f5b712c65962e734a7c29271fa4805720e14b6badc9bc1c0364778f8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67503,7 +67503,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_E2C89606 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083"
- logic_hash = "v1_sha256_64cb8d8ec04a53f663b216208279afba3c10f148fe99822f9a45100a4f73ed28"
+ logic_hash = "64cb8d8ec04a53f663b216208279afba3c10f148fe99822f9a45100a4f73ed28"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67531,7 +67531,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_82B4E3F3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L61-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8c91f85bc807605a3233d28a5eb8b6e1cf847fb288cbc4427e86226eed7a2055"
+ logic_hash = "8c91f85bc807605a3233d28a5eb8b6e1cf847fb288cbc4427e86226eed7a2055"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67560,7 +67560,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_601352Dc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L80-L98"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5714e130075f4780e025fb3810f58a63e618659ac34d12abe211a1b6f2f80269"
- logic_hash = "v1_sha256_adeeea73b711fc867b88775c06a14011380118ed85691660ba771381e51160e3"
+ logic_hash = "adeeea73b711fc867b88775c06a14011380118ed85691660ba771381e51160e3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67588,7 +67588,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_Ddca1181 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L100-L117"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_076d4ac69f6bc29975b22e19d429c25ef357443ec8fcaf5165e0a8069112af74"
+ logic_hash = "076d4ac69f6bc29975b22e19d429c25ef357443ec8fcaf5165e0a8069112af74"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67617,7 +67617,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_65E666C0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L119-L137"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "19f9b5382d3e8e604be321aefd47cb72c2337a170403613b853307c266d065dd"
- logic_hash = "v1_sha256_2d2bec8f89986b19bf1c806b6654405ac6523f49aeafd759b7631d9587d780c8"
+ logic_hash = "2d2bec8f89986b19bf1c806b6654405ac6523f49aeafd759b7631d9587d780c8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67646,7 +67646,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_494D5B0F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L139-L157"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7e08df5279f4d22f1f27553946b0dadd60bb8242d522a8dceb45ab7636433c2f"
- logic_hash = "v1_sha256_6ddb94f9f44fe749a442592d491343a99bd870ea2d79596631d857516425e72b"
+ logic_hash = "6ddb94f9f44fe749a442592d491343a99bd870ea2d79596631d857516425e72b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67675,7 +67675,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_Bb4F7F39 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L159-L177"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083"
- logic_hash = "v1_sha256_33e8fcbb29cc38b4a8365845eb3a1488e13be964f7383b28a158a98fb259acb4"
+ logic_hash = "33e8fcbb29cc38b4a8365845eb3a1488e13be964f7383b28a158a98fb259acb4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67703,7 +67703,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_8679E1Cb : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L179-L196"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_6055ac4800397f6582e60cdf15fa74584986e1e7cf49a541b0ec746445834819"
+ logic_hash = "6055ac4800397f6582e60cdf15fa74584986e1e7cf49a541b0ec746445834819"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67731,7 +67731,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_29B86E6A : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L198-L215"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_dd5f44249cc4c91f39a0e7d0b236ebeed8f78d5fcb03c7ebc80ef1c738b18336"
+ logic_hash = "dd5f44249cc4c91f39a0e7d0b236ebeed8f78d5fcb03c7ebc80ef1c738b18336"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67760,7 +67760,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_E3086563 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L217-L235"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083"
- logic_hash = "v1_sha256_5545f7ce8fa45dc56bc4bb5140ce1db527997dfaa1dd2bbb1e4a12af45300065"
+ logic_hash = "5545f7ce8fa45dc56bc4bb5140ce1db527997dfaa1dd2bbb1e4a12af45300065"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67789,7 +67789,7 @@ rule ELASTIC_Linux_Trojan_Mobidash_2F114992 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mobidash.yar#L237-L255"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6694640e7df5308a969ef40f86393a65febe51639069cb7eaa5650f62c1f4083"
- logic_hash = "v1_sha256_f93fe72e08c8ec135cccc8cdab2ecedbb694e9ad39f2572d060864bb3290e25c"
+ logic_hash = "f93fe72e08c8ec135cccc8cdab2ecedbb694e9ad39f2572d060864bb3290e25c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67818,7 +67818,7 @@ rule ELASTIC_Windows_Trojan_Xtremerat_Cd5B60Be : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_XtremeRAT.yar#L1-L28"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "735f7bf255bdc5ce8e69259c8e24164e5364aeac3ee78782b7b5275c1d793da8"
- logic_hash = "v1_sha256_a6997ae4842bd45c440925ef2a5848b57c58e2373c0971ce6b328ea297ee97b4"
+ logic_hash = "a6997ae4842bd45c440925ef2a5848b57c58e2373c0971ce6b328ea297ee97b4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67856,7 +67856,7 @@ rule ELASTIC_Windows_Trojan_Bughatch_21269Be4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bughatch.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f"
- logic_hash = "v1_sha256_a8a2cae51a31e48ffe729df61ec96e3257f9c997ad5234075f85ed55de96f11d"
+ logic_hash = "a8a2cae51a31e48ffe729df61ec96e3257f9c997ad5234075f85ed55de96f11d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67887,7 +67887,7 @@ rule ELASTIC_Windows_Trojan_Bughatch_98F3C0Be : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bughatch.yar#L24-L51"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f"
- logic_hash = "v1_sha256_d578515fece7bd464bb09cc5ddb5caf70f4022e8b10388db689e67e662d57f66"
+ logic_hash = "d578515fece7bd464bb09cc5ddb5caf70f4022e8b10388db689e67e662d57f66"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67924,7 +67924,7 @@ rule ELASTIC_Linux_Hacktool_Cleanlog_C2907D77 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Cleanlog.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "613ac236130ab1654f051d6f0661fa62414f3bef036ea4cc585b4b21a4bb9d2b"
- logic_hash = "v1_sha256_39b72973bbcddf14604b8ea08339657cba317c23fd4d69d4aa0903b262397988"
+ logic_hash = "39b72973bbcddf14604b8ea08339657cba317c23fd4d69d4aa0903b262397988"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67953,7 +67953,7 @@ rule ELASTIC_Linux_Hacktool_Cleanlog_3Eb725D1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Cleanlog.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4df4ebcc61ab2cdb8e5112eeb4e2f29e4e841048de43d7426b1ec11afe175bf6"
- logic_hash = "v1_sha256_a9530aca53d935f3e77a5f0fc332db16e3a2832be67c067e5a6d18e7ec00e39f"
+ logic_hash = "a9530aca53d935f3e77a5f0fc332db16e3a2832be67c067e5a6d18e7ec00e39f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -67982,7 +67982,7 @@ rule ELASTIC_Linux_Hacktool_Cleanlog_400B7595 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Cleanlog.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4df4ebcc61ab2cdb8e5112eeb4e2f29e4e841048de43d7426b1ec11afe175bf6"
- logic_hash = "v1_sha256_e36acf708875efda88143124e11fef5b0e2f99d17b0c49344db969cf0d454db1"
+ logic_hash = "e36acf708875efda88143124e11fef5b0e2f99d17b0c49344db969cf0d454db1"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -68011,7 +68011,7 @@ rule ELASTIC_Linux_Trojan_Ddostf_E4874Cd4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ddostf.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2"
- logic_hash = "v1_sha256_1523fe8f7bbbc7e42f8c2efe5b28dd381007846a1ba7078a6f1a30aedace884b"
+ logic_hash = "1523fe8f7bbbc7e42f8c2efe5b28dd381007846a1ba7078a6f1a30aedace884b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68039,7 +68039,7 @@ rule ELASTIC_Linux_Trojan_Ddostf_32C35334 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ddostf.yar#L21-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d62d450d48756c09f8788b27301de889c864e597924a0526a325fa602f91f376"
+ logic_hash = "d62d450d48756c09f8788b27301de889c864e597924a0526a325fa602f91f376"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68068,7 +68068,7 @@ rule ELASTIC_Linux_Trojan_Ddostf_6Dc1Caab : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ddostf.yar#L40-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f4587bd45e57d4106ebe502d2eaa1d97fd68613095234038d67490e74c62ba70"
- logic_hash = "v1_sha256_fd70960ed6e06f4d152bbd211fbe491dad596010da12cd53c93b577b551b8053"
+ logic_hash = "fd70960ed6e06f4d152bbd211fbe491dad596010da12cd53c93b577b551b8053"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68097,7 +68097,7 @@ rule ELASTIC_Linux_Trojan_Ddostf_Dc47A873 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ddostf.yar#L60-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2"
- logic_hash = "v1_sha256_2f5bd9e012fd778388074cf29b56c7cd59391840f994835d087b7b661445d316"
+ logic_hash = "2f5bd9e012fd778388074cf29b56c7cd59391840f994835d087b7b661445d316"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68126,7 +68126,7 @@ rule ELASTIC_Linux_Trojan_Ddostf_Cb0358A0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ddostf.yar#L80-L98"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2"
- logic_hash = "v1_sha256_1f152b69bf0b2bfa539fdd42c432e456b9efb3766a450333a987313bb12c1826"
+ logic_hash = "1f152b69bf0b2bfa539fdd42c432e456b9efb3766a450333a987313bb12c1826"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68155,7 +68155,7 @@ rule ELASTIC_Windows_Hacktool_Sharpup_E5C87C9A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpUp.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "45e92b991b3633b446473115f97366d9f35acd446d00cd4a05981a056660ad27"
- logic_hash = "v1_sha256_62e9aafd308aacbc7a124c707e230c5a9ffde4f6929a5feada5497e3eae7668c"
+ logic_hash = "62e9aafd308aacbc7a124c707e230c5a9ffde4f6929a5feada5497e3eae7668c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -68190,7 +68190,7 @@ rule ELASTIC_Linux_Cryptominer_Casdet_5D0D33Be : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Casdet.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4b09115c876a8b610e1941c768100e03c963c76b250fdd5b12a74253ef9e5fb6"
- logic_hash = "v1_sha256_e3264f614e257d853070907866b838d1cb53c1f60f7a0123ec503f1d540a15d7"
+ logic_hash = "e3264f614e257d853070907866b838d1cb53c1f60f7a0123ec503f1d540a15d7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68219,7 +68219,7 @@ rule ELASTIC_Windows_Hacktool_Coffloader_81Ba13B8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_COFFLoader.yar#L1-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c2e03659eb1594dc958e01344cfa9ba126d66736b089db5e3dd1b1c3e3e7d2f7"
- logic_hash = "v1_sha256_d4f061af200a0ae9f3276fd6dfcb09ecdf662f29b7c43ea47c69a53d9fe66793"
+ logic_hash = "d4f061af200a0ae9f3276fd6dfcb09ecdf662f29b7c43ea47c69a53d9fe66793"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -68272,7 +68272,7 @@ rule ELASTIC_Windows_Trojan_Nimplant_44Ff3211 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Nimplant.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b56e20384f98e1d2417bb7dcdbfb375987dd075911b74ea7ead082494836b8f4"
- logic_hash = "v1_sha256_ee519d8d722404ed440b385d283a41921bc34ee11f0e7273cdc074b377494c39"
+ logic_hash = "ee519d8d722404ed440b385d283a41921bc34ee11f0e7273cdc074b377494c39"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68303,7 +68303,7 @@ rule ELASTIC_Linux_Exploit_Wuftpd_0991E62F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Wuftpd.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0b6303300f38013840abe17abe192db6a99ace78c83bc7ef705f5c568bc98fd"
- logic_hash = "v1_sha256_71ad26a182c7f16e7e0ad7f7afe0dcf1d38fe953dc0806341d7e21ee4acea87d"
+ logic_hash = "71ad26a182c7f16e7e0ad7f7afe0dcf1d38fe953dc0806341d7e21ee4acea87d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68332,7 +68332,7 @@ rule ELASTIC_Windows_Hacktool_Capcom_7Abae448 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Capcom.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24"
- logic_hash = "v1_sha256_88f25c479cc8970e05ef9d08143afbbbfa17322f34379ba571e3a09105b33ee0"
+ logic_hash = "88f25c479cc8970e05ef9d08143afbbbfa17322f34379ba571e3a09105b33ee0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -68362,7 +68362,7 @@ rule ELASTIC_Windows_Trojan_Latrodectus_841Ff697 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Latrodectus.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "aee22a35cbdac3f16c3ed742c0b1bfe9739a13469cf43b36fb2c63565111028c"
- logic_hash = "v1_sha256_aa1a4813a18b4eb4f07e805ff9c87523ad74f59c0ed538212918335eaeee29d7"
+ logic_hash = "aa1a4813a18b4eb4f07e805ff9c87523ad74f59c0ed538212918335eaeee29d7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68398,7 +68398,7 @@ rule ELASTIC_Linux_Rootkit_Fontonlake_8Fa41F5E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Fontonlake.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "826222d399e2fb17ae6bc6a4e1493003881b1406154c4b817f0216249d04a234"
- logic_hash = "v1_sha256_e90ace26dd74ae948d2469c6f532af5ec3070a21092f8b2c4d47c4f5b9d04c09"
+ logic_hash = "e90ace26dd74ae948d2469c6f532af5ec3070a21092f8b2c4d47c4f5b9d04c09"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -68434,7 +68434,7 @@ rule ELASTIC_Linux_Trojan_Orbit_57C23178 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Orbit.yar#L1-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020"
- logic_hash = "v1_sha256_25b29e874ea9d400662418ddbb1c995a5a5b49f8ba6f51f59f7aa57cdda74054"
+ logic_hash = "25b29e874ea9d400662418ddbb1c995a5a5b49f8ba6f51f59f7aa57cdda74054"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -68484,7 +68484,7 @@ rule ELASTIC_Linux_Ransomware_Gonnacry_53C3832D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Gonnacry.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac"
- logic_hash = "v1_sha256_2b7453c4eb71b71e6a241f728b077a2ee63d988d55a64fedf61c34222799e262"
+ logic_hash = "2b7453c4eb71b71e6a241f728b077a2ee63d988d55a64fedf61c34222799e262"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68513,7 +68513,7 @@ rule ELASTIC_Linux_Exploit_CVE_2009_2908_406C2Fef : FILE MEMORY CVE_2009_2908
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2009_2908.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1e05a23f5b3b9cfde183aec26b723147e1816b95dc0fb7f9ac57376efcb22fcd"
- logic_hash = "v1_sha256_ae379ca7564eb97f141f6ad71ca12973bf1a38cda4bc03e3f4dca1939a9b6b38"
+ logic_hash = "ae379ca7564eb97f141f6ad71ca12973bf1a38cda4bc03e3f4dca1939a9b6b38"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2009-2908"
@@ -68542,7 +68542,7 @@ rule ELASTIC_Linux_Ransomware_Itssoeasy_30Bd68E0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_ItsSoEasy.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "efb1024654e86c0c30d2ac5f97d27f5f27b4dd3f7f6ada65d58691f0d703461c"
- logic_hash = "v1_sha256_a8838af442d1106bc9a7df93d6d8335ff0275bf5928acbb605e9bad58ce6bbd4"
+ logic_hash = "a8838af442d1106bc9a7df93d6d8335ff0275bf5928acbb605e9bad58ce6bbd4"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -68572,7 +68572,7 @@ rule ELASTIC_Windows_Ransomware_Gandcrab_8D0Ca31D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_GandCrab.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "29eee4f8b088ec1cdac03a04ca834479fce9a0fdf696224c6f19d573f4e2a703"
- logic_hash = "v1_sha256_0ee46c41031a7e7fbdae0b80bd8c53bfd1a0b9d255072971e74470988e492430"
+ logic_hash = "0ee46c41031a7e7fbdae0b80bd8c53bfd1a0b9d255072971e74470988e492430"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68603,7 +68603,7 @@ rule ELASTIC_Linux_Trojan_Masan_5369C678 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Masan.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f2de9f39ca3910d5b383c245d8ca3c1bdf98e2309553599e0283062e0aeff17f"
- logic_hash = "v1_sha256_e57b105004216a6054b0561b69cce00c35255c5bd33aa8e403d0a3967cd0697e"
+ logic_hash = "e57b105004216a6054b0561b69cce00c35255c5bd33aa8e403d0a3967cd0697e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68632,7 +68632,7 @@ rule ELASTIC_Linux_Ransomware_Babuk_Bd216Cab : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Babuk.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d305a30017baef4f08cee38a851b57869676e45c66e64bb7cc58d40bf0142fe0"
- logic_hash = "v1_sha256_b0538be9d8deccc3f77640da28e5fd38a07557e9e5e3c09b11349d7eb50a56b5"
+ logic_hash = "b0538be9d8deccc3f77640da28e5fd38a07557e9e5e3c09b11349d7eb50a56b5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68662,7 +68662,7 @@ rule ELASTIC_Linux_Trojan_Mechbot_F2E1C5Aa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mechbot.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5f8e80e6877ff2de09a12135ee1fc17bee8eb6d811a65495bcbcddf14ecb44a3"
- logic_hash = "v1_sha256_2ba9ece1ab2360702a59a737a20b6dbd8fca276b543477f9290ab80c6f51e2f1"
+ logic_hash = "2ba9ece1ab2360702a59a737a20b6dbd8fca276b543477f9290ab80c6f51e2f1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68691,7 +68691,7 @@ rule ELASTIC_Windows_Trojan_Remcos_B296E965 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Remcos.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed"
- logic_hash = "v1_sha256_069072abd1182eee50cb9937503d47845e7315d8e3cd6b63576adc8f21820c82"
+ logic_hash = "069072abd1182eee50cb9937503d47845e7315d8e3cd6b63576adc8f21820c82"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68723,7 +68723,7 @@ rule ELASTIC_Windows_Trojan_Remcos_7591E9F1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Remcos.yar#L25-L49"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4e6e5ecd1cf9c88d536c894d74320c77967fe08c75066098082bf237283842fa"
- logic_hash = "v1_sha256_96acf1ba7740a8d34d929ed4a4fa446c984c3a8f64a603d428e782b6997e4d20"
+ logic_hash = "96acf1ba7740a8d34d929ed4a4fa446c984c3a8f64a603d428e782b6997e4d20"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68757,7 +68757,7 @@ rule ELASTIC_Windows_Trojan_Zeus_E51C60D7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Zeus.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d7e9cb60674e0a05ad17eb96f8796d9f23844a33f83aba5e207b81979d0f2bf3"
- logic_hash = "v1_sha256_cde738f95dbad1fbad59e20528b2f577e5e3ee5fcb37c68a45d53c689d2af525"
+ logic_hash = "cde738f95dbad1fbad59e20528b2f577e5e3ee5fcb37c68a45d53c689d2af525"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68791,7 +68791,7 @@ rule ELASTIC_Windows_Hacktool_Phant0M_2D6F9B57 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Phant0m.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "30978aadd7d7bc86e735facb5046942792ad1beab6919754e6765e0ccbcf89d6"
- logic_hash = "v1_sha256_a66f8779f77b216f7831617a34c008e4202f36e74f2866c9792cee34b804408d"
+ logic_hash = "a66f8779f77b216f7831617a34c008e4202f36e74f2866c9792cee34b804408d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68825,7 +68825,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_69E20012 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "debb5d12c1b876f47a0057aad19b897c21f17de7b02c0e42f4cce478970f0120"
- logic_hash = "v1_sha256_5d3c3e3ba7d5d0c20d2fa1a53032da9a93a6727dcd6cb3497bb7bfb8272e4f2b"
+ logic_hash = "5d3c3e3ba7d5d0c20d2fa1a53032da9a93a6727dcd6cb3497bb7bfb8272e4f2b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68859,7 +68859,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_0C629849 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L26-L48"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ad070542729f3c80d6a981b351095ab8ac836b89a5c788dff367760a2d8b1dbb"
- logic_hash = "v1_sha256_2bea8f569728ba81af4024bf062a06a5c91b1f057a0b62fe6d51b6fcadedf58c"
+ logic_hash = "2bea8f569728ba81af4024bf062a06a5c91b1f057a0b62fe6d51b6fcadedf58c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68892,7 +68892,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_849Cc5D5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L50-L71"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "42d734dbd33295bd68e5a545a29303a2104a5a92e5fee31d645e2a6410cc03e9"
- logic_hash = "v1_sha256_01c708b1e000aecf473e0a1cf23f3812a337b9b21f5b81f7a5e481d06fdaeb16"
+ logic_hash = "01c708b1e000aecf473e0a1cf23f3812a337b9b21f5b81f7a5e481d06fdaeb16"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68924,7 +68924,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_Da378432 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L73-L93"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "277499da700e0dbe27269c7cfb1fc385313c4483912a9a3f0c15adba33ecd0bf"
- logic_hash = "v1_sha256_cd9df6dff23986d61176e4d3440516b0590abdeebef0e456d1f4924724556fe9"
+ logic_hash = "cd9df6dff23986d61176e4d3440516b0590abdeebef0e456d1f4924724556fe9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68955,7 +68955,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_B957E45D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L95-L115"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "78af84bad4934283024f4bf72dfbf9cc081d2b92a9de32cc36e1289131c783ab"
- logic_hash = "v1_sha256_27281303d007e6723308e88f335f52723b3ff0ef733d1a0712f5ba268e53a073"
+ logic_hash = "27281303d007e6723308e88f335f52723b3ff0ef733d1a0712f5ba268e53a073"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -68986,7 +68986,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_1A98F2E2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L117-L137"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "89be4507c9c24c4ec9a7282f197a9a6819e696d2832df81f7e544095d048fc22"
- logic_hash = "v1_sha256_23ea1c255472a67746b470e50d982bc91d22ede5e2582cf5cfaa90a1ed4e8805"
+ logic_hash = "23ea1c255472a67746b470e50d982bc91d22ede5e2582cf5cfaa90a1ed4e8805"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69017,7 +69017,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_D74153F6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L139-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2823d27492e2e7a95b67a08cb269eb6f4175451d58b098ae429330913397d40a"
- logic_hash = "v1_sha256_c60e7e63183f5bf0354a03f8399576e494e44a30257339ebccb6c19e954d6f3a"
+ logic_hash = "c60e7e63183f5bf0354a03f8399576e494e44a30257339ebccb6c19e954d6f3a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69048,7 +69048,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_F7A31E87 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L161-L182"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "82b55d8c0f0175d02399aaf88ad9e92e2e37ef27d52c7f71271f3516ba884847"
- logic_hash = "v1_sha256_49583ba4f2bedb9337a8c10df4246bb76a3e60b08ba1a6b8684537fee985d911"
+ logic_hash = "49583ba4f2bedb9337a8c10df4246bb76a3e60b08ba1a6b8684537fee985d911"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69080,7 +69080,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_B0D2D4A4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L184-L205"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a37c888875e84069763303476f0df6769df6015b33aded59fc1e23eb604f2163"
- logic_hash = "v1_sha256_bcabf74900222074ecf9051b6e0cb4ca7a240acd047a1b27137d1d198e23f161"
+ logic_hash = "bcabf74900222074ecf9051b6e0cb4ca7a240acd047a1b27137d1d198e23f161"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69112,7 +69112,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_5D26689F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L207-L229"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dafefb4d79d848384442a697b1316d93fef2741fca854be744896ce1d7f82073"
- logic_hash = "v1_sha256_e7906273aa7f42920be9d06cdae89c81e0a99e532cdcd7bd714acc5f2bbb0ed5"
+ logic_hash = "e7906273aa7f42920be9d06cdae89c81e0a99e532cdcd7bd714acc5f2bbb0ed5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69145,7 +69145,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_1C8C98Ae : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L231-L251"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1a2c40531584ed485f3ff532f4269241a76ff171956d03e4f0d3f9c950f186d4"
- logic_hash = "v1_sha256_fc32aa29f58478f0b7f4f5be61aadec65842c05b7d8ded840530503eae28b8eb"
+ logic_hash = "fc32aa29f58478f0b7f4f5be61aadec65842c05b7d8ded840530503eae28b8eb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69176,7 +69176,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_47F4B334 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L253-L277"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c3821f63a7ec8861a6168b4bb494bf8cbac436b3abf5eaffbc6907fd68ebedb8"
- logic_hash = "v1_sha256_34c8182d3b5ecbebd122d2d58fc0502a6bbca020b528ffdcc9ee988f21512d99"
+ logic_hash = "34c8182d3b5ecbebd122d2d58fc0502a6bbca020b528ffdcc9ee988f21512d99"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69211,7 +69211,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_0B014E0E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L279-L303"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a24443331508cc72b3391353f91cd009cafcc223ac5939eab12faf57447e3162"
- logic_hash = "v1_sha256_cb19a0461d5fe6066d1fed4898ea12a9818be69d870e511559b19d5c7c959819"
+ logic_hash = "cb19a0461d5fe6066d1fed4898ea12a9818be69d870e511559b19d5c7c959819"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69246,7 +69246,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_Ccc99Be1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L305-L327"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0e9f52d7aa6bff33bfbdba6513d402db3913d4036a5e1c1c83f4ccd5cc8107c8"
- logic_hash = "v1_sha256_96af2123251587ece32e424202ff61cfa70faf2916cacddf5fcd9d81bf483032"
+ logic_hash = "96af2123251587ece32e424202ff61cfa70faf2916cacddf5fcd9d81bf483032"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69279,7 +69279,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_Ed4B2C85 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L329-L348"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0709a60149ca110f6e016a257f9ac35c6f64f50cfbd71075c4ca8bfe843c3211"
- logic_hash = "v1_sha256_79e466b2f40a6769db498cc28cb22ba72ec20f92c8450d6f1f8301d00012f967"
+ logic_hash = "79e466b2f40a6769db498cc28cb22ba72ec20f92c8450d6f1f8301d00012f967"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69309,7 +69309,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_2B0Ad6F0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L350-L371"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "aa2bce61511c72ac03562b5178aad57bce8b46916160689ed07693790cbfbeec"
- logic_hash = "v1_sha256_91b4547e44c40cafe09dd415f0b5dfe5980fcb10d50aeae844cf21e7608d9a9d"
+ logic_hash = "91b4547e44c40cafe09dd415f0b5dfe5980fcb10d50aeae844cf21e7608d9a9d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69341,7 +69341,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_Bf205D5A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L373-L397"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2162a89f70edd7a7f93f8972c6a13782fb466cdada41f255f0511730ec20d037"
- logic_hash = "v1_sha256_9f4c84fadc3d7555c80efc9c9c5dcb01d4ea65d2ff191aa63ae8316f763ded3f"
+ logic_hash = "9f4c84fadc3d7555c80efc9c9c5dcb01d4ea65d2ff191aa63ae8316f763ded3f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69376,7 +69376,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_E5B61173 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L399-L420"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8032a7a320102c8e038db16d51b8615ee49f04dab1444326463f75ce0c5947a5"
- logic_hash = "v1_sha256_f60d2de0b7fac06b62616d7c7f51e9374df3895eb30a07040e742cbcb462a418"
+ logic_hash = "f60d2de0b7fac06b62616d7c7f51e9374df3895eb30a07040e742cbcb462a418"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69408,7 +69408,7 @@ rule ELASTIC_Linux_Trojan_Metasploit_Dd5Fd075 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Metasploit.yar#L422-L443"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b47132a92b66c32c88f39fe36d0287c6b864043273939116225235d4c5b4043a"
- logic_hash = "v1_sha256_f5101d5ddb1a84127e755677da70d9154849c546ac6ef0e7ef2639c82911eb92"
+ logic_hash = "f5101d5ddb1a84127e755677da70d9154849c546ac6ef0e7ef2639c82911eb92"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69439,7 +69439,7 @@ rule ELASTIC_Linux_Cryptominer_Bulz_2Aa8Fbb5 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Bulz.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_21d8bec73476783e01d2a51a99233f186d7c72b49c9292c42e19e1aa6397d415"
+ logic_hash = "21d8bec73476783e01d2a51a99233f186d7c72b49c9292c42e19e1aa6397d415"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69467,7 +69467,7 @@ rule ELASTIC_Linux_Cryptominer_Bulz_0998F811 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Bulz.yar#L20-L37"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_178f6c42582dd99cc5418388d020d4d76f2a9204297a673359fe0a300121c35b"
+ logic_hash = "178f6c42582dd99cc5418388d020d4d76f2a9204297a673359fe0a300121c35b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69496,7 +69496,7 @@ rule ELASTIC_Windows_Trojan_Pandastealer_8B333E76 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Pandastealer.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ec346bd56be375b695b4bc76720959fa07d1357ffc3783eb61de9b8d91b3d935"
- logic_hash = "v1_sha256_5878799338fc18bac0f946faeadd59c921dee32c9391fc12d22c72c0cd6733a8"
+ logic_hash = "5878799338fc18bac0f946faeadd59c921dee32c9391fc12d22c72c0cd6733a8"
 score = 75
 quality = 25
 tags = "FILE, MEMORY"
@@ -69529,7 +69529,7 @@ rule ELASTIC_Linux_Trojan_Mirai_268Aac0B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead"
- logic_hash = "v1_sha256_6eae3aba35d3379fa194b66a1b4e0d78d0d0b88386cd4ea5dfeb3c072642c7ba"
+ logic_hash = "6eae3aba35d3379fa194b66a1b4e0d78d0d0b88386cd4ea5dfeb3c072642c7ba"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69558,7 +69558,7 @@ rule ELASTIC_Linux_Trojan_Mirai_D5F2Abe2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c490586fbf90d360cf3b2f9e2dc943809441df3dfd64dadad27fc9f5ee96ec74"
- logic_hash = "v1_sha256_169e7e5d1a7ea8c219464e22df9be8bc8caa2e78e1bc725674c8e0b14f6b9fc5"
+ logic_hash = "169e7e5d1a7ea8c219464e22df9be8bc8caa2e78e1bc725674c8e0b14f6b9fc5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69586,7 +69586,7 @@ rule ELASTIC_Linux_Trojan_Mirai_1Cb033F3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L41-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_ebaf45ce58124aa91b07ebb48779e6da73baa0b80b13e663c13d8fb2bb47ad0d"
+ logic_hash = "ebaf45ce58124aa91b07ebb48779e6da73baa0b80b13e663c13d8fb2bb47ad0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69615,7 +69615,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Fa3Ad9D0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L60-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "v1_sha256_5890c85872ea4508e673235b20b481972f613f6e5f9564c0237c458995532347"
+ logic_hash = "5890c85872ea4508e673235b20b481972f613f6e5f9564c0237c458995532347"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69644,7 +69644,7 @@ rule ELASTIC_Linux_Trojan_Mirai_0Cb1699C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L80-L98"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "v1_sha256_97307f583240290de2bfc663b99f8dcdedace92885bd3e0c0340709b94c0bc2a"
+ logic_hash = "97307f583240290de2bfc663b99f8dcdedace92885bd3e0c0340709b94c0bc2a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69673,7 +69673,7 @@ rule ELASTIC_Linux_Trojan_Mirai_6F021787 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L100-L118"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88183d71359c16d91a3252085ad5a270ad3e196fe431e3019b0810ecfd85ae10"
- logic_hash = "v1_sha256_7e8062682a0babbaa3c00975807ba9fc34c465afde55e4144944e7598f0ea1fd"
+ logic_hash = "7e8062682a0babbaa3c00975807ba9fc34c465afde55e4144944e7598f0ea1fd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69702,7 +69702,7 @@ rule ELASTIC_Linux_Trojan_Mirai_1E0C5Ce0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L120-L138"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5b1f95840caebf9721bf318126be27085ec08cf7881ec64a884211a934351c2d"
- logic_hash = "v1_sha256_591cc3ef6932bf990f56c932866b34778e8eccd0e343f9bd6126eb8205a12ecc"
+ logic_hash = "591cc3ef6932bf990f56c932866b34778e8eccd0e343f9bd6126eb8205a12ecc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69731,7 +69731,7 @@ rule ELASTIC_Linux_Trojan_Mirai_22965A6D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L140-L158"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "09c821aa8977f67878f8769f717c792d69436a951bb5ac06ce5052f46da80a48"
- logic_hash = "v1_sha256_6b2a46694edf709d28267268252cfe95d88049b7dca854059cfe44479ada7423"
+ logic_hash = "6b2a46694edf709d28267268252cfe95d88049b7dca854059cfe44479ada7423"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69760,7 +69760,7 @@ rule ELASTIC_Linux_Trojan_Mirai_4032Ade1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L160-L178"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6150fbbefb916583a0e888dee8ed3df8ec197ba7c04f89fb24f31de50226e688"
- logic_hash = "v1_sha256_9c5e24c4efd4035408897f638d3579c3798139fd18178cee4a944b49c13e1532"
+ logic_hash = "9c5e24c4efd4035408897f638d3579c3798139fd18178cee4a944b49c13e1532"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69788,7 +69788,7 @@ rule ELASTIC_Linux_Trojan_Mirai_B14F4C5D : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L180-L197"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_1a2114a7b397c850d732940a0e154bc04fbee1fdc12d343947b343b9b27a8af1"
+ logic_hash = "1a2114a7b397c850d732940a0e154bc04fbee1fdc12d343947b343b9b27a8af1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69817,7 +69817,7 @@ rule ELASTIC_Linux_Trojan_Mirai_C8385B81 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L199-L217"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3d27736caccdd3199a14ce29d91b1812d1d597a4fa8472698e6df6ef716f5ce9"
- logic_hash = "v1_sha256_4ff1f0912fb92e7ac5af49e1738dac897ff1f0a118d8ff905da45b0a91b3f4a7"
+ logic_hash = "4ff1f0912fb92e7ac5af49e1738dac897ff1f0a118d8ff905da45b0a91b3f4a7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69846,7 +69846,7 @@ rule ELASTIC_Linux_Trojan_Mirai_122Ff2E6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L219-L237"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4"
- logic_hash = "v1_sha256_62884309b9095cdd6219c9ef6cd77a0f712640d8a1db4afe5b1d01f4bbe5acc2"
+ logic_hash = "62884309b9095cdd6219c9ef6cd77a0f712640d8a1db4afe5b1d01f4bbe5acc2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69875,7 +69875,7 @@ rule ELASTIC_Linux_Trojan_Mirai_26Cba88C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L239-L257"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4b4758bff3dcaa5640e340d27abba5c2e2b02c3c4a582374e183986375e49be8"
- logic_hash = "v1_sha256_bb5a0f9e68655556ab9fccc27d11bf7828c299720bb67948455579d6a7eb2a9f"
+ logic_hash = "bb5a0f9e68655556ab9fccc27d11bf7828c299720bb67948455579d6a7eb2a9f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69904,7 +69904,7 @@ rule ELASTIC_Linux_Trojan_Mirai_93Fc3657 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L259-L277"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "v1_sha256_0b5278feddd00b0b24ca735bf7cd1440379c6ce5aca6d2a6f38c9fdcedcb3c0d"
+ logic_hash = "0b5278feddd00b0b24ca735bf7cd1440379c6ce5aca6d2a6f38c9fdcedcb3c0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69932,7 +69932,7 @@ rule ELASTIC_Linux_Trojan_Mirai_7C88Acbc : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L279-L296"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_76373f8e09b7467ac5d36e8baad3025a57568e891434297e53f2629a72cf8929"
+ logic_hash = "76373f8e09b7467ac5d36e8baad3025a57568e891434297e53f2629a72cf8929"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69961,7 +69961,7 @@ rule ELASTIC_Linux_Trojan_Mirai_804F8E7C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L298-L316"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "v1_sha256_711d74406d9b0d658b3b29f647bd659699ac0af9cd482403122124ec6054f1ec"
+ logic_hash = "711d74406d9b0d658b3b29f647bd659699ac0af9cd482403122124ec6054f1ec"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -69990,7 +69990,7 @@ rule ELASTIC_Linux_Trojan_Mirai_A2D2E15A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L318-L336"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "567c3ce9bbbda760be81c286bfb2252418f551a64ba1189f6c0ec8ec059cee49"
- logic_hash = "v1_sha256_c76fe953c4a70110346a020f2b27c7e79f4ad8a24fd92ac26e5ddd1fed068f65"
+ logic_hash = "c76fe953c4a70110346a020f2b27c7e79f4ad8a24fd92ac26e5ddd1fed068f65"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70019,7 +70019,7 @@ rule ELASTIC_Linux_Trojan_Mirai_5946F41B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L338-L356"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f0b6bf8a683f8692973ea8291129c9764269a6739650ec3f9ee50d222df0a38a"
- logic_hash = "v1_sha256_43691675db419426413ccc24aa9dfe94456fa1007630652b08a625eafd1f17b8"
+ logic_hash = "43691675db419426413ccc24aa9dfe94456fa1007630652b08a625eafd1f17b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70048,7 +70048,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Da4Aa3B3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L358-L376"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dbc246032d432318f23a4c1e5b6fcd787df29da3bf418613f588f758dcd80617"
- logic_hash = "v1_sha256_84ddc505d2e2be955b88a0fe3b78d435f73c0a315b513e105933e84be78ba2ad"
+ logic_hash = "84ddc505d2e2be955b88a0fe3b78d435f73c0a315b513e105933e84be78ba2ad"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70077,7 +70077,7 @@ rule ELASTIC_Linux_Trojan_Mirai_70Ef58F1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L378-L396"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "v1_sha256_3ad201d643e8f93a6f9075c03a76020d78186702a19bf9174b08688a2e94ef5c"
+ logic_hash = "3ad201d643e8f93a6f9075c03a76020d78186702a19bf9174b08688a2e94ef5c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70106,7 +70106,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Ea584243 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L398-L416"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f363d9bd2132d969cd41e79f29c53ef403da64ca8afc4643084cc50076ddfb47"
- logic_hash = "v1_sha256_34c6f800c849c295797cdd971fb4f3d16d680530f9a98c291388345569708208"
+ logic_hash = "34c6f800c849c295797cdd971fb4f3d16d680530f9a98c291388345569708208"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70135,7 +70135,7 @@ rule ELASTIC_Linux_Trojan_Mirai_564B8Eda : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L418-L436"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee"
- logic_hash = "v1_sha256_4bf11492f480911629623250146554f2456f3a527f5f80402ef74b22c1460462"
+ logic_hash = "4bf11492f480911629623250146554f2456f3a527f5f80402ef74b22c1460462"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70164,7 +70164,7 @@ rule ELASTIC_Linux_Trojan_Mirai_7E9F85Fb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L438-L456"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4333e80fd311b28c948bab7fb3f5efb40adda766f1ea4bed96a8db5fe0d80ea1"
- logic_hash = "v1_sha256_f4ce912e190bc5dcb56541f54ba8e47b6103c482bdc7e83b44693d2c066c0170"
+ logic_hash = "f4ce912e190bc5dcb56541f54ba8e47b6103c482bdc7e83b44693d2c066c0170"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70193,7 +70193,7 @@ rule ELASTIC_Linux_Trojan_Mirai_3A85A418 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L458-L476"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a"
- logic_hash = "v1_sha256_bd7fe497fb2557c9e9c26ec90e783f03cbbc9bdaa8d20b364ce65edf6c1e5fa3"
+ logic_hash = "bd7fe497fb2557c9e9c26ec90e783f03cbbc9bdaa8d20b364ce65edf6c1e5fa3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70222,7 +70222,7 @@ rule ELASTIC_Linux_Trojan_Mirai_24C5B7D6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L478-L496"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7c2f8ba2d6f1e67d1b4a3a737a449429c322d945d49dafb9e8c66608ab2154c4"
- logic_hash = "v1_sha256_f790f6b8fcf932773054525ed74a3f15998d91a2626ae9c56486de8dabc2035c"
+ logic_hash = "f790f6b8fcf932773054525ed74a3f15998d91a2626ae9c56486de8dabc2035c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70251,7 +70251,7 @@ rule ELASTIC_Linux_Trojan_Mirai_99D78950 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L498-L516"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "v1_sha256_bfd628a9973f85ed0a8be2723c7ff4bd028af00ea98c9cbcde9df6aabcf394b2"
+ logic_hash = "bfd628a9973f85ed0a8be2723c7ff4bd028af00ea98c9cbcde9df6aabcf394b2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70279,7 +70279,7 @@ rule ELASTIC_Linux_Trojan_Mirai_3Fe3C668 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L518-L535"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e75b2dca7de7d9f31a0ae5940dc45d0e6d0f1ca110b5458fc99912400da97bde"
+ logic_hash = "e75b2dca7de7d9f31a0ae5940dc45d0e6d0f1ca110b5458fc99912400da97bde"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70308,7 +70308,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Eedfbfc6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L537-L555"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b7342f7437a3a16805a7a8d4a667e0e018584f9a99591413650e05d21d3e6da6"
- logic_hash = "v1_sha256_949b32db1a00570fc84fbbe510f57f6e898d089efd3fedbd7719f8059021b6bc"
+ logic_hash = "949b32db1a00570fc84fbbe510f57f6e898d089efd3fedbd7719f8059021b6bc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70337,7 +70337,7 @@ rule ELASTIC_Linux_Trojan_Mirai_6D96Ae91 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L557-L575"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e3a1d92df6fb566e09c389cfb085126d2ea0f51a776ec099afb8913ef5e96f9b"
- logic_hash = "v1_sha256_43b0ac7090620eb6c892f1105778c395bf18f5ac309ce1b2d9015b5abccbfc2a"
+ logic_hash = "43b0ac7090620eb6c892f1105778c395bf18f5ac309ce1b2d9015b5abccbfc2a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70366,7 +70366,7 @@ rule ELASTIC_Linux_Trojan_Mirai_D8779A57 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L577-L595"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c490586fbf90d360cf3b2f9e2dc943809441df3dfd64dadad27fc9f5ee96ec74"
- logic_hash = "v1_sha256_2154786bbb6dbcc280aaa9e2b75106b585d04c7c85f6162f441c81dc54663cb3"
+ logic_hash = "2154786bbb6dbcc280aaa9e2b75106b585d04c7c85f6162f441c81dc54663cb3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70395,7 +70395,7 @@ rule ELASTIC_Linux_Trojan_Mirai_3E72E107 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L597-L615"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "57d04035b68950246dd152054e949008dafb810f3705710d09911876cd44aec7"
- logic_hash = "v1_sha256_ba0ba56ded8977502ad9f8a1ceebd30efbff964d576bbfeedff5761f0538d8f0"
+ logic_hash = "ba0ba56ded8977502ad9f8a1ceebd30efbff964d576bbfeedff5761f0538d8f0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70424,7 +70424,7 @@ rule ELASTIC_Linux_Trojan_Mirai_5C62E6B2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L617-L635"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9"
- logic_hash = "v1_sha256_6505c4272f0f7c8c5f2d3f7cefdc3947c4015b0dfd94efde4357a506af93a99d"
+ logic_hash = "6505c4272f0f7c8c5f2d3f7cefdc3947c4015b0dfd94efde4357a506af93a99d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70453,7 +70453,7 @@ rule ELASTIC_Linux_Trojan_Mirai_C5430Ff9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L637-L655"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5676773882a84d0efc220dd7595c4594bc824cbe3eeddfadc00ac3c8e899aa77"
- logic_hash = "v1_sha256_8c385980560cd4b24e703744b57a9d5ea1bca8fbeea066e98dd4b40009e56104"
+ logic_hash = "8c385980560cd4b24e703744b57a9d5ea1bca8fbeea066e98dd4b40009e56104"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70482,7 +70482,7 @@ rule ELASTIC_Linux_Trojan_Mirai_402Adc45 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L657-L675"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ae0cd7e5bac967e31771873b4b41a1887abddfcdfcc76fa9149bb2054b03ca4"
- logic_hash = "v1_sha256_dab879d57507d5e119ddf4ce6ed33570c74f185a2260e97a7ec1d6c844943e5d"
+ logic_hash = "dab879d57507d5e119ddf4ce6ed33570c74f185a2260e97a7ec1d6c844943e5d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70510,7 +70510,7 @@ rule ELASTIC_Linux_Trojan_Mirai_A39Dfaa7 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L677-L694"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_98fde36fc412b6aa50c80c12118975a6bf754a9fba94f1cc3cdeed22565d6b0d"
+ logic_hash = "98fde36fc412b6aa50c80c12118975a6bf754a9fba94f1cc3cdeed22565d6b0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70539,7 +70539,7 @@ rule ELASTIC_Linux_Trojan_Mirai_E3E6D768 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L696-L714"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b505cb26d3ead5a0ef82d2c87a9b352cc0268ef0571f5e28defca7131065545e"
- logic_hash = "v1_sha256_b848c7200f405d77553d661a6c49fb958df225875957ead35b35091995f307d1"
+ logic_hash = "b848c7200f405d77553d661a6c49fb958df225875957ead35b35091995f307d1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70567,7 +70567,7 @@ rule ELASTIC_Linux_Trojan_Mirai_520Deeb8 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L716-L733"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_671c17835f30cce1e5d68dbf3a73d340069b1b55a2ac42fc132c008cb2da622e"
+ logic_hash = "671c17835f30cce1e5d68dbf3a73d340069b1b55a2ac42fc132c008cb2da622e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70596,7 +70596,7 @@ rule ELASTIC_Linux_Trojan_Mirai_77137320 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L735-L753"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9"
- logic_hash = "v1_sha256_ee48e0478845a61dbbdb5cc3ee5194eb272fcf6dcf139381f068c9af1557d0d4"
+ logic_hash = "ee48e0478845a61dbbdb5cc3ee5194eb272fcf6dcf139381f068c9af1557d0d4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70624,7 +70624,7 @@ rule ELASTIC_Linux_Trojan_Mirai_A6A81F9C : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L755-L772"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_0d31cc1f4a673c13e6c81c492acbe16e1e0dfb0b15913fb276ea4abff18b32af"
+ logic_hash = "0d31cc1f4a673c13e6c81c492acbe16e1e0dfb0b15913fb276ea4abff18b32af"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70653,7 +70653,7 @@ rule ELASTIC_Linux_Trojan_Mirai_485C4B13 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L774-L792"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead"
- logic_hash = "v1_sha256_9625e4190559cc77f41ebef24f9bfa5e3d2e2259c12b301148c614b0f98b5835"
+ logic_hash = "9625e4190559cc77f41ebef24f9bfa5e3d2e2259c12b301148c614b0f98b5835"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70681,7 +70681,7 @@ rule ELASTIC_Linux_Trojan_Mirai_7146E518 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L794-L811"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_374602254be1f5c1dbb00ad25d870722e03d674033dfcf953a2895e1f50c637d"
+ logic_hash = "374602254be1f5c1dbb00ad25d870722e03d674033dfcf953a2895e1f50c637d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70709,7 +70709,7 @@ rule ELASTIC_Linux_Trojan_Mirai_6A77Af0F : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L813-L830"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7d7623dfc1e16c7c02294607ddf46edd12cdc7d39a2b920d8711dc47c383731b"
+ logic_hash = "7d7623dfc1e16c7c02294607ddf46edd12cdc7d39a2b920d8711dc47c383731b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70737,7 +70737,7 @@ rule ELASTIC_Linux_Trojan_Mirai_5F7B67B8 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L832-L849"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_b2aedc0361c1093d7a996f26d907da3e4654c32a6dbcdbab441c19d4207f2e2a"
+ logic_hash = "b2aedc0361c1093d7a996f26d907da3e4654c32a6dbcdbab441c19d4207f2e2a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70766,7 +70766,7 @@ rule ELASTIC_Linux_Trojan_Mirai_A3Cedc45 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L851-L869"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ae0cd7e5bac967e31771873b4b41a1887abddfcdfcc76fa9149bb2054b03ca4"
- logic_hash = "v1_sha256_9233e6faa43d8ea43ff3c71ecb5248d5d311b2a593825c299cac4466278cd020"
+ logic_hash = "9233e6faa43d8ea43ff3c71ecb5248d5d311b2a593825c299cac4466278cd020"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70795,7 +70795,7 @@ rule ELASTIC_Linux_Trojan_Mirai_7D05725E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L871-L889"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "v1_sha256_ac2d0b81325ce7984bc09f93e61b42c8e312a31c75f09d37313d70cd40d3cf8b"
+ logic_hash = "ac2d0b81325ce7984bc09f93e61b42c8e312a31c75f09d37313d70cd40d3cf8b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70824,7 +70824,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Fa48B592 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L891-L909"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee"
- logic_hash = "v1_sha256_5648bcc96b1fdd1529b4b8765b1738594d0d61f7880b763e803cd89bd117e96b"
+ logic_hash = "5648bcc96b1fdd1529b4b8765b1738594d0d61f7880b763e803cd89bd117e96b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70852,7 +70852,7 @@ rule ELASTIC_Linux_Trojan_Mirai_B9A9D04B : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L911-L928"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_61575576be4c1991bc381965a40e5d9d751bba2680a42907b0148651716419fc"
+ logic_hash = "61575576be4c1991bc381965a40e5d9d751bba2680a42907b0148651716419fc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70881,7 +70881,7 @@ rule ELASTIC_Linux_Trojan_Mirai_D2205527 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L930-L948"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e4f584d1f75f0d7c98b325adc55025304d55907e8eb77b328c007600180d6f06"
- logic_hash = "v1_sha256_172ba256873cce61047a5198733cacaff4ef343c9cbd76f2fbbf0e1ed8003236"
+ logic_hash = "172ba256873cce61047a5198733cacaff4ef343c9cbd76f2fbbf0e1ed8003236"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70910,7 +70910,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Ab073861 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L950-L968"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "175444a9c9ca78565de4b2eabe341f51b55e59dec00090574ee0f1875422cbac"
- logic_hash = "v1_sha256_251b92c4fec9d113025c6869c279247a3dd16ee094c8861fe43a33f87132bf75"
+ logic_hash = "251b92c4fec9d113025c6869c279247a3dd16ee094c8861fe43a33f87132bf75"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70938,7 +70938,7 @@ rule ELASTIC_Linux_Trojan_Mirai_637F2C04 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L970-L987"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_cff4aa6c613ccc64f64441f7e40f79d3a22b5c12856c32814545bd41d5f112bd"
+ logic_hash = "cff4aa6c613ccc64f64441f7e40f79d3a22b5c12856c32814545bd41d5f112bd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70966,7 +70966,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Aa39Fb02 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L989-L1006"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_ffa95d92a2b619008bd5918cd34a17cd034b2830dc09d495db4b0c397b1cb53a"
+ logic_hash = "ffa95d92a2b619008bd5918cd34a17cd034b2830dc09d495db4b0c397b1cb53a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -70995,7 +70995,7 @@ rule ELASTIC_Linux_Trojan_Mirai_0Bce98A2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1008-L1026"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1b20df8df7f84ad29d81ccbe276f49a6488c2214077b13da858656c027531c80"
- logic_hash = "v1_sha256_04d10ef03c178fb101d3c6b6d3b36f0aa04149b9b35a33c3d10d17af1fc07625"
+ logic_hash = "04d10ef03c178fb101d3c6b6d3b36f0aa04149b9b35a33c3d10d17af1fc07625"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71023,7 +71023,7 @@ rule ELASTIC_Linux_Trojan_Mirai_3A56423B : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1028-L1045"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_0c2765a5c1b331eb9ff5e542bc72eff7be3506e6caef94128413d500086715c6"
+ logic_hash = "0c2765a5c1b331eb9ff5e542bc72eff7be3506e6caef94128413d500086715c6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71052,7 +71052,7 @@ rule ELASTIC_Linux_Trojan_Mirai_D18B3463 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1047-L1065"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cd86534d709877ec737ceb016b2a5889d2e3562ffa45a278bc615838c2e9ebc3"
- logic_hash = "v1_sha256_f906c6f9baae6d6fa3f42e84607549bae44ed9ca847fd916d04f2671eef1caa1"
+ logic_hash = "f906c6f9baae6d6fa3f42e84607549bae44ed9ca847fd916d04f2671eef1caa1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71080,7 +71080,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Fe721Dc5 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1067-L1084"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e9312eefb5f14a27d96e973139e45098c2f62a24d5254ca24dea64b9888a4448"
+ logic_hash = "e9312eefb5f14a27d96e973139e45098c2f62a24d5254ca24dea64b9888a4448"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71108,7 +71108,7 @@ rule ELASTIC_Linux_Trojan_Mirai_575F5Bc8 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1086-L1103"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_dec143d096f5774f297ce90ef664ae50c40ae4f87843bbb34e496565c0faf3b2"
+ logic_hash = "dec143d096f5774f297ce90ef664ae50c40ae4f87843bbb34e496565c0faf3b2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71137,7 +71137,7 @@ rule ELASTIC_Linux_Trojan_Mirai_449937Aa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1105-L1123"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6f27766534445cffb097c7c52db1fca53b2210c1b10b75594f77c34dc8b994fe"
- logic_hash = "v1_sha256_d459e46893115dbdef46bcaceb6a66255ef3a389f1bf7173b0e0bd0d8ce024fb"
+ logic_hash = "d459e46893115dbdef46bcaceb6a66255ef3a389f1bf7173b0e0bd0d8ce024fb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71166,7 +71166,7 @@ rule ELASTIC_Linux_Trojan_Mirai_2E3F67A9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1125-L1143"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "v1_sha256_8c83c5d32c58041444f33264f692a7580c76324d2cbad736fdd737bdfcd63595"
+ logic_hash = "8c83c5d32c58041444f33264f692a7580c76324d2cbad736fdd737bdfcd63595"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71194,7 +71194,7 @@ rule ELASTIC_Linux_Trojan_Mirai_01E4A728 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1145-L1162"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_753936b97a36c774975a1d0988f6f908d4b5e5906498aa34c606d4cd971f1ba5"
+ logic_hash = "753936b97a36c774975a1d0988f6f908d4b5e5906498aa34c606d4cd971f1ba5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71223,7 +71223,7 @@ rule ELASTIC_Linux_Trojan_Mirai_64D5Cde2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1164-L1182"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "caf2a8c199156db2f39dbb0a303db56040f615c4410e074ef56be2662752ca9d"
- logic_hash = "v1_sha256_08f3635e5517185cae936b39f503bbeba5aed2e36abdd805170a259bc5e3644f"
+ logic_hash = "08f3635e5517185cae936b39f503bbeba5aed2e36abdd805170a259bc5e3644f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71252,7 +71252,7 @@ rule ELASTIC_Linux_Trojan_Mirai_0D73971C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1184-L1202"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead"
- logic_hash = "v1_sha256_56f3bac05fce0a0458e5b80197335e7bef6dcd50b9feb6f1008b8679f29cf37a"
+ logic_hash = "56f3bac05fce0a0458e5b80197335e7bef6dcd50b9feb6f1008b8679f29cf37a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71281,7 +71281,7 @@ rule ELASTIC_Linux_Trojan_Mirai_82C361D4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1204-L1222"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f8dbcf0fc52f0c717c8680cb5171a8c6c395f14fd40a2af75efc9ba5684a5b49"
- logic_hash = "v1_sha256_766a964d7d35525fbc88adcf86fb69d11f9c63c0d28ceefb3ae79797a7161193"
+ logic_hash = "766a964d7d35525fbc88adcf86fb69d11f9c63c0d28ceefb3ae79797a7161193"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71310,7 +71310,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Ec591E81 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1224-L1242"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7d45a4a128c25f317020b5d042ab893e9875b6ff0ef17482b984f5b3fe87e451"
- logic_hash = "v1_sha256_f2a147fe7f98d2b3141a1fda118ee803c81d9bc6f498bfaf3557665397eb44da"
+ logic_hash = "f2a147fe7f98d2b3141a1fda118ee803c81d9bc6f498bfaf3557665397eb44da"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71339,7 +71339,7 @@ rule ELASTIC_Linux_Trojan_Mirai_0Eba3F5A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1244-L1262"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2e4f89c76dfefd4b2bfd1cf0467ac0324026355723950d12d7ed51195fd998cf"
- logic_hash = "v1_sha256_bcb2f1e1659102f39977fac43b119c58d6c72f828c3065e2318f671146e911da"
+ logic_hash = "bcb2f1e1659102f39977fac43b119c58d6c72f828c3065e2318f671146e911da"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71368,7 +71368,7 @@ rule ELASTIC_Linux_Trojan_Mirai_E43A8744 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1264-L1282"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f363d9bd2132d969cd41e79f29c53ef403da64ca8afc4643084cc50076ddfb47"
- logic_hash = "v1_sha256_17c52d2b720fa2e98c3e9bb077525a695a6e547a66e8c44fcc1e26e48df81adf"
+ logic_hash = "17c52d2b720fa2e98c3e9bb077525a695a6e547a66e8c44fcc1e26e48df81adf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71396,7 +71396,7 @@ rule ELASTIC_Linux_Trojan_Mirai_6E8E9257 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1284-L1301"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_67973257e578783838f18dc8ae994f221ad1c1b3f4a04a2b6b523da5ebd8c95b"
+ logic_hash = "67973257e578783838f18dc8ae994f221ad1c1b3f4a04a2b6b523da5ebd8c95b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71425,7 +71425,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Ac253E4F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1303-L1321"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "91642663793bdda93928597ff1ac6087e4c1e5d020a8f40f2140e9471ab730f9"
- logic_hash = "v1_sha256_1ab463fce01148c2cc95659fdf8b05e597d9b4eeabe81a9cdfa1da3632d72291"
+ logic_hash = "1ab463fce01148c2cc95659fdf8b05e597d9b4eeabe81a9cdfa1da3632d72291"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71454,7 +71454,7 @@ rule ELASTIC_Linux_Trojan_Mirai_994535C4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1323-L1341"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "376a2771a2a973628e22379b3dbb9a8015c828505bbe18a0c027b5d513c9e90d"
- logic_hash = "v1_sha256_c83c8c9cdfea1bf322115e5b23d751b226a5dbf42fc41faac172d36192ccf31f"
+ logic_hash = "c83c8c9cdfea1bf322115e5b23d751b226a5dbf42fc41faac172d36192ccf31f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71483,7 +71483,7 @@ rule ELASTIC_Linux_Trojan_Mirai_A68E498C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1343-L1361"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "v1_sha256_e4552813dc92b397c5ba78f32ee6507520f337b55779a3fc705de7e961f8eb8f"
+ logic_hash = "e4552813dc92b397c5ba78f32ee6507520f337b55779a3fc705de7e961f8eb8f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71512,7 +71512,7 @@ rule ELASTIC_Linux_Trojan_Mirai_88De437F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1363-L1381"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6"
- logic_hash = "v1_sha256_233dbf3d13c35f4c9c7078d67ea60086355c801ce6515f9d3c518e95afd39d85"
+ logic_hash = "233dbf3d13c35f4c9c7078d67ea60086355c801ce6515f9d3c518e95afd39d85"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71541,7 +71541,7 @@ rule ELASTIC_Linux_Trojan_Mirai_95E0056C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1383-L1401"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "45f67d4c18abc1bad9a9cc6305983abf3234cd955d2177f1a72c146ced50a380"
- logic_hash = "v1_sha256_9e34891d28034d1f4fc3da5cb99df8fc74f0b876903088f5eab5fe36e0e0e603"
+ logic_hash = "9e34891d28034d1f4fc3da5cb99df8fc74f0b876903088f5eab5fe36e0e0e603"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71570,7 +71570,7 @@ rule ELASTIC_Linux_Trojan_Mirai_B548632D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1403-L1421"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "639d9d6da22e84fb6b6fc676a1c4cfd74a8ed546ce8661500ab2ef971242df07"
- logic_hash = "v1_sha256_bfb46457f8b79548726e3988d649f94e04f26f9e546aae70ece94defae6bab8a"
+ logic_hash = "bfb46457f8b79548726e3988d649f94e04f26f9e546aae70ece94defae6bab8a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71598,7 +71598,7 @@ rule ELASTIC_Linux_Trojan_Mirai_E0Cf29E2 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1423-L1440"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_693e27da8cbab32954cc2c9ba648151ad9fc21fe53251628145d7b436ec5e976"
+ logic_hash = "693e27da8cbab32954cc2c9ba648151ad9fc21fe53251628145d7b436ec5e976"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71627,7 +71627,7 @@ rule ELASTIC_Linux_Trojan_Mirai_1754B331 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1442-L1460"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0d89fc59d0de2584af0e4614a1561d1d343faa766edfef27d1ea96790ac7014b"
- logic_hash = "v1_sha256_fde04b0e31a00326f9d011198995999ff9b15628f5ff4139ec7dec19ac0c59c9"
+ logic_hash = "fde04b0e31a00326f9d011198995999ff9b15628f5ff4139ec7dec19ac0c59c9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71656,7 +71656,7 @@ rule ELASTIC_Linux_Trojan_Mirai_3278F1B8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1462-L1480"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb"
- logic_hash = "v1_sha256_4d709e8e2062099ac06b241408e52bcb86bbf8163faaffbcff68a05f864e1b3f"
+ logic_hash = "4d709e8e2062099ac06b241408e52bcb86bbf8163faaffbcff68a05f864e1b3f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71685,7 +71685,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Ab804Bb7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1482-L1500"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8f0cc764729498b4cb9c5446f1a84cde54e828e913dc78faf537004a7df21b20"
- logic_hash = "v1_sha256_cef2ffafe152332502fb0d72d014c81b90dc9ad4f4491f1b2f2f9c1f73cc7958"
+ logic_hash = "cef2ffafe152332502fb0d72d014c81b90dc9ad4f4491f1b2f2f9c1f73cc7958"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71714,7 +71714,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Dca3B9B4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1502-L1520"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a839437deba6d30e7a22104561e38f60776729199a96a71da3a88a7c7990246a"
- logic_hash = "v1_sha256_f85dfc1c00706d7ac11ef35c41c471383ef8b019a5c2566b27072a5ef5ad5c93"
+ logic_hash = "f85dfc1c00706d7ac11ef35c41c471383ef8b019a5c2566b27072a5ef5ad5c93"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71742,7 +71742,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Ae9D0Fa6 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1522-L1539"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8da5b14b95d96de5ced8bcab98e23973e449c1b5ca101f39a2114bb8e74fd9a5"
+ logic_hash = "8da5b14b95d96de5ced8bcab98e23973e449c1b5ca101f39a2114bb8e74fd9a5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71771,7 +71771,7 @@ rule ELASTIC_Linux_Trojan_Mirai_612B407C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1541-L1559"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7833bc89778461a9f46cc47a78c67dda48b498ee40b09a80a21e67cb70c6add1"
- logic_hash = "v1_sha256_6514725a32f7c28be7de5ff6fe1363df7c50e2cd6c8c79824ec4cbeadda2ca31"
+ logic_hash = "6514725a32f7c28be7de5ff6fe1363df7c50e2cd6c8c79824ec4cbeadda2ca31"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71800,7 +71800,7 @@ rule ELASTIC_Linux_Trojan_Mirai_D5Da717F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1561-L1579"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1f6bcdfc7d1c56228897cd7548266bb0b9a41b913be354036816643ac21b6f66"
- logic_hash = "v1_sha256_034dae5bea7536e8c8aa22b8b891b9c991b94f04be12c9fe6d78ddf07a2365d9"
+ logic_hash = "034dae5bea7536e8c8aa22b8b891b9c991b94f04be12c9fe6d78ddf07a2365d9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71829,7 +71829,7 @@ rule ELASTIC_Linux_Trojan_Mirai_D33095D4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1581-L1599"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "72326a3a9160e9481dd6fc87159f7ebf8a358f52bf0c17fbc3df80217d032635"
- logic_hash = "v1_sha256_b7feaec65d72907d08c98b09fb4ac494ceee7d7bd51c09063363c617e3f057a4"
+ logic_hash = "b7feaec65d72907d08c98b09fb4ac494ceee7d7bd51c09063363c617e3f057a4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71858,7 +71858,7 @@ rule ELASTIC_Linux_Trojan_Mirai_4E2246Fb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1601-L1619"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1f6bcdfc7d1c56228897cd7548266bb0b9a41b913be354036816643ac21b6f66"
- logic_hash = "v1_sha256_6d2e1300286751a5e1ae683e9aab2f59bfbb20d1cc18dcce89c06ecadf25a3e6"
+ logic_hash = "6d2e1300286751a5e1ae683e9aab2f59bfbb20d1cc18dcce89c06ecadf25a3e6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71887,7 +71887,7 @@ rule ELASTIC_Linux_Trojan_Mirai_D5981806 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1621-L1639"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "784f2005853b5375efaf3995208e4611b81b8c52f67b6dc139fd9fec7b49d9dc"
- logic_hash = "v1_sha256_e625323543aa5c8374a179dfa51c3f5be1446459c45fa7c7a27ae383cf0f551b"
+ logic_hash = "e625323543aa5c8374a179dfa51c3f5be1446459c45fa7c7a27ae383cf0f551b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71916,7 +71916,7 @@ rule ELASTIC_Linux_Trojan_Mirai_C6055Dc9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1641-L1659"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c1718d7fdeef886caa33951e75cbd9139467fa1724605fdf76c8cdb1ec20e024"
- logic_hash = "v1_sha256_4d9d7c44f0d3ae60275720ae5faf3c25c368aa6e7d9ab5ed706a30f9a7ffd3b8"
+ logic_hash = "4d9d7c44f0d3ae60275720ae5faf3c25c368aa6e7d9ab5ed706a30f9a7ffd3b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71945,7 +71945,7 @@ rule ELASTIC_Linux_Trojan_Mirai_3B9675Fd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1661-L1679"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4ec4bc88156bd51451fdaf0550c21c799c6adacbfc654c8ec634ebca3383bd66"
- logic_hash = "v1_sha256_61ff7cb8d664291de5cf0c82b80cf0f4001c41d3f02b7f4762f67eb8128df15d"
+ logic_hash = "61ff7cb8d664291de5cf0c82b80cf0f4001c41d3f02b7f4762f67eb8128df15d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -71974,7 +71974,7 @@ rule ELASTIC_Linux_Trojan_Mirai_1C0D246D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1681-L1700"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "211cfe9d158c8a6840a53f2d1db2bf94ae689946fffb791eed3acceef7f0e3dd"
- logic_hash = "v1_sha256_7a101e6d2265e09eb6c8d0f1a2fe54c9aa353dfd8bd156926937f4aec86c3ef1"
+ logic_hash = "7a101e6d2265e09eb6c8d0f1a2fe54c9aa353dfd8bd156926937f4aec86c3ef1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72003,7 +72003,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Ad337D2F : FILE MEMORY
 reference = "012b717909a8b251ec1e0c284b3c795865a32a1f4b79706d2254a4eb289c30a7"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1702-L1720"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_dba630c1deb00b0dbd9f895a9b93393bc634150c8f32527b02d8dd71dc806e7d"
+ logic_hash = "dba630c1deb00b0dbd9f895a9b93393bc634150c8f32527b02d8dd71dc806e7d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72031,7 +72031,7 @@ rule ELASTIC_Linux_Trojan_Mirai_88A1B067 : FILE MEMORY
 reference = "1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1722-L1740"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_0755f1f974734ccd4ecc444217bf52ed306d1dc32c05841ba9ca6d259e1a147e"
+ logic_hash = "0755f1f974734ccd4ecc444217bf52ed306d1dc32c05841ba9ca6d259e1a147e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72059,7 +72059,7 @@ rule ELASTIC_Linux_Trojan_Mirai_76Bbc4Ca : FILE MEMORY
 reference = "1a9ff86a66d417678c387102932a71fd879972173901c04f3462de0e519c3b51"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1742-L1760"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_855b7938b92b5645fcefd2ec1e2ccb71269654816f362282ccbf9aef1c01c8a0"
+ logic_hash = "855b7938b92b5645fcefd2ec1e2ccb71269654816f362282ccbf9aef1c01c8a0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72088,7 +72088,7 @@ rule ELASTIC_Linux_Trojan_Mirai_0Bfc17Bd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1762-L1780"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1cdd94f2a1cb2b93134646c171d947e325a498f7a13db021e88c05a4cbb68903"
- logic_hash = "v1_sha256_ef83bc9ae3c881d09b691db42a1712b500a5bb8df34060a6786cfdc6caaf5530"
+ logic_hash = "ef83bc9ae3c881d09b691db42a1712b500a5bb8df34060a6786cfdc6caaf5530"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72117,7 +72117,7 @@ rule ELASTIC_Linux_Trojan_Mirai_389Ee3E9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1782-L1800"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f"
- logic_hash = "v1_sha256_fedeae98d468a11c3eaa561b9d5433ec206bdd4caed5aed7926434730f7f866b"
+ logic_hash = "fedeae98d468a11c3eaa561b9d5433ec206bdd4caed5aed7926434730f7f866b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72146,7 +72146,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Cc93863B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1802-L1820"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f"
- logic_hash = "v1_sha256_881998dee010270d7cefae5b59a888e541d4a2b93e3e52ae0abe0df41371c50d"
+ logic_hash = "881998dee010270d7cefae5b59a888e541d4a2b93e3e52ae0abe0df41371c50d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72175,7 +72175,7 @@ rule ELASTIC_Linux_Trojan_Mirai_8Aa7B5D3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1822-L1840"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f"
- logic_hash = "v1_sha256_3c99b7b126184b75802c7198c81f4783af776920edc6e964dbe726d28d88f64d"
+ logic_hash = "3c99b7b126184b75802c7198c81f4783af776920edc6e964dbe726d28d88f64d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72204,7 +72204,7 @@ rule ELASTIC_Linux_Trojan_Mirai_76908C99 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1842-L1860"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "533a90959bfb337fd7532fb844501fd568f5f4a49998d5d479daf5dfbd01abb2"
- logic_hash = "v1_sha256_bd8254e888b1ea93ca9aad92ea2c8ece1f2d03ae2949ca4c3743b6e339ee21e0"
+ logic_hash = "bd8254e888b1ea93ca9aad92ea2c8ece1f2d03ae2949ca4c3743b6e339ee21e0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72233,7 +72233,7 @@ rule ELASTIC_Linux_Trojan_Mirai_1538Ce1A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1862-L1880"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2382996a8fd44111376253da227120649a1a94b5c61739e87a4e8acc1130e662"
- logic_hash = "v1_sha256_cf2dd11da520640c6a64e05c4679072a714d8cf93d5f5aa3a1eca8eb3e9c8b3b"
+ logic_hash = "cf2dd11da520640c6a64e05c4679072a714d8cf93d5f5aa3a1eca8eb3e9c8b3b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72262,7 +72262,7 @@ rule ELASTIC_Linux_Trojan_Mirai_07B1F4F6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1882-L1900"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2382996a8fd44111376253da227120649a1a94b5c61739e87a4e8acc1130e662"
- logic_hash = "v1_sha256_4af1a20e29e0c9b62e1530031e49a3d7b37d4e9a547d89a270a2e59e0c7852cc"
+ logic_hash = "4af1a20e29e0c9b62e1530031e49a3d7b37d4e9a547d89a270a2e59e0c7852cc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72291,7 +72291,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Feaa98Ff : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1902-L1920"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2382996a8fd44111376253da227120649a1a94b5c61739e87a4e8acc1130e662"
- logic_hash = "v1_sha256_06be9d8bcfcb7e6b600103cf29fa8a94a457ff56e8c7018336c270978a57ccbf"
+ logic_hash = "06be9d8bcfcb7e6b600103cf29fa8a94a457ff56e8c7018336c270978a57ccbf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72320,7 +72320,7 @@ rule ELASTIC_Linux_Trojan_Mirai_3Acd6Ed4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1922-L1940"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2644447de8befa1b4fe39b2117d49754718a2f230d6d5f977166386aa88e7b84"
- logic_hash = "v1_sha256_ab284d41af8e1920fa54ac8bfab84bac493adf816aebce60490ab22c0e502201"
+ logic_hash = "ab284d41af8e1920fa54ac8bfab84bac493adf816aebce60490ab22c0e502201"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72349,7 +72349,7 @@ rule ELASTIC_Linux_Trojan_Mirai_Eb940856 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mirai.yar#L1942-L1960"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fbf814c04234fc95b6a288b62fb9513d6bbad2e601b96db14bb65ab153e65fef"
- logic_hash = "v1_sha256_d7bb2373a35ea97a11513e80e9a561f53a8f0b9345f392e8e7f042d4cb2d7d20"
+ logic_hash = "d7bb2373a35ea97a11513e80e9a561f53a8f0b9345f392e8e7f042d4cb2d7d20"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72378,7 +72378,7 @@ rule ELASTIC_Macos_Trojan_Electrorat_B4Dbfd1D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Electrorat.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b1028b38fcce0d54f2013c89a9c0605ccb316c36c27faf3a35adf435837025a4"
- logic_hash = "v1_sha256_a36143a8c93cb187dba0a88a15550219c19f1483502f782dfefc1e53829cfbf1"
+ logic_hash = "a36143a8c93cb187dba0a88a15550219c19f1483502f782dfefc1e53829cfbf1"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -72410,7 +72410,7 @@ rule ELASTIC_Windows_Trojan_Suddenicon_99487621 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SuddenIcon.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
- logic_hash = "v1_sha256_9a441c47e8b95d8aaec6f495d6ddfec2ed6b0762637ea48e64c9ea01b0945019"
+ logic_hash = "9a441c47e8b95d8aaec6f495d6ddfec2ed6b0762637ea48e64c9ea01b0945019"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72445,7 +72445,7 @@ rule ELASTIC_Windows_Trojan_Suddenicon_8B07C275 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SuddenIcon.yar#L28-L48"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973"
- logic_hash = "v1_sha256_64e8bd8929c9fb8cae16f772e3266b02b4ddec770ff8d5379a93a483eb8ff660"
+ logic_hash = "64e8bd8929c9fb8cae16f772e3266b02b4ddec770ff8d5379a93a483eb8ff660"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72474,7 +72474,7 @@ rule ELASTIC_Windows_Trojan_Suddenicon_Ac021Ae0 : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SuddenIcon.yar#L50-L76"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_033eabdd8ce8ecc4e1a657161c1f298c7dfe536ee2dbf9375cfda894638a7bee"
+ logic_hash = "033eabdd8ce8ecc4e1a657161c1f298c7dfe536ee2dbf9375cfda894638a7bee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72511,7 +72511,7 @@ rule ELASTIC_Windows_Vulndriver_Llaccess_C57534E8 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_LLAccess.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b"
- logic_hash = "v1_sha256_8bf629fd2ce0b1f15c7aacd573659b649dcf968556232683b29d68b27d12e577"
+ logic_hash = "8bf629fd2ce0b1f15c7aacd573659b649dcf968556232683b29d68b27d12e577"
 score = 75
 quality = 75
 tags = "FILE"
@@ -72541,7 +72541,7 @@ rule ELASTIC_Windows_Shellcode_Generic_8C487E57 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Shellcode_Generic.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_a86ea8e15248e83ce7322c10e308a5a24096b1d7c67f5673687563dec8229dfe"
+ logic_hash = "a86ea8e15248e83ce7322c10e308a5a24096b1d7c67f5673687563dec8229dfe"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72569,7 +72569,7 @@ rule ELASTIC_Windows_Shellcode_Generic_F27D7Beb : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Shellcode_Generic.yar#L20-L37"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8530a74a002d0286711cd86545aff0bf853de6b6684473b6211d678797c3639f"
+ logic_hash = "8530a74a002d0286711cd86545aff0bf853de6b6684473b6211d678797c3639f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72597,7 +72597,7 @@ rule ELASTIC_Windows_Shellcode_Generic_29Dcbf7A : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Shellcode_Generic.yar#L39-L56"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c2a81cc27e696a2e488df7d2f96784bbaed83df5783efab312fc5ccbfd524b43"
+ logic_hash = "c2a81cc27e696a2e488df7d2f96784bbaed83df5783efab312fc5ccbfd524b43"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72626,7 +72626,7 @@ rule ELASTIC_Windows_Hacktool_Cpulocker_73B41444 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_CpuLocker.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dbfc90fa2c5dc57899cc75ccb9dc7b102cb4556509cdfecde75b36f602d7da66"
- logic_hash = "v1_sha256_8fb33744326781c51bb6bd18d0574602256b813b62ec8344d5338e6442bb2de0"
+ logic_hash = "8fb33744326781c51bb6bd18d0574602256b813b62ec8344d5338e6442bb2de0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -72655,7 +72655,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_8Bd3002C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5480bc02aeebd3062e6d19e50a5540536ce140d950327cce937ff7e71ebd15e2"
- logic_hash = "v1_sha256_578fd1c3e6091df9550b3c2caf999d7a0432f037b0cc4b15642531e7fdffd7b7"
+ logic_hash = "578fd1c3e6091df9550b3c2caf999d7a0432f037b0cc4b15642531e7fdffd7b7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72684,7 +72684,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_A592A280 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5480bc02aeebd3062e6d19e50a5540536ce140d950327cce937ff7e71ebd15e2"
- logic_hash = "v1_sha256_b16cf5b527782680cc1da6f61dd537596792fed615993b19965ef2dbde701e64"
+ logic_hash = "b16cf5b527782680cc1da6f61dd537596792fed615993b19965ef2dbde701e64"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72713,7 +72713,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_D57Aa841 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "555d60bd863caff231700c5f606d0034d5aa8362862d1fd0c816615d59f582f7"
- logic_hash = "v1_sha256_b0db72ad81d27f5b2ac2d2bb903ff10849c304d40619fd95a39e7d48c64c45ba"
+ logic_hash = "b0db72ad81d27f5b2ac2d2bb903ff10849c304d40619fd95a39e7d48c64c45ba"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72742,7 +72742,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_B97E0253 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5480bc02aeebd3062e6d19e50a5540536ce140d950327cce937ff7e71ebd15e2"
- logic_hash = "v1_sha256_dc11d50166a4d1b400c0df81295054192d42822dd3e065e374a92a31727d4dbd"
+ logic_hash = "dc11d50166a4d1b400c0df81295054192d42822dd3e065e374a92a31727d4dbd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72771,7 +72771,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_66C465A0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7454ee074812d7fa49044de8190e17b5034b3f08625f547d1b04aae4054fd81a"
- logic_hash = "v1_sha256_71f224e3ee1ff29787258a61f29a37a9ddc51e9cb5df0693ea52fd4b6f0b5ad8"
+ logic_hash = "71f224e3ee1ff29787258a61f29a37a9ddc51e9cb5df0693ea52fd4b6f0b5ad8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72800,7 +72800,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_D8573802 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7454ee074812d7fa49044de8190e17b5034b3f08625f547d1b04aae4054fd81a"
- logic_hash = "v1_sha256_b51ab7a7c26e889a4e8efc2b9883f709c17d82032b0c28ab3e30229d6f296367"
+ logic_hash = "b51ab7a7c26e889a4e8efc2b9883f709c17d82032b0c28ab3e30229d6f296367"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72829,7 +72829,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_7926Bc8E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "555d60bd863caff231700c5f606d0034d5aa8362862d1fd0c816615d59f582f7"
- logic_hash = "v1_sha256_ac42dd714696825d64402861e96122cce7cd09ae8d9c43a19dd9cf95d7b09610"
+ logic_hash = "ac42dd714696825d64402861e96122cce7cd09ae8d9c43a19dd9cf95d7b09610"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72858,7 +72858,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_E2377400 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b88daf00a0e890b6750e691856b0fe7428d90d417d9503f62a917053e340228b"
- logic_hash = "v1_sha256_71276698d1bdb9bc494fe6f1aa9755940583331836abc490e0b5ac3454d35de6"
+ logic_hash = "71276698d1bdb9bc494fe6f1aa9755940583331836abc490e0b5ac3454d35de6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72886,7 +72886,7 @@ rule ELASTIC_Linux_Trojan_Ngioweb_994F1E97 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ngioweb.yar#L161-L178"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_2384e787877b622445d7d14053a8340d2e97d3ab103a3fabfa08a40068726ad0"
+ logic_hash = "2384e787877b622445d7d14053a8340d2e97d3ab103a3fabfa08a40068726ad0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -72915,7 +72915,7 @@ rule ELASTIC_Windows_Hacktool_Sharpshares_88Cdcd52 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpShares.yar#L1-L30"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bbdd3620a67aedec4b9a68b2c9cc880b6631215e129816aea19902a6f4bc6f41"
- logic_hash = "v1_sha256_85c59b939da6158f931e779c2884cea77b80fab54ee5e157d86afa19f0253db3"
+ logic_hash = "85c59b939da6158f931e779c2884cea77b80fab54ee5e157d86afa19f0253db3"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -72955,7 +72955,7 @@ rule ELASTIC_Windows_Trojan_Mylobot_A895174A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_MyloBot.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "33831d9ad64d0f52f507f08ef81607aafa6ced58a189969af6cf57c659c982d2"
- logic_hash = "v1_sha256_16f2d8eeb6c85944030a33bd250e4e8b98985a6c877a0ec3ad5a6037e7c00159"
+ logic_hash = "16f2d8eeb6c85944030a33bd250e4e8b98985a6c877a0ec3ad5a6037e7c00159"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -72990,7 +72990,7 @@ rule ELASTIC_Windows_Vulndriver_Msio_Aa20A3C6 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_MsIo.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6"
- logic_hash = "v1_sha256_3b383934dc91536f69e2c6cb2cf2054c5f8a08766ecf1d1804c57f3a2c39c1c2"
+ logic_hash = "3b383934dc91536f69e2c6cb2cf2054c5f8a08766ecf1d1804c57f3a2c39c1c2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -73019,7 +73019,7 @@ rule ELASTIC_Windows_Vulndriver_Msio_Ce0Bda23 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_MsIo.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89"
- logic_hash = "v1_sha256_f7fbe0255a006cce42aff61b294512c11e1cceaf11d5c1b6f75b96fb3b155895"
+ logic_hash = "f7fbe0255a006cce42aff61b294512c11e1cceaf11d5c1b6f75b96fb3b155895"
 score = 75
 quality = 75
 tags = "FILE"
@@ -73048,7 +73048,7 @@ rule ELASTIC_Linux_Virus_Gmon_E544D891 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Virus_Gmon.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d0fe377664aa0bc0d1fd3a307650f211dd3ef2e2f04597abee465e836e6a6f32"
- logic_hash = "v1_sha256_6dcfd51aaa79d7bac0100d9c891aa4275b8e1f7614cda46a5da4c738d376c729"
+ logic_hash = "6dcfd51aaa79d7bac0100d9c891aa4275b8e1f7614cda46a5da4c738d376c729"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73077,7 +73077,7 @@ rule ELASTIC_Linux_Virus_Gmon_192Bd9B3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Virus_Gmon.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d0fe377664aa0bc0d1fd3a307650f211dd3ef2e2f04597abee465e836e6a6f32"
- logic_hash = "v1_sha256_3df275349d14a845c73087375f96e0c9a069ff685beb89249590ef9448e50373"
+ logic_hash = "3df275349d14a845c73087375f96e0c9a069ff685beb89249590ef9448e50373"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73106,7 +73106,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_57C0C6D7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "100dc1ede4c0832a729d77725784d9deb358b3a768dfaf7ff9e96535f5b5a361"
- logic_hash = "v1_sha256_d3a272d488cebe4f774c994001a14d825372a27f16267bc0339b7e3b22ada8db"
+ logic_hash = "d3a272d488cebe4f774c994001a14d825372a27f16267bc0339b7e3b22ada8db"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73135,7 +73135,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_7E42Bf80 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "551b6e6617fa3f438ec1b3bd558b3cbc981141904cab261c0ac082a697e5b07d"
- logic_hash = "v1_sha256_ad8c8f0081d07f7e2a5400de6af2c6b311f77ff336d7576f7fb0bfe2593a9062"
+ logic_hash = "ad8c8f0081d07f7e2a5400de6af2c6b311f77ff336d7576f7fb0bfe2593a9062"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73164,7 +73164,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_271121Fb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "19aeafb63430b5ac98e93dfd6469c20b9c1145e6b5b86202553bd7bd9e118842"
- logic_hash = "v1_sha256_f43b1527ad4bbd07023126def89c1af47698cc832f71f4a1381ed0d621d79ed5"
+ logic_hash = "f43b1527ad4bbd07023126def89c1af47698cc832f71f4a1381ed0d621d79ed5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73192,7 +73192,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_E7E64Fb7 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L61-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e325ac02c51526c5a36bdd6c2bcb3bee51f1214d78eff8048c8a1ae88334a9e8"
+ logic_hash = "e325ac02c51526c5a36bdd6c2bcb3bee51f1214d78eff8048c8a1ae88334a9e8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73220,7 +73220,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_79B42B21 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L80-L97"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_db42871193960ea4c2cbe5f5040cbc1097d57d9e4dc291bcc77ed72b588311ab"
+ logic_hash = "db42871193960ea4c2cbe5f5040cbc1097d57d9e4dc291bcc77ed72b588311ab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73249,7 +73249,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_77Fbc695 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L99-L117"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e723a2b976adddb01abb1101f2d3407b783067bec042a135b21b14d63bc18a68"
- logic_hash = "v1_sha256_af8e09cd5d6b7532af0c06273aa465cf6c40ad6c919a679fd09191a1c2a302f5"
+ logic_hash = "af8e09cd5d6b7532af0c06273aa465cf6c40ad6c919a679fd09191a1c2a302f5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73278,7 +73278,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_403B0A12 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L119-L137"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "54d806b3060404ccde80d9f3153eebe8fdda49b6e8cdba197df0659c6724a52d"
- logic_hash = "v1_sha256_5b7662124eb980b11f88a50665292e7a405595f7ad85c5c448dd087ea096689a"
+ logic_hash = "5b7662124eb980b11f88a50665292e7a405595f7ad85c5c448dd087ea096689a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73306,7 +73306,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_Bffa106B : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L139-L156"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d7214ad9c4291205b50567d142d99b8a19a9cfa69d3cd0a644774c3a1adb6b49"
+ logic_hash = "d7214ad9c4291205b50567d142d99b8a19a9cfa69d3cd0a644774c3a1adb6b49"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73335,7 +73335,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_73Faf972 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L158-L176"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "00e29303b66cb39a8bc23fe91379c087376ea26baa21f6b7f7817289ba89f655"
- logic_hash = "v1_sha256_a6a9d304d215302bf399c90ed0dd77a681796254c51a2a20e4a316dba43b387f"
+ logic_hash = "a6a9d304d215302bf399c90ed0dd77a681796254c51a2a20e4a316dba43b387f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73364,7 +73364,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_Af809Eea : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L178-L196"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "00e29303b66cb39a8bc23fe91379c087376ea26baa21f6b7f7817289ba89f655"
- logic_hash = "v1_sha256_4ae4b119a3eecfdb47a88fe5a89a4f79ae96eecf5d08eef08997357de7e6538a"
+ logic_hash = "4ae4b119a3eecfdb47a88fe5a89a4f79ae96eecf5d08eef08997357de7e6538a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73393,7 +73393,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_9F6Ac00F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L198-L216"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9cd58c1759056c0c5bbd78248b9192c4f8c568ed89894aff3724fdb2be44ca43"
- logic_hash = "v1_sha256_9fa8e7be5c35c9a649c42613d0d5d5cecff3d9c3e9a572e4be1ca661876748a5"
+ logic_hash = "9fa8e7be5c35c9a649c42613d0d5d5cecff3d9c3e9a572e4be1ca661876748a5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73422,7 +73422,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrig_Dbcc9D87 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrig.yar#L218-L236"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "da9b8fb5c26e81fb3aed3b0bc95d855339fced303aae2af281daf0f1a873e585"
- logic_hash = "v1_sha256_b7fa60e32cb53484d8b76b13066eda1f2275ee2660ac2dc02b0078b921998e79"
+ logic_hash = "b7fa60e32cb53484d8b76b13066eda1f2275ee2660ac2dc02b0078b921998e79"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73451,7 +73451,7 @@ rule ELASTIC_Linux_Trojan_Gognt_50C3D9Da : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gognt.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "79602bc786edda7017c5f576814b683fba41e4cb4cf3f837e963c6d0d42c50ee"
- logic_hash = "v1_sha256_ecd9cd94b3bf8c50c347e70aab3da03ea6589530b20941a9f62dac501f8144fc"
+ logic_hash = "ecd9cd94b3bf8c50c347e70aab3da03ea6589530b20941a9f62dac501f8144fc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73480,7 +73480,7 @@ rule ELASTIC_Linux_Trojan_Gognt_05B10F4B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gognt.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e43aaf2345dbb5c303d5a5e53cd2e2e84338d12f69ad809865f20fd1a5c2716f"
- logic_hash = "v1_sha256_1dfc3417f75aa81aea5eda3d6da076f1cacf82dbfc039252b1d16f52b81a5a65"
+ logic_hash = "1dfc3417f75aa81aea5eda3d6da076f1cacf82dbfc039252b1d16f52b81a5a65"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73509,7 +73509,7 @@ rule ELASTIC_Macos_Hacktool_Jokerspy_58A6B26D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Macos_Hacktool_JokerSpy.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8"
- logic_hash = "v1_sha256_e9e1333c7172d5a0f06093a902edefd7f128963dbaadf77e829f032ccb04ce56"
+ logic_hash = "e9e1333c7172d5a0f06093a902edefd7f128963dbaadf77e829f032ccb04ce56"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73543,7 +73543,7 @@ rule ELASTIC_Windows_Trojan_Cybergate_517Aac7D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CyberGate.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365"
- logic_hash = "v1_sha256_50e061d0c358655c03b95ccbe2d05e252501c3e6afd21dd20513019cd67e6147"
+ logic_hash = "50e061d0c358655c03b95ccbe2d05e252501c3e6afd21dd20513019cd67e6147"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -73576,7 +73576,7 @@ rule ELASTIC_Windows_Trojan_Cybergate_9996D800 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CyberGate.yar#L25-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "07b8f25e7b536f5b6f686c12d04edc37e11347c8acd5c53f98a174723078c365"
- logic_hash = "v1_sha256_efefc171b6390c9792145973708358f62b18b8d0180feacaf5b9267563c3f7cc"
+ logic_hash = "efefc171b6390c9792145973708358f62b18b8d0180feacaf5b9267563c3f7cc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73605,7 +73605,7 @@ rule ELASTIC_Windows_Trojan_Cybergate_C219A2F3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CyberGate.yar#L45-L64"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b7204f8caf6ace6ae1aed267de0ad6b39660d0e636d8ee0ecf88135f8a58dc42"
- logic_hash = "v1_sha256_8075892728c610c1ceacd0df54615d2a3e833d728d631a9bf81311e8c6485f6e"
+ logic_hash = "8075892728c610c1ceacd0df54615d2a3e833d728d631a9bf81311e8c6485f6e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73635,7 +73635,7 @@ rule ELASTIC_Linux_Hacktool_Aduh_6Cae7C78 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Aduh.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9c67207546ad274dc78a0819444d1c8805537f9ac36d3c53eba9278ed44b360c"
- logic_hash = "v1_sha256_130df108de5b6cdfb9227f96301bdaa1e272d47b8cb9ad96c3aa574bf65870b2"
+ logic_hash = "130df108de5b6cdfb9227f96301bdaa1e272d47b8cb9ad96c3aa574bf65870b2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73664,7 +73664,7 @@ rule ELASTIC_Windows_Vulndriver_Mhyprot_26214176 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Mhyprot.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6"
- logic_hash = "v1_sha256_61d1713c689b9d663f2d3360d07735b07ca10365b5ce424b2df726bd6cc434d3"
+ logic_hash = "61d1713c689b9d663f2d3360d07735b07ca10365b5ce424b2df726bd6cc434d3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -73696,7 +73696,7 @@ rule ELASTIC_Multi_Hacktool_Gsocket_761D3A0F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Hacktool_Gsocket.yar#L1-L32"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "193efd61ae10f286d06390968537fa85e4df40995fd424d1afe426c089d172ab"
- logic_hash = "v1_sha256_6f60b63f406b42ac2a43cbe3afbbc98789504d7c6036d50f852a5bc4a6c46cef"
+ logic_hash = "6f60b63f406b42ac2a43cbe3afbbc98789504d7c6036d50f852a5bc4a6c46cef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73738,7 +73738,7 @@ rule ELASTIC_Windows_Trojan_Eagerbee_7029Ba21 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_EagerBee.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "09005775fc587ac7bf150c05352e59dc01008b7bf8c1d870d1cea87561aa0b06"
- logic_hash = "v1_sha256_874959361b14ba74e13e6e674da75c9bdb6b9475d8b286572825c940b41f679f"
+ logic_hash = "874959361b14ba74e13e6e674da75c9bdb6b9475d8b286572825c940b41f679f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73768,7 +73768,7 @@ rule ELASTIC_Windows_Trojan_Eagerbee_A64B323B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_EagerBee.yar#L23-L45"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "339e4fdbccb65b0b06a1421c719300a8da844789a2016d58e8ce4227cb5dc91b"
- logic_hash = "v1_sha256_e1c25cf8ce0ff434727c9104c6b79110ff5cfa84eb3e939119fd05cf676727c6"
+ logic_hash = "e1c25cf8ce0ff434727c9104c6b79110ff5cfa84eb3e939119fd05cf676727c6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73800,7 +73800,7 @@ rule ELASTIC_Linux_Trojan_Lala_51Deb1F9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Lala.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f3af65d3307fbdc2e8ce6e1358d1413ebff5eeb5dbedc051394377a4dabffa82"
- logic_hash = "v1_sha256_73a7ec230be9aabcc301095c9c075f839852155419bdd8d5542287f34699ab33"
+ logic_hash = "73a7ec230be9aabcc301095c9c075f839852155419bdd8d5542287f34699ab33"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73829,7 +73829,7 @@ rule ELASTIC_Windows_Trojan_Bitrat_34Bd6C83 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bitrat.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "37f70ae0e4e671c739d402c00f708761e98b155a1eefbedff1236637c4b7690a"
- logic_hash = "v1_sha256_d386fc2a4b6a98638328d1aa05a8d8dbb7a1bbcd72943457b1a5a27b056744ef"
+ logic_hash = "d386fc2a4b6a98638328d1aa05a8d8dbb7a1bbcd72943457b1a5a27b056744ef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73862,7 +73862,7 @@ rule ELASTIC_Windows_Trojan_Bitrat_54916275 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bitrat.yar#L25-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d3b2c410b431c006c59f14b33e95c0e44e6221b1118340c745911712296f659f"
- logic_hash = "v1_sha256_4c66f79f4bf6bde49bfb9208e6dc1d3b5d041927565e7302381838b0f32da6f4"
+ logic_hash = "4c66f79f4bf6bde49bfb9208e6dc1d3b5d041927565e7302381838b0f32da6f4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73891,7 +73891,7 @@ rule ELASTIC_Linux_Trojan_Mumblehard_523450Aa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mumblehard.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a637ea8f070e1edf2c9c81450e83934c177696171b24b4dff32dfb23cefa56d3"
- logic_hash = "v1_sha256_60b4cc388975ce030e03c5c3a48adcfeec25299105206909163f20100fbf45d8"
+ logic_hash = "60b4cc388975ce030e03c5c3a48adcfeec25299105206909163f20100fbf45d8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73920,7 +73920,7 @@ rule ELASTIC_Windows_Hacktool_Sharpstay_Eac706C5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpStay.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "498d201f65b57a007a79259ce7015eb7eb1bba660d44deafea716e36316a9caa"
- logic_hash = "v1_sha256_b85679018658e33e81cd2589e9f99cf9ed16ac25b27d93bece26cb5ccc2e379a"
+ logic_hash = "b85679018658e33e81cd2589e9f99cf9ed16ac25b27d93bece26cb5ccc2e379a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -73953,7 +73953,7 @@ rule ELASTIC_Windows_Trojan_Pipedance_01C18057 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PipeDance.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9d3f739e35182992f1e3ade48b8999fb3a5049f48c14db20e38ee63eddc5a1e7"
- logic_hash = "v1_sha256_0c03a725ae930eb829d6a6a9f681489d61aa7f69e72b6b298776f75a98115398"
+ logic_hash = "0c03a725ae930eb829d6a6a9f681489d61aa7f69e72b6b298776f75a98115398"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -73989,7 +73989,7 @@ rule ELASTIC_Linux_Trojan_Ganiw_99349371 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ganiw.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e8dbb246fdd1a50226a36c407ac90eb44b0cf5e92bf0b92c89218f474f9c2afb"
- logic_hash = "v1_sha256_26160e855c63fc0b73e415de2fe058f2005df1ec5544d21865d022c5474df30c"
+ logic_hash = "26160e855c63fc0b73e415de2fe058f2005df1ec5544d21865d022c5474df30c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74017,7 +74017,7 @@ rule ELASTIC_Linux_Trojan_Ganiw_B9F045Aa : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ganiw.yar#L21-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_2565101b261bee22ddecf6898ff0ac8a114d09c822d8db26ba3e3571ebe06b12"
+ logic_hash = "2565101b261bee22ddecf6898ff0ac8a114d09c822d8db26ba3e3571ebe06b12"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74046,7 +74046,7 @@ rule ELASTIC_Linux_Trojan_Dnsamp_C31Eebd4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dnsamp.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4b86de97819a49a90961d59f9c3ab9f8e57e19add9fe1237d2a2948b4ff22de6"
- logic_hash = "v1_sha256_b998065eff9f67a1cdf19644a13edb0cef3c619d8b6e16c412d58f5d538e4617"
+ logic_hash = "b998065eff9f67a1cdf19644a13edb0cef3c619d8b6e16c412d58f5d538e4617"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74075,7 +74075,7 @@ rule ELASTIC_Multi_Generic_Threat_19854Dc2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Generic_Threat.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "be216fa9cbf0b64d769d1e8ecddcfc3319c7ca8e610e438dcdfefc491730d208"
- logic_hash = "v1_sha256_beed6d6cd7b7b6eb3f4ab6a45fd19f2ebfb661e470d468691b68634994e2eef7"
+ logic_hash = "beed6d6cd7b7b6eb3f4ab6a45fd19f2ebfb661e470d468691b68634994e2eef7"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -74104,7 +74104,7 @@ rule ELASTIC_Linux_Trojan_Sdbot_98628Ea1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sdbot.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5568ae1f8a1eb879eb4705db5b3820e36c5ecea41eb54a8eef5b742f477cbdd8"
- logic_hash = "v1_sha256_55b8e3fa755965b85a043015f9303644b8e06fe8bfdc0e2062de75bdc2881541"
+ logic_hash = "55b8e3fa755965b85a043015f9303644b8e06fe8bfdc0e2062de75bdc2881541"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74133,7 +74133,7 @@ rule ELASTIC_Windows_Vulndriver_Elrawdisk_F9Fd1A80 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_ElRawDisk.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ed4f2b3db9a79535228af253959a0749b93291ad8b1058c7a41644b73035931b"
- logic_hash = "v1_sha256_43f9f1f6ad6c1defe2f0d6dd0cd380bea1a8ead19bc0bf203bdfe4f83b9c284d"
+ logic_hash = "43f9f1f6ad6c1defe2f0d6dd0cd380bea1a8ead19bc0bf203bdfe4f83b9c284d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -74162,7 +74162,7 @@ rule ELASTIC_Multi_Trojan_Sliver_42298C4A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Sliver.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007"
- logic_hash = "v1_sha256_a84bdb51fcdeb4629365bdb727b53087604ee0eb112c8d6c3ecf315598ec678a"
+ logic_hash = "a84bdb51fcdeb4629365bdb727b53087604ee0eb112c8d6c3ecf315598ec678a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74197,7 +74197,7 @@ rule ELASTIC_Multi_Trojan_Sliver_3Bde542D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Sliver.yar#L27-L50"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "05461e1c2a2e581a7c30e14d04bd3d09670e281f9f7c60f4169e9614d22ce1b3"
- logic_hash = "v1_sha256_23a0e28c1423f577a147efdf927f2dc71871760e38d4d7494ead2920b90ef05e"
+ logic_hash = "23a0e28c1423f577a147efdf927f2dc71871760e38d4d7494ead2920b90ef05e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74231,7 +74231,7 @@ rule ELASTIC_Multi_Trojan_Sliver_3D6B7Cd3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Sliver.yar#L52-L88"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9846124cfd124eed466465d187eeacb4d405c558dd84ba8e575d8a7b3290403e"
- logic_hash = "v1_sha256_3cbd3358b7d59d6a2912069f4cb8de005b6fafd61e44111d1f6cf0418eb2d1fc"
+ logic_hash = "3cbd3358b7d59d6a2912069f4cb8de005b6fafd61e44111d1f6cf0418eb2d1fc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74278,7 +74278,7 @@ rule ELASTIC_Windows_PUP_Mediaarena_A9E3B4A1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_PUP_MediaArena.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c071e0b67e4c105c87b876183900f97a4e8bc1a7c18e61c028dee59ce690b1ac"
- logic_hash = "v1_sha256_8e52b29f2848498aae2fd7ad35494362d6c07f0e752b628840a256923aca32c7"
+ logic_hash = "8e52b29f2848498aae2fd7ad35494362d6c07f0e752b628840a256923aca32c7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74312,7 +74312,7 @@ rule ELASTIC_Multi_EICAR_Ac8F42D6 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_EICAR.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_05c92058aab1229dfa31e006276c2c83fa484e813bdfe66edf387763797d9d57"
+ logic_hash = "05c92058aab1229dfa31e006276c2c83fa484e813bdfe66edf387763797d9d57"
 score = 75
 quality = 25
 tags = "FILE, MEMORY"
@@ -74341,7 +74341,7 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_53Df500F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Virus_Maxofferdeal.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ecd62ef880da057726ca55c6826ce4e1584ec6fc3afaabed7f66154fc39ffef8"
- logic_hash = "v1_sha256_ed63c14e31c200f906b525c7ef1cd671511a89c8833cfa1a605fc9870fe91043"
+ logic_hash = "ed63c14e31c200f906b525c7ef1cd671511a89c8833cfa1a605fc9870fe91043"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74370,7 +74370,7 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_F4681Eba : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Virus_Maxofferdeal.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ecd62ef880da057726ca55c6826ce4e1584ec6fc3afaabed7f66154fc39ffef8"
- logic_hash = "v1_sha256_cf478ec5313b40d74d110e4d6e97da5f671d5af331adc3ab059a69616e78c76c"
+ logic_hash = "cf478ec5313b40d74d110e4d6e97da5f671d5af331adc3ab059a69616e78c76c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74399,7 +74399,7 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_4091E373 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Virus_Maxofferdeal.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c38c4bdd3c1fa16fd32db06d44d0db1b25bb099462f8d2936dbdd42af325b37c"
- logic_hash = "v1_sha256_ce82f6d3a2e4b7ffe7010629bf91a9144a94e50513682a6c0622603d28248d51"
+ logic_hash = "ce82f6d3a2e4b7ffe7010629bf91a9144a94e50513682a6c0622603d28248d51"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74428,7 +74428,7 @@ rule ELASTIC_Macos_Virus_Maxofferdeal_20A0091E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Virus_Maxofferdeal.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b00a61c908cd06dbc26bee059ba290e7ce2ad6b66c453ea272c7287ffa29c5ab"
- logic_hash = "v1_sha256_bb90b7e1637fd86e91763b4801a0b3bb8a1b956f328d07e96cf1b26e42b1931b"
+ logic_hash = "bb90b7e1637fd86e91763b4801a0b3bb8a1b956f328d07e96cf1b26e42b1931b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74457,7 +74457,7 @@ rule ELASTIC_Linux_Webshell_Generic_E80Ff633 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Webshell_Generic.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7640ba6f2417931ef901044152d5bfe1b266219d13b5983d92ddbdf644de5818"
- logic_hash = "v1_sha256_d345e6ce3e51ed55064aafb1709e9bee7ef2ce87ec80165ac1b58eebd83cefee"
+ logic_hash = "d345e6ce3e51ed55064aafb1709e9bee7ef2ce87ec80165ac1b58eebd83cefee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74485,7 +74485,7 @@ rule ELASTIC_Linux_Webshell_Generic_41A5Fa40 : FILE MEMORY
 reference = "18ac7fbc3d8d3bb8581139a20a7fee8ea5b7fcfea4a9373e3d22c71bae3c9de0"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Webshell_Generic.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_574148bc58626aac00add1989c65ad56315c7e2a8d27c7b96be404d831a7a576"
+ logic_hash = "574148bc58626aac00add1989c65ad56315c7e2a8d27c7b96be404d831a7a576"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -74514,7 +74514,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_4557_B7E15F5E : FILE MEMORY CVE_2016_4557
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_4557.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bbed2f81104b5eb4a8475deff73b29a350dc8b0f96dcc4987d0112b993675271"
- logic_hash = "v1_sha256_9c40233fec9607404ca4f78313e0f62922180e5ef88dbf801dd60725af61bdde"
+ logic_hash = "9c40233fec9607404ca4f78313e0f62922180e5ef88dbf801dd60725af61bdde"
 score = 75
 quality = 73
 tags = "FILE, MEMORY, CVE-2016-4557"
@@ -74543,7 +74543,7 @@ rule ELASTIC_Linux_Trojan_Skidmap_Aa7B661D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Skidmap.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4282ba9b7bee69d42bfff129fff45494fb8f7db0e1897fc5aa1e4265cb6831d9"
- logic_hash = "v1_sha256_aa976158d004d582234a92ff648d4581440f9c933a0abef212d9d837d9607ba4"
+ logic_hash = "aa976158d004d582234a92ff648d4581440f9c933a0abef212d9d837d9607ba4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74572,7 +74572,7 @@ rule ELASTIC_Linux_Trojan_Skidmap_52Fb8489 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Skidmap.yar#L21-L57"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4282ba9b7bee69d42bfff129fff45494fb8f7db0e1897fc5aa1e4265cb6831d9"
- logic_hash = "v1_sha256_9d199666f36a703b77d6b2a47e8d2065c25746a5776df63f5bfacb912afa582b"
+ logic_hash = "9d199666f36a703b77d6b2a47e8d2065c25746a5776df63f5bfacb912afa582b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74619,7 +74619,7 @@ rule ELASTIC_Linux_Trojan_Backegmm_B59712E6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Backegmm.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d6c8e15cb65102b442b7ee42186c58fa69cd0cb68f4fd47eb5ad23763371e0be"
- logic_hash = "v1_sha256_a2e6016bfd8475880c28c89b5f5beeef1335de9529d44bbe7c5aaa352aab9a29"
+ logic_hash = "a2e6016bfd8475880c28c89b5f5beeef1335de9529d44bbe7c5aaa352aab9a29"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74648,7 +74648,7 @@ rule ELASTIC_Linux_Trojan_Roopre_B6B9E71D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Roopre.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "36ae2bf773135fdb0ead7fbbd46f90fd41d6f973569de1941c8723158fc6cfcc"
- logic_hash = "v1_sha256_32294e476a014a919d2d738bdc940a7fc5f91e1b13c005f164a5b6bf84eb2635"
+ logic_hash = "32294e476a014a919d2d738bdc940a7fc5f91e1b13c005f164a5b6bf84eb2635"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74677,7 +74677,7 @@ rule ELASTIC_Linux_Trojan_Roopre_05F7F237 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Roopre.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "36ae2bf773135fdb0ead7fbbd46f90fd41d6f973569de1941c8723158fc6cfcc"
- logic_hash = "v1_sha256_12e14ac31932033f2448b7a3bfd6ce826fff17494547ac4baefb20f6713baf5f"
+ logic_hash = "12e14ac31932033f2448b7a3bfd6ce826fff17494547ac4baefb20f6713baf5f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74706,7 +74706,7 @@ rule ELASTIC_Windows_Clickfraud_Luckyslots_A82433B6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Clickfraud_LuckySlots.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6503770b34c53025793f1674af87d80a8f6ed44b5780490796012a2b771b8f84"
- logic_hash = "v1_sha256_342dafb67ae8557de66ac810482e2747ae88c76f07c244f1a465351fcc72cab9"
+ logic_hash = "342dafb67ae8557de66ac810482e2747ae88c76f07c244f1a465351fcc72cab9"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -74741,7 +74741,7 @@ rule ELASTIC_Linux_Backdoor_Python_00606Bac : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Backdoor_Python.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b3e3728d43535f47a1c15b915c2d29835d9769a9dc69eb1b16e40d5ba1b98460"
- logic_hash = "v1_sha256_92ad2cf4aa848c8f3bcedd319654bf5ef873cd4daba62572381c7e20f0296b82"
+ logic_hash = "92ad2cf4aa848c8f3bcedd319654bf5ef873cd4daba62572381c7e20f0296b82"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74770,7 +74770,7 @@ rule ELASTIC_Windows_Trojan_Asyncrat_11A11Ba1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Asyncrat.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1"
- logic_hash = "v1_sha256_c6c4ce9ccf01c280be6c25c0c82c34b601626bc200b84d3e77b08be473335d3d"
+ logic_hash = "c6c4ce9ccf01c280be6c25c0c82c34b601626bc200b84d3e77b08be473335d3d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74804,7 +74804,7 @@ rule ELASTIC_Windows_Trojan_M0Yv_92F66467 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_M0yv.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0004d22dd18c0239b722c085101c0a32b967159e2066a0b7b9104bb43f5cdea0"
- logic_hash = "v1_sha256_a47b20679aee9559213de22783cfbc55c6091785e4dc288349963e863b78cf41"
+ logic_hash = "a47b20679aee9559213de22783cfbc55c6091785e4dc288349963e863b78cf41"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -74835,7 +74835,7 @@ rule ELASTIC_Windows_Trojan_Whispergate_9192618B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_WhisperGate.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
- logic_hash = "v1_sha256_28bb08d61d99d2bfc49ba18cdbabc34c31a715ae6439ab25bbce8cc6958ed381"
+ logic_hash = "28bb08d61d99d2bfc49ba18cdbabc34c31a715ae6439ab25bbce8cc6958ed381"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74868,7 +74868,7 @@ rule ELASTIC_Linux_Exploit_Intfour_0Ca45Cd3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Intfour.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9d32c5447aa5182b4be66b7a283616cf531a2fd3ba3dde1bc363b24d8b22682f"
- logic_hash = "v1_sha256_088d8daa9ba4f53c8de229282ed8a7b30b1e567687e7807ac6c3df9524dabba9"
+ logic_hash = "088d8daa9ba4f53c8de229282ed8a7b30b1e567687e7807ac6c3df9524dabba9"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -74897,7 +74897,7 @@ rule ELASTIC_Linux_Downloader_Generic_0Bd15Ae0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Downloader_Generic.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e511efb068e76a4a939c2ce2f2f0a089ef55ca56ee5f2ba922828d23e6181f09"
- logic_hash = "v1_sha256_c9558562d9e9d3b55bd1fba9e55b332e6b4db5a170e0dd349bef1e35f0c7fd21"
+ logic_hash = "c9558562d9e9d3b55bd1fba9e55b332e6b4db5a170e0dd349bef1e35f0c7fd21"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74925,7 +74925,7 @@ rule ELASTIC_Windows_Trojan_Rudebird_3Cbf7Bc6 : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RudeBird.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_2095c3b6bde779b5661c7796b5e33bb0c43facf791b272a603b786f889a06a95"
+ logic_hash = "2095c3b6bde779b5661c7796b5e33bb0c43facf791b272a603b786f889a06a95"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74954,7 +74954,7 @@ rule ELASTIC_Linux_Cryptominer_Bscope_348B7Fa0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Bscope.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a6fb80d77986e00a6b861585bd4e573a927e970fb0061bf5516f83400ad7c0db"
- logic_hash = "v1_sha256_bc6a59dcc36676273c61fa71231fd8709884beebb7ab64b58f22551393b20c71"
+ logic_hash = "bc6a59dcc36676273c61fa71231fd8709884beebb7ab64b58f22551393b20c71"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -74983,7 +74983,7 @@ rule ELASTIC_Linux_Hacktool_Earthworm_4De7B584 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Earthworm.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9d61aabcf935121b4f7fc6b0d082d7d6c31cb43bf253a8603dd46435e66b7955"
- logic_hash = "v1_sha256_019b2504df192e673f96a86464bb5e8ba5e89190e51bfe7d702753f76c00b979"
+ logic_hash = "019b2504df192e673f96a86464bb5e8ba5e89190e51bfe7d702753f76c00b979"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -75012,7 +75012,7 @@ rule ELASTIC_Linux_Hacktool_Earthworm_E3Da43E2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Earthworm.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "da0cffc4222d11825778fe4fa985fef2945caa0cc3b4de26af0a06509ebafb21"
- logic_hash = "v1_sha256_b129b7060b6af4ff2aae2678a455b969579132891fba44e4fdc2481a5437bdf9"
+ logic_hash = "b129b7060b6af4ff2aae2678a455b969579132891fba44e4fdc2481a5437bdf9"
 score = 60
 quality = 45
 tags = "FILE, MEMORY"
@@ -75041,7 +75041,7 @@ rule ELASTIC_Linux_Hacktool_Earthworm_82D5C4Cf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Earthworm.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dc412d4f2b0e9ca92063a47adfb0657507d3f2a54a415619db5a7ccb59afb204"
- logic_hash = "v1_sha256_81f35293bd3dd0cfbbf67f036773e16625bb74e06320fa1fff5bc428ef2f3a43"
+ logic_hash = "81f35293bd3dd0cfbbf67f036773e16625bb74e06320fa1fff5bc428ef2f3a43"
 score = 60
 quality = 45
 tags = "FILE, MEMORY"
@@ -75070,7 +75070,7 @@ rule ELASTIC_Linux_Hacktool_Earthworm_4Ec2Ec63 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Earthworm.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dc412d4f2b0e9ca92063a47adfb0657507d3f2a54a415619db5a7ccb59afb204"
- logic_hash = "v1_sha256_25f616c5440a48aef0f824cb6859e88787db4f42c1ec904a3d3bd72f3a64116e"
+ logic_hash = "25f616c5440a48aef0f824cb6859e88787db4f42c1ec904a3d3bd72f3a64116e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75099,7 +75099,7 @@ rule ELASTIC_Windows_Hacktool_Darkloadlibrary_C25Ee4Eb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_DarkLoadLibrary.yar#L1-L29"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5546194a71bc449789c3697f9c106860ac0a21e1ccf2b1196120b3f92f4b5306"
- logic_hash = "v1_sha256_c585abbe72834e9ba2e5f1c8070a43b0f10c2b574c72ffe1def4bfd431096415"
+ logic_hash = "c585abbe72834e9ba2e5f1c8070a43b0f10c2b574c72ffe1def4bfd431096415"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -75137,7 +75137,7 @@ rule ELASTIC_Linux_Rootkit_Generic_61229Bdf : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Generic.yar#L1-L74"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_624c599a073c59f9c7f7c7492053470e4aafd1735519bf2c3eef290999e4e4ad"
+ logic_hash = "624c599a073c59f9c7f7c7492053470e4aafd1735519bf2c3eef290999e4e4ad"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -75221,7 +75221,7 @@ rule ELASTIC_Linux_Rootkit_Generic_482Bca48 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Generic.yar#L76-L116"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_5b73588523e7ae66e9346c1b7a078cc04fab42672c8d2ff5900d4346385143c7"
+ logic_hash = "5b73588523e7ae66e9346c1b7a078cc04fab42672c8d2ff5900d4346385143c7"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -75272,7 +75272,7 @@ rule ELASTIC_Linux_Rootkit_Generic_D0C5Cfe0 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Generic.yar#L118-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e5d7e5a7147724f3c6baa3697ab51ed105d34ffbd7a14dec22a95181a6361d5f"
+ logic_hash = "e5d7e5a7147724f3c6baa3697ab51ed105d34ffbd7a14dec22a95181a6361d5f"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -75324,7 +75324,7 @@ rule ELASTIC_Linux_Rootkit_Generic_F07Bcabe : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Generic.yar#L161-L180"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_2e63ceede0347ad6cf80f9a0d8acce42c8b34bd1a549cfc20993af76f780dd2f"
+ logic_hash = "2e63ceede0347ad6cf80f9a0d8acce42c8b34bd1a549cfc20993af76f780dd2f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75355,7 +75355,7 @@ rule ELASTIC_Linux_Cryptominer_Attribute_3683D149 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Attribute.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ec9e74d52d745275718fe272bfd755335739ad5f680f73f5a4e66df6eb141a63"
- logic_hash = "v1_sha256_71aa8aa4171671af4aa0271b64da95ac1d8766de12a949c97ebcac9369224ecd"
+ logic_hash = "71aa8aa4171671af4aa0271b64da95ac1d8766de12a949c97ebcac9369224ecd"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -75384,7 +75384,7 @@ rule ELASTIC_Windows_Ransomware_Akira_C8C298Ba : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Akira.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a2df5477cf924bd41241a3326060cc2f913aff2379858b148ddec455e4da67bc"
- logic_hash = "v1_sha256_9058c83693e93f6daee8894453e56e0d9a4867d551ec3a6b66d7a517f65d8b07"
+ logic_hash = "9058c83693e93f6daee8894453e56e0d9a4867d551ec3a6b66d7a517f65d8b07"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75417,7 +75417,7 @@ rule ELASTIC_Windows_Ransomware_Snake_550E0265 : BETA FILE MEMORY
 reference = "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Snake.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d9c2f6961a4ef560743060ed176bdc606561ca1b8270b8826cb0dbadaf4e5dbc"
+ logic_hash = "d9c2f6961a4ef560743060ed176bdc606561ca1b8270b8826cb0dbadaf4e5dbc"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -75450,7 +75450,7 @@ rule ELASTIC_Windows_Ransomware_Snake_119F9C83 : BETA FILE MEMORY
 reference = "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Snake.yar#L26-L46"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_cf6c81e7332acc798409a05a548460bad0ac3621402672c242e48a1b6bccdae6"
+ logic_hash = "cf6c81e7332acc798409a05a548460bad0ac3621402672c242e48a1b6bccdae6"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -75480,7 +75480,7 @@ rule ELASTIC_Windows_Ransomware_Snake_20Bc5Abc : BETA FILE MEMORY
 reference = "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Snake.yar#L48-L67"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_f3d8a523e04e516e8e059c9f13df355e6caf29a528cfebdf730e3a7d135e3351"
+ logic_hash = "f3d8a523e04e516e8e059c9f13df355e6caf29a528cfebdf730e3a7d135e3351"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -75510,7 +75510,7 @@ rule ELASTIC_Windows_Trojan_Fickerstealer_Cc02E75E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Fickerstealer.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6"
- logic_hash = "v1_sha256_ccfd7edf7625c13eea5b88fa29f9b8d3d873688f328f3e52c0500ac722c84511"
+ logic_hash = "ccfd7edf7625c13eea5b88fa29f9b8d3d873688f328f3e52c0500ac722c84511"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -75540,7 +75540,7 @@ rule ELASTIC_Windows_Trojan_Fickerstealer_F2159Bec : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Fickerstealer.yar#L22-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a4113ccb55e06e783b6cb213647614f039aa7dbb454baa338459ccf37897ebd6"
- logic_hash = "v1_sha256_d36cb90b526a291858291d615272baa78881309c83376f4d4cce1768c740ddbc"
+ logic_hash = "d36cb90b526a291858291d615272baa78881309c83376f4d4cce1768c740ddbc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75569,7 +75569,7 @@ rule ELASTIC_Linux_Ransomware_Redalert_39642D52 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_RedAlert.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09"
- logic_hash = "v1_sha256_fa8fc16f0c8a55dd78781d334d7f55db6aa5e60f76cebf5282150af8ceb08dc3"
+ logic_hash = "fa8fc16f0c8a55dd78781d334d7f55db6aa5e60f76cebf5282150af8ceb08dc3"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -75602,7 +75602,7 @@ rule ELASTIC_Macos_Backdoor_Useragent_1A02Fc3A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Backdoor_Useragent.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "623f99cbe20af8b79cbfea7f485d47d3462d927153d24cac4745d7043c15619a"
- logic_hash = "v1_sha256_90debdfc24ef100952302808a2e418bca2a46be3e505add9a0ccf4c49aff5102"
+ logic_hash = "90debdfc24ef100952302808a2e418bca2a46be3e505add9a0ccf4c49aff5102"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75635,7 +75635,7 @@ rule ELASTIC_Windows_Trojan_Xeno_F92Ffb82 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Xeno.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "22dbdbcdd4c8b6899006f9f07e87c19b6a2947eeff8cc89c653309379b388cf4"
- logic_hash = "v1_sha256_17d5107b297c150cf737382c175e491e6bc4b17b2db583ff193f4acd40fdd459"
+ logic_hash = "17d5107b297c150cf737382c175e491e6bc4b17b2db583ff193f4acd40fdd459"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75664,7 +75664,7 @@ rule ELASTIC_Windows_Trojan_Xeno_89F9F060 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Xeno.yar#L21-L45"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b74733d68e95220ab0630a68ddf973b0c959fd421628e639c1b91e465ba9299b"
- logic_hash = "v1_sha256_a98bf8d1411449b41f0e35d368de3355ace837d9a406eee4f8fb087737eb283e"
+ logic_hash = "a98bf8d1411449b41f0e35d368de3355ace837d9a406eee4f8fb087737eb283e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75699,7 +75699,7 @@ rule ELASTIC_Windows_Trojan_Caesarkbd_32Bb198B : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CaesarKbd.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8"
- logic_hash = "v1_sha256_f708706524515f98ebf612ac98318ee7172347096251d9ccd723f439070521de"
+ logic_hash = "f708706524515f98ebf612ac98318ee7172347096251d9ccd723f439070521de"
 score = 75
 quality = 75
 tags = "FILE"
@@ -75728,7 +75728,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_48Bb4B2C : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_XTier.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0f726d8ce21c0c9e01ebe6b55913c519ad6086bcaec1a89f8308f3effacd435f"
- logic_hash = "v1_sha256_fd6ae610a4d2cbf02aae2302d181d07780e723ac7e61b5aa3fd18ba834160729"
+ logic_hash = "fd6ae610a4d2cbf02aae2302d181d07780e723ac7e61b5aa3fd18ba834160729"
 score = 75
 quality = 75
 tags = "FILE"
@@ -75759,7 +75759,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_8A2F6Dc1 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_XTier.yar#L23-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3"
- logic_hash = "v1_sha256_90e1efd9d918f15459dd3fabb4737cbdeded66da1d556becca051bdda5867c11"
+ logic_hash = "90e1efd9d918f15459dd3fabb4737cbdeded66da1d556becca051bdda5867c11"
 score = 75
 quality = 75
 tags = "FILE"
@@ -75790,7 +75790,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_F4760D4A : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_XTier.yar#L45-L65"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0e14a4401011a9f4e444028ac5b1595da34bbbf9af04a00670f15ff839734003"
- logic_hash = "v1_sha256_dc83771e08b8530bf138782ba8c7724e7ecff40c973407a7f654346302a284d5"
+ logic_hash = "dc83771e08b8530bf138782ba8c7724e7ecff40c973407a7f654346302a284d5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -75821,7 +75821,7 @@ rule ELASTIC_Windows_Vulndriver_Xtier_6A7De49F : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_XTier.yar#L67-L87"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "26c86227d3f387897c1efd77dc711eef748eb90be84149cb306e3d4c45cc71c7"
- logic_hash = "v1_sha256_de0d25377103d50b33a95a804b9c3eb9ef221d56fa1dfda0a32f14dcd95ee4b1"
+ logic_hash = "de0d25377103d50b33a95a804b9c3eb9ef221d56fa1dfda0a32f14dcd95ee4b1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -75852,7 +75852,7 @@ rule ELASTIC_Linux_Backdoor_Bash_E427876D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Backdoor_Bash.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "07db41a4ddaac802b04df5e5bbae0881fead30cb8f6fa53a8a2e1edf14f2d36b"
- logic_hash = "v1_sha256_fdd066b746416730419787d21eb53fa2ba997679a237d9db3a2e1365d43df892"
+ logic_hash = "fdd066b746416730419787d21eb53fa2ba997679a237d9db3a2e1365d43df892"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -75881,7 +75881,7 @@ rule ELASTIC_Windows_Hacktool_Certify_Ffe1Cca2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Certify.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3c7f759a6c38d0c0780fba2d43be6dcf9e4869d54b66f16c0703ec8e58124953"
- logic_hash = "v1_sha256_e1d37ad683bfbe34433dc5e13ae2cf7c873fed640e1c58a3b0274b4b34900e53"
+ logic_hash = "e1d37ad683bfbe34433dc5e13ae2cf7c873fed640e1c58a3b0274b4b34900e53"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -75918,7 +75918,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_B2Ccf852 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Reptile.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b"
- logic_hash = "v1_sha256_efb4c0a9894e09b5a2a614a02810524e66b21f00b76ad583cc1eb551f4a73dcc"
+ logic_hash = "efb4c0a9894e09b5a2a614a02810524e66b21f00b76ad583cc1eb551f4a73dcc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75951,7 +75951,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_C9F8806D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Reptile.yar#L25-L53"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b"
- logic_hash = "v1_sha256_de1f8dc139ca506581119edcbd8d9b19576b0522e86b7f36713538f67a235446"
+ logic_hash = "de1f8dc139ca506581119edcbd8d9b19576b0522e86b7f36713538f67a235446"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -75990,7 +75990,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_Eb201301 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Reptile.yar#L55-L92"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b"
- logic_hash = "v1_sha256_665c791cdcdc3aed7b9dcd6b839b12e3f9a838bef54c698b5d353b44922ea87c"
+ logic_hash = "665c791cdcdc3aed7b9dcd6b839b12e3f9a838bef54c698b5d353b44922ea87c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76038,7 +76038,7 @@ rule ELASTIC_Linux_Rootkit_Reptile_85Abf958 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Reptile.yar#L94-L118"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "331494780c1869e8367c3e16a2b99aeadc604c73b87f09a01dda00ade686675b"
- logic_hash = "v1_sha256_955dc251eeec64216eafa5c1ff7574e2ee96e72413b689ba147de9fbfc994864"
+ logic_hash = "955dc251eeec64216eafa5c1ff7574e2ee96e72413b689ba147de9fbfc994864"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76073,7 +76073,7 @@ rule ELASTIC_Linux_Cryptominer_Ksmdbot_Ebeedb3C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Ksmdbot.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b927e0fe58219305d86df8b3e44493a7c854a6ea4f76d1ebe531a7bfd4365b54"
- logic_hash = "v1_sha256_67f97cc4f2886ed296b5b3827dc1d1792136ba8d9d27c20b677c9467618c879d"
+ logic_hash = "67f97cc4f2886ed296b5b3827dc1d1792136ba8d9d27c20b677c9467618c879d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76107,7 +76107,7 @@ rule ELASTIC_Windows_Vulndriver_Iobitunlocker_Defb90Fd : FILE
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0aff83f28d70f425539fee3d6a780210d0406264f8a4eb124e32b074e8ffd556"
 hash = "5ce1a8eac73ef1d0741f34d9fb2661da322117a63bffe60ccad092da89664c42"
- logic_hash = "v1_sha256_4b0f440c66b7c9a193f0d6675c2a4246036ebc5c0c83856f45ec40a041e9cd07"
+ logic_hash = "4b0f440c66b7c9a193f0d6675c2a4246036ebc5c0c83856f45ec40a041e9cd07"
 score = 75
 quality = 75
 tags = "FILE"
@@ -76140,7 +76140,7 @@ rule ELASTIC_Windows_Trojan_Bumblebee_35F50Bea : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bumblebee.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6"
- logic_hash = "v1_sha256_9f22b1b7f9e2d7858738d02730ef5477f8d430ad3606ebf4ac8b01314fdc9c46"
+ logic_hash = "9f22b1b7f9e2d7858738d02730ef5477f8d430ad3606ebf4ac8b01314fdc9c46"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76170,7 +76170,7 @@ rule ELASTIC_Windows_Trojan_Bumblebee_70Bed4F3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bumblebee.yar#L22-L46"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9fff05a5aa9cbbf7d37bc302d8411cbd63fb3a28dc6f5163798ae899b9edcda6"
- logic_hash = "v1_sha256_3ff97986bfd8df812c4ef94395b3ac7f9ead4d059c398f8984ee217a1bcee4af"
+ logic_hash = "3ff97986bfd8df812c4ef94395b3ac7f9ead4d059c398f8984ee217a1bcee4af"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76205,7 +76205,7 @@ rule ELASTIC_Windows_Trojan_Spectralviper_43Abeeeb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SpectralViper.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7e35ba39c2c77775b0394712f89679308d1a4577b6e5d0387835ac6c06e556cb"
- logic_hash = "v1_sha256_976e5b5b4ba73f1b392c2f6b32a86b09b5fd9e5a3510c60b77a39f1e0d705822"
+ logic_hash = "976e5b5b4ba73f1b392c2f6b32a86b09b5fd9e5a3510c60b77a39f1e0d705822"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -76241,7 +76241,7 @@ rule ELASTIC_Windows_Trojan_Spectralviper_368C36A0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SpectralViper.yar#L29-L53" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d1c32176b46ce171dbce46493eb3c5312db134b0a3cfa266071555c704e6cff8" - logic_hash = "v1_sha256_6182bde93e18dc6a83a94b50b193f5f29ed9abfa89b53c290818e7dab5bbb334" + logic_hash = "6182bde93e18dc6a83a94b50b193f5f29ed9abfa89b53c290818e7dab5bbb334" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76274,7 +76274,7 @@ rule ELASTIC_Windows_Trojan_Downtown_901C4Fdd : FILE MEMORY reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DownTown.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_6368d37fa9ba4e32131e16bceaee322f2fa8507873d01ebd687536e593354725" + logic_hash = "6368d37fa9ba4e32131e16bceaee322f2fa8507873d01ebd687536e593354725" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76304,7 +76304,7 @@ rule ELASTIC_Windows_Trojan_Downtown_145Ecd2F : FILE MEMORY reference = "https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DownTown.yar#L23-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_744a51c5317e265177185d9d0b8838a8fc939b4c56cc5e5bc51d5432d046d9f1" + logic_hash = "744a51c5317e265177185d9d0b8838a8fc939b4c56cc5e5bc51d5432d046d9f1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76336,7 +76336,7 @@ rule ELASTIC_Macos_Trojan_Thiefquest_9130C0F3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Thiefquest.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bed3561210e44c290cd410adadcdc58462816a03c15d20b5be45d227cd7dca6b" - logic_hash = "v1_sha256_20e9ea15a437a17c4ef68f2472186f6d1ab3118d5b392f84fcb2bd376ec3863a" + logic_hash = "20e9ea15a437a17c4ef68f2472186f6d1ab3118d5b392f84fcb2bd376ec3863a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76368,7 +76368,7 @@ rule ELASTIC_Macos_Trojan_Thiefquest_Fc2E1271 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Thiefquest.yar#L24-L42" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "12fb0eca3903a3b39ecc3c2aa6c04fe5faa1f43a3d271154d14731d1eb196923" - logic_hash = "v1_sha256_a20c76e53874fc0fec5fd2660c63c6f1e7c1b2055cbd2a9efdfd114cd6bdda5c" + logic_hash = "a20c76e53874fc0fec5fd2660c63c6f1e7c1b2055cbd2a9efdfd114cd6bdda5c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76397,7 +76397,7 @@ rule ELASTIC_Macos_Trojan_Thiefquest_86F9Ef0C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Thiefquest.yar#L44-L62" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "59fb018e338908eb69be72ab11837baebf8d96cdb289757f1f4977228e7640a0" - logic_hash = "v1_sha256_426d533d39e594123f742b15d0a93ded986b9b308685f7b2cfaf5de0b32cdbff" + logic_hash = "426d533d39e594123f742b15d0a93ded986b9b308685f7b2cfaf5de0b32cdbff" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76426,7 +76426,7 @@ rule ELASTIC_Macos_Trojan_Thiefquest_40F9C1C3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Thiefquest.yar#L64-L82" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e402063ca317867de71e8e3189de67988e2be28d5d773bbaf75618202e80f9f6" - logic_hash = "v1_sha256_546edc2d6d715eac47e7a8d3ceb91cf314fa6dbee04f0475a5c4a84ba53fd722" + logic_hash = "546edc2d6d715eac47e7a8d3ceb91cf314fa6dbee04f0475a5c4a84ba53fd722" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76455,7 +76455,7 @@ rule ELASTIC_Macos_Trojan_Thiefquest_0F9Fe37C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Thiefquest.yar#L84-L102" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "12fb0eca3903a3b39ecc3c2aa6c04fe5faa1f43a3d271154d14731d1eb196923" - logic_hash = "v1_sha256_84f9e8938d7e2b0210003fc8334b8fa781a40afffeda8d2341970b84ed5d3b5a" + logic_hash = "84f9e8938d7e2b0210003fc8334b8fa781a40afffeda8d2341970b84ed5d3b5a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76484,7 +76484,7 @@ rule ELASTIC_Macos_Trojan_Thiefquest_1F4Bac78 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Thiefquest.yar#L104-L122" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "12fb0eca3903a3b39ecc3c2aa6c04fe5faa1f43a3d271154d14731d1eb196923" - logic_hash = "v1_sha256_96db33e135138846f978026867bb2536226539997d060f41e7081f7f29b66c85" + logic_hash = "96db33e135138846f978026867bb2536226539997d060f41e7081f7f29b66c85" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76513,7 +76513,7 @@ rule ELASTIC_Linux_Ransomware_Blacksuit_9F53E7E5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_BlackSuit.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e" - logic_hash = "v1_sha256_121e0139385cfef5dff394c4ea36d950314b00c6d7021cf2ca667ee942e74763" + logic_hash = "121e0139385cfef5dff394c4ea36d950314b00c6d7021cf2ca667ee942e74763" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -76544,7 +76544,7 @@ rule ELASTIC_Macos_Trojan_Generic_A829D361 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Generic.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "5b2a1cd801ae68a890b40dbd1601cdfeb5085574637ae8658417d0975be8acb5" - logic_hash = "v1_sha256_70a954e8b44b1ce46f5ce0ebcf43b46e1292f0b8cdb46aa67f980d3c9b0a6f61" + logic_hash = "70a954e8b44b1ce46f5ce0ebcf43b46e1292f0b8cdb46aa67f980d3c9b0a6f61" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76573,7 +76573,7 @@ rule ELASTIC_Windows_Exploit_CVE_2022_38028_31Fdb122 : FILE MEMORY CVE_2022_3802 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_CVE_2022_38028.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f" - logic_hash = "v1_sha256_df0ef11ce8e840c331d1db8f98917367dc2a33b6f1be48adb9d0b86729ecbe99" + logic_hash = "df0ef11ce8e840c331d1db8f98917367dc2a33b6f1be48adb9d0b86729ecbe99" score = 75 quality = 73 tags = "FILE, MEMORY, CVE-2022-38028" @@ -76602,7 +76602,7 @@ rule ELASTIC_Macos_Trojan_Rustbucket_E64F7A92 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_RustBucket.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747" - logic_hash = "v1_sha256_bd6005d72faba6aaeebdcbd8c771995cbfc667faf01eb93825afe985954a47fc" + logic_hash = "bd6005d72faba6aaeebdcbd8c771995cbfc667faf01eb93825afe985954a47fc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76633,7 +76633,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_D13544D7 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "85fa30ba59602199fd99463acf50bd607e755c2e18cd8843ffcfb6b1aca24bb3" - logic_hash = "v1_sha256_fcb2fc7a84fbcd23f9a9d9fd2750c45ff881689670a373fce0cc444183d11999" + logic_hash = "fcb2fc7a84fbcd23f9a9d9fd2750c45ff881689670a373fce0cc444183d11999" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76662,7 +76662,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Ad09E090 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "cdd3d567fbcbdd6799afad241ae29acbe4ab549445e5c4fc0678d16e75b40dfa" - logic_hash = "v1_sha256_6c2d548ba9f01444e8fe4b0aa8a0556970acac06d39bb7c87446b6b91ab0d129" + logic_hash = "6c2d548ba9f01444e8fe4b0aa8a0556970acac06d39bb7c87446b6b91ab0d129" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76691,7 +76691,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_12299814 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "eb3802496bd2fef72bd2a07e32ea753f69f1c2cc0b5a605e480f3bbb80b22676" - logic_hash = "v1_sha256_52e8bcd0512cedf0fa048b6990a5d331f4302d99b00681c83a76587415894b1e" + logic_hash = "52e8bcd0512cedf0fa048b6990a5d331f4302d99b00681c83a76587415894b1e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76720,7 +76720,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_A47B77E4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "995b43ccb20343494e314824343a567fd85f430e241fdeb43704d9d4937d76cc" - logic_hash = "v1_sha256_bd2b14c8b8e2649af837224fadb32bf0fb67ac403189063a8cb10ad344fb8015" + logic_hash = "bd2b14c8b8e2649af837224fadb32bf0fb67ac403189063a8cb10ad344fb8015" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76749,7 +76749,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_21D0550B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L81-L99" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "07db41a4ddaac802b04df5e5bbae0881fead30cb8f6fa53a8a2e1edf14f2d36b" - logic_hash = "v1_sha256_c9a12eee281b1e944b5572142c5e18ff087989f45026a94268df22d483210178" + logic_hash = "c9a12eee281b1e944b5572142c5e18ff087989f45026a94268df22d483210178" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76778,7 +76778,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_C8Adb449 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L101-L119" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "00ec7a6e9611b5c0e26c148ae5ebfedc57cf52b21e93c2fe3eac85bf88edc7ea" - logic_hash = "v1_sha256_9c43602dc752dd737a983874bee5ec6af145ce5fdd45d03864a1afdc2aec3ad4" + logic_hash = "9c43602dc752dd737a983874bee5ec6af145ce5fdd45d03864a1afdc2aec3ad4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76807,7 +76807,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Bcab1E8F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L121-L139" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "19df7fd22051abe3f782432398ea30f8be88cf42ef14bc301b1676f35b37cd7e" - logic_hash = "v1_sha256_72643b2860f40c7e901c671d7cc9992870b91912df5d75d2ffba0dfb8684f8d3" + logic_hash = "72643b2860f40c7e901c671d7cc9992870b91912df5d75d2ffba0dfb8684f8d3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76836,7 +76836,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_6671F33A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L141-L159" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "85fa30ba59602199fd99463acf50bd607e755c2e18cd8843ffcfb6b1aca24bb3" - logic_hash = "v1_sha256_a15c842c7c7ec3b11183a1502f8ec03ea786e3f0d47fbab58c62ffff7b018030" + logic_hash = "a15c842c7c7ec3b11183a1502f8ec03ea786e3f0d47fbab58c62ffff7b018030" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76865,7 +76865,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_74418Ec5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L161-L179" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d79ad967ac9fc0b1b6d54e844de60d7ba3eaad673ee69d30f9f804e5ccbf2880" - logic_hash = "v1_sha256_e74463f53611baaec7c8e126218d8353c6e3a5e71c20e98a7035df6b771b690b" + logic_hash = "e74463f53611baaec7c8e126218d8353c6e3a5e71c20e98a7035df6b771b690b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76893,7 +76893,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_979160F6 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L181-L198" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_e70097fb263c90576e87e76cc7be391dbf9c9d73bbd7fb8e5ec282e6ac1f648d" + logic_hash = "e70097fb263c90576e87e76cc7be391dbf9c9d73bbd7fb8e5ec282e6ac1f648d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76922,7 +76922,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Fe7139E5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L200-L218" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8b13dc59db58b6c4cd51abf9c1d6f350fa2cb0dbb44b387d3e171eacc82a04de" - logic_hash = "v1_sha256_d1ef74f2a74950845091b2ebc2f7fd05980bcbd2aea4fdd9549c54cec1768501" + logic_hash = "d1ef74f2a74950845091b2ebc2f7fd05980bcbd2aea4fdd9549c54cec1768501" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -76951,7 +76951,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_F35A670C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L220-L238" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a73808211ba00b92f8d0027831b3aa74db15f068c53dd7f20fcadb294224f480" - logic_hash = "v1_sha256_95a8aeffb7193c3f4adfea5b7f0741a53528620c57cbdb4d471d756db03c6493" + logic_hash = "95a8aeffb7193c3f4adfea5b7f0741a53528620c57cbdb4d471d756db03c6493" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -76980,7 +76980,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_70E5946E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L240-L258" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b" - logic_hash = "v1_sha256_324deafee2b14c125100e49b90ea95bc1fc55020a7e81a69c7730a57430560f4" + logic_hash = "324deafee2b14c125100e49b90ea95bc1fc55020a7e81a69c7730a57430560f4" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77009,7 +77009,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_033F06Dd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L260-L278" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3afc8d2d85aca61108d21f82355ad813eba7a189e81dde263d318988c5ea50bd" - logic_hash = "v1_sha256_a0c788dbcd43cab2af1614d5d90ed9e07a45b547241f729e09709d2a1ec24e60" + logic_hash = "a0c788dbcd43cab2af1614d5d90ed9e07a45b547241f729e09709d2a1ec24e60" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -77038,7 +77038,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Ce0C185F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L280-L298" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "cdd3d567fbcbdd6799afad241ae29acbe4ab549445e5c4fc0678d16e75b40dfa" - logic_hash = "v1_sha256_f88c5a295cc62f5a91e26731fc60aaf450376cbb282f43304ba2a5ac5d149dd4" + logic_hash = "f88c5a295cc62f5a91e26731fc60aaf450376cbb282f43304ba2a5ac5d149dd4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77067,7 +77067,7 @@ rule ELASTIC_Linux_Cryptominer_Malxmr_Da08E491 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Malxmr.yar#L300-L318" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4638d9ece32cd1385121146378772d487666548066aecd7e40c3ba5231f54cc0" - logic_hash = "v1_sha256_f98252c33f8d76981bbc51de87a11a7edca7292a864fc2a305d29cd21961729e" + logic_hash = "f98252c33f8d76981bbc51de87a11a7edca7292a864fc2a305d29cd21961729e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77096,7 +77096,7 @@ rule ELASTIC_Windows_Trojan_Plugx_5F3844Ff : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PlugX.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a823380e46878dfa8deb3ca0dc394db1db23bb2544e2d6e49c0eceeffb595875" - logic_hash = "v1_sha256_a1a484f4cf00ec0775a3f322bae66ce5f9cc52f08306b38f079445233c49bf52" + logic_hash = "a1a484f4cf00ec0775a3f322bae66ce5f9cc52f08306b38f079445233c49bf52" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77129,7 +77129,7 @@ rule ELASTIC_Windows_Trojan_Plugx_F338Dab5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PlugX.yar#L25-L45" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8af3fc1f8bd13519d78ee83af43daaa8c5e2c3f184c09f5c41941e0c6f68f0f7" - logic_hash = "v1_sha256_0482305a73bc500aa7c266536cb8286ea796f6b1eaba39547bed22313bbb4457" + logic_hash = "0482305a73bc500aa7c266536cb8286ea796f6b1eaba39547bed22313bbb4457" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77160,7 +77160,7 @@ rule ELASTIC_Linux_Trojan_Merlin_55Beddd3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Merlin.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "15ccdf2b948fe6bd3d3a7f5370e72cf3badec83f0ec7f47cdf116990fb551adf" - logic_hash = "v1_sha256_293158c981463544abd0c38694bfc8635ad1a679bbae115521b65879f145cea6" + logic_hash = "293158c981463544abd0c38694bfc8635ad1a679bbae115521b65879f145cea6" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77189,7 +77189,7 @@ rule ELASTIC_Linux_Trojan_Merlin_Bbad69B8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Merlin.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d9955487f7d08f705e41a5ff848fb6f02d6c88286a52ec837b7b555fb422d1b6" - logic_hash = "v1_sha256_e18079c9f018dc8d7f2fdf5c950b405f9f84ad2a5b18775dbef829fe1cb770c3" + logic_hash = "e18079c9f018dc8d7f2fdf5c950b405f9f84ad2a5b18775dbef829fe1cb770c3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77218,7 +77218,7 @@ rule ELASTIC_Linux_Trojan_Merlin_C6097296 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Merlin.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d9955487f7d08f705e41a5ff848fb6f02d6c88286a52ec837b7b555fb422d1b6" - logic_hash = "v1_sha256_f48ed7f19ab29633600fde4bfea274bf36e7f60d700c9806b334d38a51d28b92" + logic_hash = "f48ed7f19ab29633600fde4bfea274bf36e7f60d700c9806b334d38a51d28b92" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77247,7 +77247,7 @@ rule ELASTIC_Windows_Vulndriver_Hrsword_15B431Ee : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_HrSword.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "272e934cec4a84ab92b2bccb98539d73542ea9184960a2c9923d4edc667f4d4f" - logic_hash = "v1_sha256_d8aed70f101a717efe83adceea0f220fb0b145ab8aa39b6250ac2bc057bf51ce" + logic_hash = "d8aed70f101a717efe83adceea0f220fb0b145ab8aa39b6250ac2bc057bf51ce" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77277,7 +77277,7 @@ rule ELASTIC_Windows_Ransomware_Stop_1E8D48Ff : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Stop.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3" - logic_hash = "v1_sha256_d743feae072a5f3e1b008354352bef48218bb041bc8a5ba39526815ab9cd2690" + logic_hash = "d743feae072a5f3e1b008354352bef48218bb041bc8a5ba39526815ab9cd2690" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77307,7 +77307,7 @@ rule ELASTIC_Windows_Hacktool_Blackbone_2Ff5Ec38 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_BlackBone.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4e3887f950bff034efedd40f1e949579854a24140128246fa6141f2c34de6017" - logic_hash = "v1_sha256_0c32bd04460cdf7a56664253992a684c2c684b15ac9ca853b27ab24f07f71607" + logic_hash = "0c32bd04460cdf7a56664253992a684c2c684b15ac9ca853b27ab24f07f71607" score = 75 quality = 75 tags = "FILE" 
@@ -77336,7 +77336,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_70C153B5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "55b133ba805bb691dc27a5d16d3473650360c988e48af8adc017377eed07935b" - logic_hash = "v1_sha256_e2fc0721435c656a16e59b6747563df17f0f54a4620efc403a3bba717ccb0f38" + logic_hash = "e2fc0721435c656a16e59b6747563df17f0f54a4620efc403a3bba717ccb0f38" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77365,7 +77365,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_98B00F9C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c01b88c5d3df7ce828e567bd8d639b135c48106e388cd81497fcbd5dcf30f332" - logic_hash = "v1_sha256_cf8c5deddf22e7699cd880bd3f9f28721db5ece6705be4f932e1d041893eef71" + logic_hash = "cf8c5deddf22e7699cd880bd3f9f28721db5ece6705be4f932e1d041893eef71" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77394,7 +77394,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_2B250178 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "636605cf63d3e335fe9481d4d110c43572e9ab365edfa2b6d16d96b52d6283ef" - logic_hash = "v1_sha256_067705c52de710372b4a2a3b77427106068ad2d9a8e56602e315d09e7b8b6206" + logic_hash = "067705c52de710372b4a2a3b77427106068ad2d9a8e56602e315d09e7b8b6206" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77423,7 +77423,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_67Bf4B54 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9d33fba4fda6831d22afc72bf3d6d5349c5393abb3823dfa2a5c9e391d2b9ddf" - logic_hash = "v1_sha256_448f5b9dc3c17984464c15f6d542f495a52b0531acc362dedfe3d1a20b932969" + logic_hash = "448f5b9dc3c17984464c15f6d542f495a52b0531acc362dedfe3d1a20b932969" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77451,7 +77451,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_504B42Ca : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L81-L98" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_dd3ed5350e0229ac714178a30de28893c30708734faec329c776e189493cf930" + logic_hash = "dd3ed5350e0229ac714178a30de28893c30708734faec329c776e189493cf930" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77480,7 +77480,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_D1Bb752F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L100-L118" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bea55bc9495ee51c78ceedadf3a685ea9d6dd428170888c67276c100d4d94beb" - logic_hash = "v1_sha256_47aa5516350d5c00d1387649df46ce8f09d87bdfafeaa4cbf1c3ef5f2e0b9023" + logic_hash = "47aa5516350d5c00d1387649df46ce8f09d87bdfafeaa4cbf1c3ef5f2e0b9023" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77508,7 +77508,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_D625Fcd2 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L120-L137" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_b95b66392e1a07e0b6acd718a9501cede76e57561e69701e9e881bd3fbd3fe39" + logic_hash = "b95b66392e1a07e0b6acd718a9501cede76e57561e69701e9e881bd3fbd3fe39" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77537,7 +77537,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_02D19C01 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L139-L157" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b6df662f5f7566851b95884c0058e7476e49aeb7a96d2aa203393d88e584972f" - logic_hash = "v1_sha256_43a1dc49bf75cd13637c37290d47b4d6fc1b2c2ac252b64725c0c64e1dd745c6" + logic_hash = "43a1dc49bf75cd13637c37290d47b4d6fc1b2c2ac252b64725c0c64e1dd745c6" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77566,7 +77566,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_2Dd045Fc : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L159-L177" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "30a77ab582f0558829a78960929f657a7c3c03c2cf89cd5a0f6934b79a74b7a4" - logic_hash = "v1_sha256_fa23ca75027f7a5e73652173c9e84112a0b5cd3008fc453fdb33c980dc7b7b24" + logic_hash = "fa23ca75027f7a5e73652173c9e84112a0b5cd3008fc453fdb33c980dc7b7b24" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77595,7 +77595,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_D1A814B0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L179-L197" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bea55bc9495ee51c78ceedadf3a685ea9d6dd428170888c67276c100d4d94beb" - logic_hash = "v1_sha256_a06f5d5be87153be1253c2e20a60fa36701a745813926be03ee466ce8e2285b0" + logic_hash = "a06f5d5be87153be1253c2e20a60fa36701a745813926be03ee466ce8e2285b0" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77624,7 +77624,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_C6218E30 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L199-L217" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b43ddd8e355b0c538c123c43832e7c8c557e4aee9e914baaed0866ee5d68ee55" - logic_hash = "v1_sha256_3efbc3cb1591a9340df10640b411a9ab4c41e0aa26c1677d9def8b82e4c246f4" + logic_hash = "3efbc3cb1591a9340df10640b411a9ab4c41e0aa26c1677d9def8b82e4c246f4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77653,7 +77653,7 @@ rule ELASTIC_Linux_Cryptominer_Xmrminer_B17A7888 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xmrminer.yar#L219-L237" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "65c9fdd7c559554af06cd394dcebece1bc0fdc7dd861929a35c74547376324a6" - logic_hash = "v1_sha256_a7f6daa5c42d186d2c5a027fdb35b45287c3564a7b57b8a2f53659e6ca90602a" + logic_hash = "a7f6daa5c42d186d2c5a027fdb35b45287c3564a7b57b8a2f53659e6ca90602a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -77682,7 +77682,7 @@ rule ELASTIC_Windows_Trojan_Behinder_B9A49F4B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Behinder.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a50ca8df4181918fe0636272f31e19815f1b97cce6d871e15e03b0ee0e3da17b" - logic_hash = "v1_sha256_2303ef82e4dc5e8be87ddc4563dcd06963d17e1fbf25cf246a6c81e4e74adbcb" + logic_hash = "2303ef82e4dc5e8be87ddc4563dcd06963d17e1fbf25cf246a6c81e4e74adbcb" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -77713,7 +77713,7 @@ rule ELASTIC_Windows_Trojan_Dustywarehouse_A6Cfc9F7 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DustyWarehouse.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8c4de69e89dcc659d2fff52d695764f1efd7e64e0a80983ce6d0cb9eeddb806c" - logic_hash = "v1_sha256_2b4cd9316e2fda882c95673edecb9c82a03ef4fdcc2d2e25783644cc5dfb5bf0" + logic_hash = "2b4cd9316e2fda882c95673edecb9c82a03ef4fdcc2d2e25783644cc5dfb5bf0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -77746,7 +77746,7 @@ rule ELASTIC_Windows_Trojan_Dustywarehouse_3Fef514B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DustyWarehouse.yar#L25-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4ad024f53595fdd380f5b5950b62595cd47ac424d2427c176a7b2dfe4e1f35f7"
- logic_hash = "v1_sha256_865ea1e54950a465b71939a41f7a726ccddcfa9f0d777ea853926f65bca0da84"
+ logic_hash = "865ea1e54950a465b71939a41f7a726ccddcfa9f0d777ea853926f65bca0da84"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77775,7 +77775,7 @@ rule ELASTIC_Linux_Exploit_Criscras_Fc505C1D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Criscras.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7399f6b8fbd6d6c6fb56ab350c84910fe19cc5da67e4de37065ff3d4648078ab"
- logic_hash = "v1_sha256_4d84570c13c584fb7360e798df9f3e6039ee74fdb6ad597add0ea150e3deaa80"
+ logic_hash = "4d84570c13c584fb7360e798df9f3e6039ee74fdb6ad597add0ea150e3deaa80"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77804,7 +77804,7 @@ rule ELASTIC_Windows_Hacktool_Sharpgpoabuse_14Ea480E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpGPOAbuse.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d13f87b9eaf09ef95778b2f1469aa34d03186d127c8f73c73299957d386c78d1"
- logic_hash = "v1_sha256_efc1259f4ed05c8f41df75c056d36fd5a808a92b5c88cfb0522caedea39476b4"
+ logic_hash = "efc1259f4ed05c8f41df75c056d36fd5a808a92b5c88cfb0522caedea39476b4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77840,7 +77840,7 @@ rule ELASTIC_Windows_Vulndriver_Threatfire_Cbe7Ac92 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_ThreatFire.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856"
- logic_hash = "v1_sha256_689e17c9fdfc9de10a2cf3d39306103712504ab46db35ac65ed0340c83af240d"
+ logic_hash = "689e17c9fdfc9de10a2cf3d39306103712504ab46db35ac65ed0340c83af240d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77870,7 +77870,7 @@ rule ELASTIC_Windows_Hacktool_Clroxide_D92D9575 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_ClrOxide.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f3a4900eff80563bff586ced172c3988347980f902aceef2f9f9f6d188fac8e3"
- logic_hash = "v1_sha256_01bb071e1286bb139c5e1c37e421153ef1b28a5994feeaedf6ad27ad7dade5e9"
+ logic_hash = "01bb071e1286bb139c5e1c37e421153ef1b28a5994feeaedf6ad27ad7dade5e9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77904,7 +77904,7 @@ rule ELASTIC_Windows_Hacktool_Askcreds_34E3E3D4 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_AskCreds.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d911566ca546a8546928cd0ffa838fd344b35f75a4a7e80789d20e52c7cd38d0"
+ logic_hash = "d911566ca546a8546928cd0ffa838fd344b35f75a4a7e80789d20e52c7cd38d0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -77935,7 +77935,7 @@ rule ELASTIC_Windows_Trojan_Generic_A681F24A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a796f316b1ed7fa809d9ad5e9b25bd780db76001345ea83f5035a33618f927fa"
- logic_hash = "v1_sha256_72bfefc8f92dbe65d197e02bf896315dcbc54d7b68d0434f43de026ccf934f40"
+ logic_hash = "72bfefc8f92dbe65d197e02bf896315dcbc54d7b68d0434f43de026ccf934f40"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -77965,7 +77965,7 @@ rule ELASTIC_Windows_Trojan_Generic_Ae824B13 : REF1296 FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L23-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_cee46c1efdaa1815606f932a4f79b316e02c1b481e73c4c2f8b7c72023e8684c"
+ logic_hash = "cee46c1efdaa1815606f932a4f79b316e02c1b481e73c4c2f8b7c72023e8684c"
 score = 75
 quality = 67
 tags = "REF1296, FILE, MEMORY"
@@ -77996,7 +77996,7 @@ rule ELASTIC_Windows_Trojan_Generic_Eb47E754 : REF1296 FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L45-L65"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_1d96e813ed0261bd0d7caca2803ed8d5fe4d77ea00efc9130eef86aa872c4656"
+ logic_hash = "1d96e813ed0261bd0d7caca2803ed8d5fe4d77ea00efc9130eef86aa872c4656"
 score = 75
 quality = 67
 tags = "REF1296, FILE, MEMORY"
@@ -78028,7 +78028,7 @@ rule ELASTIC_Windows_Trojan_Generic_C7Fd8D38 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L67-L89"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a1702ec12c2bf4a52e11fbdab6156358084ad2c662c8b3691918ef7eabacde96"
- logic_hash = "v1_sha256_81c56cd741692a7f2a894c2b8f2676aad47f14221228b9466a2ab0f05d76c623"
+ logic_hash = "81c56cd741692a7f2a894c2b8f2676aad47f14221228b9466a2ab0f05d76c623"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78061,7 +78061,7 @@ rule ELASTIC_Windows_Trojan_Generic_Bbe6C282 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L91-L109"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1"
- logic_hash = "v1_sha256_fe874d69ae71775cf997845c90e731479569e2ac1ac882a4b8c3c73d015b1f30"
+ logic_hash = "fe874d69ae71775cf997845c90e731479569e2ac1ac882a4b8c3c73d015b1f30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78090,7 +78090,7 @@ rule ELASTIC_Windows_Trojan_Generic_889B1248 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L111-L132"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a48d57a139c7e3efa0c47f8699e2cf6159dc8cdd823b16ce36257eb8c9d14d53"
- logic_hash = "v1_sha256_b3bb93b95377d6c6606d29671395b78c0954cc47d5cc450436799638d0458469"
+ logic_hash = "b3bb93b95377d6c6606d29671395b78c0954cc47d5cc450436799638d0458469"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -78122,7 +78122,7 @@ rule ELASTIC_Windows_Trojan_Generic_02A87A20 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L134-L152"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
- logic_hash = "v1_sha256_610db1b429ed2ecfc552f73ed4782cb56254e6fc98b728ffeff6938fbcce9616"
+ logic_hash = "610db1b429ed2ecfc552f73ed4782cb56254e6fc98b728ffeff6938fbcce9616"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78151,7 +78151,7 @@ rule ELASTIC_Windows_Trojan_Generic_4Fbff084 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L154-L175"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7010a69ba77e65e70f4f3f4a10af804e6932c2218ff4abd5f81240026822b401"
- logic_hash = "v1_sha256_47d1a01e0edee3239d99ff1f32eb4cfc77d6e38823fed799a562e142d3d3a22d"
+ logic_hash = "47d1a01e0edee3239d99ff1f32eb4cfc77d6e38823fed799a562e142d3d3a22d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78183,7 +78183,7 @@ rule ELASTIC_Windows_Trojan_Generic_73Ed7375 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L177-L196"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2b17328a3ef0e389419c9c86f81db4118cf79640799e5c6fdc97de0fc65ad556"
- logic_hash = "v1_sha256_7e27c9377d0b2058a2a36da4ac7d37a54c566f3246e69aa356171edae6b478c5"
+ logic_hash = "7e27c9377d0b2058a2a36da4ac7d37a54c566f3246e69aa356171edae6b478c5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78213,7 +78213,7 @@ rule ELASTIC_Windows_Trojan_Generic_96Cdf3C4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L198-L217"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9a4d68de36f1706a3083de7eb41f839d8c7a4b8b585cc767353df12866a48c81"
- logic_hash = "v1_sha256_f92e5549aca320d71e1eec8daa82e8bbf3517c7f23f376bb355fdfa32da2e7a9"
+ logic_hash = "f92e5549aca320d71e1eec8daa82e8bbf3517c7f23f376bb355fdfa32da2e7a9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78243,7 +78243,7 @@ rule ELASTIC_Windows_Trojan_Generic_F0C79978 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L219-L238"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8f800b35bfbc8474f64b76199b846fe56b24a3ffd8c7529b92ff98a450d3bd38"
- logic_hash = "v1_sha256_b16971ed0947660dda8d79c11531a9498a80e00f2dbc2c0eb63895b7f5c5f980"
+ logic_hash = "b16971ed0947660dda8d79c11531a9498a80e00f2dbc2c0eb63895b7f5c5f980"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78273,7 +78273,7 @@ rule ELASTIC_Windows_Trojan_Generic_40899C85 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L240-L260"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88eb4f2e7085947bfbd03c69573fdca0de4a74bab844f09ecfcf88e358af20cc"
- logic_hash = "v1_sha256_317034add0343baa26548712de8b2acc04946385fbee048cea0bd8d7ae642b36"
+ logic_hash = "317034add0343baa26548712de8b2acc04946385fbee048cea0bd8d7ae642b36"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78303,7 +78303,7 @@ rule ELASTIC_Windows_Trojan_Generic_9997489C : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L262-L290"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_857bbf64ced06f76eb50afbfbb699c62e11625196213c2e5267b828cca911b74"
+ logic_hash = "857bbf64ced06f76eb50afbfbb699c62e11625196213c2e5267b828cca911b74"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78343,7 +78343,7 @@ rule ELASTIC_Windows_Trojan_Generic_2993E5A5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L292-L310"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9f9b926cef69e879462d9fa914dda8c60a01f3d409b55afb68c3fb94bf1a339b"
- logic_hash = "v1_sha256_37a10597d1afeb9411f6c652537186628291cbe6af680abe12bb96591add7e78"
+ logic_hash = "37a10597d1afeb9411f6c652537186628291cbe6af680abe12bb96591add7e78"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78372,7 +78372,7 @@ rule ELASTIC_Windows_Trojan_Generic_0E135D58 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Generic.yar#L312-L330"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c"
- logic_hash = "v1_sha256_bc10218b1d761f72836bb5f9bb41d3f0fe13c4baa1109025269f938ec642aec4"
+ logic_hash = "bc10218b1d761f72836bb5f9bb41d3f0fe13c4baa1109025269f938ec642aec4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78401,7 +78401,7 @@ rule ELASTIC_Windows_Vulndriver_Cpuz_A53D1446 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Cpuz.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6"
- logic_hash = "v1_sha256_37da20f5fe1377fe85594055dc811424f52e53a9d77060c6784c2e4d1279e26f"
+ logic_hash = "37da20f5fe1377fe85594055dc811424f52e53a9d77060c6784c2e4d1279e26f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -78431,7 +78431,7 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_3793364E : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BloodAlchemy.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c9f03767b92bb2c44f6b386e1f0a521f1a7a063cf73799844cc3423d4a7de7be"
+ logic_hash = "c9f03767b92bb2c44f6b386e1f0a521f1a7a063cf73799844cc3423d4a7de7be"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78460,7 +78460,7 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_E510798D : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BloodAlchemy.yar#L22-L41"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7919bb5f19745a1620e6be91622c40083cbd2ddb02905215736a2ed11e9af5c4"
+ logic_hash = "7919bb5f19745a1620e6be91622c40083cbd2ddb02905215736a2ed11e9af5c4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78489,7 +78489,7 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_63084Eea : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BloodAlchemy.yar#L43-L61"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_3fe64502992281511e942b8f4541d61b33e900dbe23ea9f976c7eb9522ce4cbd"
+ logic_hash = "3fe64502992281511e942b8f4541d61b33e900dbe23ea9f976c7eb9522ce4cbd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78517,7 +78517,7 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_C2D80609 : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BloodAlchemy.yar#L63-L81"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_694a0f917f106fbdde4c8e5dd8f9cdce56e9423ce5a7c3a5bf30bf43308d42e9"
+ logic_hash = "694a0f917f106fbdde4c8e5dd8f9cdce56e9423ce5a7c3a5bf30bf43308d42e9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78545,7 +78545,7 @@ rule ELASTIC_Windows_Trojan_Bloodalchemy_De591C5A : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BloodAlchemy.yar#L83-L106"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_fd5cfe2558a7c02a617003140cdcf477ec451ecea4adf2808bef8f93673c28f1"
+ logic_hash = "fd5cfe2558a7c02a617003140cdcf477ec451ecea4adf2808bef8f93673c28f1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78579,7 +78579,7 @@ rule ELASTIC_Windows_Vulndriver_Rweverything_Aee156A5 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_RWEverything.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3c5bf92c26398695f9ced7ce647a7e9f6ddcc89eea66b45aa3607196a187431b"
- logic_hash = "v1_sha256_46b7f2ad46564c6b99f0df6146dff7c88ccbe3ad6c6d1bcbefe756606c4fe40e"
+ logic_hash = "46b7f2ad46564c6b99f0df6146dff7c88ccbe3ad6c6d1bcbefe756606c4fe40e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -78609,7 +78609,7 @@ rule ELASTIC_Windows_Trojan_Bazar_711D59F6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bazar.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f29253139dab900b763ef436931213387dc92e860b9d3abb7dcd46040ac28a0e"
- logic_hash = "v1_sha256_3bde62b468c44bdc18878fd369a7f0cf06f7be64149587a11524f725fa875f69"
+ logic_hash = "3bde62b468c44bdc18878fd369a7f0cf06f7be64149587a11524f725fa875f69"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78638,7 +78638,7 @@ rule ELASTIC_Windows_Trojan_Bazar_9Dddea36 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bazar.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "63df43daa61f9a0fbea2e5409b8f0063f7af3363b6bc8d6984ce7e90c264727d"
- logic_hash = "v1_sha256_cf88e2e896fce742ad3325d53523167d6eb42188309ed4e66f73601bbb85574e"
+ logic_hash = "cf88e2e896fce742ad3325d53523167d6eb42188309ed4e66f73601bbb85574e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78667,7 +78667,7 @@ rule ELASTIC_Windows_Trojan_Bazar_3A2Cc53B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bazar.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b057eb94e711995fd5fd6c57aa38a243575521b11b98734359658a7a9829b417"
- logic_hash = "v1_sha256_8cde37be646dbcf7e7f5e3f28f0fe8c95480861c62fa2ee8cdd990859313756c"
+ logic_hash = "8cde37be646dbcf7e7f5e3f28f0fe8c95480861c62fa2ee8cdd990859313756c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78696,7 +78696,7 @@ rule ELASTIC_Windows_Trojan_Bazar_De8D625A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bazar.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ad9ac4785b82c8bfa355c7343b9afc7b1f163471c41671ea2f9152a1b550f0c"
- logic_hash = "v1_sha256_5fd7bb4ac818ec1b4bfcb7d236868a31b2f726182407c07c7f06c1d7e9c15d02"
+ logic_hash = "5fd7bb4ac818ec1b4bfcb7d236868a31b2f726182407c07c7f06c1d7e9c15d02"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78725,7 +78725,7 @@ rule ELASTIC_Windows_Trojan_Xpertrat_Ce03C41D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Xpertrat.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d7f2fddb43eb63f9246f0a4535dfcca6da2817592455d7eceaacde666cf1aaae"
- logic_hash = "v1_sha256_f6ff0a11f261bc75c9d0015131f177d39bb9e8e30346a75209ba8fa808ac4fcb"
+ logic_hash = "f6ff0a11f261bc75c9d0015131f177d39bb9e8e30346a75209ba8fa808ac4fcb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78756,7 +78756,7 @@ rule ELASTIC_Windows_Hacktool_Sharplaps_381C3F40 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpLAPS.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ef0d508b3051fe6f99ba55202a17237f29fdbc0085e3f5c99b1aef52c8ebe425"
- logic_hash = "v1_sha256_d94f9e4200a63283346919c121873130ad90e4ad5979c017cb71dc0cc910a64a"
+ logic_hash = "d94f9e4200a63283346919c121873130ad90e4ad5979c017cb71dc0cc910a64a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -78792,7 +78792,7 @@ rule ELASTIC_Windows_Trojan_Masslogger_511B001E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_MassLogger.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "177875c756a494872c516000beb6011cec22bd9a73e58ba6b2371dba2ab8c337"
- logic_hash = "v1_sha256_5abac5e32e55467710842e19c25cab5c7f1cdb0f8a68fb6808d54467c69ebdf6"
+ logic_hash = "5abac5e32e55467710842e19c25cab5c7f1cdb0f8a68fb6808d54467c69ebdf6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78826,7 +78826,7 @@ rule ELASTIC_Linux_Rootkit_Melofee_25D42Bdd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Melofee.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5830862707711a032728dfa6a85c904020766fa316ea85b3eef9c017f0e898cc"
- logic_hash = "v1_sha256_5af18434295e80403c3587165cd9db3b771d8f06eaa467e1161a0cd213446bee"
+ logic_hash = "5af18434295e80403c3587165cd9db3b771d8f06eaa467e1161a0cd213446bee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78863,7 +78863,7 @@ rule ELASTIC_Linux_Cryptominer_Loudminer_581F57A9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Loudminer.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b"
- logic_hash = "v1_sha256_82db0985f215da1d84e16fce94df7553b43b06082bf5475515dbbcf016c40fe4"
+ logic_hash = "82db0985f215da1d84e16fce94df7553b43b06082bf5475515dbbcf016c40fe4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78892,7 +78892,7 @@ rule ELASTIC_Linux_Cryptominer_Loudminer_F2298A50 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Loudminer.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b"
- logic_hash = "v1_sha256_6c2c9b6aea1fb35f8f600dd084ed9cfd56123f7502036e76dd168ccd8b43b28f"
+ logic_hash = "6c2c9b6aea1fb35f8f600dd084ed9cfd56123f7502036e76dd168ccd8b43b28f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78921,7 +78921,7 @@ rule ELASTIC_Linux_Cryptominer_Loudminer_851Fc7Aa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Loudminer.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2c2729395805fc9d3c1e654c9a065bbafc4f28d8ab235afaae8d2c484060596b"
- logic_hash = "v1_sha256_9f271a16fe30fbf0c16533522b733228f19e0c44d173e4c0ef43bf13323e7383"
+ logic_hash = "9f271a16fe30fbf0c16533522b733228f19e0c44d173e4c0ef43bf13323e7383"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78950,7 +78950,7 @@ rule ELASTIC_Windows_Vulndriver_Windivert_25991186 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_WinDivert.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8da085332782708d8767bcace5327a6ec7283c17cfb85e40b03cd2323a90ddc2"
- logic_hash = "v1_sha256_a67679bb2f23d1f6691c9ad23da1fd4c2402701ba1929c7abf078d7d95011a08"
+ logic_hash = "a67679bb2f23d1f6691c9ad23da1fd4c2402701ba1929c7abf078d7d95011a08"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -78979,7 +78979,7 @@ rule ELASTIC_Linux_Trojan_Sshdkit_18A0B82A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdkit.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "003245047359e17706e4504f8988905a219fcb48865afea934e6aafa7f97cef6"
- logic_hash = "v1_sha256_4b7a78ebf3c114809148cc9855379b2e63c959966272ad45759838d570b42016"
+ logic_hash = "4b7a78ebf3c114809148cc9855379b2e63c959966272ad45759838d570b42016"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79008,7 +79008,7 @@ rule ELASTIC_Windows_Trojan_Raccoon_Af6Decc6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Raccoon.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fe09bef10b21f085e9ca411e24e0602392ab5044b7268eaa95fb88790f1a124d"
- logic_hash = "v1_sha256_50ec446e8fd51129c7333c943dfe62db099fe1379530441f6b102fcbe3bc0dbd"
+ logic_hash = "50ec446e8fd51129c7333c943dfe62db099fe1379530441f6b102fcbe3bc0dbd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79038,7 +79038,7 @@ rule ELASTIC_Windows_Trojan_Raccoon_58091F64 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Raccoon.yar#L22-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fe09bef10b21f085e9ca411e24e0602392ab5044b7268eaa95fb88790f1a124d"
- logic_hash = "v1_sha256_8a7388e9c3dd0dd1a79215dbabcd964a0afa883490611afb6bb500635fbfff9a"
+ logic_hash = "8a7388e9c3dd0dd1a79215dbabcd964a0afa883490611afb6bb500635fbfff9a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79067,7 +79067,7 @@ rule ELASTIC_Windows_Trojan_Raccoon_Deb6325C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Raccoon.yar#L42-L63"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f7b1aaae018d5287444990606fc43a0f2deb4ac0c7b2712cc28331781d43ae27"
- logic_hash = "v1_sha256_94f70c60ed4fab021e013cf6a632321e0e1bdeef25a48a598d9e7388e7e445ca"
+ logic_hash = "94f70c60ed4fab021e013cf6a632321e0e1bdeef25a48a598d9e7388e7e445ca"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79099,7 +79099,7 @@ rule ELASTIC_Windows_Vulndriver_Arpot_09C714C5 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_ArPot.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1"
- logic_hash = "v1_sha256_e5f972ad9a31aefbd20237e6ea3dd19a025c2e3487fa080e9f9b8acf1e3f58e6"
+ logic_hash = "e5f972ad9a31aefbd20237e6ea3dd19a025c2e3487fa080e9f9b8acf1e3f58e6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -79130,7 +79130,7 @@ rule ELASTIC_Linux_Trojan_Rekoobe_E75472Fa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rekoobe.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8d2a9e363752839a09001a9e3044ab7919daffd9d9aee42d936bc97394164a88"
- logic_hash = "v1_sha256_e3e9934ee8ce6933f676949c5b5c82ad044ac32f08fe86697b0a0cf7fb63fc5e"
+ logic_hash = "e3e9934ee8ce6933f676949c5b5c82ad044ac32f08fe86697b0a0cf7fb63fc5e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79159,7 +79159,7 @@ rule ELASTIC_Linux_Trojan_Rekoobe_52462Fe8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rekoobe.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c1d8c64105caecbd90c6e19cf89301a4dc091c44ab108e780bdc8791a94caaad"
- logic_hash = "v1_sha256_1ab6979392eeaa7bd6bd84f8d3531bd9071c54b58306a42dcfdd27bf7ec8f8cd"
+ logic_hash = "1ab6979392eeaa7bd6bd84f8d3531bd9071c54b58306a42dcfdd27bf7ec8f8cd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79188,7 +79188,7 @@ rule ELASTIC_Linux_Trojan_Rekoobe_De9E7Bdf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rekoobe.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "447da7bee72c98c2202f1919561543e54ec1b9b67bd67e639b9fb6e42172d951"
- logic_hash = "v1_sha256_bdc4a3e4eeffc0d32e6a86dda54beceab8301d0065731d9ade390392ab4c6126"
+ logic_hash = "bdc4a3e4eeffc0d32e6a86dda54beceab8301d0065731d9ade390392ab4c6126"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79217,7 +79217,7 @@ rule ELASTIC_Linux_Trojan_Rekoobe_B41F70C2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rekoobe.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "19c1a54279be1710724fc75a112741575936fe70379d166effc557420da714cd"
- logic_hash = "v1_sha256_02de55c537da1cc03af26a171c768ad87984e45983c3739f90ad9983c70e7ccf"
+ logic_hash = "02de55c537da1cc03af26a171c768ad87984e45983c3739f90ad9983c70e7ccf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79246,7 +79246,7 @@ rule ELASTIC_Linux_Trojan_Rekoobe_1D307D7C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rekoobe.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "00bc669f79b2903c5d9e6412050655486111647c646698f9a789e481a7c98662"
- logic_hash = "v1_sha256_de4807353d2ba977459a1bf7f51fd815e311c0bdc5fccd5e99fd44a766f6866f"
+ logic_hash = "de4807353d2ba977459a1bf7f51fd815e311c0bdc5fccd5e99fd44a766f6866f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79275,7 +79275,7 @@ rule ELASTIC_Linux_Trojan_Rekoobe_7F7Aba78 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rekoobe.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "50b73742726b0b7e00856e288e758412c74371ea2f0eaf75b957d73dfb396fd7"
- logic_hash = "v1_sha256_a3b46d29fa51dd6a911cb9cb0e67e9d57d3f3b6697dc8edcc4d82f09d9819a92"
+ logic_hash = "a3b46d29fa51dd6a911cb9cb0e67e9d57d3f3b6697dc8edcc4d82f09d9819a92"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79304,7 +79304,7 @@ rule ELASTIC_Linux_Trojan_Rekoobe_Ab8Ba790 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rekoobe.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2aee0c74d9642ffab1f313179c26400acf60d7cbd2188bade28534d403f468d4"
- logic_hash = "v1_sha256_2a7a71712ad3f756a2dc53ec80bd9fb625f7c679fd9566945ebfeb392b9874a9"
+ logic_hash = "2a7a71712ad3f756a2dc53ec80bd9fb625f7c679fd9566945ebfeb392b9874a9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79333,7 +79333,7 @@ rule ELASTIC_Linux_Trojan_Dofloo_Be1973Ed : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dofloo.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88d826bac06c29e1b9024baaf90783e15d87d2a5c8c97426cbd5a70ae0f99461"
- logic_hash = "v1_sha256_65f9daabf44006fe4405032bf93570185248bc62cd287650c68f854b23aa2158"
+ logic_hash = "65f9daabf44006fe4405032bf93570185248bc62cd287650c68f854b23aa2158"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79362,7 +79362,7 @@ rule ELASTIC_Linux_Trojan_Dofloo_1D057993 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dofloo.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88d826bac06c29e1b9024baaf90783e15d87d2a5c8c97426cbd5a70ae0f99461"
- logic_hash = "v1_sha256_c5e15e21946816052d5a8dc293db3830f1d6d06cdbf22eb8667b655206dbbc1f"
+ logic_hash = "c5e15e21946816052d5a8dc293db3830f1d6d06cdbf22eb8667b655206dbbc1f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79391,7 +79391,7 @@ rule ELASTIC_Linux_Trojan_Dofloo_29C12775 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dofloo.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88d826bac06c29e1b9024baaf90783e15d87d2a5c8c97426cbd5a70ae0f99461"
- logic_hash = "v1_sha256_a8eb79fdf57811f4ffd5a7c5ec54cf46c06281f8cd4d677aec1ad168d6648a08"
+ logic_hash = "a8eb79fdf57811f4ffd5a7c5ec54cf46c06281f8cd4d677aec1ad168d6648a08"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79420,7 +79420,7 @@ rule ELASTIC_Linux_Trojan_Pnscan_20E34E35 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Pnscan.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7dbd5b709f16296ba7dac66dc35b9c3373cf88452396d79d0c92d7502c1b0005"
- logic_hash = "v1_sha256_1e69ef50d25ffd0f38ed0eb81ab3295822aa183c5e06f307caf02826b1dfa011"
+ logic_hash = "1e69ef50d25ffd0f38ed0eb81ab3295822aa183c5e06f307caf02826b1dfa011"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79449,7 +79449,7 @@ rule ELASTIC_Linux_Cryptominer_Stak_05088561 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Stak.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d0d2bab33076121cf6a0a2c4ff1738759464a09ae4771c39442a865a76daff59"
- logic_hash = "v1_sha256_2b0f8a4efdfb13abcc2a1b43e9c39828ea1de6015fef0ef613bd754da5aa3e9a"
+ logic_hash = "2b0f8a4efdfb13abcc2a1b43e9c39828ea1de6015fef0ef613bd754da5aa3e9a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79477,7 +79477,7 @@ rule ELASTIC_Linux_Cryptominer_Stak_Ae8B98A9 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Stak.yar#L21-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_aade76488aa2f557de9082647153cca374a4819cd8e539ebba4bfef2334221b0"
+ logic_hash = "aade76488aa2f557de9082647153cca374a4819cd8e539ebba4bfef2334221b0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79506,7 +79506,7 @@ rule ELASTIC_Linux_Cryptominer_Stak_D707Fd3A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Stak.yar#L40-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d0d2bab33076121cf6a0a2c4ff1738759464a09ae4771c39442a865a76daff59"
- logic_hash = "v1_sha256_b825247372aace6e3ce0ff1d9685b6bb041b7277f8967d5f5926b49813cfadc9"
+ logic_hash = "b825247372aace6e3ce0ff1d9685b6bb041b7277f8967d5f5926b49813cfadc9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79535,7 +79535,7 @@ rule ELASTIC_Linux_Cryptominer_Stak_52Dc7Af3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Stak.yar#L60-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a9c14b51f95d0c368bf90fb10e7d821a2fbcc79df32fd9f068a7fc053cbd7e83"
- logic_hash = "v1_sha256_81998164f517b6f1ef72b10227cfff86aa8bbd2b4e2668f946c8ed59696ae74d"
+ logic_hash = "81998164f517b6f1ef72b10227cfff86aa8bbd2b4e2668f946c8ed59696ae74d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79564,7 +79564,7 @@ rule ELASTIC_Linux_Cryptominer_Stak_Bb3153Ac : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Stak.yar#L80-L98"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5b974b6e6a239bcdc067c53cc8a6180c900052d7874075244dc49aaaa9414cca"
- logic_hash = "v1_sha256_e8516a24358b12863fe52c823ca67f0004457017334fe77dabf5f08d6bf2d907"
+ logic_hash = "e8516a24358b12863fe52c823ca67f0004457017334fe77dabf5f08d6bf2d907"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -79593,7 +79593,7 @@ rule ELASTIC_Windows_Ransomware_Blackmatter_B548D151 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Blackmatter.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486"
- logic_hash = "v1_sha256_cf76a311de9d292a2ea09b3937b8eb7fd761b7c33a464a31acf6b9a5bf121959"
+ logic_hash = "cf76a311de9d292a2ea09b3937b8eb7fd761b7c33a464a31acf6b9a5bf121959"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79622,7 +79622,7 @@ rule ELASTIC_Windows_Ransomware_Blackmatter_8394F6D5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Blackmatter.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486"
- logic_hash = "v1_sha256_50a9b65ca6dde4fc32d2d57e72042f4380dd6c263ec5c33ce7c158151b91a5ae"
+ logic_hash = "50a9b65ca6dde4fc32d2d57e72042f4380dd6c263ec5c33ce7c158151b91a5ae"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79651,7 +79651,7 @@ rule ELASTIC_Windows_Trojan_STRRAT_A3E48Cd2 : MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_STRRAT.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9"
- logic_hash = "v1_sha256_32f79695829f703bf9996d212aeb563791aed28e1bbb9f700cb45325fd02db77"
+ logic_hash = "32f79695829f703bf9996d212aeb563791aed28e1bbb9f700cb45325fd02db77"
 score = 75
 quality = 75
 tags = "MEMORY"
@@ -79681,7 +79681,7 @@ rule ELASTIC_Linux_Rootkit_Perfctl_Ce456896 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Perfctl.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "69de4c062eebb13bf2ee3ee0febfd4a621f2a17c3048416d897aecf14503213a"
- logic_hash = "v1_sha256_d3782e9674b20fc3efccf7491659969e09f74c2467f1643fe8f5019102f4ee54"
+ logic_hash = "d3782e9674b20fc3efccf7491659969e09f74c2467f1643fe8f5019102f4ee54"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79714,7 +79714,7 @@ rule ELASTIC_Windows_Ransomware_Rook_Ee21Fa67 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Rook.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c2d46d256b8f9490c9599eea11ecef19fde7d4fdd2dea93604cee3cea8e172ac"
- logic_hash = "v1_sha256_6fe19cfc572a3dceba5e26615d111a3c0fa1036e275a5640a5c5a8f8cdaf6dc1"
+ logic_hash = "6fe19cfc572a3dceba5e26615d111a3c0fa1036e275a5640a5c5a8f8cdaf6dc1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79743,7 +79743,7 @@ rule ELASTIC_Windows_Ransomware_Maui_266Dea64 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Maui.yar#L1-L29"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e"
- logic_hash = "v1_sha256_2094920615b6297adb222003d25a8d0934a89f24869e7e70644a4956021c7afc"
+ logic_hash = "2094920615b6297adb222003d25a8d0934a89f24869e7e70644a4956021c7afc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79782,7 +79782,7 @@ rule ELASTIC_Windows_Vulndriver_Fidpci_Cb7F69B5 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Fidpci.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46"
- logic_hash = "v1_sha256_459429fb4e5156890f19c451e48676c9cd06eaab1c2eaea9236737c795086b5f"
+ logic_hash = "459429fb4e5156890f19c451e48676c9cd06eaab1c2eaea9236737c795086b5f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -79811,7 +79811,7 @@ rule ELASTIC_Linux_Rootkit_Arkd_Bbd56917 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Arkd.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e0765f0e90839b551778214c2f9ae567dd44838516a3df2c73396a488227a600"
- logic_hash = "v1_sha256_5e1ce9c37d92222e21b43f9e5f3275a70c6e8eb541c3762f9382c5d5c72fb50d"
+ logic_hash = "5e1ce9c37d92222e21b43f9e5f3275a70c6e8eb541c3762f9382c5d5c72fb50d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79840,7 +79840,7 @@ rule ELASTIC_Windows_Hacktool_Sharpdump_7C17D8B1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpDump.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "14c3ea569a1bd9ac3aced4f8dd58314532dbf974bfa359979e6c7b6a4bbf41ca"
- logic_hash = "v1_sha256_10ca29b097d9f1cef27349751e8f1e584ead1056a636224a80f00823ca878c13"
+ logic_hash = "10ca29b097d9f1cef27349751e8f1e584ead1056a636224a80f00823ca878c13"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -79873,7 +79873,7 @@ rule ELASTIC_Linux_Ransomware_Royalpest_502A3Db6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_RoyalPest.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "09a79e5e20fa4f5aae610c8ce3fe954029a91972b56c6576035ff7e0ec4c1d14"
- logic_hash = "v1_sha256_aefb5a286636b827b50e4bc0ea978a75ba6a9e572504bfbc0a7700372c54a077"
+ logic_hash = "aefb5a286636b827b50e4bc0ea978a75ba6a9e572504bfbc0a7700372c54a077"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79905,7 +79905,7 @@ rule ELASTIC_Windows_Rootkit_R77_5Bab748B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Rootkit_R77.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cfc76dddc74996bfbca6d9076d2f6627912ea196fdbdfb829819656d4d316c0c"
- logic_hash = "v1_sha256_ebf851ef41fde8e3118acc742cd2b38651f662a00f11dd6f7c65cf56019c43d5"
+ logic_hash = "ebf851ef41fde8e3118acc742cd2b38651f662a00f11dd6f7c65cf56019c43d5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79934,7 +79934,7 @@ rule ELASTIC_Windows_Rootkit_R77_Eb366Abc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Rootkit_R77.yar#L22-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "21e7f69986987fc75bce67c4deda42bd7605365bac83cf2cecb25061b2d86d4f"
- logic_hash = "v1_sha256_3d6f1c60bf749c53f4a4fcfd6490d309e4450d5f7e64de4665c3d80af1bce44f"
+ logic_hash = "3d6f1c60bf749c53f4a4fcfd6490d309e4450d5f7e64de4665c3d80af1bce44f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79964,7 +79964,7 @@ rule ELASTIC_Windows_Rootkit_R77_99050E7D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Rootkit_R77.yar#L44-L64"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3dc94c88caa3169e096715eb6c2e6de1b011120117c0a51d12f572b4ba999ea6"
- logic_hash = "v1_sha256_0fedf4698cc652076090b1fe256d05d2c0bc3ad2ab7ed5faa270c5c7fe0efca1"
+ logic_hash = "0fedf4698cc652076090b1fe256d05d2c0bc3ad2ab7ed5faa270c5c7fe0efca1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -79994,7 +79994,7 @@ rule ELASTIC_Windows_Rootkit_R77_Be403E3C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Rootkit_R77.yar#L66-L85"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "91c6e2621121a6871af091c52fafe41220ae12d6e47e52fd13a7b9edd8e31796"
- logic_hash = "v1_sha256_efbf924c7a299f2543c639b6262007eb3bdbf6ff5e33dab7d6102814b9477811"
+ logic_hash = "efbf924c7a299f2543c639b6262007eb3bdbf6ff5e33dab7d6102814b9477811"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80023,7 +80023,7 @@ rule ELASTIC_Windows_Rootkit_R77_Ee853C9F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Rootkit_R77.yar#L87-L112"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "916c805b0d512dd7bbd88f46632d66d9613de61691b4bd368e4b7cb1f0ac7f60"
- logic_hash = "v1_sha256_94f080f310ecace76da32ba2b4edcc80dedfb339113823708167c1d842db8cf3"
+ logic_hash = "94f080f310ecace76da32ba2b4edcc80dedfb339113823708167c1d842db8cf3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80058,7 +80058,7 @@ rule ELASTIC_Windows_Rootkit_R77_D0367E28 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Rootkit_R77.yar#L114-L141"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "96849108e13172d14591169f8fdcbf8a8aa6be05b7b6ef396d65529eacc02d89"
- logic_hash = "v1_sha256_588b18c54c344ca267b86143df20c7dcaab081e0ef6acae0bd0dae61593eb521"
+ logic_hash = "588b18c54c344ca267b86143df20c7dcaab081e0ef6acae0bd0dae61593eb521"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80095,7 +80095,7 @@ rule ELASTIC_Linux_Exploit_Perl_4A4B8A42 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Perl.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d1fa8520d3c3811d29c3d5702e7e0e7296b3faef0553835c495223a2bc015214"
- logic_hash = "v1_sha256_c1f7b1c20fe6db6acbe46be38cc97a40de6ca047a4e4490e86610dbff356b395"
+ logic_hash = "c1f7b1c20fe6db6acbe46be38cc97a40de6ca047a4e4490e86610dbff356b395"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -80124,7 +80124,7 @@ rule ELASTIC_Linux_Exploit_Perl_982Bb709 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Perl.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f3e4e2b5af9d0c72aae83cec57e5c091a95c549f826e8f13559aaf7d300f6e13"
- logic_hash = "v1_sha256_b38e6cb15034c38c31f6b267b9ecaabe8dfa950a2fc8863cfff7705182cffb3a"
+ logic_hash = "b38e6cb15034c38c31f6b267b9ecaabe8dfa950a2fc8863cfff7705182cffb3a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -80153,7 +80153,7 @@ rule ELASTIC_Windows_Trojan_Diamondfox_18Bc11E3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DiamondFox.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a44c46d4b9cf1254aaabd1e689f84c4d2c3dd213597f827acabface03a1ae6d1"
- logic_hash = "v1_sha256_c64e4b3349b33cfd0fec1fe41f91ad819bb6b6751e822d7ab8d14638ad27571d"
+ logic_hash = "c64e4b3349b33cfd0fec1fe41f91ad819bb6b6751e822d7ab8d14638ad27571d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80186,7 +80186,7 @@ rule ELASTIC_Windows_Trojan_Amadey_7Abb059B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Amadey.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "33e6b58ce9571ca7208d1c98610005acd439f3e37d2329dae8eb871a2c4c297e"
- logic_hash = "v1_sha256_23b75d6df9e2a7f8e1efee46ecaf1fc84247312b19a8a1941ddbca1b2ce5e1db"
+ logic_hash = "23b75d6df9e2a7f8e1efee46ecaf1fc84247312b19a8a1941ddbca1b2ce5e1db"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80215,7 +80215,7 @@ rule ELASTIC_Windows_Trojan_Amadey_C4Df8D4A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Amadey.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9039d31d0bd88d0c15ee9074a84f8d14e13f5447439ba80dd759bf937ed20bf2"
- logic_hash = "v1_sha256_7f96c4de585223033fb7e7906be6d6898651ecf30be51ed01abde18ef52c0e1e"
+ logic_hash = "7f96c4de585223033fb7e7906be6d6898651ecf30be51ed01abde18ef52c0e1e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80244,7 +80244,7 @@ rule ELASTIC_Linux_Trojan_Swrort_5Ad1A4F9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Swrort.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fa5695c355a6dc1f368a4b36a45e8f18958dacdbe0eac80c618fbec976bac8fe"
- logic_hash = "v1_sha256_3a1fa978e0c8ab0dd4e7965a3f91306d6123c19f21b86d3f8088979bf58c3a07"
+ logic_hash = "3a1fa978e0c8ab0dd4e7965a3f91306d6123c19f21b86d3f8088979bf58c3a07"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80273,7 +80273,7 @@ rule ELASTIC_Linux_Trojan_Swrort_4Cb5B116 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Swrort.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "703c16d4fcc6f815f540d50d8408ea00b4cf8060cc5f6f3ba21be047e32758e0"
- logic_hash = "v1_sha256_9404856fc3290f3a8f9bf891fde9a614fc4484719eb3b51ce7ab601a41e0c3a5"
+ logic_hash = "9404856fc3290f3a8f9bf891fde9a614fc4484719eb3b51ce7ab601a41e0c3a5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80302,7 +80302,7 @@ rule ELASTIC_Linux_Trojan_Swrort_22C2D6B6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Swrort.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6df073767f48dd79f98e60aa1079f3ab0b89e4f13eedc1af3c2c073e5e235bbc"
- logic_hash = "v1_sha256_f661544d267a55feec786ab3d4fc4f002afa8e2b58833461f56b745ec65acfd4"
+ logic_hash = "f661544d267a55feec786ab3d4fc4f002afa8e2b58833461f56b745ec65acfd4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80331,7 +80331,7 @@ rule ELASTIC_Windows_Trojan_Doubleback_D2246A35 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DoubleBack.yar#L1-L31"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "03d2a0747d06458ccddf65ff5847a511a105e0ad4dcb5134082623af6f705012"
- logic_hash = "v1_sha256_2241d2c6e5b5896fe6f3b02cb1786c39fa620ee503c4585bd75c8763b6d3c06a"
+ logic_hash = "2241d2c6e5b5896fe6f3b02cb1786c39fa620ee503c4585bd75c8763b6d3c06a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80372,7 +80372,7 @@ rule ELASTIC_Windows_Wiper_Caddywiper_484Bd98A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Wiper_CaddyWiper.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
- logic_hash = "v1_sha256_f473673afc211b02328f4e9d88e709acd95bf4b1fa565f5aca972b92324bf589"
+ logic_hash = "f473673afc211b02328f4e9d88e709acd95bf4b1fa565f5aca972b92324bf589"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80404,7 +80404,7 @@ rule ELASTIC_Windows_Hacktool_Ringq_B9715540 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_RingQ.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "450e01c32618cd4e4a327147896352ed1b34dca9fb28389dba450acf95f8b735"
- logic_hash = "v1_sha256_80d693c43a7026d28121e035ae875689512fd46d7f06c3f469b83d6fe707f36b"
+ logic_hash = "80d693c43a7026d28121e035ae875689512fd46d7f06c3f469b83d6fe707f36b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80439,7 +80439,7 @@ rule ELASTIC_Windows_Hacktool_Sharpwmi_A67D6Fe5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpWMI.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2134a5e1a5eece1336f831a7686c5ea3b6ca5aaa63ab7e7820be937da0678e15"
- logic_hash = "v1_sha256_de8749951ece8d4798ade4661d531515e12edf8e8606ddc330000d847a66a26c"
+ logic_hash = "de8749951ece8d4798ade4661d531515e12edf8e8606ddc330000d847a66a26c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -80476,7 +80476,7 @@ rule ELASTIC_Windows_Vulndriver_Powerprofiler_2Eedff78 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_PowerProfiler.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05"
- logic_hash = "v1_sha256_c4a7ae2ffdf70984cea5b543af93b202c78b6108da1e442186d24071b44d6259"
+ logic_hash = "c4a7ae2ffdf70984cea5b543af93b202c78b6108da1e442186d24071b44d6259"
 score = 75
 quality = 75
 tags = "FILE"
@@ -80507,7 +80507,7 @@ rule ELASTIC_Windows_Vulndriver_Iqvw_B8B45E6B : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Iqvw.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9"
- logic_hash = "v1_sha256_b0a8716f550ba231ca7db61bafd6effbc351faa45864f9ebf7be81f63f14a933"
+ logic_hash = "b0a8716f550ba231ca7db61bafd6effbc351faa45864f9ebf7be81f63f14a933"
 score = 60
 quality = 55
 tags = "FILE"
@@ -80538,7 +80538,7 @@ rule ELASTIC_Linux_Virus_Rst_1214E2Ae : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Virus_Rst.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b0e4f44d2456960bb6b20cb468c4ca1390338b83774b7af783c3d03e49eebe44"
- logic_hash = "v1_sha256_82de4a97f414d591daba2d5d49b941ec4c51d6a6af36f97f062eaac5c74ebe30"
+ logic_hash = "82de4a97f414d591daba2d5d49b941ec4c51d6a6af36f97f062eaac5c74ebe30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80567,7 +80567,7 @@ rule ELASTIC_Windows_Trojan_Revcoderat_8E6D4182 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Revcoderat.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210"
- logic_hash = "v1_sha256_35626d752b291e343350534aece35f1d875068c2c050d12312a60e67753c71e1"
+ logic_hash = "35626d752b291e343350534aece35f1d875068c2c050d12312a60e67753c71e1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80599,7 +80599,7 @@ rule ELASTIC_Windows_Trojan_Vidar_9007Feb2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Vidar.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec"
- logic_hash = "v1_sha256_fcdef7397f17ee402155e526c6fa8b51f3ea96e203a095b0b4c36cb7d3cc83d1"
+ logic_hash = "fcdef7397f17ee402155e526c6fa8b51f3ea96e203a095b0b4c36cb7d3cc83d1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80628,7 +80628,7 @@ rule ELASTIC_Windows_Trojan_Vidar_114258D5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Vidar.yar#L21-L44"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec"
- logic_hash = "v1_sha256_9ea3ea0533d14edd0332fa688497efd566a890d1507214fc8591a0a11433d060"
+ logic_hash = "9ea3ea0533d14edd0332fa688497efd566a890d1507214fc8591a0a11433d060"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80662,7 +80662,7 @@ rule ELASTIC_Windows_Trojan_Vidar_32Fea8Da : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Vidar.yar#L46-L66"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6f5c24fc5af2085233c96159402cec9128100c221cb6cb0d1c005ced7225e211"
- logic_hash = "v1_sha256_1a18cdc3bd533c34eb05b239830ecec418dc76ee9f4fcfc48afc73b07d55b3cd"
+ logic_hash = "1a18cdc3bd533c34eb05b239830ecec418dc76ee9f4fcfc48afc73b07d55b3cd"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -80693,7 +80693,7 @@ rule ELASTIC_Windows_Trojan_Vidar_C374Cd85 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Vidar.yar#L68-L86"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1c677585a8b724332849c411ffe2563b2b753fd6699c210f0720352f52a6ab72"
- logic_hash = "v1_sha256_8e183f780400f3bf9840798d53b431a4bf28bc43e07d69a3d614217e02f5dd79"
+ logic_hash = "8e183f780400f3bf9840798d53b431a4bf28bc43e07d69a3d614217e02f5dd79"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80722,7 +80722,7 @@ rule ELASTIC_Windows_Trojan_Vidar_65D3D7E5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Vidar.yar#L88-L114"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "83d7c2b437a5cbb314c457d3b7737305dadb2bc02d6562a98a8a8994061fe929"
- logic_hash = "v1_sha256_2b340f43faf563c7edbce6323d551208c4d9541d7153ea6c1c0d9a95b351e54b"
+ logic_hash = "2b340f43faf563c7edbce6323d551208c4d9541d7153ea6c1c0d9a95b351e54b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80759,7 +80759,7 @@ rule ELASTIC_Windows_Trojan_Havoc_77F3D40E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Havoc.yar#L1-L35"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3427dac129b760a03f2c40590c01065c9bf2340d2dfa4a4a7cf4830a02e95879"
- logic_hash = "v1_sha256_3d2733ed24d90e9e851ec36a08c497e9c90b47c3dcbb8755e3f6b6a6bd3a8b54"
+ logic_hash = "3d2733ed24d90e9e851ec36a08c497e9c90b47c3dcbb8755e3f6b6a6bd3a8b54"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80804,7 +80804,7 @@ rule ELASTIC_Windows_Trojan_Havoc_9C7Bb863 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Havoc.yar#L37-L56"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "261b92d9e8dcb9d0abf1627b791831ec89779f2b7973b1926c6ec9691288dd57"
- logic_hash = "v1_sha256_c1245c38c54b0a72fb335680d9ea191390e4e2fe7e47a3ed776878c5e01a3e16"
+ logic_hash = "c1245c38c54b0a72fb335680d9ea191390e4e2fe7e47a3ed776878c5e01a3e16"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80834,7 +80834,7 @@ rule ELASTIC_Windows_Trojan_Havoc_88053562 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Havoc.yar#L58-L76"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2f0b59f8220edd0d34fba92905faf0b51aead95d53be8b5f022eed7e21bdb4af"
- logic_hash = "v1_sha256_f79b39cc2ca4bbf6ad4b6585a9914a75797110d6fb68bcb7141c5c3d0429c412"
+ logic_hash = "f79b39cc2ca4bbf6ad4b6585a9914a75797110d6fb68bcb7141c5c3d0429c412"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80863,7 +80863,7 @@ rule ELASTIC_Windows_Trojan_Havoc_Ffecc8Af : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Havoc.yar#L78-L107"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "495d323651c252e38814b77b9c6c913b9489e769252ac8bbaf8432f15e0efe44"
- logic_hash = "v1_sha256_c9da6215db1de91a6cd52dd6558dc5a60bbd69abc6fa0db8714f001cdae20ddb"
+ logic_hash = "c9da6215db1de91a6cd52dd6558dc5a60bbd69abc6fa0db8714f001cdae20ddb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80903,7 +80903,7 @@ rule ELASTIC_Linux_Trojan_Snessik_D166F98C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Snessik.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f3ececc2edfff2f92d80ed3a5140af55b6bebf7cae8642a0d46843162eeddddd"
- logic_hash = "v1_sha256_44f15a87d48338aafa408d4bcabef844c8864cd95640ad99208b5035e28ccd27"
+ logic_hash = "44f15a87d48338aafa408d4bcabef844c8864cd95640ad99208b5035e28ccd27"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80932,7 +80932,7 @@ rule ELASTIC_Linux_Trojan_Snessik_E435A79C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Snessik.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e24749b07f824a4839b462ec4e086a4064b29069e7224c24564e2ad7028d5d60"
- logic_hash = "v1_sha256_4850530a0566844447f56f4e5cb43c5982b1dcb784bb1aef3e377525b8651ed3"
+ logic_hash = "4850530a0566844447f56f4e5cb43c5982b1dcb784bb1aef3e377525b8651ed3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -80961,7 +80961,7 @@ rule ELASTIC_Linux_Rootkit_Hiddenwasp_8408057B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_HiddenWasp.yar#L1-L34"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7c5e20872bc0ac5cce83d4c68485743cd16a818cd1e495f97438caad0399c847"
- logic_hash = "v1_sha256_1d21cdd38d7428c498eface37fb8b1ca1e99295c88f57cb638871753d0be0f15"
+ logic_hash = "1d21cdd38d7428c498eface37fb8b1ca1e99295c88f57cb638871753d0be0f15"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81005,7 +81005,7 @@ rule ELASTIC_Linux_Ransomware_Monti_9C64F016 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Monti.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ad8d1b28405d9aebae6f42db1a09daec471bf342e9e0a10ab4e0a258a7fa8713"
- logic_hash = "v1_sha256_c22a4efaaf97d68deaf1978e637dd7f790541e5007c6323629bcc9e3d4eecd06"
+ logic_hash = "c22a4efaaf97d68deaf1978e637dd7f790541e5007c6323629bcc9e3d4eecd06"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81036,7 +81036,7 @@ rule ELASTIC_Linux_Trojan_Ebury_7B13E9B6 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ebury.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_30d126ffc5b782236663c23734f1eef21e1cc929d549a37bba8e1e7b41321111"
+ logic_hash = "30d126ffc5b782236663c23734f1eef21e1cc929d549a37bba8e1e7b41321111"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81065,7 +81065,7 @@ rule ELASTIC_Linux_Backdoor_Fontonlake_Fe916A45 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Backdoor_Fontonlake.yar#L1-L29"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8a0a9740cf928b3bd1157a9044c6aced0dfeef3aa25e9ff9c93e113cbc1117ee"
- logic_hash = "v1_sha256_590b28264345ea0bdbd53791f422cb4f1fad143df2b790824fc182356a568d7d"
+ logic_hash = "590b28264345ea0bdbd53791f422cb4f1fad143df2b790824fc182356a568d7d"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -81104,7 +81104,7 @@ rule ELASTIC_Windows_Vulndriver_Asrock_986D2D3C : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Asrock.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838"
- logic_hash = "v1_sha256_d767a1ecdff557753f80ac9d73f02364dd035f7a287d0f260316f807364af2d5"
+ logic_hash = "d767a1ecdff557753f80ac9d73f02364dd035f7a287d0f260316f807364af2d5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -81133,7 +81133,7 @@ rule ELASTIC_Windows_Vulndriver_Asrock_Cdf192F9 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Asrock.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d"
- logic_hash = "v1_sha256_2f844b6d3fa19fd39097395175162578ad71d78c61dad104efd320cd8285fa6b"
+ logic_hash = "2f844b6d3fa19fd39097395175162578ad71d78c61dad104efd320cd8285fa6b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -81163,7 +81163,7 @@ rule ELASTIC_Windows_Vulndriver_Asrock_0Eca57Dc : FILE
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3"
 hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f"
- logic_hash = "v1_sha256_82a0cba571dc58ed8d3fd87d3650ec0c1016e6c8e972547f6120ba91c8febce1"
+ logic_hash = "82a0cba571dc58ed8d3fd87d3650ec0c1016e6c8e972547f6120ba91c8febce1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -81194,7 +81194,7 @@ rule ELASTIC_Windows_Trojan_Phoreal_66E91De3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Phoreal.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88f073552b30462a00d1d612b1638b0508e4ef02c15cf46203998091f0aef4de"
- logic_hash = "v1_sha256_c68131fd5e0272d3d473db387a186056a38e6611925ae448d5b668022e6e163a"
+ logic_hash = "c68131fd5e0272d3d473db387a186056a38e6611925ae448d5b668022e6e163a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -81226,7 +81226,7 @@ rule ELASTIC_Windows_Trojan_Hancitor_6738D84A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Hancitor.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a674898f39377e538f9ec54197689c6fa15f00f51aa0b5cc75c2bafd86384a40"
- logic_hash = "v1_sha256_448243b6925c4e419b1fd492ac5e8d43a7baa4492ba7a5a0b44bc8e036c77ec2"
+ logic_hash = "448243b6925c4e419b1fd492ac5e8d43a7baa4492ba7a5a0b44bc8e036c77ec2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81257,7 +81257,7 @@ rule ELASTIC_Windows_Vulndriver_Speedfan_9B590Eee : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Speedfan.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
- logic_hash = "v1_sha256_6f75c0e6b89dd1ceb85c73b7e51fd261ca2804e14a5f8ed6ce3352b3f1bcdfe4"
+ logic_hash = "6f75c0e6b89dd1ceb85c73b7e51fd261ca2804e14a5f8ed6ce3352b3f1bcdfe4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -81287,7 +81287,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_825B6808 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7db9a0760dd16e23cb299559a0e31a431b836a105d5309a9880fa4b821937659"
- logic_hash = "v1_sha256_f5f997d8401f1505e81072dcb0e24ad7a78f0b56133698b70d8dd93ef25ddaf3"
+ logic_hash = "f5f997d8401f1505e81072dcb0e24ad7a78f0b56133698b70d8dd93ef25ddaf3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81316,7 +81316,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_A44Ab8Cd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4b2068a4a666b0279358b8eb4f480d2df4c518a8b4518d0d77c6687c3bff0a32"
- logic_hash = "v1_sha256_a0501f76aff532366292189d34a57844ba999748b94f349be2f391dfd96e2106"
+ logic_hash = "a0501f76aff532366292189d34a57844ba999748b94f349be2f391dfd96e2106"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81345,7 +81345,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_7026F674 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b7a77ebb66664c54d01a57abed5bb034ef2933a9590b595bba0566938b099438"
- logic_hash = "v1_sha256_ec8ece1f922260f620fb30d82469f77a4d0239da536fc464fc37a3943cd6e463"
+ logic_hash = "ec8ece1f922260f620fb30d82469f77a4d0239da536fc464fc37a3943cd6e463"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81374,7 +81374,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_761Ad88E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1d88971f342e4bc4e6615e42080a3b6cec9f84912aa273c36fc46aaf86ff6771"
- logic_hash = "v1_sha256_2b0c64da713e2f8ff671cbe086638810bc02a983d42851e78c68a57bde9f023c"
+ logic_hash = "2b0c64da713e2f8ff671cbe086638810bc02a983d42851e78c68a57bde9f023c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81402,7 +81402,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_B93655D3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L81-L98"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_34cb06385543c6c2c562f757df2f641d8402e7c9f95fa924e17652a1c38d695f"
+ logic_hash = "34cb06385543c6c2c562f757df2f641d8402e7c9f95fa924e17652a1c38d695f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81431,7 +81431,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_Af9F75E6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L100-L118"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705"
- logic_hash = "v1_sha256_b74f5fad3c7219038e51eb4fa12fb9d55d7f65a9f4bab0adff8609fabb0afdab"
+ logic_hash = "b74f5fad3c7219038e51eb4fa12fb9d55d7f65a9f4bab0adff8609fabb0afdab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81460,7 +81460,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_1Bf0E994 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L120-L138"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ea2dc13eec0d7a8ec20307f5afac8e9344d827a6037bb96a54ad7b12f65b59c"
- logic_hash = "v1_sha256_2c1099b8078ac306f7cb67be5b5b5e34f57414b9aa26bdd6c26d3636c80846cd"
+ logic_hash = "2c1099b8078ac306f7cb67be5b5b5e34f57414b9aa26bdd6c26d3636c80846cd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81489,7 +81489,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_D710A5Da : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L140-L158"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ba895a9c449bf9bf6c092df88b6d862a3e8ed4079ef795e5520cb163a45bcdb4"
- logic_hash = "v1_sha256_118a29cc0ccd191181dabc134de282ba134e041113faaa4d95e0aa201646438b"
+ logic_hash = "118a29cc0ccd191181dabc134de282ba134e041113faaa4d95e0aa201646438b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81518,7 +81518,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_F434A3Fb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L160-L178"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ba895a9c449bf9bf6c092df88b6d862a3e8ed4079ef795e5520cb163a45bcdb4"
- logic_hash = "v1_sha256_11b173f73b87f50775be50c6b4528bd9b148ea4266297aec76ae126cab0facb0"
+ logic_hash = "11b173f73b87f50775be50c6b4528bd9b148ea4266297aec76ae126cab0facb0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81547,7 +81547,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_A2795A4C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L180-L198"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9a564d6b29d2aaff960e6f84cd0ef4c701fefa2a62e2ea690106f3fdbabb0d71"
- logic_hash = "v1_sha256_18e15b8a417f9ff2fd9277a01eb3224c761807ce9541ece568f4525ae66eb81f"
+ logic_hash = "18e15b8a417f9ff2fd9277a01eb3224c761807ce9541ece568f4525ae66eb81f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81576,7 +81576,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_678C1145 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L200-L218"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "559793b9cb5340478f76aaf5f81c8dbfbcfa826657713d5257dac3c496b243a6"
- logic_hash = "v1_sha256_5ff15c8d92bca62700bbb67aeebc41fd603687dbc0c93733955bf59375df40a1"
+ logic_hash = "5ff15c8d92bca62700bbb67aeebc41fd603687dbc0c93733955bf59375df40a1"
 score = 60
 quality = 45
 tags = "FILE, MEMORY"
@@ -81605,7 +81605,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_3Cbdfb1F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L220-L238"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bd40ac964f3ad2011841c7eb4bf7cab332d4d95191122e830ab031dc9511c079"
- logic_hash = "v1_sha256_38e8ca59bf55c32b99aa76a89f60edcf09956b7cad0b4745fab92eca327c52db"
+ logic_hash = "38e8ca59bf55c32b99aa76a89f60edcf09956b7cad0b4745fab92eca327c52db"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -81634,7 +81634,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_8B63Ff02 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L240-L258"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a57de6cd3468f55b4bfded5f1eed610fdb2cbffbb584660ae000c20663d5b304"
- logic_hash = "v1_sha256_3b68353c8eeb21a3eba7a02ae76b66b4f094ec52d5309582544d247cc6548da3"
+ logic_hash = "3b68353c8eeb21a3eba7a02ae76b66b4f094ec52d5309582544d247cc6548da3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81663,7 +81663,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_30973084 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L260-L278"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a22ffa748bcaaed801f48f38b26a9cfdd5e62183a9f6f31c8a1d4a8443bf62a4"
- logic_hash = "v1_sha256_d965a032c0fb6020c6187aa3117f7251dd8c9287c45453e3d5ae2ac62b3067bb"
+ logic_hash = "d965a032c0fb6020c6187aa3117f7251dd8c9287c45453e3d5ae2ac62b3067bb"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -81692,7 +81692,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_1Cfa95Dd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L280-L298"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1d88971f342e4bc4e6615e42080a3b6cec9f84912aa273c36fc46aaf86ff6771"
- logic_hash = "v1_sha256_f73a96cc379c8dc060bfe5668ef7e47c5bcd037b3f41c300ef20c2f2f653cb00"
+ logic_hash = "f73a96cc379c8dc060bfe5668ef7e47c5bcd037b3f41c300ef20c2f2f653cb00"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81721,7 +81721,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_25C48456 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L300-L318"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "eba6f3e4f7b53e22522d82bdbdf5271c3fc701cbe07e9ecb7b4c0b85adc9d6b4"
- logic_hash = "v1_sha256_4ed4b901fccaed834b9908fb447da1521bf31f283ae55b6d8f6090814cf8fcd2"
+ logic_hash = "4ed4b901fccaed834b9908fb447da1521bf31f283ae55b6d8f6090814cf8fcd2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81750,7 +81750,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_B1Ca2Abd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L320-L338"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1d88971f342e4bc4e6615e42080a3b6cec9f84912aa273c36fc46aaf86ff6771"
- logic_hash = "v1_sha256_05b906a9823bf9ba25ba1ed490beb8f338429cbc744ca230c5c4cbb41ab9f140"
+ logic_hash = "05b906a9823bf9ba25ba1ed490beb8f338429cbc744ca230c5c4cbb41ab9f140"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81779,7 +81779,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_Cce8C792 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L340-L358"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ea56da9584fc36dc67cb1e746bd13c95c4d878f9d594e33221baad7e01571ee6"
- logic_hash = "v1_sha256_14700d24e8682ec04f2aae02f5820c4d956db60583b1bc61038b47e709705d0d"
+ logic_hash = "14700d24e8682ec04f2aae02f5820c4d956db60583b1bc61038b47e709705d0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81808,7 +81808,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_4Bcea1C4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L360-L378"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9a564d6b29d2aaff960e6f84cd0ef4c701fefa2a62e2ea690106f3fdbabb0d71"
- logic_hash = "v1_sha256_76019729a3a33fc04ff983f38b4fbf174a66da7ffc05cd07eb93e3cd5aecaaa2"
+ logic_hash = "76019729a3a33fc04ff983f38b4fbf174a66da7ffc05cd07eb93e3cd5aecaaa2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81837,7 +81837,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_Ab561A1B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L380-L398"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1b7df0d491974bead05d04ede6cf763ecac30ecff4d27bb4097c90cc9c3f4155"
- logic_hash = "v1_sha256_5720d2ada4b33514f2d528417876606d2951786df8b0512f9e8833b8ec87127a"
+ logic_hash = "5720d2ada4b33514f2d528417876606d2951786df8b0512f9e8833b8ec87127a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81866,7 +81866,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_1A4Eb229 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L400-L418"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705"
- logic_hash = "v1_sha256_83b04e366a05a46ad67b9aaf6b9658520e119003cd65941dd69416cbc5229c30"
+ logic_hash = "83b04e366a05a46ad67b9aaf6b9658520e119003cd65941dd69416cbc5229c30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81895,7 +81895,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_51Ef0659 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L420-L438"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b7a2bc75dd9c44c38b2a6e4e7e579142ece92a75b8a3f815940c5aa31470be2b"
- logic_hash = "v1_sha256_26dd95cb1cdaec10d408e294a3baca85d741cf5e56649cdcc79ef7216e4cb440"
+ logic_hash = "26dd95cb1cdaec10d408e294a3baca85d741cf5e56649cdcc79ef7216e4cb440"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81924,7 +81924,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_D90C4Cbe : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L440-L458"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "409c55110d392aed1a9ec98a6598fb8da86ab415534c8754aa48e3949e7c4b62"
- logic_hash = "v1_sha256_145d32f8a06af18e6f13b0905cc51fd7b1a9e00b41b0f0a5d537ada2b54a94b5"
+ logic_hash = "145d32f8a06af18e6f13b0905cc51fd7b1a9e00b41b0f0a5d537ada2b54a94b5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81953,7 +81953,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_C680C9Fd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L460-L478"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ea56da9584fc36dc67cb1e746bd13c95c4d878f9d594e33221baad7e01571ee6"
- logic_hash = "v1_sha256_a283132ffdd109b8b1f01e5a3e2700b70b742945c7ae8b15b2b244fb249a5e3d"
+ logic_hash = "a283132ffdd109b8b1f01e5a3e2700b70b742945c7ae8b15b2b244fb249a5e3d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -81982,7 +81982,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_E63396F4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L480-L498"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "913e6d2538bd7eed3a8f3d958cf445fe11c5c299a70e5385e0df6a9b2f638323"
- logic_hash = "v1_sha256_d3f7c62a7411caf86ee574a686b4b1972066602f89d39ae9e49ba66d9917c7c9"
+ logic_hash = "d3f7c62a7411caf86ee574a686b4b1972066602f89d39ae9e49ba66d9917c7c9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82010,7 +82010,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_7D5355Da : FILE MEMORY
 reference = "03397525f90c8c2242058d2f6afc81ceab199c5abcab8fd460fabb6b083d8d20"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L500-L518"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_b4540f941ca1a36c460d056ef263ebd67c6388f3f6f373f50371f7cca2739bc4"
+ logic_hash = "b4540f941ca1a36c460d056ef263ebd67c6388f3f6f373f50371f7cca2739bc4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82038,7 +82038,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_A9E8A90F : FILE MEMORY
 reference = "0558cf8cab0ba1515b3b69ac32975e5e18d754874e7a54d19098e7240ebf44e4"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L520-L538"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8f1fcb736a9363142a25426ef2d166f92526bffaf8069f1b12056c9cf5825379"
+ logic_hash = "8f1fcb736a9363142a25426ef2d166f92526bffaf8069f1b12056c9cf5825379"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82066,7 +82066,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_A598192A : FILE MEMORY
 reference = "101f2240cd032831b9c0930a68ea6f74688f68ae801c776c71b488e17bc71871"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L540-L558"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_19909f53acca8c84125c95fc651765a25162c5f916366da8351e67675393e583"
+ logic_hash = "19909f53acca8c84125c95fc651765a25162c5f916366da8351e67675393e583"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82094,7 +82094,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_53Bf4E37 : FILE MEMORY
 reference = "101f2240cd032831b9c0930a68ea6f74688f68ae801c776c71b488e17bc71871"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L560-L578"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d1aabf8067b74dac114e197722d51c4bbb9a78e6ba9b5401399930c29d55bdcc"
+ logic_hash = "d1aabf8067b74dac114e197722d51c4bbb9a78e6ba9b5401399930c29d55bdcc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82122,7 +82122,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_50158A6E : FILE MEMORY
 reference = "1e0cdb655e48d21a6b02d2e1e62052ffaaec9fdfe65a3d180fc8afabc249e1d8"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L580-L598"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_67c22fcf514a3e8c2c27817798c796aacf00ba82e1090894aa2c1170a1e2a096"
+ logic_hash = "67c22fcf514a3e8c2c27817798c796aacf00ba82e1090894aa2c1170a1e2a096"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82150,7 +82150,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_F454Ec10 : FILE MEMORY
 reference = "0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L600-L618"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e5afb215632ad6359ba95df86316d496ea5e36edb79901c34e0710a6bd9c97d1"
+ logic_hash = "e5afb215632ad6359ba95df86316d496ea5e36edb79901c34e0710a6bd9c97d1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82178,7 +82178,7 @@ rule ELASTIC_Linux_Hacktool_Flooder_9417F77B : FILE MEMORY
 reference = "60ff13e27dad5e6eadb04011aa653a15e1a07200b6630fdd0d0d72a9ba797d68"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Flooder.yar#L620-L638"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_470b7e44cd875b1f6abcfa5e4d33d2808a65630dc914b38643c9efb14db5f1ff"
+ logic_hash = "470b7e44cd875b1f6abcfa5e4d33d2808a65630dc914b38643c9efb14db5f1ff"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82206,7 +82206,7 @@ rule ELASTIC_Windows_Trojan_Dcrat_1Aeea1Ac : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DCRat.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_6163e04a40ed52d5e94662131511c3ae08d473719c364e0f7de60dff7fa92cf7"
+ logic_hash = "6163e04a40ed52d5e94662131511c3ae08d473719c364e0f7de60dff7fa92cf7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82241,7 +82241,7 @@ rule ELASTIC_Windows_Trojan_Wineloader_13E8860A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_WineLoader.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f5cb3234eff0dbbd653d5cdce1d4b1026fa9574ebeaf16aaae3d4e921b6a7f9d"
- logic_hash = "v1_sha256_c072abb73377ed59c0dd9fab25a4c84575ab9badbddfda1ed51e576e4e12fa82"
+ logic_hash = "c072abb73377ed59c0dd9fab25a4c84575ab9badbddfda1ed51e576e4e12fa82"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82272,7 +82272,7 @@ rule ELASTIC_Windows_Hacktool_Dinvokerust_512D3B59 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_DinvokeRust.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ebf0f1bfd166d2d49b642fa43cb0c7364c0c605d9a7f108dc49d9f1cc859ab4a"
- logic_hash = "v1_sha256_7be1a4e25cf41e47ab135c718b7ec5a49a2890cf873c52597f8dab4d47636ed8"
+ logic_hash = "7be1a4e25cf41e47ab135c718b7ec5a49a2890cf873c52597f8dab4d47636ed8"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -82306,7 +82306,7 @@ rule ELASTIC_Windows_Trojan_Shadowpad_Be71209D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_ShadowPad.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "452b08d6d2aa673fb6ccc4af6cebdcb12b5df8722f4d70d1c3491479e7b39c05"
- logic_hash = "v1_sha256_24e035bbcd5d44877e6e582a995d0035ad26c53e832c34b0c8a3836cb1a11637"
+ logic_hash = "24e035bbcd5d44877e6e582a995d0035ad26c53e832c34b0c8a3836cb1a11637"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82336,7 +82336,7 @@ rule ELASTIC_Windows_Trojan_Shadowpad_0D899241 : MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_ShadowPad.yar#L23-L48"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cb3a425565b854f7b892e6ebfb3734c92418c83cd590fc1ee9506bcf4d8e02ea"
- logic_hash = "v1_sha256_57385e149c6419aed2dcd3ecbbe26d8598918395a6480dd5cdb799ce7328901a"
+ logic_hash = "57385e149c6419aed2dcd3ecbbe26d8598918395a6480dd5cdb799ce7328901a"
 score = 75
 quality = 75
 tags = "MEMORY"
@@ -82371,7 +82371,7 @@ rule ELASTIC_Windows_Backdoor_Goldbackdoor_91902940 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Backdoor_Goldbackdoor.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "485246b411ef5ea9e903397a5490d106946a8323aaf79e6041bdf94763a0c028"
- logic_hash = "v1_sha256_71e26cce6d730560e1303b2a4f49d0da6d1341263bb47ade46338f03e528cbf7"
+ logic_hash = "71e26cce6d730560e1303b2a4f49d0da6d1341263bb47ade46338f03e528cbf7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -82407,7 +82407,7 @@ rule ELASTIC_Windows_Backdoor_Goldbackdoor_F11D57Df : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Backdoor_Goldbackdoor.yar#L28-L51" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "45ece107409194f5f1ec2fbd902d041f055a914e664f8ed2aa1f90e223339039" - logic_hash = "v1_sha256_6401b215523289a3842dec6d3e016a2ca99512c5889e87cb5ff13023bb0b8e1e" + logic_hash = "6401b215523289a3842dec6d3e016a2ca99512c5889e87cb5ff13023bb0b8e1e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82441,7 +82441,7 @@ rule ELASTIC_Windows_Trojan_Hijackloader_A8444812 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_HijackLoader.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "065c379a33ef1539e8a68fd4b7638fe8a30ec19fc128642ed0c68539656374b9" - logic_hash = "v1_sha256_6cd88adc7a0d35013a26d1135efb294ee6f9ddab99b4549e82d3d6f5f65509b6" + logic_hash = "6cd88adc7a0d35013a26d1135efb294ee6f9ddab99b4549e82d3d6f5f65509b6" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82475,7 +82475,7 @@ rule ELASTIC_Windows_Trojan_Arkeistealer_84C7086A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_ArkeiStealer.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "708d9fb40f49192d4bf6eff62e0140c920a7eca01b9f78aeaf558bef0115dbe2" - logic_hash = "v1_sha256_b7129094389f789f0b43f0da54645c24a6d1149f53d6536c14714e3ff44f935b" + logic_hash = "b7129094389f789f0b43f0da54645c24a6d1149f53d6536c14714e3ff44f935b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82503,7 +82503,7 @@ rule ELASTIC_Windows_Ransomware_Clop_6A1670Aa : BETA FILE MEMORY reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Clop.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_afe28000d50495bf2f2adc6cbf0159591ce87bff207f3c6a1d38e09f9ed328d7" + logic_hash = "afe28000d50495bf2f2adc6cbf0159591ce87bff207f3c6a1d38e09f9ed328d7" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -82532,7 +82532,7 @@ rule ELASTIC_Windows_Ransomware_Clop_E04959B5 : BETA FILE MEMORY reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Clop.yar#L22-L50" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_039fcb0e48898c7546588cd095fac16f06cf5e5568141aefb6db382a61e80a8d" + logic_hash = "039fcb0e48898c7546588cd095fac16f06cf5e5568141aefb6db382a61e80a8d" score = 75 quality = 50 tags = "BETA, FILE, MEMORY" @@ -82570,7 +82570,7 @@ rule ELASTIC_Windows_Ransomware_Clop_9Ac9Ea3E : BETA FILE MEMORY reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Clop.yar#L52-L71" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_1228ee4b934faf1d5f8cf4518974cd2c80a73d84c8a354bde4813fb97ba516d7" + logic_hash = "1228ee4b934faf1d5f8cf4518974cd2c80a73d84c8a354bde4813fb97ba516d7" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -82599,7 +82599,7 @@ rule ELASTIC_Windows_Ransomware_Clop_606020E7 : BETA FILE MEMORY reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Clop.yar#L73-L92" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_f5169b324bc19f6f5a04c99f1d3326c97300d038ec383c3eab94eb258963ac30" + logic_hash = "f5169b324bc19f6f5a04c99f1d3326c97300d038ec383c3eab94eb258963ac30" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -82628,7 +82628,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_A6E956C9 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_fb4e3e54618075d5ef6ec98d1ba9c332ce9f677f0879e07b34a2ca08b2180dd9" + logic_hash = "fb4e3e54618075d5ef6ec98d1ba9c332ce9f677f0879e07b34a2ca08b2180dd9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82657,7 +82657,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_38B8Ceec : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_8e3bc02661cedb9885467373f8120542bb7fc8b0944803bc01642fbc8426298b" + logic_hash = "8e3bc02661cedb9885467373f8120542bb7fc8b0944803bc01642fbc8426298b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82686,7 +82686,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_7Bc0F998 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_29cb48086dbcd48bd83c5042ed78370e127e1ea5170ee7383b88659b31e896b5" + logic_hash = "29cb48086dbcd48bd83c5042ed78370e127e1ea5170ee7383b88659b31e896b5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82715,7 +82715,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_F7F826B4 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_2f5264e07c65d5ef4efe49a48c24ccef9a4b9379db581d2cf18e1131982e6f2f" + logic_hash = "2f5264e07c65d5ef4efe49a48c24ccef9a4b9379db581d2cf18e1131982e6f2f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82744,7 +82744,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_24338919 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L81-L99" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_af8cceebdebca863019860afca5d7c6400b68c8450bc17b7d7b74aeab2d62d16" + logic_hash = "af8cceebdebca863019860afca5d7c6400b68c8450bc17b7d7b74aeab2d62d16" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82773,7 +82773,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_0F5A852D : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L101-L119" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_11cddf2191a2f70222a0c8c591e387b4b5667bc432a2f686629def9252361c1d" + logic_hash = "11cddf2191a2f70222a0c8c591e387b4b5667bc432a2f686629def9252361c1d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82802,7 +82802,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_C9773203 : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L121-L140" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_1d6503ccf05b8e8b4368ed0fb2e57aa2be94151ce7e2445b5face7b226a118e9" + logic_hash = "1d6503ccf05b8e8b4368ed0fb2e57aa2be94151ce7e2445b5face7b226a118e9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82832,7 +82832,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_Dd5Ce989 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L142-L164" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "86cf98bf854b01a55e3f306597437900e11d429ac6b7781e090eeda3a5acb360" - logic_hash = "v1_sha256_5c094979be1cd347ffee944816b819b6fbb62804b183a6120cd3a93d2759155b" + logic_hash = "5c094979be1cd347ffee944816b819b6fbb62804b183a6120cd3a93d2759155b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82864,7 +82864,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_96233B6B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L166-L185" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e7a2d966deea3a2df6ce1aeafa8c2caa753824215a8368e0a96b394fb46b753b" - logic_hash = "v1_sha256_09a2b9414a126367df65322966b671fe7ea963cd65ef48e316c9d139ee502d31" + logic_hash = "09a2b9414a126367df65322966b671fe7ea963cd65ef48e316c9d139ee502d31" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82894,7 +82894,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_4A1C4Da8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L187-L206" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22" - logic_hash = "v1_sha256_9d3a3164ed1019dcb557cf20734a81be9964a555ddb2e0104f7202880b2ed177" + logic_hash = "9d3a3164ed1019dcb557cf20734a81be9964a555ddb2e0104f7202880b2ed177" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -82924,7 +82924,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_91Bc5D7D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L208-L226" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987" - logic_hash = "v1_sha256_74154902b03c36a4ee9bc54ae9399bae9e6afb7fe8d0fe232b88250afc368d6f" + logic_hash = "74154902b03c36a4ee9bc54ae9399bae9e6afb7fe8d0fe232b88250afc368d6f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82953,7 +82953,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_A91A6571 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L228-L246" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ff7795edff95a45b15b03d698cbdf70c19bc452daf4e2d5e86b2bbac55494472" - logic_hash = "v1_sha256_cc59320ba9f8907d1d9b9dc120d8b4807b419e49c55be1fd5d2cdbb0c5d4e5cc" + logic_hash = "cc59320ba9f8907d1d9b9dc120d8b4807b419e49c55be1fd5d2cdbb0c5d4e5cc" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -82982,7 +82982,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_B29Fe355 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L248-L268" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4f0ab4e42e6c10bc9e4a699d8d8819b04c17ed1917047f770dc6980a0a378a68" - logic_hash = "v1_sha256_7a2189b59175acb66a7497c692a43c413a476f5c4371f797bf03a8ddb550992c" + logic_hash = "7a2189b59175acb66a7497c692a43c413a476f5c4371f797bf03a8ddb550992c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83013,7 +83013,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_66140F58 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L270-L288" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "01a0c5630fbbfc7043d21a789440fa9dadc6e4f79640b370f1a21c6ebf6a710a" - logic_hash = "v1_sha256_0a855b7296f7cea39cc5d57b239d3906133ea43a0811ec60e4d91765cf89aced" + logic_hash = "0a855b7296f7cea39cc5d57b239d3906133ea43a0811ec60e4d91765cf89aced" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83042,7 +83042,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_2092C42A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L290-L309" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e47d88c11a89dcc84257841de0c9f1ec388698006f55a0e15567354b33f07d3c" - logic_hash = "v1_sha256_83c46c6b957f10d406ea9985c518eb2fba3e82b9023bfdefa8bdd4be7fb67826" + logic_hash = "83c46c6b957f10d406ea9985c518eb2fba3e82b9023bfdefa8bdd4be7fb67826" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -83072,7 +83072,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_46E1C247 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L311-L330" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ef70e1faa3b1f40d92b0a161c96e13c96c43ec6651e7c87ee3977ed07b950bab" - logic_hash = "v1_sha256_760a4e28e312a7d744208dc833ffad8d139ce7c536b407625a7fb0dff5ddb1d1" + logic_hash = "760a4e28e312a7d744208dc833ffad8d139ce7c536b407625a7fb0dff5ddb1d1" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -83102,7 +83102,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_B62Aac1E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L332-L351" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "af9af81f7e46217330b447900f80c9ce38171655becb3b63e51f913b95c71e70" - logic_hash = "v1_sha256_3ef6b7fb258b060ae00b060dbf9b07620f8cda0d9a827985bbb3ed9617969ef6" + logic_hash = "3ef6b7fb258b060ae00b060dbf9b07620f8cda0d9a827985bbb3ed9617969ef6" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83132,7 +83132,7 @@ rule ELASTIC_Windows_Trojan_Metasploit_47F5D54A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Metasploit.yar#L353-L372" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bc3754cf4a04491a7ad7a75f69dd3bb2ddf0d8592ce078b740d7c9c7bc85a7e1" - logic_hash = "v1_sha256_be080d0aae457348c4a02c204507a8cb14d1728d1bc50d7cf12b577aa06daf9f" + logic_hash = "be080d0aae457348c4a02c204507a8cb14d1728d1bc50d7cf12b577aa06daf9f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83162,7 +83162,7 @@ rule ELASTIC_Windows_Trojan_Dbatloader_F93A8E90 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DBatLoader.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f72d7e445702bbf6b762ebb19d521452b9c76953d93b4d691e0e3e508790256e" - logic_hash = "v1_sha256_6fe91d91bb383c66a6dc623b02817411a39b88030142517f4048c5c25fbb4ac5" + logic_hash = "6fe91d91bb383c66a6dc623b02817411a39b88030142517f4048c5c25fbb4ac5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83191,7 +83191,7 @@ rule ELASTIC_Linux_Hacktool_Portscan_A40C7Ef0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Portscan.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c389c42bac5d4261dbca50c848f22c701df4c9a2c5877dc01e2eaa81300bdc29" - logic_hash = "v1_sha256_6118ea86d628450e79ee658f4b95bae40080764a25240698d8ca7fcb7e6adaaf" + logic_hash = "6118ea86d628450e79ee658f4b95bae40080764a25240698d8ca7fcb7e6adaaf" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83220,7 +83220,7 @@ rule ELASTIC_Linux_Hacktool_Portscan_6C6000C2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Portscan.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8877009fc8ee27ba3b35a7680b80d21c84ee7296bcabe1de51aeeafcc8978da7" - logic_hash = "v1_sha256_0cae81cbc0fdf48b4e7ac09865f05e2ad93d79b7a6f1af76a632727127ab050f" + logic_hash = "0cae81cbc0fdf48b4e7ac09865f05e2ad93d79b7a6f1af76a632727127ab050f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83249,7 +83249,7 @@ rule ELASTIC_Linux_Hacktool_Portscan_E191222D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Portscan.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e2f4313538c3ef23adbfc50f37451c318bfd1ffd0e5aaa346cce4cc37417f812" - logic_hash = "v1_sha256_6ffb2add4a76214ffd555cf1fe356371acd3638216094097b355670ecfe02ecd" + logic_hash = "6ffb2add4a76214ffd555cf1fe356371acd3638216094097b355670ecfe02ecd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83278,7 +83278,7 @@ rule ELASTIC_Linux_Hacktool_Portscan_E57B0A0C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Portscan.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f8ee385316b60ee551565876287c06d76ac5765f005ca584d1ca6da13a6eb619" - logic_hash = "v1_sha256_b2f67805e9381864591fdf61846284da97f8dd2f5c60484ce9c6e76d2f6f3872" + logic_hash = "b2f67805e9381864591fdf61846284da97f8dd2f5c60484ce9c6e76d2f6f3872" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83307,7 +83307,7 @@ rule ELASTIC_Linux_Trojan_Rozena_56651C1D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rozena.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "997684fb438af3f5530b0066d2c9e0d066263ca9da269d6a7e160fa757a51e04" - logic_hash = "v1_sha256_a6d283b0c398cb1004defe7f5669f912112262e5aaf677ae4ca7fd15565cb988" + logic_hash = "a6d283b0c398cb1004defe7f5669f912112262e5aaf677ae4ca7fd15565cb988" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83336,7 +83336,7 @@ rule ELASTIC_Windows_Trojan_A310Logger_520Cd7Ec : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_A310logger.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3" - logic_hash = "v1_sha256_6095ce913e3fb1cfc2f1b091598fc06b2dfec30c2353be7df08dcbb1a06b07c3" + logic_hash = "6095ce913e3fb1cfc2f1b091598fc06b2dfec30c2353be7df08dcbb1a06b07c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83369,7 +83369,7 @@ rule ELASTIC_Windows_Trojan_Dridex_63Ddf193 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Dridex.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b1d66350978808577159acc7dc7faaa273e82c103487a90bf0d040afa000cb0d" - logic_hash = "v1_sha256_e792f4693be0a7c71d1e638212a8fb3acb1e14dedd48218861fad8c09811da29" + logic_hash = "e792f4693be0a7c71d1e638212a8fb3acb1e14dedd48218861fad8c09811da29" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83399,7 +83399,7 @@ rule ELASTIC_Windows_Trojan_Dridex_C6F01353 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Dridex.yar#L22-L40" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "739682ccb54170e435730c54ba9f7e09f32a3473c07d2d18ae669235dcfe84de" - logic_hash = "v1_sha256_7146204d779610c04badfc7d884ff882ff5f1439b61f889d1edf4419240c5751" + logic_hash = "7146204d779610c04badfc7d884ff882ff5f1439b61f889d1edf4419240c5751" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83428,7 +83428,7 @@ rule ELASTIC_Linux_Trojan_Getshell_98D002Bf : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Getshell.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "97b7650ab083f7ba23417e6d5d9c1d133b9158e2c10427d1f1e50dfe6c0e7541" - logic_hash = "v1_sha256_358575f55910b060bde94bbc55daa9650a43cf1470b77d1842ddcaa8b299700a" + logic_hash = "358575f55910b060bde94bbc55daa9650a43cf1470b77d1842ddcaa8b299700a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83456,7 +83456,7 @@ rule ELASTIC_Linux_Trojan_Getshell_213D4D69 : FILE MEMORY reference = "05fc4dcce9e9e1e627ebf051a190bd1f73bc83d876c78c6b3d86fc97b0dfd8e8" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Getshell.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_2075def88b31ac32e44c270ab20273c8b91f37e25a837c0353f76bcf431cdcb3" + logic_hash = "2075def88b31ac32e44c270ab20273c8b91f37e25a837c0353f76bcf431cdcb3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83484,7 +83484,7 @@ rule ELASTIC_Linux_Trojan_Getshell_3Cf5480B : FILE MEMORY reference = "0e41c0d6286fb7cd3288892286548eaebf67c16f1a50a69924f39127eb73ff38" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Getshell.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_87b0db74e81d4f236b11f51a72fba2e4263c988402292b2182d19293858c6126" + logic_hash = "87b0db74e81d4f236b11f51a72fba2e4263c988402292b2182d19293858c6126" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83512,7 +83512,7 @@ rule ELASTIC_Linux_Trojan_Getshell_8A79B859 : FILE MEMORY reference = "1154ba394176730e51c7c7094ff3274e9f68aaa2ed323040a94e1c6f7fb976a2" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Getshell.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_2aa3914ec4cc04e5daa2da1460410b4f0e5e7a37c5a2eae5a02ff5f55382f1fe" + logic_hash = "2aa3914ec4cc04e5daa2da1460410b4f0e5e7a37c5a2eae5a02ff5f55382f1fe" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83541,7 +83541,7 @@ rule ELASTIC_Windows_Vulndriver_Ryzen_7Df5A747 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Ryzen.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433" - logic_hash = "v1_sha256_192b51f0bbd2cab4c1d3da6f82fbee7129a53abaa6e8769d3681821112017824" + logic_hash = "192b51f0bbd2cab4c1d3da6f82fbee7129a53abaa6e8769d3681821112017824" score = 75 quality = 75 tags = "FILE" @@ -83572,7 +83572,7 @@ rule ELASTIC_Windows_Vulndriver_Ryzen_9B01C718 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Ryzen.yar#L23-L43" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bb82d8c29127955d58dff58978605a9daa718425c74c4bce5ae3e53712909148" - logic_hash = "v1_sha256_5734f6a249656f22a2a363b42ae77b5e6b7673bc96bad34b04b1be7f2b584b08" + logic_hash = "5734f6a249656f22a2a363b42ae77b5e6b7673bc96bad34b04b1be7f2b584b08" score = 75 quality = 75 tags = "FILE" @@ -83603,7 +83603,7 @@ rule ELASTIC_Linux_Exploit_CVE_2019_13272_583Dd2C0 : FILE MEMORY CVE_2019_13272 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2019_13272.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3191b9473f3e59f55e062e6bdcfe61b88974602c36477bfa6855ccd92ff7ca83" - logic_hash = "v1_sha256_0b25f0d979d2fc3f7d646a9b3eccf2a293b41181b499c790d3e99515fcd09603" + logic_hash = "0b25f0d979d2fc3f7d646a9b3eccf2a293b41181b499c790d3e99515fcd09603" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2019-13272" 
@@ -83631,7 +83631,7 @@ rule ELASTIC_Windows_Trojan_Octopus_15813E26 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Octopus.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_0d30b96ead4ccba75e08f6ba1db73cee61a29b5b0c7ee0fb523cbcd61dce9d87" + logic_hash = "0d30b96ead4ccba75e08f6ba1db73cee61a29b5b0c7ee0fb523cbcd61dce9d87" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83661,7 +83661,7 @@ rule ELASTIC_Linux_Trojan_Dinodasrat_1D371D10 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_DinodasRAT.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bf830191215e0c8db207ea320d8e795990cf6b3e6698932e6e0c9c0588fc9eff" - logic_hash = "v1_sha256_933e78882be1d8dd9553ba90f038963d1b6f8f643888258541b7668aa3434808" + logic_hash = "933e78882be1d8dd9553ba90f038963d1b6f8f643888258541b7668aa3434808" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83695,7 +83695,7 @@ rule ELASTIC_Windows_Trojan_Flawedgrace_8C5Eb04B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_FlawedGrace.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "966112f3143d751a95c000a990709572ac8b49b23c0e57b2691955d6fda1016e" - logic_hash = "v1_sha256_dc07197cb9a02ff8d271f78756c2784c74d09e530af20377a584dbfe77e973aa" + logic_hash = "dc07197cb9a02ff8d271f78756c2784c74d09e530af20377a584dbfe77e973aa" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83728,7 +83728,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_13B3C88B : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Rtkio.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82" - logic_hash = "v1_sha256_1e37650292884e28dcc51c42bc1b1d1e8efc13b0727f7865ff1dc7b8e1a72380" + logic_hash = "1e37650292884e28dcc51c42bc1b1d1e8efc13b0727f7865ff1dc7b8e1a72380" score = 75 quality = 75 tags = "FILE" @@ -83758,7 +83758,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_D595781E : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Rtkio.yar#L22-L41" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7" - logic_hash = "v1_sha256_289eb17025d989cc74e109b1c03378e9760817a84f1a759153ff6ff6b6401e6d" + logic_hash = "289eb17025d989cc74e109b1c03378e9760817a84f1a759153ff6ff6b6401e6d" score = 75 quality = 75 tags = "FILE" @@ -83788,7 +83788,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_B09Af431 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Rtkio.yar#L43-L62" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" - logic_hash = "v1_sha256_916a6e63dc4c7ee0bfdf4a455ee467a1d03c1042db60806511aa7cbf3b096190" + logic_hash = "916a6e63dc4c7ee0bfdf4a455ee467a1d03c1042db60806511aa7cbf3b096190" score = 75 quality = 75 tags = "FILE" 
@@ -83818,7 +83818,7 @@ rule ELASTIC_Windows_Vulndriver_Rtkio_5693E967 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Rtkio.yar#L64-L83" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - logic_hash = "v1_sha256_4cbc7a52de7f610cdb12bf40a9099bcfae818dcb5e4119a8c34499433aeebd7e" + logic_hash = "4cbc7a52de7f610cdb12bf40a9099bcfae818dcb5e4119a8c34499433aeebd7e" score = 75 quality = 75 tags = "FILE" @@ -83848,7 +83848,7 @@ rule ELASTIC_Windows_Trojan_Darkcomet_1Df27Bcc : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Darkcomet.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569" - logic_hash = "v1_sha256_5886e3316839e64f934a0e84d85074e076f3e1e44f86fee35a87eb560bfa2aa7" + logic_hash = "5886e3316839e64f934a0e84d85074e076f3e1e44f86fee35a87eb560bfa2aa7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -83881,7 +83881,7 @@ rule ELASTIC_Linux_Trojan_Generic_402Be6C5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d30a8f5971763831f92d9a6dd4720f52a1638054672a74fdb59357ae1c9e6deb" - logic_hash = "v1_sha256_b32111972bc21822f0f2c8e47198c90b70e78667410175257b9542c212fc3a1d" + logic_hash = "b32111972bc21822f0f2c8e47198c90b70e78667410175257b9542c212fc3a1d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -83910,7 +83910,7 @@ rule ELASTIC_Linux_Trojan_Generic_5420D3E7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "103b8fced0aebd73cb8ba9eff1a55e6b6fa13bb0a099c9234521f298ee8d2f9f"
- logic_hash = "v1_sha256_8ba3566ec900e37f05f11d40c65ffe1dfc587c553fa9c28b71ced7a9a90f50c3"
+ logic_hash = "8ba3566ec900e37f05f11d40c65ffe1dfc587c553fa9c28b71ced7a9a90f50c3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -83939,7 +83939,7 @@ rule ELASTIC_Linux_Trojan_Generic_4F4Cc3Ea : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "32e25641360dbfd50125c43754cd327cf024f1b3bfd75b617cdf8a17024e2da5"
- logic_hash = "v1_sha256_9eb0d93b8c1a579ca8362d033edecbbe6a9ade82f6ae5688c183b97ed7b97faa"
+ logic_hash = "9eb0d93b8c1a579ca8362d033edecbbe6a9ade82f6ae5688c183b97ed7b97faa"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -83968,7 +83968,7 @@ rule ELASTIC_Linux_Trojan_Generic_703A0258 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b086d0119042fc960fe540c23d0a274dd0fb6f3570607823895c9158d4f75974"
- logic_hash = "v1_sha256_cb37930637b8da91188d199ee20f1b64a0b1f13e966a99e69b983e623dac51de"
+ logic_hash = "cb37930637b8da91188d199ee20f1b64a0b1f13e966a99e69b983e623dac51de"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -83997,7 +83997,7 @@ rule ELASTIC_Linux_Trojan_Generic_378765E4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ed42910e09e88777ae9958439d14176cb77271edf110053e1a29372fce21ec1"
- logic_hash = "v1_sha256_dd10305f553fa94ff83fafa84cff3d544f097b617fca20760eef838902e1f7db"
+ logic_hash = "dd10305f553fa94ff83fafa84cff3d544f097b617fca20760eef838902e1f7db"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84026,7 +84026,7 @@ rule ELASTIC_Linux_Trojan_Generic_F657Fb4F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ed42910e09e88777ae9958439d14176cb77271edf110053e1a29372fce21ec1"
- logic_hash = "v1_sha256_af4fa2c21b47f360b425ebbfea624e3728cd682e54e367d265b4f3a6515b0720"
+ logic_hash = "af4fa2c21b47f360b425ebbfea624e3728cd682e54e367d265b4f3a6515b0720"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84055,7 +84055,7 @@ rule ELASTIC_Linux_Trojan_Generic_Be1757Ef : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f3e4e2b5af9d0c72aae83cec57e5c091a95c549f826e8f13559aaf7d300f6e13"
- logic_hash = "v1_sha256_567d33c262e5f812c6a702bcc0a1f0cf576b67bf7cf67bb82b5f9ce9f233aaff"
+ logic_hash = "567d33c262e5f812c6a702bcc0a1f0cf576b67bf7cf67bb82b5f9ce9f233aaff"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -84084,7 +84084,7 @@ rule ELASTIC_Linux_Trojan_Generic_7A95Ef79 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f59340a740af8f7f4b96e3ea46d38dbe81f2b776820b6f53b7028119c5db4355"
- logic_hash = "v1_sha256_6da43e4bab6b2024b49dfc943f099fb21c06d8d4a082a05594b07cb55989183c"
+ logic_hash = "6da43e4bab6b2024b49dfc943f099fb21c06d8d4a082a05594b07cb55989183c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84113,7 +84113,7 @@ rule ELASTIC_Linux_Trojan_Generic_1C5E42B7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L161-L179"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f"
- logic_hash = "v1_sha256_cd759b87a303fafb9461d0a73b6a6b3f468b1f3db0189ba0e584a629e5d78da1"
+ logic_hash = "cd759b87a303fafb9461d0a73b6a6b3f468b1f3db0189ba0e584a629e5d78da1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84142,7 +84142,7 @@ rule ELASTIC_Linux_Trojan_Generic_8Ca4B663 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L181-L199"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ddf479e504867dfa27a2f23809e6255089fa0e2e7dcf31b6ce7d08f8d88947e"
- logic_hash = "v1_sha256_43b8cae2075f55a98b226f865d54e1c96345db0564815d849b3458d3f3ffee7f"
+ logic_hash = "43b8cae2075f55a98b226f865d54e1c96345db0564815d849b3458d3f3ffee7f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84171,7 +84171,7 @@ rule ELASTIC_Linux_Trojan_Generic_D3Fe3Fae : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L201-L219"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2a2542142adb05bff753e0652e119c1d49232d61c49134f13192425653332dc3"
- logic_hash = "v1_sha256_0b980a0bcf8340410fe2b53d109f629c6e871ebe82af467153d7b50b73fd8644"
+ logic_hash = "0b980a0bcf8340410fe2b53d109f629c6e871ebe82af467153d7b50b73fd8644"
 score = 60
 quality = 43
 tags = "FILE, MEMORY"
@@ -84200,7 +84200,7 @@ rule ELASTIC_Linux_Trojan_Generic_5E981634 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L221-L239"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "448e8d71e335cabf5c4e9e8d2d31e6b52f620dbf408d8cc9a6232a81c051441b"
- logic_hash = "v1_sha256_4623c07a15588788ec8a484642a33f2d18127849302d57520a0dac875564f62c"
+ logic_hash = "4623c07a15588788ec8a484642a33f2d18127849302d57520a0dac875564f62c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84229,7 +84229,7 @@ rule ELASTIC_Linux_Trojan_Generic_D8953Ca0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L241-L259"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "552753661c3cc7b3a4326721789808482a4591cb662bc813ee50d95f101a3501"
- logic_hash = "v1_sha256_cbc1a60a1d9525f7230336dff07f56e6a0b99e7c70c99d3f4363c06ed0071716"
+ logic_hash = "cbc1a60a1d9525f7230336dff07f56e6a0b99e7c70c99d3f4363c06ed0071716"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84258,7 +84258,7 @@ rule ELASTIC_Linux_Trojan_Generic_181054Af : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L261-L279"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e677f1eed0dbb4c680549e0bf86d92b0a28a85c6d571417baaba0d0719da5f93"
- logic_hash = "v1_sha256_e92807b603dd33fe7a083985644a213913a77e81c068623fdac7931148207b91"
+ logic_hash = "e92807b603dd33fe7a083985644a213913a77e81c068623fdac7931148207b91"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84287,7 +84287,7 @@ rule ELASTIC_Linux_Trojan_Generic_C3D529A2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L281-L299"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b46135ae52db6399b680e5c53f891d101228de5cd6c06b6ae115e4a763a5fb22"
- logic_hash = "v1_sha256_a508acd95844a4385943166f715606199048d96be0098bc89f9be7b9db34833e"
+ logic_hash = "a508acd95844a4385943166f715606199048d96be0098bc89f9be7b9db34833e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84316,7 +84316,7 @@ rule ELASTIC_Linux_Trojan_Generic_4675Dffa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L301-L320"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "43e14c9713b1ca1f3a7f4bcb57dd3959d3a964be5121eb5aba312de41e2fb7a6"
- logic_hash = "v1_sha256_d2865a869d0cf0bf784106fe6242a4c7f58e58a43c4d4ae0241b10569810904d"
+ logic_hash = "d2865a869d0cf0bf784106fe6242a4c7f58e58a43c4d4ae0241b10569810904d"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -84345,7 +84345,7 @@ rule ELASTIC_Linux_Trojan_Generic_5E3Bc3B3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Generic.yar#L322-L344"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_33c14a6b8b5a2fc105ea6f1d5ee89e53f6c5e44126b9cf687058de64d649b5ca"
+ logic_hash = "33c14a6b8b5a2fc105ea6f1d5ee89e53f6c5e44126b9cf687058de64d649b5ca"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -84379,7 +84379,7 @@ rule ELASTIC_Windows_Backdoor_Dragoncastling_4Ecf6F9F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Backdoor_DragonCastling.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9776c7ae6ca73f87d7c838257a5bcd946372fbb77ebed42eebdfb633b13cd387"
- logic_hash = "v1_sha256_26ff86354230f1006bd451eab5c1634b91888330d124a06dd2dfa5ab515d6e1a"
+ logic_hash = "26ff86354230f1006bd451eab5c1634b91888330d124a06dd2dfa5ab515d6e1a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84416,7 +84416,7 @@ rule ELASTIC_Windows_Trojan_Squirrelwaffle_88033Ff1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Squirrelwaffle.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c"
- logic_hash = "v1_sha256_695d7d411a4de23ba1517a06bda3ce73add37dca1e6fe9046e7c2dcae237389e"
+ logic_hash = "695d7d411a4de23ba1517a06bda3ce73add37dca1e6fe9046e7c2dcae237389e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84448,7 +84448,7 @@ rule ELASTIC_Windows_Trojan_Squirrelwaffle_D3B685A1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Squirrelwaffle.yar#L24-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "00d045c89934c776a70318a36655dcdd77e1fedae0d33c98e301723f323f234c"
- logic_hash = "v1_sha256_7d187aa75fc767f5009f3090852de4894776f4b3f99f189478e7e9fd9c3acbe7"
+ logic_hash = "7d187aa75fc767f5009f3090852de4894776f4b3f99f189478e7e9fd9c3acbe7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84477,7 +84477,7 @@ rule ELASTIC_Linux_Exploit_Abrox_5641Ba81 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Abrox.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8de96c8e61536cae870f4a24127d28b86bd8122428bf13965c596f92182625aa"
- logic_hash = "v1_sha256_29c894720c8d9134623427768ab1ab3d5e66fbeae86dd957f449d00091db9019"
+ logic_hash = "29c894720c8d9134623427768ab1ab3d5e66fbeae86dd957f449d00091db9019"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84505,7 +84505,7 @@ rule ELASTIC_Multi_Attacksimulation_Blindspot_D93F54C5 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_AttackSimulation_Blindspot.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_41984a0ad20ab21186252bb2f3f68604d2cbeea0e1ce22895dd163f7acbf2ca1"
+ logic_hash = "41984a0ad20ab21186252bb2f3f68604d2cbeea0e1ce22895dd163f7acbf2ca1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84534,7 +84534,7 @@ rule ELASTIC_Linux_Trojan_Dropperl_B97Baf37 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dropperl.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "aff94f915fc81d5a2649ebd7c21ec8a4c2fc0d622ec9b790b43cc49f7feb83da"
- logic_hash = "v1_sha256_e58130c33242bc3020602c2c0254bed2bbc564c4a11806c6cfcd858fd724c362"
+ logic_hash = "e58130c33242bc3020602c2c0254bed2bbc564c4a11806c6cfcd858fd724c362"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84563,7 +84563,7 @@ rule ELASTIC_Linux_Trojan_Dropperl_E2443Be5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dropperl.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "aff94f915fc81d5a2649ebd7c21ec8a4c2fc0d622ec9b790b43cc49f7feb83da"
- logic_hash = "v1_sha256_85733ff904cfa3eddaa4c4fbfc51c00494c3a3725e2eb722bbf33c82e7135336"
+ logic_hash = "85733ff904cfa3eddaa4c4fbfc51c00494c3a3725e2eb722bbf33c82e7135336"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84592,7 +84592,7 @@ rule ELASTIC_Linux_Trojan_Dropperl_683C2Ba1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dropperl.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a02e166fbf002dd4217c012f24bb3a8dbe310a9f0b0635eb20a7d315049367e1"
- logic_hash = "v1_sha256_eef2bdef7e20633f7dc92f653b43e3a217e8cbdbac63d05540bdd520e22dd1ed"
+ logic_hash = "eef2bdef7e20633f7dc92f653b43e3a217e8cbdbac63d05540bdd520e22dd1ed"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84621,7 +84621,7 @@ rule ELASTIC_Linux_Trojan_Dropperl_8Bca73F6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dropperl.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e7c17b7916b38494b9a07c249acb99499808959ba67125c29afec194ca4ae36c"
- logic_hash = "v1_sha256_2cfad4e436198391185fdae5c4af18ae43841db19da33473fdf18b64b0399613"
+ logic_hash = "2cfad4e436198391185fdae5c4af18ae43841db19da33473fdf18b64b0399613"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84650,7 +84650,7 @@ rule ELASTIC_Linux_Trojan_Dropperl_C4018572 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dropperl.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c1515b3a7a91650948af7577b613ee019166f116729b7ff6309b218047141f6d"
- logic_hash = "v1_sha256_10d70540532c5c2984dc7e492672450924cb8f34c8158638191886057596b0a1"
+ logic_hash = "10d70540532c5c2984dc7e492672450924cb8f34c8158638191886057596b0a1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84679,7 +84679,7 @@ rule ELASTIC_Linux_Trojan_Dropperl_733C0330 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dropperl.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b303f241a2687dba8d7b4987b7a46b5569bd2272e2da3e0c5e597b342d4561b6"
- logic_hash = "v1_sha256_37bf7777e26e556f09b8cb0e7e3c8425226a6412c3bed0d95fdab7229b6f4815"
+ logic_hash = "37bf7777e26e556f09b8cb0e7e3c8425226a6412c3bed0d95fdab7229b6f4815"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84708,7 +84708,7 @@ rule ELASTIC_Linux_Trojan_Dropperl_39F4Cd0D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Dropperl.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c08e1347877dc77ad73c1e017f928c69c8c78a0e3c16ac5455668d2ad22500f3"
- logic_hash = "v1_sha256_5b61f54604b110d2c8efaf1782a2e520baac96c6d3e8d1eda0877475c504bf89"
+ logic_hash = "5b61f54604b110d2c8efaf1782a2e520baac96c6d3e8d1eda0877475c504bf89"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84737,7 +84737,7 @@ rule ELASTIC_Macos_Trojan_Fplayer_1C1Fae37 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Fplayer.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f57e651088dee2236328d09705cef5e98461e97d1eb2150c372d00ca7c685725"
- logic_hash = "v1_sha256_0d65717bdbac694ffb2535a1ff584f7ec2aa7b553a08d29113c6e2bd7b2ff1aa"
+ logic_hash = "0d65717bdbac694ffb2535a1ff584f7ec2aa7b553a08d29113c6e2bd7b2ff1aa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84766,7 +84766,7 @@ rule ELASTIC_Windows_Remoteadmin_Ultravnc_965F054A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_RemoteAdmin_UltraVNC.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "59bddb5ccdc1c37c838c8a3d96a865a28c75b5807415fd931eaff0af931d1820"
- logic_hash = "v1_sha256_a9b9d0958f09b23fa7b27ef7ec32b3feb98edca3be5a21552a3a2f50e3fd41c1"
+ logic_hash = "a9b9d0958f09b23fa7b27ef7ec32b3feb98edca3be5a21552a3a2f50e3fd41c1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84801,7 +84801,7 @@ rule ELASTIC_Linux_Trojan_Sambashell_F423755D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sambashell.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bd8a3728a59afbf433799578ef597b9a7211c8d62e87a25209398814851a77ea"
- logic_hash = "v1_sha256_b93c671fae87cd635679142d248cb2b754389ba3b416f3370ea331640eb906ab"
+ logic_hash = "b93c671fae87cd635679142d248cb2b754389ba3b416f3370ea331640eb906ab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84829,7 +84829,7 @@ rule ELASTIC_Linux_Trojan_Kinsing_196523Fa : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kinsing.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_baa5808fcf22700ae96844dbf8cb3bec52425eec365d2ba4c71b73ece11a69a2"
+ logic_hash = "baa5808fcf22700ae96844dbf8cb3bec52425eec365d2ba4c71b73ece11a69a2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84858,7 +84858,7 @@ rule ELASTIC_Linux_Trojan_Kinsing_7Cdbe9Fa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kinsing.yar#L20-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b3527e3d03a30fcf1fdaa73a1b3743866da6db088fbfa5f51964f519e22d05e6"
- logic_hash = "v1_sha256_c6f5d2cf0430301ec0eae57808100203b69428f258e0e6882fecbc762d73f4bf"
+ logic_hash = "c6f5d2cf0430301ec0eae57808100203b69428f258e0e6882fecbc762d73f4bf"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -84887,7 +84887,7 @@ rule ELASTIC_Linux_Trojan_Kinsing_2C1Ffe78 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kinsing.yar#L40-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b3527e3d03a30fcf1fdaa73a1b3743866da6db088fbfa5f51964f519e22d05e6"
- logic_hash = "v1_sha256_9561511710eef5877c5afa49890b77fbad31a6e312b5cd33fc01f91ff2a73583"
+ logic_hash = "9561511710eef5877c5afa49890b77fbad31a6e312b5cd33fc01f91ff2a73583"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -84916,7 +84916,7 @@ rule ELASTIC_Linux_Trojan_Kinsing_85276Fb4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kinsing.yar#L60-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b3527e3d03a30fcf1fdaa73a1b3743866da6db088fbfa5f51964f519e22d05e6"
- logic_hash = "v1_sha256_6919afd133e7e369eece10ea79d9d17a1a3fbb6210593395e0be157f8c262811"
+ logic_hash = "6919afd133e7e369eece10ea79d9d17a1a3fbb6210593395e0be157f8c262811"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84945,7 +84945,7 @@ rule ELASTIC_Windows_Trojan_Falsefont_D1F0D357 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_FalseFont.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614"
- logic_hash = "v1_sha256_af356dec77f773cec01626a3823dbea7e9d3719b9d152ec4057c0b97efabf0df"
+ logic_hash = "af356dec77f773cec01626a3823dbea7e9d3719b9d152ec4057c0b97efabf0df"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -84981,7 +84981,7 @@ rule ELASTIC_Linux_Exploit_CVE_2009_1897_6Cf0A073 : FILE MEMORY CVE_2009_1897
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2009_1897.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "85f371bf73ee6d8fcb6fa9a8a68b38c5e023151257fd549855c4c290cc340724"
- logic_hash = "v1_sha256_dcde454fda09cb6bc7b213b76d70eafd65d2601cfda70ff25c6940b55ce3adb6"
+ logic_hash = "dcde454fda09cb6bc7b213b76d70eafd65d2601cfda70ff25c6940b55ce3adb6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2009-1897"
@@ -85010,7 +85010,7 @@ rule ELASTIC_Linux_Trojan_Snowlight_F5C83D35 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Snowlight.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7d6652d8fa3748d7f58d7e15cefee5a48126d0209cf674818f55e9a68248be01"
- logic_hash = "v1_sha256_fef8f44e897a0f453be2f84d28886d27e261f8256c53c0425c5265b138ce5f40"
+ logic_hash = "fef8f44e897a0f453be2f84d28886d27e261f8256c53c0425c5265b138ce5f40"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85039,7 +85039,7 @@ rule ELASTIC_Linux_Ransomware_Conti_53A640F4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Conti.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201"
- logic_hash = "v1_sha256_b83a47664d8acce7de17ac5972d9fd5e708c8cd3d8ebedc2bacf1397fd25f5d3"
+ logic_hash = "b83a47664d8acce7de17ac5972d9fd5e708c8cd3d8ebedc2bacf1397fd25f5d3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85068,7 +85068,7 @@ rule ELASTIC_Linux_Ransomware_Conti_A89C26Cf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Conti.yar#L21-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7"
- logic_hash = "v1_sha256_301f3f3ece06a1cd6788db6e3003497b27470780eaaad95f40ed926e7623793e"
+ logic_hash = "301f3f3ece06a1cd6788db6e3003497b27470780eaaad95f40ed926e7623793e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85100,7 +85100,7 @@ rule ELASTIC_Linux_Hacktool_Fontonlake_68Ad8568 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Fontonlake.yar#L1-L30"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "717953f52318e7687fc95626561cc607d4875d77ff7e3cf5c7b21cf91f576fa4"
- logic_hash = "v1_sha256_63dd5769305c715e27e3c62160f7b0f65b57204009ed46383b5b477c67cfac8e"
+ logic_hash = "63dd5769305c715e27e3c62160f7b0f65b57204009ed46383b5b477c67cfac8e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85140,7 +85140,7 @@ rule ELASTIC_Windows_Trojan_Pony_D5516Fe8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Pony.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567"
- logic_hash = "v1_sha256_4a850d32fb28477e7e3fef2dda6ba327b800e2ebcae1a483970cde78f34a4ff7"
+ logic_hash = "4a850d32fb28477e7e3fef2dda6ba327b800e2ebcae1a483970cde78f34a4ff7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85175,7 +85175,7 @@ rule ELASTIC_Windows_Trojan_Twistedtinsel_Aa56E527 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_TwistedTinsel.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ef1cbdf9a23ae028a858e1d09529982eaeda61197ae029e091918690d3a86e2e"
- logic_hash = "v1_sha256_de31d0a5560baf6b37897eba3a637b00b539f542a2620983c3407a6898e003c7"
+ logic_hash = "de31d0a5560baf6b37897eba3a637b00b539f542a2620983c3407a6898e003c7"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -85205,7 +85205,7 @@ rule ELASTIC_Linux_Exploit_CVE_2017_100011_21025F50 : FILE MEMORY CVE_2017_10001
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2017_100011.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "32db88b2c964ce48e6d1397ca655075ea54ce298340af55ea890a2411a67d554"
- logic_hash = "v1_sha256_3ec54a7639ccfc019e01fa287f69a93af57087e2d67d0c8574a646afb9043db5"
+ logic_hash = "3ec54a7639ccfc019e01fa287f69a93af57087e2d67d0c8574a646afb9043db5"
 score = 75
 quality = 73
 tags = "FILE, MEMORY, CVE-2017-100011"
@@ -85234,7 +85234,7 @@ rule ELASTIC_Windows_Vulndriver_Rentdrv_B6711B6B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_RentDrv.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5"
- logic_hash = "v1_sha256_3b3d66fefb4f0efbc8b86687925eac25284a6efad3acc74ad4a627d975cd5e7b"
+ logic_hash = "3b3d66fefb4f0efbc8b86687925eac25284a6efad3acc74ad4a627d975cd5e7b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85264,7 +85264,7 @@ rule ELASTIC_Windows_Vulndriver_Rtcore_4Eeb2Ce5 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_RtCore.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd"
- logic_hash = "v1_sha256_f547bce6554c60e8f3ef8e128c05533cf1f35ce0ee414d5a1c5e9a205b05d8fe"
+ logic_hash = "f547bce6554c60e8f3ef8e128c05533cf1f35ce0ee414d5a1c5e9a205b05d8fe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -85294,7 +85294,7 @@ rule ELASTIC_Windows_Trojan_Babylonrat_0F66E73B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Babylonrat.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4278064ec50f87bb0471053c068b13955ed9d599434e687a64bf2060438a7511"
- logic_hash = "v1_sha256_66223dc9e2ef7330e26c91f0c82c555e96e4c794a637ab2cbe36410f3eca202a"
+ logic_hash = "66223dc9e2ef7330e26c91f0c82c555e96e4c794a637ab2cbe36410f3eca202a"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -85326,7 +85326,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_D7Bd0E5D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "afcfd67af99e437f553029ccf97b91ed0ca891f9bcc01c148c2b38c75482d671"
- logic_hash = "v1_sha256_1f87721fdfe58d029c0696bc99385a0052c771bc48b2c9ce01b72c3e42359654"
+ logic_hash = "1f87721fdfe58d029c0696bc99385a0052c771bc48b2c9ce01b72c3e42359654"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85355,7 +85355,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_69E1A763 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b04d9fabd1e8fc42d1fa8e90a3299a3c36e6f05d858dfbed9f5e90a84b68bcbb"
- logic_hash = "v1_sha256_d0dac8e2c9571d9e622c8c1250a54a7671ad1b9b00dba584c3741b714c22d8e0"
+ logic_hash = "d0dac8e2c9571d9e622c8c1250a54a7671ad1b9b00dba584c3741b714c22d8e0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85384,7 +85384,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_397A86Bd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "79c47a80ecc6e0f5f87749319f6d5d6a3f0fbff7c34082d747155b9b20510cde"
- logic_hash = "v1_sha256_6b46a82d1aea0357f5a48c9ae1d93e3d4d31bd98b9c9b4e0b0d0629e7f159499"
+ logic_hash = "6b46a82d1aea0357f5a48c9ae1d93e3d4d31bd98b9c9b4e0b0d0629e7f159499"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85413,7 +85413,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_37C3F8D3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "efbddf1020d0845b7a524da357893730981b9ee65a90e54976d7289d46d0ffd4"
- logic_hash = "v1_sha256_e7bdd185ea4227b0960c3e677e7d8ac7488d53eaa77efd631be828b2ca079bb8"
+ logic_hash = "e7bdd185ea4227b0960c3e677e7d8ac7488d53eaa77efd631be828b2ca079bb8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -85442,7 +85442,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_28A80546 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L81-L99" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "96cc225cf20240592e1dcc8a13a69f2f97637ed8bc89e30a78b8b2423991d850" - logic_hash = "v1_sha256_120e9f7cad0fc8aebd843374c0edca8cbb701882ab55a7f24aced1d80d8cd697" + logic_hash = "120e9f7cad0fc8aebd843374c0edca8cbb701882ab55a7f24aced1d80d8cd697" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85471,7 +85471,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_9D531F70 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L101-L119" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "36f2ce4e34faf42741f0a15f62e8b3477d69193bf289818e22d0e3ee3e906eb0" - logic_hash = "v1_sha256_87d3cb7049975d52f2a6d6aa10e6b6d0d008d166ca5f9889ad1413a573d8b58e" + logic_hash = "87d3cb7049975d52f2a6d6aa10e6b6d0d008d166ca5f9889ad1413a573d8b58e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85500,7 +85500,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_23A5C29A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L121-L139" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1320d7a2b5e3b65fe974a95374b4ea7ed1a5aa27d76cd3d9517d3a271121103f" - logic_hash = "v1_sha256_c2608e7ee73102e0737a859a18c5482877c6dc0e597d8a14d8d41f5e01a0b1f4" + logic_hash = "c2608e7ee73102e0737a859a18c5482877c6dc0e597d8a14d8d41f5e01a0b1f4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85529,7 +85529,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_Ea5703Ce : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L141-L159" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bec6eea63025e2afa5940d27ead403bfda3a7b95caac979079cabef88af5ee0b" - logic_hash = "v1_sha256_bbf0191ecff24fd24376fd3dec2e96644188ca4d26b4ca4f087e212bae2eab85" + logic_hash = "bbf0191ecff24fd24376fd3dec2e96644188ca4d26b4ca4f087e212bae2eab85" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85558,7 +85558,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_6A4F4255 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L161-L179" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8cfc38db2b860efcce5da40ce1e3992f467ab0b7491639d68d530b79529cda80" - logic_hash = "v1_sha256_133290dc7423174bb3b41b152bab038d118b47baaca52705b66fd9be01692a03" + logic_hash = "133290dc7423174bb3b41b152bab038d118b47baaca52705b66fd9be01692a03" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85587,7 +85587,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_9088D00B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L181-L199" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8abb2b058ec475b0b6fd0c994685db72e98d87ee3eec58e29cf5c324672df04a" - logic_hash = "v1_sha256_3ebc8cb6d647138e72194528dafc644c90222440855d657ec50109f11ff936da" + logic_hash = "3ebc8cb6d647138e72194528dafc644c90222440855d657ec50109f11ff936da" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85616,7 +85616,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_71024C4A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L201-L219" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "afe81c84dcb693326ee207ccd8aeed6ed62603ad3c8d361e8d75035f6ce7c80f" - logic_hash = "v1_sha256_0c66a3388fe8546ae180e52d50ef05a28755d24e47b3b56f390d5c6fcb0b89eb" + logic_hash = "0c66a3388fe8546ae180e52d50ef05a28755d24e47b3b56f390d5c6fcb0b89eb" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85645,7 +85645,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_D81368A3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L221-L239" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "71225e4702f2e0a0ecf79f7ec6c6a1efc95caf665fda93a646519f6f5744990b" - logic_hash = "v1_sha256_0e30c9ebd8f2d3a489180f114daf91a3655ce9075ae25ea3d6ef5be472d7721a" + logic_hash = "0e30c9ebd8f2d3a489180f114daf91a3655ce9075ae25ea3d6ef5be472d7721a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85674,7 +85674,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_97E9Cebe : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L241-L259" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b4ff62d92bd4d423379f26b37530776b3f4d927cc8a22bd9504ef6f457de4b7a" - logic_hash = "v1_sha256_8aad31db2646fb9971b9af886e30f6c5a62a9c7de86cb9dc9e1341ac3b7762eb" + logic_hash = "8aad31db2646fb9971b9af886e30f6c5a62a9c7de86cb9dc9e1341ac3b7762eb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85703,7 +85703,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_98Ff0F36 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L261-L279" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4c14aaf05149bb38bbff041432bf9574dd38e851038638aeb121b464a1e60dcc" - logic_hash = "v1_sha256_60f17855b08cfc51e497003cbb5ed25d9168fb29c57d8bfd7105b9b5e714e3a1" + logic_hash = "60f17855b08cfc51e497003cbb5ed25d9168fb29c57d8bfd7105b9b5e714e3a1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85732,7 +85732,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_1512Cf40 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L281-L299" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fc063a0e763894e86cdfcd2b1c73d588ae6ecb411c97df2a7a802cd85ee3f46d" - logic_hash = "v1_sha256_0d43e6a4bd5036c2b6adb61f2d7b11e625c20e9a3d29242c7c34cfc7708561be" + logic_hash = "0d43e6a4bd5036c2b6adb61f2d7b11e625c20e9a3d29242c7c34cfc7708561be" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85761,7 +85761,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_0D6005A1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L301-L319" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "230d46b39b036552e8ca6525a0d2f7faadbf4246cdb5e0ac9a8569584ef295d4" - logic_hash = "v1_sha256_c3fd32e7582f0900b94fe3ba6b6bcdf238f78e2e343d70d5b0196a968a41cf26" + logic_hash = "c3fd32e7582f0900b94fe3ba6b6bcdf238f78e2e343d70d5b0196a968a41cf26" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85790,7 +85790,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_E1Ff020A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L321-L339" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "5b611898f1605751a3d518173b5b3d4864b4bb4d1f8d9064cc90ad836dd61812" - logic_hash = "v1_sha256_be801989b9770f3b70217bd5f13795b5dd0b516209f631d900b6647e0afe8d98" + logic_hash = "be801989b9770f3b70217bd5f13795b5dd0b516209f631d900b6647e0afe8d98" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85819,7 +85819,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_102D6F7C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L341-L359" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bd40c2fbf775e3c8cb4de4a1c7c02bc4bcfa5b459855b2e5f1a8ab40f2fb1f9e" - logic_hash = "v1_sha256_52966eaaef5522e711dc89bd796b1e12019a8485ee789e8d5112d86f7e630170" + logic_hash = "52966eaaef5522e711dc89bd796b1e12019a8485ee789e8d5112d86f7e630170" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85848,7 +85848,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_9C8F3B1A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L361-L379" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "74d8344139c5deea854d8f82970e06fc6a51a6bf845e763de603bde7b8aa80ac" - logic_hash = "v1_sha256_f7ab9990b417c1c81903dcb7adaae910d20ea7fce6689d4846dd6002bea3e721" + logic_hash = "f7ab9990b417c1c81903dcb7adaae910d20ea7fce6689d4846dd6002bea3e721" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85877,7 +85877,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_76Cb94A9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L381-L399" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1320d7a2b5e3b65fe974a95374b4ea7ed1a5aa27d76cd3d9517d3a271121103f" - logic_hash = "v1_sha256_758ee41048c94576e7a872bfdacc6b6f2be3d460169905c876585037e11fdaa8" + logic_hash = "758ee41048c94576e7a872bfdacc6b6f2be3d460169905c876585037e11fdaa8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85906,7 +85906,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_616Afaa1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L401-L419" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0901672d2688660baa26fdaac05082c9e199c06337871d2ae40f369f5d575f71" - logic_hash = "v1_sha256_53a309a6a274558e4ae8cfa8f3e258f23dc9ceafab3be46351c00d24f5d790ec" + logic_hash = "53a309a6a274558e4ae8cfa8f3e258f23dc9ceafab3be46351c00d24f5d790ec" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85935,7 +85935,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_18Af74B2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L421-L439" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "52707aa413c488693da32bf2705d4ac702af34faee3f605b207db55cdcc66318" - logic_hash = "v1_sha256_d8ec9bd01fcabdd4a80e07287ecc85026007672bbc3cd2d4cbb2aef98da88ed5" + logic_hash = "d8ec9bd01fcabdd4a80e07287ecc85026007672bbc3cd2d4cbb2aef98da88ed5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -85964,7 +85964,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_1B76C066 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L441-L459" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f60302de1a0e756e3af9da2547a28da5f57864191f448e341af1911d64e5bc8b" - logic_hash = "v1_sha256_be239bc14d1adf05a5c6bf2b2557551566330644a049b256a7a5c0ab9549bd06" + logic_hash = "be239bc14d1adf05a5c6bf2b2557551566330644a049b256a7a5c0ab9549bd06" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -85993,7 +85993,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_B6Ea5Ee1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L461-L479" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "19b442c9aa229cd724ed9cbaa73f9dfaf0ed61aa3fd1bee7bf8ba964fc23a2b8" - logic_hash = "v1_sha256_529119e07aa0243afddc3141dc441c314c3f75bdf3aee473b8bb7749c95fa78a" + logic_hash = "529119e07aa0243afddc3141dc441c314c3f75bdf3aee473b8bb7749c95fa78a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86022,7 +86022,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_050Ac14C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L481-L499" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "36f2ce4e34faf42741f0a15f62e8b3477d69193bf289818e22d0e3ee3e906eb0" - logic_hash = "v1_sha256_c34b0ff3ce867a76ef57fad7642de7916fa7baebf1a2a8d514f7b74be7231fd4" + logic_hash = "c34b0ff3ce867a76ef57fad7642de7916fa7baebf1a2a8d514f7b74be7231fd4" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86051,7 +86051,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_Df937Caa : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L501-L519" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "19b442c9aa229cd724ed9cbaa73f9dfaf0ed61aa3fd1bee7bf8ba964fc23a2b8" - logic_hash = "v1_sha256_d76a6008576687088f28674fb752e1a79ad2046e0208a65c21d0fcd284812ad8" + logic_hash = "d76a6008576687088f28674fb752e1a79ad2046e0208a65c21d0fcd284812ad8" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86080,7 +86080,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_E9Ff82A8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L521-L539" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "62ea137e42ce32680066693f02f57a0fb03483f78c365dffcebc1f992bb49c7a" - logic_hash = "v1_sha256_9309aaad6643fa212bb04ce8dc7d24978839fe475f17d36e3b692320563b6fad" + logic_hash = "9309aaad6643fa212bb04ce8dc7d24978839fe475f17d36e3b692320563b6fad" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86109,7 +86109,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_A5267Ea3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L541-L559" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b342ceeef58b3eeb7a312038622bcce4d76fc112b9925379566b24f45390be7d" - logic_hash = "v1_sha256_081633b5aa0490dbffcc0b8ab9850b59dbbd67d947c0fe68d28338a352e94676" + logic_hash = "081633b5aa0490dbffcc0b8ab9850b59dbbd67d947c0fe68d28338a352e94676" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86138,7 +86138,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_4E9075E6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L561-L579" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "098bf2f1ce9d7f125e1c9618f349ae798a987316e95345c037a744964277f0fe" - logic_hash = "v1_sha256_fe117f65666b9eac19fa588ee631f9be7551a3a9e3695b7ecbb77806658678aa" + logic_hash = "fe117f65666b9eac19fa588ee631f9be7551a3a9e3695b7ecbb77806658678aa" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86166,7 +86166,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_3A8D0974 : FILE MEMORY reference = "193fe9ea690759f8e155458ef8f8e9efe9efc8c22ec8073bbb760e4f96b5aef7" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L581-L599" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_7039d461d8339d635a543fae2c6dbea284ce1b727d6585b69d8d621c603f37ac" + logic_hash = "7039d461d8339d635a543fae2c6dbea284ce1b727d6585b69d8d621c603f37ac" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86195,7 +86195,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_B9E6Ffdf : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L601-L619" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c0f3200a93f1be4589eec562c4f688e379e687d09c03d1d8850cc4b5f90f192a" - logic_hash = "v1_sha256_57d5b3eb5812a849d04695bdb1fb728a5ebd3bf5201ac3e7f36d37af0622eec2" + logic_hash = "57d5b3eb5812a849d04695bdb1fb728a5ebd3bf5201ac3e7f36d37af0622eec2" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86224,7 +86224,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_7Ef74003 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L621-L639" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a172cfecdec8ebd365603ae094a16e247846fdbb47ba7fd79564091b7e8942a0" - logic_hash = "v1_sha256_1bde07dbb88357fcc02171512725be94d9fc0427c03afb2d59fbd0658c5d8e2e" + logic_hash = "1bde07dbb88357fcc02171512725be94d9fc0427c03afb2d59fbd0658c5d8e2e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86253,7 +86253,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_1D0700B8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L641-L659" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "de59bee1793b88e7b48b6278a52e579770f5204e92042142cc3a9b2d683798dd" - logic_hash = "v1_sha256_a24264cb071d269c82718aed5bc5c6c955e1cb2c7a63fe74d4033bfa6adf8385" + logic_hash = "a24264cb071d269c82718aed5bc5c6c955e1cb2c7a63fe74d4033bfa6adf8385" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86282,7 +86282,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_55Beb2Ee : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L661-L679" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "edda1c6b3395e7f14dd201095c1e9303968d02c127ff9bf6c76af6b3d02e80ad" - logic_hash = "v1_sha256_8a31b4866100b35d559d50f5db6f80d51bced93f9aac3f0d2d1de71ba692a3c5" + logic_hash = "8a31b4866100b35d559d50f5db6f80d51bced93f9aac3f0d2d1de71ba692a3c5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86311,7 +86311,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_Fdd7340F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L681-L699" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "de59bee1793b88e7b48b6278a52e579770f5204e92042142cc3a9b2d683798dd" - logic_hash = "v1_sha256_fd39ba5cf050d23de0889feefa9cd74dfb6385a09aa9dba90dc1d5d6cb020867" + logic_hash = "fd39ba5cf050d23de0889feefa9cd74dfb6385a09aa9dba90dc1d5d6cb020867" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86340,7 +86340,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_E36A35B0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L701-L719" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ab6d8f09df67a86fed4faabe4127cc65570dbb9ec56a1bdc484e72b72476f5a4" - logic_hash = "v1_sha256_0572f584746a2af6f545798b25445fd4e764a9eecc01b7476e5c1af631eb314a" + logic_hash = "0572f584746a2af6f545798b25445fd4e764a9eecc01b7476e5c1af631eb314a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86369,7 +86369,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_6Dad0380 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L721-L739" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "628b1cc8ccdbe2ae0d4ef621da047e07e2532d00fe3d4da65f0a0bcab20fb546" - logic_hash = "v1_sha256_b305448d5517212adb7586e7af12842095e1a263520511329e40f0865fe4f81b" + logic_hash = "b305448d5517212adb7586e7af12842095e1a263520511329e40f0865fe4f81b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86398,7 +86398,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_E73F501E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L741-L759" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2f646ced4d05ba1807f8e08a46ae92ae3eea7199e4a58daf27f9bd0f63108266" - logic_hash = "v1_sha256_2f6187f3447f9409485e9e8aa047114aa3c38bcc338106c3ed8680152dff121a" + logic_hash = "2f6187f3447f9409485e9e8aa047114aa3c38bcc338106c3ed8680152dff121a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86427,7 +86427,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_5E56D076 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L761-L779" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "32e1cb0369803f817a0c61f25ca410774b4f37882cab966133b4f3e9c74fac09" - logic_hash = "v1_sha256_c8e2ebcffe8a169c2cc311c95538b674937fa87e06d2946a6ed3b0c1f039f7fc" + logic_hash = "c8e2ebcffe8a169c2cc311c95538b674937fa87e06d2946a6ed3b0c1f039f7fc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86456,7 +86456,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_54357231 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L781-L799" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "388b927b850b388e0a46a6c9a22b733d469e0f93dc053ebd78996e903b25e38a" - logic_hash = "v1_sha256_a895c9fd124d6bd55748093c3ef54606e5692285260aa21bd70dca02126239d2" + logic_hash = "a895c9fd124d6bd55748093c3ef54606e5692285260aa21bd70dca02126239d2" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86485,7 +86485,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_467C4D46 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L801-L819" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "388b927b850b388e0a46a6c9a22b733d469e0f93dc053ebd78996e903b25e38a" - logic_hash = "v1_sha256_b28f871365c1fa6315b1c2fc6698bdd224961972cd578db05c311406c239ac22" + logic_hash = "b28f871365c1fa6315b1c2fc6698bdd224961972cd578db05c311406c239ac22" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86514,7 +86514,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_E0Cca9Dc : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L821-L839" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383" - logic_hash = "v1_sha256_fa4089f74fc78e99427b4e8eda9f8348e042dc876c7281a4a2173c83076bfbd2" + logic_hash = "fa4089f74fc78e99427b4e8eda9f8348e042dc876c7281a4a2173c83076bfbd2" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86543,7 +86543,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_36E404E2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L841-L859" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "59a1d8aa677739f2edbb8bd34f566b31f19d729b0a115fef2eac8ab1d1acc383" - logic_hash = "v1_sha256_d38cc5714721c0b00cfa47cb9828fd76ff57ec8180e5cfe1fec67a092dd87904" + logic_hash = "d38cc5714721c0b00cfa47cb9828fd76ff57ec8180e5cfe1fec67a092dd87904" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86572,7 +86572,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_947Dcc5E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L861-L879" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "7c5a6ac425abe60e8ea5df5dfa8211a7c34a307048b4e677336b735237dcd8fd" - logic_hash = "v1_sha256_c4aac006561386fbfe0fa0fe3df6b6798d2915a3dbfb5384583ebf9b2f413115" + logic_hash = "c4aac006561386fbfe0fa0fe3df6b6798d2915a3dbfb5384583ebf9b2f413115" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86601,7 +86601,7 @@ rule ELASTIC_Linux_Cryptominer_Generic_B4C2D007 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Generic.yar#L881-L899" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e1e518ba226d30869e404b92bfa810bae27c8b1476766934961e80c44e39c738" - logic_hash = "v1_sha256_cb52d9233028918210b8bd3959a6649d75b5c6873befff0cf62d9e71dfecc302" + logic_hash = "cb52d9233028918210b8bd3959a6649d75b5c6873befff0cf62d9e71dfecc302" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86630,7 +86630,7 @@ rule ELASTIC_Windows_Vulndriver_Vmdrv_7C674F8E : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Vmdrv.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351" - logic_hash = "v1_sha256_87f29b861d5239c60e44541fe31ed90696068225b1b6d824dc9b06fcdb1597ae" + logic_hash = "87f29b861d5239c60e44541fe31ed90696068225b1b6d824dc9b06fcdb1597ae" score = 75 quality = 75 tags = "FILE" @@ -86661,7 +86661,7 @@ rule ELASTIC_Windows_Hacktool_Sharphound_5Adf9D6D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpHound.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1f74ed6e61880d19e53cde5b0d67a0507bfda0be661860300dcb0f20ea9a45f4" - logic_hash = "v1_sha256_2c9f38187866985109a42ffdf8940b5d195aadd3815b2de952b190d4b0b95c3c" + logic_hash = "2c9f38187866985109a42ffdf8940b5d195aadd3815b2de952b190d4b0b95c3c" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -86694,7 +86694,7 @@ rule ELASTIC_Windows_Trojan_Smokeloader_4E31426E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Smokeloader.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174" - logic_hash = "v1_sha256_44ac7659964519ae72f83076bcd1b3e5244eb9cadd9a3b123dda78b0e9e07424" + logic_hash = "44ac7659964519ae72f83076bcd1b3e5244eb9cadd9a3b123dda78b0e9e07424" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86723,7 +86723,7 @@ rule ELASTIC_Windows_Trojan_Smokeloader_4Ee15B92 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Smokeloader.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2" - logic_hash = "v1_sha256_7d5ba6a4cc1f1b87f7ea1963b41749f5488197ea28b31f20a235091236250463" + logic_hash = "7d5ba6a4cc1f1b87f7ea1963b41749f5488197ea28b31f20a235091236250463" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86752,7 +86752,7 @@ rule ELASTIC_Windows_Trojan_Smokeloader_Ea14B2A5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Smokeloader.yar#L41-L60" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "15fe237276b9c2c6ceae405c0739479d165b406321891c8a31883023e7b15d54" - logic_hash = "v1_sha256_8a96985902f82979f1512d4d30cfa41fd23562b8f86bf2f722351ef2adf4365f" + logic_hash = "8a96985902f82979f1512d4d30cfa41fd23562b8f86bf2f722351ef2adf4365f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86782,7 +86782,7 @@ rule ELASTIC_Windows_Trojan_Smokeloader_De52Ed44 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Smokeloader.yar#L62-L81" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c689a384f626616005d37a94e6a5a713b9eead1b819a238e4e586452871f6718" - logic_hash = "v1_sha256_95a60079a316016ca3f78f18e7920b962f5770bef4211dd70e37f45bbe069406" + logic_hash = "95a60079a316016ca3f78f18e7920b962f5770bef4211dd70e37f45bbe069406" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86812,7 +86812,7 @@ rule ELASTIC_Windows_Trojan_Smokeloader_Bf391Fe0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Smokeloader.yar#L83-L102" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fe2489230d024f5e0e7d0da0210f93e70248dc282192c092cbb5e0eddc7bd528" - logic_hash = "v1_sha256_8a697596f8aa9a2af230b294c64ee844fcb593814a070ebf10e084c18e7f5ac7" + logic_hash = "8a697596f8aa9a2af230b294c64ee844fcb593814a070ebf10e084c18e7f5ac7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -86842,7 +86842,7 @@ rule ELASTIC_Windows_Trojan_Smokeloader_A01Aa3Ab : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Smokeloader.yar#L104-L123" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3a189a736cfdfbb1e3789326c35cecfa901a2adccc08c66c5de1cac8e4c1791b" - logic_hash = "v1_sha256_385f93a98e71f8e78e2f916775bd8db182842c8439a2f15238780388b63e2e91" + logic_hash = "385f93a98e71f8e78e2f916775bd8db182842c8439a2f15238780388b63e2e91" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -86872,7 +86872,7 @@ rule ELASTIC_Windows_Trojan_Smokeloader_62Eb5427 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Smokeloader.yar#L125-L145"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "21e7fcce8ffb7826108800b6aee21d6b8ea9275975b639ed5ca9f8ddd747329e"
- logic_hash = "v1_sha256_e3c70731792a8fbf0b08443f6df3c42f44a548fa9d19be7ee98c677952600e5b"
+ logic_hash = "e3c70731792a8fbf0b08443f6df3c42f44a548fa9d19be7ee98c677952600e5b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -86903,7 +86903,7 @@ rule ELASTIC_Windows_Trojan_Raspberryrobin_4B4D6899 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RaspberryRobin.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2f0451f38adb74cb96c857de455887b00c5038b68210294c7f52b0b5ff64cc1e"
- logic_hash = "v1_sha256_bbafad9509b367e811e86cb8f2f64d9c1d59f82b5cd58a7af43325bb7fa9d9c3"
+ logic_hash = "bbafad9509b367e811e86cb8f2f64d9c1d59f82b5cd58a7af43325bb7fa9d9c3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -86932,7 +86932,7 @@ rule ELASTIC_Linux_Trojan_Azeela_Aad9D6Cc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Azeela.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6c476a7457ae07eca3d3d19eda6bb6b6b3fa61fa72722958b5a77caff899aaa6"
- logic_hash = "v1_sha256_8cd3c383ac2149e0cd18589bf838848d81b5ff72e3123a8b523ee2467023a8f6"
+ logic_hash = "8cd3c383ac2149e0cd18589bf838848d81b5ff72e3123a8b523ee2467023a8f6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -86962,7 +86962,7 @@ rule ELASTIC_Linux_Trojan_Xpmmap_7Dcc3534 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Xpmmap.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "765546a981921187a4a2bed9904fbc2ccb2a5876e0d45c72e79f04a517c1bda3"
- logic_hash = "v1_sha256_f88cc0f02797651e8cdf8e25b67a92f7825ec616b79df21daae798b613baf334"
+ logic_hash = "f88cc0f02797651e8cdf8e25b67a92f7825ec616b79df21daae798b613baf334"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -86991,7 +86991,7 @@ rule ELASTIC_Windows_Vulndriver_Ccprotect_0D3Ee86F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_CCProtect.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5f0cfe8357bb52b45068ddbac053e32bc38e6cb5e086746f5402657b0a5cfb1c"
- logic_hash = "v1_sha256_4da5cf6b5cd00f8f7ba6daf8e8b4c6161cf9e0166dea39943b32a54f35dfd6c2"
+ logic_hash = "4da5cf6b5cd00f8f7ba6daf8e8b4c6161cf9e0166dea39943b32a54f35dfd6c2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87022,7 +87022,7 @@ rule ELASTIC_Linux_Trojan_Shellbot_65Aa6568 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Shellbot.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "457d1f4e1db41a9bdbfad78a6815f42e45da16ad0252673b9a2b5dcefc02c47b"
- logic_hash = "v1_sha256_46558801151ddc2f25bf46a278719f027acca2a18d2a9fcb275f4d787fbb1f0b"
+ logic_hash = "46558801151ddc2f25bf46a278719f027acca2a18d2a9fcb275f4d787fbb1f0b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87051,7 +87051,7 @@ rule ELASTIC_Linux_Trojan_Nuker_12F26779 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Nuker.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "440105a62c75dea5575a1660fe217c9104dc19fb5a9238707fe40803715392bf"
- logic_hash = "v1_sha256_8bafbc2792bd4cacd309efd72d2d8787342685d66785ea41cb57c91519a3c545"
+ logic_hash = "8bafbc2792bd4cacd309efd72d2d8787342685d66785ea41cb57c91519a3c545"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87080,7 +87080,7 @@ rule ELASTIC_Windows_Ransomware_Wannacry_D9855102 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_WannaCry.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0b7878babbaf7c63d808f3ce32c7306cb785fdfb1ceb73be07fb48fdd091fdfb"
- logic_hash = "v1_sha256_5edf6a42c9f20de3819b46f24be243940b79e7e9004fee3d601794ea0b534cf1"
+ logic_hash = "5edf6a42c9f20de3819b46f24be243940b79e7e9004fee3d601794ea0b534cf1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87115,7 +87115,7 @@ rule ELASTIC_Linux_Virus_Staffcounter_D2D608A8 : FILE MEMORY
 reference = "06e562b54b7ee2ffee229c2410c9e2c42090e77f6211ce4b9fa26459ff310315"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Virus_Staffcounter.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e30f1312eb1cbbc4faba3f67527a4e0e955b5684a1ba58cdd82a7a0f1ce3d2b9"
+ logic_hash = "e30f1312eb1cbbc4faba3f67527a4e0e955b5684a1ba58cdd82a7a0f1ce3d2b9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87144,7 +87144,7 @@ rule ELASTIC_Linux_Ransomware_Ragnarlocker_9F5982B8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_RagnarLocker.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f668f74d8808f5658153ff3e6aee8653b6324ada70a4aa2034dfa20d96875836"
- logic_hash = "v1_sha256_c08579dc675a709add392a0189d01e05af61034b72f451d2b024c89c1299ee6c"
+ logic_hash = "c08579dc675a709add392a0189d01e05af61034b72f451d2b024c89c1299ee6c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87175,7 +87175,7 @@ rule ELASTIC_Windows_Ransomware_Royal_B7D42109 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Royal.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "491c2b32095174b9de2fd799732a6f84878c2e23b9bb560cd3155cbdc65e2b80"
- logic_hash = "v1_sha256_06f4a1487e97e0b8c1f5df380ab4f90b37ef0a508aba7dac272c16c8371d8143"
+ logic_hash = "06f4a1487e97e0b8c1f5df380ab4f90b37ef0a508aba7dac272c16c8371d8143"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87207,7 +87207,7 @@ rule ELASTIC_Windows_Ransomware_Lockbit_89E64044 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Lockbit.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d"
- logic_hash = "v1_sha256_bd504b078704b9f307a50c8556c143eee061015a9727670137aadc47ae93e2a6"
+ logic_hash = "bd504b078704b9f307a50c8556c143eee061015a9727670137aadc47ae93e2a6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87238,7 +87238,7 @@ rule ELASTIC_Windows_Ransomware_Lockbit_A1C60939 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Lockbit.yar#L23-L41"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0d6524b9a1d709ecd9f19f75fa78d94096e039b3d4592d13e8dbddf99867182d"
- logic_hash = "v1_sha256_6e6d88251e93f69788ad22fc915133f3ba0267984d6a5004d5ca44dcd9f5f052"
+ logic_hash = "6e6d88251e93f69788ad22fc915133f3ba0267984d6a5004d5ca44dcd9f5f052"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87267,7 +87267,7 @@ rule ELASTIC_Windows_Ransomware_Lockbit_369E1E94 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Lockbit.yar#L43-L67"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee"
- logic_hash = "v1_sha256_c34dafc024d85902b85fc3424573abb8781d6fab58edd86c255266db3635ce98"
+ logic_hash = "c34dafc024d85902b85fc3424573abb8781d6fab58edd86c255266db3635ce98"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87302,7 +87302,7 @@ rule ELASTIC_Windows_Ransomware_Darkside_D7Fc4594 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Darkside.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893"
- logic_hash = "v1_sha256_0083fb64955973e7dbbb35d08cb780fa0b4ff4d064c102dc8f86e29af8358bad"
+ logic_hash = "0083fb64955973e7dbbb35d08cb780fa0b4ff4d064c102dc8f86e29af8358bad"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87331,7 +87331,7 @@ rule ELASTIC_Windows_Ransomware_Darkside_Aceac5D9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Darkside.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bfb31c96f9e6285f5bb60433f2e45898b8a7183a2591157dc1d766be16c29893"
- logic_hash = "v1_sha256_888ab06b55b07879ee6b9a45c04f1a09c570aeb4be55c698300566d57fd47252"
+ logic_hash = "888ab06b55b07879ee6b9a45c04f1a09c570aeb4be55c698300566d57fd47252"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87360,7 +87360,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_1388212A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Mimikatz.yar#L1-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a"
- logic_hash = "v1_sha256_1b717453810455e3f530e399f5f9f163d1ad0d71a5464fa5c68aa82edd699cda"
+ logic_hash = "1b717453810455e3f530e399f5f9f163d1ad0d71a5464fa5c68aa82edd699cda"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -87413,7 +87413,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_674Fd079 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Mimikatz.yar#L45-L77"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a"
- logic_hash = "v1_sha256_f63f3de05dd4f4f40cda6df67b75e37d7baa82c4b4cafd3ebdca35adfb0b15f8"
+ logic_hash = "f63f3de05dd4f4f40cda6df67b75e37d7baa82c4b4cafd3ebdca35adfb0b15f8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87456,7 +87456,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_355D5D3A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Mimikatz.yar#L79-L112"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "945245ca795e0a3575ee4fdc174df9d377a598476c2bf4bf0cdb0cde4286af96"
- logic_hash = "v1_sha256_c6b48ab2cc92deb507d7eead1fb6381ee40b698e84d9eaac45288f95dbda66b3"
+ logic_hash = "c6b48ab2cc92deb507d7eead1fb6381ee40b698e84d9eaac45288f95dbda66b3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87500,7 +87500,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_71Fe23D9 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Mimikatz.yar#L114-L133"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "856687718b208341e7caeea2d96da10f880f9b5a75736796a1158d4c8755f678"
- logic_hash = "v1_sha256_6d1e84bb8532c6271ad3966055eac8d60ec019d8ae6632efb59463c35b46ad9b"
+ logic_hash = "6d1e84bb8532c6271ad3966055eac8d60ec019d8ae6632efb59463c35b46ad9b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87530,7 +87530,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_B393864F : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Mimikatz.yar#L135-L154"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe"
- logic_hash = "v1_sha256_d09cb7f753675e0b6ecd8a7977ca7f8d313e5d525f05170fc54b265c2ae6c188"
+ logic_hash = "d09cb7f753675e0b6ecd8a7977ca7f8d313e5d525f05170fc54b265c2ae6c188"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87560,7 +87560,7 @@ rule ELASTIC_Windows_Hacktool_Mimikatz_1Ff74F7E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Mimikatz.yar#L156-L175"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1b6aad500d45de7b076942d31b7c3e77487643811a335ae5ce6783368a4a5081"
- logic_hash = "v1_sha256_f47f760b4c373a073399c69681e76eb9dde6cfdb36c1cc31d7131376493931c0"
+ logic_hash = "f47f760b4c373a073399c69681e76eb9dde6cfdb36c1cc31d7131376493931c0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87590,7 +87590,7 @@ rule ELASTIC_Windows_Vulndriver_Hpportio_B31E3473 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_HpPortIo.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5"
- logic_hash = "v1_sha256_e449b45f3cf2836254614bbdc957aa7093162fc1acd672edd931d5f240503963"
+ logic_hash = "e449b45f3cf2836254614bbdc957aa7093162fc1acd672edd931d5f240503963"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87621,7 +87621,7 @@ rule ELASTIC_Linux_Exploit_CVE_2009_2698_12374E97 : FILE MEMORY CVE_2009_2698
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2009_2698.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "656fddc1bf4743a08a455628b6151076b81e604ff49c93d797fa49b1f7d09c2f"
- logic_hash = "v1_sha256_ed86a239b909681f2ab3503cfedf202dbe5f53a6f554cf4db13f08bee625c0b7"
+ logic_hash = "ed86a239b909681f2ab3503cfedf202dbe5f53a6f554cf4db13f08bee625c0b7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2009-2698"
@@ -87650,7 +87650,7 @@ rule ELASTIC_Linux_Exploit_CVE_2009_2698_Cc04Dddd : FILE MEMORY CVE_2009_2698
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2009_2698.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "502b73ea04095e8a7ec4e8d7cc306242b45850ad28690156754beac8cd8d7b2d"
- logic_hash = "v1_sha256_68daa56ca98cc8f713faa138432190d19c27f07b2182a1f82347a3bfc5821ebb"
+ logic_hash = "68daa56ca98cc8f713faa138432190d19c27f07b2182a1f82347a3bfc5821ebb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2009-2698"
@@ -87679,7 +87679,7 @@ rule ELASTIC_Linux_Trojan_Morpes_D2Ae1Edf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Morpes.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "14c4c297388afe4be47be091146aea6c6230880e9ea43759ef29fc1471c4b86b"
- logic_hash = "v1_sha256_27eb8b4d0f91477c2ac26a5e25bfc52903faf5501300ec40773d3fc6797c3218"
+ logic_hash = "27eb8b4d0f91477c2ac26a5e25bfc52903faf5501300ec40773d3fc6797c3218"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87708,7 +87708,7 @@ rule ELASTIC_Windows_Trojan_Tofsee_26124Fe4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Tofsee.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494"
- logic_hash = "v1_sha256_e765953dec7c7b2a1fbebf92c2fff46453c8258722ad5ca92ba4c7526a8b0c66"
+ logic_hash = "e765953dec7c7b2a1fbebf92c2fff46453c8258722ad5ca92ba4c7526a8b0c66"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87738,7 +87738,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_D6Cc23Af : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Biostar.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8"
- logic_hash = "v1_sha256_6a1f5de3a0daf446ceb812a9f5749410a3a7752dce44e935adc288c95816f59d"
+ logic_hash = "6a1f5de3a0daf446ceb812a9f5749410a3a7752dce44e935adc288c95816f59d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87769,7 +87769,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_68682378 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Biostar.yar#L23-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a"
- logic_hash = "v1_sha256_8510de6fc33bde153f3bd4d1bb8b0d98ce69aae479d242c6043ac8c712dbb888"
+ logic_hash = "8510de6fc33bde153f3bd4d1bb8b0d98ce69aae479d242c6043ac8c712dbb888"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87800,7 +87800,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_684A5123 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Biostar.yar#L45-L65"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e"
- logic_hash = "v1_sha256_7c0c7e14f9b5085a87e5dbe27feb8e49bdb4d2fdcfbcbc643999d7969d118240"
+ logic_hash = "7c0c7e14f9b5085a87e5dbe27feb8e49bdb4d2fdcfbcbc643999d7969d118240"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87831,7 +87831,7 @@ rule ELASTIC_Windows_Vulndriver_Biostar_E0B6Cf55 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Biostar.yar#L67-L85"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e"
- logic_hash = "v1_sha256_dccbf6fa46de1a8bc6438578b651055e2d02d15bd04461be74059e6fde40fca3"
+ logic_hash = "dccbf6fa46de1a8bc6438578b651055e2d02d15bd04461be74059e6fde40fca3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87860,7 +87860,7 @@ rule ELASTIC_Windows_Ransomware_Conti_89F3F6Fa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Conti.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe"
- logic_hash = "v1_sha256_4c1834e45d5e42f466249b75a89561ce1e88b9e3c07070e2833d4897fbed22ee"
+ logic_hash = "4c1834e45d5e42f466249b75a89561ce1e88b9e3c07070e2833d4897fbed22ee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87889,7 +87889,7 @@ rule ELASTIC_Macos_Backdoor_Keyboardrecord_832F7Bac : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Backdoor_Keyboardrecord.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6"
- logic_hash = "v1_sha256_5719681d50134edacb5341034314c33ed27e9325de0ae26b2a01d350429c533b"
+ logic_hash = "5719681d50134edacb5341034314c33ed27e9325de0ae26b2a01d350429c533b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -87922,7 +87922,7 @@ rule ELASTIC_Windows_Trojan_Sadbridge_6E83Eaeb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SadBridge.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b432cdd217b171f3ad4a8a959fa0357bd7917f078a9546aed1649af00fc4bda6"
- logic_hash = "v1_sha256_5883675a7c6f0271f26d70031a48ed59504ef4f01826e978124ab4876d23cbf2"
+ logic_hash = "5883675a7c6f0271f26d70031a48ed59504ef4f01826e978124ab4876d23cbf2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87951,7 +87951,7 @@ rule ELASTIC_Windows_Hacktool_Sleepobfloader_460A1A75 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SleepObfLoader.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "84b3bc58ec04ab272544d31f5e573c0dd7812b56df4fa445194e7466f280e16d"
- logic_hash = "v1_sha256_c0bc1b7ef71c1a91fc487f904315c6f187530ab39825f90f55ac36625d5b93cf"
+ logic_hash = "c0bc1b7ef71c1a91fc487f904315c6f187530ab39825f90f55ac36625d5b93cf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -87982,7 +87982,7 @@ rule ELASTIC_Windows_Vulndriver_Tmcomm_333F3851 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_TmComm.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64"
- logic_hash = "v1_sha256_a4464fb7edbacb6d9c8d6b385f9cc28685f0bed40876eecd5a7c87e0707e3025"
+ logic_hash = "a4464fb7edbacb6d9c8d6b385f9cc28685f0bed40876eecd5a7c87e0707e3025"
 score = 75
 quality = 75
 tags = "FILE"
@@ -88013,7 +88013,7 @@ rule ELASTIC_Windows_Vulndriver_Fiddrv_E7875A5A : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_FidDrv.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158"
- logic_hash = "v1_sha256_aa1635c651c8364ad2ee93b369dd583fce699001d753e46de013c476d185eef1"
+ logic_hash = "aa1635c651c8364ad2ee93b369dd583fce699001d753e46de013c476d185eef1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -88046,7 +88046,7 @@ rule ELASTIC_Windows_Trojan_Netwire_6A7Df287 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Netwire.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254"
- logic_hash = "v1_sha256_d5f36e2a81cf0a9037267d39266b4c31ca9c07b05fb9772e296aeac2da6051a5"
+ logic_hash = "d5f36e2a81cf0a9037267d39266b4c31ca9c07b05fb9772e296aeac2da6051a5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88075,7 +88075,7 @@ rule ELASTIC_Windows_Trojan_Netwire_1B43Df38 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Netwire.yar#L22-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254"
- logic_hash = "v1_sha256_bb0eb1c1969bc1416e933822843293c5d41bf9bc3d402fa5dbdc3cdf2f4b394a"
+ logic_hash = "bb0eb1c1969bc1416e933822843293c5d41bf9bc3d402fa5dbdc3cdf2f4b394a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88106,7 +88106,7 @@ rule ELASTIC_Windows_Trojan_Netwire_F85E4Abc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Netwire.yar#L45-L64"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ab037c87d8072c63dc22b22ff9cfcd9b4837c1fee2f7391d594776a6ac8f6776"
- logic_hash = "v1_sha256_af8fc8fff2e1a0b6c87ac6d24fecf2e1cefe6313ec66da13fddd1be25c1c3d92"
+ logic_hash = "af8fc8fff2e1a0b6c87ac6d24fecf2e1cefe6313ec66da13fddd1be25c1c3d92"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88135,7 +88135,7 @@ rule ELASTIC_Windows_Trojan_Netwire_F42Cb379 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Netwire.yar#L66-L90"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ab037c87d8072c63dc22b22ff9cfcd9b4837c1fee2f7391d594776a6ac8f6776"
- logic_hash = "v1_sha256_fc1436596987d3971a464e707ee6fd5689e7d2800df471c125c1e3f748537f5d"
+ logic_hash = "fc1436596987d3971a464e707ee6fd5689e7d2800df471c125c1e3f748537f5d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88169,7 +88169,7 @@ rule ELASTIC_Windows_Exploit_Rpcjunction_0405253B : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_RpcJunction.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "05588fe3d2aae1273e9d0b0ac00c867d92bcdea41c33661760dcbe84439e7949"
- logic_hash = "v1_sha256_c663285d81e00bf6b028cdb043da3c6d5033a0c100d9c626acfa26d67bc1c093"
+ logic_hash = "c663285d81e00bf6b028cdb043da3c6d5033a0c100d9c626acfa26d67bc1c093"
 score = 75
 quality = 75
 tags = "FILE"
@@ -88200,7 +88200,7 @@ rule ELASTIC_Windows_PUP_Veriato_Fae5978C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_PUP_Veriato.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "53f09e60b188e67cdbf28bda669728a1f83d47b0279debf3d0a8d5176479d17f"
- logic_hash = "v1_sha256_8ae6f8b2b6e3849b33e6a477af52982efe137d7ebeff0c92cee5667d75f05145"
+ logic_hash = "8ae6f8b2b6e3849b33e6a477af52982efe137d7ebeff0c92cee5667d75f05145"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88231,7 +88231,7 @@ rule ELASTIC_Windows_Hacktool_Sharpersist_06606812 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharPersist.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8"
- logic_hash = "v1_sha256_ddabfb54422f6fb2ad6999b724b1d8f186adf71f96f01a8770715029529e869a"
+ logic_hash = "ddabfb54422f6fb2ad6999b724b1d8f186adf71f96f01a8770715029529e869a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -88264,7 +88264,7 @@ rule ELASTIC_Windows_Trojan_Lurker_0Ee51802 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Lurker.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5718fd4f807e29e48a8b6a6f4484426ba96c61ec8630dc78677686e0c9ba2b87"
- logic_hash = "v1_sha256_782926c927dce82b95e51634d5607c474937e1edc0f7f739acefa0f4c03aa753"
+ logic_hash = "782926c927dce82b95e51634d5607c474937e1edc0f7f739acefa0f4c03aa753"
 score = 75
 quality = 75
 tags = "FILE"
@@ -88293,7 +88293,7 @@ rule ELASTIC_Linux_Ransomware_Echoraix_Ea9532Df : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_EchoRaix.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dfe32d97eb48fb2afc295eecfda3196cba5d27ced6217532d119a764071c6297"
- logic_hash = "v1_sha256_4944f5a2632bfe0abebfa6f658ed3f71e4d97efcb428ed0987e2071dfd66e6a9"
+ logic_hash = "4944f5a2632bfe0abebfa6f658ed3f71e4d97efcb428ed0987e2071dfd66e6a9"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -88322,7 +88322,7 @@ rule ELASTIC_Linux_Ransomware_Echoraix_Ee0C719A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_EchoRaix.yar#L21-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e711b2d9323582aa390cf34846a2064457ae065c7d2ee1a78f5ed0859b40f9c0"
- logic_hash = "v1_sha256_3ca12ea0f1794935ea570dda83f33d04ffb19b6664cc1c8b1cbeed59ac04a01a"
+ logic_hash = "3ca12ea0f1794935ea570dda83f33d04ffb19b6664cc1c8b1cbeed59ac04a01a"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -88352,7 +88352,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_364F3B7B : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0d4c43bf0cdd6486a4bcab988517e58b8c15d276f41600e596ecc28b0b728e69"
- logic_hash = "v1_sha256_5950195453232e4752b58c9e466c4df1b5ca2b22d5325730de69cd4178438aa7"
+ logic_hash = "5950195453232e4752b58c9e466c4df1b5ca2b22d5325730de69cd4178438aa7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88381,7 +88381,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_3A2Ed31B : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ebbf3bc39ec661e2029d88960a5608e348de92089099019348bc0e891841690f"
- logic_hash = "v1_sha256_30cd10e38cbda719d9c344efd813e9a19e738a5251e3622957c8349e94366a29"
+ logic_hash = "30cd10e38cbda719d9c344efd813e9a19e738a5251e3622957c8349e94366a29"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88410,7 +88410,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_7448814C : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e95d0783b635e34743109d090af17aef2e507e8c90060d171e71d9ac79e083ba"
- logic_hash = "v1_sha256_0024b2cc22bf6c2dfc3b73ba91080cea8d502659db38d94b19338382e2fc0c84"
+ logic_hash = "0024b2cc22bf6c2dfc3b73ba91080cea8d502659db38d94b19338382e2fc0c84"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88439,7 +88439,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_2Fa988E3 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "679392e78d4abefc05b885e43aaccc2da235bd7f2a267c6ecfbe2cf824776993"
- logic_hash = "v1_sha256_55c3992ca62ebaf8d45aff818d3261838d239f2004125689ea81edca2cfa59c2"
+ logic_hash = "55c3992ca62ebaf8d45aff818d3261838d239f2004125689ea81edca2cfa59c2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88468,7 +88468,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ea8801Ac : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7acccfd8c2e5555a3e3bf979ad2314c12a939c1ef32b66e61e30a712f07164fd"
- logic_hash = "v1_sha256_00a7f71a0559f937ace15465059147839598897467db6176040882d86111bcd2"
+ logic_hash = "00a7f71a0559f937ace15465059147839598897467db6176040882d86111bcd2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88497,7 +88497,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_B2Ebdebd : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dee49d4b7f406fd1728dad4dc217484ced2586e014e2cd265ea64eff70a2633d"
- logic_hash = "v1_sha256_a9d6ffa65b503f9aa13a0054fa92e346c86585418b6b72131efc00340f8ec224"
+ logic_hash = "a9d6ffa65b503f9aa13a0054fa92e346c86585418b6b72131efc00340f8ec224"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88526,7 +88526,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_9190D516 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "837ffed1f23293dc9c7cb994601488fc121751a249ffde51326947c33c5fca7f"
- logic_hash = "v1_sha256_370248d2b6bb625d65f160b62f1b4a7d2809f3fedfb98a009b19dab61f0ba57e"
+ logic_hash = "370248d2b6bb625d65f160b62f1b4a7d2809f3fedfb98a009b19dab61f0ba57e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88555,7 +88555,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_3B460716 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8c4d49d4881ebdab1bd0e083d4e644cfc8eb7af3b96664598526ab3d175fc420"
- logic_hash = "v1_sha256_759e08c9e3405d841aa467c3343cfac01fed9e9d86aca90139d0eae8855942e5"
+ logic_hash = "759e08c9e3405d841aa467c3343cfac01fed9e9d86aca90139d0eae8855942e5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88584,7 +88584,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ccfd7518 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L161-L179"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b1017db71cf195aa565c57fed91ff1cdfcce344dc76526256d5817018f1351bf"
- logic_hash = "v1_sha256_02720152af167f1a7e5707f97aa920c6d955458df58d8ef0d9eba868da6a16af"
+ logic_hash = "02720152af167f1a7e5707f97aa920c6d955458df58d8ef0d9eba868da6a16af"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88613,7 +88613,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_D41C2C63 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L181-L199"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a4e5751b4e8fa2e9b70e1e234f435a03290c414f9547dc7709ce2ee4263a35f1"
- logic_hash = "v1_sha256_c9460cfc2b6d686145be9afd3ed670619f04c7155b03caa193222cba8405160d"
+ logic_hash = "c9460cfc2b6d686145be9afd3ed670619f04c7155b03caa193222cba8405160d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88642,7 +88642,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ffa7F059 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L201-L219"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a073c6be047ea7b4500b1ffdc8bdadd9a06f9efccd38c88e0fc976b97b2b2df5"
- logic_hash = "v1_sha256_b558066b80232ceb32c625f49a0ddeccd4b3bc52e664e5a72f2aa7361bcec352"
+ logic_hash = "b558066b80232ceb32c625f49a0ddeccd4b3bc52e664e5a72f2aa7361bcec352"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88671,7 +88671,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Fb24C7E4 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L221-L239"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a073c6be047ea7b4500b1ffdc8bdadd9a06f9efccd38c88e0fc976b97b2b2df5"
- logic_hash = "v1_sha256_17a2a628f2d1fa088a1e0c5b2ad3f08e24b8504033b328c944b9ae83a5d12fcc"
+ logic_hash = "17a2a628f2d1fa088a1e0c5b2ad3f08e24b8504033b328c944b9ae83a5d12fcc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88700,7 +88700,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_B45098Df : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L241-L259"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e053aca86570b3781b3e08daab51382712270d2a375257c8b5789d3d87149314"
- logic_hash = "v1_sha256_4622551b73a12c5399df1f4e052ce32b4cee04486a870bc92942c8597dcad1f7"
+ logic_hash = "4622551b73a12c5399df1f4e052ce32b4cee04486a870bc92942c8597dcad1f7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88729,7 +88729,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_9C67A994 : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L261-L279"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "70429d67402a43ed801e295b1ae1757e4fccd5d786c09ee054591ae51dfc1b25"
- logic_hash = "v1_sha256_742ce59fadefe242ca97d8ce603976fa8b5e1ba55ede38434c04dcd6f4891712"
+ logic_hash = "742ce59fadefe242ca97d8ce603976fa8b5e1ba55ede38434c04dcd6f4891712"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88758,7 +88758,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_Ab87C1Ed : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L281-L299"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c13c32d3a14cbc9c2580b1c76625cce8d48c5ae683230149a3f41640655e7f28"
- logic_hash = "v1_sha256_737f5ff982d2b656918ad3258ca20bce2ec416f2af743335b9a87a86f78be810"
+ logic_hash = "737f5ff982d2b656918ad3258ca20bce2ec416f2af743335b9a87a86f78be810"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88787,7 +88787,7 @@ rule ELASTIC_Linux_Exploit_CVE_2016_5195_F1C0482A : FILE MEMORY CVE_2016_5195
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2016_5195.yar#L301-L319"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a12a1e8253ee1244b018fd3bdcb6b7729dfe16e06aed470f6b08344a110a4061"
- logic_hash = "v1_sha256_084ba60d8464ef5bf3a3aa942bb88caf447c6cee3ebf023157bd261226057663"
+ logic_hash = "084ba60d8464ef5bf3a3aa942bb88caf447c6cee3ebf023157bd261226057663"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2016-5195"
@@ -88816,7 +88816,7 @@ rule ELASTIC_Linux_Trojan_Sshdoor_5B78Aa01 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdoor.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2e1d909e4a6ba843194f9912826728bd2639b0f34ee512e0c3c9e5ce4d27828e"
- logic_hash = "v1_sha256_bcf285ac220b2b2ed9caf0943fa22ee830e5b26501c54a223e483a33e2fc63c0"
+ logic_hash = "bcf285ac220b2b2ed9caf0943fa22ee830e5b26501c54a223e483a33e2fc63c0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88845,7 +88845,7 @@ rule ELASTIC_Linux_Trojan_Sshdoor_1B443A9B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdoor.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a33112daa5a7d31ea1a1ca9b910475843b7d8c84d4658ccc00bafee044382709"
- logic_hash = "v1_sha256_4afcd7103a14d59abc08d9e03182a985e3d0250c09aad5e81fd110c6a95f29e0"
+ logic_hash = "4afcd7103a14d59abc08d9e03182a985e3d0250c09aad5e81fd110c6a95f29e0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88874,7 +88874,7 @@ rule ELASTIC_Linux_Trojan_Sshdoor_7C36D3Dd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdoor.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "def4de838d58c70f9f0ae026cdad3bf09b711a55af97ed20804fa1e34e7b59e9"
- logic_hash = "v1_sha256_c1b61fce7593a44e47043fac8a6356f9aa9e74b66db005400684a5a79b69a5cd"
+ logic_hash = "c1b61fce7593a44e47043fac8a6356f9aa9e74b66db005400684a5a79b69a5cd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88903,7 +88903,7 @@ rule ELASTIC_Linux_Trojan_Sshdoor_3E81B1B7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdoor.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "def4de838d58c70f9f0ae026cdad3bf09b711a55af97ed20804fa1e34e7b59e9"
- logic_hash = "v1_sha256_54253df560e6552a728dc2651c557bc23ae8ec4847760290701438821c52342e"
+ logic_hash = "54253df560e6552a728dc2651c557bc23ae8ec4847760290701438821c52342e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88932,7 +88932,7 @@ rule ELASTIC_Linux_Trojan_Sshdoor_Cde7Cfd4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdoor.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cd646a1d59c99b9e038098b91cdb63c3fe9b35bb10583bef0ab07260dbd4d23d"
- logic_hash = "v1_sha256_47967d90a6dbb4461e22998aff5b7e68b4b9007ea7e5e30574ae1f1cfcbaa573"
+ logic_hash = "47967d90a6dbb4461e22998aff5b7e68b4b9007ea7e5e30574ae1f1cfcbaa573"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88961,7 +88961,7 @@ rule ELASTIC_Linux_Trojan_Sshdoor_32D9Fb1B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdoor.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ee1f6dbea40d198e437e8c2ae81193472c89e41d1998bee071867dab1ce16b90"
- logic_hash = "v1_sha256_35ef4f3970484a46d705e6976a9932639d576717454b8e07ed24a72114d9c42d"
+ logic_hash = "35ef4f3970484a46d705e6976a9932639d576717454b8e07ed24a72114d9c42d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -88990,7 +88990,7 @@ rule ELASTIC_Linux_Trojan_Sshdoor_7C3Cfc62 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sshdoor.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ee1f6dbea40d198e437e8c2ae81193472c89e41d1998bee071867dab1ce16b90"
- logic_hash = "v1_sha256_da9804489f30b575d2b459f82570f5df07c1777f105cd373c4268f8a31fa4e43"
+ logic_hash = "da9804489f30b575d2b459f82570f5df07c1777f105cd373c4268f8a31fa4e43"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89019,7 +89019,7 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_A1311F49 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostPulse.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0175448655e593aa299278d5f11b81f2af76638859e104975bdb5d30af5c0c11"
- logic_hash = "v1_sha256_21838f230ac1a77f09d01d30f4ea3b66313618660e63ab7012b030e0b819547e"
+ logic_hash = "21838f230ac1a77f09d01d30f4ea3b66313618660e63ab7012b030e0b819547e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89048,7 +89048,7 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_3Fe1D02D : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/ghostpulse-haunts-victims-using-defense-evasion-bag-o-tricks"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostPulse.yar#L23-L41"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_4ef78d436a153ed751a8483c1e43ec2ba053dedfa0da2780fded42012d3042c1"
+ logic_hash = "4ef78d436a153ed751a8483c1e43ec2ba053dedfa0da2780fded42012d3042c1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89077,7 +89077,7 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_3673D337 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostPulse.yar#L43-L63"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3013ba32838f6d97d7d75e25394f9611b1c5def94d93588f0a05c90b25b7d6d5"
- logic_hash = "v1_sha256_a92815f27533338e17afd5ebdbe82e382636fb81167a82d1b613c0dccc5b7ed3"
+ logic_hash = "a92815f27533338e17afd5ebdbe82e382636fb81167a82d1b613c0dccc5b7ed3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89107,7 +89107,7 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_8Ae8310B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostPulse.yar#L65-L84"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5b64f91b41a7390d89cd3b1fccf02b08b18b7fed17a43b0bfac63d75dc0df083"
- logic_hash = "v1_sha256_b3873a3c728e98d65984033620c0ac8ee93be21db5b6d9bd4665b9f7d0d759fa"
+ logic_hash = "b3873a3c728e98d65984033620c0ac8ee93be21db5b6d9bd4665b9f7d0d759fa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89137,7 +89137,7 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_9E22C56D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostPulse.yar#L86-L106"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "349b4dfa1e93144b010affba926663264288a5cfcb7b305320f466b2551b93df"
- logic_hash = "v1_sha256_5dbd0d6a936a73e933181017c67c36fde7576b47643ec00848f7b58170bd9c6b"
+ logic_hash = "5dbd0d6a936a73e933181017c67c36fde7576b47643ec00848f7b58170bd9c6b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89168,7 +89168,7 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_Bb38Fcb3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostPulse.yar#L108-L127"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b54d9db283e6c958697bfc4f97a5dd0ba585bc1d05267569264a2d700f0799ae"
- logic_hash = "v1_sha256_95a7f663f0bac81a5426d722ec95e11f37fcde45cbf8ebd4e32b9f4c72873c2b"
+ logic_hash = "95a7f663f0bac81a5426d722ec95e11f37fcde45cbf8ebd4e32b9f4c72873c2b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89198,7 +89198,7 @@ rule ELASTIC_Windows_Trojan_Ghostpulse_Caea316B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostPulse.yar#L129-L147"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "454e898405a10ecc06b4243c25f86c855203722a4970dee4c4e1a4e8e75f5137"
- logic_hash = "v1_sha256_740dad0ce9d6b7c5a4125db9c6ad36e767bacba478ee627032b7fe00431c6d7b"
+ logic_hash = "740dad0ce9d6b7c5a4125db9c6ad36e767bacba478ee627032b7fe00431c6d7b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89227,7 +89227,7 @@ rule ELASTIC_Linux_Trojan_Malxmr_7054A0D0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Malxmr.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3a6b3552ffac13aa70e24fef72b69f683ac221105415efb294fb9a2fc81c260a"
- logic_hash = "v1_sha256_f7153fb11e0e4bf422021cc0fab99536c2a193198bf70d7f2af2fa5c1971c028"
+ logic_hash = "f7153fb11e0e4bf422021cc0fab99536c2a193198bf70d7f2af2fa5c1971c028"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -89256,7 +89256,7 @@ rule ELASTIC_Linux_Trojan_Malxmr_144994A5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Malxmr.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "07db41a4ddaac802b04df5e5bbae0881fead30cb8f6fa53a8a2e1edf14f2d36b"
- logic_hash = "v1_sha256_4d40337895e63d3dc6f0d94889863f0f5017533658210b902b08d84cf3588cab"
+ logic_hash = "4d40337895e63d3dc6f0d94889863f0f5017533658210b902b08d84cf3588cab"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -89285,7 +89285,7 @@ rule ELASTIC_Windows_Hacktool_Cheatengine_Fedac96D : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_CheatEngine.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b20b339a7b61dc7dbc9a36c45492ba9654a8b8a7c8cbc202ed1dfed427cfd799"
- logic_hash = "v1_sha256_426b6d388f86dd935d8165af0fb7c8491c987542755ec4c7c53a35a9003f8680"
+ logic_hash = "426b6d388f86dd935d8165af0fb7c8491c987542755ec4c7c53a35a9003f8680"
 score = 75
 quality = 35
 tags = "FILE"
@@ -89315,7 +89315,7 @@ rule ELASTIC_Windows_Ransomware_Helloxd_0C50F01B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Helloxd.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589"
- logic_hash = "v1_sha256_71e09fa1a00fa6f3688129ee2b2a8957b84f64ef51fcba5123a6a9df80a9c7e1"
+ logic_hash = "71e09fa1a00fa6f3688129ee2b2a8957b84f64ef51fcba5123a6a9df80a9c7e1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89351,7 +89351,7 @@ rule ELASTIC_Windows_Ransomware_Blackhunt_7B46Cb9C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_BlackHunt.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6c4e968c9b53906ba0e86a41eccdabe2b736238cb126852023e15850e956293d"
- logic_hash = "v1_sha256_97bb8436574fd814d8278e5a7043e011d0e4f9a7dd9df5e67605f28ac1af1e74"
+ logic_hash = "97bb8436574fd814d8278e5a7043e011d0e4f9a7dd9df5e67605f28ac1af1e74"
 score = 50
 quality = 75
 tags = "FILE, MEMORY"
@@ -89386,7 +89386,7 @@ rule ELASTIC_Linux_Exploit_Openssl_47C6Fad7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Openssl.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8024af0931dff24b5444f0b06a27366a776014358aa0b7fc073030958f863ef8"
- logic_hash = "v1_sha256_4c60071ecd7b826e692710ae11b09be30e7df5833bcaa8642fea014e12b9abd7"
+ logic_hash = "4c60071ecd7b826e692710ae11b09be30e7df5833bcaa8642fea014e12b9abd7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89415,7 +89415,7 @@ rule ELASTIC_Windows_Trojan_Lumma_693A5234 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Lumma.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88340abcdc3cfe7574ee044aea44808446daf3bb7bf9fc60b16a2b1360c5d9c0"
- logic_hash = "v1_sha256_2b29ac9bc73f191bdbfc92601cab923aa9f2f3380c8123ee469ced3754625dd0"
+ logic_hash = "2b29ac9bc73f191bdbfc92601cab923aa9f2f3380c8123ee469ced3754625dd0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89445,7 +89445,7 @@ rule ELASTIC_Windows_Trojan_Lumma_30608A8C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Lumma.yar#L22-L41"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "672e06b9729da0616b103c19d68b812bed33e3e12c788a584f13925f81d68129"
- logic_hash = "v1_sha256_1793a535db3fd7e8ad3db4b2de22efffabbcd3e91d89f36de71e95dc0fa9012f"
+ logic_hash = "1793a535db3fd7e8ad3db4b2de22efffabbcd3e91d89f36de71e95dc0fa9012f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89475,7 +89475,7 @@ rule ELASTIC_Windows_Trojan_Lumma_4Ad749B0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Lumma.yar#L43-L61"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1f953271bc983b3a561b85083bc14a13d18b81a34855d0a6d9fe902934347f92"
- logic_hash = "v1_sha256_2248fe539cd0ba17073f1e1650fb93fb755ebe4bc2505e11aa7db9635a0fcb8e"
+ logic_hash = "2248fe539cd0ba17073f1e1650fb93fb755ebe4bc2505e11aa7db9635a0fcb8e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89504,7 +89504,7 @@ rule ELASTIC_Windows_Trojan_Garble_Eae7F2F7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Garble.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4820a1ec99981e03675a86c4c01acba6838f04945b5f753770b3de4e253e1b8c"
- logic_hash = "v1_sha256_5d88579b0f0f71b8b4310c141fb243f39696e158227da0a1e0140b030b783c65"
+ logic_hash = "5d88579b0f0f71b8b4310c141fb243f39696e158227da0a1e0140b030b783c65"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89533,7 +89533,7 @@ rule ELASTIC_Windows_Trojan_Lobshot_013C1B0B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Lobshot.yar#L1-L30"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e4ea88887753a936eaf3361dcc00380b88b0c210dcbde24f8f7ce27991856bf6"
- logic_hash = "v1_sha256_e1fb245c3441c9bd393a47a9bed01bf7f62aa3ec36d460584d75e326e7e92ad4"
+ logic_hash = "e1fb245c3441c9bd393a47a9bed01bf7f62aa3ec36d460584d75e326e7e92ad4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89572,7 +89572,7 @@ rule ELASTIC_Linux_Shellcode_Generic_5669055F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "87ef4def16d956cdfecaea899cbb55ff59a6739bbb438bf44a8b5fec7fcfd85b"
- logic_hash = "v1_sha256_735b8dc7fff3c9cc96646a4eb7c5afd70be19dcc821e9e26ce906681130746be"
+ logic_hash = "735b8dc7fff3c9cc96646a4eb7c5afd70be19dcc821e9e26ce906681130746be"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89601,7 +89601,7 @@ rule ELASTIC_Linux_Shellcode_Generic_D2C96B1D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "403d53a65bd77856f7c565307af5003b07413f2aba50869655cdd88ce15b0c82"
- logic_hash = "v1_sha256_33d964e22c8e3046f114e8264d18e8b4a0e7b55eca59151b084db7eea07aa0b1"
+ logic_hash = "33d964e22c8e3046f114e8264d18e8b4a0e7b55eca59151b084db7eea07aa0b1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89630,7 +89630,7 @@ rule ELASTIC_Linux_Shellcode_Generic_30C70926 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a742e23f26726293b1bff3db72864471d6bb4062db1cc6e1c4241f51ec0e21b1"
- logic_hash = "v1_sha256_3594994a911e5428198c472a51de189a6be74895170581ec577c49f8dbb9167a"
+ logic_hash = "3594994a911e5428198c472a51de189a6be74895170581ec577c49f8dbb9167a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89659,7 +89659,7 @@ rule ELASTIC_Linux_Shellcode_Generic_224Bdcc4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bd22648babbee04555cef52bfe3e0285d33852e85d254b8ebc847e4e841b447e"
- logic_hash = "v1_sha256_8c4a2bb63f0926e7373caf0a027179b4730cc589f9af66d2071e88f4165b0f73"
+ logic_hash = "8c4a2bb63f0926e7373caf0a027179b4730cc589f9af66d2071e88f4165b0f73"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89688,7 +89688,7 @@ rule ELASTIC_Linux_Shellcode_Generic_99B991Cd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "954b5a073ce99075b60beec72936975e48787bea936b4c5f13e254496a20d81d"
- logic_hash = "v1_sha256_664e213314fe1d6f1920de237ebea3a94f7fbc42eff089475674ccef812f0f68"
+ logic_hash = "664e213314fe1d6f1920de237ebea3a94f7fbc42eff089475674ccef812f0f68"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89717,7 +89717,7 @@ rule ELASTIC_Linux_Shellcode_Generic_24B9Aa12 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "24b2c1ccbbbe135d40597fbd23f7951d93260d0039e0281919de60fa74eb5977"
- logic_hash = "v1_sha256_4685253eb00a21d6dd6e874ff68209f20c8668262f24767086687555ccf934aa"
+ logic_hash = "4685253eb00a21d6dd6e874ff68209f20c8668262f24767086687555ccf934aa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89746,7 +89746,7 @@ rule ELASTIC_Linux_Shellcode_Generic_8Ac37612 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c199b902fa4b0fcf54dc6bf3e25ad16c12f862b47e055863a5e9e1f98c6bd6ca"
- logic_hash = "v1_sha256_c0af751bc54dcd9cf834fa5fe9fa120be5e49a56135ebb72fd6073948e956929"
+ logic_hash = "c0af751bc54dcd9cf834fa5fe9fa120be5e49a56135ebb72fd6073948e956929"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89775,7 +89775,7 @@ rule ELASTIC_Linux_Shellcode_Generic_932Ed0F0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Shellcode_Generic.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f357597f718f86258e7a640250f2e9cf1c3363ab5af8ddbbabb10ebfa3c91251"
- logic_hash = "v1_sha256_20ae3f1d96f8afd0900ac919eacaff3bd748a7466af5bb2b9f77cfdc4b8b829e"
+ logic_hash = "20ae3f1d96f8afd0900ac919eacaff3bd748a7466af5bb2b9f77cfdc4b8b829e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89804,7 +89804,7 @@ rule ELASTIC_Linux_Ransomware_Sfile_9E347B52 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_SFile.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "49473adedc4ee9b1252f120ad8a69e165dc62eabfa794370408ae055ec65db9d"
- logic_hash = "v1_sha256_394571fd5746132d15da97428c3afc149435d91d5432eadf1c838d4a6433c7c1"
+ logic_hash = "394571fd5746132d15da97428c3afc149435d91d5432eadf1c838d4a6433c7c1"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -89834,7 +89834,7 @@ rule ELASTIC_Windows_Trojan_Pikabot_8C6750B5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PikaBot.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1"
- logic_hash = "v1_sha256_03e36f927513625d1dd997c79843b1b14e344e8411155740213d7aff9794c5c6"
+ logic_hash = "03e36f927513625d1dd997c79843b1b14e344e8411155740213d7aff9794c5c6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89868,7 +89868,7 @@ rule ELASTIC_Windows_Trojan_Pikabot_5B220E9C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PikaBot.yar#L27-L52"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d836b06b0118e6d258e318b1cfdc509cacc0859c6a6b3d7c5f4d2525e00d97b2"
- logic_hash = "v1_sha256_1d2158716b7c32734f12f8528352a3872e21fea2f9b21a36d6ac44fcd50a9f3c"
+ logic_hash = "1d2158716b7c32734f12f8528352a3872e21fea2f9b21a36d6ac44fcd50a9f3c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -89902,7 +89902,7 @@ rule ELASTIC_Windows_Trojan_Pikabot_5441F511 : FILE MEMORY reference = "https://www.elastic.co/security-labs/pikabot-i-choose-you" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PikaBot.yar#L54-L78" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_fa44408874c6a007212dfc206cbecbac7a3e50df94da4ce02de2e04e9119c79f" + logic_hash = "fa44408874c6a007212dfc206cbecbac7a3e50df94da4ce02de2e04e9119c79f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -89936,7 +89936,7 @@ rule ELASTIC_Windows_Trojan_Pikabot_95Db8B5A : FILE MEMORY reference = "https://www.elastic.co/security-labs/pikabot-i-choose-you" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PikaBot.yar#L80-L103" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_74073ceae1b26b953b7644d56a2ec92993b83802a30ce82c6921df5448ebab06" + logic_hash = "74073ceae1b26b953b7644d56a2ec92993b83802a30ce82c6921df5448ebab06" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -89970,7 +89970,7 @@ rule ELASTIC_Linux_Exploit_CVE_2021_4034_1C8F235D : FILE CVE_2021_4034 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2021_4034.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b" - logic_hash = "v1_sha256_217df6687076a715712a053672d7b02567a3ee38ce9c0ccf80d23fcfde35592a" + logic_hash = "217df6687076a715712a053672d7b02567a3ee38ce9c0ccf80d23fcfde35592a" score = 75 quality = 75 tags = "FILE, CVE-2021-4034" 
@@ -90000,7 +90000,7 @@ rule ELASTIC_Macos_Infostealer_Mdquerytcc_142313Cb : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Infostealer_MdQueryTCC.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d895075057e491b34b0f8c0392b44e43ade425d19eaaacea6ef8c5c9bd3487d8" - logic_hash = "v1_sha256_e00015867ad0a0c440a49364945fe828d50675ecfd2039028653d97c77cff323" + logic_hash = "e00015867ad0a0c440a49364945fe828d50675ecfd2039028653d97c77cff323" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90028,7 +90028,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_1Cab7Ea1 : BETA FILE MEMORY reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ragnarok.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_8bae3ea4304473209fc770673b680154bf227ce30f6299101d93fe830da0fe91" + logic_hash = "8bae3ea4304473209fc770673b680154bf227ce30f6299101d93fe830da0fe91" score = 75 quality = 73 tags = "BETA, FILE, MEMORY" 
@@ -90057,7 +90057,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_7E802F95 : BETA FILE MEMORY reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ragnarok.yar#L22-L42" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_8f293cdbdc3c395e18c304dfa43d0dcdb52b18bde5b5d084190ceec70aea6cbd" + logic_hash = "8f293cdbdc3c395e18c304dfa43d0dcdb52b18bde5b5d084190ceec70aea6cbd" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -90087,7 +90087,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_Efafbe48 : BETA FILE MEMORY reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ragnarok.yar#L44-L71" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_c9d203620e0e6e04d717595ca70a5e5efa74abfc11e4e732d729caab2d246c27" + logic_hash = "c9d203620e0e6e04d717595ca70a5e5efa74abfc11e4e732d729caab2d246c27" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -90124,7 +90124,7 @@ rule ELASTIC_Windows_Ransomware_Ragnarok_5625D3F6 : BETA FILE MEMORY reference = "https://twitter.com/malwrhunterteam/status/1256263426441125888?s=20" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ragnarok.yar#L73-L95" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_8c22cf9dfbeba7391f6d2370c88129650ef4c778464e676752de1d0fd9c5b34e" + logic_hash = "8c22cf9dfbeba7391f6d2370c88129650ef4c778464e676752de1d0fd9c5b34e" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -90157,7 +90157,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_6Cab0Ec0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42" - logic_hash = "v1_sha256_c19fe812b74b034bfb42c0e2ee552d879ed038e054c5870b85e7e610d3184198" + logic_hash = "c19fe812b74b034bfb42c0e2ee552d879ed038e054c5870b85e7e610d3184198" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90186,7 +90186,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_293Bfea9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L21-L42" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42" - logic_hash = "v1_sha256_b8bd0d034a6306f99333723d77724ae53c1a189dad3fad7417f2d2fde214c24a" + logic_hash = "b8bd0d034a6306f99333723d77724ae53c1a189dad3fad7417f2d2fde214c24a" score = 75 quality = 71 tags = "FILE, MEMORY" @@ -90218,7 +90218,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_448Fa81D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L44-L64" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "7ab5490dca314b442181f9a603252ad7985b719c8aa35ddb4c3aa4b26dcc8a42" - logic_hash = "v1_sha256_ab0608920b9f632bad99e1358f21a88bc6048f46fca21a488a1a10b7ef1e42ae" + logic_hash = "ab0608920b9f632bad99e1358f21a88bc6048f46fca21a488a1a10b7ef1e42ae" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90248,7 +90248,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_768Df39D : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/shell_reverse_tcp.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L66-L85" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_140ba93d57b27325f66b36132ecaab205663e3e582818baf377e050802c8d152" + logic_hash = "140ba93d57b27325f66b36132ecaab205663e3e582818baf377e050802c8d152" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90277,7 +90277,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_7Ce0B709 : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/shell_bind_tcp.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L87-L106" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_56fc05ece464d562ff6e56247756454c940c07b03c4a4c783b2bae4d5807247a" + logic_hash = "56fc05ece464d562ff6e56247756454c940c07b03c4a4c783b2bae4d5807247a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90306,7 +90306,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_F11Ccdac : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/shell_find_port.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L108-L127" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_fcf578d3e98b591b33cb6f4bec1b9e92a7e1a88f0b56f3c501f9089d2094289c" + logic_hash = "fcf578d3e98b591b33cb6f4bec1b9e92a7e1a88f0b56f3c501f9089d2094289c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90335,7 +90335,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_D9B16F4C : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/vforkshell_bind_tcp.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L129-L148" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_8e082878fb52f6314ec8c725dd279447ee8a0fc403c47ffd997712adb496e7c3" + logic_hash = "8e082878fb52f6314ec8c725dd279447ee8a0fc403c47ffd997712adb496e7c3" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90364,7 +90364,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_2992B917 : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x86/vforkshell_reverse_tcp.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L150-L169" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_10056ffb719092f83ad236a63ef6fa1f40568e500c042bd737575997bb67a8ec" + logic_hash = "10056ffb719092f83ad236a63ef6fa1f40568e500c042bd737575997bb67a8ec" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90393,7 +90393,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_27D409F1 : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/osx/x64/shell_bind_tcp.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L171-L190" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_b757e0ab6665a3e4846c6bbe4386e9d9a730ece00a2453933ce771aec2dd716e" + logic_hash = "b757e0ab6665a3e4846c6bbe4386e9d9a730ece00a2453933ce771aec2dd716e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90422,7 +90422,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_65A2394B : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stages/osx/x86/vforkshell.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L192-L211" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_f01f671b0bf9fa53aa3383c88ba871742f0e55dbdae4278f440ed29f35eb1ca1" + logic_hash = "f01f671b0bf9fa53aa3383c88ba871742f0e55dbdae4278f440ed29f35eb1ca1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90451,7 +90451,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_C7B7A90B : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/osx/x86/reverse_tcp.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L213-L232" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_d4b1f01bf8434dd69188d2ad0b376fad3a4d9c94ebe74d40f05019baf95b5496" + logic_hash = "d4b1f01bf8434dd69188d2ad0b376fad3a4d9c94ebe74d40f05019baf95b5496" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90480,7 +90480,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_4Bd6Aaca : FILE MEMORY reference = "https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/osx/x86/bind_tcp.rb" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L234-L253" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_a3de610ced90679f6fa0dcdf7890a64369c774839ea30018a7ef6fe9289d3d17" + logic_hash = "a3de610ced90679f6fa0dcdf7890a64369c774839ea30018a7ef6fe9289d3d17" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90510,7 +90510,7 @@ rule ELASTIC_Macos_Trojan_Metasploit_5E5B685F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Metasploit.yar#L255-L273" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "cdf0a3c07ef1479b53d49b8f22a9f93adcedeea3b869ef954cc043e54f65c3d0" - logic_hash = "v1_sha256_003fb4f079b125f37899a2b3cb62d80edd5b3e5ccbed5bc1ea514a4a173d329d" + logic_hash = "003fb4f079b125f37899a2b3cb62d80edd5b3e5ccbed5bc1ea514a4a173d329d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90539,7 +90539,7 @@ rule ELASTIC_Windows_Trojan_Beam_E41B243A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Beam.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "233a1f1dcbb679d31dab7744358b434cccabfc752baf53ba991388ced098f7c8" - logic_hash = "v1_sha256_295837743ecfa51e1713d19cba24ff8885c8716201caac058ae8b2bc9e008e6c" + logic_hash = "295837743ecfa51e1713d19cba24ff8885c8716201caac058ae8b2bc9e008e6c" score = 75 quality = 69 tags = "FILE, MEMORY" @@ -90571,7 +90571,7 @@ rule ELASTIC_Windows_Trojan_Beam_5A951D13 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Beam.yar#L24-L42" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "233a1f1dcbb679d31dab7744358b434cccabfc752baf53ba991388ced098f7c8" - logic_hash = "v1_sha256_3419b649717b69f07334bd966f438dd0b77f03572fe14f4b88ce95a2a86cae07" + logic_hash = "3419b649717b69f07334bd966f438dd0b77f03572fe14f4b88ce95a2a86cae07" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90600,7 +90600,7 @@ rule ELASTIC_Windows_Trojan_Afdk_C952Fcfa : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Afdk.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6723a9489e7cfb5e2d37ff9160d55cda065f06907122d73764849808018eb7a0" - logic_hash = "v1_sha256_a0589a3bf9e733e615b6e552395b3ff513e4fad7efd7d2ebea634aa91d2f60d9" + logic_hash = "a0589a3bf9e733e615b6e552395b3ff513e4fad7efd7d2ebea634aa91d2f60d9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90629,7 +90629,7 @@ rule ELASTIC_Windows_Trojan_Afdk_5F8Cc135 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Afdk.yar#L21-L41" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6723a9489e7cfb5e2d37ff9160d55cda065f06907122d73764849808018eb7a0" - logic_hash = "v1_sha256_0523a0cc3a4446f2ac88c72999568313c6b40f7f8975b8e332c0c6b1e48c5d76" + logic_hash = "0523a0cc3a4446f2ac88c72999568313c6b40f7f8975b8e332c0c6b1e48c5d76" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90660,7 +90660,7 @@ rule ELASTIC_Windows_Ransomware_Grief_9953339A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Grief.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0864575d4f487e52a1479c61c2c4ad16742d92e16d0c10f5ed2b40506bbc6ca0" - logic_hash = "v1_sha256_f99ea1e1f59dc2999659cbe649e76001dd7139b1438440717b60f081d1e99d70" + logic_hash = "f99ea1e1f59dc2999659cbe649e76001dd7139b1438440717b60f081d1e99d70" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90689,7 +90689,7 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_21B60705 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Rhadamanthys.yar#L1-L25" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3ba97c51ba503fa4bdcfd5580c75436bc88794b4ae883afa1d92bb0b2a0f5efe" - logic_hash = "v1_sha256_ef3f60689d72553111b42b27e0a1a0316288ae07fbfaf159eea8c76380d528fa" + logic_hash = "ef3f60689d72553111b42b27e0a1a0316288ae07fbfaf159eea8c76380d528fa" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -90724,7 +90724,7 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_1Da1C2C2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Rhadamanthys.yar#L27-L52" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9bfc4fed7afc79a167cac173bf3602f9d1f90595d4e41dab68ff54973f2cedc1" - logic_hash = "v1_sha256_bf5d45fe79dacfc6aee5cfd788ec6ce77e99e55d5a6d294da57c126bedf75ee9" + logic_hash = "bf5d45fe79dacfc6aee5cfd788ec6ce77e99e55d5a6d294da57c126bedf75ee9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90760,7 +90760,7 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_Ae00F48C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Rhadamanthys.yar#L54-L74" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "56b5ff5132ec1c5836223ced287d51a9ecee8d2b081f449245e136b1262a8714" - logic_hash = "v1_sha256_423b68717a7aead3c871e7fc744e35dad1cfd7727bfba2bdaec69fb782540380" + logic_hash = "423b68717a7aead3c871e7fc744e35dad1cfd7727bfba2bdaec69fb782540380" score = 75 quality = 71 tags = "FILE, MEMORY" 
@@ -90791,7 +90791,7 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_Cf5Dd2E2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Rhadamanthys.yar#L76-L97" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "39ccc224c2c6d89d0bce3d9e2c677465cbc7524f2d2aa903f79ad26b340dec3d" - logic_hash = "v1_sha256_039d6de0d072be6717ba3eb90735d7b4898d3bbac83db4feb75efcdbca8fd98b" + logic_hash = "039d6de0d072be6717ba3eb90735d7b4898d3bbac83db4feb75efcdbca8fd98b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90823,7 +90823,7 @@ rule ELASTIC_Windows_Trojan_Rhadamanthys_C4760266 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Rhadamanthys.yar#L99-L117" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165" - logic_hash = "v1_sha256_b8c1c56681aac4e1b1741dfa3ea929677214873b6f1795423a80742f699249de" + logic_hash = "b8c1c56681aac4e1b1741dfa3ea929677214873b6f1795423a80742f699249de" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90852,7 +90852,7 @@ rule ELASTIC_Windows_Trojan_Lokibot_1F885282 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Lokibot.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409" - logic_hash = "v1_sha256_c76941a83e18f11ed5af701e89616d324ddba613a95069997ea8f1830f328307" + logic_hash = "c76941a83e18f11ed5af701e89616d324ddba613a95069997ea8f1830f328307" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90881,7 +90881,7 @@ rule ELASTIC_Windows_Trojan_Lokibot_0F421617 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Lokibot.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080" - logic_hash = "v1_sha256_0076ccbe43ae77e3a80164d43832643f077e659a595fff01c87694e2274c5e86" + logic_hash = "0076ccbe43ae77e3a80164d43832643f077e659a595fff01c87694e2274c5e86" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90909,7 +90909,7 @@ rule ELASTIC_Windows_Trojan_P8Loader_E478A831 : FILE MEMORY reference = "https://www.elastic.co/security-labs/elastic-charms-spectralviper" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_P8Loader.yar#L1-L26" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_f1a7de6bb4477ea82c18aea1ddc4481de2fc362ce5321f4205bb3b74c1c45a7e" + logic_hash = "f1a7de6bb4477ea82c18aea1ddc4481de2fc362ce5321f4205bb3b74c1c45a7e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -90945,7 +90945,7 @@ rule ELASTIC_Windows_Trojan_Stealc_B8Ab9Ab5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Stealc.yar#L1-L27" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0d1c07c84c54348db1637e21260dbed09bd6b7e675ef58e003d0fe8f017fd2c8" - logic_hash = "v1_sha256_5fc5d5cea481d1d204d1aa6c52679a23eb59438df2fe547d14c00524772867bb" + logic_hash = "5fc5d5cea481d1d204d1aa6c52679a23eb59438df2fe547d14c00524772867bb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -90982,7 +90982,7 @@ rule ELASTIC_Windows_Trojan_Stealc_A2B71Dc4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Stealc.yar#L29-L50" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0d1c07c84c54348db1637e21260dbed09bd6b7e675ef58e003d0fe8f017fd2c8" - logic_hash = "v1_sha256_b79ac3e65cd7d2819d6a49f59ec661241c97174f66a7c4ada91932f10fc43583" + logic_hash = "b79ac3e65cd7d2819d6a49f59ec661241c97174f66a7c4ada91932f10fc43583" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91014,7 +91014,7 @@ rule ELASTIC_Windows_Trojan_Stealc_5D3F297C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Stealc.yar#L52-L70" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "885c8cd8f7ad93f0fd43ba4fb7f14d94dfdee3d223715da34a6e2fbb4d25b9f4" - logic_hash = "v1_sha256_556d3bc9374a5ec23faa410900dfc94b5534434c9733165355d281976444a42b" + logic_hash = "556d3bc9374a5ec23faa410900dfc94b5534434c9733165355d281976444a42b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91043,7 +91043,7 @@ rule ELASTIC_Linux_Cryptominer_Presenoker_3Bb5533D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Presenoker.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bbc155c610c7aa439f98e32f97895d7eeaef06dab7cca05a5179b0eb3ba3cc00" - logic_hash = "v1_sha256_13bf69ea6bc7df5ba9ebffe67234657f2ecab99e28fd76d0bbedceaf9706a4dd" + logic_hash = "13bf69ea6bc7df5ba9ebffe67234657f2ecab99e28fd76d0bbedceaf9706a4dd" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91072,7 +91072,7 @@ rule ELASTIC_Windows_Hacktool_Sharpmove_05E28928 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpMove.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "051f60f9f4665b96f764810defe9525ae7b4f9898249b83a23094cee63fa0c3b" - logic_hash = "v1_sha256_021a56dd47d9929e71b82b00d24aa8969a31945681dcf414c69b8d175fb0b6eb" + logic_hash = "021a56dd47d9929e71b82b00d24aa8969a31945681dcf414c69b8d175fb0b6eb" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -91105,7 +91105,7 @@ rule ELASTIC_Windows_Vulndriver_Mtcbsv_7F6D642E : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_MtcBsv.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ff803017d1acafde6149fe7d463aee23b1c4f6f3b97c698c05f3ca6f07e4df6c" - logic_hash = "v1_sha256_dfd53a2b97ad722307561fc5f109dcba372bf600113786bb351ed1262fdc8556" + logic_hash = "dfd53a2b97ad722307561fc5f109dcba372bf600113786bb351ed1262fdc8556" score = 75 quality = 75 tags = "FILE" @@ -91136,7 +91136,7 @@ rule ELASTIC_Macos_Trojan_Genieo_5E0F8980 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Genieo.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6c698bac178892dfe03624905256a7d9abe468121163d7507cade48cf2131170" - logic_hash = "v1_sha256_76b725f6ae5755bb00d384ef2ae1511789487257d8bb7cb61b893226f03a803e" + logic_hash = "76b725f6ae5755bb00d384ef2ae1511789487257d8bb7cb61b893226f03a803e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91165,7 +91165,7 @@ rule ELASTIC_Macos_Trojan_Genieo_37878473 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Genieo.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0fadd926f8d763f7f15e64f857e77f44a492dcf5dc82ae965d3ddf80cd9c7a0d" - logic_hash = "v1_sha256_bb04ae4e0a98e0dbd0c0708d5e767306e38edf76de2671523f4bd43cbcbfefc2" + logic_hash = "bb04ae4e0a98e0dbd0c0708d5e767306e38edf76de2671523f4bd43cbcbfefc2" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -91194,7 +91194,7 @@ rule ELASTIC_Macos_Trojan_Genieo_0D003634 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Genieo.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bcd391b58338efec4769e876bd510d0c4b156a7830bab56c3b56585974435d70" - logic_hash = "v1_sha256_0412f88408fb14d1126ef091d0a5cc0ee2b2e39aeb241bef55208b59830ca993" + logic_hash = "0412f88408fb14d1126ef091d0a5cc0ee2b2e39aeb241bef55208b59830ca993" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -91223,7 +91223,7 @@ rule ELASTIC_Macos_Trojan_Genieo_9E178C0B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Genieo.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b7760e73195c3ea8566f3ff0427d85d6f35c6eec7ee9184f3aceab06da8845d8" - logic_hash = "v1_sha256_212f96ca964aceeb80c6d3282d488cfbb74aeffb9c0c9dd840a3a28f9bbdcbea" + logic_hash = "212f96ca964aceeb80c6d3282d488cfbb74aeffb9c0c9dd840a3a28f9bbdcbea" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -91252,7 +91252,7 @@ rule ELASTIC_Windows_Trojan_Njrat_30F3C220 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Njrat.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b" - logic_hash = "v1_sha256_76347165829415646f943bb984cd17ca138cf238d03f114c498dbcec081d5ae3" + logic_hash = "76347165829415646f943bb984cd17ca138cf238d03f114c498dbcec081d5ae3" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91286,7 +91286,7 @@ rule ELASTIC_Windows_Trojan_Njrat_Eb2698D2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Njrat.yar#L26-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d537397bc41f0a1cb964fa7be6658add5fe58d929ac91500fc7770c116d49608" - logic_hash = "v1_sha256_c32a641f2d639f56a8137b3e0d0be3261fba30084eeba9d1205974713413af9f" + logic_hash = "c32a641f2d639f56a8137b3e0d0be3261fba30084eeba9d1205974713413af9f" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -91315,7 +91315,7 @@ rule ELASTIC_Windows_Trojan_Blackwood_2B94Bce9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Blackwood.yar#L1-L26" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c37dd77f659059da7e12e13b063036ee69097a4d2f88c170832fff78f3788991" - logic_hash = "v1_sha256_279e85ce3bb974ce5af541e7307cb2fd1031f36c9da013756883172a765b0e19" + logic_hash = "279e85ce3bb974ce5af541e7307cb2fd1031f36c9da013756883172a765b0e19" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91350,7 +91350,7 @@ rule ELASTIC_Macos_Virus_Vsearch_0Dd3Ec6F : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Virus_Vsearch.yar#L1-L18" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_17a467b000117ea6c39fbd40b502ac9c7d59a97408c2cdfb09c65b2bb09924e5" + logic_hash = "17a467b000117ea6c39fbd40b502ac9c7d59a97408c2cdfb09c65b2bb09924e5" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91378,7 +91378,7 @@ rule ELASTIC_Macos_Virus_Vsearch_2A0419F8 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Virus_Vsearch.yar#L20-L37" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_fa9b811465e435bff5bc0f149ff65f57932c94f548a5ece4ec54ba775cdbb55a" + logic_hash = "fa9b811465e435bff5bc0f149ff65f57932c94f548a5ece4ec54ba775cdbb55a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -91407,7 +91407,7 @@ rule ELASTIC_Windows_Wiper_Doublezero_65Ec0C50 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Wiper_DoubleZero.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe" - logic_hash = "v1_sha256_bce33817d99f71b9d087ea079ef8db08b496315b72cf9d1cf6f0b107a604e52c" + logic_hash = "bce33817d99f71b9d087ea079ef8db08b496315b72cf9d1cf6f0b107a604e52c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -91439,7 +91439,7 @@ rule ELASTIC_Linux_Trojan_Ladvix_Db41F9D2 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ladvix.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_81642b4ff1b6488098f019c5e992fc942916bc6eb593006cf91e878ac41509d6"
+ logic_hash = "81642b4ff1b6488098f019c5e992fc942916bc6eb593006cf91e878ac41509d6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91468,7 +91468,7 @@ rule ELASTIC_Linux_Trojan_Ladvix_77D184Fd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ladvix.yar#L20-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1bb44b567b3c82f7ee0e08b16f7326d1af57efe77d608a96b2df43aab5faa9f7"
- logic_hash = "v1_sha256_0ae9c41d3eb7964344f71b9708278a0e83776228e4455cf0ad7c08e288305203"
+ logic_hash = "0ae9c41d3eb7964344f71b9708278a0e83776228e4455cf0ad7c08e288305203"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91497,7 +91497,7 @@ rule ELASTIC_Linux_Trojan_Ladvix_C9888Edb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ladvix.yar#L40-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1d798e9f15645de89d73e2c9d142189d2eaf81f94ecf247876b0b865be081dca"
- logic_hash = "v1_sha256_608f2340b0ee4b843933d8137aa0908583a6de477e6c472fb4bd2e5bb62dfb80"
+ logic_hash = "608f2340b0ee4b843933d8137aa0908583a6de477e6c472fb4bd2e5bb62dfb80"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91525,7 +91525,7 @@ rule ELASTIC_Linux_Trojan_Ladvix_81Fccd74 : FILE MEMORY
 reference = "2a183f613fca5ec30dfd82c9abf72ab88a2c57d2dd6f6483375913f81aa1c5af"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ladvix.yar#L60-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_18f7ca953d22f02c1dbf03595a19b66ea582d2c1623f0042dcf15f86556ca41e"
+ logic_hash = "18f7ca953d22f02c1dbf03595a19b66ea582d2c1623f0042dcf15f86556ca41e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91553,7 +91553,7 @@ rule ELASTIC_Windows_Trojan_Backoff_22798F00 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Backoff.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_65b5aff18a4e0bc29d7cc4cfbe2d5882f99a855727fe467b2ba2e2851c43d21b"
+ logic_hash = "65b5aff18a4e0bc29d7cc4cfbe2d5882f99a855727fe467b2ba2e2851c43d21b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91587,7 +91587,7 @@ rule ELASTIC_Windows_Vulndriver_Gvci_F5A35359 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Gvci.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f"
- logic_hash = "v1_sha256_beb0c324358a016e708dae30a222373113a7eab8e3d90dfa1bbde6c2f7874362"
+ logic_hash = "beb0c324358a016e708dae30a222373113a7eab8e3d90dfa1bbde6c2f7874362"
 score = 75
 quality = 75
 tags = "FILE"
@@ -91616,7 +91616,7 @@ rule ELASTIC_Linux_Trojan_Psybnc_563Ecb11 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Psybnc.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f77216b169e8d12f22ef84e625159f3a51346c2b6777a1fcfb71268d17b06d39"
- logic_hash = "v1_sha256_b93e6ab097ccd4c348d228a48df098594e560e62256bfe019669ca9488221214"
+ logic_hash = "b93e6ab097ccd4c348d228a48df098594e560e62256bfe019669ca9488221214"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91645,7 +91645,7 @@ rule ELASTIC_Linux_Trojan_Psybnc_Ab3396D5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Psybnc.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c5ec84e7cc891af25d6319abb07b1cedd90b04cbb6c8656c60bcb07e60f0b620"
- logic_hash = "v1_sha256_8c083f66fc252a88395bb954a67d710d64f5b68efb9df4b60b260302874b400a"
+ logic_hash = "8c083f66fc252a88395bb954a67d710d64f5b68efb9df4b60b260302874b400a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91674,7 +91674,7 @@ rule ELASTIC_Linux_Trojan_Psybnc_F07357F1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Psybnc.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f77216b169e8d12f22ef84e625159f3a51346c2b6777a1fcfb71268d17b06d39"
- logic_hash = "v1_sha256_cfe217fe108de787600d1ef06ac6738d84aedfc46e5632143692a9f83cb62df7"
+ logic_hash = "cfe217fe108de787600d1ef06ac6738d84aedfc46e5632143692a9f83cb62df7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91703,7 +91703,7 @@ rule ELASTIC_Linux_Exploit_Alie_E69De1Ee : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Alie.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "882839549f062ab4cbe6df91336ed320eaf6c2300fc2ed64d1877426a0da567d"
- logic_hash = "v1_sha256_bb4625751c924b9ff5d32cc044fcff68892e82d9e94d679c4e4c8286f680a854"
+ logic_hash = "bb4625751c924b9ff5d32cc044fcff68892e82d9e94d679c4e4c8286f680a854"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91732,7 +91732,7 @@ rule ELASTIC_Linux_Trojan_Springtail_35D5B90B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Springtail.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213"
- logic_hash = "v1_sha256_7158e60aedfde884d9ee01457abfe6d9b6b1df9cdc1c415231d98429866eaa6c"
+ logic_hash = "7158e60aedfde884d9ee01457abfe6d9b6b1df9cdc1c415231d98429866eaa6c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91767,7 +91767,7 @@ rule ELASTIC_Windows_Trojan_Solarmarker_D466E548 : FILE MEMORY
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "330f5067c93041821be4e7097cf32fb569e2e1d00e952156c9aafcddb847b873"
 hash = "e2a620e76352fa7ac58407a711821da52093d97d12293ae93d813163c58eb84b"
- logic_hash = "v1_sha256_c0792bc3c1a2f01ff4b8d0a12c95a74491c2805c876f95a26bbeaabecdff70e9"
+ logic_hash = "c0792bc3c1a2f01ff4b8d0a12c95a74491c2805c876f95a26bbeaabecdff70e9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91796,7 +91796,7 @@ rule ELASTIC_Windows_Trojan_Solarmarker_08Bfc26B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SolarMarker.yar#L22-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c1a6d2d78cc50f080f1fe4cadc6043027bf201d194f2b73625ce3664433a3966"
- logic_hash = "v1_sha256_b31b9f8460b606426c1101eba39a41a75c7ecaafc62388a6a5ac0f24057561ed"
+ logic_hash = "b31b9f8460b606426c1101eba39a41a75c7ecaafc62388a6a5ac0f24057561ed"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91827,7 +91827,7 @@ rule ELASTIC_Windows_Trojan_Nighthawk_9F3A5Abb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Nighthawk.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94"
- logic_hash = "v1_sha256_27a34e48141fe260c16c12a2652e440d2540ca5f0c84b41c9c4762dcab44ffd4"
+ logic_hash = "27a34e48141fe260c16c12a2652e440d2540ca5f0c84b41c9c4762dcab44ffd4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91863,7 +91863,7 @@ rule ELASTIC_Windows_Trojan_Nighthawk_2A2E3B9D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Nighthawk.yar#L28-L47"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf"
- logic_hash = "v1_sha256_c42605ebba900fafb4ec2d34d93bb7adb69e731ce151b82a95889dd0d738da00"
+ logic_hash = "c42605ebba900fafb4ec2d34d93bb7adb69e731ce151b82a95889dd0d738da00"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91893,7 +91893,7 @@ rule ELASTIC_Windows_Trojan_Nighthawk_23489175 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Nighthawk.yar#L49-L74"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "697742d5dd071add40b700022fd30424cb231ffde223d21bd83a44890e06762f"
- logic_hash = "v1_sha256_be41fc53f7098ca3cf718e8066a488196423ede993466c9a24ad2af387e03b24"
+ logic_hash = "be41fc53f7098ca3cf718e8066a488196423ede993466c9a24ad2af387e03b24"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91929,7 +91929,7 @@ rule ELASTIC_Windows_Infostealer_Phemedronestealer_Bed8Ea8A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Infostealer_PhemedroneStealer.yar#L1-L30"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "38279fdad25c7972be9426cadb5ad5e3ee7e9761b0a41ed617945cb9a3713702"
- logic_hash = "v1_sha256_88fc33abfe6c7a611aa0c354645b06e9e74121ffc9a5acd20b4d3a59287489d6"
+ logic_hash = "88fc33abfe6c7a611aa0c354645b06e9e74121ffc9a5acd20b4d3a59287489d6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -91968,7 +91968,7 @@ rule ELASTIC_Windows_Ransomware_Bitpaymer_D74273B3 : BETA FILE MEMORY
 reference = "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Bitpaymer.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_126246689b28e92ed10bfa6165f06ff7d4f0e062de7c58b821eaaf5e3cae9306"
+ logic_hash = "126246689b28e92ed10bfa6165f06ff7d4f0e062de7c58b821eaaf5e3cae9306"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -91997,7 +91997,7 @@ rule ELASTIC_Windows_Ransomware_Bitpaymer_Bca25Ac6 : BETA FILE MEMORY
 reference = "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Bitpaymer.yar#L22-L48"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7670f9dafacc8fc5998c1974af66ede388c0997545da067648fec4fd053f0001"
+ logic_hash = "7670f9dafacc8fc5998c1974af66ede388c0997545da067648fec4fd053f0001"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -92033,7 +92033,7 @@ rule ELASTIC_Macos_Infostealer_Mdquerytoken_1C52D574 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Infostealer_MdQueryToken.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_ede29154aae99bb67075e21acb694b089f9a1b366a4e2505cb761142393994a8"
+ logic_hash = "ede29154aae99bb67075e21acb694b089f9a1b366a4e2505cb761142393994a8"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -92063,7 +92063,7 @@ rule ELASTIC_Macos_Virus_Pirrit_271B8Ed0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Virus_Pirrit.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7feda05d41b09c06a08c167c7f4dde597ac775c54bf0d74a82aa533644035177"
- logic_hash = "v1_sha256_cb77f6df1403afbc7f45d30551559b6de7eb1c3434778b46d31754da0a1b1f10"
+ logic_hash = "cb77f6df1403afbc7f45d30551559b6de7eb1c3434778b46d31754da0a1b1f10"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92092,7 +92092,7 @@ rule ELASTIC_Windows_Hacktool_Sharpchromium_41Ce5080 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpChromium.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9dd65aa53728d51f0f3b9aaf51a24f8a2c3f84b4a4024245575975cf9ad7f2e5"
- logic_hash = "v1_sha256_50972a6e6af1d7076243320fb6559193e0c46ac1300aa62d12390fdeb2fffdcd"
+ logic_hash = "50972a6e6af1d7076243320fb6559193e0c46ac1300aa62d12390fdeb2fffdcd"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -92125,7 +92125,7 @@ rule ELASTIC_Windows_Trojan_Pingpull_09Dd9559 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Pingpull.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761"
- logic_hash = "v1_sha256_114674b1a9acfc7643138d3b07885343a50c9d319b8d22a6ef34e916685c4469"
+ logic_hash = "114674b1a9acfc7643138d3b07885343a50c9d319b8d22a6ef34e916685c4469"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92160,7 +92160,7 @@ rule ELASTIC_Windows_Trojan_Privateloader_96Ac2734 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PrivateLoader.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "077225467638a420cf29fb9b3f0241416dcb9ed5d4ba32fdcf2bf28f095740bb"
- logic_hash = "v1_sha256_9f96f1c54853866e124d0996504e6efd3d154111390617999cc10520d7f68fe6"
+ logic_hash = "9f96f1c54853866e124d0996504e6efd3d154111390617999cc10520d7f68fe6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92192,7 +92192,7 @@ rule ELASTIC_Linux_Virus_Thebe_1Eb5985A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Virus_Thebe.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "30af289be070f4e0f8761f04fb44193a037ec1aab9cc029343a1a1f2a8d67670"
- logic_hash = "v1_sha256_7d4bc4b1615048dec1f1fac599afa667e06ccb369bb1242b25887e0ce2a5066a"
+ logic_hash = "7d4bc4b1615048dec1f1fac599afa667e06ccb369bb1242b25887e0ce2a5066a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92221,7 +92221,7 @@ rule ELASTIC_Windows_Trojan_Onlylogger_B9E88336 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_OnlyLogger.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "69876ee4d89ba68ee86f1a4eaf0a7cb51a012752e14c952a177cd5ffd8190986"
- logic_hash = "v1_sha256_b8d1c4c1e33fc0b54a62f82b8f53c9a1b051ad8c2f578d2a43f504158d1d9247"
+ logic_hash = "b8d1c4c1e33fc0b54a62f82b8f53c9a1b051ad8c2f578d2a43f504158d1d9247"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92253,7 +92253,7 @@ rule ELASTIC_Windows_Trojan_Onlylogger_Ec14D5F2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_OnlyLogger.yar#L24-L46"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f45adcc2aad5c0fd900df4521f404bc9ca71b01e3378a5490f5ae2f0c711912e"
- logic_hash = "v1_sha256_2838851a5e013705b64625801d2ab1d56cfc17c52f75a5fd71448cb0a4b4b683"
+ logic_hash = "2838851a5e013705b64625801d2ab1d56cfc17c52f75a5fd71448cb0a4b4b683"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92286,7 +92286,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_01365E46 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5c450d4be39caef1d9ec943f5dfeb6517047175fec166a52970c08cd1558e172"
- logic_hash = "v1_sha256_4d61de2cb37e12f62326c1717f6ed44554f5d2aa7ede6033d0c988e5e64df54d"
+ logic_hash = "4d61de2cb37e12f62326c1717f6ed44554f5d2aa7ede6033d0c988e5e64df54d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92314,7 +92314,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_06Fd4Ac4 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_bde387f1e22d1399fb99f6d41732a37635d8e90f29626f2995914a073a7cac89"
+ logic_hash = "bde387f1e22d1399fb99f6d41732a37635d8e90f29626f2995914a073a7cac89"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92343,7 +92343,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Ce4305D1 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L41-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c547114475383e5d84f6b8cb72585ddd5778ae3afa491deddeef8a5ec56be1b5"
+ logic_hash = "c547114475383e5d84f6b8cb72585ddd5778ae3afa491deddeef8a5ec56be1b5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92371,7 +92371,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_1E56Fad7 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L60-L77"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_815b37804f79fb4607e6b84294882d818233c3df13aececb3d341244900a2e44"
+ logic_hash = "815b37804f79fb4607e6b84294882d818233c3df13aececb3d341244900a2e44"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92399,7 +92399,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_93C9A2A4 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L79-L96"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_dadeeba6147b118b80e014ab067eac7a2c3c2990958a6c7016562d8b64fef53c"
+ logic_hash = "dadeeba6147b118b80e014ab067eac7a2c3c2990958a6c7016562d8b64fef53c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92427,7 +92427,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_5340Afa3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L98-L115"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8b9d3c978f0c4a04ee5b3446b990172206b17496036bc1cc04180ea7e9b99734"
+ logic_hash = "8b9d3c978f0c4a04ee5b3446b990172206b17496036bc1cc04180ea7e9b99734"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92455,7 +92455,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_E7932501 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L117-L134"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_f82704a408a0cf1def2a5926dc4c02fa56afea1422c88ba41af50d44c60edb07"
+ logic_hash = "f82704a408a0cf1def2a5926dc4c02fa56afea1422c88ba41af50d44c60edb07"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92483,7 +92483,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Cd0868D5 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L136-L153"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_053a99e5e722fd2aa1cae96266cc344954f9c3a12d0851fa9d5e95a6420651f4"
+ logic_hash = "053a99e5e722fd2aa1cae96266cc344954f9c3a12d0851fa9d5e95a6420651f4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92511,7 +92511,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_515504E2 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L155-L172"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_5410068e09de4a1283f98f6364ddf243373e228ba060b00699db6323f1167684"
+ logic_hash = "5410068e09de4a1283f98f6364ddf243373e228ba060b00699db6323f1167684"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92539,7 +92539,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_A0Fc8F35 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L174-L191"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7ab2b45ddfc1d7fa409a6ea3dfd8d4940e1bdf3fc0cb6c7e8d49c60e7bda5b1b"
+ logic_hash = "7ab2b45ddfc1d7fa409a6ea3dfd8d4940e1bdf3fc0cb6c7e8d49c60e7bda5b1b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92567,7 +92567,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Cb95Dc06 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L193-L210"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_563b2311d37ace2d09601a70325352db3fcbf135e7ce518965f5410081b5d626"
+ logic_hash = "563b2311d37ace2d09601a70325352db3fcbf135e7ce518965f5410081b5d626"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92595,7 +92595,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_9D4D3Fa4 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L212-L229"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7c3c9917a95248fd990b6947a0304ded473bf1bcceec8f4498a7955e879d348b"
+ logic_hash = "7c3c9917a95248fd990b6947a0304ded473bf1bcceec8f4498a7955e879d348b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92623,7 +92623,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_34F00046 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L231-L248"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_f9d646645d6726e3aac5cc3eaea9edf1c89c7e743aff7cfa73998a72f3446711"
+ logic_hash = "f9d646645d6726e3aac5cc3eaea9edf1c89c7e743aff7cfa73998a72f3446711"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92651,7 +92651,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_F2A18B09 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L250-L267"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c4c4b0b1df1e8fde87284fb27d46e917c47b479a675fec60faeca6185511907d"
+ logic_hash = "c4c4b0b1df1e8fde87284fb27d46e917c47b479a675fec60faeca6185511907d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92679,7 +92679,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_D916Ae65 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L269-L286"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e0aafe498cd9f0e8addfef78027943a754ca797aafae0cb40f1c6425de501339"
+ logic_hash = "e0aafe498cd9f0e8addfef78027943a754ca797aafae0cb40f1c6425de501339"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92707,7 +92707,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_52722678 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L288-L305"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_6340171fdde68b32de480f1f410aa4c491a8fffa7c1f699bf5fa72a12ecb77b8"
+ logic_hash = "6340171fdde68b32de480f1f410aa4c491a8fffa7c1f699bf5fa72a12ecb77b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92735,7 +92735,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_28A60148 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L307-L324"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_20a26ed3f0da3a77867597494bf0069a2093ec19b1c5e179c0e7934c1b69d4b9"
+ logic_hash = "20a26ed3f0da3a77867597494bf0069a2093ec19b1c5e179c0e7934c1b69d4b9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92763,7 +92763,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_997B25A0 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L326-L343"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_ca688086c4628c64c32a99083d620bcb5373e3100d154331451a3e9f86081aca"
+ logic_hash = "ca688086c4628c64c32a99083d620bcb5373e3100d154331451a3e9f86081aca"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92791,7 +92791,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_B17B33A1 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L345-L362"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7fa69674d1e985bafe310597f23ae80113136768141f0a1931baf88b2509e6ef"
+ logic_hash = "7fa69674d1e985bafe310597f23ae80113136768141f0a1931baf88b2509e6ef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92820,7 +92820,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_23D77Ae5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L364-L396"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "844974a2d3266e1f9ba275520c0e8a5d176df69a0ccd5135b99facf798a5d209"
- logic_hash = "v1_sha256_e5f5cf854ebd0e25fffbd6796217f22223a06937e1cacb33baa105ac41731256"
+ logic_hash = "e5f5cf854ebd0e25fffbd6796217f22223a06937e1cacb33baa105ac41731256"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -92863,7 +92863,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_5574Be7D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L398-L432"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8c5c0d27153f60ef8aec57def2f88e3d5f9a7385b5e8b8177bab55fa7fac7b18"
- logic_hash = "v1_sha256_ed0fc98c5d628ce38b923e1410eaf7a4a65ecffea42bed35314e30c99a52219b"
+ logic_hash = "ed0fc98c5d628ce38b923e1410eaf7a4a65ecffea42bed35314e30c99a52219b"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -92908,7 +92908,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_1473F0B4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L434-L459"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9cfb441eb5c60ab1c90b58d4878543ee554ada2cceee98d6b867e73490d30fec"
- logic_hash = "v1_sha256_dc13625e58c029c60b8670f8e63cd7786bf3e9705c462f3cbbf5b39e7c02f9a1"
+ logic_hash = "dc13625e58c029c60b8670f8e63cd7786bf3e9705c462f3cbbf5b39e7c02f9a1"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -92944,7 +92944,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Dcf25Dde : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L461-L502"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ba2a255671d33677cab8d93531eb25c0b1f1ac3e3085b95365a017463662d787"
- logic_hash = "v1_sha256_64d15d92faf0919a8fa1ce6772750cde47eaa24b09cf4243393777334bad9712"
+ logic_hash = "64d15d92faf0919a8fa1ce6772750cde47eaa24b09cf4243393777334bad9712"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -92996,7 +92996,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_46Dc12Dd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L504-L528"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bf38a787aee5afdcab00b95ccdf036bc7f91f07151b4444b54165bb70d649ce5"
- logic_hash = "v1_sha256_e01209a83f4743cbad7dda01595c053277868bd47208e48214b557ae339b5b3c"
+ logic_hash = "e01209a83f4743cbad7dda01595c053277868bd47208e48214b557ae339b5b3c"
 score = 50
 quality = 75
 tags = "FILE, MEMORY"
@@ -93031,7 +93031,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_78A26074 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L530-L564"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8cd75fa8650ebcf0a6200283e474a081cc0be57307e54909ee15f4d04621dde0"
- logic_hash = "v1_sha256_3837c22f7f9d55f03cb0bc1336798f0e2a91549c187b9f5136491cbafd26ce6e"
+ logic_hash = "3837c22f7f9d55f03cb0bc1336798f0e2a91549c187b9f5136491cbafd26ce6e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93076,7 +93076,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_217B9C97 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L566-L601"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1e90a73793017720c9a020069ed1c87879174c19c3b619e5b78db8220a63e9b7"
- logic_hash = "v1_sha256_9b2b8a8154d4aba06029fd35d896331449f7baa961f183fb0cb47e890610ff99"
+ logic_hash = "9b2b8a8154d4aba06029fd35d896331449f7baa961f183fb0cb47e890610ff99"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -93122,7 +93122,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_D2110921 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L603-L632"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "05ef40f7745db836de735ac73d6101406e1d9e58c6b5f5322254eb75b98d236a"
- logic_hash = "v1_sha256_39ef17836f29c358f596e0047d582b5f1d1af523c8f6354ac8a783eda9969554"
+ logic_hash = "39ef17836f29c358f596e0047d582b5f1d1af523c8f6354ac8a783eda9969554"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93162,7 +93162,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_0114D469 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L634-L667"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "083cb35a7064aa5589efc544ac1ed1b04ec0f89f0e60383fcb1b02b63f4117e9"
- logic_hash = "v1_sha256_6ca8e73f758d3fa956fe53cc83abb43806359f93df05c42a58e2f394a1a3c117"
+ logic_hash = "6ca8e73f758d3fa956fe53cc83abb43806359f93df05c42a58e2f394a1a3c117"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93206,7 +93206,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_07239Dad : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L669-L703"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dbd534f2b5739f89e99782563062169289f23aa335639a9552173bedc98bb834"
- logic_hash = "v1_sha256_231592d1a45798de6d22c922626ca28ef4019bae95d552a0f2822823d8dec384"
+ logic_hash = "231592d1a45798de6d22c922626ca28ef4019bae95d552a0f2822823d8dec384"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93251,7 +93251,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Fd7A39Af : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L705-L739"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d5bb8d94b71d475b5eb9bb4235a428563f4104ea49f11ef02c8a08d2e859fd68"
- logic_hash = "v1_sha256_15cb286504e6167c78e194488555f565965a03e7714fe16692a115df26985a01"
+ logic_hash = "15cb286504e6167c78e194488555f565965a03e7714fe16692a115df26985a01"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -93296,7 +93296,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_2D89E9Cd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L741-L785"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3963649ebfabe8f6277190be4300ecdb68d4b497ac5f81f38231d3e6c862a0a8"
- logic_hash = "v1_sha256_c15833687c2aed55aae0bb5de83c088cb66edeb4ad1964543522f5477c1f1942"
+ logic_hash = "c15833687c2aed55aae0bb5de83c088cb66edeb4ad1964543522f5477c1f1942"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -93351,7 +93351,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_32930807 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L787-L808"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e999b83629355ec7ff3b6fda465ef53ce6992c9327344fbf124f7eb37808389d"
- logic_hash = "v1_sha256_e98503696bd72cab4d0d1633991bdb87c0537fd1e2d95507ccd474125328f318"
+ logic_hash = "e98503696bd72cab4d0d1633991bdb87c0537fd1e2d95507ccd474125328f318"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93383,7 +93383,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_618B27D2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L810-L843"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d3ec8f4a46b21fb189fc3d58f3d87bf9897653ecdf90b7952dcc71f3b4023b4e"
- logic_hash = "v1_sha256_e66a9dd7efdbff8b9e30119d0e99187e3dfa4ca1c1bc1ade0f8f1003d10e2620"
+ logic_hash = "e66a9dd7efdbff8b9e30119d0e99187e3dfa4ca1c1bc1ade0f8f1003d10e2620"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93427,7 +93427,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_6Eb31E7B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L845-L872"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3e3d82ea4764b117b71119e7c2eecf46b7c2126617eafccdfc6e96e13da973b1"
- logic_hash = "v1_sha256_5b6902c8644c79bd183725f0e41bf2f7ae425bf0eb1dddea6fd1a38b77f176ba"
+ logic_hash = "5b6902c8644c79bd183725f0e41bf2f7ae425bf0eb1dddea6fd1a38b77f176ba"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93465,7 +93465,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_91516Cf4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L874-L896"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6cd0d4666553fd7184895502d48c960294307d57be722ebb2188b004fc1a8066"
- logic_hash = "v1_sha256_6c0bdd6827bebb337c0012cdb6e931cd96ce2ad61f3764f288b96ff049b2d007"
+ logic_hash = "6c0bdd6827bebb337c0012cdb6e931cd96ce2ad61f3764f288b96ff049b2d007"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93498,7 +93498,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_Be718Af9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L898-L921"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c1f1bc58456cff7413d7234e348d47a8acfdc9d019ae7a4aba1afc1b3ed55ffa"
- logic_hash = "v1_sha256_d020f7d1637fc4ee3246e97c9acae0be1782e688154bd109f53f807211beebd7"
+ logic_hash = "d020f7d1637fc4ee3246e97c9acae0be1782e688154bd109f53f807211beebd7"
 score = 75
 quality = 25
 tags = "FILE, MEMORY"
@@ -93532,7 +93532,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_F8Dac4Bc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L923-L954"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "13d102d546b9384f944f2a520ba32fb5606182bed45a8bba681e4374d7e5e322"
- logic_hash = "v1_sha256_d4536aac0ee402abcb87826e45c892d6f39562bc1e39b72ae8880dc077f230d9"
+ logic_hash = "d4536aac0ee402abcb87826e45c892d6f39562bc1e39b72ae8880dc077f230d9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93574,7 +93574,7 @@ rule ELASTIC_Windows_Trojan_Trickbot_9C0Fa8Fe : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Trickbot.yar#L956-L974"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f528c3ea7138df7c661d88fafe56d118b6ee1d639868212378232ca09dc9bfad"
- logic_hash = "v1_sha256_23aebc3139c34ecd609db7920fa0d5e194173409e1862555e4c468dad6c46299"
+ logic_hash = "23aebc3139c34ecd609db7920fa0d5e194173409e1862555e4c468dad6c46299"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93603,7 +93603,7 @@ rule ELASTIC_Linux_Exploit_Cornelgen_584A227A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Cornelgen.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c823cb669f1d6cb9258d6f0b187609c226af23396f9c5be26eb479e5722a9d97"
- logic_hash = "v1_sha256_db3b6bbab48074449ae8b404f8fa77d93cde1ab8e57bd4ad981ac2afb8226494"
+ logic_hash = "db3b6bbab48074449ae8b404f8fa77d93cde1ab8e57bd4ad981ac2afb8226494"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93632,7 +93632,7 @@ rule ELASTIC_Linux_Exploit_Cornelgen_Be0Bc02D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Cornelgen.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "24c0ba8ad4f543f9b0aff0d0b66537137bc78606b47ced9b6d08039bbae78d80"
- logic_hash = "v1_sha256_67c4f2d875f233b52fcbc24d9225c51af4dc09c27ce3915f0d756202bd4e5867"
+ logic_hash = "67c4f2d875f233b52fcbc24d9225c51af4dc09c27ce3915f0d756202bd4e5867"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93661,7 +93661,7 @@ rule ELASTIC_Linux_Exploit_Cornelgen_03Ee53D3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Cornelgen.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "711eafd09d4e5433be142d54db153993ee55b6c53779d8ec7e76ca534b4f81a5"
- logic_hash = "v1_sha256_e7d9c66621ad3c56f3bb8150c17b10495053d9485b2143750aeefd3c55ab7943"
+ logic_hash = "e7d9c66621ad3c56f3bb8150c17b10495053d9485b2143750aeefd3c55ab7943"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93690,7 +93690,7 @@ rule ELASTIC_Windows_Trojan_Siestagraph_8C36Ddc1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SiestaGraph.yar#L1-L28"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "50c2f1bb99d742d8ae0ad7c049362b0e62d2d219b610dcf25ba50c303ccfef54"
- logic_hash = "v1_sha256_17ce8090b88100f00c07df0599cd51dc7682f4c43de989ce58621df97eca42fb"
+ logic_hash = "17ce8090b88100f00c07df0599cd51dc7682f4c43de989ce58621df97eca42fb"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -93727,7 +93727,7 @@ rule ELASTIC_Windows_Trojan_Siestagraph_Ad3Fe5C6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SiestaGraph.yar#L30-L56"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb"
- logic_hash = "v1_sha256_b625221b77803c2c052db09c90a76666cf9e0ae34cb0d59ae303e890e646e94b"
+ logic_hash = "b625221b77803c2c052db09c90a76666cf9e0ae34cb0d59ae303e890e646e94b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93763,7 +93763,7 @@ rule ELASTIC_Windows_Trojan_Siestagraph_D801Ce71 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SiestaGraph.yar#L58-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fe8f99445ad139160a47b109a8f3291eef9c6a23b4869c48d341380d608ed4cb"
- logic_hash = "v1_sha256_c2d00d64d69cb5d24d76f6c551b49aa1acef1e1bab96f7ed7facc148244a8370"
+ logic_hash = "c2d00d64d69cb5d24d76f6c551b49aa1acef1e1bab96f7ed7facc148244a8370"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93794,7 +93794,7 @@ rule ELASTIC_Windows_Hacktool_Rubeus_43F18623 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Rubeus.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b7b4691ad1cdad7663c32d07e911a03d9cc8b104f724c2825fd4957007649235"
- logic_hash = "v1_sha256_8714f30e12c0dc61c83491a71dbf9f1e9b6bc66663a8f2c069e7a7841d52cf68"
+ logic_hash = "8714f30e12c0dc61c83491a71dbf9f1e9b6bc66663a8f2c069e7a7841d52cf68"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -93831,7 +93831,7 @@ rule ELASTIC_Multi_Ransomware_Luna_8614D3D7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_Luna.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51"
- logic_hash = "v1_sha256_14e40c5b1a21ba31664ed31b04bfc4a8646b3e31f96d39e0928a3d6a50d79307"
+ logic_hash = "14e40c5b1a21ba31664ed31b04bfc4a8646b3e31f96d39e0928a3d6a50d79307"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93867,7 +93867,7 @@ rule ELASTIC_Linux_Trojan_Badbee_231Cb054 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Badbee.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "832ba859c3030e58b94398ff663ddfe27078946a83dcfc81a5ef88351d41f4e2"
- logic_hash = "v1_sha256_a1ed8f2da9b4f891a5c65d943424bb7c465f0d07e7756e292c617ce5ef14d182"
+ logic_hash = "a1ed8f2da9b4f891a5c65d943424bb7c465f0d07e7756e292c617ce5ef14d182"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93896,7 +93896,7 @@ rule ELASTIC_Windows_Vulndriver_Marvinhw_37326842 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_MarvinHW.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5"
- logic_hash = "v1_sha256_f37290912ab7d997d718c074eef48a67a36444e9e97592b6be65855ade2ba246"
+ logic_hash = "f37290912ab7d997d718c074eef48a67a36444e9e97592b6be65855ade2ba246"
 score = 50
 quality = 75
 tags = "FILE"
@@ -93928,7 +93928,7 @@ rule ELASTIC_Macos_Cryptominer_Generic_D3F68E29 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Cryptominer_Generic.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d9c78c822dfd29a1d9b1909bf95cab2a9550903e8f5f178edeb7a5a80129fbdb"
- logic_hash = "v1_sha256_cc336e536e0f8dda47f9551dfabfc50c2094fffe4a69cdcec23824dd063dede0"
+ logic_hash = "cc336e536e0f8dda47f9551dfabfc50c2094fffe4a69cdcec23824dd063dede0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -93959,7 +93959,7 @@ rule ELASTIC_Macos_Cryptominer_Generic_365Ecbb9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Cryptominer_Generic.yar#L23-L41"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e2562251058123f86c52437e82ea9ff32aae5f5227183638bc8aa2bc1b4fd9cf"
- logic_hash = "v1_sha256_66f16c8694c5cfde1b5e4eea03c530fa32a15022fa35acdbb676bb696e7deae2"
+ logic_hash = "66f16c8694c5cfde1b5e4eea03c530fa32a15022fa35acdbb676bb696e7deae2"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -93988,7 +93988,7 @@ rule ELASTIC_Macos_Cryptominer_Generic_4E7D4488 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Cryptominer_Generic.yar#L43-L61"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e2562251058123f86c52437e82ea9ff32aae5f5227183638bc8aa2bc1b4fd9cf"
- logic_hash = "v1_sha256_708b21b687c8b853a9b5f8a50d31119e4f0a02a5b63f81ba1cac8c06acd19214"
+ logic_hash = "708b21b687c8b853a9b5f8a50d31119e4f0a02a5b63f81ba1cac8c06acd19214"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -94017,7 +94017,7 @@ rule ELASTIC_Macos_Trojan_Hloader_A3945Baf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_HLoader.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1"
- logic_hash = "v1_sha256_0383485b6bbcdae210a6c949f6796023b2f7ec3f1edbd2116207fc2b75a67849"
+ logic_hash = "0383485b6bbcdae210a6c949f6796023b2f7ec3f1edbd2116207fc2b75a67849"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94048,7 +94048,7 @@ rule ELASTIC_Linux_Trojan_Banload_D5E1C189 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Banload.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "48bf0403f777db5da9c6a7eada17ad4ddf471bd73ea6cf02817dd202b49204f4"
- logic_hash = "v1_sha256_3f0bee251152a8c835a3bf71dc33c2e150705713c50ca2cfdbeb69361ed91a09"
+ logic_hash = "3f0bee251152a8c835a3bf71dc33c2e150705713c50ca2cfdbeb69361ed91a09"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94077,7 +94077,7 @@ rule ELASTIC_Linux_Exploit_Foda_F41E9Ef9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Foda.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6059a6dd039b5efa36ce97acbb01406128aaf6062429474e422624ee69783ca8"
- logic_hash = "v1_sha256_7b15fef304b91601a76c6fcf48a892105d6eedf5a3e2395ab7c2937a84709d9f"
+ logic_hash = "7b15fef304b91601a76c6fcf48a892105d6eedf5a3e2395ab7c2937a84709d9f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94106,7 +94106,7 @@ rule ELASTIC_Linux_Ransomware_Noescape_6De58E0C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_NoEscape.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "46f1a4c77896f38a387f785b2af535f8c29d40a105b63a259d295cb14d36a561"
- logic_hash = "v1_sha256_c275d0cfdadcaabe57c432956e96b4bb344d947899fa5ad55b872e02b4d44274"
+ logic_hash = "c275d0cfdadcaabe57c432956e96b4bb344d947899fa5ad55b872e02b4d44274"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94137,7 +94137,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_83715433 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3648a407224634d76e82eceec84250a7506720a7f43a6ccf5873f478408fedba"
- logic_hash = "v1_sha256_7a7328322c2c1e128e267e92de0964e78ad9f49b7de8ec69d7f0632c69723a7d"
+ logic_hash = "7a7328322c2c1e128e267e92de0964e78ad9f49b7de8ec69d7f0632c69723a7d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94165,7 +94165,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_28A2Fe0C : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L21-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_04bbc6c40cdd71b4185222a822d18b96ec8427006221f213a1c9e4d9c689ce5c"
+ logic_hash = "04bbc6c40cdd71b4185222a822d18b96ec8427006221f213a1c9e4d9c689ce5c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -94194,7 +94194,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Eb96Cc26 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L40-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "440318179ba2419cfa34ea199b49ee6bdecd076883d26329bbca6dca9d39c500"
- logic_hash = "v1_sha256_3d8740a6cca4856a73ea745877a3eb39cbf3ad4ca612daabd197f551116efa04"
+ logic_hash = "3d8740a6cca4856a73ea745877a3eb39cbf3ad4ca612daabd197f551116efa04"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94223,7 +94223,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_5008Aee6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L60-L78"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b32cd71fcfda0a2fcddad49d8c5ba8d4d68867b2ff2cb3b49d1a0e358346620c"
- logic_hash = "v1_sha256_538bae17dcf0298e379f656e1dba794b75af6c7448a23253a51994bde9d30524"
+ logic_hash = "538bae17dcf0298e379f656e1dba794b75af6c7448a23253a51994bde9d30524"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94252,7 +94252,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6321B565 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L80-L98"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cd48addd392e7912ab15a5464c710055f696990fab564f29f13121e7a5e93730"
- logic_hash = "v1_sha256_ad5c73ab68059101acf2fd8cfb3d676fd1ff58811e1c4b9008c291361ee951b8"
+ logic_hash = "ad5c73ab68059101acf2fd8cfb3d676fd1ff58811e1c4b9008c291361ee951b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94281,7 +94281,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A6A2Adb9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L100-L118"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df"
- logic_hash = "v1_sha256_8f5fc4cb1ad51178701509a44a793e119fe7e7fad97eafcac8be14fce64e3b7b"
+ logic_hash = "8f5fc4cb1ad51178701509a44a793e119fe7e7fad97eafcac8be14fce64e3b7b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94310,7 +94310,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_C573932B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L120-L138"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68"
- logic_hash = "v1_sha256_174a3fcebc1e17cc35ddc11fde1798164b5783fc51fdf16581a9690c3b4d6549"
+ logic_hash = "174a3fcebc1e17cc35ddc11fde1798164b5783fc51fdf16581a9690c3b4d6549"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94338,7 +94338,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A10161Ce : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L140-L157"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_12ba13a746300d1ab1d0386b86ec224eebf4e6d0b3688495c2fee6a7eccc361d"
+ logic_hash = "12ba13a746300d1ab1d0386b86ec224eebf4e6d0b3688495c2fee6a7eccc361d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94366,7 +94366,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Ae01D978 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L159-L176"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c6c22b11dc1f0d4996e5da92c6edf58b7d21d7be40da87ddd39ed0e2d4c84072"
+ logic_hash = "c6c22b11dc1f0d4996e5da92c6edf58b7d21d7be40da87ddd39ed0e2d4c84072"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94395,7 +94395,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9E9530A7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L178-L196"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961"
- logic_hash = "v1_sha256_6a5a80e58c86a80f8954e678a2cc26b258d7d7c50047a3e71f3580f1780e3454"
+ logic_hash = "6a5a80e58c86a80f8954e678a2cc26b258d7d7c50047a3e71f3580f1780e3454"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94424,7 +94424,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_5Bf62Ce4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L198-L216"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68"
- logic_hash = "v1_sha256_848e0c796584cfa21afc182da5f417f5467ae84c74f52cabc13e0f5de4990232"
+ logic_hash = "848e0c796584cfa21afc182da5f417f5467ae84c74f52cabc13e0f5de4990232"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94453,7 +94453,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_F3D83A74 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L218-L236"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df"
- logic_hash = "v1_sha256_2db46180e66c9268a97d63cd1c4eb8439e6882b4e3277bc4848e940e4d25482f"
+ logic_hash = "2db46180e66c9268a97d63cd1c4eb8439e6882b4e3277bc4848e940e4d25482f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94481,7 +94481,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_807911A2 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L238-L255"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_66b15304d5ed22daea666bd0e2b18726b8a058361ff8d69b974bfded933a4d8c"
+ logic_hash = "66b15304d5ed22daea666bd0e2b18726b8a058361ff8d69b974bfded933a4d8c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94509,7 +94509,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9C18716C : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L257-L274"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_0e70dc82b2049a6f5efcc501e18e6f87e04a2d50efcb5143240c68c4a924de52"
+ logic_hash = "0e70dc82b2049a6f5efcc501e18e6f87e04a2d50efcb5143240c68c4a924de52"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94538,7 +94538,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Fbed4652 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L276-L294"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2ea21358205612f5dc0d5f417c498b236c070509531621650b8c215c98c49467"
- logic_hash = "v1_sha256_fc1f501123ab7421034e183186b077f65838b475f883d4ff04e8fc8a283424ef"
+ logic_hash = "fc1f501123ab7421034e183186b077f65838b475f883d4ff04e8fc8a283424ef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94567,7 +94567,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_94A44Aa5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L296-L314"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a7694202f9c32a9d73a571a30a9e4a431d5dfd7032a500084756ba9a48055dba"
- logic_hash = "v1_sha256_deb46c2960dc4868b7bac1255d8753895950bc066dec03674a714860ff72ef2c"
+ logic_hash = "deb46c2960dc4868b7bac1255d8753895950bc066dec03674a714860ff72ef2c"
 score = 60
 quality = 45
 tags = "FILE, MEMORY"
@@ -94596,7 +94596,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E0673A90 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L316-L334"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6"
- logic_hash = "v1_sha256_149147eedd66f9ca2dad9cb69f37abc849d44331ec1b5d2917ab3867ced0b274"
+ logic_hash = "149147eedd66f9ca2dad9cb69f37abc849d44331ec1b5d2917ab3867ced0b274"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94625,7 +94625,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_821173Df : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L336-L354"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "de7d1aff222c7d474e1a42b2368885ef16317e8da1ca3a63009bf06376026163"
- logic_hash = "v1_sha256_1c6c7666983c43176aa1a9628fb4352f8f11729e02dda13669ca2e62aed5f4ee"
+ logic_hash = "1c6c7666983c43176aa1a9628fb4352f8f11729e02dda13669ca2e62aed5f4ee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94654,7 +94654,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_31796A40 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L356-L374"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "227c7f13f7bdadf6a14cc85e8d2106b9d69ab80abe6fc0056af5edef3621d4fb"
- logic_hash = "v1_sha256_0e0e901d12edd77e77a205f8547f891f483fc8676493e9b7a324e970225af3c9"
+ logic_hash = "0e0e901d12edd77e77a205f8547f891f483fc8676493e9b7a324e970225af3c9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94683,7 +94683,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_750Fe002 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L376-L394"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68"
- logic_hash = "v1_sha256_eb9907d8a63822c2e3ab57d43dca8ede7876610f029e2f9c10c9eeace9ea0078"
+ logic_hash = "eb9907d8a63822c2e3ab57d43dca8ede7876610f029e2f9c10c9eeace9ea0078"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94711,7 +94711,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6122Acdf : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L396-L413"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_140b32a8f2b7493b068e63a05b3d9baec6ec14c9f2062c7e760dde96335e29f1"
+ logic_hash = "140b32a8f2b7493b068e63a05b3d9baec6ec14c9f2062c7e760dde96335e29f1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94740,7 +94740,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A0A4De11 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L415-L433"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417"
- logic_hash = "v1_sha256_220c6ba82b906f070123b3bae9aafa72c0fb3bc8d5858a4f4bd65567076eb73d"
+ logic_hash = "220c6ba82b906f070123b3bae9aafa72c0fb3bc8d5858a4f4bd65567076eb73d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94769,7 +94769,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A473Dcb6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L435-L453"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7ba74e3cb0d633de0e8dbe6cfc49d4fc77dd0c02a5f1867cc4a1f1d575def97d"
- logic_hash = "v1_sha256_106ee9cd9c368674ae08b835f54dbb6918b553e3097aae9b0de88f55420f046b"
+ logic_hash = "106ee9cd9c368674ae08b835f54dbb6918b553e3097aae9b0de88f55420f046b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94798,7 +94798,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_30444846 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L455-L473"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c84b81d79d437bb9b8a6bad3646aef646f2a8e1f1554501139648d2f9de561da"
- logic_hash = "v1_sha256_26bc95efb2ea69fece52cf3ab38ce35891c77fc0dac3e26e5580ba3a88e112e9"
+ logic_hash = "26bc95efb2ea69fece52cf3ab38ce35891c77fc0dac3e26e5580ba3a88e112e9"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -94826,7 +94826,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Ea92Cca8 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L475-L492"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_5a9598b3fd37b15444063403a481df1a43894ddcbbd343961e1c770cb74180c9"
+ logic_hash = "5a9598b3fd37b15444063403a481df1a43894ddcbbd343961e1c770cb74180c9"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -94855,7 +94855,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D4227Dbf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L494-L512"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961"
- logic_hash = "v1_sha256_7953b8d08834315a6ca2c0c8ac1ec7b74a6ffcb71cec4fc053c24e1b59232c0c"
+ logic_hash = "7953b8d08834315a6ca2c0c8ac1ec7b74a6ffcb71cec4fc053c24e1b59232c0c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94884,7 +94884,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_09C3070E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L514-L532"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df"
- logic_hash = "v1_sha256_f8f8e8883cf1e51fbaef81b8334ac5fa45a54682d285282da62c80e4aa50a48d"
+ logic_hash = "f8f8e8883cf1e51fbaef81b8334ac5fa45a54682d285282da62c80e4aa50a48d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94913,7 +94913,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Fa19B8Fc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L534-L552"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a7cfc16ec33ec633cbdcbff3c4cefeed84d7cbe9ca1f4e2a3b3e43d39291cd6b"
- logic_hash = "v1_sha256_cddf3b9948b9bc685ff7d4c00377d0f80861169707777022297e549bd166dbf0"
+ logic_hash = "cddf3b9948b9bc685ff7d4c00377d0f80861169707777022297e549bd166dbf0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94942,7 +94942,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Eaa9A668 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L554-L572"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "409c55110d392aed1a9ec98a6598fb8da86ab415534c8754aa48e3949e7c4b62"
- logic_hash = "v1_sha256_05e9047342a9d081a09f8514f0ec32d72bc43a286035014ada90b0243f92cfa8"
+ logic_hash = "05e9047342a9d081a09f8514f0ec32d72bc43a286035014ada90b0243f92cfa8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -94971,7 +94971,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_46Eec778 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L574-L592"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9526277255a8d632355bfe54d53154c9c54a4ab75e3ba24333c73ad0ed7cadb1"
- logic_hash = "v1_sha256_08e77a31005e14a06197857301e22d20334c1f2ef7fc06a4208643438377f4c4"
+ logic_hash = "08e77a31005e14a06197857301e22d20334c1f2ef7fc06a4208643438377f4c4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95000,7 +95000,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_F51C5Ac3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L594-L612"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d"
- logic_hash = "v1_sha256_e82b5ddb760d5bdcd146e1de12ec34c4764e668543420765146e22dee6f5732b"
+ logic_hash = "e82b5ddb760d5bdcd146e1de12ec34c4764e668543420765146e22dee6f5732b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95029,7 +95029,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_71E487Ea : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L614-L632"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b8d044f2de21d20c7e4b43a2baf5d8cdb97fba95c3b99816848c0f214515295b"
- logic_hash = "v1_sha256_3de9e0e3334e9e6e5906886f95ff8ce3596f85772dc25021fb0ee148281cf81c"
+ logic_hash = "3de9e0e3334e9e6e5906886f95ff8ce3596f85772dc25021fb0ee148281cf81c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95058,7 +95058,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6620Ec67 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L634-L652"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b91eb196605c155c98f824abf8afe122f113d1fed254074117652f93d0c9d6b2"
- logic_hash = "v1_sha256_2df2c8cdc2cb545f916159d44a800708b55a2993cd54a4dcf920a6a8dc6361e7"
+ logic_hash = "2df2c8cdc2cb545f916159d44a800708b55a2993cd54a4dcf920a6a8dc6361e7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95087,7 +95087,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D996D335 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L654-L672"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda"
- logic_hash = "v1_sha256_212c75ab61eac8b3ed2049966628dfc81ae5a620b4a4b38aaa0696d594910dea"
+ logic_hash = "212c75ab61eac8b3ed2049966628dfc81ae5a620b4a4b38aaa0696d594910dea"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95115,7 +95115,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D0C57A2E : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L674-L691"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_2ac51f0943d573fdc9a39837aeefd9158c27a4b3f35fbbb0a058a88392a53c14"
+ logic_hash = "2ac51f0943d573fdc9a39837aeefd9158c27a4b3f35fbbb0a058a88392a53c14"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95143,7 +95143,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_751Acb94 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L693-L710"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_1963351d209168f4ae2268d245cfd5320e4442d00746d021088ffae98e5da454"
+ logic_hash = "1963351d209168f4ae2268d245cfd5320e4442d00746d021088ffae98e5da454"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95172,7 +95172,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_656Bf077 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L712-L730"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6"
- logic_hash = "v1_sha256_0c9728304e720eb2cd00afad8d16f309514473dece48fa94af6a72ca41705a36"
+ logic_hash = "0c9728304e720eb2cd00afad8d16f309514473dece48fa94af6a72ca41705a36"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95201,7 +95201,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E6D75E6F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L732-L750"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "48b15093f33c18778724c48c34199a420be4beb0d794e36034097806e1521eb8"
- logic_hash = "v1_sha256_339dd33a3313a4a94d2515cd4c2100ac6b9d5e0029881494c28dc3e7c8a05798"
+ logic_hash = "339dd33a3313a4a94d2515cd4c2100ac6b9d5e0029881494c28dc3e7c8a05798"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95230,7 +95230,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_7167D08F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L752-L770"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4c6aeaa6f6a0c40a3f4116a2e19e669188a8b1678a8930350889da1bab531c68"
- logic_hash = "v1_sha256_88c07bf06801192f38ef66229a0aa5c1ef6242caeb080ce1c7cd13ad0d540c82"
+ logic_hash = "88c07bf06801192f38ef66229a0aa5c1ef6242caeb080ce1c7cd13ad0d540c82"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95259,7 +95259,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_27De1106 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L772-L790"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d"
- logic_hash = "v1_sha256_4e266e1ae31d7d86866b112a04ca38c0a8185c18ebb10ac6497bbaa69f51b2fd"
+ logic_hash = "4e266e1ae31d7d86866b112a04ca38c0a8185c18ebb10ac6497bbaa69f51b2fd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95288,7 +95288,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_148B91A2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L792-L810"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d5b2bde0749ff482dc2389971e2ac76c4b1e7b887208a538d5555f0fe6984825"
- logic_hash = "v1_sha256_1a974c0882c2d088c978a52e5b535807c86f117cf2f05c40c084e849b1849f5b"
+ logic_hash = "1a974c0882c2d088c978a52e5b535807c86f117cf2f05c40c084e849b1849f5b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95317,7 +95317,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_20F5E74F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L812-L830"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9084b00f9bb71524987dc000fb2bc6f38e722e2be2832589ca4bb1671e852f5b"
- logic_hash = "v1_sha256_067f1c15961c1ddceecb490b338db9f5b8501d89b38e870edfa628d21527dc1c"
+ logic_hash = "067f1c15961c1ddceecb490b338db9f5b8501d89b38e870edfa628d21527dc1c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95346,7 +95346,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_1B2E2A3A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L832-L850"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d"
- logic_hash = "v1_sha256_6f40f868d20f0125721eb2a7934b356d69b695d4a558155a2ddcd0107d3f8c30"
+ logic_hash = "6f40f868d20f0125721eb2a7934b356d69b695d4a558155a2ddcd0107d3f8c30"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95375,7 +95375,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_620087B9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L852-L870"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961"
- logic_hash = "v1_sha256_411451ea326498a25af8be5cd43fe0b98973af354706268c89828b88ece5e497"
+ logic_hash = "411451ea326498a25af8be5cd43fe0b98973af354706268c89828b88ece5e497"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95404,7 +95404,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Dd0D6173 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L872-L890"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c5a317d0d8470814ff343ce78ad2428ebb3f036763fcf703a589b6c4d33a3ec6"
- logic_hash = "v1_sha256_7061edef1981e2b93bcdd8be47c0f6067acc140a543eed748bf0513f182e0a59"
+ logic_hash = "7061edef1981e2b93bcdd8be47c0f6067acc140a543eed748bf0513f182e0a59"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95433,7 +95433,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_779E142F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L892-L910"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df"
- logic_hash = "v1_sha256_80ba5a1cf333fafc6a1d7823ca4a8d5c30c1c07a01d6d681c22dd29e197089f1"
+ logic_hash = "80ba5a1cf333fafc6a1d7823ca4a8d5c30c1c07a01d6d681c22dd29e197089f1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95462,7 +95462,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Cf84C9F2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L912-L930"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df"
- logic_hash = "v1_sha256_9af164ece7e7e0f33dc32f18735a8f655593ae6cde34e05108f3221b71aa8676"
+ logic_hash = "9af164ece7e7e0f33dc32f18735a8f655593ae6cde34e05108f3221b71aa8676"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95490,7 +95490,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_0Cd591Cd : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L932-L949"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_4300bdd173dfb33ca34c0f2fe4fa6ee071e99d5db201262e914721aad0ad433b"
+ logic_hash = "4300bdd173dfb33ca34c0f2fe4fa6ee071e99d5db201262e914721aad0ad433b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95519,7 +95519,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_859042A0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L951-L969"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "41615d3f3f27f04669166fdee3996d77890016304ee87851a5f90804d6d4a0b0"
- logic_hash = "v1_sha256_b8daa4a136a6511472703687fe56fbca2bd005a1373802a46c8d211b6d039d75"
+ logic_hash = "b8daa4a136a6511472703687fe56fbca2bd005a1373802a46c8d211b6d039d75"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95548,7 +95548,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_33B4111A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L971-L989"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961"
- logic_hash = "v1_sha256_a08c0f7be26e2e9abfaa392712895bb3ce1d12583da4060ebe41e1a9c1491b7c"
+ logic_hash = "a08c0f7be26e2e9abfaa392712895bb3ce1d12583da4060ebe41e1a9c1491b7c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95577,7 +95577,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_4F43B164 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L991-L1009"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f0fdb3de75f85e199766bbb39722865cac578cde754afa2d2f065ef028eec788"
- logic_hash = "v1_sha256_79a17e70e9b7af6e53f62211c33355a4c46a82e7c4e80c20ffe9684e24155808"
+ logic_hash = "79a17e70e9b7af6e53f62211c33355a4c46a82e7c4e80c20ffe9684e24155808"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95605,7 +95605,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E4A1982B : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1011-L1028"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_4cd7aa205b3571cffca208e315d6311fa92a5993e2a8e40d342d6184811f42f0"
+ logic_hash = "4cd7aa205b3571cffca208e315d6311fa92a5993e2a8e40d342d6184811f42f0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95634,7 +95634,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_862C4E0E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1030-L1048"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9526277255a8d632355bfe54d53154c9c54a4ab75e3ba24333c73ad0ed7cadb1"
- logic_hash = "v1_sha256_a1dce44e76f9d2a517c4849c58dfecb07e1ef0d78fddff10af601184d636583f"
+ logic_hash = "a1dce44e76f9d2a517c4849c58dfecb07e1ef0d78fddff10af601184d636583f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95663,7 +95663,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9127F7Be : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1050-L1068"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "899c072730590003b98278bdda21c15ecaa2f49ad51e417ed59e88caf054a72d"
- logic_hash = "v1_sha256_2b1fa115598561e081dfb9b5f24f6728b0d52cb81ac7933728d81646f461bcae"
+ logic_hash = "2b1fa115598561e081dfb9b5f24f6728b0d52cb81ac7933728d81646f461bcae"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95691,7 +95691,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_0E03B7D3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1070-L1087"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_845be03fac893f8e914aabda5206000dc07947ade0b8f46cc5d58d8458f035f6"
+ logic_hash = "845be03fac893f8e914aabda5206000dc07947ade0b8f46cc5d58d8458f035f6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95720,7 +95720,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_32Eb0C81 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1089-L1107"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "275cbd5d3b3d8c521649b95122d90d1ca9b7ae1958b721bdc158aaa2d31d49df"
- logic_hash = "v1_sha256_a06d9e1190ba79b0e19cab7468f01a49359629a6feb27b7d72f3d1d52d1483d7"
+ logic_hash = "a06d9e1190ba79b0e19cab7468f01a49359629a6feb27b7d72f3d1d52d1483d7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95748,7 +95748,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9Abf7E0C : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1109-L1126"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_00276330e388d07368577c4134343cb9fc11957dba6cff5523331199f1ed04aa"
+ logic_hash = "00276330e388d07368577c4134343cb9fc11957dba6cff5523331199f1ed04aa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95777,7 +95777,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_33801844 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1128-L1146"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2ceff60e88c30c02c1c7b12a224aba1895669aad7316a40b575579275b3edbb3"
- logic_hash = "v1_sha256_20b8ebce14776e48310be099afd0dca0f28778d0024318b339b75e2689f70128"
+ logic_hash = "20b8ebce14776e48310be099afd0dca0f28778d0024318b339b75e2689f70128"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95805,7 +95805,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_A33A8363 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1148-L1165"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_3fe17dc43f07dacdad6ababf141983854b977e244c0af824fea0ab953ad70fee"
+ logic_hash = "3fe17dc43f07dacdad6ababf141983854b977e244c0af824fea0ab953ad70fee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95834,7 +95834,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_9A62845F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1167-L1185"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f67f8566beab9d7494350923aceb0e76cd28173bdf2c4256e9d45eff7fc8cb41"
- logic_hash = "v1_sha256_b3ab125c8bfb5b7a0be0e92cf5a50057e403ab3597698ec2e7a8bafa0d3a8b80"
+ logic_hash = "b3ab125c8bfb5b7a0be0e92cf5a50057e403ab3597698ec2e7a8bafa0d3a8b80"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95863,7 +95863,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_4D81Ad42 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1187-L1205"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3021a861e6f03df3e7e3919e6255bdae6e48163b9a8ba4f1a5c5dced3e3e368b"
- logic_hash = "v1_sha256_57b54eed37690949ba2d4eff713691f16f00207d7b374beb7dfa2e368588dbb0"
+ logic_hash = "57b54eed37690949ba2d4eff713691f16f00207d7b374beb7dfa2e368588dbb0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95891,7 +95891,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6A510422 : FILE MEMORY
 reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1207-L1225"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_4384536817bf5df223d4cf145892b7714f2dbd1748930b6cd43152d4e35c9e56"
+ logic_hash = "4384536817bf5df223d4cf145892b7714f2dbd1748930b6cd43152d4e35c9e56"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95919,7 +95919,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D2953F92 : FILE MEMORY
 reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1227-L1245"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d0af462d26f6ffe469c57d63f1f7d551e3fb9cc39c7e4c35b3e71f659c01c076"
+ logic_hash = "d0af462d26f6ffe469c57d63f1f7d551e3fb9cc39c7e4c35b3e71f659c01c076"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95947,7 +95947,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_6Ae4B580 : FILE MEMORY
 reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1247-L1265"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_eb0fe44df1c995c5d4e3a361c3e466f78cb70bffbc76d1b7b345ee651b313b9e"
+ logic_hash = "eb0fe44df1c995c5d4e3a361c3e466f78cb70bffbc76d1b7b345ee651b313b9e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -95975,7 +95975,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D608Cf3B : FILE MEMORY
 reference = "14cc92b99daa0c91aa09d9a7996ee5549a5cacd7be733960b2cf3681a7c2b628"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1267-L1285"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_ad5b7d32c85adc7f778a8f4815e595b90a6f15dec048bcf97c6ab179582eb4f7"
+ logic_hash = "ad5b7d32c85adc7f778a8f4815e595b90a6f15dec048bcf97c6ab179582eb4f7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96003,7 +96003,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_3F8Cf56E : FILE MEMORY
 reference = "1878f0783085cc6beb2b81cfda304ec983374264ce54b6b98a51c09aea9f750d"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1287-L1305"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_b2cf8b1913a88e6a6346f0ac8cd2e7c33b41d44bf60ff7327ae40a2d54748bd9"
+ logic_hash = "b2cf8b1913a88e6a6346f0ac8cd2e7c33b41d44bf60ff7327ae40a2d54748bd9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96031,7 +96031,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Fb14E81F : FILE MEMORY
 reference = "0fd07e6068a721774716eb4940e2c19faef02d5bdacf3b018bf5995fa98a3a27"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1307-L1325"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_2efb958c269640c374485502611372f4404cf35d7ab704d20ce37b8c1f69645d"
+ logic_hash = "2efb958c269640c374485502611372f4404cf35d7ab704d20ce37b8c1f69645d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96059,7 +96059,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_E09726Dc : FILE MEMORY
 reference = "1e64187b5e3b5fe71d34ea555ff31961404adad83f8e0bd1ce0aad056a878d73"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1327-L1345"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_ebd00e593a7fcd46e36fd0ca213e1f82c0f4a94448b6fd605d35cea45a490493"
+ logic_hash = "ebd00e593a7fcd46e36fd0ca213e1f82c0f4a94448b6fd605d35cea45a490493"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96087,7 +96087,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_Ad12B9B6 : FILE MEMORY
 reference = "f0411131acfddb40ac8069164ce2808e9c8928709898d3fb5dc88036003fe9c8"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1347-L1365"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_72a85d14eb8ab78364ea2e8b89d9409c0046b14602f4a3415d829f4985fb2de3"
+ logic_hash = "72a85d14eb8ab78364ea2e8b89d9409c0046b14602f4a3415d829f4985fb2de3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96116,7 +96116,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_0535Ebf7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1367-L1385"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "77e18bb5479b644ba01d074057c9e2bd532717f6ab3bb88ad2b7497b85d2a5de"
- logic_hash = "v1_sha256_eb574468e9d371def0da74e6aba827272181399a84388a14ffb167ec6ebd40d1"
+ logic_hash = "eb574468e9d371def0da74e6aba827272181399a84388a14ffb167ec6ebd40d1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96145,7 +96145,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_32A7Edd2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1387-L1405"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf"
- logic_hash = "v1_sha256_af26549c1cad0975735e2c233bc71e5e1b0e283d02552fdaea02656332ecd854"
+ logic_hash = "af26549c1cad0975735e2c233bc71e5e1b0e283d02552fdaea02656332ecd854"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96174,7 +96174,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_D7F35B54 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1407-L1425"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf"
- logic_hash = "v1_sha256_d827e21c09b8dce65db293aa57b39f49f034537bb708471989ad64e653c479be"
+ logic_hash = "d827e21c09b8dce65db293aa57b39f49f034537bb708471989ad64e653c479be"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96203,7 +96203,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_F11E98Be : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1427-L1445"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf"
- logic_hash = "v1_sha256_9b9122f0897610dff6b37446b3cecbfcec3dce8dc7e1934e78cc32d5f6ac9648"
+ logic_hash = "9b9122f0897610dff6b37446b3cecbfcec3dce8dc7e1934e78cc32d5f6ac9648"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96232,7 +96232,7 @@ rule ELASTIC_Linux_Trojan_Gafgyt_8D4E4F4A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Gafgyt.yar#L1447-L1465"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "79a75c8aa5aa0d1edef5965e1bcf8ba2f2a004a77833a74870b8377d7fde89cf"
- logic_hash = "v1_sha256_11ee101a936f8e6949701e840ef48a0fe102099ea3b71c790b9a5128e5c59029"
+ logic_hash = "11ee101a936f8e6949701e840ef48a0fe102099ea3b71c790b9a5128e5c59029"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96261,7 +96261,7 @@ rule ELASTIC_Linux_Exploit_Iouring_D04C1C19 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_IOUring.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "29e6a5f7b36e271219601528f3fd70831aacb8b9f05722779faa40afc97b3b60"
- logic_hash = "v1_sha256_b1d8d6090576b4b5bcd435eb69ee1dc1f1947115d38b62364cf1730a4f08d317"
+ logic_hash = "b1d8d6090576b4b5bcd435eb69ee1dc1f1947115d38b62364cf1730a4f08d317"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96291,7 +96291,7 @@ rule ELASTIC_Multi_Trojan_Mythic_4Beb7E17 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Mythic.yar#L1-L28"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7b3b7bae1763f3c73df206f97065920fa55b973d22c967acb3d26ac8e89e60c7"
+ logic_hash = "7b3b7bae1763f3c73df206f97065920fa55b973d22c967acb3d26ac8e89e60c7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96330,7 +96330,7 @@ rule ELASTIC_Multi_Trojan_Mythic_E0Ea7Ef9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Mythic.yar#L30-L61"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e091d63c8e8b0a32a3d25cffdf02419fdbec714f31e4061bafd80b1971831c5f"
- logic_hash = "v1_sha256_237307d85fe7886eb2cf351a9f7872e3e5551f05535f0b6a966a960d204aee90"
+ logic_hash = "237307d85fe7886eb2cf351a9f7872e3e5551f05535f0b6a966a960d204aee90"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96372,7 +96372,7 @@ rule ELASTIC_Multi_Trojan_Mythic_528324B4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Mythic.yar#L63-L89"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2cd883eab722a5eacbca7fa82e0eebb5f6c30cffa955abcb1ab8cf169af97202"
- logic_hash = "v1_sha256_8c85d086b30030a24fba9f519aed3fdf3c821932d71ceaecfe354fe07cd1d631"
+ logic_hash = "8c85d086b30030a24fba9f519aed3fdf3c821932d71ceaecfe354fe07cd1d631"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96409,7 +96409,7 @@ rule ELASTIC_Windows_Trojan_Hazelcobra_6A9Fe48A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_HazelCobra.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d"
- logic_hash = "v1_sha256_dc4d561497c2e3da270d305ceaf3194b48d64c0d8e212ee6f03a2d89c8e006e8"
+ logic_hash = "dc4d561497c2e3da270d305ceaf3194b48d64c0d8e212ee6f03a2d89c8e006e8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96441,7 +96441,7 @@ rule ELASTIC_Windows_Vulndriver_ATSZIO_E22Cc429 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_ATSZIO.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece"
- logic_hash = "v1_sha256_e3f057d5a5c47a1f3b4d50e2ad0ebb3a4ffe0efe513a0d375f827fadb3328d80"
+ logic_hash = "e3f057d5a5c47a1f3b4d50e2ad0ebb3a4ffe0efe513a0d375f827fadb3328d80"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96471,7 +96471,7 @@ rule ELASTIC_Linux_Ransomware_Quantum_8513Fb8B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Quantum.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3bcb9ad92fdca53195f390fc4d8d721b504b38deeda25c1189a909a7011406c9"
- logic_hash = "v1_sha256_7e24be541bafc2427ecd8f76b7774fb65d7421bc300503eeb068b8104e168c70"
+ logic_hash = "7e24be541bafc2427ecd8f76b7774fb65d7421bc300503eeb068b8104e168c70"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96501,7 +96501,7 @@ rule ELASTIC_Windows_Trojan_Bitsloth_05Fc3A0A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BITSloth.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0944b17a4330e1c97600f62717d6bae7e4a4260604043f2390a14c8d76ef1507"
- logic_hash = "v1_sha256_8210dc28cf408f7f836aad3c32868ea21dd0862070c2c37d98b089a80be9285e"
+ logic_hash = "8210dc28cf408f7f836aad3c32868ea21dd0862070c2c37d98b089a80be9285e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96538,7 +96538,7 @@ rule ELASTIC_Windows_Hacktool_Physmem_Cc0978Df : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_PhysMem.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d"
- logic_hash = "v1_sha256_e2fabf5889dbdc98dc6942be4fb0de4351d64a06bab945993b2a2c4afe89984e"
+ logic_hash = "e2fabf5889dbdc98dc6942be4fb0de4351d64a06bab945993b2a2c4afe89984e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96568,7 +96568,7 @@ rule ELASTIC_Windows_Hacktool_Physmem_B3Fa382B : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_PhysMem.yar#L22-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9"
- logic_hash = "v1_sha256_36a60b78de15a52721ad4830b37daffc33d7689e8b180fe148876da00562273a"
+ logic_hash = "36a60b78de15a52721ad4830b37daffc33d7689e8b180fe148876da00562273a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96597,7 +96597,7 @@ rule ELASTIC_Linux_Trojan_Asacub_D3C4Aa41 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Asacub.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "15044273a506f825859e287689a57c6249b01bb0a848f113c946056163b7e5f1"
- logic_hash = "v1_sha256_3645e10e5ef8c50e5e82d749da07f5669c5162cb95aa5958ce45a414b870f619"
+ logic_hash = "3645e10e5ef8c50e5e82d749da07f5669c5162cb95aa5958ce45a414b870f619"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96626,7 +96626,7 @@ rule ELASTIC_Windows_Trojan_Darkvnc_Bd803C2E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DarkVNC.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0fcc1b02fdaf211c772bd4fa1abcdeb5338d95911c226a9250200ff7f8e45601"
- logic_hash = "v1_sha256_d9e8a42a424d6a186939682e1cd2ed794c8a3765824188e863b1b2829650e2d5"
+ logic_hash = "d9e8a42a424d6a186939682e1cd2ed794c8a3765824188e863b1b2829650e2d5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -96659,7 +96659,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_E8243Dae : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_NetFilter.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510"
- logic_hash = "v1_sha256_c551bd87e73f980d8836b13449490de5e639d768b72d9006d90969f3140b28e2"
+ logic_hash = "c551bd87e73f980d8836b13449490de5e639d768b72d9006d90969f3140b28e2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96688,7 +96688,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_Dd576D28 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_NetFilter.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "88cfe6d7c81d0064045c4198d6ec7d3c50dc3ec8e36e053456ed1b50fc8c23bf"
- logic_hash = "v1_sha256_7635ed94ca77c7705df4d2a9c5546ece86bf831b5bf5355943419174e0387b86"
+ logic_hash = "7635ed94ca77c7705df4d2a9c5546ece86bf831b5bf5355943419174e0387b86"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96717,7 +96717,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_B4F2A520 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_NetFilter.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5d0d5373c5e52c4405f4bd963413e6ef3490b7c4c919ec2d4e3fb92e91f397a0"
- logic_hash = "v1_sha256_520d2194593f1622a3b905fe182a0773447a4eee3472e7701cce977f5bf4fbae"
+ logic_hash = "520d2194593f1622a3b905fe182a0773447a4eee3472e7701cce977f5bf4fbae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96746,7 +96746,7 @@ rule ELASTIC_Windows_Hacktool_Netfilter_1Cae6E26 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_NetFilter.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e2ec3b2a93c473d88bfdf2deb1969d15ab61737acc1ee8e08234bc5513ee87ea"
- logic_hash = "v1_sha256_29c0edc03934e6e7275c3870a8808e03ec85dacb1f54e10efca3123d2257db98"
+ logic_hash = "29c0edc03934e6e7275c3870a8808e03ec85dacb1f54e10efca3123d2257db98"
 score = 75
 quality = 75
 tags = "FILE"
@@ -96774,7 +96774,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_25D3C5Ba : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ryuk.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_4d461ff9b87e3a17637cef89ff8a85ef22f69695d4664f6fe8f271a6a5f7b4bc"
+ logic_hash = "4d461ff9b87e3a17637cef89ff8a85ef22f69695d4664f6fe8f271a6a5f7b4bc"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96803,7 +96803,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_878Bae7E : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ryuk.yar#L22-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_94bed2220aeb41ae8069cee56cc5299b9fc56797d3b54085b8246a03d9e8bd93"
+ logic_hash = "94bed2220aeb41ae8069cee56cc5299b9fc56797d3b54085b8246a03d9e8bd93"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96833,7 +96833,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_6C726744 : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ryuk.yar#L44-L67"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_ee7586d5cbef23d1863a4dfcc5da9b97397c993268881922c681022bf4f293f0"
+ logic_hash = "ee7586d5cbef23d1863a4dfcc5da9b97397c993268881922c681022bf4f293f0"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96866,7 +96866,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_1A4Ad952 : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ryuk.yar#L69-L88"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_bb854f5760f41e2c103c99d8f128a2546926a614dff8753eaa1287ac583e213a"
+ logic_hash = "bb854f5760f41e2c103c99d8f128a2546926a614dff8753eaa1287ac583e213a"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96895,7 +96895,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_72B5Fd9D : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ryuk.yar#L90-L109"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_b2abc8f70df5d730ce6a7d0bc125bb623f27b292e7d575914368a8bfc0fb5837"
+ logic_hash = "b2abc8f70df5d730ce6a7d0bc125bb623f27b292e7d575914368a8bfc0fb5837"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96924,7 +96924,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_8Ba51798 : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ryuk.yar#L111-L137"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_0733ae6a7e38bc2a25aa76a816284482d3ee25626559ec5af554b5f5070e534a"
+ logic_hash = "0733ae6a7e38bc2a25aa76a816284482d3ee25626559ec5af554b5f5070e534a"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96960,7 +96960,7 @@ rule ELASTIC_Windows_Ransomware_Ryuk_88Daaf8E : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ryuk.yar#L139-L158"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_6fc463976c0fb9c3e4f25d854545d07800c63730826f3974298f0077d272cff0"
+ logic_hash = "6fc463976c0fb9c3e4f25d854545d07800c63730826f3974298f0077d272cff0"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -96990,7 +96990,7 @@ rule ELASTIC_Multi_Hacktool_Stowaway_89F1D452 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Hacktool_Stowaway.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c073d3be469c8eea0f007bb37c722bad30e06dc994d3a59773838ed8be154c95"
- logic_hash = "v1_sha256_c5db1335fea606ec32f7a6540ee4dee637dd2ad5aee27e092b89fa03ad085690"
+ logic_hash = "c5db1335fea606ec32f7a6540ee4dee637dd2ad5aee27e092b89fa03ad085690"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97027,7 +97027,7 @@ rule ELASTIC_Windows_Trojan_Bandook_38497690 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Bandook.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4d079586a51168aac708a9ab7d11a5a49dfe7a16d9ced852fbbc5884020c0c97"
- logic_hash = "v1_sha256_199614993f63636764808313f25199348afdf4d537c8dca06f673559e34636b8"
+ logic_hash = "199614993f63636764808313f25199348afdf4d537c8dca06f673559e34636b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97061,7 +97061,7 @@ rule ELASTIC_Windows_Ransomware_Lockfile_74185716 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Lockfile.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce"
- logic_hash = "v1_sha256_e922c2fc9dd52dd0238847a9d48691bea90d028cf680fc3a1a0dbdfef1d8dce3"
+ logic_hash = "e922c2fc9dd52dd0238847a9d48691bea90d028cf680fc3a1a0dbdfef1d8dce3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97093,7 +97093,7 @@ rule ELASTIC_Linux_Ransomware_Lockbit_D248E80E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Lockbit.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4800a67ceff340d2ab4f79406a01f58e5a97d589b29b35394b2a82a299b19745"
- logic_hash = "v1_sha256_5d33d243cd7f9d9189139eb34a4dd8d81882be200223d5c8e60dfd07ca98f94b"
+ logic_hash = "5d33d243cd7f9d9189139eb34a4dd8d81882be200223d5c8e60dfd07ca98f94b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97127,7 +97127,7 @@ rule ELASTIC_Linux_Ransomware_Lockbit_5B30A04B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Lockbit.yar#L26-L46"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "41cbb7d79388eaa4d6e704bd4a8bf8f34d486d27277001c343ea3ce112f4fb0d"
- logic_hash = "v1_sha256_b89d0f25f08ffa35e075def6a29cf52a80500c6499732146426a71c741059a3b"
+ logic_hash = "b89d0f25f08ffa35e075def6a29cf52a80500c6499732146426a71c741059a3b"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -97158,7 +97158,7 @@ rule ELASTIC_Macos_Trojan_Amcleaner_445Bb666 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Amcleaner.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c85bf71310882bc0c0cf9b74c9931fd19edad97600bc86ca51cf94ed85a78052"
- logic_hash = "v1_sha256_664829ff761186ec8f3055531b5490b7516756b0aa9d0183d4c17240a5ca44c4"
+ logic_hash = "664829ff761186ec8f3055531b5490b7516756b0aa9d0183d4c17240a5ca44c4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97187,7 +97187,7 @@ rule ELASTIC_Macos_Trojan_Amcleaner_A91D3907 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Amcleaner.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dc9c700f3f6a03ecb6e3f2801d4269599c32abce7bc5e6a1b7e6a64b0e025f58"
- logic_hash = "v1_sha256_e61ceea117acf444a6b137b93d7c335c6eb8a7e13a567177ec4ea44bf64fd5c6"
+ logic_hash = "e61ceea117acf444a6b137b93d7c335c6eb8a7e13a567177ec4ea44bf64fd5c6"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -97216,7 +97216,7 @@ rule ELASTIC_Macos_Trojan_Amcleaner_8Ce3Fea8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Amcleaner.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c85bf71310882bc0c0cf9b74c9931fd19edad97600bc86ca51cf94ed85a78052"
- logic_hash = "v1_sha256_08c4b5b4afefbf1ee207525f9b28bc7eed7b55cb07f8576fddfa0bbe95002769"
+ logic_hash = "08c4b5b4afefbf1ee207525f9b28bc7eed7b55cb07f8576fddfa0bbe95002769"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -97245,7 +97245,7 @@ rule ELASTIC_Windows_Ransomware_Nightsky_A7F19411 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Nightsky.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577"
- logic_hash = "v1_sha256_defc7ab43035c663302edfda60a4b57cb301b3d61662afe3ce1de2ac93cfc3e2"
+ logic_hash = "defc7ab43035c663302edfda60a4b57cb301b3d61662afe3ce1de2ac93cfc3e2"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -97277,7 +97277,7 @@ rule ELASTIC_Windows_Ransomware_Nightsky_253C4D0D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Nightsky.yar#L24-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2c940a35025dd3847f7c954a282f65e9c2312d2ada28686f9d1dc73d1c500224"
- logic_hash = "v1_sha256_ba9e6dab664e464e0fdc65bd8bdccc661846d85e7fd8fbf089e72e9e5b71fb17"
+ logic_hash = "ba9e6dab664e464e0fdc65bd8bdccc661846d85e7fd8fbf089e72e9e5b71fb17"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97306,7 +97306,7 @@ rule ELASTIC_Linux_Exploit_Race_758A0884 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Race.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a4966baaa34b05cb782071ef114a53cac164e6dece275c862fe96a2cff4a6f06"
- logic_hash = "v1_sha256_ccba0e2ddefd53939cda6b4985def2d487ac5916cbad7374ac3143f02b9f7ff5"
+ logic_hash = "ccba0e2ddefd53939cda6b4985def2d487ac5916cbad7374ac3143f02b9f7ff5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97335,7 +97335,7 @@ rule ELASTIC_Multi_Ransomware_Akira_21842Eb3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_Akira.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75"
- logic_hash = "v1_sha256_1c50f4da476cef9f9818f8c0117621eae232be0245ad244babe51d493f0a5a48"
+ logic_hash = "1c50f4da476cef9f9818f8c0117621eae232be0245ad244babe51d493f0a5a48"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97364,7 +97364,7 @@ rule ELASTIC_Linux_Rootkit_Snapekit_01205A75 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Snapekit.yar#L1-L56"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "58d1e56fff04affb4c8cbb5fc3ea848e88d1f05c07e6f730e1cf17100ef1b666"
- logic_hash = "v1_sha256_ba9b40481afb29a6db33fe61fe23b9f3895744da6737167788018396987bb533"
+ logic_hash = "ba9b40481afb29a6db33fe61fe23b9f3895744da6737167788018396987bb533"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -97430,7 +97430,7 @@ rule ELASTIC_Windows_Hacktool_Iox_98Cd1Cd8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Iox.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d4544a521d4e6eb07336816b1aae54f92c5c4fd2eb31dcfbdf26e4ef890e73db"
- logic_hash = "v1_sha256_d7f9e4f399410d54416e974fbd66b2caa27359ae0f2e33e01d62f1aa618daa34"
+ logic_hash = "d7f9e4f399410d54416e974fbd66b2caa27359ae0f2e33e01d62f1aa618daa34"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97462,7 +97462,7 @@ rule ELASTIC_Linux_Cryptominer_Xpaj_Fdbd614E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Xpaj.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3e2b1b36981713217301dd02db33fb01458b3ff47f28dfdc795d8d1d332f13ea"
- logic_hash = "v1_sha256_70e6450f98411750361481aaad0d3ea079f58b1ae09970f04da09c20137a50fa"
+ logic_hash = "70e6450f98411750361481aaad0d3ea079f58b1ae09970f04da09c20137a50fa"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -97491,7 +97491,7 @@ rule ELASTIC_Windows_Trojan_Sysjoker_1Ef19A12 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SysJoker.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc"
- logic_hash = "v1_sha256_25bd58d546549d208f9f95f4c27d1e58f86f87750dae1e293544cc92b25f8b32"
+ logic_hash = "25bd58d546549d208f9f95f4c27d1e58f86f87750dae1e293544cc92b25f8b32"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97523,7 +97523,7 @@ rule ELASTIC_Windows_Trojan_Sysjoker_34559Bcd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SysJoker.yar#L24-L48"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c"
- logic_hash = "v1_sha256_ebe7f6037f14e37b6efe81614c06c6d26fe0cc17d0475b8b19715f80d0d9aad3"
+ logic_hash = "ebe7f6037f14e37b6efe81614c06c6d26fe0cc17d0475b8b19715f80d0d9aad3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97558,7 +97558,7 @@ rule ELASTIC_Linux_Ransomware_Esxiargs_75A8Ec04 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Esxiargs.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66"
- logic_hash = "v1_sha256_7316cab75c1bcf41ae6c96afa41ef96c37ab1bb679f36a0cc1dd08002a357165"
+ logic_hash = "7316cab75c1bcf41ae6c96afa41ef96c37ab1bb679f36a0cc1dd08002a357165"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97591,7 +97591,7 @@ rule ELASTIC_Windows_Trojan_Avemaria_31D2Bce9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_AveMaria.yar#L1-L31"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b"
- logic_hash = "v1_sha256_7ba59c3be07e35b415719b60b14a0f629619e5729c20f50f00dbea0c2f8bd026"
+ logic_hash = "7ba59c3be07e35b415719b60b14a0f629619e5729c20f50f00dbea0c2f8bd026"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97632,7 +97632,7 @@ rule ELASTIC_Linux_Exploit_Moogrey_81131B66 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Moogrey.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cc27b9755bd9feb1fb2c510f66e36c20a1503e6769cdaeee2bea7fe962d22ccc"
- logic_hash = "v1_sha256_dc2fe7caa38f665d24bbc673ff63491ebdeec8d56a420092243ce241238846cf"
+ logic_hash = "dc2fe7caa38f665d24bbc673ff63491ebdeec8d56a420092243ce241238846cf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97661,7 +97661,7 @@ rule ELASTIC_Windows_Vulndriver_Glckio_39C4Abd4 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_GlckIo.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25"
- logic_hash = "v1_sha256_fd43503c9427a386674c06bb790e110ac23c27d8fc4adedbaa8a9b7cb0cbafd4"
+ logic_hash = "fd43503c9427a386674c06bb790e110ac23c27d8fc4adedbaa8a9b7cb0cbafd4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -97690,7 +97690,7 @@ rule ELASTIC_Windows_Vulndriver_Glckio_68D5Afbb : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_GlckIo.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a"
- logic_hash = "v1_sha256_0b5f0d408a5c4089ef496c5f8241a34d0468cc3d21e89e41dc105a0df0855d38"
+ logic_hash = "0b5f0d408a5c4089ef496c5f8241a34d0468cc3d21e89e41dc105a0df0855d38"
 score = 75
 quality = 75
 tags = "FILE"
@@ -97719,7 +97719,7 @@ rule ELASTIC_Windows_Hacktool_Processhacker_3D01069E : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_ProcessHacker.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
- logic_hash = "v1_sha256_bcba74aa20b62329c48060bfebaf49ab12f89f9ec3a09fc0c0cb702de5e2b940"
+ logic_hash = "bcba74aa20b62329c48060bfebaf49ab12f89f9ec3a09fc0c0cb702de5e2b940"
 score = 75
 quality = 75
 tags = "FILE"
@@ -97748,7 +97748,7 @@ rule ELASTIC_Linux_Hacktool_Bruteforce_Bad95Bd6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Bruteforce.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8e8be482357ebddc6ac3ea9ee60241d011063f7e558a59e6bd119e72e4862024"
- logic_hash = "v1_sha256_8001e6503baeb52c66c9b30026544913270085406a1fe4c45d14629811d36d5f"
+ logic_hash = "8001e6503baeb52c66c9b30026544913270085406a1fe4c45d14629811d36d5f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97777,7 +97777,7 @@ rule ELASTIC_Linux_Hacktool_Bruteforce_66A14C03 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Bruteforce.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a2d8e2c34ae95243477820583c0b00dfe3f475811d57ffb95a557a227f94cd55"
- logic_hash = "v1_sha256_c8b2925c2e3f95e78f117ddd52e208d143d19ee75e9283f7f15d10e930eaac5f"
+ logic_hash = "c8b2925c2e3f95e78f117ddd52e208d143d19ee75e9283f7f15d10e930eaac5f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97806,7 +97806,7 @@ rule ELASTIC_Linux_Hacktool_Bruteforce_Eb83B6Aa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Bruteforce.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8dec88576f61f37fbaece3c30e71d338c340c8fb9c231f9d7b1c32510d2c3167"
- logic_hash = "v1_sha256_bc79860e414d07ee8000eea3d61827272d66faa90a8bf6c65fcda90a4bd762ef"
+ logic_hash = "bc79860e414d07ee8000eea3d61827272d66faa90a8bf6c65fcda90a4bd762ef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97835,7 +97835,7 @@ rule ELASTIC_Windows_Vulndriver_Dbutil_Ffe07C79 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_DBUtil.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3"
- logic_hash = "v1_sha256_18b1c93c395b105f446b4c968441e0a43e42b1bd7efcf6501a89eb92cbd21824"
+ logic_hash = "18b1c93c395b105f446b4c968441e0a43e42b1bd7efcf6501a89eb92cbd21824"
 score = 75
 quality = 75
 tags = "FILE"
@@ -97864,7 +97864,7 @@ rule ELASTIC_Windows_Vulndriver_Dbutil_852Ba283 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_DBUtil.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5"
- logic_hash = "v1_sha256_78acd081c2517f9c53cb311481c0cc40cc3699b222afc290da1a3698e7bf75b7"
+ logic_hash = "78acd081c2517f9c53cb311481c0cc40cc3699b222afc290da1a3698e7bf75b7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -97893,7 +97893,7 @@ rule ELASTIC_Linux_Ransomware_Clop_728Cf32A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Clop.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef"
- logic_hash = "v1_sha256_31c2fdfcfc46ad1dd69489536172937b9771d8505f36c7bd8dc796f40a2fe4d2"
+ logic_hash = "31c2fdfcfc46ad1dd69489536172937b9771d8505f36c7bd8dc796f40a2fe4d2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97924,7 +97924,7 @@ rule ELASTIC_Linux_Trojan_Setag_351Eeb76 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Setag.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_3519d9e4bfa18c19b49d0fa15ef78151bd13db9614406c4569720d20830f3cbb"
+ logic_hash = "3519d9e4bfa18c19b49d0fa15ef78151bd13db9614406c4569720d20830f3cbb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97953,7 +97953,7 @@ rule ELASTIC_Linux_Trojan_Setag_01E2F79B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Setag.yar#L20-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5b5e8486174026491341a750f6367959999bbacd3689215f59a62dbb13a45fcc"
- logic_hash = "v1_sha256_1e0336760f364acbbe0e8aec10bc7bfb48ed7e33cde56d8914617664cb93fd9b"
+ logic_hash = "1e0336760f364acbbe0e8aec10bc7bfb48ed7e33cde56d8914617664cb93fd9b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -97982,7 +97982,7 @@ rule ELASTIC_Multi_Hacktool_Nps_C6Eb4A27 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Hacktool_Nps.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4714e8ad9c625070ca0a151ffc98d87d8e5da7c8ef42037ca5f43baede6cfac1"
- logic_hash = "v1_sha256_53baf04f4ab8967761c6badb24f6632cc1bf4a448abf0049318b96855f30feea"
+ logic_hash = "53baf04f4ab8967761c6badb24f6632cc1bf4a448abf0049318b96855f30feea"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -98016,7 +98016,7 @@ rule ELASTIC_Multi_Hacktool_Nps_F76F257D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Hacktool_Nps.yar#L27-L50"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "80721b20a8667536a33fca50236f5c8e0c0d07aa7805b980e40818ab92cd9f4a"
- logic_hash = "v1_sha256_0bbd7f86bfd2967dc390510c2e403d05e1b56551b965ea716b9e5330f75c9bd5"
+ logic_hash = "0bbd7f86bfd2967dc390510c2e403d05e1b56551b965ea716b9e5330f75c9bd5"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -98049,7 +98049,7 @@ rule ELASTIC_Linux_Exploit_CVE_2021_3490_D369D615 : FILE MEMORY CVE_2021_3490
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2021_3490.yar#L1-L30"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e65ba616942fd1e893e10898d546fe54458debbc42e0d6826aff7a4bb4b2cf19"
- logic_hash = "v1_sha256_6fa4b36366d2c255f5ccf0e22a06c7e17df74fddd06963787dbcd713b3e8aca6"
+ logic_hash = "6fa4b36366d2c255f5ccf0e22a06c7e17df74fddd06963787dbcd713b3e8aca6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2021-3490"
@@ -98089,7 +98089,7 @@ rule ELASTIC_Windows_Trojan_Hotpage_414F235F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_HotPage.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b8464126b64c809b4ab47aa91c5f322ce2c0ae4fd668a43de738a5caa7567225"
- logic_hash = "v1_sha256_cfa0036b22a83a5396b3f9014511720071246a775053ad493791ebc1212400f2"
+ logic_hash = "cfa0036b22a83a5396b3f9014511720071246a775053ad493791ebc1212400f2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98124,7 +98124,7 @@ rule ELASTIC_Linux_Trojan_Chinaz_A2140Ca1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Chinaz.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7c44c2ca77ef7a62446f6266a757817a6c9af5e010a219a43a1905e2bc5725b0"
- logic_hash = "v1_sha256_c9c63114e45b45b1c243af1f719cddc838a06a1f35d65dca6a2fb5574047eff0"
+ logic_hash = "c9c63114e45b45b1c243af1f719cddc838a06a1f35d65dca6a2fb5574047eff0"
 score = 60
 quality = 45
 tags = "FILE, MEMORY"
@@ -98153,7 +98153,7 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_B521801B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Matanbuchus.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2"
- logic_hash = "v1_sha256_609a0941b118d737124a5cd9c98c007e21557a239cfa3cf97cd3b4348c934f03"
+ logic_hash = "609a0941b118d737124a5cd9c98c007e21557a239cfa3cf97cd3b4348c934f03"
 score = 75
 quality = 25
 tags = "FILE, MEMORY"
@@ -98185,7 +98185,7 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_4Ce9Affb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Matanbuchus.yar#L24-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2"
- logic_hash = "v1_sha256_16441eb4617b6b3cb1e7d600959a5cbfe15c72c00361b45551b7ef4c81f78462"
+ logic_hash = "16441eb4617b6b3cb1e7d600959a5cbfe15c72c00361b45551b7ef4c81f78462"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98214,7 +98214,7 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_58A61Aaa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Matanbuchus.yar#L44-L62"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2"
- logic_hash = "v1_sha256_7226e2f61bd6f1cca15c1f3f8d8697cb277d1e214f756295ffda5bc16304cc49"
+ logic_hash = "7226e2f61bd6f1cca15c1f3f8d8697cb277d1e214f756295ffda5bc16304cc49"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98243,7 +98243,7 @@ rule ELASTIC_Windows_Trojan_Matanbuchus_C7811Ccc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Matanbuchus.yar#L64-L82"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4eb85a5532b98cbc4a6db1697cf46b9e2b7e28e89d6bbfc137b36c0736cd80e2"
- logic_hash = "v1_sha256_e65dc05f6d9289a42c05afdc4da0ce1c18c1129dd87688a277ece925e83d7ef1"
+ logic_hash = "e65dc05f6d9289a42c05afdc4da0ce1c18c1129dd87688a277ece925e83d7ef1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98272,7 +98272,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_17Ee6A17 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "497bc53c1c75003fe4ae3199b0ff656c085f21dffa71d00d7a3a33abce1a3382"
- logic_hash = "v1_sha256_0c868d0673c01e2c115d6822c34c877db77265251167f3a890a448a1de5c6a2d"
+ logic_hash = "0c868d0673c01e2c115d6822c34c877db77265251167f3a890a448a1de5c6a2d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98309,7 +98309,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_F54632Eb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L29-L56"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25"
- logic_hash = "v1_sha256_1779919556ee5c9a78342aabafb8408e035cb39632b25c54da6bf195894901dc"
+ logic_hash = "1779919556ee5c9a78342aabafb8408e035cb39632b25c54da6bf195894901dc"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -98347,7 +98347,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_3D9371Fd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L58-L82"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a"
- logic_hash = "v1_sha256_1c8a64ce7615f502602ab960638dd55f4deaeea3b49d894274d64d4d0b6a1d10"
+ logic_hash = "1c8a64ce7615f502602ab960638dd55f4deaeea3b49d894274d64d4d0b6a1d10"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -98382,7 +98382,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_63E7E006 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L84-L104"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e062c99dc9f3fa780ea9c6249fa4ef96bbe17fd1df38dbe11c664a10a92deece"
- logic_hash = "v1_sha256_2085eaf622b52372124e9b23d19e3e4a7fdb7a4559ad9a09216c1cbae96ca5b6"
+ logic_hash = "2085eaf622b52372124e9b23d19e3e4a7fdb7a4559ad9a09216c1cbae96ca5b6"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -98413,7 +98413,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_F07B3Cb4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L106-L125"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5e491625475fc25c465fc7f6db98def189c15a133af7d0ac1ecbc8d887c4feb6"
- logic_hash = "v1_sha256_64536e3b340254554154ac1b33adfb4f3c72a2c6c0d1ef27827621b905d431c5"
+ logic_hash = "64536e3b340254554154ac1b33adfb4f3c72a2c6c0d1ef27827621b905d431c5"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -98443,7 +98443,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_4Df4Bcb6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L127-L145"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9389475bd26c1d3fd04a083557f2797d0ee89dfdd1f7de67775fcd19e61dfbb3"
- logic_hash = "v1_sha256_d9027fa9c8d9c938159a734431bb2be67fd7cca1f898c2208f7b909157524da4"
+ logic_hash = "d9027fa9c8d9c938159a734431bb2be67fd7cca1f898c2208f7b909157524da4"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -98472,7 +98472,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_15Ee6903 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L147-L166"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "46b506cafb2460ca2969f69bcb0ee0af63b6d65e6b2a6249ef7faa21bde1a6bd"
- logic_hash = "v1_sha256_22c8a1f4b5b94261cfabdbcc00e45b9437a0132d4e9d4543b734d4f303336696"
+ logic_hash = "22c8a1f4b5b94261cfabdbcc00e45b9437a0132d4e9d4543b734d4f303336696"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -98502,7 +98502,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_6Dfafd7B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L168-L186"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "809e303ba26b894f006b8f2d3983ff697aef13b67c36957d98c56aae9afd8852"
- logic_hash = "v1_sha256_888bc2fdfae8673cd6bce56fc9894b3cab6d7e3c384d854d6bc8aef47fdecf1c"
+ logic_hash = "888bc2fdfae8673cd6bce56fc9894b3cab6d7e3c384d854d6bc8aef47fdecf1c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -98531,7 +98531,7 @@ rule ELASTIC_Windows_Trojan_Redlinestealer_983Cd7A7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_RedLineStealer.yar#L188-L208"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7aa20c57b8815dd63c8ae951e1819c75b5d2deec5aae0597feec878272772f35"
- logic_hash = "v1_sha256_2104bad5ec42bc72ec611607a53086a85359bdb4bf084d7377e9a8e234b0e928"
+ logic_hash = "2104bad5ec42bc72ec611607a53086a85359bdb4bf084d7377e9a8e234b0e928"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98562,7 +98562,7 @@ rule ELASTIC_Multi_Trojan_Gosar_31Dba745 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Gosar.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4caf4b280e61745ce53f96f48a74dea3b69df299c3b9de78ba4731b83c76c334"
- logic_hash = "v1_sha256_116fb9c44a992067d50cd95715ffa320c6141f133eb8c9dc91b2db8559a8ee2d"
+ logic_hash = "116fb9c44a992067d50cd95715ffa320c6141f133eb8c9dc91b2db8559a8ee2d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98597,7 +98597,7 @@ rule ELASTIC_Linux_Exploit_Local_47C64Fb6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0caa9035027ff88788e6b8e43bfc012a367a12148be809555c025942054a6360"
- logic_hash = "v1_sha256_7d977edd5fc90c6f03ed5558c690b3dd2102bbff9d7e5124403276405e15201b"
+ logic_hash = "7d977edd5fc90c6f03ed5558c690b3dd2102bbff9d7e5124403276405e15201b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98626,7 +98626,7 @@ rule ELASTIC_Linux_Exploit_Local_76C24B62 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "330de2ca1add7e06389d94dfc541c367a484394c51663b26d27d89346b08ad1b"
- logic_hash = "v1_sha256_ff55d6a316394812cfa1108578aece91050bfb2f7e0f8c0440dcb64156f3e893"
+ logic_hash = "ff55d6a316394812cfa1108578aece91050bfb2f7e0f8c0440dcb64156f3e893"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98655,7 +98655,7 @@ rule ELASTIC_Linux_Exploit_Local_30C21B03 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a09c81f185a4ceed134406fa7fefdfa7d8dfc10d639dd044c94fbb6d570fa029"
- logic_hash = "v1_sha256_396965c457b2e02d7d524d9d5fb3cc76852895ed9675c7b1205a94f47ba10144"
+ logic_hash = "396965c457b2e02d7d524d9d5fb3cc76852895ed9675c7b1205a94f47ba10144"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98684,7 +98684,7 @@ rule ELASTIC_Linux_Exploit_Local_9Ace9649 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b38869605521531153cfd8077f05e0d6b52dca0fffbc627a4d5eaa84855a491c"
- logic_hash = "v1_sha256_d7a60b0cb7fcbd9e802660bda3e0456f7f4ef9db38b6dab131c160efce48909e"
+ logic_hash = "d7a60b0cb7fcbd9e802660bda3e0456f7f4ef9db38b6dab131c160efce48909e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98713,7 +98713,7 @@ rule ELASTIC_Linux_Exploit_Local_705C9589 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "845727ea46491b46a665d4e1a3a9dbbe6cd0536d070f1c1efd533b91b75cdc88"
- logic_hash = "v1_sha256_9834d564c2acc688750d5e6c53db7c1201ef85c6fb3d1d0ea2425a5ba905ff18"
+ logic_hash = "9834d564c2acc688750d5e6c53db7c1201ef85c6fb3d1d0ea2425a5ba905ff18"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98742,7 +98742,7 @@ rule ELASTIC_Linux_Exploit_Local_A677Fb9C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d20b260c7485173264e3e674adc7563ea3891224a3dc98bdd342ebac4a1349e8"
- logic_hash = "v1_sha256_9b43e651f73d17dbd2143cec4c79929723689ce738924588e38c99a9554e5545"
+ logic_hash = "9b43e651f73d17dbd2143cec4c79929723689ce738924588e38c99a9554e5545"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98771,7 +98771,7 @@ rule ELASTIC_Linux_Exploit_Local_78E50162 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "706c865257d5e1f5f434ae0f31e11dfc7e16423c4c639cb2763ec0f51bc73300"
- logic_hash = "v1_sha256_10a5bef486ec0ececfe0a9edfcad7ce053da2a97028cd1648aa27572fedd8ef6"
+ logic_hash = "10a5bef486ec0ececfe0a9edfcad7ce053da2a97028cd1648aa27572fedd8ef6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98800,7 +98800,7 @@ rule ELASTIC_Linux_Exploit_Local_3B767A1F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e05fed9e514cccbdb775f295327d8f8838b73ad12f25e7bb0b9d607ff3d0511c"
- logic_hash = "v1_sha256_0f24a7d4e8ff0899430aa0a702000f35039b07400120b382b675825630f0ea4e"
+ logic_hash = "0f24a7d4e8ff0899430aa0a702000f35039b07400120b382b675825630f0ea4e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98829,7 +98829,7 @@ rule ELASTIC_Linux_Exploit_Local_2535C9B6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L161-L179"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d0f9cc114f6a1f788f36e359e03a9bbf89c075f41aec006229b6ad20ebbfba0b"
- logic_hash = "v1_sha256_222e929d8352ed02714a59b0e1b9777b0f2d80d63cb369fa9bf33460c84efbb2"
+ logic_hash = "222e929d8352ed02714a59b0e1b9777b0f2d80d63cb369fa9bf33460c84efbb2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98858,7 +98858,7 @@ rule ELASTIC_Linux_Exploit_Local_6A9B5D50 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L181-L199"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "80ab71dc9ed2131b08b5b75b5a4a12719d499c6b6ee6819ad5a6626df4a1b862"
- logic_hash = "v1_sha256_99a18bfb62c195bdea89c688fed4456fee33477878ecdee8a78cd4bf18ad539b"
+ logic_hash = "99a18bfb62c195bdea89c688fed4456fee33477878ecdee8a78cd4bf18ad539b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98887,7 +98887,7 @@ rule ELASTIC_Linux_Exploit_Local_66557224 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L201-L219"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f58151a2f653972e744822cdc420ab1c2b8b642877d3dfa2e8b2b6915e8edf40"
- logic_hash = "v1_sha256_5583f086d594ebdf5890a8a5fbee5c04fbddfe42adcae07480532d87e474ef0c"
+ logic_hash = "5583f086d594ebdf5890a8a5fbee5c04fbddfe42adcae07480532d87e474ef0c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98916,7 +98916,7 @@ rule ELASTIC_Linux_Exploit_Local_6229602F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Local.yar#L221-L239"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4fdb15663a405f6fc4379aad9a5021040d7063b8bb82403bedb9578d45d428fa"
- logic_hash = "v1_sha256_c3ab6a36c0c2d430d576f7c0cfdc6d1affcd99d007e2d05596677da9bda5a19e"
+ logic_hash = "c3ab6a36c0c2d430d576f7c0cfdc6d1affcd99d007e2d05596677da9bda5a19e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98944,7 +98944,7 @@ rule ELASTIC_Linux_Trojan_Marut_47Af730D : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Marut.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_048ce8059be6697c5f507fb1912ac2adcedab87c75583dd84700984e6d0d81e6"
+ logic_hash = "048ce8059be6697c5f507fb1912ac2adcedab87c75583dd84700984e6d0d81e6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -98973,7 +98973,7 @@ rule ELASTIC_Windows_Wiper_Hermeticwiper_7206A969 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Wiper_HermeticWiper.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
- logic_hash = "v1_sha256_84c61b8223a6ebf1ccfa4fdccee3c9091abca4553e55ac6c2492cff5503b4774"
+ logic_hash = "84c61b8223a6ebf1ccfa4fdccee3c9091abca4553e55ac6c2492cff5503b4774"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99006,7 +99006,7 @@ rule ELASTIC_Macos_Exploit_Log4J_75A13888 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Exploit_Log4j.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_b09d8dd9c422e7eb8aa23f8b1204d31fd290252925099300d6d19d73e562ca5e"
+ logic_hash = "b09d8dd9c422e7eb8aa23f8b1204d31fd290252925099300d6d19d73e562ca5e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99041,7 +99041,7 @@ rule ELASTIC_Macos_Trojan_Sugarloader_E7E1D99C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_SugarLoader.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3ea2ead8f3cec030906dcbffe3efd5c5d77d5d375d4a54cca03bfe8a6cb59940"
- logic_hash = "v1_sha256_0689b704add81e8e7968d9dba5f60d45c8791209330f4ee97e218f8eeb22c88f"
+ logic_hash = "0689b704add81e8e7968d9dba5f60d45c8791209330f4ee97e218f8eeb22c88f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99074,7 +99074,7 @@ rule ELASTIC_Linux_Cryptominer_Ursu_3C05F8Ab : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Ursu.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d72361010184f5a48386860918052dbb8726d40e860ea0287994936702577956"
- logic_hash = "v1_sha256_8261e4ee40131cd7df61914cd7bdf154e8a2b5fa3abd9d301436f9371253f510"
+ logic_hash = "8261e4ee40131cd7df61914cd7bdf154e8a2b5fa3abd9d301436f9371253f510"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99103,7 +99103,7 @@ rule ELASTIC_Linux_Ransomware_Limpdemon_95C748E0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_LimpDemon.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a4200e90a821a2f2eb3056872f06cf5b057be154dcc410274955b2aaca831651"
- logic_hash = "v1_sha256_e66906725c0af657d91771642908ac0b2c72a97c4d4f651dcc907c2c1437f2da"
+ logic_hash = "e66906725c0af657d91771642908ac0b2c72a97c4d4f651dcc907c2c1437f2da"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99135,7 +99135,7 @@ rule ELASTIC_Windows_Trojan_Wikiloader_C57F3F88 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_WikiLoader.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0f71b1805d7feb6830b856c5a5328d3a132af4c37fcd747d82beb0f61c77f6f5"
- logic_hash = "v1_sha256_408c6d811232dbd0c87f75fd28508366151cf9f2f10f012919588db1919e406b"
+ logic_hash = "408c6d811232dbd0c87f75fd28508366151cf9f2f10f012919588db1919e406b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99164,7 +99164,7 @@ rule ELASTIC_Windows_Trojan_Wikiloader_99681F1C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_WikiLoader.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0b02cfe16ac73f2e7dc52eaf3b93279b7d02b3d64d061782dfed0c55ab621a8e"
- logic_hash = "v1_sha256_fb293d74186e778856780377120ac2ebe9550a508a0b33e706c39f93a5509df8"
+ logic_hash = "fb293d74186e778856780377120ac2ebe9550a508a0b33e706c39f93a5509df8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99193,7 +99193,7 @@ rule ELASTIC_Linux_Trojan_Sckit_A244328F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sckit.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "685da66303a007322d235b7808190c3ea78a828679277e8e03e6d8d511df0a30"
- logic_hash = "v1_sha256_8001c9fcf9f8b70c3e27554156b0b26ddcd6cab36bf97cf3b89a4c43c9ad883c"
+ logic_hash = "8001c9fcf9f8b70c3e27554156b0b26ddcd6cab36bf97cf3b89a4c43c9ad883c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99222,7 +99222,7 @@ rule ELASTIC_Windows_Trojan_Hawkeye_77C36Ace : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Hawkeye.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "28e28025060f1bafd4eb96c7477cab73497ca2144b52e664b254c616607d94cd"
- logic_hash = "v1_sha256_e8c1060efde0c4a073247d03a19dedb1c0acc8506fbf6eac93ac44f00fc73be1"
+ logic_hash = "e8c1060efde0c4a073247d03a19dedb1c0acc8506fbf6eac93ac44f00fc73be1"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -99255,7 +99255,7 @@ rule ELASTIC_Windows_Trojan_Hawkeye_975D546C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Hawkeye.yar#L25-L48"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "aca133bf1d72cf379101e6877871979d6e6e8bc4cc692a5ba815289735014340"
- logic_hash = "v1_sha256_cbd8ce991059f961236a4bb83ea5a78efa661199b40fca8b09550856e932198b"
+ logic_hash = "cbd8ce991059f961236a4bb83ea5a78efa661199b40fca8b09550856e932198b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99289,7 +99289,7 @@ rule ELASTIC_Windows_Hacktool_Sharpsccm_9Bef8Dab : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpSCCM.yar#L1-L31"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2e169c4fd16627029445bb0365a2f9ee61ab6b3757b8ad02fd210ce85dc9c97f"
- logic_hash = "v1_sha256_560c780934a63b3c857a09841c09cbc350205868c696fac958e249e1379cc865"
+ logic_hash = "560c780934a63b3c857a09841c09cbc350205868c696fac958e249e1379cc865"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99330,7 +99330,7 @@ rule ELASTIC_Linux_Exploit_Sorso_Ecf99F8F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Sorso.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd"
- logic_hash = "v1_sha256_c771ff109e548e37134cd76ac668f0d4abafcf262de12b00236ad94fc11a99d1"
+ logic_hash = "c771ff109e548e37134cd76ac668f0d4abafcf262de12b00236ad94fc11a99d1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99359,7 +99359,7 @@ rule ELASTIC_Linux_Exploit_Sorso_91A4D487 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Sorso.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd"
- logic_hash = "v1_sha256_bb58c78ae3cc730aa1ef32974f65adabd63972ef181696aeb79954f904f2f405"
+ logic_hash = "bb58c78ae3cc730aa1ef32974f65adabd63972ef181696aeb79954f904f2f405"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99388,7 +99388,7 @@ rule ELASTIC_Linux_Exploit_Sorso_61Eae7Dd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Sorso.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0f0a7b45fb91bc18264d901c20539dd32bc03fa5b7d839a0ef5012fb0d895cd"
- logic_hash = "v1_sha256_a8bc8a2c8405b80b160ad21898003781405a762c0e627f13b34e9362e0aa51a1"
+ logic_hash = "a8bc8a2c8405b80b160ad21898003781405a762c0e627f13b34e9362e0aa51a1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99417,7 +99417,7 @@ rule ELASTIC_Linux_Trojan_Melofee_C23D18F3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Melofee.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b0abf6691e769ead1f11cfdcd300f8cd5291f19059be6bb40d556f793b1bc21e"
- logic_hash = "v1_sha256_fd769e0eca9ee858a3773a906189c510742364722b3e5c384158b3ec4158fc68"
+ logic_hash = "fd769e0eca9ee858a3773a906189c510742364722b3e5c384158b3ec4158fc68"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -99451,7 +99451,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_D9E6B88E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a4ac275275e7be694a200fe6c5c5746256398c109cf54f45220637fe5d9e26ba"
- logic_hash = "v1_sha256_979d2ae62efca0f719ed1db2ff832dc9a0aa0347dcd50ccede29ec35cba6d296"
+ logic_hash = "979d2ae62efca0f719ed1db2ff832dc9a0aa0347dcd50ccede29ec35cba6d296"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99480,7 +99480,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_30C039E2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b494ca3b7bae2ab9a5197b81e928baae5b8eac77dfdc7fe1223fee8f27024772"
- logic_hash = "v1_sha256_a9dbfede68a3209b403aa40dbc5b69326c3e1c14259ed6bc6351f0f9412cfce2"
+ logic_hash = "a9dbfede68a3209b403aa40dbc5b69326c3e1c14259ed6bc6351f0f9412cfce2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99509,7 +99509,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_C94Eec37 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "294fcdd57fc0a53e2d63b620e85fa65c00942db2163921719d052d341aa2dc30"
- logic_hash = "v1_sha256_39a49e1661ac2ca6a43a56b0bd136976f6d506c0779d862a43ba2c25d6947fee"
+ logic_hash = "39a49e1661ac2ca6a43a56b0bd136976f6d506c0779d862a43ba2c25d6947fee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99538,7 +99538,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_F806D5D9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5259495788f730a2a3bad7478c1873c8a6296506a778f18bc68e39ce48b979da"
- logic_hash = "v1_sha256_86336f662e3abcf2fe7635155782c549fc9eef514356bf78bfbc3b65192e2d90"
+ logic_hash = "86336f662e3abcf2fe7635155782c549fc9eef514356bf78bfbc3b65192e2d90"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -99567,7 +99567,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_0Fa3A6E9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "40a15a186373a062bfb476b37a73c61e1ba84e5fa57282a7f9ec0481860f372a"
- logic_hash = "v1_sha256_970062e909ffe5356b750605f2c44a6e893949bc5bc71be3ea98b16e51629d4d"
+ logic_hash = "970062e909ffe5356b750605f2c44a6e893949bc5bc71be3ea98b16e51629d4d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99596,7 +99596,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_36A98405 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a57de6cd3468f55b4bfded5f1eed610fdb2cbffbb584660ae000c20663d5b304"
- logic_hash = "v1_sha256_a32d324d1865a7796faefbc2f209e6043008a696929fe7837afbbc770e6f4c74"
+ logic_hash = "a32d324d1865a7796faefbc2f209e6043008a696929fe7837afbbc770e6f4c74"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99625,7 +99625,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_0C6686B8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "409c55110d392aed1a9ec98a6598fb8da86ab415534c8754aa48e3949e7c4b62"
- logic_hash = "v1_sha256_731bb3f9957e8777040c0b7b316a818f4ee1ca9a113fb9eed24ee61bfc71e11d"
+ logic_hash = "731bb3f9957e8777040c0b7b316a818f4ee1ca9a113fb9eed24ee61bfc71e11d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99654,7 +99654,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_9Ce5B69F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ad63fbd15b7de4da0db1b38609b7481253c100e3028c19831a5d5c1926351829"
- logic_hash = "v1_sha256_b9756eb99e59ba3a9a616b391bcf26bda26a6ac0de115460f9ba52129f590764"
+ logic_hash = "b9756eb99e59ba3a9a616b391bcf26bda26a6ac0de115460f9ba52129f590764"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99683,7 +99683,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_55A80Ab6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L161-L179"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5259495788f730a2a3bad7478c1873c8a6296506a778f18bc68e39ce48b979da"
- logic_hash = "v1_sha256_1fc29f98e9ea2a5b67d0a88f37813a5e62b5f1d2a26aee74f90e9ead445dc713"
+ logic_hash = "1fc29f98e9ea2a5b67d0a88f37813a5e62b5f1d2a26aee74f90e9ead445dc713"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -99712,7 +99712,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_E98B83Ee : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L181-L199"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cf1ca1d824c8687e87a5b0275a0e39fa101442b4bbf470859ddda9982f9b3417"
- logic_hash = "v1_sha256_8b16c0fee991ee2143a20998097066a90b1f20060bac7b42e5c3188adcdc7907"
+ logic_hash = "8b16c0fee991ee2143a20998097066a90b1f20060bac7b42e5c3188adcdc7907"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99741,7 +99741,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_8A11F9Be : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L201-L219"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1f773d0e00d40eecde9e3ab80438698923a2620036c2fc33315ef95229e98571"
- logic_hash = "v1_sha256_f80dcb3579a76da787e9bb2bfb02ef86e464aec1bea405f02642b8c8902c7663"
+ logic_hash = "f80dcb3579a76da787e9bb2bfb02ef86e464aec1bea405f02642b8c8902c7663"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -99770,7 +99770,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_2462067E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L221-L239"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3847f1c7c15ce771613079419de3d5e8adc07208e1fefa23f7dd416b532853a1"
- logic_hash = "v1_sha256_cf6c0703f9108f8193e0a9c18ba3d76263527a13fe44e194fa464d399512ae05"
+ logic_hash = "cf6c0703f9108f8193e0a9c18ba3d76263527a13fe44e194fa464d399512ae05"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99799,7 +99799,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_0A028640 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L241-L259"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e36081f0dbd6d523c9378cdd312e117642b0359b545b29a61d8f9027d8c0f2f0"
- logic_hash = "v1_sha256_663f110c7214498466759b66a83ff1844f5bf45ce706fa8ad0e8b205cc9c8f72"
+ logic_hash = "663f110c7214498466759b66a83ff1844f5bf45ce706fa8ad0e8b205cc9c8f72"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99828,7 +99828,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_6B3974B2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L281-L299"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2216776ba5c6495d86a13f6a3ce61b655b72a328ca05b3678d1abb7a20829d04"
- logic_hash = "v1_sha256_7c44a0abcd51a6b775fc379b592652ebb10faf16c039ca23b20984183340cada"
+ logic_hash = "7c44a0abcd51a6b775fc379b592652ebb10faf16c039ca23b20984183340cada"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99857,7 +99857,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_87Bcb848 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L301-L319"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "575b0dc887d132aa3983e5712b8f642b03762b0685fbd5a32c104bca72871857"
- logic_hash = "v1_sha256_60e8aa7e27ea0bec665075a373ce150c21af4cddfd511b7ec771293126f0006c"
+ logic_hash = "60e8aa7e27ea0bec665075a373ce150c21af4cddfd511b7ec771293126f0006c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99885,7 +99885,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_Ad60D7E8 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L321-L338"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_1253a8cd1a5230f1ec1f8c7ecd07f89f28acf5c2aa92395c6cb9e635c16a1e25"
+ logic_hash = "1253a8cd1a5230f1ec1f8c7ecd07f89f28acf5c2aa92395c6cb9e635c16a1e25"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -99914,7 +99914,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_22646C0D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L340-L358"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "20439a8fc21a94c194888725fbbb7a7fbeef5faf4b0f704559d89f1cd2e57d9d"
- logic_hash = "v1_sha256_548f531429132392f6d9bccff706b56ba87d8e44763116dedca5d0baa5097b92"
+ logic_hash = "548f531429132392f6d9bccff706b56ba87d8e44763116dedca5d0baa5097b92"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99943,7 +99943,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_019F0E75 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L360-L378"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "575b0dc887d132aa3983e5712b8f642b03762b0685fbd5a32c104bca72871857"
- logic_hash = "v1_sha256_7a63eb94266b04a31ba67165c512e2e060c3e344665aeed748a51943143b2219"
+ logic_hash = "7a63eb94266b04a31ba67165c512e2e060c3e344665aeed748a51943143b2219"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -99972,7 +99972,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_7C545Abf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L380-L398"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "95691c7ad1d80f7f1b5541e1d1a1dbeba30a26702a4080d256f14edb75851c5d"
- logic_hash = "v1_sha256_fa50ccc4c85417d18a84b7f117f853609c44b17c488a937cdc7495e2d32757f7"
+ logic_hash = "fa50ccc4c85417d18a84b7f117f853609c44b17c488a937cdc7495e2d32757f7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100001,7 +100001,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_32C0B950 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L400-L418"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "214c1caf20ceae579476d3bf97f489484df4c5f1c0c44d37ff9b9066072cd83c"
- logic_hash = "v1_sha256_db077e5916327ca78fcc9dc35f64e5c497dbbe60c4a0c1eb7abb49c555765681"
+ logic_hash = "db077e5916327ca78fcc9dc35f64e5c497dbbe60c4a0c1eb7abb49c555765681"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100030,7 +100030,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_Cbf50D9C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L420-L438"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b64d0cf4fc4149aa4f63900e61b6739e154d328ea1eb31f4c231016679fc4aa5"
- logic_hash = "v1_sha256_331a35fb3ecc54022b1d4d05bd64e7c5c6a7997b06dbea3a36c33ccc0a2f7086"
+ logic_hash = "331a35fb3ecc54022b1d4d05bd64e7c5c6a7997b06dbea3a36c33ccc0a2f7086"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100059,7 +100059,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_40C25A06 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L440-L458"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "61af6bb7be25465e7d469953763be5671f33c197d4b005e4a78227da11ae91e9"
- logic_hash = "v1_sha256_38976911ff9e56fae27fad8b9df01063ed703f43c8220b1fbcef7a3945b3f1ad"
+ logic_hash = "38976911ff9e56fae27fad8b9df01063ed703f43c8220b1fbcef7a3945b3f1ad"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100088,7 +100088,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_35806Adc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L460-L478"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "15e7942ebf88a51346d3a5975bb1c2d87996799e6255db9e92aed798d279b36b"
- logic_hash = "v1_sha256_6e9d3e5c0a33208d1b5f4f84f8634955e70bd63395b367cd1ece67798ce5e502"
+ logic_hash = "6e9d3e5c0a33208d1b5f4f84f8634955e70bd63395b367cd1ece67798ce5e502"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100117,7 +100117,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_D74D7F0C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L480-L498"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b0a8b2259c00d563aa387d7e1a1f1527405da19bf4741053f5822071699795e2"
- logic_hash = "v1_sha256_6f5313fc9e838bd06bd4e797ea7fb448073849dc714ecf18809f94900fa11ca2"
+ logic_hash = "6f5313fc9e838bd06bd4e797ea7fb448073849dc714ecf18809f94900fa11ca2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100146,7 +100146,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_71D31510 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L500-L518"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "33dd6c0af99455a0ca3908c0117e16a513b39fabbf9c52ba24c7b09226ad8626"
- logic_hash = "v1_sha256_18bfe9347faf1811686a61e0ee0de5cef842beb25fb06793947309135c41de89"
+ logic_hash = "18bfe9347faf1811686a61e0ee0de5cef842beb25fb06793947309135c41de89"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100175,7 +100175,7 @@ rule ELASTIC_Linux_Trojan_Tsunami_97288Af8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Tsunami.yar#L520-L538"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c39eb055c5f71ebfd6881ff04e876f49495c0be5560687586fc47bf5faee0c84"
- logic_hash = "v1_sha256_c5b521cc887236a189dca419476758cee0f1513a8ad81c94b1ff42e4fe232b8e"
+ logic_hash = "c5b521cc887236a189dca419476758cee0f1513a8ad81c94b1ff42e4fe232b8e"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -100204,7 +100204,7 @@ rule ELASTIC_Windows_Trojan_Dragonbreath_B27Bc56B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DragonBreath.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "45023fd0e694d66c284dfe17f78c624fd7e246a6c36860a0d892d232a30949be"
- logic_hash = "v1_sha256_b86d5541a7e03a698ad918cdbba987474c6680353b4d2de2f8422ecd0ebcac61"
+ logic_hash = "b86d5541a7e03a698ad918cdbba987474c6680353b4d2de2f8422ecd0ebcac61"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -100235,7 +100235,7 @@ rule ELASTIC_Multi_Hacktool_Supershell_F7486598 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Hacktool_SuperShell.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "18556a794f5d47f93d375e257fa94b9fb1088f3021cf79cc955eb4c1813a95da"
- logic_hash = "v1_sha256_8c2c3f13fad03ece29f7f3fd12e22807b61ecdc16dee00b6430b915631554cff"
+ logic_hash = "8c2c3f13fad03ece29f7f3fd12e22807b61ecdc16dee00b6430b915631554cff"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100267,7 +100267,7 @@ rule ELASTIC_Windows_Trojan_Naplistener_E8F16920 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_NapListener.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6e8c5bb2dfc90bca380c6f42af7458c8b8af40b7be95fab91e7c67b0dee664c4"
- logic_hash = "v1_sha256_6cb7b5051fab2b56f39b2805788b5b0838a095b41fcc623fe412b215736be5d4"
+ logic_hash = "6cb7b5051fab2b56f39b2805788b5b0838a095b41fcc623fe412b215736be5d4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100298,7 +100298,7 @@ rule ELASTIC_Windows_Trojan_Naplistener_414180A7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_NapListener.yar#L23-L46"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6e8c5bb2dfc90bca380c6f42af7458c8b8af40b7be95fab91e7c67b0dee664c4"
- logic_hash = "v1_sha256_52d3ddebdc1a8aa4bcb902273bd2d3b4f9b51f248d25e7ae1cc260a9550111f5"
+ logic_hash = "52d3ddebdc1a8aa4bcb902273bd2d3b4f9b51f248d25e7ae1cc260a9550111f5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100332,7 +100332,7 @@ rule ELASTIC_Windows_Trojan_Protects_9F6Eaa90 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_ProtectS.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0330e072b7003f55a3153ac3e0859369b9c3e22779b113284e95ce1e2ce2099"
- logic_hash = "v1_sha256_ddc8c97598b2d961dc51bdf2c7ab96abcec63824acd39b767bc175371844c1e5"
+ logic_hash = "ddc8c97598b2d961dc51bdf2c7ab96abcec63824acd39b767bc175371844c1e5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -100361,7 +100361,7 @@ rule ELASTIC_Linux_Trojan_Sqlexp_1Aa5001E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sqlexp.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "714a520fc69c54bcd422e75f4c3b71ce636cfae7fcec3c5c413d1294747d2dd6"
- logic_hash = "v1_sha256_48c7331c80aa7d918f46d282c6f38b8e780f9b5222cf9304bf1a8bb39cc129ab"
+ logic_hash = "48c7331c80aa7d918f46d282c6f38b8e780f9b5222cf9304bf1a8bb39cc129ab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100390,7 +100390,7 @@ rule ELASTIC_Linux_Ransomware_Akira_02237952 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Akira.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296"
- logic_hash = "v1_sha256_a9b3cdddb3387251d7da90f32b08b9c1eedcdff1fe90d51f4732183666a6d467"
+ logic_hash = "a9b3cdddb3387251d7da90f32b08b9c1eedcdff1fe90d51f4732183666a6d467"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100422,7 +100422,7 @@ rule ELASTIC_Linux_Ransomware_Akira_27440619 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Akira.yar#L24-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75"
- logic_hash = "v1_sha256_d2bb413b5919b3ed6239fbc714d025d2ddc321cb8a0b310aaae48b0869810be8"
+ logic_hash = "d2bb413b5919b3ed6239fbc714d025d2ddc321cb8a0b310aaae48b0869810be8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100451,7 +100451,7 @@ rule ELASTIC_Linux_Hacktool_Wipelog_Daea1Aa4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Wipelog.yar#L1-L29"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "39b3a95928326012c3b2f64e2663663adde4b028d940c7e804ac4d3953677ea6"
- logic_hash = "v1_sha256_e2483b7719f4a1e28ec3732120770066333d8db269c9c9711813a8eeb75176d6"
+ logic_hash = "e2483b7719f4a1e28ec3732120770066333d8db269c9c9711813a8eeb75176d6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100490,7 +100490,7 @@ rule ELASTIC_Linux_Exploit_Vmsplice_Cfa94001 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Vmsplice.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0a26e67692605253819c489cd4793a57e86089d50150124394c30a8801bf33e6"
- logic_hash = "v1_sha256_b5a86a79384997f977d353371ccaa8c736f5c24af40b85a24076d4c4fb79a237"
+ logic_hash = "b5a86a79384997f977d353371ccaa8c736f5c24af40b85a24076d4c4fb79a237"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100519,7 +100519,7 @@ rule ELASTIC_Linux_Exploit_Vmsplice_A000F267 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Vmsplice.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c85cc6768a28fb7de16f1cad8d3c69d8f0b4aa01e00c8e48759d27092747ca6f"
- logic_hash = "v1_sha256_2a8cb11bb21f2ce620a6fa1f0fb932bef60a479fac836058ec4e8c760b5d60f9"
+ logic_hash = "2a8cb11bb21f2ce620a6fa1f0fb932bef60a479fac836058ec4e8c760b5d60f9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100548,7 +100548,7 @@ rule ELASTIC_Linux_Exploit_Vmsplice_8B9E4F9F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Vmsplice.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0230c81ba747e588cd9b6113df6e1867dcabf9d8ada0c1921d1bffa9c1b9c75d"
- logic_hash = "v1_sha256_6979a900a2532a8da36711f3ffe13f71ec4efa7771aa2feec9391bd031aaa023"
+ logic_hash = "6979a900a2532a8da36711f3ffe13f71ec4efa7771aa2feec9391bd031aaa023"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100577,7 +100577,7 @@ rule ELASTIC_Linux_Exploit_Vmsplice_055F88B8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Vmsplice.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "607c8c5edc8cbbd79a40ce4a0eccf46e01447985d9415d1eff6a91bf64074507"
- logic_hash = "v1_sha256_29e59bb372f0b37b507c72e5b5bcb27ba0fa2aaac71ea77f0cab85af31708c8a"
+ logic_hash = "29e59bb372f0b37b507c72e5b5bcb27ba0fa2aaac71ea77f0cab85af31708c8a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100605,7 +100605,7 @@ rule ELASTIC_Linux_Exploit_Vmsplice_431E689D : FILE MEMORY
 reference = "1cbb09223f16af4cd13545d72dbeeb996900535b1e279e4bcf447670728de1e1"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Vmsplice.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_5b9a7ffcd6fc6893a8224fd2b9ca59f4cff6086669a73190114db510a1ad9ff2"
+ logic_hash = "5b9a7ffcd6fc6893a8224fd2b9ca59f4cff6086669a73190114db510a1ad9ff2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100634,7 +100634,7 @@ rule ELASTIC_Multi_Trojan_Sparkrat_9A21E541 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_SparkRat.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "23efecc03506a9428175546a4b7d40c8a943c252110e83dec132c6a5db8c4dd6"
- logic_hash = "v1_sha256_903c5c65436bea8dd044fd5f1f6dda3d1e90ab25802d508f67ba0f7fd06e92d4"
+ logic_hash = "903c5c65436bea8dd044fd5f1f6dda3d1e90ab25802d508f67ba0f7fd06e92d4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100665,7 +100665,7 @@ rule ELASTIC_Linux_Trojan_Rbot_C69475E3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rbot.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9d97c69b65d2900c39ca012fe0486e6a6abceebb890cbb6d2e091bb90f6b9690"
- logic_hash = "v1_sha256_2a8629ebf6e2082ce90f1b2130ae596e4e515f3289a25899f2fc57b99c01a654"
+ logic_hash = "2a8629ebf6e2082ce90f1b2130ae596e4e515f3289a25899f2fc57b99c01a654"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100694,7 +100694,7 @@ rule ELASTIC_Linux_Trojan_Rbot_96625C8C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rbot.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a052cfad3034d851c6fad62cc8f9c65bceedc73f3e6a37c9befe52720fd0890e"
- logic_hash = "v1_sha256_5a9671e10e7b9b58ecf9fab231de18b4b6039c9d351b145fae1705297acda95e"
+ logic_hash = "5a9671e10e7b9b58ecf9fab231de18b4b6039c9d351b145fae1705297acda95e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100723,7 +100723,7 @@ rule ELASTIC_Linux_Trojan_Rbot_366F1599 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rbot.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5553d154a0e02e7f97415299eeae78e5bb0ecfbf5454e3933d6fd9675d78b3eb"
- logic_hash = "v1_sha256_3efe0f35efd855b415149513e8abb2210a26ef6f3b6c31275c8147fabb634fab"
+ logic_hash = "3efe0f35efd855b415149513e8abb2210a26ef6f3b6c31275c8147fabb634fab"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100752,7 +100752,7 @@ rule ELASTIC_Linux_Exploit_Ramen_01B205Eb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Ramen.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0b6303300f38013840abe17abe192db6a99ace78c83bc7ef705f5c568bc98fd"
- logic_hash = "v1_sha256_e477e93434db9e650f159995f2cb754394f3187dc341d2ea4c2466924e19a8a6"
+ logic_hash = "e477e93434db9e650f159995f2cb754394f3187dc341d2ea4c2466924e19a8a6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100781,7 +100781,7 @@ rule ELASTIC_Linux_Rootkit_Adore_Fe3Fd09F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Adore.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f4e532b840e279daf3d206e9214a1b065f97deb7c1487a34ac5cbd7cbbf33e1a"
- logic_hash = "v1_sha256_cc07efb9484562cd870649a38126f08aa4e99ed5ad4662ece0488d9ffd97520e"
+ logic_hash = "cc07efb9484562cd870649a38126f08aa4e99ed5ad4662ece0488d9ffd97520e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100810,7 +100810,7 @@ rule ELASTIC_Windows_Hacktool_Leigod_89397Ebf : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_LeiGod.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3"
- logic_hash = "v1_sha256_e887c34c624a182a3c57a55abe02784c4350d3956bcfd9f7918f08a464819e63"
+ logic_hash = "e887c34c624a182a3c57a55abe02784c4350d3956bcfd9f7918f08a464819e63"
 score = 75
 quality = 75
 tags = "FILE"
@@ -100839,7 +100839,7 @@ rule ELASTIC_Windows_Hacktool_Leigod_3F5C98C4 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_LeiGod.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5"
- logic_hash = "v1_sha256_7570bf1a69df6b493bde41c1de27969e36a3fcb59be574ee2e24e3a61347a146"
+ logic_hash = "7570bf1a69df6b493bde41c1de27969e36a3fcb59be574ee2e24e3a61347a146"
 score = 75
 quality = 75
 tags = "FILE"
@@ -100868,7 +100868,7 @@ rule ELASTIC_Windows_Trojan_Buerloader_C8A60F46 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Buerloader.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac"
- logic_hash = "v1_sha256_d11b117efc10547e77ce8979f8a1d42f34937101e58a0e36228baa37cd30d2aa"
+ logic_hash = "d11b117efc10547e77ce8979f8a1d42f34937101e58a0e36228baa37cd30d2aa"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -100902,7 +100902,7 @@ rule ELASTIC_Linux_Trojan_Backconnect_C6803B39 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Backconnect.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a5e6b084cdabe9a4557b5ff8b2313db6c3bb4ba424d107474024030115eeaa0f"
- logic_hash = "v1_sha256_02750b2788c2912bba0fc8594f6a12c75ce1f41d1075acf7c920f6e616ab65c7"
+ logic_hash = "02750b2788c2912bba0fc8594f6a12c75ce1f41d1075acf7c920f6e616ab65c7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100931,7 +100931,7 @@ rule ELASTIC_Windows_Exploit_Ioring_1E4A8F47 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_IoRing.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ba2bd270bf3f312dfa3f77f0716edb634c90506c87f82c04aee09445d18738eb"
- logic_hash = "v1_sha256_cbbea9a60bde13356ce88cd96aacaa02a3c99f4ae0b48c4ba84b72528a3d6b91"
+ logic_hash = "cbbea9a60bde13356ce88cd96aacaa02a3c99f4ae0b48c4ba84b72528a3d6b91"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100963,7 +100963,7 @@ rule ELASTIC_Macos_Cryptominer_Xmrig_241780A1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Cryptominer_Xmrig.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f"
- logic_hash = "v1_sha256_9e091f6881a96abdc6592db385eb9026806befdda6bda4489470b4e16e1d4d87"
+ logic_hash = "9e091f6881a96abdc6592db385eb9026806befdda6bda4489470b4e16e1d4d87"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -100995,7 +100995,7 @@ rule ELASTIC_Windows_Trojan_Fabookie_024F8759 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Fabookie.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6c6345c6f0a5beadc4616170c87ec8a577de185d53345581e1b00e72af24c13e"
- logic_hash = "v1_sha256_9477406b718c6489161cf4636be66c4f72df923b9c5a7ee4069ef6a9552de485"
+ logic_hash = "9477406b718c6489161cf4636be66c4f72df923b9c5a7ee4069ef6a9552de485"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101025,7 +101025,7 @@ rule ELASTIC_Windows_Trojan_Legionloader_F91120C6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_LegionLoader.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "45670ffa9b24542ae84e3c9eb5ce609c2bcd29129215a7f37eb74b6211e32b22"
- logic_hash = "v1_sha256_760402587a9ca3d3e6602fe57d3346ea6f60ba5c8d3a902bf493233baab597b0"
+ logic_hash = "760402587a9ca3d3e6602fe57d3346ea6f60ba5c8d3a902bf493233baab597b0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101054,7 +101054,7 @@ rule ELASTIC_Macos_Hacktool_Swiftbelt_Bc62Ede6 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Hacktool_Swiftbelt.yar#L1-L44"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "452c832a17436f61ad5f32ee1c97db05575160105ed1dcd0d3c6db9fb5a9aea1"
- logic_hash = "v1_sha256_51481baa6ddb09cf8463d989637319cb26b23fef625cc1a44c96d438c77362ca"
+ logic_hash = "51481baa6ddb09cf8463d989637319cb26b23fef625cc1a44c96d438c77362ca"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -101107,7 +101107,7 @@ rule ELASTIC_Linux_Backdoor_Generic_Babf9101 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Backdoor_Generic.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9ea73d2c2a5f480ae343846e2b6dd791937577cb2b3d8358f5b6ede8f3696b86"
- logic_hash = "v1_sha256_40084f3bed66c1d4a1cd2ffca99fd6789c8ed2db04031e4d4a4926b41d622355"
+ logic_hash = "40084f3bed66c1d4a1cd2ffca99fd6789c8ed2db04031e4d4a4926b41d622355"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101136,7 +101136,7 @@ rule ELASTIC_Linux_Backdoor_Generic_5776Ae49 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Backdoor_Generic.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e247a5decb5184fd5dee0d209018e402c053f4a950dae23be59b71c082eb910c"
- logic_hash = "v1_sha256_b606f12c47182d80e07f8715639c3cc73753274bd8833cb9f6380879356a2b12"
+ logic_hash = "b606f12c47182d80e07f8715639c3cc73753274bd8833cb9f6380879356a2b12"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101165,7 +101165,7 @@ rule ELASTIC_Windows_Exploit_Eternalblue_Ead33Bf8 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_Eternalblue.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a1340e418c80be58fb6bbb48d4e363de8c6d62ea59730817d5eda6ba17b2c7a7"
- logic_hash = "v1_sha256_4d0ab8bd7ef5b20e656110ac3c78b08803539387cb4fe1425a284d39c42aa199"
+ logic_hash = "4d0ab8bd7ef5b20e656110ac3c78b08803539387cb4fe1425a284d39c42aa199"
 score = 75
 quality = 75
 tags = "FILE"
@@ -101194,7 +101194,7 @@ rule ELASTIC_Macos_Trojan_Aobokeylogger_Bd960F34 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Aobokeylogger.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2b50146c20621741642d039f1e3218ff68e5dbfde8bb9edaa0a560ca890f0970"
- logic_hash = "v1_sha256_f89fbf1d6bf041de0ce32f7920818c34ce0eeb6779bb7fac6f223bbea1c6f6fa"
+ logic_hash = "f89fbf1d6bf041de0ce32f7920818c34ce0eeb6779bb7fac6f223bbea1c6f6fa"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -101222,7 +101222,7 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_83F05Fbe : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Sodinokibi.yar#L1-L34"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c88fc2690deae3700e605b2affb5ecac3d1ffc92435f33209f31897d28715b8c"
+ logic_hash = "c88fc2690deae3700e605b2affb5ecac3d1ffc92435f33209f31897d28715b8c"
 score = 75
 quality = 73
 tags = "BETA, FILE, MEMORY"
@@ -101264,7 +101264,7 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_182B2Cea : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Sodinokibi.yar#L36-L62"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_1c23effe5f8b35c5e03ebd5e57664c8937259d464f92dda0a9df344b982e8f8c"
+ logic_hash = "1c23effe5f8b35c5e03ebd5e57664c8937259d464f92dda0a9df344b982e8f8c"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -101299,7 +101299,7 @@ rule ELASTIC_Windows_Ransomware_Sodinokibi_A282Ba44 : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Sodinokibi.yar#L64-L91"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_3a583069c9ab851a90f3a61c9c4fa67f8b918b8d168fcf7f25b2a3ae3465c596"
+ logic_hash = "3a583069c9ab851a90f3a61c9c4fa67f8b918b8d168fcf7f25b2a3ae3465c596"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -101336,7 +101336,7 @@ rule ELASTIC_Windows_Cryptominer_Generic_Dd1E4D1A : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Cryptominer_Generic.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7ac1d7b6107307fb2442522604c8fa56010d931392d606ac74dcea6b7125954b"
- logic_hash = "v1_sha256_b7289c4688ec67d59e67755461f1f4e0c3f47ef9f8c73fc1dcc1d168baf11623"
+ logic_hash = "b7289c4688ec67d59e67755461f1f4e0c3f47ef9f8c73fc1dcc1d168baf11623"
 score = 75
 quality = 75
 tags = "FILE"
@@ -101365,7 +101365,7 @@ rule ELASTIC_Windows_Cryptominer_Generic_F53Cfb9B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Cryptominer_Generic.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a9870a03ddc6543a5a12d50f95934ff49f26b60921096b2c8f2193cb411ed408"
- logic_hash = "v1_sha256_b2453862747e251afc34c57e887889b8d3a65a9cc876d4a95ff5ecfcc24e4bd3"
+ logic_hash = "b2453862747e251afc34c57e887889b8d3a65a9cc876d4a95ff5ecfcc24e4bd3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101394,7 +101394,7 @@ rule ELASTIC_Windows_Hacktool_EDRWFP_F6D7Db7A : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_EDRWFP.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a1fc2f3ded852f75e36e70ae39087e21ae5b6af10e2038d04e61bd500ba511e2"
- logic_hash = "v1_sha256_45d427e4f52346b4a18c154bb0afb636c18951fd9c7323846bf2eb7e47928ef6"
+ logic_hash = "45d427e4f52346b4a18c154bb0afb636c18951fd9c7323846bf2eb7e47928ef6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -101426,7 +101426,7 @@ rule ELASTIC_Macos_Trojan_Getshell_F339D74C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Getshell.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b2199c15500728a522c04320aee000938f7eb69d751a55d7e51a2806d8cd0fe7"
- logic_hash = "v1_sha256_77a409f1a0ab5f87a77a6b2ffa2d4ff7bd6d86c0f685c524e2083585bb3fb764"
+ logic_hash = "77a409f1a0ab5f87a77a6b2ffa2d4ff7bd6d86c0f685c524e2083585bb3fb764"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101455,7 +101455,7 @@ rule ELASTIC_Windows_Trojan_Carberp_D6De82Ae : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Carberp.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f98fadb6feab71930bd5c08e85153898d686cc96c84fe349c00bf6d482de9b53"
- logic_hash = "v1_sha256_085020755c77b299b2bfd18b34af6c68450c29de67b8ae32ddf2b26299b923ae"
+ logic_hash = "085020755c77b299b2bfd18b34af6c68450c29de67b8ae32ddf2b26299b923ae"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -101486,7 +101486,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_03C81Bd9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3fc701a2caab0297112501f55eaeb05264c5e4099c411dcadc7095627e19837a"
- logic_hash = "v1_sha256_dc2dfa128f509221cae8bae9864190e8316bb7a5ae081da1076081b5f4fdc870"
+ logic_hash = "dc2dfa128f509221cae8bae9864190e8316bb7a5ae081da1076081b5f4fdc870"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101515,7 +101515,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_757637D9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0762fa4e0d74e3c21b2afc8e4c28e2292d1c3de3683c46b5b77f0f9fe1faeec7"
- logic_hash = "v1_sha256_b1f1784aae5958740d03ca50d0b9731e8db7d86d918d16e82cf6fc1e1bf663a9"
+ logic_hash = "b1f1784aae5958740d03ca50d0b9731e8db7d86d918d16e82cf6fc1e1bf663a9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101544,7 +101544,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_78543893 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ff5b02d2b4dfa9c3d53e7218533f3c57e82315be8f62aa17e26eda55a3b53479"
- logic_hash = "v1_sha256_4bb6a6e063fd00569b04f4514ec1731357aa8e8ce4cfee354fdd86773a4358da"
+ logic_hash = "4bb6a6e063fd00569b04f4514ec1731357aa8e8ce4cfee354fdd86773a4358da"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101573,7 +101573,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_4F8D83D2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d78128eca706557eeab8a454cf875362a097459347ddc32118f71bd6c73d5bbd"
- logic_hash = "v1_sha256_6fee488d97fe1d4be558b6886c603010c6d1423a750783b38a65d2fb3eeb76f4"
+ logic_hash = "6fee488d97fe1d4be558b6886c603010c6d1423a750783b38a65d2fb3eeb76f4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101602,7 +101602,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_F4Afd230 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "805e900ffc9edb9f550dcbc938a3b06d28e9e7d3fb604ff68a311a0accbcd2b1"
- logic_hash = "v1_sha256_9aba4ebbf946f07071bfb94fa50c6981ae8c659aca9ee6e05c7ef214432d7466"
+ logic_hash = "9aba4ebbf946f07071bfb94fa50c6981ae8c659aca9ee6e05c7ef214432d7466"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101631,7 +101631,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_Bb384Bc9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ecc6635117b99419255af5d292a7af3887b06d5f3b0f59d158281eebfe606445"
- logic_hash = "v1_sha256_1e9faba4f245d8b0d6944430286a5fc3e11cd7e036a4151b29fc2c5f037894fb"
+ logic_hash = "1e9faba4f245d8b0d6944430286a5fc3e11cd7e036a4151b29fc2c5f037894fb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101660,7 +101660,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_B293F6Ec : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d1fa8520d3c3811d29c3d5702e7e0e7296b3faef0553835c495223a2bc015214"
- logic_hash = "v1_sha256_0e310082714f5283f9b4ccde5a8e17994e3bc4acf3d744b22734c136dde7cebb"
+ logic_hash = "0e310082714f5283f9b4ccde5a8e17994e3bc4acf3d744b22734c136dde7cebb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101689,7 +101689,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_C5983669 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d08be92a484991afae3567256b6cec60a53400e0e9b6f6b4d5c416a22ccca1cf"
- logic_hash = "v1_sha256_ff673070969f1ededf8ff2c7cadfc251c7d2e52da58906b15cfc04593a755d55"
+ logic_hash = "ff673070969f1ededf8ff2c7cadfc251c7d2e52da58906b15cfc04593a755d55"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101718,7 +101718,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_Fbff22Da : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L161-L179"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0762fa4e0d74e3c21b2afc8e4c28e2292d1c3de3683c46b5b77f0f9fe1faeec7"
- logic_hash = "v1_sha256_d3e3037593f5714dfb49c6e19631fd46331e2702c8bf6d6099bb5b34158321a9"
+ logic_hash = "d3e3037593f5714dfb49c6e19631fd46331e2702c8bf6d6099bb5b34158321a9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101747,7 +101747,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_E2D5Fad8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L181-L199"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7e54e57db3de32555c15e529c04b35f52d75af630e45b5f8d6c21149866b6929"
- logic_hash = "v1_sha256_b294ce1c4d928d73342bb6260456d850f9c59f3c48c7c4ffbce32ea9238f6eee"
+ logic_hash = "b294ce1c4d928d73342bb6260456d850f9c59f3c48c7c4ffbce32ea9238f6eee"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101776,7 +101776,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_F2F8Eb6B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L201-L219"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01721b9c024ca943f42c402a57f45bd4c77203a604c5c2cd26e5670df76a95b2"
- logic_hash = "v1_sha256_b6555e69b663591550976fd44352ecbdf0a0aef1e07a64396a576125a4fe4ba6"
+ logic_hash = "b6555e69b663591550976fd44352ecbdf0a0aef1e07a64396a576125a4fe4ba6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101805,7 +101805,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_89671B03 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L241-L259"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "001098473574cfac1edaca9f1180ab2005569e094be63186c45b48c18f880cf8"
- logic_hash = "v1_sha256_dfa7027c4fa0cbde33df87063fea4ecf51a085f3cc1805123c62747882d0a07e"
+ logic_hash = "dfa7027c4fa0cbde33df87063fea4ecf51a085f3cc1805123c62747882d0a07e"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -101834,7 +101834,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_Dbc73Db0 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L261-L279"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9fe78e4dd7975856a74d8dfd83e69793a769143e0fe6994cbc3ef28ea37d6cf8"
- logic_hash = "v1_sha256_4a7453342fd72dacb781919d3fac3bab02e7ef7c882d5938a2e0e1274c704705"
+ logic_hash = "4a7453342fd72dacb781919d3fac3bab02e7ef7c882d5938a2e0e1274c704705"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -101863,7 +101863,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_Ec339160 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L281-L299"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0002b469972f5c77a29e2a2719186059a3e96a6f4b1ef2d18a68fee3205ea0ba"
- logic_hash = "v1_sha256_9c1d1254093b172798024c42a6d78f5e6720d20b8c2a8ad4ca26c8e88e42f0e8"
+ logic_hash = "9c1d1254093b172798024c42a6d78f5e6720d20b8c2a8ad4ca26c8e88e42f0e8"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -101892,7 +101892,7 @@ rule ELASTIC_Linux_Exploit_Lotoor_7Cd57E18 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Lotoor.yar#L301-L319"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1eecf16dae302ae788d1bc81278139cd9f6af52d7bed48b8677b35ba5eb14e30"
- logic_hash = "v1_sha256_97604cdc9daa9993b9a18dc5df7ab105a5e6001129bcfcfeeb86640bee26f59d"
+ logic_hash = "97604cdc9daa9993b9a18dc5df7ab105a5e6001129bcfcfeeb86640bee26f59d"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -101921,7 +101921,7 @@ rule ELASTIC_Windows_Trojan_Danabot_6F3Dadb2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Danabot.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "716e5a3d29ff525aed30c18061daff4b496f3f828ba2ac763efd857062a42e96"
- logic_hash = "v1_sha256_b9c895be9eab775726abd2c13256d598c5b79bceb2d652c30b1df4cfc37e4b93"
+ logic_hash = "b9c895be9eab775726abd2c13256d598c5b79bceb2d652c30b1df4cfc37e4b93"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -101957,7 +101957,7 @@ rule ELASTIC_Linux_Rootkit_Kovid_B77Dc7F4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Kovid.yar#L1-L47"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "933273ff95a57dfe0162175dc6143395e23c69e36d8ca366481b795deaab4fd0"
- logic_hash = "v1_sha256_090c92e108f78a6d7ba9d0ed796c32226f253b81cf0ad8a138736d073761856c"
+ logic_hash = "090c92e108f78a6d7ba9d0ed796c32226f253b81cf0ad8a138736d073761856c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -102014,7 +102014,7 @@ rule ELASTIC_Windows_Ransomware_Generic_99F5A632 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Generic.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"
- logic_hash = "v1_sha256_2284cfc91d17816f1733e8fe319af52bc66af467364d27f84e213082c216ae8b"
+ logic_hash = "2284cfc91d17816f1733e8fe319af52bc66af467364d27f84e213082c216ae8b"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -102046,7 +102046,7 @@ rule ELASTIC_Windows_Vulndriver_Sandra_5D112Feb : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Sandra.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3a364a7a3f6c0f2f925a060e84fb18b16c118125165b5ea6c94363221dc1b6de"
- logic_hash = "v1_sha256_d234a1e74234400f51c2aa7a9fb1549be1bc422bdf585db7d2ec9ad1ec75e490"
+ logic_hash = "d234a1e74234400f51c2aa7a9fb1549be1bc422bdf585db7d2ec9ad1ec75e490"
 score = 75
 quality = 75
 tags = "FILE"
@@ -102076,7 +102076,7 @@ rule ELASTIC_Windows_Vulndriver_Sandra_612A7A16 : FILE
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Sandra.yar#L23-L42"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8fda0e1775d903b73836d4103f6e8b0e2f052026b3acdb07bd345b9ddb3c873a"
+ logic_hash = "8fda0e1775d903b73836d4103f6e8b0e2f052026b3acdb07bd345b9ddb3c873a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -102107,7 +102107,7 @@ rule ELASTIC_Windows_Trojan_Agenttesla_D3Ac2B2F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_AgentTesla.yar#L1-L58"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4"
- logic_hash = "v1_sha256_9c13a99107593d476de1522ced10aa43d34535b844e8c3ae871b22358137c926"
+ logic_hash = "9c13a99107593d476de1522ced10aa43d34535b844e8c3ae871b22358137c926"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -102174,7 +102174,7 @@ rule ELASTIC_Windows_Trojan_Agenttesla_E577E17E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_AgentTesla.yar#L60-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6"
- logic_hash = "v1_sha256_84c5f1096735cee0f0f4ad41a81286c0a60dc17c276f23568b855271d996c8a2"
+ logic_hash = "84c5f1096735cee0f0f4ad41a81286c0a60dc17c276f23568b855271d996c8a2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102203,7 +102203,7 @@ rule ELASTIC_Windows_Trojan_Agenttesla_F2A90D14 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_AgentTesla.yar#L81-L100"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6"
- logic_hash = "v1_sha256_3f39b773f2b1524b05d3c1d9aa1fb54594ec9003d2e9da342b6d17ba885f5a03"
+ logic_hash = "3f39b773f2b1524b05d3c1d9aa1fb54594ec9003d2e9da342b6d17ba885f5a03"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102232,7 +102232,7 @@ rule ELASTIC_Windows_Trojan_Agenttesla_A2D69E48 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_AgentTesla.yar#L102-L122"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "edef51e59d10993155104d90fcd80175daa5ade63fec260e3272f17b237a6f44"
- logic_hash = "v1_sha256_1f90be86b7afa7f518a3dcec55028bfc915cf6d4fed1350a56e351946cc55f41"
+ logic_hash = "1f90be86b7afa7f518a3dcec55028bfc915cf6d4fed1350a56e351946cc55f41"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102262,7 +102262,7 @@ rule ELASTIC_Windows_Trojan_Agenttesla_Ebf431A8 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_AgentTesla.yar#L124-L148"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0cb3051a80a0515ce715b71fdf64abebfb8c71b9814903cb9abcf16c0403f62b"
- logic_hash = "v1_sha256_b02d6e2d68b336aaa37336e0c0c3ffa6c7a126bfcdb6cb6ad5a3432004c6030c"
+ logic_hash = "b02d6e2d68b336aaa37336e0c0c3ffa6c7a126bfcdb6cb6ad5a3432004c6030c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102295,7 +102295,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_Aa5Eefed : BETA FILE MEMORY
 reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Dharma.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_bbafc2eac17562f315b09fa42eb601d0140152917d7962429df3a378abe67732"
+ logic_hash = "bbafc2eac17562f315b09fa42eb601d0140152917d7962429df3a378abe67732"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -102325,7 +102325,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_B31Cac3F : BETA FILE MEMORY
 reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Dharma.yar#L23-L44"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_30500e35721e9db3d63cafa5ca10818557fa9f4e0bda9c0d02283183508cf7b5"
+ logic_hash = "30500e35721e9db3d63cafa5ca10818557fa9f4e0bda9c0d02283183508cf7b5"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -102356,7 +102356,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_E9319E4A : BETA FILE MEMORY
 reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Dharma.yar#L46-L65"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_182ed508d645a0b1fab80fb6f975a05d33b64c43005bd3656df6470934cd71f4"
+ logic_hash = "182ed508d645a0b1fab80fb6f975a05d33b64c43005bd3656df6470934cd71f4"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -102385,7 +102385,7 @@ rule ELASTIC_Windows_Ransomware_Dharma_942142E3 : BETA FILE MEMORY
 reference = "https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Dharma.yar#L67-L86"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_af5068ef3442964e4d1c5e27090fb84eaf762ff23463b7a0c2902e523ae601c1"
+ logic_hash = "af5068ef3442964e4d1c5e27090fb84eaf762ff23463b7a0c2902e523ae601c1"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -102415,7 +102415,7 @@ rule ELASTIC_Linux_Exploit_CVE_2017_16995_0C81A317 : FILE MEMORY CVE_2017_16995
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "48d927b4b18a03dfbce54bb5f4518869773737e449301ba2477eb797afbb9972"
- logic_hash = "v1_sha256_cdd6b309a1e802f1251d726b0ea74e3d11fdd10d1d0bfa4c6f3d802f819368ec"
+ logic_hash = "cdd6b309a1e802f1251d726b0ea74e3d11fdd10d1d0bfa4c6f3d802f819368ec"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2017-16995"
@@ -102444,7 +102444,7 @@ rule ELASTIC_Linux_Exploit_CVE_2017_16995_82816Caa : FILE MEMORY CVE_2017_16995
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "14e6b788db0db57067d9885ab5ff3d3a5749639549d82abd98fa4fcf27000f34"
- logic_hash = "v1_sha256_3ae00290073d41ff5dba2f677510bf9a9c0ebaed221901eb8b1a8dda08157a46"
+ logic_hash = "3ae00290073d41ff5dba2f677510bf9a9c0ebaed221901eb8b1a8dda08157a46"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2017-16995"
@@ -102473,7 +102473,7 @@ rule ELASTIC_Linux_Exploit_CVE_2017_16995_5Edb0181 : FILE MEMORY CVE_2017_16995
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2017_16995.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e4df84e1dffbad217d07222314a7e13fd74771a9111d07adc467a89d8ba81127"
- logic_hash = "v1_sha256_f6eb19329db765938b48021039baaf1b5aeb3240c405ba20ed81863a0fb4b583"
+ logic_hash = "f6eb19329db765938b48021039baaf1b5aeb3240c405ba20ed81863a0fb4b583"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2017-16995"
@@ -102502,7 +102502,7 @@ rule ELASTIC_Macos_Backdoor_Kagent_64Ca1865 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Backdoor_Kagent.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d599d7814adbab0f1442f5a10074e00f3a776ce183ea924abcd6154f0d068bb4"
- logic_hash = "v1_sha256_dea0a1bbe8c3065b395de50b5ffc2fbdf479ed35ce284fa33298d6ed55e960c6"
+ logic_hash = "dea0a1bbe8c3065b395de50b5ffc2fbdf479ed35ce284fa33298d6ed55e960c6"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -102537,7 +102537,7 @@ rule ELASTIC_Windows_Wiper_Isaacwiper_239Cd2Dc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Wiper_IsaacWiper.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
- logic_hash = "v1_sha256_102ffe215b1e1c39e1225cb39dfeb10a20a08c5b10f836490fc1501c6eb9e930"
+ logic_hash = "102ffe215b1e1c39e1225cb39dfeb10a20a08c5b10f836490fc1501c6eb9e930"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102571,7 +102571,7 @@ rule ELASTIC_Windows_Trojan_Sliver_46525B49 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Sliver.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ecce5071c28940a1098aca3124b3f82e0630c4453f4f32e1b91576aac357ac9c"
- logic_hash = "v1_sha256_6e61d82b191a740882bcfeac2f2cf337e19ace7b05784ff041b6af2f79ed8809"
+ logic_hash = "6e61d82b191a740882bcfeac2f2cf337e19ace7b05784ff041b6af2f79ed8809"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102601,7 +102601,7 @@ rule ELASTIC_Windows_Trojan_Sliver_C9Cae357 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Sliver.yar#L22-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "27210d8d6e16c492c2ee61a59d39c461312f5563221ad4a0917d4e93b699418e"
- logic_hash = "v1_sha256_fea862352981787055961b1171de9b69a9c13d246f434809c8f4416d5c49a0ff"
+ logic_hash = "fea862352981787055961b1171de9b69a9c13d246f434809c8f4416d5c49a0ff"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102630,7 +102630,7 @@ rule ELASTIC_Windows_Trojan_Sliver_1Dd6D9C2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Sliver.yar#L42-L61"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dc508a3e9ea093200acfc1ceebebb2b56686f4764fd8c94ab8c58eec7ee85c8b"
- logic_hash = "v1_sha256_5ef70322a6ee3dec609d2881b7624d25bc0297a2e6f43ac60834745e6a258cf3"
+ logic_hash = "5ef70322a6ee3dec609d2881b7624d25bc0297a2e6f43ac60834745e6a258cf3"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -102660,7 +102660,7 @@ rule ELASTIC_Linux_Rootkit_Suterusu_94667Bf2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Suterusu.yar#L1-L60"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "753fd579a684e09a70ae0fd147441c45d24a5acae94a78a92e393058c3b69506"
- logic_hash = "v1_sha256_a02e2d05bc3bee902829087e21dcc7ed19320336c7d66d3938b0b9fd4c298bcb"
+ logic_hash = "a02e2d05bc3bee902829087e21dcc7ed19320336c7d66d3938b0b9fd4c298bcb"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -102730,7 +102730,7 @@ rule ELASTIC_Windows_Infostealer_Generic_Acde9261 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Infostealer_Generic.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b46239c47a835757bba49078728f693b7273b0e3755e2968deac4aa92e90364d"
- logic_hash = "v1_sha256_86897117295bdcf79fad9f2ad939fabe89e3770309122ba142c7a26c926148c5"
+ logic_hash = "86897117295bdcf79fad9f2ad939fabe89e3770309122ba142c7a26c926148c5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102763,7 +102763,7 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_C42Fd06D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Uwamson.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8cfc38db2b860efcce5da40ce1e3992f467ab0b7491639d68d530b79529cda80"
- logic_hash = "v1_sha256_4ff7aad11adaae8fccb23d36fc96937ba48a5517895a742f2864ba1973f3db3a"
+ logic_hash = "4ff7aad11adaae8fccb23d36fc96937ba48a5517895a742f2864ba1973f3db3a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102792,7 +102792,7 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_D08B1D2E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Uwamson.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4f7ad24b53b8e255710e4080d55f797564aa8c270bf100129bdbe52a29906b78"
- logic_hash = "v1_sha256_8f489bb020397beae91f7bce82bc1b47912deab1b79224158f79c53f1d7c7fd3"
+ logic_hash = "8f489bb020397beae91f7bce82bc1b47912deab1b79224158f79c53f1d7c7fd3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102821,7 +102821,7 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_0797De34 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Uwamson.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e4699e35ce8091f97decbeebff63d7fa8c868172a79f9d9d52b6778c3faab8f2"
- logic_hash = "v1_sha256_7ab5dd99d8bbef61ec764900df5bebf39ed90833a8f9481c427cbb46faf2c521"
+ logic_hash = "7ab5dd99d8bbef61ec764900df5bebf39ed90833a8f9481c427cbb46faf2c521"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102850,7 +102850,7 @@ rule ELASTIC_Linux_Cryptominer_Uwamson_41E36585 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Uwamson.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8cfc38db2b860efcce5da40ce1e3992f467ab0b7491639d68d530b79529cda80"
- logic_hash = "v1_sha256_e176523afe8c3394ddda41a5ef11f825fed1e149476709a7c1ea26b8af72d4fc"
+ logic_hash = "e176523afe8c3394ddda41a5ef11f825fed1e149476709a7c1ea26b8af72d4fc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102879,7 +102879,7 @@ rule ELASTIC_Windows_Hacktool_Chromekatz_Fa232Bba : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_ChromeKatz.yar#L1-L28"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3f6922049422df14f1a1777001fea54b18fbfb0a4b03c4ee27786bfbc3b8ab87"
- logic_hash = "v1_sha256_c86291fadd51845cbd7428b159e401d78ac77090e14e34d06bf7bf2018f4502a"
+ logic_hash = "c86291fadd51845cbd7428b159e401d78ac77090e14e34d06bf7bf2018f4502a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102917,7 +102917,7 @@ rule ELASTIC_Linux_Cryptominer_Minertr_9901E275 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Minertr.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f77246a93782fd8ee40f12659f41fccc5012a429a8600f332c67a7c2669e4e8f"
- logic_hash = "v1_sha256_a18e0763fe9aec6d89b39cefb872b1751727e2d88ec4733b9c8b443b83219763"
+ logic_hash = "a18e0763fe9aec6d89b39cefb872b1751727e2d88ec4733b9c8b443b83219763"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102946,7 +102946,7 @@ rule ELASTIC_Windows_Trojan_Poshc2_E2D3881E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PoshC2.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7a718a4f74656346bd9a2e29e008705fc2b1c4d167a52bd4f6ff10b3f2cd9395"
- logic_hash = "v1_sha256_4f3e2a9f22826a155a3007193a0f75a5fde6e423734a60f30628ea3bb33d3457"
+ logic_hash = "4f3e2a9f22826a155a3007193a0f75a5fde6e423734a60f30628ea3bb33d3457"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -102982,7 +102982,7 @@ rule ELASTIC_Windows_Ransomware_Crytox_29859242 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Crytox.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "55a27cb6280f31c077987d338151b13e9dc0cc1c14d47a32e64de6d6c1a6a742"
- logic_hash = "v1_sha256_47ca96e14b2b56bc6ef1ed22b42adac7aa557170632c2dc085fae3baf6198f40"
+ logic_hash = "47ca96e14b2b56bc6ef1ed22b42adac7aa557170632c2dc085fae3baf6198f40"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103011,7 +103011,7 @@ rule ELASTIC_Linux_Rootkit_Jynx_C470Eaff : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Jynx.yar#L1-L29"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "79c2ae1a95b44f3df42d669cb44db606d2088c5c393e7de5af875f255865ecb4"
- logic_hash = "v1_sha256_02d1ec1670089a3d9743e57a8dd504f57cea897eca0f896c129fd4f30f24e700"
+ logic_hash = "02d1ec1670089a3d9743e57a8dd504f57cea897eca0f896c129fd4f30f24e700"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103050,7 +103050,7 @@ rule ELASTIC_Windows_Hacktool_Sharpview_2C7603Ad : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpView.yar#L1-L34"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c0621954bd329b5cabe45e92b31053627c27fa40853beb2cce2734fa677ffd93"
- logic_hash = "v1_sha256_1f80b2fd6121c2b36742c819a56626af2e1450dac0f62c67d93f09e4e140b75f"
+ logic_hash = "1f80b2fd6121c2b36742c819a56626af2e1450dac0f62c67d93f09e4e140b75f"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -103094,7 +103094,7 @@ rule ELASTIC_Windows_Trojan_Microbackdoor_903E33C3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_MicroBackdoor.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21"
- logic_hash = "v1_sha256_5f96f68df442eb1da21d87c3ae954c4e36cf87db583cbef1775f8ca9e76b776e"
+ logic_hash = "5f96f68df442eb1da21d87c3ae954c4e36cf87db583cbef1775f8ca9e76b776e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103123,7 +103123,7 @@ rule ELASTIC_Windows_Trojan_Microbackdoor_46F2E5Fd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_MicroBackdoor.yar#L21-L44"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fbbfcc81a976b57739ef13c1545ea4409a1c69720469c05ba249a42d532f9c21"
- logic_hash = "v1_sha256_580be4c5b058916c2bc67a7964522a7c369bb254394e3cedbf0da025105231c4"
+ logic_hash = "580be4c5b058916c2bc67a7964522a7c369bb254394e3cedbf0da025105231c4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103157,7 +103157,7 @@ rule ELASTIC_Linux_Hacktool_Tcpscan_334D0Ca5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Tcpscan.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "62de04185c2e3c22af349479a68ad53c31b3874794e7c4f0f33e8d125c37f6b0"
- logic_hash = "v1_sha256_94ee723c660294e35caec5a2b66eeea64896265cfebc839ed3f55cf8f8c67d7e"
+ logic_hash = "94ee723c660294e35caec5a2b66eeea64896265cfebc839ed3f55cf8f8c67d7e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103186,7 +103186,7 @@ rule ELASTIC_Linux_Trojan_Lady_75F6392C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Lady.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c257ac7bd3a9639e0d67a7db603d5bc8d8505f6f2107a26c2615c5838cf11826"
- logic_hash = "v1_sha256_5160b6ab4800c72b48b501787f3164c2ba1061a2abe21c63180e02d6791a4c12"
+ logic_hash = "5160b6ab4800c72b48b501787f3164c2ba1061a2abe21c63180e02d6791a4c12"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103214,7 +103214,7 @@ rule ELASTIC_Linux_Trojan_Meterpreter_A82F5D21 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Meterpreter.yar#L1-L18"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d76886222de7292e8a76717f6d49452f52aaffb957bb0326bcfc7a35c3fdfc6a"
+ logic_hash = "d76886222de7292e8a76717f6d49452f52aaffb957bb0326bcfc7a35c3fdfc6a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103243,7 +103243,7 @@ rule ELASTIC_Linux_Trojan_Meterpreter_383C6708 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Meterpreter.yar#L20-L38"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d9d607f0bbc101f7f6dc0f16328bdd8f6ddb8ae83107b7eee34e1cc02072cb15"
- logic_hash = "v1_sha256_b0fd479722ab0808a4709cbacbb874282c48a425f4dbdaec9f74bc7f839c82e4"
+ logic_hash = "b0fd479722ab0808a4709cbacbb874282c48a425f4dbdaec9f74bc7f839c82e4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103271,7 +103271,7 @@ rule ELASTIC_Linux_Trojan_Meterpreter_621054Fe : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Meterpreter.yar#L40-L57"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_18f22bb0aa66ec2ecdaa9ca0e0d00ee59a2c9a3f231bd71915140e4464a4ea78"
+ logic_hash = "18f22bb0aa66ec2ecdaa9ca0e0d00ee59a2c9a3f231bd71915140e4464a4ea78"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103299,7 +103299,7 @@ rule ELASTIC_Linux_Trojan_Meterpreter_1Bda891E : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Meterpreter.yar#L59-L76"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_74e7547472117de20159f5b158cee0ccacc02a9aba5e5ad64a52c552c966d539"
+ logic_hash = "74e7547472117de20159f5b158cee0ccacc02a9aba5e5ad64a52c552c966d539"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103327,7 +103327,7 @@ rule ELASTIC_Macos_Creddump_Keychainaccess_535C1511 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Creddump_KeychainAccess.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_c2995263622d62b11db93f7d163a7595e316ec24b51099f434bc5dbd0afefbfe"
+ logic_hash = "c2995263622d62b11db93f7d163a7595e316ec24b51099f434bc5dbd0afefbfe"
 score = 75
 quality = 49
 tags = "FILE, MEMORY"
@@ -103363,7 +103363,7 @@ rule ELASTIC_Windows_Trojan_Jesterstealer_B35C6F4B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_JesterStealer.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "10c3846867f70dd26c5a54332ed22070c9e5e0e4f52f05fdae12ead801f7933b"
- logic_hash = "v1_sha256_acc49348267e963af9ff6ba7afa053d4056d4068b4386a872e33e025790ba759"
+ logic_hash = "acc49348267e963af9ff6ba7afa053d4056d4068b4386a872e33e025790ba759"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103398,7 +103398,7 @@ rule ELASTIC_Windows_Trojan_Jesterstealer_8F657F58 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_JesterStealer.yar#L27-L45"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "10c3846867f70dd26c5a54332ed22070c9e5e0e4f52f05fdae12ead801f7933b"
- logic_hash = "v1_sha256_20a0d8be9c25d50d4dddd455ecb9739f772f57e988855c7fc2df597b2f67585b"
+ logic_hash = "20a0d8be9c25d50d4dddd455ecb9739f772f57e988855c7fc2df597b2f67585b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103427,7 +103427,7 @@ rule ELASTIC_Linux_Trojan_Ircbot_Bb204B81 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ircbot.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6147481d083c707dc98905a1286827a6e7009e08490e7d7c280ed5a6356527ad"
- logic_hash = "v1_sha256_90d211c11281f5f8832210f3fc087fe5ff5a519b9b38628835e8b5fcc560bd9b"
+ logic_hash = "90d211c11281f5f8832210f3fc087fe5ff5a519b9b38628835e8b5fcc560bd9b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103456,7 +103456,7 @@ rule ELASTIC_Linux_Trojan_Ircbot_7C60454D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ircbot.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "14eeff3516de6d2cb11d6ada4026e3dcee1402940e3a0fb4fa224a5c030049d8"
- logic_hash = "v1_sha256_90dcd0a3d3f6345e66db0a4f8465e3830eb4e3bcb675db16c60a89e20f935aec"
+ logic_hash = "90dcd0a3d3f6345e66db0a4f8465e3830eb4e3bcb675db16c60a89e20f935aec"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103485,7 +103485,7 @@ rule ELASTIC_Windows_Trojan_Blister_Cb99A1Df : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Blister.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0a7778cf6f9a1bd894e89f282f2e40f9d6c9cd4b72be97328e681fe32a1b1a00"
- logic_hash = "v1_sha256_deb1be5300d8af12dda868dd5f4ccdbb3ec653bd97c33a09e567c13ecafb9e8a"
+ logic_hash = "deb1be5300d8af12dda868dd5f4ccdbb3ec653bd97c33a09e567c13ecafb9e8a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103516,7 +103516,7 @@ rule ELASTIC_Windows_Trojan_Blister_9D757838 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Blister.yar#L24-L44"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "863de84a39c9f741d8103db83b076695d0d10a7384e4e3ba319c05a6018d9737"
- logic_hash = "v1_sha256_4d9ce1622d77b2ac8b20b2dfb60ac672752dabab315221a5449ebd3c73a3edca"
+ logic_hash = "4d9ce1622d77b2ac8b20b2dfb60ac672752dabab315221a5449ebd3c73a3edca"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103546,7 +103546,7 @@ rule ELASTIC_Windows_Trojan_Blister_68B53E1B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Blister.yar#L46-L66"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5fc79a4499bafa3a881778ef51ce29ef015ee58a587e3614702e69da304395db"
- logic_hash = "v1_sha256_6d935461406a6b9b39867d52aa5ecb088945ae0f8c56895a67e8565e5a2a3699"
+ logic_hash = "6d935461406a6b9b39867d52aa5ecb088945ae0f8c56895a67e8565e5a2a3699"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103576,7 +103576,7 @@ rule ELASTIC_Windows_Trojan_Blister_487B0966 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Blister.yar#L68-L89"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5fc79a4499bafa3a881778ef51ce29ef015ee58a587e3614702e69da304395db"
- logic_hash = "v1_sha256_521409d03335205507cc6894e0de3ca627eb966a95a2f8e7b931e552ad78bbb7"
+ logic_hash = "521409d03335205507cc6894e0de3ca627eb966a95a2f8e7b931e552ad78bbb7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103607,7 +103607,7 @@ rule ELASTIC_Windows_Trojan_Blister_26F8C5F2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Blister.yar#L91-L110"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cba30fb1731e165acc256d99d32f3c9e5abfa27d152419d24a91d8b79c5c5cb0"
- logic_hash = "v1_sha256_dc87a3ae4edf0b8ee18cb7c34f9b4a0305c504b7ef66cb3232c91dc364d3563c"
+ logic_hash = "dc87a3ae4edf0b8ee18cb7c34f9b4a0305c504b7ef66cb3232c91dc364d3563c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103637,7 +103637,7 @@ rule ELASTIC_Linux_Trojan_Ipstorm_3C43D4A7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ipstorm.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5103133574615fb49f6a94607540644689be017740d17005bc08b26be9485aa7"
- logic_hash = "v1_sha256_c7e9191312197f8925d7231d0b8badf8b5ca35685df909c0d1feb301b4385d7b"
+ logic_hash = "c7e9191312197f8925d7231d0b8badf8b5ca35685df909c0d1feb301b4385d7b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103666,7 +103666,7 @@ rule ELASTIC_Linux_Trojan_Ipstorm_F9269F00 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ipstorm.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5103133574615fb49f6a94607540644689be017740d17005bc08b26be9485aa7"
- logic_hash = "v1_sha256_5914d222b49aaf6c1040e48ffd93c04bd5df25f1d97bde79b034862fca6555f6"
+ logic_hash = "5914d222b49aaf6c1040e48ffd93c04bd5df25f1d97bde79b034862fca6555f6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103695,7 +103695,7 @@ rule ELASTIC_Linux_Trojan_Ipstorm_08Bcf61C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Ipstorm.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "503f293d84de4f2c826f81a68180ad869e0d1448ea6c0dbf09a7b23801e1a9b9"
- logic_hash = "v1_sha256_fb2755c04b61d19788a92b8c9c1c9eb2552b62b27011e302840fdcf689b3d9b4"
+ logic_hash = "fb2755c04b61d19788a92b8c9c1c9eb2552b62b27011e302840fdcf689b3d9b4"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103723,7 +103723,7 @@ rule ELASTIC_Windows_PUP_Generic_198B73Aa : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_PUP_Generic.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_a584c34b9dfc2d78bf8a1e594a2ed519d20088184ce1df09e679b2400aa396d3"
+ logic_hash = "a584c34b9dfc2d78bf8a1e594a2ed519d20088184ce1df09e679b2400aa396d3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103754,7 +103754,7 @@ rule ELASTIC_Linux_Exploit_CVE_2010_3301_79D52Efd : FILE MEMORY CVE_2010_3301
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "53a2163ad17a414d9db95f5287d9981c9410e7eaeea096610ba622eb763a6970"
- logic_hash = "v1_sha256_1d4eb14042f552aa1577d0fe452e92c25bda66d0ad1a66e824677bee65908578"
+ logic_hash = "1d4eb14042f552aa1577d0fe452e92c25bda66d0ad1a66e824677bee65908578"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2010-3301"
@@ -103783,7 +103783,7 @@ rule ELASTIC_Linux_Exploit_CVE_2010_3301_D0Eb0924 : FILE MEMORY CVE_2010_3301
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "907995e90a80d3ace862f2ffdf13fd361762b5acc5397e14135d85ca6a61619b"
- logic_hash = "v1_sha256_5229be3d1997ee4d05846d6804ffafd36c088dd8607a1fba39a0a43950e448c1"
+ logic_hash = "5229be3d1997ee4d05846d6804ffafd36c088dd8607a1fba39a0a43950e448c1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2010-3301"
@@ -103812,7 +103812,7 @@ rule ELASTIC_Linux_Exploit_CVE_2010_3301_A5828970 : FILE MEMORY CVE_2010_3301
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2010_3301.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4fc781f765a65b714ec27080f25c03f20e06830216506e06325240068ba62d83"
- logic_hash = "v1_sha256_61b0cb38a6e14efee157547e811450d2ed4674f79ac86656a8d984084f71a665"
+ logic_hash = "61b0cb38a6e14efee157547e811450d2ed4674f79ac86656a8d984084f71a665"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2010-3301"
@@ -103841,7 +103841,7 @@ rule ELASTIC_Multi_Trojan_Coreimpact_37703Dc3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Coreimpact.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2d954908da9f63cd3942c0df2e8bb5fe861ac5a336ddef2bd0a977cebe030ad7"
- logic_hash = "v1_sha256_0695f22d6eb8c1b335c43213087539db419562bebd6f5b948cbb168c454bd37c"
+ logic_hash = "0695f22d6eb8c1b335c43213087539db419562bebd6f5b948cbb168c454bd37c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -103873,7 +103873,7 @@ rule ELASTIC_Windows_Attacksimulation_Hovercraft_F5C7178F : FILE MEMORY reference = "046645b2a646c83b4434a893a0876ea9bd51ae05e70d4e72f2ccc648b0f18cb6" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_AttackSimulation_Hovercraft.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_e707e89904a5fa4d30f94bfc625b736a411df6bb055c0e40df18ae65025a3740" + logic_hash = "e707e89904a5fa4d30f94bfc625b736a411df6bb055c0e40df18ae65025a3740" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -103902,7 +103902,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_9Ac1654B : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L1-L18" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_5de1f43803f3d3b94149ea39ed961e7b9a1ad86c15c5085e2e0a5f9c314e98ff" + logic_hash = "5de1f43803f3d3b94149ea39ed961e7b9a1ad86c15c5085e2e0a5f9c314e98ff" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -103930,7 +103930,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_Dd167Aa0 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L20-L37" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_88be4fbb337fa866e126021b40a01d86a33029071af7efc289a8c5490d21ea8a" + logic_hash = "88be4fbb337fa866e126021b40a01d86a33029071af7efc289a8c5490d21ea8a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -103959,7 +103959,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_B25398Dd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L39-L57" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6fb3b77be0a66a10124a82f9ec6ad22247d7865a4d26aa49c5d602320318ce3c" - logic_hash = "v1_sha256_e7fdb3c573909e8f197417278a6d333cc3743b05257d81fed46769b185354183" + logic_hash = "e7fdb3c573909e8f197417278a6d333cc3743b05257d81fed46769b185354183" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -103988,7 +103988,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_6A279F19 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L59-L77" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "5b01f72b2c53db9b8f253bb98c6584581ebd1af1b1aaee62659f54193c269fca" - logic_hash = "v1_sha256_91e3c0d96fe5ab9c61b38f01d39639020ec459bec6348b1f87a2c5b1a874e24a" + logic_hash = "91e3c0d96fe5ab9c61b38f01d39639020ec459bec6348b1f87a2c5b1a874e24a" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104017,7 +104017,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_4E7945A4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L79-L97" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "b7504ce57787956e486d951b4ff78d73807fcc2a7958b172febc6d914e7a23a7" - logic_hash = "v1_sha256_aebc544076954fcce917e026467a8828b18446ce7c690b4c748562e311b7d491" + logic_hash = "aebc544076954fcce917e026467a8828b18446ce7c690b4c748562e311b7d491" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104046,7 +104046,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_29C1C386 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L99-L117" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fc73bbfb12c64d2f20efa22a6d8d8c5782ef57cb0ca6d844669b262e80db2444" - logic_hash = "v1_sha256_1a3a9065cbb59658c06dfbfc622ccd2e577e988370ffe47848a5859f96db4e24" + logic_hash = "1a3a9065cbb59658c06dfbfc622ccd2e577e988370ffe47848a5859f96db4e24" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104074,7 +104074,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_25B63F54 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L119-L136" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_640ffe2040e382ad536c1b6947e05f8c25ff82897ef7ac673a7676815856a346" + logic_hash = "640ffe2040e382ad536c1b6947e05f8c25ff82897ef7ac673a7676815856a346" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104103,7 +104103,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_73E2373E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L138-L156" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fc73bbfb12c64d2f20efa22a6d8d8c5782ef57cb0ca6d844669b262e80db2444" - logic_hash = "v1_sha256_2377da6667860dc7204760ee64213cba95909c9181bd1a3ea96c3ad29988c9f7" + logic_hash = "2377da6667860dc7204760ee64213cba95909c9181bd1a3ea96c3ad29988c9f7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104132,7 +104132,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_B8552Fff : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L158-L176" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "cdd3d567fbcbdd6799afad241ae29acbe4ab549445e5c4fc0678d16e75b40dfa" - logic_hash = "v1_sha256_476b800422b6d98405d8bde727bb589c5cae36723436b269beaa65381b3d0abe" + logic_hash = "476b800422b6d98405d8bde727bb589c5cae36723436b269beaa65381b3d0abe" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104161,7 +104161,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_83550472 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L178-L196" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d2d8421ffdcebb7fed00edcf306ec5e86fc30ad3e87d55e85b05bea5dc1f7d63" - logic_hash = "v1_sha256_f62d4a2a7dfb312b2e362844bfa29bd4453a05f31b4f72550ef29ff40ed6fb9d" + logic_hash = "f62d4a2a7dfb312b2e362844bfa29bd4453a05f31b4f72550ef29ff40ed6fb9d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104190,7 +104190,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_8799D8D6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L198-L216" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4a6d98eae8951e5b9e0a226f1197732d6d14ed45c1b1534d3cdb4413261eb352" - logic_hash = "v1_sha256_4bcd7931aeed09069d5dd248a66f119a2bdf628e03b9abed9ee2de59a149c2bc" + logic_hash = "4bcd7931aeed09069d5dd248a66f119a2bdf628e03b9abed9ee2de59a149c2bc" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -104219,7 +104219,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_0F7C5375 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L218-L236" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e75be5377ad65abdc69e6c7f9fe17429a98188a217d0ca3a6f40e75c4f0c07e8" - logic_hash = "v1_sha256_05f4b16a7e4c7ffbc6b8a2f60050a4ac1d05d9efbe948e2da689055f6383cf82" + logic_hash = "05f4b16a7e4c7ffbc6b8a2f60050a4ac1d05d9efbe948e2da689055f6383cf82" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104248,7 +104248,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_87639Dbd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L238-L256" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d2d8421ffdcebb7fed00edcf306ec5e86fc30ad3e87d55e85b05bea5dc1f7d63" - logic_hash = "v1_sha256_b81af8c9baee999b91e63f97d5a46451d9960487b25b04079df5539f857be466" + logic_hash = "b81af8c9baee999b91e63f97d5a46451d9960487b25b04079df5539f857be466" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -104277,7 +104277,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_Cdd631C1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L258-L276" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "91549c171ae7f43c1a85a303be30169932a071b5c2b6cf3f4913f20073c97897" - logic_hash = "v1_sha256_5e4b26a74fc3737c068917c7c1228048f885ac30fc326a2844611f7e707d1300" + logic_hash = "5e4b26a74fc3737c068917c7c1228048f885ac30fc326a2844611f7e707d1300" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104306,7 +104306,7 @@ rule ELASTIC_Linux_Cryptominer_Camelot_209B02Dd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Camelot.yar#L278-L296" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "60d33d1fdabc6b10f7bb304f4937051a53d63f39613853836e6c4d095343092e" - logic_hash = "v1_sha256_5cadc955242d4b7d5fd4365a0b425051d89c905e3d49ea03967150de0020225c" + logic_hash = "5cadc955242d4b7d5fd4365a0b425051d89c905e3d49ea03967150de0020225c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104335,7 +104335,7 @@ rule ELASTIC_Windows_Vulndriver_Microstar_D72B85B2 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_MicroStar.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3ed15a390d8dfbd8a8fb99e8367e19bfd1cced0e629dfe43ccdb46c863394b59" - logic_hash = "v1_sha256_04e9c1f318acae5544cdc826938383bf8f6c6b838cb5828a7097383ac564f404" + logic_hash = "04e9c1f318acae5544cdc826938383bf8f6c6b838cb5828a7097383ac564f404" score = 75 quality = 75 tags = "FILE" 
@@ -104366,7 +104366,7 @@ rule ELASTIC_Macos_Hacktool_Bifrost_39Bcbdf8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Hacktool_Bifrost.yar#L1-L27" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e2b64df0add316240b010db7d34d83fc9ac7001233259193e5a72b6e04aece46" - logic_hash = "v1_sha256_a2ff4f1aca51e80f2b277e9171e99a80a75177d1d17d487de2eb8872832cb0d5" + logic_hash = "a2ff4f1aca51e80f2b277e9171e99a80a75177d1d17d487de2eb8872832cb0d5" score = 75 quality = 25 tags = "FILE, MEMORY" @@ -104403,7 +104403,7 @@ rule ELASTIC_Linux_Cryptominer_Zexaf_B90E7683 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Zexaf.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "98650ebb7e463a06e737bcea4fd2b0f9036fafb0638ba8f002e6fe141b9fecfe" - logic_hash = "v1_sha256_d8485d8fbf00d5c828d7c6c80fef61f228f308e3d27a762514cfb3f00053b30b" + logic_hash = "d8485d8fbf00d5c828d7c6c80fef61f228f308e3d27a762514cfb3f00053b30b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104432,7 +104432,7 @@ rule ELASTIC_Windows_Vulndriver_Directio_7Bea6C8F : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_DirectIo.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1dadd707c55413a16320dc70d2ca7784b94c6658331a753b3424ae696c5d93ea" - logic_hash = "v1_sha256_3b148fed9c52af1d2d1eb18b6c4b191fb80e547f2da1beccdaf3d3e0237ecc1b" + logic_hash = "3b148fed9c52af1d2d1eb18b6c4b191fb80e547f2da1beccdaf3d3e0237ecc1b" score = 75 quality = 75 tags = "FILE" 
@@ -104462,7 +104462,7 @@ rule ELASTIC_Windows_Vulndriver_Directio_Abe8Bfa6 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_DirectIo.yar#L22-L41" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5" - logic_hash = "v1_sha256_5224938b0381943a171b1db00249e71c43ce2c179ef4bbe14b46cc0787e35cb2" + logic_hash = "5224938b0381943a171b1db00249e71c43ce2c179ef4bbe14b46cc0787e35cb2" score = 75 quality = 75 tags = "FILE" @@ -104492,7 +104492,7 @@ rule ELASTIC_Windows_Vulndriver_Vbox_3315863F : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_VBox.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "42d926cfb3794f9b1e3cb397498696cb687f505e15feb9df11b419c49c9af498" - logic_hash = "v1_sha256_ba4e6a94516e36dcd6140b6732d959703e2c58a79add705b9260001ea26db738" + logic_hash = "ba4e6a94516e36dcd6140b6732d959703e2c58a79add705b9260001ea26db738" score = 75 quality = 75 tags = "FILE" @@ -104522,7 +104522,7 @@ rule ELASTIC_Windows_Vulndriver_Vbox_1B1C5Cd5 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_VBox.yar#L22-L42" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1684e24dae20ab83ab5462aa1ff6473110ec53f52a32cfb8c1fe95a2642c6d22" - logic_hash = "v1_sha256_5fcfffea021aee8d18172383df0e65f8c618fab545c800f1a7b659e8112c6c0f" + logic_hash = "5fcfffea021aee8d18172383df0e65f8c618fab545c800f1a7b659e8112c6c0f" score = 75 quality = 75 tags = "FILE" 
@@ -104553,7 +104553,7 @@ rule ELASTIC_Linux_Trojan_Pornoasset_927F314F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Pornoasset.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93" - logic_hash = "v1_sha256_7267375346c1628e04c8272c24bde04a5d6ae2b420f64dfe58657cfc3eecc0e7" + logic_hash = "7267375346c1628e04c8272c24bde04a5d6ae2b420f64dfe58657cfc3eecc0e7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104582,7 +104582,7 @@ rule ELASTIC_Windows_Virus_Floxif_493D1897 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Virus_Floxif.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e628b7973ee25fdfd8f849fdf5923c6fba48141de802b0b4ce3e9ad2e40fe470" - logic_hash = "v1_sha256_d3f516966bd4423c49771251075a1ea2f725aec91615f7f44dd098da2a4f3574" + logic_hash = "d3f516966bd4423c49771251075a1ea2f725aec91615f7f44dd098da2a4f3574" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104611,7 +104611,7 @@ rule ELASTIC_Linux_Packer_Patched_UPX_62E11C64 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Packer_Patched_UPX.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "02f81a1e1edcb9032a1d7256a002b11e1e864b2e9989f5d24ea1c9b507895669" - logic_hash = "v1_sha256_cb576fdd59c255234a96397460b81cbb2deeb38befaed101749b7bb515624028" + logic_hash = "cb576fdd59c255234a96397460b81cbb2deeb38befaed101749b7bb515624028" score = 75 quality = 75 tags = "FILE" 
@@ -104640,7 +104640,7 @@ rule ELASTIC_Windows_Vulndriver_Truesight_7429Ac81 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_TrueSight.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c" - logic_hash = "v1_sha256_8490947a632ca32822231631e19e52380b8b1a26c74c697d36898b0facbfcc9c" + logic_hash = "8490947a632ca32822231631e19e52380b8b1a26c74c697d36898b0facbfcc9c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104670,7 +104670,7 @@ rule ELASTIC_Windows_Hacktool_Edrrecon_69453Aff : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_EDRrecon.yar#L1-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f62e51b2405c0d42c53ff1f560376ef0530ba2eea1c97e18f2a3cf148346bcd1" - logic_hash = "v1_sha256_3d0f6dc5d47a3c0957a7aa8d2918fee113d079d7d74f37a1c17c5429034ba41f" + logic_hash = "3d0f6dc5d47a3c0957a7aa8d2918fee113d079d7d74f37a1c17c5429034ba41f" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -104739,7 +104739,7 @@ rule ELASTIC_Windows_Hacktool_Edrrecon_Ca314Aa1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_EDRrecon.yar#L61-L115" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f62e51b2405c0d42c53ff1f560376ef0530ba2eea1c97e18f2a3cf148346bcd1" - logic_hash = "v1_sha256_04b8681b0b6f8fa51eb90488edf35638da3334886c7db5fc22218712b0d23007" + logic_hash = "04b8681b0b6f8fa51eb90488edf35638da3334886c7db5fc22218712b0d23007" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -104804,7 +104804,7 @@ rule ELASTIC_Windows_Vulndriver_Segwin_04A3962E : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Segwin.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd" - logic_hash = "v1_sha256_1e9ba5fc78f2b4eeee56314c9e8cf3071817d726b44cb8510f8d7069e85ab7bf" + logic_hash = "1e9ba5fc78f2b4eeee56314c9e8cf3071817d726b44cb8510f8d7069e85ab7bf" score = 75 quality = 75 tags = "FILE" @@ -104835,7 +104835,7 @@ rule ELASTIC_Windows_Trojan_Cryptbot_489A6562 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Cryptbot.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "423563995910af04cb2c4136bf50607fc26977dfa043a84433e8bd64b3315110" - logic_hash = "v1_sha256_7fee3cc67419e66de790ba2ad8c3102425b3a45bdfe31801758dd38021a8439b" + logic_hash = "7fee3cc67419e66de790ba2ad8c3102425b3a45bdfe31801758dd38021a8439b" score = 75 quality = 25 tags = "FILE, MEMORY" 
@@ -104868,7 +104868,7 @@ rule ELASTIC_Linux_Trojan_Adlibrary_2E908E5F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Adlibrary.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "acb22b88ecfb31664dc07b2cb3490b78d949cd35a67f3fdcd65b1a4335f728f1" - logic_hash = "v1_sha256_0d0df636876adf0268b7a409bfc9d8bfad298793d11297596ef91aeba86889da" + logic_hash = "0d0df636876adf0268b7a409bfc9d8bfad298793d11297596ef91aeba86889da" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104897,7 +104897,7 @@ rule ELASTIC_Windows_Vulndriver_Toshibabios_2891972A : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_ToshibaBios.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073" - logic_hash = "v1_sha256_c253181a754f421ee36ced994412672770497756848d78d557907957486e711b" + logic_hash = "c253181a754f421ee36ced994412672770497756848d78d557907957486e711b" score = 75 quality = 75 tags = "FILE" @@ -104928,7 +104928,7 @@ rule ELASTIC_Windows_Trojan_Pizzapotion_D334C613 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_PizzaPotion.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "37bee101cf34a84cba49adb67a555c6ebd3b8ac7c25d50247b0a014c82630003" - logic_hash = "v1_sha256_de7d395c8a993abf9858858e56ba0ec4acbf0fa1c8bfe4a34ae95be2205967fc" + logic_hash = "de7d395c8a993abf9858858e56ba0ec4acbf0fa1c8bfe4a34ae95be2205967fc" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -104962,7 +104962,7 @@ rule ELASTIC_Windows_Ransomware_Mespinoza_3Adb59F5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Mespinoza.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6f3cd5f05ab4f404c78bab92f705c91d967b31a9b06017d910af312fa87ae3d6" - logic_hash = "v1_sha256_28c8ad42a3af70fed274edc9105dae5cef13749d71510561a50428c822464934" + logic_hash = "28c8ad42a3af70fed274edc9105dae5cef13749d71510561a50428c822464934" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -104993,7 +104993,7 @@ rule ELASTIC_Windows_Trojan_Gh0St_Ee6De6Bc : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Gh0st.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ea1dc816dfc87c2340a8b8a77a4f97618bccf19ad3b006dce4994be02e13245d" - logic_hash = "v1_sha256_3619df974c9f4ec76899afbafdfd6839070714862c7361be476cf8f83e766e2f" + logic_hash = "3619df974c9f4ec76899afbafdfd6839070714862c7361be476cf8f83e766e2f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105026,7 +105026,7 @@ rule ELASTIC_Windows_Ransomware_Agenda_D7B1Af3F : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Agenda.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464" - logic_hash = "v1_sha256_a68330bf98ae200ff2d0da51836436f2bdff5c10eb4e0145502f688055980493" + logic_hash = "a68330bf98ae200ff2d0da51836436f2bdff5c10eb4e0145502f688055980493" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105058,7 +105058,7 @@ rule ELASTIC_Windows_Vulndriver_Gdrv_5368078B : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_GDrv.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427" - logic_hash = "v1_sha256_f4d43ac4a4b6d879ffb5ba637b38ec75c8b57f531db644015c1a71c2cdea45d5" + logic_hash = "f4d43ac4a4b6d879ffb5ba637b38ec75c8b57f531db644015c1a71c2cdea45d5" score = 75 quality = 75 tags = "FILE" @@ -105089,7 +105089,7 @@ rule ELASTIC_Windows_Ransomware_Whispergate_C80F3B4B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_WhisperGate.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92" - logic_hash = "v1_sha256_04452141a867d4f6fce618c21795cc142a1265b56c62ecb9e579003d36b4b2b9" + logic_hash = "04452141a867d4f6fce618c21795cc142a1265b56c62ecb9e579003d36b4b2b9" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105119,7 +105119,7 @@ rule ELASTIC_Windows_Ransomware_Whispergate_3476008E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_WhisperGate.yar#L22-L43" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d" - logic_hash = "v1_sha256_729818df1b6b82fc00eba0fe1c9139ec4746e1775146ab7fdea9e25dec1cddea" + logic_hash = "729818df1b6b82fc00eba0fe1c9139ec4746e1775146ab7fdea9e25dec1cddea" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105151,7 +105151,7 @@ rule ELASTIC_Windows_Vulndriver_BSMI_65223B8D : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_BSMI.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" - logic_hash = "v1_sha256_c4fa65bbd9d374092137b65209f29744caeb8b04fbd364b1acc67b73c45604e8" + logic_hash = "c4fa65bbd9d374092137b65209f29744caeb8b04fbd364b1acc67b73c45604e8" score = 75 quality = 75 tags = "FILE" @@ -105182,7 +105182,7 @@ rule ELASTIC_Linux_Rootkit_Brokepkg_7B7D4581 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_BrokePKG.yar#L1-L38" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "97c5e011c7315a05c470eef4032030e461ec2a596513703beedeec0b0c6ed2da" - logic_hash = "v1_sha256_a4e5916fa0ca6b07fcbb6f970abb0212a970cf723b906e605c18e620efc501dc" + logic_hash = "a4e5916fa0ca6b07fcbb6f970abb0212a970cf723b906e605c18e620efc501dc" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105230,7 +105230,7 @@ rule ELASTIC_Windows_Hacktool_Dcsyncer_425579C5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Dcsyncer.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "af7dbc84efeb186006d75d095f54a266f59e6b2348d0c20591da16ae7b7d509a" - logic_hash = "v1_sha256_b0330adf1d4420ddf1f302974d2e4179f52ab1c8dc2f294ddf52286d714e0463" + logic_hash = "b0330adf1d4420ddf1f302974d2e4179f52ab1c8dc2f294ddf52286d714e0463" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105263,7 +105263,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_66197D54 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L1-L27" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_7bccf37960e2f197bb0021ecb12872f0f715b674d9774d02ec4e396f18963029" + logic_hash = "7bccf37960e2f197bb0021ecb12872f0f715b674d9774d02ec4e396f18963029" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105300,7 +105300,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_E8Ed269C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L29-L57" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_c56b6dfb2c3ae657615c825a4d5d5640c2204fa4217262e1ccb4359d5a914a63" + logic_hash = "c56b6dfb2c3ae657615c825a4d5d5640c2204fa4217262e1ccb4359d5a914a63" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105339,7 +105339,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_413Caa6B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L59-L87" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_4f2417d61be5e68630408a151cd73372aef9e7f4638acf4e80bfa5b2811119a7" + logic_hash = "4f2417d61be5e68630408a151cd73372aef9e7f4638acf4e80bfa5b2811119a7" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105378,7 +105378,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_23Fee092 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L89-L115" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_ed019c9198b5d9ff8392bfd7e0b23a7b1383eabce4c71c665a3ca4a943c8b6ee" + logic_hash = "ed019c9198b5d9ff8392bfd7e0b23a7b1383eabce4c71c665a3ca4a943c8b6ee" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105415,7 +105415,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_861D3264 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L117-L145" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_e6a0a0a24c70d69c0aa56063d2db0f5a0fedcda5b96d945ac14520524b1d00fd" + logic_hash = "e6a0a0a24c70d69c0aa56063d2db0f5a0fedcda5b96d945ac14520524b1d00fd" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105454,7 +105454,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_57587F8C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L147-L175" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_175b8b6f9fca189f2fc41f1029ad512db2c8b0e52ea04bfbc3d410d355928ab9" + logic_hash = "175b8b6f9fca189f2fc41f1029ad512db2c8b0e52ea04bfbc3d410d355928ab9" score = 75 quality = 50 tags = "FILE, MEMORY" 
@@ -105493,7 +105493,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_Cae025B1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L177-L203" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_9c34443cffed43513242321e2170484dbb0d41b251aee8ea640d44da76918122" + logic_hash = "9c34443cffed43513242321e2170484dbb0d41b251aee8ea640d44da76918122" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105530,7 +105530,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_4A9B9603 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L205-L231" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_8d78483b54d3be6988b1f5df826b8709b7aa2045ff3a3e754c359365d053bb27" + logic_hash = "8d78483b54d3be6988b1f5df826b8709b7aa2045ff3a3e754c359365d053bb27" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105567,7 +105567,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_4Db2C852 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L233-L261" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_88c88103a055d25ba97f08e2f47881001ad8a2200a33ac04246494963dfe6638" + logic_hash = "88c88103a055d25ba97f08e2f47881001ad8a2200a33ac04246494963dfe6638" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105606,7 +105606,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_Bcedc8B2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L263-L291" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_7f0a6a9168b5ff7cc02ccadd211cc8096307651be65c2b3e7cc9fdbbde08ab9f" + logic_hash = "7f0a6a9168b5ff7cc02ccadd211cc8096307651be65c2b3e7cc9fdbbde08ab9f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105645,7 +105645,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_B6Bb3E7C : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L293-L321" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_e2eaf91b9c5d3616fb2f6f6bc4b44841b1efa3b4efe7ac72afe225728523af75" + logic_hash = "e2eaf91b9c5d3616fb2f6f6bc4b44841b1efa3b4efe7ac72afe225728523af75" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105684,7 +105684,7 @@ rule ELASTIC_Windows_Hacktool_Winpeas_Ng_94474B0B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_WinPEAS_ng.yar#L323-L351" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f3e1e5b6fd2d548dfe0af8730b15eb7ef40e128a0777855f569b2a99d6101195" - logic_hash = "v1_sha256_e209c9ce1f4b11c5fdeade3298329d62f5cf561403c87077d94b6921e81ffaea" + logic_hash = "e209c9ce1f4b11c5fdeade3298329d62f5cf561403c87077d94b6921e81ffaea" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105723,7 +105723,7 @@ rule ELASTIC_Linux_Trojan_Cerbu_69D5657E : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Cerbu.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f10bf3cf2fdfbd365d3c2d8dedb2d01b85236eaa97d15370dbcb5166149d70e9" - logic_hash = "v1_sha256_644e8d5a1b5c8618e71497f21b0244215924e293e274b9164692dd927cd74ba8" + logic_hash = "644e8d5a1b5c8618e71497f21b0244215924e293e274b9164692dd927cd74ba8" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105752,7 +105752,7 @@ rule ELASTIC_Windows_Trojan_Guloader_8F10Fa66 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Guloader.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a3e2d5013b80cd2346e37460753eca4a4fec3a7941586cc26e049a463277562e" - logic_hash = "v1_sha256_f2cd08f6a32c075dc0294a0e26c51e686babc54ced4faa1873368c8821f0bfef" + logic_hash = "f2cd08f6a32c075dc0294a0e26c51e686babc54ced4faa1873368c8821f0bfef" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105785,7 +105785,7 @@ rule ELASTIC_Windows_Trojan_Guloader_C4D9Dd33 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Guloader.yar#L26-L45" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a3e2d5013b80cd2346e37460753eca4a4fec3a7941586cc26e049a463277562e" - logic_hash = "v1_sha256_623ea751fc32648720bda40598024d4d5b6a9a11b3cce3c9427310ba17745643" + logic_hash = "623ea751fc32648720bda40598024d4d5b6a9a11b3cce3c9427310ba17745643" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105814,7 +105814,7 @@ rule ELASTIC_Windows_Trojan_Guloader_2F1E44C8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Guloader.yar#L47-L70" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6ae7089aa6beaa09b1c3aa3ecf28a884d8ca84f780aab39902223721493b1f99" - logic_hash = "v1_sha256_434b33c3fdc6bf4b0f59cd4aba66327d0b7ab524be603b256494d46b609cecd5" + logic_hash = "434b33c3fdc6bf4b0f59cd4aba66327d0b7ab524be603b256494d46b609cecd5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105847,7 +105847,7 @@ rule ELASTIC_Linux_Ransomware_Hive_Bdc7De59 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Hive.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771" - logic_hash = "v1_sha256_33908128258843d63c5dfe5acf15cfd68463f5cbdf08b88ef1bba394058a5a92" + logic_hash = "33908128258843d63c5dfe5acf15cfd68463f5cbdf08b88ef1bba394058a5a92" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105876,7 +105876,7 @@ rule ELASTIC_Windows_Trojan_Glupteba_70557305 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Glupteba.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3ad13fd7968f9574d2c822e579291c77a0c525991cfb785cbe6cdd500b737218" - logic_hash = "v1_sha256_f3eee9808a1e8a2080116dda7ce795815e1179143c756ea8fdd26070f1f8f74a" + logic_hash = "f3eee9808a1e8a2080116dda7ce795815e1179143c756ea8fdd26070f1f8f74a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105910,7 +105910,7 @@ rule ELASTIC_Windows_Trojan_Glupteba_4669Dcd6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Glupteba.yar#L26-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "1b55042e06f218546db5ddc52d140be4303153d592dcfc1ce90e6077c05e77f7" - logic_hash = "v1_sha256_64b2099f40f94b17bc5860b41773c41322420500696d320399ff1c016cb56e15" + logic_hash = "64b2099f40f94b17bc5860b41773c41322420500696d320399ff1c016cb56e15" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -105939,7 +105939,7 @@ rule ELASTIC_Windows_Ransomware_Hive_55619Cd0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Hive.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609" - logic_hash = "v1_sha256_51e2b03a9f9b92819bbf05ecbb33a23662a40e7d51f9812aa8243c4506057f1f" + logic_hash = "51e2b03a9f9b92819bbf05ecbb33a23662a40e7d51f9812aa8243c4506057f1f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -105970,7 +105970,7 @@ rule ELASTIC_Windows_Ransomware_Hive_3Ed67Fe6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Hive.yar#L23-L45" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609" - logic_hash = "v1_sha256_a599f0d528bdbec00afa7e9a5cddec5e799ee755a7f30af70dde7d2459b70155" + logic_hash = "a599f0d528bdbec00afa7e9a5cddec5e799ee755a7f30af70dde7d2459b70155" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106003,7 +106003,7 @@ rule ELASTIC_Windows_Ransomware_Hive_B97Ec33B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Hive.yar#L47-L65" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609" - logic_hash = "v1_sha256_10034d9f53fd5099a423269e0c42c01eac18318f5d11599e1390912c8fd7af25" + logic_hash = "10034d9f53fd5099a423269e0c42c01eac18318f5d11599e1390912c8fd7af25" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106031,7 +106031,7 @@ rule ELASTIC_Linux_Trojan_Bluez_50E87Fa9 : FILE MEMORY reference = "1e526b6e3be273489afa8f0a3d50be233b97dc07f85815cc2231a87f5a651ef1" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Bluez.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_53754c538a7dea6f06e37980901350feddc3517821ea42544cb96e371709752f" + logic_hash = "53754c538a7dea6f06e37980901350feddc3517821ea42544cb96e371709752f" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106059,7 +106059,7 @@ rule ELASTIC_Windows_Ransomware_Maze_61254061 : BETA FILE MEMORY reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Maze.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_b8537add953cdd7bc6adbff97f7f5a94de028709f0bd71102ee96d26d55f4f20" + logic_hash = "b8537add953cdd7bc6adbff97f7f5a94de028709f0bd71102ee96d26d55f4f20" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -106089,7 +106089,7 @@ rule ELASTIC_Windows_Ransomware_Maze_46F40C40 : BETA FILE MEMORY reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Maze.yar#L23-L44" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_99180f41aaaf1dfb0a8a40709dcc392fdbc2b2d3a4d4b4a1ab160dd5f2b4c703" + logic_hash = "99180f41aaaf1dfb0a8a40709dcc392fdbc2b2d3a4d4b4a1ab160dd5f2b4c703" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -106120,7 +106120,7 @@ rule ELASTIC_Windows_Ransomware_Maze_20Caee5B : BETA FILE MEMORY reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Maze.yar#L46-L71" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_e09c059b285d2176aeba1a1f70d39f13cef4e05dc023c7db25fb9d92bd9a67d9" + logic_hash = "e09c059b285d2176aeba1a1f70d39f13cef4e05dc023c7db25fb9d92bd9a67d9" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" 
@@ -106155,7 +106155,7 @@ rule ELASTIC_Windows_Ransomware_Maze_F88F136F : BETA FILE MEMORY reference = "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Maze.yar#L73-L94" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_5587f332a076650f6ad7b1e3b464ef6085d960e6dacf53607cf75c9f9ad07628" + logic_hash = "5587f332a076650f6ad7b1e3b464ef6085d960e6dacf53607cf75c9f9ad07628" score = 75 quality = 75 tags = "BETA, FILE, MEMORY" @@ -106187,7 +106187,7 @@ rule ELASTIC_Linux_Trojan_Winnti_61215D98 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Winnti.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "cc1455e3a479602581c1c7dc86a0e02605a3c14916b86817960397d5a2f41c31" - logic_hash = "v1_sha256_051cc157f189094d25d45e66e410bdfd61ed7649a4c935d076cec1597c5debf5" + logic_hash = "051cc157f189094d25d45e66e410bdfd61ed7649a4c935d076cec1597c5debf5" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106215,7 +106215,7 @@ rule ELASTIC_Linux_Trojan_Winnti_4C5A1865 : FILE MEMORY reference = "0d963a713093fc8e5928141f5747640c9b43f3aadc8a5478c949f7ec364b28ad" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Winnti.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_69f6dcba59ec8cd7f4dfe853495a35601e35d74476fad9e18bef7685a68ece51" + logic_hash = "69f6dcba59ec8cd7f4dfe853495a35601e35d74476fad9e18bef7685a68ece51" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106243,7 +106243,7 @@ rule ELASTIC_Linux_Trojan_Winnti_6F4Ca425 : FILE MEMORY reference = "161af780209aa24845863f7a8120aa982aa811f16ec04bcd797ed165955a09c1" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Winnti.yar#L41-L59" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_a1ffc0e3d27c4bb9fd10f14d45b649b4f059c654b31449013ac06d0981ed25ed" + logic_hash = "a1ffc0e3d27c4bb9fd10f14d45b649b4f059c654b31449013ac06d0981ed25ed" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106271,7 +106271,7 @@ rule ELASTIC_Linux_Trojan_Winnti_De4B0F6E : FILE MEMORY reference = "a6b9b3ea19eaddd4d90e58c372c10bbe37dbfced638d167182be2c940e615710" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Winnti.yar#L61-L79" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_fb7b0ff4757dfc1ba2ca8585d5ddf14aae03063e10bdc2565443362c6ba37c30" + logic_hash = "fb7b0ff4757dfc1ba2ca8585d5ddf14aae03063e10bdc2565443362c6ba37c30" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106300,7 +106300,7 @@ rule ELASTIC_Windows_Hacktool_Safetykatz_072B7370 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SafetyKatz.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9" - logic_hash = "v1_sha256_cedd3ede487371a8e0d29804f2b81ae808c7ad01bd803fa39dc2c50e472cff43" + logic_hash = "cedd3ede487371a8e0d29804f2b81ae808c7ad01bd803fa39dc2c50e472cff43" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -106333,7 +106333,7 @@ rule ELASTIC_Windows_Trojan_Jupyter_56152E31 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Jupyter.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601" - logic_hash = "v1_sha256_7b32e9caca744f4f6b48aefa5fda111e6b7ac81a62dd1fb8873d2c800ac3c42b" + logic_hash = "7b32e9caca744f4f6b48aefa5fda111e6b7ac81a62dd1fb8873d2c800ac3c42b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106365,7 +106365,7 @@ rule ELASTIC_Windows_Trojan_Farfli_85D1Bcc9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Farfli.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e3e9ea1b547cc235e6f1a78b4ca620c69a54209f84c7de9af17eb5b02e9b58c3" - logic_hash = "v1_sha256_746eb5a2583077189d82d1a96b499ff383f31220845bd8a6df5b7a7ceb11e6fb" + logic_hash = "746eb5a2583077189d82d1a96b499ff383f31220845bd8a6df5b7a7ceb11e6fb" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106395,7 +106395,7 @@ rule ELASTIC_Windows_Vulndriver_Agent64_8Ef48Aeb : FILE license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748" hash = "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca" - logic_hash = "v1_sha256_a35f82202507e582e3cbc7018656545fcee1244ec1638a696f0b7c970fd5023c" + logic_hash = "a35f82202507e582e3cbc7018656545fcee1244ec1638a696f0b7c970fd5023c" score = 75 quality = 75 tags = "FILE" @@ -106429,7 +106429,7 @@ rule ELASTIC_Windows_Trojan_Formbook_1112E116 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Formbook.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a" - logic_hash = "v1_sha256_ec307a8681fa01fc0c7c0579b0e3eff10e7f373159ad58dae0a358ff16fbc10b" + logic_hash = "ec307a8681fa01fc0c7c0579b0e3eff10e7f373159ad58dae0a358ff16fbc10b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106460,7 +106460,7 @@ rule ELASTIC_Windows_Trojan_Formbook_772Cc62D : FILE MEMORY reference = "https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Formbook.yar#L25-L46" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_db9ab8df029856fc1c210499ed8e1b92c9722f7aa2264363670c47b51ec8fa83" + logic_hash = "db9ab8df029856fc1c210499ed8e1b92c9722f7aa2264363670c47b51ec8fa83" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106492,7 +106492,7 @@ rule ELASTIC_Windows_Trojan_Formbook_5799D1F2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Formbook.yar#L48-L67" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8555a6d313cb17f958fc2e08d6c042aaff9ceda967f8598ac65ab6333d14efd9" - logic_hash = "v1_sha256_8e61eabd11beb9fb35c016983cfb3085f5ceddfc8268522f3b48d20be5b5df6a" + logic_hash = "8e61eabd11beb9fb35c016983cfb3085f5ceddfc8268522f3b48d20be5b5df6a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106521,7 +106521,7 @@ rule ELASTIC_Linux_Ransomware_Blackbasta_96Eb3F20 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_BlackBasta.yar#L1-L25" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be" - logic_hash = "v1_sha256_a5e0b60ba51490f70af53c9fba91e3349c712bebb10574eb4bed028ab961ae74" + logic_hash = "a5e0b60ba51490f70af53c9fba91e3349c712bebb10574eb4bed028ab961ae74" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106556,7 +106556,7 @@ rule ELASTIC_Multi_Ransomware_Blackcat_Aaf312C3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_BlackCat.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479" - logic_hash = "v1_sha256_0771ab5a795af164a568bda036cccf08afeb33458f2cd5a7240349fca9b60ead" + logic_hash = "0771ab5a795af164a568bda036cccf08afeb33458f2cd5a7240349fca9b60ead" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106586,7 +106586,7 @@ rule ELASTIC_Multi_Ransomware_Blackcat_00E525D7 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_BlackCat.yar#L22-L43" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479" - logic_hash = "v1_sha256_e44625d0fa8308b9d4d63a9e6920b4da4a2ce124437f122b2c8fe5cf0ab85a6b" + logic_hash = "e44625d0fa8308b9d4d63a9e6920b4da4a2ce124437f122b2c8fe5cf0ab85a6b" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -106618,7 +106618,7 @@ rule ELASTIC_Multi_Ransomware_Blackcat_C4B043E6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_BlackCat.yar#L45-L63" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "45b8678f74d29c87e2d06410245ab6c2762b76190594cafc9543fb9db90f3d4f" - logic_hash = "v1_sha256_1262ca76581920f08a6482ead68023fdfff08a9ddd19e00230054e3167dc184c" + logic_hash = "1262ca76581920f08a6482ead68023fdfff08a9ddd19e00230054e3167dc184c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106647,7 +106647,7 @@ rule ELASTIC_Multi_Ransomware_Blackcat_70171625 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_BlackCat.yar#L65-L91" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479" - logic_hash = "v1_sha256_fd07acd7c8627754f000c44827848bf65bcaa96f2dfb46e41542f3c9b40eee78" + logic_hash = "fd07acd7c8627754f000c44827848bf65bcaa96f2dfb46e41542f3c9b40eee78" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106684,7 +106684,7 @@ rule ELASTIC_Multi_Ransomware_Blackcat_E066D802 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_BlackCat.yar#L93-L113" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "00360830bf5886288f23784b8df82804bf6f22258e410740db481df8a7701525" - logic_hash = "v1_sha256_00fbb8013faf26c35b6cd8a72ebc246444c37c5ec7a0df2295830e96c01c8720" + logic_hash = "00fbb8013faf26c35b6cd8a72ebc246444c37c5ec7a0df2295830e96c01c8720" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106715,7 +106715,7 @@ rule ELASTIC_Multi_Ransomware_Blackcat_0Ffb0A37 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_BlackCat.yar#L115-L134" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "57136b118a0d6d3c71e522ea53e3305dae58b51f06c29cd01c0c28fa0fa34287" - logic_hash = "v1_sha256_4f28281e4b23868c63438d4800b9e5978426e7c98b6142ef8082cfd251cafe57" + logic_hash = "4f28281e4b23868c63438d4800b9e5978426e7c98b6142ef8082cfd251cafe57" score = 75 quality = 73 tags = "FILE, MEMORY" @@ -106745,7 +106745,7 @@ rule ELASTIC_Linux_Trojan_Zerobot_185E2396 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Zerobot.yar#L1-L26" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f" - logic_hash = "v1_sha256_caa21cc019d8e4549d976f8b4f98d930ef7acf4c39c41956ae35fa78c975e016" + logic_hash = "caa21cc019d8e4549d976f8b4f98d930ef7acf4c39c41956ae35fa78c975e016" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106781,7 +106781,7 @@ rule ELASTIC_Linux_Trojan_Zerobot_3A5B56Dd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Zerobot.yar#L28-L51" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f" - logic_hash = "v1_sha256_2491fff4ad0327e0440d842f221fb6623c8efd97e2991bf2090abceaef9c2ccf" + logic_hash = "2491fff4ad0327e0440d842f221fb6623c8efd97e2991bf2090abceaef9c2ccf" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106815,7 +106815,7 @@ rule ELASTIC_Linux_Trojan_Bedevil_A1A72C39 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Bedevil.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "017a9d7290cf327444d23227518ab612111ca148da7225e64a9f6ebd253449ab" - logic_hash = "v1_sha256_227adcc340c38cebf56ea2f39b483c965dd46827d83afe5f866ca844c932da76" + logic_hash = "227adcc340c38cebf56ea2f39b483c965dd46827d83afe5f866ca844c932da76" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106844,7 +106844,7 @@ rule ELASTIC_Windows_Trojan_Stormkitty_6256031A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_StormKitty.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0c69015f534d1da3770dbc14183474a643c4332de6a599278832abd2b15ba027" - logic_hash = "v1_sha256_a797e87eaf5b173da9dd43fcff03b3d26198dcafa29c3f2ca369773c73001234" + logic_hash = "a797e87eaf5b173da9dd43fcff03b3d26198dcafa29c3f2ca369773c73001234" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106878,7 +106878,7 @@ rule ELASTIC_Windows_Trojan_Doorme_246Eda61 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_DoorMe.yar#L1-L25" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "96b226e1dcfb8ea2155c2fa508125472c8c767569d009a881ab4c39453e4fe7f" - logic_hash = "v1_sha256_01240f2e23904498c34ec805cc8bc3e9ac7b76c6519685ef6b367066f1a0bc5b" + logic_hash = "01240f2e23904498c34ec805cc8bc3e9ac7b76c6519685ef6b367066f1a0bc5b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106912,7 +106912,7 @@ rule ELASTIC_Linux_Hacktool_Lightning_D9A9173A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Lightning.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7" - logic_hash = "v1_sha256_93961d9771aa4e828e15923064a848291c7814ad4e15e30cd252fc41523d789e" + logic_hash = "93961d9771aa4e828e15923064a848291c7814ad4e15e30cd252fc41523d789e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -106944,7 +106944,7 @@ rule ELASTIC_Linux_Hacktool_Lightning_E87C9D50 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Lightning.yar#L25-L48" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e" - logic_hash = "v1_sha256_455ecf97e7becaf9c40843f8a3f60ec233d35e0061c6994f168428a8835c1b20" + logic_hash = "455ecf97e7becaf9c40843f8a3f60ec233d35e0061c6994f168428a8835c1b20" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -106977,7 +106977,7 @@ rule ELASTIC_Linux_Hacktool_Lightning_3Bcac358 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Lightning.yar#L50-L72" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237" - logic_hash = "v1_sha256_f260372b9f2ea32f93ff7a30dc8239766e713a1e177a483444b14538741c24af" + logic_hash = "f260372b9f2ea32f93ff7a30dc8239766e713a1e177a483444b14538741c24af" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107009,7 +107009,7 @@ rule ELASTIC_Windows_Trojan_Qbot_D91C1384 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Qbot.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "18ac3870aaa9aaaf6f4a5c0118daa4b43ad93d71c38bf42cb600db3d786c6dda" - logic_hash = "v1_sha256_8fd8249a2af236c92ccbc20b2a8380f69ca75976bd64bad167828e9ab4c6ed90" + logic_hash = "8fd8249a2af236c92ccbc20b2a8380f69ca75976bd64bad167828e9ab4c6ed90" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -107038,7 +107038,7 @@ rule ELASTIC_Windows_Trojan_Qbot_7D5Dc64A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Qbot.yar#L22-L42" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "a2bacde7210d88675564106406d9c2f3b738e2b1993737cb8bf621b78a9ebf56" - logic_hash = "v1_sha256_5c8858502050494ab20a230f04c2c1cb4bfcd80f4a248dad82787d7ce67c741d" + logic_hash = "5c8858502050494ab20a230f04c2c1cb4bfcd80f4a248dad82787d7ce67c741d" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -107068,7 +107068,7 @@ rule ELASTIC_Windows_Trojan_Qbot_6Fd34691 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Qbot.yar#L44-L64"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0838cd11d6f504203ea98f78cac8f066eb2096a2af16d27fb9903484e7e6a689"
- logic_hash = "v1_sha256_9422d9f276f0c8c2990ece3282d918abc6fcce7eeb6809d46ae6b768a501a877"
+ logic_hash = "9422d9f276f0c8c2990ece3282d918abc6fcce7eeb6809d46ae6b768a501a877"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107098,7 +107098,7 @@ rule ELASTIC_Windows_Trojan_Qbot_3074A8D4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Qbot.yar#L66-L97"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a"
- logic_hash = "v1_sha256_90c06bd09fe640bb5a6be8e4f2384fb15c7501674d57db005e790ed336740c99"
+ logic_hash = "90c06bd09fe640bb5a6be8e4f2384fb15c7501674d57db005e790ed336740c99"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107139,7 +107139,7 @@ rule ELASTIC_Windows_Trojan_Qbot_1Ac22A26 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Qbot.yar#L99-L136"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "c2ba065654f13612ae63bca7f972ea91c6fe97291caeaaa3a28a180fb1912b3a"
- logic_hash = "v1_sha256_d9beaf4a8c28a0b3c38dda6bf22a96b8c96ef715bd36de880504a9f970338fe2"
+ logic_hash = "d9beaf4a8c28a0b3c38dda6bf22a96b8c96ef715bd36de880504a9f970338fe2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107186,7 +107186,7 @@ rule ELASTIC_Windows_Vulndriver_Elby_65B09743 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Elby.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b"
- logic_hash = "v1_sha256_7c7438520b238daf38d4ac91cbdee48bbfa9c85bd76208a436ce59edcfcecb80"
+ logic_hash = "7c7438520b238daf38d4ac91cbdee48bbfa9c85bd76208a436ce59edcfcecb80"
 score = 75
 quality = 75
 tags = "FILE"
@@ -107217,7 +107217,7 @@ rule ELASTIC_Multi_Trojan_Merlin_32643F4C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Trojan_Merlin.yar#L1-L28"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "84b988c4656677bc021e23df2a81258212d9ceba13be204867ac1d9d706404e2"
- logic_hash = "v1_sha256_7de2deec0e2c7fd3ce2b42762f88bfe87cb4ffb02b697953aa1716425d6f1612"
+ logic_hash = "7de2deec0e2c7fd3ce2b42762f88bfe87cb4ffb02b697953aa1716425d6f1612"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107255,7 +107255,7 @@ rule ELASTIC_Linux_Proxy_Frp_4213778F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Proxy_Frp.yar#L1-L28"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "16294086be1cc853f75e864a405f31e2da621cb9d6a59f2a71a2fca4e268b6c2"
- logic_hash = "v1_sha256_83eeb632026c38ac08357c27d971da31fbc9a0500ecf489e8332ac5862a77b85"
+ logic_hash = "83eeb632026c38ac08357c27d971da31fbc9a0500ecf489e8332ac5862a77b85"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107293,7 +107293,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_28B13E67 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0b50a38749ea8faf571169ebcfce3dfd668eaefeb9a91d25a96e6b3881e4a3e8"
- logic_hash = "v1_sha256_586ae19e570c51805afd3727b2e570cdb1c48344aa699e54774a708f02bc3a6f"
+ logic_hash = "586ae19e570c51805afd3727b2e570cdb1c48344aa699e54774a708f02bc3a6f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107322,7 +107322,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_75C8Cb4E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3d69912e19758958e1ebdef5e12c70c705d7911c3b9df03348c5d02dd06ebe4e"
- logic_hash = "v1_sha256_527fecb8460c0325c009beddd6992e0abbf8c5a05843e4cedf3b17deb4b19a1c"
+ logic_hash = "527fecb8460c0325c009beddd6992e0abbf8c5a05843e4cedf3b17deb4b19a1c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107351,7 +107351,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_17B564B4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "94f6e5ee6eb3a191faaf332ea948301bbb919f4ec6725b258e4f8e07b6a7881d"
- logic_hash = "v1_sha256_40cd2a793c8ed51a8191ecb9b358f50dc2035d997d0f773f6049f9c272291607"
+ logic_hash = "40cd2a793c8ed51a8191ecb9b358f50dc2035d997d0f773f6049f9c272291607"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107380,7 +107380,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_C90C088A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "875513f4ebeb63b9e4d82fb5bff2b2dc75b69c0bfa5dd8d2895f22eaa783f372"
- logic_hash = "v1_sha256_c82c5c8d1e38e0d2631c5611e384eb49b58c64daeafe0cc642682e5c64686b60"
+ logic_hash = "c82c5c8d1e38e0d2631c5611e384eb49b58c64daeafe0cc642682e5c64686b60"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107409,7 +107409,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_3965578D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d72543505e36db40e0ccbf14f4ce3853b1022a8aeadd96d173d84e068b4f68fa"
- logic_hash = "v1_sha256_6bd24640e0a3aa152fcd90b6975ee4fb7e99ab5f2d48d3a861bc804c526c90b6"
+ logic_hash = "6bd24640e0a3aa152fcd90b6975ee4fb7e99ab5f2d48d3a861bc804c526c90b6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107438,7 +107438,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_00D9D0E9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "73069b34e513ff1b742b03fed427dc947c22681f30cf46288a08ca545fc7d7dd"
- logic_hash = "v1_sha256_535831872408caa27984190d1b1b1a5954e502265925d50457e934219598dbfd"
+ logic_hash = "535831872408caa27984190d1b1b1a5954e502265925d50457e934219598dbfd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107467,7 +107467,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_650B8Ff4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L121-L139"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "78fd2c4afd7e810d93d91811888172c4788a0a2af0b88008573ce8b6b819ae5a"
- logic_hash = "v1_sha256_e8a706db010e9c3d9714d5e7a376e9b2189af382a7b01db9a9e7ee947e9637bb"
+ logic_hash = "e8a706db010e9c3d9714d5e7a376e9b2189af382a7b01db9a9e7ee947e9637bb"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107496,7 +107496,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_C8Ad7Edd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L141-L159"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d4915473e1096a82afdaee405189a0d0ae961bd11a9e5e9adc420dd64cb48c24"
- logic_hash = "v1_sha256_be09b4bd612bb499044fe91ca4e1ab62405cf1e4d75b8e1da90e326d1c66e04f"
+ logic_hash = "be09b4bd612bb499044fe91ca4e1ab62405cf1e4d75b8e1da90e326d1c66e04f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107525,7 +107525,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_Cb7344Eb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L161-L179"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "53373668d8c5dc17f58768bf59fb5ab6d261a62d0950037f0605f289102e3e56"
- logic_hash = "v1_sha256_6b5e868dfd14e9b1cdf3caeb1216764361b28c1dd38849526baf5dbdb1020d8d"
+ logic_hash = "6b5e868dfd14e9b1cdf3caeb1216764361b28c1dd38849526baf5dbdb1020d8d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107554,7 +107554,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_753E5738 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L181-L199"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "42aeea232b28724d1fa6e30b1aeb8f8b8c22e1bc8afd1bbb4f90e445e31bdfe9"
- logic_hash = "v1_sha256_7a6907b51c793e4182c1606eab6f2bcb71f0350a34aef93fa3f3a9f1a49961ba"
+ logic_hash = "7a6907b51c793e4182c1606eab6f2bcb71f0350a34aef93fa3f3a9f1a49961ba"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107583,7 +107583,7 @@ rule ELASTIC_Macos_Trojan_Bundlore_7B9F0C28 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Bundlore.yar#L201-L219"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fc4da125fed359d3e1740dafaa06f4db1ffc91dbf22fd5e7993acf8597c4c283"
- logic_hash = "v1_sha256_32abbb76c866e3a555ee6a9c39f62a0712f641959b66068abfb4379baa9a9da9"
+ logic_hash = "32abbb76c866e3a555ee6a9c39f62a0712f641959b66068abfb4379baa9a9da9"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107612,7 +107612,7 @@ rule ELASTIC_Windows_Hacktool_Sharprdp_80895Fcb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpRDP.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6e909861781a8812ee01bc59435fd73fd34da23fa9ad6d699eefbf9f84629876"
- logic_hash = "v1_sha256_ef9a92f2ed29f508dca591e9c65a6ce0013ccdfd0c62770e8840be2f3ee5982e"
+ logic_hash = "ef9a92f2ed29f508dca591e9c65a6ce0013ccdfd0c62770e8840be2f3ee5982e"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -107645,7 +107645,7 @@ rule ELASTIC_Windows_Trojan_Diceloader_B32C6B99 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Diceloader.yar#L1-L25"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a3b3f56a61c6dc8ba2aa25bdd9bd7dc2c5a4602c2670431c5cbc59a76e2b4c54"
- logic_hash = "v1_sha256_f9e023f340edc4c46b2926e750c2ad3a3798e34415e43c0ea2d83073e3dc526a"
+ logic_hash = "f9e023f340edc4c46b2926e750c2ad3a3798e34415e43c0ea2d83073e3dc526a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107680,7 +107680,7 @@ rule ELASTIC_Windows_Trojan_Diceloader_15Eeb7B9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Diceloader.yar#L27-L46"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746"
- logic_hash = "v1_sha256_f1ab9ad69f9ea75343c7404b82a3f7a4976a442b980a98fe5b95c55d4f9cb34e"
+ logic_hash = "f1ab9ad69f9ea75343c7404b82a3f7a4976a442b980a98fe5b95c55d4f9cb34e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107710,7 +107710,7 @@ rule ELASTIC_Windows_Trojan_Gozi_Fd494041 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Gozi.yar#L1-L32"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237"
- logic_hash = "v1_sha256_fdd18817e7377f1b4006d3bf135d924b8ead62a461ea56f57157b2856ba6846b"
+ logic_hash = "fdd18817e7377f1b4006d3bf135d924b8ead62a461ea56f57157b2856ba6846b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107752,7 +107752,7 @@ rule ELASTIC_Windows_Trojan_Gozi_261F5Ac5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Gozi.yar#L34-L60"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f"
- logic_hash = "v1_sha256_23a7427e162e2f77ee0a281fe4bc54eab29a3bdca8e51015147e8eb223e7e2f7"
+ logic_hash = "23a7427e162e2f77ee0a281fe4bc54eab29a3bdca8e51015147e8eb223e7e2f7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -107788,7 +107788,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_C851687A : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L1-L37"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7fac6fb24ac18bd69dd9f8f4090c4a77d1cc6554b6ae5c846e32d7666e5a1971"
+ logic_hash = "7fac6fb24ac18bd69dd9f8f4090c4a77d1cc6554b6ae5c846e32d7666e5a1971"
 score = 75
 quality = 25
 tags = "FILE, MEMORY"
@@ -107835,7 +107835,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_0B58325E : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L39-L77"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_3822431e946fcc38c700cc8ce213e95f33a155d7f38b6ab2a24cb998d42c8521"
+ logic_hash = "3822431e946fcc38c700cc8ce213e95f33a155d7f38b6ab2a24cb998d42c8521"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -107884,7 +107884,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_2B8Cddf8 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L79-L114"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_5502c06d33b93bae3bc25ba7dd6a5a9a3b0b2b43bb7e867e601ecb206bf503ed"
+ logic_hash = "5502c06d33b93bae3bc25ba7dd6a5a9a3b0b2b43bb7e867e601ecb206bf503ed"
 score = 75
 quality = 43
 tags = "FILE, MEMORY"
@@ -107930,7 +107930,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_59B44767 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L116-L142"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7027d0dcbdb1961d2604f29392a923957d298a047c268553599ea8c881f76a98"
+ logic_hash = "7027d0dcbdb1961d2604f29392a923957d298a047c268553599ea8c881f76a98"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -107967,7 +107967,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7Efd3C3F : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L144-L168"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_45a0aaba6c1be016fc5f4051680ee7e3aa62e8a5d9730b7adab08c14ae37da24"
+ logic_hash = "45a0aaba6c1be016fc5f4051680ee7e3aa62e8a5d9730b7adab08c14ae37da24"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108002,7 +108002,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_6E971281 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L170-L201"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_f204965c0118dbdfe7e134d319c92b30d22585e888609ff31df90643116a2c38"
+ logic_hash = "f204965c0118dbdfe7e134d319c92b30d22585e888609ff31df90643116a2c38"
 score = 75
 quality = 51
 tags = "FILE, MEMORY"
@@ -108044,7 +108044,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_09B79Efa : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L203-L232"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_75fd003b9adf03aff8479b1b10da9c94955870b5fa4f1958f870e14acb2793c7"
+ logic_hash = "75fd003b9adf03aff8479b1b10da9c94955870b5fa4f1958f870e14acb2793c7"
 score = 75
 quality = 48
 tags = "FILE, MEMORY"
@@ -108084,7 +108084,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_6E77233E : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L234-L269"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_93aa11523b794402b257d02d4f9edc5ad320bfdb5b8b0f671ff08f399ef9e674"
+ logic_hash = "93aa11523b794402b257d02d4f9edc5ad320bfdb5b8b0f671ff08f399ef9e674"
 score = 75
 quality = 63
 tags = "FILE, MEMORY"
@@ -108130,7 +108130,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_De42495A : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L271-L301"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_2a13c73d221d80d25a432f9e0a1387153a78f58719066586e9d80d17613293ef"
+ logic_hash = "2a13c73d221d80d25a432f9e0a1387153a78f58719066586e9d80d17613293ef"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108171,7 +108171,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_72F68375 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L303-L328"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_912e37829a9f99e00326745343c9e4593cd7cfb8d4dfafc66027cddcb4d883be"
+ logic_hash = "912e37829a9f99e00326745343c9e4593cd7cfb8d4dfafc66027cddcb4d883be"
 score = 75
 quality = 63
 tags = "FILE, MEMORY"
@@ -108207,7 +108207,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_15F680Fb : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L330-L360"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_0efe368ad82f5b0f6301121bfda9fd049b008ac246368bfa22bd976fa2c56b79"
+ logic_hash = "0efe368ad82f5b0f6301121bfda9fd049b008ac246368bfa22bd976fa2c56b79"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108248,7 +108248,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_5B4383Ec : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L362-L392"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_033bd831209958674f6309739d65c58d05acb9d17e53cede1cf171c6d6e84efa"
+ logic_hash = "033bd831209958674f6309739d65c58d05acb9d17e53cede1cf171c6d6e84efa"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108289,7 +108289,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_91E08059 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L394-L421"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d5a8c1a0baa5e915cff29bcac33e30a7d7260f938ecaa6171d3aa88425a69266"
+ logic_hash = "d5a8c1a0baa5e915cff29bcac33e30a7d7260f938ecaa6171d3aa88425a69266"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108327,7 +108327,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_Ee756Db7 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L423-L491"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_8d594aa1b889e80000cfcedbfc470a1b768bdcc2a9c436cd449b495c91011918"
+ logic_hash = "8d594aa1b889e80000cfcedbfc470a1b768bdcc2a9c436cd449b495c91011918"
 score = 75
 quality = 50
 tags = "FILE, MEMORY"
@@ -108406,7 +108406,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_9C0D5561 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L493-L523"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_a8929266950e0f540a68c4fedf708e8ddc27f208f9f2866245ad7bb7f6d87913"
+ logic_hash = "a8929266950e0f540a68c4fedf708e8ddc27f208f9f2866245ad7bb7f6d87913"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108447,7 +108447,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_59Ed9124 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L525-L560"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_a50fd291f5f1bf7ec41b1938a32473a23c3c082018b86eab87aff0d95b26ba06"
+ logic_hash = "a50fd291f5f1bf7ec41b1938a32473a23c3c082018b86eab87aff0d95b26ba06"
 score = 75
 quality = 43
 tags = "FILE, MEMORY"
@@ -108493,7 +108493,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8A791Eb7 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L562-L597"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_d1765e6cac9b1560d6484baa1fa5a1bc0b768a72b389c7c6a60e34115669933e"
+ logic_hash = "d1765e6cac9b1560d6484baa1fa5a1bc0b768a72b389c7c6a60e34115669933e"
 score = 75
 quality = 43
 tags = "FILE, MEMORY"
@@ -108539,7 +108539,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_D00573A3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L599-L625"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e458d41d28b76c989af6385f183f33aa9e11b93e529f032e95bd75433b80bd69"
+ logic_hash = "e458d41d28b76c989af6385f183f33aa9e11b93e529f032e95bd75433b80bd69"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108576,7 +108576,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7Bcd759C : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L627-L648"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_bfbb8e8009182e87c49242ec3da6e98b23447b646f5c7ea5f97196ae929d7c5f"
+ logic_hash = "bfbb8e8009182e87c49242ec3da6e98b23447b646f5c7ea5f97196ae929d7c5f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108608,7 +108608,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_A56B820F : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L650-L685"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_52de8110727c29b0f5c75cd470ce6b80ba7821d0ba78ad074536323e2e80b460"
+ logic_hash = "52de8110727c29b0f5c75cd470ce6b80ba7821d0ba78ad074536323e2e80b460"
 score = 75
 quality = 43
 tags = "FILE, MEMORY"
@@ -108654,7 +108654,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_92F05172 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L687-L716"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_7f0ff4ee14a043d72810826ab9d2b90b0f66724550ba9d3cdd2abe749f4874d0"
+ logic_hash = "7f0ff4ee14a043d72810826ab9d2b90b0f66724550ba9d3cdd2abe749f4874d0"
 score = 75
 quality = 63
 tags = "FILE, MEMORY"
@@ -108694,7 +108694,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_417239B5 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L718-L764"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_fda252747359e677459d82d65c4c9c8f2ff80bc8fd6a38712f858039f3cb8dd1"
+ logic_hash = "fda252747359e677459d82d65c4c9c8f2ff80bc8fd6a38712f858039f3cb8dd1"
 score = 75
 quality = 51
 tags = "FILE, MEMORY"
@@ -108751,7 +108751,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_29374056 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L766-L785"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_09755b23a7057c70f3ea242ec48549de65ebc6f13bdc38cbe22d6d758c3718cf"
+ logic_hash = "09755b23a7057c70f3ea242ec48549de65ebc6f13bdc38cbe22d6d758c3718cf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108781,7 +108781,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_949F10E3 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L787-L806"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_e4b726c83013f4b9c9d61683f78a4a91935225e9ed3de0ce164b96b5a6719579"
+ logic_hash = "e4b726c83013f4b9c9d61683f78a4a91935225e9ed3de0ce164b96b5a6719579"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108811,7 +108811,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8751Cdf9 : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L808-L827"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_64fae95fd89ad46a50a00c943cf98a997a0842a83be64b3728b25151867b75a8"
+ logic_hash = "64fae95fd89ad46a50a00c943cf98a997a0842a83be64b3728b25151867b75a8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108841,7 +108841,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_663Fc95D : FILE MEMORY
 reference = "https://github.com/elastic/protections-artifacts/"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L829-L847"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_842a0a372cfb2316293f4a08e1690194fa98368a9f6ffe9c63222b2c4ab6532c"
+ logic_hash = "842a0a372cfb2316293f4a08e1690194fa98368a9f6ffe9c63222b2c4ab6532c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108871,7 +108871,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_B54B94Ac : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L849-L872"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
- logic_hash = "v1_sha256_6f63e4c31e55da2008f95e9d05391e40d44e2757c511e666032563ab798e274c"
+ logic_hash = "6f63e4c31e55da2008f95e9d05391e40d44e2757c511e666032563ab798e274c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108905,7 +108905,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_F0B627Fc : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L874-L897"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b"
- logic_hash = "v1_sha256_1087294af3a9ef59c00098f5fd7adfe0b335525e135d95e45ac30e44c6739a72"
+ logic_hash = "1087294af3a9ef59c00098f5fd7adfe0b335525e135d95e45ac30e44c6739a72"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108939,7 +108939,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_Dcdcdd8C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L899-L923"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
- logic_hash = "v1_sha256_f3ae07282b763d3720e45a84878cc457f65041f381951cdc9affd5e3ce67e6cc"
+ logic_hash = "f3ae07282b763d3720e45a84878cc457f65041f381951cdc9affd5e3ce67e6cc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -108974,7 +108974,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_A3Fb2616 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L925-L947"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
- logic_hash = "v1_sha256_a3c36326ccc2bc828f6654ccaba507a283f92146fdc52f71d7d934f6908793e2"
+ logic_hash = "a3c36326ccc2bc828f6654ccaba507a283f92146fdc52f71d7d934f6908793e2"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109007,7 +109007,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8Ee55Ee5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L949-L969"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
- logic_hash = "v1_sha256_d0cc321e15660311ae0b8e3261abe716a50a2455f82635c1b02d0a5444c8a89a"
+ logic_hash = "d0cc321e15660311ae0b8e3261abe716a50a2455f82635c1b02d0a5444c8a89a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109038,7 +109038,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_8D5963A2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L971-L989"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9fe43996a5c4e99aff6e2a1be743fedec35e96d1e6670579beb4f7e7ad591af9"
- logic_hash = "v1_sha256_f4f8fba807256bd885ccf4946eec8c2fb76eb04f86ed76d015178fe512a3c091"
+ logic_hash = "f4f8fba807256bd885ccf4946eec8c2fb76eb04f86ed76d015178fe512a3c091"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109067,7 +109067,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_1787Eef5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L991-L1014"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a"
- logic_hash = "v1_sha256_0b70c61e986dee3126fec6eea127e01fce4b647aff8e2d2d5072eb8328549225"
+ logic_hash = "0b70c61e986dee3126fec6eea127e01fce4b647aff8e2d2d5072eb8328549225"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109101,7 +109101,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_4106070A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L1016-L1035"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "98789a11c06c1dfff7e02f66146afca597233c17e0d4900d6a683a150f16b3a4"
- logic_hash = "v1_sha256_90f0209a55ca381ca58264664e04c007c799cf558f143d0c02983d4caf47bfb8"
+ logic_hash = "90f0209a55ca381ca58264664e04c007c799cf558f143d0c02983d4caf47bfb8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109131,7 +109131,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_3Dc22D14 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L1037-L1056"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7898194ae0244611117ec948eb0b0a5acbc15cd1419b1ecc553404e63bc519f9"
- logic_hash = "v1_sha256_2f52cd5f3b782c28e372c3daa9b7ddc4d2b9f68832f5250983412c2e7a755e73"
+ logic_hash = "2f52cd5f3b782c28e372c3daa9b7ddc4d2b9f68832f5250983412c2e7a755e73"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109161,7 +109161,7 @@ rule ELASTIC_Windows_Trojan_Cobaltstrike_7F8Da98A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_CobaltStrike.yar#L1058-L1076"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e3bc2bec4a55ad6cfdf49e5dbd4657fc704af1758ca1d6e31b83dcfb8bf0f89d"
- logic_hash = "v1_sha256_6c8698d65cbbf893f79ca1de5273535891418c87c234a2542f5f8079e56d9507"
+ logic_hash = "6c8698d65cbbf893f79ca1de5273535891418c87c234a2542f5f8079e56d9507"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -109190,7 +109190,7 @@ rule ELASTIC_Windows_Exploit_Perfusion_5Ab5Ddee : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_Perfusion.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7fdef25acb0d1447203b9768ae58a8e21db24816c602b160d105dab86ae34728"
- logic_hash = "v1_sha256_490f3fc89cf78dbe82f1feb012a147a8d187612720efb6e1eb4e97720b26ee59"
+ logic_hash = "490f3fc89cf78dbe82f1feb012a147a8d187612720efb6e1eb4e97720b26ee59"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109222,7 +109222,7 @@ rule ELASTIC_Linux_Exploit_Courier_190258Dd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Courier.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "349866d0fb81d07a35b53eac6f11176721629bbd692526851e483eaa83d690c3"
- logic_hash = "v1_sha256_c318d78a11a021334c84a21db2be6d7df57440a1f3ad6feaaff9cc95ebf6f716"
+ logic_hash = "c318d78a11a021334c84a21db2be6d7df57440a1f3ad6feaaff9cc95ebf6f716"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109251,7 +109251,7 @@ rule ELASTIC_Linux_Trojan_Kaiji_253C44De : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kaiji.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "e31eb8880bb084b4c642eba127e64ce99435ea8299a98c183a63a2e6a139d926"
- logic_hash = "v1_sha256_81a07f60765f50c58b2c0f0153367ee570f36c579e9f88fb2f0e49ae5c08773f"
+ logic_hash = "81a07f60765f50c58b2c0f0153367ee570f36c579e9f88fb2f0e49ae5c08773f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109280,7 +109280,7 @@ rule ELASTIC_Linux_Trojan_Kaiji_535F07Ac : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kaiji.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "28b2993d7c8c1d8dfce9cd2206b4a3971d0705fd797b9fde05211686297f6bb0"
- logic_hash = "v1_sha256_539977c1076b71873135cfe02153da87c0e9ac17122f04570977a22c92d2694f"
+ logic_hash = "539977c1076b71873135cfe02153da87c0e9ac17122f04570977a22c92d2694f"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109309,7 +109309,7 @@ rule ELASTIC_Linux_Trojan_Kaiji_Dcf6565E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kaiji.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "49f3086105bdc160248e66334db00ce37cdc9167a98faac98800b2c97515b6e7"
- logic_hash = "v1_sha256_2bc943e100548e9aacd97930b3230353be760c8a292dbbbd1d0b5646f647c4fe"
+ logic_hash = "2bc943e100548e9aacd97930b3230353be760c8a292dbbbd1d0b5646f647c4fe"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109338,7 +109338,7 @@ rule ELASTIC_Linux_Trojan_Kaiji_91091Be3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Kaiji.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dca574d13fcbd7d244d434fcbca68136e0097fefc5f131bec36e329448f9a202"
- logic_hash = "v1_sha256_3b55cb3be5775311af4dc90f9624448d30cc58ef1a42729f6ca4eb3b36ad8b06"
+ logic_hash = "3b55cb3be5775311af4dc90f9624448d30cc58ef1a42729f6ca4eb3b36ad8b06"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109367,7 +109367,7 @@ rule ELASTIC_Windows_Trojan_Svcready_Af498D39 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_SVCReady.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "08e427c92010a8a282c894cf5a77a874e09c08e283a66f1905c131871cc4d273"
- logic_hash = "v1_sha256_e3520103064cf82cd1747f8889667929d23466c9febfda7e4968a3679db97d71"
+ logic_hash = "e3520103064cf82cd1747f8889667929d23466c9febfda7e4968a3679db97d71"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109400,7 +109400,7 @@ rule ELASTIC_Windows_Exploit_Dcom_7A1Bcec7 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_Dcom.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "84073caf71d0e0523adeb96169c85b8f0bfea09e7ef3bf677bfc19d3b536d8a5"
- logic_hash = "v1_sha256_484576ab5369f99dc7086d724ead12d464f2bedaf84c93b74e137ddd98600b06"
+ logic_hash = "484576ab5369f99dc7086d724ead12d464f2bedaf84c93b74e137ddd98600b06"
 score = 75
 quality = 73
 tags = "FILE"
@@ -109429,7 +109429,7 @@ rule ELASTIC_Linux_Rootkit_Diamorphine_716C7Ffa : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Diamorphine.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01fb490fbe2c2b5368cc227abd97e011e83b5e99bb80945ef599fc80e85f8545"
- logic_hash = "v1_sha256_29ae87a563085ff0e4821a994ede16fa3f6fec693418c2e92ac90b839fcfa7cf"
+ logic_hash = "29ae87a563085ff0e4821a994ede16fa3f6fec693418c2e92ac90b839fcfa7cf"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109462,7 +109462,7 @@ rule ELASTIC_Linux_Rootkit_Diamorphine_66Eb93C7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Diamorphine.yar#L25-L54"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "01fb490fbe2c2b5368cc227abd97e011e83b5e99bb80945ef599fc80e85f8545"
- logic_hash = "v1_sha256_26063aacb585825f5d6b56d0d671e94efb273605175f4164d271c8edfdbc150a"
+ logic_hash = "26063aacb585825f5d6b56d0d671e94efb273605175f4164d271c8edfdbc150a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109501,7 +109501,7 @@ rule ELASTIC_Windows_Ransomware_Phobos_A5420148 : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Phobos.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_9fcfe41102bee4f8ecf19f30d0bbb2de50e1a1aff4e17c587b5d9adb417527c5"
+ logic_hash = "9fcfe41102bee4f8ecf19f30d0bbb2de50e1a1aff4e17c587b5d9adb417527c5"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -109532,7 +109532,7 @@ rule ELASTIC_Windows_Ransomware_Phobos_Ff55774D : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Phobos.yar#L24-L43"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_9ee41b9638a8cc1d9f9b254878c935c531b2f599be59550b3617b1de8cba2ba5"
+ logic_hash = "9ee41b9638a8cc1d9f9b254878c935c531b2f599be59550b3617b1de8cba2ba5"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -109561,7 +109561,7 @@ rule ELASTIC_Windows_Ransomware_Phobos_11Ea7Be5 : BETA FILE MEMORY
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Phobos.yar#L45-L64"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_1f86695f316200c92d0d02f5f3ba9f68854978f98db5d4291a81c06c9f0b8d28"
+ logic_hash = "1f86695f316200c92d0d02f5f3ba9f68854978f98db5d4291a81c06c9f0b8d28"
 score = 75
 quality = 75
 tags = "BETA, FILE, MEMORY"
@@ -109591,7 +109591,7 @@ rule ELASTIC_Linux_Exploit_CVE_2012_0056_06B2Dff5 : FILE MEMORY CVE_2012_0056
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "168b3fb1c675ab76224c641e228434495160502a738b64172c679e8ce791ac17"
- logic_hash = "v1_sha256_4361e6e74d6678d9e0823b23a7a2e4ae84119142cad319950154f806115845d5"
+ logic_hash = "4361e6e74d6678d9e0823b23a7a2e4ae84119142cad319950154f806115845d5"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2012-0056"
@@ -109620,7 +109620,7 @@ rule ELASTIC_Linux_Exploit_CVE_2012_0056_B39839F4 : FILE MEMORY CVE_2012_0056
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cf569647759e011ff31d8626cea65ed506e8d0ef1d26f3bbb7c02a4060ce58dc"
- logic_hash = "v1_sha256_553111c64d8abfc3688a88dd95088de0ea7e92f68592e9a778f8041b40071e84"
+ logic_hash = "553111c64d8abfc3688a88dd95088de0ea7e92f68592e9a778f8041b40071e84"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2012-0056"
@@ -109649,7 +109649,7 @@ rule ELASTIC_Linux_Exploit_CVE_2012_0056_A1E53450 : FILE MEMORY CVE_2012_0056
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2012_0056.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "15a4d149e935758199f6df946ff889e12097f5fec4ef450e9cbd554d1efbd5e6"
- logic_hash = "v1_sha256_f2ab5de83c36a9a834e41c8f6fdccd0dffdeb384adf7b1e1098e86a2ac52df18"
+ logic_hash = "f2ab5de83c36a9a834e41c8f6fdccd0dffdeb384adf7b1e1098e86a2ac52df18"
 score = 75
 quality = 75
 tags = "FILE, MEMORY, CVE-2012-0056"
@@ -109678,7 +109678,7 @@ rule ELASTIC_Windows_Hacktool_Sharpapplocker_9645Cf22 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_SharpAppLocker.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "0f7390905abc132889f7b9a6d5b42701173aafbff5b8f8882397af35d8c10965"
- logic_hash = "v1_sha256_cb72ecf7715b288acddac51dab091d84c64e3bd30276cba38a0d773e6693875c"
+ logic_hash = "cb72ecf7715b288acddac51dab091d84c64e3bd30276cba38a0d773e6693875c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -109710,7 +109710,7 @@ rule ELASTIC_Linux_Exploit_CVE_2021_3156_F3Fb10Cd : FILE CVE_2021_3156
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2021_3156.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "65fb8baa5ec3bfb4473e4b2f565b461dd59989d43c72b1c5ec2e1a68baa8b51a"
- logic_hash = "v1_sha256_cc80e0b2355877cd9ceecae19d4dcebb641d90a24c0751bf706134b31bf26750"
+ logic_hash = "cc80e0b2355877cd9ceecae19d4dcebb641d90a24c0751bf706134b31bf26750"
 score = 75
 quality = 75
 tags = "FILE, CVE-2021-3156"
@@ -109740,7 +109740,7 @@ rule ELASTIC_Linux_Exploit_CVE_2021_3156_7F5672D0 : FILE CVE_2021_3156
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2021_3156.yar#L22-L45"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1a4517d2582ac97b88ae568c23e75beba93daf8518bd3971985d6a798049fd61"
- logic_hash = "v1_sha256_e25907f11a2f292441a96e19834ad89636593a3f8998ec0010e43830f5aa0c64"
+ logic_hash = "e25907f11a2f292441a96e19834ad89636593a3f8998ec0010e43830f5aa0c64"
 score = 75
 quality = 75
 tags = "FILE, CVE-2021-3156"
@@ -109774,7 +109774,7 @@ rule ELASTIC_Windows_Vulndriver_Procid_86605Fa9 : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_ProcId.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29"
- logic_hash = "v1_sha256_882cdbd267d812e77e68e7080f1fca0ca3d7e75ab84c583c3ec148894b1cf644"
+ logic_hash = "882cdbd267d812e77e68e7080f1fca0ca3d7e75ab84c583c3ec148894b1cf644"
 score = 75
 quality = 75
 tags = "FILE"
@@ -109803,7 +109803,7 @@ rule ELASTIC_Linux_Trojan_Pumakit_B86138C3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Pumakit.yar#L1-L30"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "30b26707d5fb407ef39ebee37ded7edeea2890fb5ec1ebfa09a3b3edfc80db1f"
- logic_hash = "v1_sha256_fc486aafee5cd4156ef7027ed6bf596c62397601787833d9173c198d5d919cde"
+ logic_hash = "fc486aafee5cd4156ef7027ed6bf596c62397601787833d9173c198d5d919cde"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109843,7 +109843,7 @@ rule ELASTIC_Windows_Vulndriver_Winflash_881758Da : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_WinFlash.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8596ea3952d84eeef8f5dc5b0b83014feb101ec295b2d80910f21508a95aa026"
- logic_hash = "v1_sha256_a46ac1f19ba5d9543c88434575870b61fbb935cd4c4e28cb80a077502af7d2db"
+ logic_hash = "a46ac1f19ba5d9543c88434575870b61fbb935cd4c4e28cb80a077502af7d2db"
 score = 75
 quality = 75
 tags = "FILE"
@@ -109872,7 +109872,7 @@ rule ELASTIC_Linux_Ransomware_Sodinokibi_2883D7Cd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Sodinokibi.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a322b230a3451fd11dcfe72af4da1df07183d6aaf1ab9e062f0e6b14cf6d23cd"
- logic_hash = "v1_sha256_97d6b1b641c4b5b596b67a809e8e70bb0bccb9219282cd6c41bc905e2ea44c84"
+ logic_hash = "97d6b1b641c4b5b596b67a809e8e70bb0bccb9219282cd6c41bc905e2ea44c84"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109901,7 +109901,7 @@ rule ELASTIC_Linux_Rootkit_Dakkatoni_010D3Ac2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Dakkatoni.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "38b2d033eb5ce87faa4faa7fcac943d9373e432e0d45e741a0c01d714ee9d4d3"
- logic_hash = "v1_sha256_51119321f29aed695e09da22d3234eae96db93e8029d4525d018e56c7131f7b8"
+ logic_hash = "51119321f29aed695e09da22d3234eae96db93e8029d4525d018e56c7131f7b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109930,7 +109930,7 @@ rule ELASTIC_Windows_Trojan_Ghostengine_8Ea2Aa65 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_GhostEngine.yar#L1-L26"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753"
- logic_hash = "v1_sha256_3bddd2ac79d92d34df5d2df4a11cf96cc44ca39c3baece1b5c67b75a682778ff"
+ logic_hash = "3bddd2ac79d92d34df5d2df4a11cf96cc44ca39c3baece1b5c67b75a682778ff"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -109966,7 +109966,7 @@ rule ELASTIC_Macos_Trojan_Eggshell_Ddacf7B9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Trojan_Eggshell.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6d93a714dd008746569c0fbd00fadccbd5f15eef06b200a4e831df0dc8f3d05b"
- logic_hash = "v1_sha256_f986f7d1e3a68e27f82048017c6d6381a0354ffad2cd10f3eee69bbbfa940abd"
+ logic_hash = "f986f7d1e3a68e27f82048017c6d6381a0354ffad2cd10f3eee69bbbfa940abd"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -109999,7 +109999,7 @@ rule ELASTIC_Windows_Trojan_Azorult_38Fce9Ea : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Azorult.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491"
- logic_hash = "v1_sha256_e23b21992b7ff577d4521c733929638522f4bf57b54c72e5e46196d028d6be26"
+ logic_hash = "e23b21992b7ff577d4521c733929638522f4bf57b54c72e5e46196d028d6be26"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110032,7 +110032,7 @@ rule ELASTIC_Windows_Exploit_Fakepipe_6Bc93551 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Exploit_FakePipe.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "545a41ccfcd0a4f09c1c62bef2dde61b52fa92abada71ab72b3f4febb9265f75"
- logic_hash = "v1_sha256_daf78c4a2db337f51054e108b5b54c8aa32300eae3bd39c5fc2d4769221c8aea"
+ logic_hash = "daf78c4a2db337f51054e108b5b54c8aa32300eae3bd39c5fc2d4769221c8aea"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110064,7 +110064,7 @@ rule ELASTIC_Windows_Vulndriver_Fileseclab_4A21229A : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Fileseclab.yar#L1-L24"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12"
- logic_hash = "v1_sha256_bac78186f3d46c6765bacaf6a324ff94e449261cefe2594cb38c4cc25db1f0de"
+ logic_hash = "bac78186f3d46c6765bacaf6a324ff94e449261cefe2594cb38c4cc25db1f0de"
 score = 75
 quality = 75
 tags = "FILE"
@@ -110098,7 +110098,7 @@ rule ELASTIC_Linux_Rootkit_Bedevil_2Af79Cea : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Rootkit_Bedevil.yar#L1-L29"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8f8c598350632b32e72cd6af3a0ca93c05b4d9100fd03e2ae1aec97a946eb347"
- logic_hash = "v1_sha256_3acded46df45f88cf2cdd0eab424810d3dab51cac90845574a1361301e72be23"
+ logic_hash = "3acded46df45f88cf2cdd0eab424810d3dab51cac90845574a1361301e72be23"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110137,7 +110137,7 @@ rule ELASTIC_Macos_Backdoor_Fakeflashlxk_06Fd8071 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/MacOS_Backdoor_Fakeflashlxk.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "107f844f19e638866d8249e6f735daf650168a48a322d39e39d5e36cfc1c8659"
- logic_hash = "v1_sha256_853d44465a472786bb48bbe1009e0ff925f79e4fd72f0eac537dd271c1ec3703"
+ logic_hash = "853d44465a472786bb48bbe1009e0ff925f79e4fd72f0eac537dd271c1ec3703"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110168,7 +110168,7 @@ rule ELASTIC_Windows_Ransomware_Cicada3301_99Fee259 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Cicada3301.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e"
- logic_hash = "v1_sha256_18996d70192b0e997eba70c22ed70a2611a7e038a8825308f4d3d002b681939b"
+ logic_hash = "18996d70192b0e997eba70c22ed70a2611a7e038a8825308f4d3d002b681939b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110201,7 +110201,7 @@ rule ELASTIC_Windows_Ransomware_Blackbasta_494D3C54 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_BlackBasta.yar#L1-L27"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "357fe8c56e246ffacd54d12f4deb9f1adb25cb772b5cd2436246da3f2d01c222"
- logic_hash = "v1_sha256_1ecb3c95a2d3f91d267f0b625fffc8477612fde9de3942eff8eb13115c0af6b8"
+ logic_hash = "1ecb3c95a2d3f91d267f0b625fffc8477612fde9de3942eff8eb13115c0af6b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110238,7 +110238,7 @@ rule ELASTIC_Linux_Cryptominer_Pgminer_Ccf88A37 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Pgminer.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3afc8d2d85aca61108d21f82355ad813eba7a189e81dde263d318988c5ea50bd"
- logic_hash = "v1_sha256_77833cdb319bc8e22db2503478677d5992774105f659fe7520177a691c83aa91"
+ logic_hash = "77833cdb319bc8e22db2503478677d5992774105f659fe7520177a691c83aa91"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110267,7 +110267,7 @@ rule ELASTIC_Linux_Cryptominer_Pgminer_5Fb2Efd5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Pgminer.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6d296648fdbc693e604f6375eaf7e28b87a73b8405dc8cd3147663b5e8b96ff0"
- logic_hash = "v1_sha256_4c247f40c9781332f04f82a244f6e8e22c9c744963f736937eddecf769b40a54"
+ logic_hash = "4c247f40c9781332f04f82a244f6e8e22c9c744963f736937eddecf769b40a54"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110295,7 +110295,7 @@ rule ELASTIC_Windows_Trojan_Parallax_D72Ec0E2 : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Parallax.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_6c2c84624912f3b612ae435cf3e8000192a1b168b30205ed4a93b7fab7e336ad"
+ logic_hash = "6c2c84624912f3b612ae435cf3e8000192a1b168b30205ed4a93b7fab7e336ad"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110326,7 +110326,7 @@ rule ELASTIC_Windows_Trojan_Parallax_B4Ea4F1A : FILE MEMORY
 reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Parallax.yar#L24-L55"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_731fe7bd339ec6b0372b4809004a21f53537bd82f084960b8d018f994dcdc06a"
+ logic_hash = "731fe7bd339ec6b0372b4809004a21f53537bd82f084960b8d018f994dcdc06a"
 score = 75
 quality = 42
 tags = "FILE, MEMORY"
@@ -110368,7 +110368,7 @@ rule ELASTIC_Linux_Ransomware_Hellokitty_35731270 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Ransomware_Hellokitty.yar#L1-L21"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed"
- logic_hash = "v1_sha256_40cb632d6b8561de56f2010a082a24b0c50d4cabed21e073168b5302ddff7044"
+ logic_hash = "40cb632d6b8561de56f2010a082a24b0c50d4cabed21e073168b5302ddff7044"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110399,7 +110399,7 @@ rule ELASTIC_Windows_Packer_Scrubcrypt_6A75A4Bb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Packer_ScrubCrypt.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "05c1eea2ff8c31aa5baf1dfd8015988f7e737753275ed1c8c29013a3a7414b50"
- logic_hash = "v1_sha256_edcaa6f1cc85ef084ae5bf2524f39869a90b008dce85e72bca4835565f067ca7"
+ logic_hash = "edcaa6f1cc85ef084ae5bf2524f39869a90b008dce85e72bca4835565f067ca7"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110429,7 +110429,7 @@ rule ELASTIC_Windows_Trojan_Clipbanker_7Efaef9F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Clipbanker.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "02b06acb113c31f5a2ac9c99f9614e0fab0f78afc5ae872e46bae139c2c9b1f6"
- logic_hash = "v1_sha256_fa547d7c1623b332ef306672dd2293b44016d9974c1a3ec4b15e5ae0483ff879"
+ logic_hash = "fa547d7c1623b332ef306672dd2293b44016d9974c1a3ec4b15e5ae0483ff879"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -110462,7 +110462,7 @@ rule ELASTIC_Windows_Trojan_Clipbanker_B60A50B8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Clipbanker.yar#L25-L43" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "02b06acb113c31f5a2ac9c99f9614e0fab0f78afc5ae872e46bae139c2c9b1f6" - logic_hash = "v1_sha256_fe585ab7efbc3b500ea23d1c164bc79ded658001e53fc71721e435ed7579182a" + logic_hash = "fe585ab7efbc3b500ea23d1c164bc79ded658001e53fc71721e435ed7579182a" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110491,7 +110491,7 @@ rule ELASTIC_Windows_Trojan_Clipbanker_F9F9E79D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Clipbanker.yar#L45-L63" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c" - logic_hash = "v1_sha256_a71d75719133e8b84956ec002cb31f82386ef711fa2af79d204d176492cd354b" + logic_hash = "a71d75719133e8b84956ec002cb31f82386ef711fa2af79d204d176492cd354b" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110520,7 +110520,7 @@ rule ELASTIC_Windows_Trojan_Clipbanker_787B130B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Clipbanker.yar#L65-L87" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c" - logic_hash = "v1_sha256_88783bde7014853f6556c6e7ee2dfd5cd5fcbfb4523ed158b4287e2bfba409f1" + logic_hash = "88783bde7014853f6556c6e7ee2dfd5cd5fcbfb4523ed158b4287e2bfba409f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110553,7 +110553,7 @@ rule ELASTIC_Windows_Trojan_Revengerat_Db91Bcc6 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Revengerat.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "30d8f81a19976d67b495eb1324372598cc25e1e69179c11efa22025341e455bd" - logic_hash = "v1_sha256_1e33cb1d614aae0b2181ebaca694c69e7fc849b3a3b7ffff7059e8c43553f8cc" + logic_hash = "1e33cb1d614aae0b2181ebaca694c69e7fc849b3a3b7ffff7059e8c43553f8cc" score = 75 quality = 50 tags = "FILE, MEMORY" @@ -110585,7 +110585,7 @@ rule ELASTIC_Linux_Cryptominer_Flystudio_579A3A4D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Flystudio.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "84afc47554cf42e76ef8d28f2d29c28f3d35c2876cec2fb1581b0ac7cfe719dd" - logic_hash = "v1_sha256_6579630a4fb6cf5bc8ccb2e4f93f5d549baa6ea9b742b2ee83a52f07352c4741" + logic_hash = "6579630a4fb6cf5bc8ccb2e4f93f5d549baa6ea9b742b2ee83a52f07352c4741" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110613,7 +110613,7 @@ rule ELASTIC_Linux_Cryptominer_Flystudio_0A370634 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Flystudio.yar#L21-L38" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_cf924ba45a7dba19fe571bb9da8c4896690c3ad02f732b759a10174b9f61883f" + logic_hash = "cf924ba45a7dba19fe571bb9da8c4896690c3ad02f732b759a10174b9f61883f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110642,7 +110642,7 @@ rule ELASTIC_Linux_Hacktool_Exploitscan_4327F817 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Exploitscan.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "66c6d0e58916d863a1a973b4f5cb7d691fbd01d26b408dbc8c74f0f1e4088dfb" - logic_hash = "v1_sha256_7797d9bd75dff355e1ee84b856e77cf9e886dfe727fb8ce7a6fdbe5ed1eb0985" + logic_hash = "7797d9bd75dff355e1ee84b856e77cf9e886dfe727fb8ce7a6fdbe5ed1eb0985" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110671,7 +110671,7 @@ rule ELASTIC_Linux_Backdoor_Tinyshell_67Ee6Fae : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Backdoor_Tinyshell.yar#L1-L22" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9d2e25ec0208a55fba97ac70b23d3d3753e9b906b4546d1b14d8c92f8d8eb03d" - logic_hash = "v1_sha256_200d4267e21b8934deecc48273294f2e34464fcb412e39f3f5a006278631b9f1" + logic_hash = "200d4267e21b8934deecc48273294f2e34464fcb412e39f3f5a006278631b9f1" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110703,7 +110703,7 @@ rule ELASTIC_Linux_Exploit_CVE_2022_0847_E831C285 : FILE MEMORY CVE_2022_0847 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_CVE_2022_0847.yar#L1-L27" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c6b2cef2f2bc04e3ae33e0d368eb39eb5ea38d1bca390df47f7096117c1aecca" - logic_hash = "v1_sha256_e15daf5de9bf66060e373a6e772669eade543ed56bef6b6924a0ee44e59522e1" + logic_hash = "e15daf5de9bf66060e373a6e772669eade543ed56bef6b6924a0ee44e59522e1" score = 75 quality = 75 tags = "FILE, MEMORY, CVE-2022-0847" @@ -110740,7 +110740,7 @@ rule ELASTIC_Windows_Vulndriver_Atillk_18316Dd9 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Atillk.yar#L1-L21" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173" - logic_hash = "v1_sha256_02d218d0a0ea447e4ad0b03bff50c307ca5f36b8ed268787cd73c88a05aa4214" + logic_hash = "02d218d0a0ea447e4ad0b03bff50c307ca5f36b8ed268787cd73c88a05aa4214" score = 75 quality = 75 tags = "FILE" 
@@ -110771,7 +110771,7 @@ rule ELASTIC_Linux_Trojan_Patpooty_E2E0Dff1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Patpooty.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "d38b9e76cbc863f69b29fc47262ceafd26ac476b0ae6283d3fa50985f93bedf3" - logic_hash = "v1_sha256_ec7d12296383ca0ed20e3221fb96b9dbdaf6cc7f07f5c8383e43489a9fd6fcfe" + logic_hash = "ec7d12296383ca0ed20e3221fb96b9dbdaf6cc7f07f5c8383e43489a9fd6fcfe" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110800,7 +110800,7 @@ rule ELASTIC_Linux_Trojan_Patpooty_F90C7E43 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Patpooty.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "79475a66be8741d9884bc60f593c81a44bdb212592cd1a7b6130166a724cb3d3" - logic_hash = "v1_sha256_2d995722b06ce51a5378e395896764421f84afcf6b13855a87ed43d9b9e38982" + logic_hash = "2d995722b06ce51a5378e395896764421f84afcf6b13855a87ed43d9b9e38982" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110829,7 +110829,7 @@ rule ELASTIC_Multi_Ransomware_Ransomhub_4A8A07Cd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Multi_Ransomware_RansomHub.yar#L1-L26" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "bfbbba7d18be1aa2e85390fa69a761302756ee9348b7343af6f42f3b5d0a939c" - logic_hash = "v1_sha256_8e2d062e890cf66418c18ce8988c0ac4744c9f00fdc296e8dd91df39ec240abe" + logic_hash = "8e2d062e890cf66418c18ce8988c0ac4744c9f00fdc296e8dd91df39ec240abe" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110864,7 +110864,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_1916686D : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L1-L31" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_e0e7b8ba2865fc76845b21aa3e075ceab98888635a60bd722c0c81e0f4fcf58c" + logic_hash = "e0e7b8ba2865fc76845b21aa3e075ceab98888635a60bd722c0c81e0f4fcf58c" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110905,7 +110905,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_9B267F96 : FILE MEMORY reference = "https://github.com/elastic/protections-artifacts/" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L33-L57" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_fbaaf4bf2462119b39a5df90b91fb831be3e602b926cd893374a5dddf48f029d" + logic_hash = "fbaaf4bf2462119b39a5df90b91fb831be3e602b926cd893374a5dddf48f029d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -110941,7 +110941,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_684A39F2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L59-L84" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "5f4782a34368bb661f413f33e2d1fb9f237b7f9637f2c0c21dc752316b02350c" - logic_hash = "v1_sha256_7cb74176e1dbdd248295649568d29c9d88841fcd0c16479b6b7efc71c4a1d706" + logic_hash = "7cb74176e1dbdd248295649568d29c9d88841fcd0c16479b6b7efc71c4a1d706" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -110977,7 +110977,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_Ade6C9D5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L86-L109" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "dc9757c9aa3aff76d86f9f23a3d20a817e48ca3d7294307cc67477177af5c0d4" - logic_hash = "v1_sha256_8ff8ed1e2b909606fe6aae3f43ad02898d7b3906c3d329a508f6d40490ec75a0" + logic_hash = "8ff8ed1e2b909606fe6aae3f43ad02898d7b3906c3d329a508f6d40490ec75a0" score = 60 quality = 45 tags = "FILE, MEMORY" @@ -111011,7 +111011,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_4110D879 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L111-L130" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e0fbbc548fdb9da83a72ddc1040463e37ab6b8b544bf0d2b206bfff352175afe" - logic_hash = "v1_sha256_22c27523ddd8183c41da40f7ff908ae5bdee3b482c8a3f70aaa63a4c419e515b" + logic_hash = "22c27523ddd8183c41da40f7ff908ae5bdee3b482c8a3f70aaa63a4c419e515b" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111041,7 +111041,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_5B12Cbab : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L132-L150" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "8165798fec8294523f25aedfc6699faad0c5d75f60bc7cefcbb2fa13dbc656e3" - logic_hash = "v1_sha256_b86296dafaef1dfa0a41704cafa351694abb0e453e104dfe06836ed599338f38" + logic_hash = "b86296dafaef1dfa0a41704cafa351694abb0e453e104dfe06836ed599338f38" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111070,7 +111070,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_5E383Ae0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L152-L184" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "0b506ef32f58ee2b1e5701ca8e13c67584739ab1d00ee4a0c2f532c09a15836f" - logic_hash = "v1_sha256_5d87ada1c609e23742c389f8153a9266c4db95be4a5e10b50979aebc993a45e0" + logic_hash = "5d87ada1c609e23742c389f8153a9266c4db95be4a5e10b50979aebc993a45e0" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111113,7 +111113,7 @@ rule ELASTIC_Windows_Trojan_Bruteratel_644Ac114 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_BruteRatel.yar#L186-L205" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ace6a99d95ef859d4ab74db6900753e754273a12a34721f1aa8f1a9df3d8ec35" - logic_hash = "v1_sha256_06ffea16a0348f2276f379db150b5f9d2dbdffbcb2eee83c55c27c837ecb1e69" + logic_hash = "06ffea16a0348f2276f379db150b5f9d2dbdffbcb2eee83c55c27c837ecb1e69" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111143,7 +111143,7 @@ rule ELASTIC_Windows_Ransomware_Avoslocker_7Ae4D4F2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Avoslocker.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "43b7a60c0ef8b4af001f45a0c57410b7374b1d75a6811e0dfc86e4d60f503856" - logic_hash = "v1_sha256_c87faf6f128fd6a8cabd68ec8de72fb10e6be42bdbe23ece374dd8f3cf0c1b15" + logic_hash = "c87faf6f128fd6a8cabd68ec8de72fb10e6be42bdbe23ece374dd8f3cf0c1b15" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111176,7 +111176,7 @@ rule ELASTIC_Windows_Trojan_Kronos_Cdd2E2C5 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Kronos.yar#L1-L27" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "baa9cedbbe0f5689be8f8028a6537c39e9ea8b0815ad76cb98f365ca5a41653f" - logic_hash = "v1_sha256_a8943c5ef166446629cb46517d35db39c97a1e3efa3a7a0b5cb3d3ee9d1e6e9c" + logic_hash = "a8943c5ef166446629cb46517d35db39c97a1e3efa3a7a0b5cb3d3ee9d1e6e9c" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111212,7 +111212,7 @@ rule ELASTIC_Windows_Vulndriver_Winio_C9Cc6D00 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_WinIo.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf" - logic_hash = "v1_sha256_4b6a78c2c807cf1f569ae9bc275d42d9c895efba7a2d64fec0652e3cb163d553" + logic_hash = "4b6a78c2c807cf1f569ae9bc275d42d9c895efba7a2d64fec0652e3cb163d553" score = 75 quality = 75 tags = "FILE" @@ -111241,7 +111241,7 @@ rule ELASTIC_Windows_Vulndriver_Winio_B0F21A70 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_WinIo.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374" - logic_hash = "v1_sha256_c82d95e805898f9a9a1ffccb483e506df0a53dc420068314e7c724e4947f3572" + logic_hash = "c82d95e805898f9a9a1ffccb483e506df0a53dc420068314e7c724e4947f3572" score = 75 quality = 75 tags = "FILE" @@ -111270,7 +111270,7 @@ rule ELASTIC_Windows_Ransomware_Mountlocker_126A76E2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Mountlocker.yar#L1-L23" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "4a5ac3c6f8383cc33c795804ba5f7f5553c029bbb4a6d28f1e4d8fb5107902c1" - logic_hash = "v1_sha256_5a5e157a245a75033abbe6bc7aa66fe6af6d91dc30abe1fdadce85f8f3905b1e" + logic_hash = "5a5e157a245a75033abbe6bc7aa66fe6af6d91dc30abe1fdadce85f8f3905b1e" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111303,7 +111303,7 @@ rule ELASTIC_Linux_Cryptominer_Roboto_0B6807F8 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Roboto.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "c2542e399f865b5c490ee66b882f5ff246786b3f004abb7489ec433c11007dda" - logic_hash = "v1_sha256_d945c7a23b9f435851f3c998231da615e220c259051cf213186c28f3279be1dd" + logic_hash = "d945c7a23b9f435851f3c998231da615e220c259051cf213186c28f3279be1dd" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111332,7 +111332,7 @@ rule ELASTIC_Linux_Cryptominer_Roboto_1F1Cfe9A : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Roboto.yar#L21-L39" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "497a6d426ff93d5cd18cea623074fb209d4f407a02ef8f382f089f1ed3f108c5" - logic_hash = "v1_sha256_2171284991b0019379c8d271013a35237c37bc2e13d807caed86f8fb9d2ba418" + logic_hash = "2171284991b0019379c8d271013a35237c37bc2e13d807caed86f8fb9d2ba418" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111361,7 +111361,7 @@ rule ELASTIC_Windows_Vulndriver_Zam_928812A7 : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Zam.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91" - logic_hash = "v1_sha256_82ca874d60d8a0ee04aca39f59415f22797e7e0337314c88dd8ebad1a823d200" + logic_hash = "82ca874d60d8a0ee04aca39f59415f22797e7e0337314c88dd8ebad1a823d200" score = 75 quality = 75 tags = "FILE" 
@@ -111391,7 +111391,7 @@ rule ELASTIC_Windows_Vulndriver_Zam_7C86D260 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Zam.yar#L22-L42" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - logic_hash = "v1_sha256_cc29f26c222825eb5262d91065a00243bc913fe2071d8ad6b0dc61dd22798f1e" + logic_hash = "cc29f26c222825eb5262d91065a00243bc913fe2071d8ad6b0dc61dd22798f1e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111422,7 +111422,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_59E029C3 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_BPFDoor.yar#L1-L24" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "144526d30ae747982079d5d340d1ff116a7963aba2e3ed589e7ebc297ba0c1b3" - logic_hash = "v1_sha256_64620a3404b331855d0b8018c1626c88cb28380785beac1a391613ae8dc1b1bf" + logic_hash = "64620a3404b331855d0b8018c1626c88cb28380785beac1a391613ae8dc1b1bf" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111455,7 +111455,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_0F768F60 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_BPFDoor.yar#L26-L50" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155" - logic_hash = "v1_sha256_1aaa74c2d8fbb230cbfc0e08fd6865b5f7e90e4abcdb97121e52afb7569b2dbc" + logic_hash = "1aaa74c2d8fbb230cbfc0e08fd6865b5f7e90e4abcdb97121e52afb7569b2dbc" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111489,7 +111489,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_8453771B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_BPFDoor.yar#L52-L78" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78" - logic_hash = "v1_sha256_546e5c56ceb6b99db14dc225a2ec4872cb54859a0f2f6ad520d4f446793e031e" + logic_hash = "546e5c56ceb6b99db14dc225a2ec4872cb54859a0f2f6ad520d4f446793e031e" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111525,7 +111525,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_F690Fe3B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_BPFDoor.yar#L80-L99" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "591198c234416c6ccbcea6967963ca2ca0f17050be7eed1602198308d9127c78" - logic_hash = "v1_sha256_35c6be75348a30f415a1a4bb94ae7e3a2f49f54a0fb3ddc4bae1aa3e03c1a909" + logic_hash = "35c6be75348a30f415a1a4bb94ae7e3a2f49f54a0fb3ddc4bae1aa3e03c1a909" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111554,7 +111554,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_1A7D804B : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_BPFDoor.yar#L101-L127" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "76bf736b25d5c9aaf6a84edd4e615796fffc338a893b49c120c0b4941ce37925" - logic_hash = "v1_sha256_b0c4b168d92947e599e8c74d0ae6a91766c8a034c34e9c07e2472620c9b61037" + logic_hash = "b0c4b168d92947e599e8c74d0ae6a91766c8a034c34e9c07e2472620c9b61037" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111590,7 +111590,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_E14B0B79 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_BPFDoor.yar#L129-L152" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "dc8346bf443b7b453f062740d8ae8d8d7ce879672810f4296158f90359dcae3a" - logic_hash = "v1_sha256_7cdf111ae253bffef7243ad3722f1a79f81f45d80f938f9542af8e056f75d3fc" + logic_hash = "7cdf111ae253bffef7243ad3722f1a79f81f45d80f938f9542af8e056f75d3fc" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111623,7 +111623,7 @@ rule ELASTIC_Linux_Trojan_Bpfdoor_F1Cd26Ad : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_BPFDoor.yar#L154-L175" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7" - logic_hash = "v1_sha256_ad3e130d5a1203c55b5c8d369c7d9989f66f76c9bd57e2314a30f4c931e4b98d" + logic_hash = "ad3e130d5a1203c55b5c8d369c7d9989f66f76c9bd57e2314a30f4c931e4b98d" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111654,7 +111654,7 @@ rule ELASTIC_Linux_Trojan_Bish_974B4B47 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Bish.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "9171fd2bbe182f0a3cd35937f3ee0076c9358f52f5bc047498dd9e233ae11757" - logic_hash = "v1_sha256_c5a7d036c89fe50626da51486d19ee731ad28cbc8d36def075d8f33a7b68961f" + logic_hash = "c5a7d036c89fe50626da51486d19ee731ad28cbc8d36def075d8f33a7b68961f" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111683,7 +111683,7 @@ rule ELASTIC_Windows_Vulndriver_Eneio_6E01882F : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_EneIo.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347" - logic_hash = "v1_sha256_144ac5375cb637b6301a2275f2412fbd0d0c5fb23105c7cce5aa7912cf68fa2c" + logic_hash = "144ac5375cb637b6301a2275f2412fbd0d0c5fb23105c7cce5aa7912cf68fa2c" score = 75 quality = 75 tags = "FILE" @@ -111711,7 +111711,7 @@ rule ELASTIC_Linux_Trojan_Sysrv_85097F24 : FILE MEMORY reference = "17fbc8e10dea69b29093fcf2aa018be4d58fe5462c5a0363a0adde60f448fb26" source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Sysrv.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" - logic_hash = "v1_sha256_96bee8b9b0e9c2afd684582301f9e110fd08fcabaea798bfb6259a4216f69be1" + logic_hash = "96bee8b9b0e9c2afd684582301f9e110fd08fcabaea798bfb6259a4216f69be1" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111740,7 +111740,7 @@ rule ELASTIC_Linux_Trojan_Mech_D30Ec0A0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mech.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "710d1a0a8c7eecc6d793933c8a97cec66d284b3687efee7655a2dc31d15c0593" - logic_hash = "v1_sha256_268aeb25d6468412d8123bab5eb2c8bd7704828d0ef3c3d771aa036e374127d7" + logic_hash = "268aeb25d6468412d8123bab5eb2c8bd7704828d0ef3c3d771aa036e374127d7" score = 75 quality = 73 tags = "FILE, MEMORY" 
@@ -111769,7 +111769,7 @@ rule ELASTIC_Linux_Trojan_Godropper_Bae099Bd : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Godropper.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "704643f3fd11cda1d52260285bf2a03bccafe59cfba4466427646c1baf93881e" - logic_hash = "v1_sha256_ef6274928f7cfc0312122ac3e4153fb0a78dc7d5fb2d68db6cbe4974f5497210" + logic_hash = "ef6274928f7cfc0312122ac3e4153fb0a78dc7d5fb2d68db6cbe4974f5497210" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111798,7 +111798,7 @@ rule ELASTIC_Windows_Trojan_Emotet_18379A8D : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Emotet.yar#L1-L20" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827" - logic_hash = "v1_sha256_2ad72ce2a352b91a4fa597ee9e796035298cfcee6fdc13dd3f64579d8da96b97" + logic_hash = "2ad72ce2a352b91a4fa597ee9e796035298cfcee6fdc13dd3f64579d8da96b97" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111827,7 +111827,7 @@ rule ELASTIC_Windows_Trojan_Emotet_5528B3B0 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Emotet.yar#L22-L41" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827" - logic_hash = "v1_sha256_bb784ab0e064bafa8450b6bb15ef534af38254ea3c096807571c2c27f7cdfd76" + logic_hash = "bb784ab0e064bafa8450b6bb15ef534af38254ea3c096807571c2c27f7cdfd76" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111856,7 +111856,7 @@ rule ELASTIC_Windows_Trojan_Emotet_1943Bbf2 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Emotet.yar#L43-L62" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "5abec3cd6aa066b1ddc0149a911645049ea1da66b656c563f9a384e821c5db38" - logic_hash = "v1_sha256_41838e335b9314b8759922f23ec8709f46e6a26633f3685ac98ada5828191d35" + logic_hash = "41838e335b9314b8759922f23ec8709f46e6a26633f3685ac98ada5828191d35" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111885,7 +111885,7 @@ rule ELASTIC_Windows_Trojan_Emotet_Db7D33Fa : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Emotet.yar#L64-L90" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc" - logic_hash = "v1_sha256_e220c112c15f384fde6fc2286b01c7eb9bedcf4817d02645d0fa7afb05e7b593" + logic_hash = "e220c112c15f384fde6fc2286b01c7eb9bedcf4817d02645d0fa7afb05e7b593" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111921,7 +111921,7 @@ rule ELASTIC_Windows_Trojan_Emotet_D6Ac1Ea4 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Emotet.yar#L92-L114" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "2c6709d5d2e891d1ce26fdb4021599ac10fea93c7773f5c00bea8e5e90404b71" - logic_hash = "v1_sha256_9b37940ea8752c6db52d4f09225de0389438c41468a11a7cda8f28b191192ef9" + logic_hash = "9b37940ea8752c6db52d4f09225de0389438c41468a11a7cda8f28b191192ef9" score = 75 quality = 75 tags = "FILE, MEMORY" 
@@ -111953,7 +111953,7 @@ rule ELASTIC_Windows_Trojan_Emotet_77C667B9 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Emotet.yar#L116-L144" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ffac0120c3ae022b807559e8ed7902fde0fa5f7cb9c5c8d612754fa498288572" - logic_hash = "v1_sha256_f11769fe5e9789b451e8826c5fd22bde5b3eb9f7af1d5fec7eec71700fc1f482" + logic_hash = "f11769fe5e9789b451e8826c5fd22bde5b3eb9f7af1d5fec7eec71700fc1f482" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -111991,7 +111991,7 @@ rule ELASTIC_Windows_Trojan_Emotet_8B9449C1 : FILE MEMORY source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Emotet.yar#L146-L166" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "ffac0120c3ae022b807559e8ed7902fde0fa5f7cb9c5c8d612754fa498288572" - logic_hash = "v1_sha256_5501354ebc1d97fe5ce894d5907adb29440f557f2dd235e1e983ae2d109199a2" + logic_hash = "5501354ebc1d97fe5ce894d5907adb29440f557f2dd235e1e983ae2d109199a2" score = 75 quality = 75 tags = "FILE, MEMORY" @@ -112021,7 +112021,7 @@ rule ELASTIC_Windows_Vulndriver_Amifldrv_E387D5Ad : FILE source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_VulnDriver_Amifldrv.yar#L1-L19" license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt" hash = "fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330" - logic_hash = "v1_sha256_14d75b5aff2c82d69b041c654cdc0840f6b6e37a197f5c0c1c2698c9e8eba3e2" + logic_hash = "14d75b5aff2c82d69b041c654cdc0840f6b6e37a197f5c0c1c2698c9e8eba3e2" score = 60 quality = 55 tags = "FILE" 
@@ -112050,7 +112050,7 @@ rule ELASTIC_Windows_Hacktool_Gmer_8Aabdd5E : FILE
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Hacktool_Gmer.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7"
- logic_hash = "v1_sha256_acdab89a7703a743927cec60fbc84af2fd469403bee6f211c865fb96e9c92498"
+ logic_hash = "acdab89a7703a743927cec60fbc84af2fd469403bee6f211c865fb96e9c92498"
 score = 75
 quality = 75
 tags = "FILE"
@@ -112079,7 +112079,7 @@ rule ELASTIC_Windows_Ransomware_Ransomexx_Fabff49C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Ransomware_Ransomexx.yar#L1-L22"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7"
- logic_hash = "v1_sha256_67d5123b706685ea5ab939aec31cb1549297778d91dd38b14e109945c52da71a"
+ logic_hash = "67d5123b706685ea5ab939aec31cb1549297778d91dd38b14e109945c52da71a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112110,7 +112110,7 @@ rule ELASTIC_Linux_Trojan_Rotajakiro_Fb24F399 : FILE MEMORY
 reference = "023a7f9ed082d9dd7be6eba5942bfa77f8e618c2d15a8bc384d85223c5b91a0c"
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Rotajakiro.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
- logic_hash = "v1_sha256_be33fdda50ef0ea1a0cf45835cc2b7a805cecb3fff371ed6d93e01c2d477d867"
+ logic_hash = "be33fdda50ef0ea1a0cf45835cc2b7a805cecb3fff371ed6d93e01c2d477d867"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112139,7 +112139,7 @@ rule ELASTIC_Windows_Trojan_Zloader_5Dd0A0Bf : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Zloader.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa"
- logic_hash = "v1_sha256_1446a4147e1b06fa66907de857011079c55a8e6bf84276eb8518d33468ba1f83"
+ logic_hash = "1446a4147e1b06fa66907de857011079c55a8e6bf84276eb8518d33468ba1f83"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112168,7 +112168,7 @@ rule ELASTIC_Windows_Trojan_Zloader_4Fe0F7F1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Zloader.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa"
- logic_hash = "v1_sha256_b20fafc9db08c7668b49e18f45632594c3a69ec65fe865e79379c544fc424f8d"
+ logic_hash = "b20fafc9db08c7668b49e18f45632594c3a69ec65fe865e79379c544fc424f8d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112197,7 +112197,7 @@ rule ELASTIC_Windows_Trojan_Zloader_363C65Ed : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Zloader.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa"
- logic_hash = "v1_sha256_d3c530f9929db709067a9e1cc59b9cda9dcd8e19352c79ddaf7af6c91b242afd"
+ logic_hash = "d3c530f9929db709067a9e1cc59b9cda9dcd8e19352c79ddaf7af6c91b242afd"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112226,7 +112226,7 @@ rule ELASTIC_Windows_Trojan_Zloader_79535191 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Zloader.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "161e657587361b29cdb883a6836566a946d9d3e5175e166a9fe54981d0c667fa"
- logic_hash = "v1_sha256_c398a8ca46c6fe3e59481a092867be77a94809b1568cea918aa6450374063857"
+ logic_hash = "c398a8ca46c6fe3e59481a092867be77a94809b1568cea918aa6450374063857"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112255,7 +112255,7 @@ rule ELASTIC_Linux_Cryptominer_Ccminer_18Fc60E5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Ccminer.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dbb403a00c75ef2a74b41b8b58d08a6749f37f922de6cc19127a8f244d901c60"
- logic_hash = "v1_sha256_75db45ccbeb558409ee9398065591472d4aee0382be5980adb9d0fb41e557789"
+ logic_hash = "75db45ccbeb558409ee9398065591472d4aee0382be5980adb9d0fb41e557789"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112284,7 +112284,7 @@ rule ELASTIC_Linux_Cryptominer_Ccminer_3C593Bc3 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Cryptominer_Ccminer.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dbb403a00c75ef2a74b41b8b58d08a6749f37f922de6cc19127a8f244d901c60"
- logic_hash = "v1_sha256_94a0d33b474b3c60e926eaf06147eb0fdc56beac525f25326448bf2a5177d9c0"
+ logic_hash = "94a0d33b474b3c60e926eaf06147eb0fdc56beac525f25326448bf2a5177d9c0"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112313,7 +112313,7 @@ rule ELASTIC_Linux_Trojan_Mettle_E8Fdbcbd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mettle.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "864eae4f27648b8a9d9b0eb1894169aa739311cdd02b1435a34881acf7059d58"
- logic_hash = "v1_sha256_d13c1e7fb815ebbefa78922e9b85a1ced015c03b8f1b2cf1885a9c483b8e0ab3"
+ logic_hash = "d13c1e7fb815ebbefa78922e9b85a1ced015c03b8f1b2cf1885a9c483b8e0ab3"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112346,7 +112346,7 @@ rule ELASTIC_Linux_Trojan_Mettle_813B9B6C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mettle.yar#L25-L52"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "bb651d974ca3f349858db7b5a86f03a8d47d668294f27e709a823fa11e6963d7"
- logic_hash = "v1_sha256_a6a9cf424bf1ca7985e1c4b14123ed236208ffa3f7c9ffebbdd85765a90bfa54"
+ logic_hash = "a6a9cf424bf1ca7985e1c4b14123ed236208ffa3f7c9ffebbdd85765a90bfa54"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112384,7 +112384,7 @@ rule ELASTIC_Linux_Trojan_Mettle_78Aead1C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Trojan_Mettle.yar#L54-L81"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "864eae4f27648b8a9d9b0eb1894169aa739311cdd02b1435a34881acf7059d58"
- logic_hash = "v1_sha256_d68d37379b8a3a2d242030fd14884781488e9785823aa25fedfdd406748f8039"
+ logic_hash = "d68d37379b8a3a2d242030fd14884781488e9785823aa25fedfdd406748f8039"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112422,7 +112422,7 @@ rule ELASTIC_Windows_Trojan_Grandoreiro_51236Ba2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Windows_Trojan_Grandoreiro.yar#L1-L23"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1bdf381e7080d9bed3f52f4b3db1991a80d3e58120a5790c3d1609617d1f439e"
- logic_hash = "v1_sha256_9a8549a1dd82f56458ea8aee5c30243ac073d15c820de28d78a58d2c067b10d6"
+ logic_hash = "9a8549a1dd82f56458ea8aee5c30243ac073d15c820de28d78a58d2c067b10d6"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112455,7 +112455,7 @@ rule ELASTIC_Linux_Exploit_Enoket_79B52A4C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Enoket.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3ae8f7e7df62316400d0c5fe0139d7a48c9f184e92706b552aad3d827d3dbbbf"
- logic_hash = "v1_sha256_204082a3be602b3f6aebb013a46e6f9c98b5dad2476350afa60c1954b13598fe"
+ logic_hash = "204082a3be602b3f6aebb013a46e6f9c98b5dad2476350afa60c1954b13598fe"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112484,7 +112484,7 @@ rule ELASTIC_Linux_Exploit_Enoket_5969A348 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Enoket.yar#L21-L39"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4b4d7ca9e1ffa2c46cb097d4a014c59b1a9feb93b3adcb5936ef6a1dfef9b0ae"
- logic_hash = "v1_sha256_e47af0fba86c9152d17911b984070a8419b98da8916538ebb1065a5348da6e31"
+ logic_hash = "e47af0fba86c9152d17911b984070a8419b98da8916538ebb1065a5348da6e31"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112513,7 +112513,7 @@ rule ELASTIC_Linux_Exploit_Enoket_80Fac3E9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Enoket.yar#L41-L59"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3355ad81c566914a7d7734b40c46ded0cfa53aa22c6e834d42e185bf8bbe6128"
- logic_hash = "v1_sha256_19cb7f02ca80095293c4a09f7ea616c31364af1e4189a9211aaba54aaa2db14e"
+ logic_hash = "19cb7f02ca80095293c4a09f7ea616c31364af1e4189a9211aaba54aaa2db14e"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112542,7 +112542,7 @@ rule ELASTIC_Linux_Exploit_Enoket_7Da5F86A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Enoket.yar#L61-L79"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "406b003978d79d453d3e2c21b991b113bf2fc53ffbf3a1724c5b97a4903ef550"
- logic_hash = "v1_sha256_df5769a87230f5e563849302f32673b5f5de2595e12de72c27921d45edc58928"
+ logic_hash = "df5769a87230f5e563849302f32673b5f5de2595e12de72c27921d45edc58928"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112571,7 +112571,7 @@ rule ELASTIC_Linux_Exploit_Enoket_C77C0D6D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Enoket.yar#L81-L99"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3ae8f7e7df62316400d0c5fe0139d7a48c9f184e92706b552aad3d827d3dbbbf"
- logic_hash = "v1_sha256_504d61715bd5dba7f777fcb2d62eb53d8d54dad2dcf93f2fc2d7dcd359c4b994"
+ logic_hash = "504d61715bd5dba7f777fcb2d62eb53d8d54dad2dcf93f2fc2d7dcd359c4b994"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112600,7 +112600,7 @@ rule ELASTIC_Linux_Exploit_Enoket_Fbf508E1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Exploit_Enoket.yar#L101-L119"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d1fa8520d3c3811d29c3d5702e7e0e7296b3faef0553835c495223a2bc015214"
- logic_hash = "v1_sha256_21b1d69677c3fddb210dcf5947e8321abccd5a1ebbde8438a83fee5d4b29443d"
+ logic_hash = "21b1d69677c3fddb210dcf5947e8321abccd5a1ebbde8438a83fee5d4b29443d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112629,7 +112629,7 @@ rule ELASTIC_Linux_Generic_Threat_A658B75F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1-L20"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "df430ab9f5084a3e62a6c97c6c6279f2461618f038832305057c51b441c648d9"
- logic_hash = "v1_sha256_1ef7267438b8d15ed770f0784a7d428cbc2680144b0ef179337875d5b4038d08"
+ logic_hash = "1ef7267438b8d15ed770f0784a7d428cbc2680144b0ef179337875d5b4038d08"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112659,7 +112659,7 @@ rule ELASTIC_Linux_Generic_Threat_Ea5Ade9A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L22-L40"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d75189d883b739d9fe558637b1fab7f41e414937a8bae7a9d58347c223a1fcaa"
- logic_hash = "v1_sha256_12a9b5e54d6d528ecb559b6e2ea3aa72effa7f0efbf2c33581a4efedc292e4c1"
+ logic_hash = "12a9b5e54d6d528ecb559b6e2ea3aa72effa7f0efbf2c33581a4efedc292e4c1"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112688,7 +112688,7 @@ rule ELASTIC_Linux_Generic_Threat_80Aea077 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L42-L60"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "002827c41bc93772cd2832bc08dfc413302b1a29008adbb6822343861b9818f0"
- logic_hash = "v1_sha256_cab860ad5f0c49555adb845504acb4dbeabb94dbc287202be35020e055e6f27b"
+ logic_hash = "cab860ad5f0c49555adb845504acb4dbeabb94dbc287202be35020e055e6f27b"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112717,7 +112717,7 @@ rule ELASTIC_Linux_Generic_Threat_2E214A04 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L62-L81"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cad65816cc1a83c131fad63a545a4bd0bdaa45ea8cf039cbc6191e3c9f19dead"
- logic_hash = "v1_sha256_0d29aa6214b0a05f9af10cdc080ffa33452156e13c057f31997630cebcda294a"
+ logic_hash = "0d29aa6214b0a05f9af10cdc080ffa33452156e13c057f31997630cebcda294a"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112747,7 +112747,7 @@ rule ELASTIC_Linux_Generic_Threat_0B770605 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L83-L102"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "99418cbe1496d5cd4177a341e6121411bc1fab600d192a3c9772e8e6cd3c4e88"
- logic_hash = "v1_sha256_d4aae755870765a119ee7ae648d4388e0786e8ab6f7f196d81c6356be7d0ddfb"
+ logic_hash = "d4aae755870765a119ee7ae648d4388e0786e8ab6f7f196d81c6356be7d0ddfb"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112777,7 +112777,7 @@ rule ELASTIC_Linux_Generic_Threat_92064B27 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L104-L122"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8e5cfcda52656a98105a48783b9362bad22f61bcb6a12a27207a08de826432d9"
- logic_hash = "v1_sha256_adb9ed7280065f77440bd1e106bc800ebe6251119151cd54b76dc2917b013f65"
+ logic_hash = "adb9ed7280065f77440bd1e106bc800ebe6251119151cd54b76dc2917b013f65"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112806,7 +112806,7 @@ rule ELASTIC_Linux_Generic_Threat_De6Be095 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L124-L143"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2431239d6e60ca24a5440e6c92da62b723a7e35c805f04db6b80f96c8cf9fee6"
- logic_hash = "v1_sha256_cbd7578830169703b047adb1785b05d226f2507a65c203ee344d8e2b3a24f6c9"
+ logic_hash = "cbd7578830169703b047adb1785b05d226f2507a65c203ee344d8e2b3a24f6c9"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112836,7 +112836,7 @@ rule ELASTIC_Linux_Generic_Threat_898D9308 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L145-L164"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ce89863a16787a6f39c25fd15ee48c4d196223668a264217f5d1cea31f8dc8ef"
- logic_hash = "v1_sha256_8b5deedf18d660d0b76dc987843ff5cc01432536a04ab4925e9b08269fd847e4"
+ logic_hash = "8b5deedf18d660d0b76dc987843ff5cc01432536a04ab4925e9b08269fd847e4"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112866,7 +112866,7 @@ rule ELASTIC_Linux_Generic_Threat_23D54A0E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L166-L185"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a2b54f789a1c4cbed13e0e2a5ab61e0ce5bb42d44fe52ad4b7dd3da610045257"
- logic_hash = "v1_sha256_7e52eaf9c49bd6cbdb89b0c525b448864e1ea55d00bc052898613174fe5956cc"
+ logic_hash = "7e52eaf9c49bd6cbdb89b0c525b448864e1ea55d00bc052898613174fe5956cc"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112896,7 +112896,7 @@ rule ELASTIC_Linux_Generic_Threat_D7802B0A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L187-L205"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a2b54f789a1c4cbed13e0e2a5ab61e0ce5bb42d44fe52ad4b7dd3da610045257"
- logic_hash = "v1_sha256_3e1452204fef11d63870af5f143ae73f4b8e5a4db83a53851444fbf8a0ea6a26"
+ logic_hash = "3e1452204fef11d63870af5f143ae73f4b8e5a4db83a53851444fbf8a0ea6a26"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -112925,7 +112925,7 @@ rule ELASTIC_Linux_Generic_Threat_08E4Ee8C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L207-L225"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "35eeba173fb481ac30c40c1659ccc129eae2d4d922e27cf071047698e8d95aea"
- logic_hash = "v1_sha256_a927415afbab32adee49a583fc35bc3d44764f87bbbb3497b38af6feb92cd9a8"
+ logic_hash = "a927415afbab32adee49a583fc35bc3d44764f87bbbb3497b38af6feb92cd9a8"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -112954,7 +112954,7 @@ rule ELASTIC_Linux_Generic_Threat_D60E5924 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L227-L246"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fdcc2366033541053a7c2994e1789f049e9e6579226478e2b420ebe8a7cebcd3"
- logic_hash = "v1_sha256_012111e4a38c1f901dcd830cc26ef8dcfbde7986fcc8b8eebddb8d8b7a0cec6a"
+ logic_hash = "012111e4a38c1f901dcd830cc26ef8dcfbde7986fcc8b8eebddb8d8b7a0cec6a"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -112984,7 +112984,7 @@ rule ELASTIC_Linux_Generic_Threat_6Bed4416 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L248-L266"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a2b54f789a1c4cbed13e0e2a5ab61e0ce5bb42d44fe52ad4b7dd3da610045257"
- logic_hash = "v1_sha256_c098e27a12d5d10af67d1b78572bc7daeb500504527428366e1d9a4e55e0f4d7"
+ logic_hash = "c098e27a12d5d10af67d1b78572bc7daeb500504527428366e1d9a4e55e0f4d7"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113013,7 +113013,7 @@ rule ELASTIC_Linux_Generic_Threat_Fc5B5B86 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L268-L286"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "134b063d9b5faed11c6db6848f800b63748ca81aeca46caa0a7c447d07a9cd9b"
- logic_hash = "v1_sha256_a11ed323df7283188cf99ca89abbd18673fef88660df1150d4dc72de04a836a8"
+ logic_hash = "a11ed323df7283188cf99ca89abbd18673fef88660df1150d4dc72de04a836a8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113042,7 +113042,7 @@ rule ELASTIC_Linux_Generic_Threat_2C8D824C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L288-L306"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9106bdd27e67d6eebfaec5b1482069285949de10afb28a538804ce64add88890"
- logic_hash = "v1_sha256_c8fc90ec5e93ff39443f513e83f34140819a30b737da2a412ba97a7b221ca9dc"
+ logic_hash = "c8fc90ec5e93ff39443f513e83f34140819a30b737da2a412ba97a7b221ca9dc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113071,7 +113071,7 @@ rule ELASTIC_Linux_Generic_Threat_936B24D5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L308-L326"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "fb8eb0c876148a4199cc873b84fd9c1c6abc1341e02d118f72ffb0dae37592a4"
- logic_hash = "v1_sha256_972bbc4950c49ff7bc880b1d24b586072eb8541584b97a00ac501fac133a3157"
+ logic_hash = "972bbc4950c49ff7bc880b1d24b586072eb8541584b97a00ac501fac133a3157"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113100,7 +113100,7 @@ rule ELASTIC_Linux_Generic_Threat_98Bbca63 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L328-L347"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1d4d3d8e089dcca348bb4a5115ee2991575c70584dce674da13b738dd0d6ff98"
- logic_hash = "v1_sha256_1728d47b3f364cff02ae61ccf381ecab0c1fe46a5c76d832731fdf7acc1caf55"
+ logic_hash = "1728d47b3f364cff02ae61ccf381ecab0c1fe46a5c76d832731fdf7acc1caf55"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113130,7 +113130,7 @@ rule ELASTIC_Linux_Generic_Threat_9Aaf894F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L349-L367"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "467ac05956eec6c74217112721b3008186b2802af2cafed6d2038c79621bcb08"
- logic_hash = "v1_sha256_b28d6a8c23aba4371e2e5f48861d2bcc8bdfa7212738eda7b1b4a3059d159cf2"
+ logic_hash = "b28d6a8c23aba4371e2e5f48861d2bcc8bdfa7212738eda7b1b4a3059d159cf2"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113159,7 +113159,7 @@ rule ELASTIC_Linux_Generic_Threat_Ba3A047D : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L369-L388"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3064e89f3585f7f5b69852f1502e34a8423edf5b7da89b93fb8bd0bef0a28b8b"
- logic_hash = "v1_sha256_ffcfb90c0c796b7b343adbd2142193759ececddd0700c0bb4e2898947464b1a2"
+ logic_hash = "ffcfb90c0c796b7b343adbd2142193759ececddd0700c0bb4e2898947464b1a2"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113189,7 +113189,7 @@ rule ELASTIC_Linux_Generic_Threat_902Cfdc5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L390-L408"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3fa5057e1be1cfeb73f6ebcdf84e00c37e9e09f1bec347d5424dd730a2124fa8"
- logic_hash = "v1_sha256_0f86914cb598262744660e65048f75d071307ae47d069971bfcd049a7d4b36e5"
+ logic_hash = "0f86914cb598262744660e65048f75d071307ae47d069971bfcd049a7d4b36e5"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113218,7 +113218,7 @@ rule ELASTIC_Linux_Generic_Threat_094C1238 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L410-L428"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2bfe7d51d59901af345ef06dafd8f0e950dcf8461922999670182bfc7082befd"
- logic_hash = "v1_sha256_fb82e16bf153c88377cc8655557bc1f021af6e04e1160129ce9555e078d00a0d"
+ logic_hash = "fb82e16bf153c88377cc8655557bc1f021af6e04e1160129ce9555e078d00a0d"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113247,7 +113247,7 @@ rule ELASTIC_Linux_Generic_Threat_A8Faf785 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L430-L448"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6028562baf0a7dd27329c8926585007ba3e0648da25088204ebab2ac8f723e70"
- logic_hash = "v1_sha256_3ab5d9ba39be2553173f6eb4d2a1ca22bfb9f1bd537fed247f273eba1eabd782"
+ logic_hash = "3ab5d9ba39be2553173f6eb4d2a1ca22bfb9f1bd537fed247f273eba1eabd782"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113276,7 +113276,7 @@ rule ELASTIC_Linux_Generic_Threat_04E8E4A5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L450-L468"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "248f010f18962c8d1cc4587e6c8b683a120a1e838d091284ba141566a8a01b92"
- logic_hash = "v1_sha256_9b04725bf0a75340c011028b201ed08eb9de305a5b4630cc79156c0a847cdc9e"
+ logic_hash = "9b04725bf0a75340c011028b201ed08eb9de305a5b4630cc79156c0a847cdc9e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113305,7 +113305,7 @@ rule ELASTIC_Linux_Generic_Threat_47B147Ec : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L470-L488"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cc7734a10998a4878b8f0c362971243ea051ce6c1689444ba6e71aea297fb70d"
- logic_hash = "v1_sha256_84c68f2ed76d644122daf81d41d4eb0be9aa8b1c82993464d3138ae30992110f"
+ logic_hash = "84c68f2ed76d644122daf81d41d4eb0be9aa8b1c82993464d3138ae30992110f"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113334,7 +113334,7 @@ rule ELASTIC_Linux_Generic_Threat_887671E9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L490-L508"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "701c7c75ed6a7aaf59f5a1f04192a1f7d49d73c1bd36453aed703ad5560606dc"
- logic_hash = "v1_sha256_eefe9391a9ce716dbe16f11b8ccea89d032fdad42fcabd84ffe584409c550847"
+ logic_hash = "eefe9391a9ce716dbe16f11b8ccea89d032fdad42fcabd84ffe584409c550847"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113363,7 +113363,7 @@ rule ELASTIC_Linux_Generic_Threat_9Cf10F10 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L510-L528"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d07c9be37dc37f43a54c8249fe887dbc4058708f238ff3d95ed21f874cbb84e8"
- logic_hash = "v1_sha256_ca4ae64b73fb7013008e8049d17479032d904a3faf5ad0f2ad079971a231a3b8"
+ logic_hash = "ca4ae64b73fb7013008e8049d17479032d904a3faf5ad0f2ad079971a231a3b8"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113392,7 +113392,7 @@ rule ELASTIC_Linux_Generic_Threat_75813Ab2 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L530-L549"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5819eb73254fd2a698eb71bd738cf3df7beb65e8fb5e866151e8135865e3fd9a"
- logic_hash = "v1_sha256_06e5daed278273137e416ef3ee6ac8496b144a9c3ce213ec92881ba61d7db6cb"
+ logic_hash = "06e5daed278273137e416ef3ee6ac8496b144a9c3ce213ec92881ba61d7db6cb"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113422,7 +113422,7 @@ rule ELASTIC_Linux_Generic_Threat_11041685 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L551-L570"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "296440107afb1c8c03e5efaf862f2e8cc6b5d2cf979f2c73ccac859d4b78865a"
- logic_hash = "v1_sha256_19f4109e73981424527ece8c375274f97fd3042427b7875071451a8081a9aae7"
+ logic_hash = "19f4109e73981424527ece8c375274f97fd3042427b7875071451a8081a9aae7"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113452,7 +113452,7 @@ rule ELASTIC_Linux_Generic_Threat_0D22F19C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L572-L591"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "da5a204af600e73184455d44aa6e01d82be8b480aa787b28a1df88bb281eb4db"
- logic_hash = "v1_sha256_ee43796b0717717cb012385d5bb3aece433c11780f1a293d280c39411f9fed98"
+ logic_hash = "ee43796b0717717cb012385d5bb3aece433c11780f1a293d280c39411f9fed98"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113482,7 +113482,7 @@ rule ELASTIC_Linux_Generic_Threat_4A46B0E1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L593-L612"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "3ba47ba830ab8deebd9bb906ea45c7df1f7a281277b44d43c588c55c11eba34a"
- logic_hash = "v1_sha256_e3f6804f502fad8c893fb4c3c27506b6ef17d7e0d0a01399c6d185bad92e895a"
+ logic_hash = "e3f6804f502fad8c893fb4c3c27506b6ef17d7e0d0a01399c6d185bad92e895a"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113512,7 +113512,7 @@ rule ELASTIC_Linux_Generic_Threat_0A02156C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L614-L633"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "f23d4b1fd10e3cdd5499a12f426e72cdf0a098617e6b178401441f249836371e"
- logic_hash = "v1_sha256_3ceea812f0252ec703a92482ce7a3ef0aa65bad149df2aa0107e07a45490b8f1"
+ logic_hash = "3ceea812f0252ec703a92482ce7a3ef0aa65bad149df2aa0107e07a45490b8f1"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113542,7 +113542,7 @@ rule ELASTIC_Linux_Generic_Threat_6D7Ec30A : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L635-L654"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "1cad1ddad84cdd8788478c529ed4a5f25911fb98d0a6241dcf5f32b0cdfc3eb0"
- logic_hash = "v1_sha256_33c705b89a82989c25fc67f50b06aa3a613cae567ec652d86ae64bad4b253c28"
+ logic_hash = "33c705b89a82989c25fc67f50b06aa3a613cae567ec652d86ae64bad4b253c28"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113572,7 +113572,7 @@ rule ELASTIC_Linux_Generic_Threat_900Ffdd4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L656-L674"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "a3e1a1f22f6d32931d3f72c35a5ee50092b5492b3874e9e6309d015d82bddc5d"
- logic_hash = "v1_sha256_eb69bfc146b32e790fffdf4588b583335d2006182070b53fec43bb6e4971d779"
+ logic_hash = "eb69bfc146b32e790fffdf4588b583335d2006182070b53fec43bb6e4971d779"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113601,7 +113601,7 @@ rule ELASTIC_Linux_Generic_Threat_Cb825102 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L676-L694"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4e24b72b24026e3dfbd65ddab9194bd03d09446f9ff0b3bcec76efbb5c096584"
- logic_hash = "v1_sha256_ac48f32ec82aac6df0697729d14aaee65fba82d91173332cd13c6ccccd63b1be"
+ logic_hash = "ac48f32ec82aac6df0697729d14aaee65fba82d91173332cd13c6ccccd63b1be"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113630,7 +113630,7 @@ rule ELASTIC_Linux_Generic_Threat_3Bcc1630 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L696-L716"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "62a6866e924af2e2f5c8c1f5009ce64000acf700bb5351a47c7cfce6a4b2ffeb"
- logic_hash = "v1_sha256_6f602aac6db46ac3f5b7716a1dac53b5dbd2c583505644bfc617d69be0a2d4de"
+ logic_hash = "6f602aac6db46ac3f5b7716a1dac53b5dbd2c583505644bfc617d69be0a2d4de"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -113661,7 +113661,7 @@ rule ELASTIC_Linux_Generic_Threat_5D5Fd28E : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L718-L738"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5b179a117e946ce639e99ff42ab70616ed9f3953ff90b131b4b3063f970fa955"
- logic_hash = "v1_sha256_b29ca34b98ee87151496f900fa3558190127957539afac3fd99db2dc51980213"
+ logic_hash = "b29ca34b98ee87151496f900fa3558190127957539afac3fd99db2dc51980213"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -113692,7 +113692,7 @@ rule ELASTIC_Linux_Generic_Threat_B0B891Fb : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L740-L759"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d666bc0600075f01d8139f8b09c5f4e4da17fa06a86ebb3fa0dc478562e541ae"
- logic_hash = "v1_sha256_9ec82691a230f3240b1253f99a45cd0baa3238b6fd533004a22a6152b6ac9a12"
+ logic_hash = "9ec82691a230f3240b1253f99a45cd0baa3238b6fd533004a22a6152b6ac9a12"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113722,7 +113722,7 @@ rule ELASTIC_Linux_Generic_Threat_Cd9Ce063 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L761-L779"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "485581520dd73429b662b73083d504aa8118e01c5d37c1c08b21a5db0341a19d"
- logic_hash = "v1_sha256_ba070c2147028cad4be1c139b16a770c9d9854456d073373a93ed0b213f7b34c"
+ logic_hash = "ba070c2147028cad4be1c139b16a770c9d9854456d073373a93ed0b213f7b34c"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113751,7 +113751,7 @@ rule ELASTIC_Linux_Generic_Threat_B8B076F4 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L781-L799"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "4496e77ff00ad49a32e090750cb10c55e773752f4a50be05e3c7faacc97d2677"
- logic_hash = "v1_sha256_37f3be4cbda4a93136d66e32d7245d4c962a9fe1c98fb0325f42a1d16d6d9415"
+ logic_hash = "37f3be4cbda4a93136d66e32d7245d4c962a9fe1c98fb0325f42a1d16d6d9415"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113780,7 +113780,7 @@ rule ELASTIC_Linux_Generic_Threat_1Ac392Ca : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L801-L819"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "dca2d035b1f7191f7876eb727b13c308f63fe8f899cab643526f9492ec0fa16f"
- logic_hash = "v1_sha256_6ffa5099c0d18644cd11a0511db542d2f809e4cba974eccca814fedf5a2b0a5b"
+ logic_hash = "6ffa5099c0d18644cd11a0511db542d2f809e4cba974eccca814fedf5a2b0a5b"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -113809,7 +113809,7 @@ rule ELASTIC_Linux_Generic_Threat_949Bf68C : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L821-L839"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cc1b339ff6b33912a8713c192e8743d1207917825b62b6f585ab7c8d6ab4c044"
- logic_hash = "v1_sha256_aaae0a8a2827786513891bc8c3e3418823ae3f3291d891e80e82113b929f7513"
+ logic_hash = "aaae0a8a2827786513891bc8c3e3418823ae3f3291d891e80e82113b929f7513"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113838,7 +113838,7 @@ rule ELASTIC_Linux_Generic_Threat_Bd35454B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L841-L860"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "cd729507d2e17aea23a56a56e0c593214dbda4197e8a353abe4ed0c5fbc4799c"
- logic_hash = "v1_sha256_d3619cdb002b4ac7167716234058f949623c42a64614f5eb7956866b68fff5e4"
+ logic_hash = "d3619cdb002b4ac7167716234058f949623c42a64614f5eb7956866b68fff5e4"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113868,7 +113868,7 @@ rule ELASTIC_Linux_Generic_Threat_1E047045 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L862-L880"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "2c49772d89bcc4ad4ed0cc130f91ed0ce1e625262762a4e9279058f36f4f5841"
- logic_hash = "v1_sha256_0d28df53e030664e7225f1170888b51e94e64833537c5add3e10cfdb4f029a3a"
+ logic_hash = "0d28df53e030664e7225f1170888b51e94e64833537c5add3e10cfdb4f029a3a"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113897,7 +113897,7 @@ rule ELASTIC_Linux_Generic_Threat_1973391F : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L882-L901"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "7bd76010f18061aeaf612ad96d7c03341519d85f6a1683fc4b2c74ea0508fe1f"
- logic_hash = "v1_sha256_632a43b68e498f463ff5dfa78212646b8bd108ea47ff11164c8c1a69e830c1ac"
+ logic_hash = "632a43b68e498f463ff5dfa78212646b8bd108ea47ff11164c8c1a69e830c1ac"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -113927,7 +113927,7 @@ rule ELASTIC_Linux_Generic_Threat_66D00A84 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L903-L921"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "464e144bcbb54fc34262b4d81143f4e69e350fb526c803ebea1fdcfc8e57bf33"
- logic_hash = "v1_sha256_a1d60619d72b3309bfaaf8b4085dd5ed90142ff3e9ebfe80fcd7beba5f14a62e"
+ logic_hash = "a1d60619d72b3309bfaaf8b4085dd5ed90142ff3e9ebfe80fcd7beba5f14a62e"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113956,7 +113956,7 @@ rule ELASTIC_Linux_Generic_Threat_D2Dca9E7 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L923-L941"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9b10bb3773011c4da44bf3a0f05b83079e4ad30f0b1eb2636a6025b927e03c7f"
- logic_hash = "v1_sha256_175b9a80314cf280b995a012f13e65bd4ce7e27faebf02ae5abe978dbd14447c"
+ logic_hash = "175b9a80314cf280b995a012f13e65bd4ce7e27faebf02ae5abe978dbd14447c"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -113985,7 +113985,7 @@ rule ELASTIC_Linux_Generic_Threat_1F5D056B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L943-L962"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "99d982701b156fe3523b359498c2d03899ea9805d6349416c9702b1067293471"
- logic_hash = "v1_sha256_8ad23b593880dc1bebc95c92d0efc3a90e6b1e143c350e30b1a4258502ce7fc7"
+ logic_hash = "8ad23b593880dc1bebc95c92d0efc3a90e6b1e143c350e30b1a4258502ce7fc7"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -114015,7 +114015,7 @@ rule ELASTIC_Linux_Generic_Threat_D94E1020 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L964-L982"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "96a2bfbb55250b784e94b1006391cc51e4adecbdde1fe450eab53353186f6ff0"
- logic_hash = "v1_sha256_e4b4e588588080c66076aec02f56b4764a5f72059922db9651461c0287fe0351"
+ logic_hash = "e4b4e588588080c66076aec02f56b4764a5f72059922db9651461c0287fe0351"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -114044,7 +114044,7 @@ rule ELASTIC_Linux_Generic_Threat_Aa0C23D5 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L984-L1004"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8314290b81b827e1a1d157c41916a41a1c033e4f74876acc6806ed79ebbcc13d"
- logic_hash = "v1_sha256_092f0ece2dfca3e02493c00afffe48ca4feccf56ab6f22d952a7ba5f115f3765"
+ logic_hash = "092f0ece2dfca3e02493c00afffe48ca4feccf56ab6f22d952a7ba5f115f3765"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -114075,7 +114075,7 @@ rule ELASTIC_Linux_Generic_Threat_8299C877 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1006-L1024"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "60c486049ec82b4fa2e0a53293ae6476216b76e2c23238ef1c723ac0a2ae070c"
- logic_hash = "v1_sha256_3e0653a02517faa3037fc5f3f01f6fb11164fecafc6eca457a122ef2d1a99010"
+ logic_hash = "3e0653a02517faa3037fc5f3f01f6fb11164fecafc6eca457a122ef2d1a99010"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -114104,7 +114104,7 @@ rule ELASTIC_Linux_Generic_Threat_81Aa5579 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1026-L1044"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6be0e2c98ba5255b76c31f689432a9de83a0d76a898c28dbed0ba11354fec6c2"
- logic_hash = "v1_sha256_c94d590daf61217335a72f3e1bc24b09084cf0a5a174c013c5aa97c01707c2bc"
+ logic_hash = "c94d590daf61217335a72f3e1bc24b09084cf0a5a174c013c5aa97c01707c2bc"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -114133,7 +114133,7 @@ rule ELASTIC_Linux_Generic_Threat_F2452362 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1046-L1065"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5ff46c27b5823e55f25c9567d687529a24a0d52dea5bc2423b36345782e6b8f6"
- logic_hash = "v1_sha256_95d51077cb7c0f4b089a2e2ee8fcbab204264ade7ddd64fc1ee0176183dc84e0"
+ logic_hash = "95d51077cb7c0f4b089a2e2ee8fcbab204264ade7ddd64fc1ee0176183dc84e0"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -114163,7 +114163,7 @@ rule ELASTIC_Linux_Generic_Threat_Da28Eb8B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1067-L1086"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "b3b4fcd19d71814d3b4899528ee9c3c2188e4a7a4d8ddb88859b1a6868e8433f"
- logic_hash = "v1_sha256_8b0892d0dd8a012a1f9cd87a0ad3321ae751dd17a96205c12e6648946cf2afe2"
+ logic_hash = "8b0892d0dd8a012a1f9cd87a0ad3321ae751dd17a96205c12e6648946cf2afe2"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -114193,7 +114193,7 @@ rule ELASTIC_Linux_Generic_Threat_A40Aaa96 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1088-L1108"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "6f965252141084524f85d94169b13938721bce24cc986bf870473566b7cfd81b"
- logic_hash = "v1_sha256_ab05cbf494b3b78083fd3e71703effed797d803b0203f8a413eb69b746656b1d"
+ logic_hash = "ab05cbf494b3b78083fd3e71703effed797d803b0203f8a413eb69b746656b1d"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -114224,7 +114224,7 @@ rule ELASTIC_Linux_Generic_Threat_E24558E1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1110-L1130"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "9f483ddd8971cad4b25bb36a5a0cfb95c35a12c7d5cb9124ef0cfd020da63e99"
- logic_hash = "v1_sha256_f1f33c719a4b41968c137ed43aa0591f97b4558d4dd9bd160df519dfbbc49205"
+ logic_hash = "f1f33c719a4b41968c137ed43aa0591f97b4558d4dd9bd160df519dfbbc49205"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -114255,7 +114255,7 @@ rule ELASTIC_Linux_Generic_Threat_Ace836F1 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1132-L1150"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "116aaba80e2f303206d0ba84c8c58a4e3e34b70a8ca2717fa9cf1aa414d5ffcc"
- logic_hash = "v1_sha256_c80af9d6f3e4d92cfa53429abbda944069d335fc89421a89e04089d236f5dddf"
+ logic_hash = "c80af9d6f3e4d92cfa53429abbda944069d335fc89421a89e04089d236f5dddf"
 score = 75
 quality = 73
 tags = "FILE, MEMORY"
@@ -114284,7 +114284,7 @@ rule ELASTIC_Linux_Generic_Threat_E9Aef030 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1152-L1170"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "5ab72be12cca8275d95a90188a1584d67f95d43a7903987e734002983b5a3925"
- logic_hash = "v1_sha256_1d458e147d6667e2e0740d6d26fee05ac02f49e9eba30002852e723308b1b462"
+ logic_hash = "1d458e147d6667e2e0740d6d26fee05ac02f49e9eba30002852e723308b1b462"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -114313,7 +114313,7 @@ rule ELASTIC_Linux_Generic_Threat_A3C5F3Bd : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1172-L1192"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "8c093bcf3d83545ec442519637c956d2af62193ea6fd2769925cacda54e672b6"
- logic_hash = "v1_sha256_41e66d1f47e7197662aa661ef49ee1f3191fee07a49538dd631ce9cc6fdd56be"
+ logic_hash = "41e66d1f47e7197662aa661ef49ee1f3191fee07a49538dd631ce9cc6fdd56be"
 score = 75
 quality = 69
 tags = "FILE, MEMORY"
@@ -114344,7 +114344,7 @@ rule ELASTIC_Linux_Generic_Threat_3Fa2Df51 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1194-L1213"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "89ec224db6b63936e8bc772415d785ef063bfd9343319892e832034696ff6f15"
- logic_hash = "v1_sha256_f43b659dd093a635d9723b2443366763132217aaf28c582ed43f180725f92f19"
+ logic_hash = "f43b659dd093a635d9723b2443366763132217aaf28c582ed43f180725f92f19"
 score = 75
 quality = 71
 tags = "FILE, MEMORY"
@@ -114374,7 +114374,7 @@ rule ELASTIC_Linux_Generic_Threat_Be02B1C9 : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Generic_Threat.yar#L1215-L1233"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "ef6d47ed26f9ac96836f112f1085656cf73fc445c8bacdb737b8be34d8e3bcd2"
- logic_hash = "v1_sha256_a278c3a8033139d84c99a53901526895b154b5ef363fbeed47095889a5fb8d31"
+ logic_hash = "a278c3a8033139d84c99a53901526895b154b5ef363fbeed47095889a5fb8d31"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -114403,7 +114403,7 @@ rule ELASTIC_Linux_Hacktool_Infectionmonkey_6C84537B : FILE MEMORY
 source_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/yara/rules/Linux_Hacktool_Infectionmonkey.yar#L1-L19"
 license_url = "https://github.com/elastic/protections-artifacts//blob/c6eb0081d3784ad249bb8c3aa419fbfe54263215/LICENSE.txt"
 hash = "d941943046db48cf0eb7f11e144a79749848ae6b50014833c5390936e829f6c3"
- logic_hash = "v1_sha256_24cb368040fffe2743d0361a955d45a62a95a31c1744f3de15089169e365bb89"
+ logic_hash = "24cb368040fffe2743d0361a955d45a62a95a31c1744f3de15089169e365bb89"
 score = 75
 quality = 75
 tags = "FILE, MEMORY"
@@ -114424,7 +114424,7 @@ rule ELASTIC_Linux_Hacktool_Infectionmonkey_6C84537B : FILE MEMORY
 * YARA Rule Set
 * Repository Name: R3c0nst
 * Repository: https://github.com/fboldewin/YARA-rules/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 54e9e6899b258b72074b2b4db6909257683240c2
 * Number of Rules: 26
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -114439,13 +114439,13 @@ rule R3C0NST_ATM_Malware_Xfscashncr : FILE
 meta:
 description = "Detects ATM Malware XFSCashNCR"
 author = "Frank Boldewin (@r3c0nst)"
- id = "83ed9f7a-a7f3-595d-b3cf-6e841c8d2e85"
+ id = "8886cd00-4f4a-5f25-99e0-0806f5e1b4b4"
 date = "2019-08-28"
 modified = "2019-08-28"
 reference = "https://twitter.com/r3c0nst/status/1166773324548063232"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.XFSCashNCR.yar#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_87f197058d4b515cb4829b5e403a96b88eb95cda81e53a9e1484df8c743d8c4a"
+ logic_hash = "87f197058d4b515cb4829b5e403a96b88eb95cda81e53a9e1484df8c743d8c4a"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114471,13 +114471,13 @@ rule R3C0NST_Nighthawk_RAT : FILE
 meta:
 description = "Detects Nighthawk RAT"
 author = "Frank Boldewin (@r3c0nst)"
- id = "1918c4cb-ca5b-5610-9afc-8dc8dd956a2a"
+ id = "7a58b8bf-fb14-5758-bc2a-ad2c6fff1216"
 date = "2022-11-30"
 modified = "2022-11-30"
 reference = "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/nighthawk.yar#L3-L28"
 license_url = "N/A"
- logic_hash = "v1_sha256_5124f7c0186f40cf0a7706e17afe6ba791ca82ac4f4ee940f6fbae5223771a95"
+ logic_hash = "5124f7c0186f40cf0a7706e17afe6ba791ca82ac4f4ee940f6fbae5223771a95"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114503,13 +114503,13 @@ rule R3C0NST_ATM_Malware_XFS_ALICE : FILE
 meta:
 description = "Detects ATM Malware ALICE"
 author = "Frank Boldewin (@r3c0nst)"
- id = "4f2a179d-acb7-5598-a30e-e8ca091d48ad"
+ id = "6132730c-4684-517a-b90d-98ed250e2cba"
 date = "2020-01-09"
 modified = "2020-08-17"
 reference = "https://twitter.com/r3c0nst/status/1215265889844637696"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.ALICE.yar#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_7dca049f024f09c2e778b0693a1015d1fc5a006fc564de914e85231cb5d73da3"
+ logic_hash = "7dca049f024f09c2e778b0693a1015d1fc5a006fc564de914e85231cb5d73da3"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114534,13 +114534,13 @@ rule R3C0NST_UNC2891_Steelcorgi : FILE
 meta:
 description = "Detects UNC2891 Steelcorgi packed ELF binaries"
 author = "Frank Boldewin (@r3c0nst)"
- id = "cad44f28-4757-5844-a2b1-15ac84a202e8"
+ id = "94da7da5-5fc3-5221-97d6-1854aa7b1959"
 date = "2022-03-30"
 modified = "2023-01-05"
 reference = "https://github.com/fboldewin/YARA-rules/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Steelcorgi.yar#L1-L17"
 license_url = "N/A"
- logic_hash = "v1_sha256_4f956b9eaec66bc606ffd0afa2fe9303194e9a8c12d4c3de6ab2334c9856dd99"
+ logic_hash = "4f956b9eaec66bc606ffd0afa2fe9303194e9a8c12d4c3de6ab2334c9856dd99"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114560,13 +114560,13 @@ rule R3C0NST_ATM_Malware_Javadispcash : FILE
 meta:
 description = "Detects ATM Malware JavaDispCash"
 author = "Frank Boldewin (@r3c0nst)"
- id = "aaf0bb83-6760-5060-b80d-79bd9d619da1"
+ id = "606d1cb6-7879-569e-ac36-1e2f6a446dc1"
 date = "2019-03-28"
 modified = "2019-03-28"
 reference = "https://twitter.com/r3c0nst/status/1111254169623674882"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Mal.JavaDispCash.yar#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_dd7c2ccc85038f3ba563f7f814c03668448b292fde36bcf9d06bf20fd341526f"
+ logic_hash = "dd7c2ccc85038f3ba563f7f814c03668448b292fde36bcf9d06bf20fd341526f"
 score = 75
 quality = 74
 tags = "FILE"
@@ -114591,13 +114591,13 @@ rule R3C0NST_ATM_Malware_ATMITCH : FILE
 meta:
 description = "Detects ATM Malware ATMItch"
 author = "Frank Boldewin (@r3c0nst)"
- id = "7036ee7d-e608-588d-abda-12c831c7ebfd"
+ id = "4d7e9615-9db6-5fc7-b95e-b8c7b2c034a8"
 date = "2019-03-18"
 modified = "2019-03-18"
 reference = "https://github.com/fboldewin/YARA-rules/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.ATMItch.yar#L3-L14"
 license_url = "N/A"
- logic_hash = "v1_sha256_4278cbcd8c465ba57b65a166e0bd48dcc73eae8660972478d3116bc0d73cf3c4"
+ logic_hash = "4278cbcd8c465ba57b65a166e0bd48dcc73eae8660972478d3116bc0d73cf3c4"
 score = 75
 quality = 82
 tags = "FILE"
@@ -114618,13 +114618,13 @@ rule R3C0NST_ATM_Malware_Dispenserxfs : FILE
 meta:
 description = "No description has been set in the source file - R3c0nst"
 author = "Frank Boldewin"
- id = "2cf94883-2fdc-5acc-bb90-fe5981ddc709"
+ id = "52b1aa57-283b-54d7-bd1b-fb5da5f8d269"
 date = "2019-02-28"
 modified = "2019-02-28"
 reference = "https://github.com/fboldewin/YARA-rules/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.DispenserXFS.yar#L3-L13"
 license_url = "N/A"
- logic_hash = "v1_sha256_0e588e2ba03d5eb750183600cce278e791a71f86fbf933ba9d7fda352bd37e2f"
+ logic_hash = "0e588e2ba03d5eb750183600cce278e791a71f86fbf933ba9d7fda352bd37e2f"
 score = 75
 quality = 59
 tags = "FILE"
@@ -114642,13 +114642,13 @@ rule R3C0NST_Prolock_Malware : FILE
 meta:
 description = "Detects Prolock malware in encrypted and decrypted mode"
 author = "Frank Boldewin (@r3c0nst)"
- id = "4bc35837-dada-586c-a152-11ede6268c71"
+ id = "1440b5f5-f1e7-522e-8852-84c326858bb9"
 date = "2020-05-17"
 modified = "2020-05-20"
 reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Prolock.Malware.yar"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Prolock.Malware.yar#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_7502011eba1e36c8ec699f1b627c4980cc3009bb43c5aa5a58571330e93211ea"
+ logic_hash = "7502011eba1e36c8ec699f1b627c4980cc3009bb43c5aa5a58571330e93211ea"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114671,13 +114671,13 @@ rule R3C0NST_Stealbit : FILE
 meta:
 description = "Detects Stealbit used by Lockbit 2.0 Ransomware Gang"
 author = "Frank Boldewin (@r3c0nst)"
- id = "c24b0fac-2279-5b4e-9f0e-3e506d040081"
+ id = "07b466cb-92b3-51f2-a702-2930bb7038c6"
 date = "2021-08-12"
 modified = "2021-08-12"
 reference = "https://raw.githubusercontent.com/fboldewin/YARA-rules/master/Lockbit2.Stealbit.yar"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Lockbit2.Stealbit.yar#L1-L15"
 license_url = "N/A"
- logic_hash = "v1_sha256_e5f770cc5887f09af0c5550073d51b9e5ffa9dcfa4db6b77bb28643f0f6224fb"
+ logic_hash = "e5f770cc5887f09af0c5550073d51b9e5ffa9dcfa4db6b77bb28643f0f6224fb"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114697,14 +114697,14 @@ rule R3C0NST_ATM_Malware_Atmspitter : FILE
 meta:
 description = "Detects ATM Malware ATMSpitter"
 author = "Frank Boldewin (@r3c0nst)"
- id = "f9085803-ed52-5bc6-a7e0-931ea006e85d"
+ id = "4497f304-6f04-5f5d-91ba-9124e5262078"
 date = "2016-07-20"
 modified = "2019-03-29"
 reference = "https://topics.amcham.com.tw/2017/02/looking-back-at-the-first-banks-atm-heist/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.ATMSpitter.yar#L3-L21"
 license_url = "N/A"
 hash = "658b0502b53f718bd0611a638dfd5969"
- logic_hash = "v1_sha256_684820ed29c50a41bd262862cb97c70c0cbb8554e7e4be300986519423249c50"
+ logic_hash = "684820ed29c50a41bd262862cb97c70c0cbb8554e7e4be300986519423249c50"
 score = 75
 quality = 65
 tags = "FILE"
@@ -114721,13 +114721,13 @@ rule R3C0NST_Exploit_Outlook_CVE_2023_23397 : CVE_2023_23397 FILE
 meta:
 description = "Detects Outlook appointments exploiting CVE-2023-23397"
 author = "Frank Boldewin"
- id = "126d94fe-b26d-5237-a1f6-af87cd60bbef"
+ id = "7e355e5f-93ca-561d-9a12-f73f1d429e4d"
 date = "2023-03-19"
 modified = "2023-03-25"
 reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Exploit_Outlook_CVE_2023_23397.yar#L1-L30"
 license_url = "N/A"
- logic_hash = "v1_sha256_1847e8223b2f6d3ec5108e15ee46ef031ee1e26d3a5e8ed4a70c77b031f6a5b6"
+ logic_hash = "1847e8223b2f6d3ec5108e15ee46ef031ee1e26d3a5e8ed4a70c77b031f6a5b6"
 score = 75
 quality = 86
 tags = "CVE-2023-23397, FILE"
@@ -114757,13 +114757,13 @@ rule R3C0NST_Aplib_Decompression : FILE
 meta:
 description = "Detects aPLib decompression code often used in malware"
 author = "@r3c0nst"
- id = "03d87988-1fa8-5eee-b48a-083162f37d59"
+ id = "f45c73f5-d316-5fea-a8c4-fd930733415f"
 date = "2021-03-24"
 modified = "2021-03-25"
 reference = "https://ibsensoftware.com/files/aPLib-1.1.1.zip"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/aPLib_decompression.yar#L1-L16"
 license_url = "N/A"
- logic_hash = "v1_sha256_1150701724fdb487ebe8fb959afd12fff37a8e9137cb94e78e976a2566ec5fa4"
+ logic_hash = "1150701724fdb487ebe8fb959afd12fff37a8e9137cb94e78e976a2566ec5fa4"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114781,13 +114781,13 @@ rule R3C0NST_UNC2891_Caketap
 meta:
 description = "Detects UNC2891 Rootkit Caketap"
 author = "Frank Boldewin (@r3c0nst)"
- id = "418ee3b1-1091-5567-90dc-1f85845f0869"
+ id = "9c2ffe3d-69ca-5f93-bdb1-40e449139dec"
 date = "2022-03-30"
 modified = "2023-01-05"
 reference = "https://github.com/fboldewin/YARA-rules/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Caketap.yar#L1-L16"
 license_url = "N/A"
- logic_hash = "v1_sha256_530a7d062a218217d2c05460428b2576c3fe2a6099c93940aabde73c513a8914"
+ logic_hash = "530a7d062a218217d2c05460428b2576c3fe2a6099c93940aabde73c513a8914"
 score = 75
 quality = 88
 tags = ""
@@ -114806,13 +114806,13 @@ rule R3C0NST_Gamaredon_Getimportbyhash : FILE
 meta:
 description = "Detects Gamaredon APIHashing"
 author = "Frank Boldewin (@r3c0nst)"
- id = "c10d6a44-e990-5559-a541-ce0d938592aa"
+ id = "8f28273e-e8ca-52cb-8dbc-a235598b1975"
 date = "2021-05-12"
 modified = "2021-05-12"
 reference = "https://github.com/fboldewin/YARA-rules/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/APT.Gamaredon.GetImportByHash.yar#L1-L16"
 license_url = "N/A"
- logic_hash = "v1_sha256_b3baebfb745ebc7b9e6df746bfa9622f925b8e8130932e44a148881e7d1fc162"
+ logic_hash = "b3baebfb745ebc7b9e6df746bfa9622f925b8e8130932e44a148881e7d1fc162"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114832,13 +114832,13 @@ rule R3C0NST_ATM_Malware_Ripper : ATMRIPPER MALWARE FILE
 meta:
 description = "Rule detects Thailand ATM Jackpot malware RIPPER (unpacked)"
 author = "Frank Boldewin"
- id = "6e57c86c-e89d-5bfe-80fd-60140c723704"
+ id = "38dfda5b-45cc-55d4-b619-91fa31c09a09"
 date = "2016-08-01"
 modified = "2019-02-27"
 reference = "https://github.com/fboldewin/YARA-rules/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.Ripper.yar#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_bb7b474330defe6d071b9595687d4510961055fa243a26306698c1e029a935f1"
+ logic_hash = "bb7b474330defe6d071b9595687d4510961055fa243a26306698c1e029a935f1"
 score = 75
 quality = 90
 tags = "ATMRIPPER, MALWARE, FILE"
@@ -114863,13 +114863,13 @@ rule R3C0NST_ATM_CINEO4060_Blackbox : FILE
 meta:
 description = "Detects Malware samples for Diebold Nixdorf CINEO 4060 ATMs used in blackboxing attacks across Europe since May 2021"
 author = "Frank Boldewin (@r3c0nst)"
- id = "9a22c671-a442-5ba2-85b5-24fe5669baa6"
+ id = "8fa26e1c-2931-59c8-9cec-20dc6684b8d6"
 date = "2021-05-25"
 modified = "2022-06-21"
 reference = "https://twitter.com/r3c0nst/status/1539036442516660224"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM_CINEO4060_Blackbox.yar#L3-L27"
 license_url = "N/A"
- logic_hash = "v1_sha256_80b919d03c1b9a198611994eaf2fafaf8254c73a6f0edb53b2b3eb90ea70d915"
+ logic_hash = "80b919d03c1b9a198611994eaf2fafaf8254c73a6f0edb53b2b3eb90ea70d915"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114895,13 +114895,13 @@ rule R3C0NST_UNC2891_Winghook : FILE
 meta:
 description = "Detects UNC2891 Winghook Keylogger"
 author = "Frank Boldewin (@r3c0nst)"
- id = "5c45f2d6-d04c-5ea2-b5c5-d0a4cdc38158"
+ id = "e5955fa0-8204-58e3-88a6-de4b47756ede"
 date = "2022-03-30"
 modified = "2023-01-05"
 reference = "https://github.com/fboldewin/YARA-rules/"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Winghook.yar#L1-L17"
 license_url = "N/A"
- logic_hash = "v1_sha256_b821d0809a91c54d06764f5a04c458ec7190b41823b2fe65d198342715f22050"
+ logic_hash = "b821d0809a91c54d06764f5a04c458ec7190b41823b2fe65d198342715f22050"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114921,14 +114921,14 @@ rule R3C0NST_ATM_Malware_Loup : FILE
 meta:
 description = "Detects ATM Malware Loup"
 author = "Frank Boldewin (@r3c0nst)"
- id = "61ff98bb-b8c4-5437-b9c7-54d920245413"
+ id = "4786362f-b2c5-5b69-8b06-9216561286e6"
 date = "2020-08-17"
 modified = "2020-08-17"
 reference = "https://twitter.com/r3c0nst/status/1295275546780327936"
 source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.Loup.yar#L1-L16"
 license_url = "N/A"
 hash = "6c9e9f78963ab3e7acb43826906af22571250dc025f9e7116e0201b805dc1196"
- logic_hash = "v1_sha256_39efced4ee3a6147acf5732e4be3a5e9859268b35b79f5e8e87d7c4d77a588c0"
+ logic_hash = "39efced4ee3a6147acf5732e4be3a5e9859268b35b79f5e8e87d7c4d77a588c0"
 score = 75
 quality = 90
 tags = "FILE"
@@ -114946,13 +114946,13 @@ rule R3C0NST_Shellcode_Apihashing_FIN8 meta: description = "Detects FIN8 Shellcode APIHashing" author = "Frank Boldewin (@r3c0nst)" - id = "ddd4bc7c-f71a-54f4-a4c5-fe8157519dd2" + id = "a5b4a925-c4cc-5d3a-a2f1-3372f77ceea2" date = "2021-03-16" modified = "2021-03-25" reference = "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Shellcode.APIHashing.FIN8.yar#L1-L74" license_url = "N/A" - logic_hash = "v1_sha256_958d6a3c0c78ad22fb56896d6a97b9fe79c56813dc36a37385f3ce5621008624" + logic_hash = "958d6a3c0c78ad22fb56896d6a97b9fe79c56813dc36a37385f3ce5621008624" score = 75 quality = 90 tags = "" @@ -114970,14 +114970,14 @@ rule R3C0NST_ATM_Malware_NVISOSPIT : FILE meta: description = "Detects ATM Malware NVISOSPIT" author = "Frank Boldewin (@r3c0nst)" - id = "c98eb677-32cd-5cc6-b401-9dcc7b3484f2" + id = "faf9e78e-9d7a-5c9b-a08e-90b895333d5c" date = "2019-05-31" modified = "2019-05-31" reference = "https://twitter.com/r3c0nst/status/1134403094157115392" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.NVISOSPIT.yar#L3-L18" license_url = "N/A" hash = "d7ce7b152f0da49e96fa32a9336b35253905d9940b001288d0df55d8f8b3951f" - logic_hash = "v1_sha256_11c1fea74b72a7821ce76a95846a2caff7354e71906496d9530cb44339a49a98" + logic_hash = "11c1fea74b72a7821ce76a95846a2caff7354e71906496d9530cb44339a49a98" score = 75 quality = 90 tags = "FILE" 
@@ -114995,13 +114995,13 @@ rule R3C0NST_Ransomware_Germanwiper : FILE meta: description = "Detects RansomWare GermanWiper in Memory or in unpacked state" author = "Frank Boldewin (@r3c0nst)" - id = "9027a17f-0e5c-5b14-8588-e1914fe95ecd" + id = "ea71849e-62a1-5b4d-9cf7-0728192361cc" date = "2019-08-05" modified = "2019-08-05" reference = "https://twitter.com/r3c0nst/status/1158326526766657538" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/Ransomware.Germanwiper.yar#L1-L25" license_url = "N/A" - logic_hash = "v1_sha256_563ad59abd09d9a5fcfcf5ed48dc1e3c48b4bb198c20721d5af531da20d2b0d3" + logic_hash = "563ad59abd09d9a5fcfcf5ed48dc1e3c48b4bb198c20721d5af531da20d2b0d3" score = 75 quality = 90 tags = "FILE" @@ -115029,13 +115029,13 @@ rule R3C0NST_UNC2891_Slapstick : FILE meta: description = "Detects UNC2891 Slapstick pam backdoor" author = "Frank Boldewin (@r3c0nst)" - id = "c7774a73-3eee-5bc9-bc9c-aead8151e7bb" + id = "a731acff-f657-5877-859e-7447230576df" date = "2022-03-30" modified = "2023-01-05" reference = "https://github.com/fboldewin/YARA-rules/" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/UNC2891_Slapstick.yar#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_7777c3b850f5b7ee326be5461ebc3bf37fb201b67ada78b50575fb31f50adf9a" + logic_hash = "7777c3b850f5b7ee326be5461ebc3bf37fb201b67ada78b50575fb31f50adf9a" score = 75 quality = 90 tags = "FILE" 
@@ -115057,13 +115057,13 @@ rule R3C0NST_ATM_Malware_XFS_DIRECT : FILE meta: description = "Detects ATM Malware XFS_DIRECT" author = "Frank Boldewin (@r3c0nst)" - id = "93684e56-642e-5826-897b-bcd32beec4a5" + id = "d1551c50-d3d2-56fd-a6b7-198d3a26ac72" date = "2019-10-18" modified = "2019-10-19" reference = "https://twitter.com/r3c0nst/status/1185237040583106560" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.XFS_DIRECT.yar#L1-L37" license_url = "N/A" - logic_hash = "v1_sha256_844a334d0eb8516c0ef3780e48e3dbc8e23d41c80bdff10f01407b775e72709e" + logic_hash = "844a334d0eb8516c0ef3780e48e3dbc8e23d41c80bdff10f01407b775e72709e" score = 75 quality = 90 tags = "FILE" @@ -115101,13 +115101,13 @@ rule R3C0NST_ATM_Malware_Ploutusi : FILE meta: description = "Detects Ploutus I .NET samples based on MetabaseQ report" author = "Frank Boldewin (@r3c0nst)" - id = "cdd6a63c-b961-5f01-84a1-27cfc6f59a4c" + id = "02104112-6f81-5d19-935d-45cfcd2fa41c" date = "2021-03-03" modified = "2021-03-04" reference = "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.Ploutus-I.yar#L3-L26" license_url = "N/A" - logic_hash = "v1_sha256_77100d300a40219187f5c4b8270f599a91652b69980fe450b791181b8c30b5a4" + logic_hash = "77100d300a40219187f5c4b8270f599a91652b69980fe450b791181b8c30b5a4" score = 75 quality = 90 tags = "FILE" 
@@ -115120,20 +115120,20 @@ rule R3C0NST_ATM_Malware_Ploutusi : FILE $Code = {28 ?? 02 00 06 2a} condition: - filesize < 300KB and $Code and pe.pdb_path contains "Diebold.pdb" and pe.imports ( "mscoree.dll" , "_CorExeMain" ) and ( for any i in ( 0 .. pe.number_of_resources - 1 ) : ( pe.resources [ i ] . type == pe.RESOURCE_TYPE_VERSION and ( pe.version_info [ "InternalName" ] contains "Diebold.exe" ) ) ) + filesize < 300KB and $Code and pe.pdb_path contains "Diebold.pdb" and pe.imports ( "mscoree.dll" , "_CorExeMain" ) and ( for any i in ( 0 .. pe.number_of_resources -1 ) : ( pe.resources [ i ] . type == pe.RESOURCE_TYPE_VERSION and ( pe.version_info [ "InternalName" ] contains "Diebold.exe" ) ) ) } rule R3C0NST_ATM_Malware_XFSADM : FILE { meta: description = "Detects ATM Malware XFSADM" author = "Frank Boldewin (@r3c0nst)" - id = "97fcc566-a0a9-5d3e-a142-90bd57280eae" + id = "57124fef-73a1-5978-b165-b1b7d7c1196e" date = "2019-06-21" modified = "2019-07-11" reference = "https://twitter.com/r3c0nst/status/1149043362244308992" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.XFSADM.yar#L1-L24" license_url = "N/A" - logic_hash = "v1_sha256_2dd0b9e0a2dd18725c9342a234520c96c6b30cf3ce7196562b2380a39f5f8673" + logic_hash = "2dd0b9e0a2dd18725c9342a234520c96c6b30cf3ce7196562b2380a39f5f8673" score = 75 quality = 84 tags = "FILE" 
@@ -115160,13 +115160,13 @@ rule R3C0NST_ATM_Malware_Dispcashbr : FILE meta: description = "Detects ATM Malware DispCashBR" author = "Frank Boldewin (@r3c0nst)" - id = "b1d93e57-a37a-54b3-b8c6-0ccddc451d0b" + id = "17d22120-0ca2-5b27-9816-21ab4a6fb20c" date = "2020-02-27" modified = "2020-08-17" reference = "https://twitter.com/r3c0nst/status/1232944566208286720" source_url = "https://github.com/fboldewin/YARA-rules//blob/54e9e6899b258b72074b2b4db6909257683240c2/ATM.Malware.DispCashBR.yar#L1-L21" license_url = "N/A" - logic_hash = "v1_sha256_3fb5d62cb779ddc13e9b938290dfa9d2a3353d7969e639a662c1bcaca945de4d" + logic_hash = "3fb5d62cb779ddc13e9b938290dfa9d2a3353d7969e639a662c1bcaca945de4d" score = 75 quality = 90 tags = "FILE" @@ -115189,10 +115189,10 @@ rule R3C0NST_ATM_Malware_Dispcashbr : FILE * YARA Rule Set * Repository Name: CAPE * Repository: https://github.com/kevoreilly/CAPEv2 - * Retrieval Date: 2024-12-22 - * Git Commit: 47b0665f51d7b3c3938422b92476721282543807 + * Retrieval Date: 2024-12-23 + * Git Commit: ea4449c1e23332c1a504899d99767fd095df9332 * Number of Rules: 165 - * Skipped: 0 (age), 13 (quality), 3 (score), 0 (importance) + * Skipped: 0 (age), 14 (quality), 3 (score), 0 (importance) * * * LICENSE 
@@ -115868,13 +115868,13 @@ rule CAPE_Themida : FILE meta: description = "Themida Packer" author = "kevoreilly" - id = "aa71ae58-2673-5c86-9c05-153c7d112f45" + id = "cd5c8b08-4864-57f7-b218-1bcb6892bea8" date = "2024-09-11" modified = "2024-09-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/binaries/Themida.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/binaries/Themida.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "c4f1e01a3fe3cb66062ce03253bfe9edc09dc6f1a77db99b281106e8ceff9257" score = 75 quality = 70 tags = "FILE" 
@@ -115891,13 +115891,13 @@ rule CAPE_Megacortex : FILE meta: description = "MegaCortex Payload" author = "kevoreilly" - id = "e7b56c55-dd08-53cf-9a20-3d15c524318f" + id = "ea3dd937-2cb1-5b0f-98b8-154aacaf8650" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/MegaCortex.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/MegaCortex.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "5de1d8241260070241c91b97f18feb2a90069e3b158e863e2d9f568799c244e6" score = 75 quality = 70 tags = "FILE" 
@@ -115916,13 +115916,13 @@ rule CAPE_Sedreco : FILE meta: description = "Sedreco encrypt function entry" author = "kevoreilly" - id = "1802d857-dfc9-59fe-b678-5eb28685a697" + id = "5b9ee4af-50a4-597c-8fa5-f2094c312d23" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Sedreco.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_f735549606917f59a19157e604e54766e4456bc5d46e94cae3e0a3c18b52a7ca" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Sedreco.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "f735549606917f59a19157e604e54766e4456bc5d46e94cae3e0a3c18b52a7ca" score = 75 quality = 70 tags = "FILE" 
@@ -115941,13 +115941,13 @@ rule CAPE_Kronos : FILE meta: description = "Kronos Payload" author = "kevoreilly" - id = "b6a3b572-bc95-5787-8e22-4f84ce0356d0" + id = "921a939b-a037-5973-bd8e-f9f55fce7f0f" date = "2020-07-02" modified = "2020-07-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Kronos.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Kronos.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "52ce9caf3627efe8ae86df6ca59e51e9f738e13ac0265f797e8d70123dbcaeb3" score = 75 quality = 70 tags = "FILE" @@ -115967,13 +115967,13 @@ rule CAPE_Varenyky : FILE meta: description = "Varenyky Payload" author = "kevoreilly" - id = "40d4c34c-3afe-5681-b894-b133ac4c944e" + id = "e01695fa-72a0-5d8e-86ab-8c909d28b8ec" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Varenyky.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Varenyky.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "602f1b8b60b29565eabe2171fde4eb58546af68f8acecad402a7a51ea9a08ed9" score = 75 quality = 70 tags = "FILE" 
@@ -115990,14 +115990,14 @@ rule CAPE_Amadey : FILE meta: description = "Amadey Payload" author = "kevoreilly" - id = "e01382a4-3380-57c9-b495-c1b644897e28" + id = "b9d81aa8-5504-5b71-86c7-8c00d75479ad" date = "2023-09-04" modified = "2023-09-04" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Amadey.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Amadey.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "988258716d5296c1323303e8fe4efd7f4642c87bfdbe970fe9a3bb3f410f70a4" - logic_hash = "v1_sha256_38f710b422a3644c9f0f3e80ad9ff28ef02050368c651a6cc2ce8b152b67bf48" + logic_hash = "38f710b422a3644c9f0f3e80ad9ff28ef02050368c651a6cc2ce8b152b67bf48" score = 75 quality = 70 tags = "FILE" 
@@ -116016,13 +116016,13 @@ rule CAPE_Rokrat : FILE meta: description = "RokRat Payload" author = "kevoreilly" - id = "59353f62-2563-55c8-bce1-e217c21eae04" + id = "12e05b90-9771-5901-ae82-9fd2ea6263e7" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/RokRat.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/RokRat.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "2aaa7de7ccd59e0da690f4bc0c7deaacf61314d61f8d2aa3ce6f6892f50612ec" score = 75 quality = 70 tags = "FILE" 
@@ -116040,13 +116040,13 @@ rule CAPE_Eternalromance : FILE meta: description = "EternalRomance Exploit" author = "kevoreilly" - id = "b8510e8b-fd5a-5934-8d97-39910f8a8b1e" + id = "34035076-9dda-5e32-bd0b-d0257a96329b" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/EternalRomance.yar#L1-L33" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/EternalRomance.yar#L1-L33" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "5390fae3e2411a715cdc965df8648c0c4c511d53d5f76031714f1b784b58eb0d" score = 75 quality = 68 tags = "FILE" 
@@ -116085,13 +116085,13 @@ rule CAPE_Vidar : FILE meta: description = "Vidar Payload" author = "kevoreilly,rony" - id = "0759ea8a-2be5-5402-9cc9-3477c1483924" + id = "9e4e797f-880e-54eb-ad44-caad0ec5683c" date = "2023-04-21" modified = "2023-04-21" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Vidar.yar#L1-L22" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Vidar.yar#L1-L22" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "5d4c030536ed41cf4e0dcb77b2fe4553d789ee2b8095a4b3e050692335a8709d" score = 75 quality = 70 tags = "FILE" 
@@ -116119,13 +116119,13 @@ rule CAPE_Zeuspanda : FILE meta: description = "ZeusPanda Payload" author = "kevoreilly" - id = "ad0f23bd-9622-567f-89e2-277a6d63b4e8" + id = "7891c021-6687-5457-b9e1-0beb0472647c" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/ZeusPanda.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/ZeusPanda.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "43d8a56cae9fd23c053f6956851734d3270b46a906236854502c136e3bb1e761" score = 75 quality = 70 tags = "FILE" 
@@ -116143,13 +116143,13 @@ rule CAPE_Nettraveler : FILE meta: description = "NetTraveler Payload" author = "kevoreilly" - id = "70c62d7c-38df-5162-8891-830363008a27" + id = "242e1c3f-5460-5393-9c07-cfab25860796" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/NetTraveler.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_bf5026f1a1cb3d6986a29d22657a9f1904b362391a6715d7468f8f8aca351233" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/NetTraveler.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "bf5026f1a1cb3d6986a29d22657a9f1904b362391a6715d7468f8f8aca351233" score = 75 quality = 70 tags = "FILE" 
@@ -116168,13 +116168,13 @@ rule CAPE_Buerloader : FILE meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly & Rony (@r0ny_123)" - id = "ae102f11-4258-59e8-ac06-084707d809b4" + id = "95a9b4d7-db1e-50cd-bc08-01e4e4fd6dc4" date = "2022-05-31" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/BuerLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/BuerLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "05c1f008f0a2bb8232867977fb23a5ae8312f10f0637c6265561052596319c29" score = 75 quality = 70 tags = "FILE" 
@@ -116193,13 +116193,13 @@ rule CAPE_Petya : FILE meta: description = "Petya Payload" author = "kevoreilly" - id = "5f036bc7-a580-5c27-bc5a-955db340102c" + id = "e581747c-c40f-5689-84b4-d55134b532f7" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Petya.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Petya.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "f819261bb34f3b2eb7dc2f843b56be25105570fe902a77940a632a54fbe0d014" score = 75 quality = 70 tags = "FILE" 
@@ -116218,14 +116218,14 @@ rule CAPE_Oyster meta: description = "Oyster Payload" author = "enzok" - id = "0b785600-5165-5e76-b991-f6e1885884eb" + id = "29443d00-e3de-53fd-b617-df470a30e805" date = "2024-05-30" modified = "2024-05-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Oyster.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Oyster.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "8bae0fa9f589cd434a689eebd7a1fde949cc09e6a65e1b56bb620998246a1650" - logic_hash = "v1_sha256_23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540" + logic_hash = "23ab1518712dbce8319b87785d7ffc0c2b61de82c2bbf533ebf0aae39ec33540" score = 75 quality = 70 tags = "" 
@@ -116249,13 +116249,13 @@ rule CAPE_Zerot : FILE meta: description = "ZeroT Payload" author = "kevoreilly" - id = "73d5355d-7133-5a8a-aeac-0a42194a2603" + id = "dc5dc18c-2ec6-541d-905c-42543f17b16d" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/ZeroT.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/ZeroT.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "f60ae25ac3cd741b8bdc5100b5d3c474b5d9fbe8be88bfd184994bae106c3803" score = 75 quality = 68 tags = "FILE" @@ -116276,13 +116276,13 @@ rule CAPE_Quasarrat : FILE meta: description = "QuasarRAT payload" author = "ditekshen" - id = "f2b5ea2f-bfed-5c69-8771-20e610eeb1b5" + id = "f256b88f-eee6-5f8c-afd6-32ed10ea908d" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/QuasarRAT.yar#L1-L22" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/QuasarRAT.yar#L1-L22" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "556b19dc0980761198ea31a285f281adae084463d24bff1eda15326436ad562b" score = 75 quality = 70 tags = "FILE" 
@@ -116311,13 +116311,13 @@ rule CAPE_Quasarrat_Kingrat meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "bc63e504-9508-50a1-80de-635ccd5ea275" + id = "dc0139e1-9f69-51da-b28f-212358b2f68b" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/QuasarRAT.yar#L24-L43" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/QuasarRAT.yar#L24-L43" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "1f4296a592134edbe52e256dc353143af02e897ff1afad98f3dac0c5ab13f3f7" score = 75 quality = 70 tags = "" 
@@ -116344,13 +116344,13 @@ rule CAPE_Ursnif : FILE meta: description = "Ursnif Payload" author = "kevoreilly & enzo" - id = "d6392693-7bcb-52eb-b7ce-5e714a2728d1" + id = "200c2227-0d34-5e4a-b5aa-ab63a077d141" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Ursnif.yar#L1-L19" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Ursnif.yar#L1-L19" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "46e79fde81ff5352314618021e394b2e0322df07170c7279363290b7134935fd" score = 75 quality = 70 tags = "FILE" 
@@ -116374,13 +116374,13 @@ rule CAPE_Tscookie : FILE meta: description = "TSCookie Payload" author = "kevoreilly" - id = "7ecf4235-c03b-5abf-83cd-72e1cf6694f7" + id = "e1efd356-7170-5454-bf40-68927c71816c" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/TSCookie.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/TSCookie.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "0461c7fd14c74646437654f0a63a4a89d4efad620e197a8ca1e8d390618842c3" score = 75 quality = 70 tags = "FILE" 
@@ -116399,13 +116399,13 @@ rule CAPE_Dridexv4 : FILE meta: description = "Dridex v4 Payload" author = "kevoreilly" - id = "0ec7095b-fad7-51f7-9d99-ad1b47bfcf24" + id = "c396f664-9f0d-50ac-bce8-33fd8712645a" date = "2022-05-31" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/DridexV4.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/DridexV4.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "cb103fe5f2d4792e3c612db4e2d84a4c8b0ce0f9a8443e9147e2c345f1dbdff6" score = 75 quality = 70 tags = "FILE" 
@@ -116426,13 +116426,13 @@ rule CAPE_Seduploader : FILE meta: description = "Seduploader decrypt function" author = "kevoreilly" - id = "16204882-e060-5271-b15e-cb02694f22f6" + id = "a7152d8c-a197-5784-8a6d-453d41585df1" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Seduploader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Seduploader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "d70c886699169d4dafc5b063c93682a34af5667df6d293b52256ddc19ab9c516" score = 75 quality = 70 tags = "FILE" 
@@ -116449,13 +116449,13 @@ rule CAPE_Wanacry : FILE meta: description = "WanaCry Payload" author = "kevoreilly" - id = "5018de3a-dde6-5a49-867b-2ae3629da70e" + id = "a6525e0f-fccd-5542-9be8-e42d708fe502" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/WanaCry.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/WanaCry.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "16d5e39f043d27bbf22f8f21e13971b7e0709b07e44746dd157d11ee4cc51944" score = 75 quality = 70 tags = "FILE" 
@@ -116476,13 +116476,13 @@ rule CAPE_Bazar : FILE meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly" - id = "c07c7874-de46-5875-9fa2-b1ca70c563d7" + id = "e042f180-2a82-5c93-9858-77281557dd10" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Bazar.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Bazar.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "9375f59b56e47fd0b90b089afdf3be8f16f960038fc625523a2e2d5509ab099d" score = 75 quality = 70 tags = "FILE" 
@@ -116500,13 +116500,13 @@ rule CAPE_Remcos : FILE meta: description = "Remcos Payload" author = "kevoreilly" - id = "10ad5554-bfc6-5fad-9be3-0da507b8e5df" + id = "f77295ca-02d5-5b2c-80b8-b6566610bff8" date = "2022-05-10" modified = "2022-05-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Remcos.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Remcos.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "38142e784ad437d9592353b924f74777bb62e5ed176c811230a2021a437d4710" score = 75 quality = 68 tags = "FILE" @@ -116526,13 +116526,13 @@ rule CAPE_Cerber : FILE meta: description = "Cerber Payload" author = "kevoreilly" - id = "ba155915-545e-5806-ba25-54b5ed42019b" + id = "edf08795-cf54-5822-8bc4-35cfba0fe8e8" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Cerber.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Cerber.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "16a8f808c28d3b142c079a305aba7f553f2452e439710bf610a06f8f2924d5a3" score = 75 quality = 70 tags = "FILE" 
@@ -116551,13 +116551,13 @@ rule CAPE_Nighthawk meta: description = "NightHawk C2" author = "Nikhil Ashok Hegde <@ka1do9>" - id = "e0a97066-f2cc-5888-984a-c54a6a016754" + id = "096b9d13-6aa7-5b6e-aaeb-e25aa7c8c53f" date = "2022-12-05" modified = "2022-12-05" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Nighthawk.yar#L3-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Nighthawk.yar#L3-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "2d77912678e06503ffef0e8ed84aa4f9ac74357480d57742fbae619acebfb5f2" score = 75 quality = 70 tags = "" 
@@ -116576,14 +116576,14 @@ rule CAPE_Qakbot5 : FILE meta: description = "QakBot v5 Payload" author = "kevoreilly, enzok" - id = "af510223-ed0d-5d2c-abe1-7cec43de61ad" + id = "48866cdd-f60e-50b8-85f9-573710934b0b" date = "2024-04-28" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/QakBot.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/QakBot.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "59559e97962e40a15adb2237c4d01cfead03623aff1725616caeaa5a8d273a35" - logic_hash = "v1_sha256_cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf" + logic_hash = "cc23a92f45619d44af824128b743c259dd9dfa7cb5106932f3425f3dfd1dccdf" score = 75 quality = 70 tags = "FILE" 
@@ -116603,13 +116603,13 @@ rule CAPE_Qakbot4 : FILE meta: description = "QakBot v4 Payload" author = "kevoreilly" - id = "478dd460-a6c7-5491-92a0-d3997d6bed67" + id = "d2c5316c-22cc-5b6d-b6a2-b1d23a06d16b" date = "2024-04-28" modified = "2024-04-28" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/QakBot.yar#L17-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/QakBot.yar#L17-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "b2870e33abffbb3ff49b7891b0f5c538ab48ee63da5553929d4e37dec921344f" score = 75 quality = 70 tags = "FILE" 
@@ -116634,13 +116634,13 @@ rule CAPE_Rozena meta: description = "No description has been set in the source file - CAPE" author = "Kevin O'Reilly" - id = "6d92bdd0-f8de-578d-a554-1946611911aa" + id = "38ca9da3-2a0e-500f-8eb8-9de69a7f2da5" date = "2024-03-15" modified = "2024-03-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Rozena.yar#L1-L10" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Rozena.yar#L1-L10" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "c415a8108b58a125a604031bb8d73b58a8aae5429b5b765e35fa8a4add9cd135" score = 75 quality = 70 tags = "" 
@@ -116658,14 +116658,14 @@ rule CAPE_Zloader : FILE meta: description = "Zloader Payload" author = "kevoreilly, enzok" - id = "d467fbee-08e8-584f-818a-fd1a48ce1ebb" + id = "ce0662b4-c615-5b87-b5c1-173f90a97db2" date = "2024-05-06" modified = "2024-05-06" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Zloader.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Zloader.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "adbd0c7096a7373be82dd03df1aae61cb39e0a155c00bbb9c67abc01d48718aa" - logic_hash = "v1_sha256_a94efd87c69146cf5771341974e5abe789445d67dde3e045e1b87d3131539ff9" + logic_hash = "a94efd87c69146cf5771341974e5abe789445d67dde3e045e1b87d3131539ff9" score = 75 quality = 70 tags = "FILE" 
@@ -116688,13 +116688,13 @@ rule CAPE_Doomedloader : FILE meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly" - id = "4743e58b-45ae-5e7e-95c9-c139c243489c" + id = "88436e71-360e-5719-989f-24e71591ebe0" date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/DoomedLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/DoomedLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "54a5962ef49ebf987908c4ea1559788f7c96a7e4ea61d2973636e998a0239c77" score = 75 quality = 70 tags = "FILE" 
@@ -116713,13 +116713,13 @@ rule CAPE_Icedid meta: description = "IcedID Payload" author = "kevoreilly, threathive" - id = "ae23b8e3-d994-5dbb-959f-18bed53b54ea" + id = "439342be-a1e6-5656-8813-5cebb0e88e98" date = "2021-12-16" modified = "2021-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/IcedID.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/IcedID.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "e60ccbab7a360020744eba65961156ca3e2ae9cf23671014f913d71c1a96a331" score = 75 quality = 45 tags = "" @@ -116743,13 +116743,13 @@ rule CAPE_Gandcrab : FILE meta: description = "Gandcrab Payload" author = "kevoreilly" - id = "62b88cc6-d1da-543d-9c2d-02bbf86a77e2" + id = "0082e8c9-952e-508c-a438-4e17b8031864" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Gandcrab.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Gandcrab.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "354ed566dbafbe8e9531bb771d9846952eb8c0e70ee94c26d09368159ce4142c" score = 75 quality = 70 tags = "FILE" 
@@ -116769,13 +116769,13 @@ rule CAPE_Rcsession meta: description = "RCSession Payload" author = "kevoreilly" - id = "d481c5be-dc3e-5d87-bca7-db9d03590e01" + id = "841e6bd1-4f09-54dc-8dec-2e9423a34003" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/RCSession.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/RCSession.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "ebd1e9e615a91c35b36332cad55519607323469df738cec4464288b45787630d" score = 75 quality = 70 tags = "" @@ -116793,13 +116793,13 @@ rule CAPE_Ursnifv3 : FILE meta: description = "UrsnifV3 Payload" author = "kevoreilly" - id = "ee5df264-9375-5542-ada3-05895335c509" + id = "9dd32f80-b535-52a3-91e1-4db005362fd4" date = "2023-03-23" modified = "2023-03-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/UrsnifV3.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/UrsnifV3.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "501cd52388aba16f9d33b4555f310e1ad58326916b15358a485c701acb87abd8" score = 75 quality = 70 tags = "FILE" 
@@ -116823,13 +116823,13 @@ rule CAPE_Formbook meta: description = "Formbook Payload" author = "kevoreilly" - id = "9c31ac6d-3569-5c7a-b3d9-7c3b6f4895b8" + id = "3389c0a7-eb86-5465-8a14-63f812d257db" date = "2023-10-13" modified = "2023-10-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Formbook.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Formbook.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "63ee4dd6fe5ed2a3e5ee88ba7de48d2c9e0024961a550d0fdb68891c9885e05e" score = 75 quality = 70 tags = "" @@ -116853,13 +116853,13 @@ rule CAPE_Hermes : FILE meta: description = "Hermes Payload" author = "kevoreilly" - id = "7f5f3476-4211-55a3-acac-d87edd001ba7" + id = "0ff44422-9c14-517b-9e71-8e9e19694f06" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Hermes.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Hermes.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "9bc974173f39a57e7adfbf8ae106a20d960557696b4c3ce16e9b4e47d3e9e95b" score = 75 quality = 70 tags = "FILE" 
@@ -116878,13 +116878,13 @@ rule CAPE_Dcrat : FILE meta: description = "DCRat payload" author = "ditekSHen" - id = "e4ee0c29-3c5d-53b1-b841-e34326584a31" + id = "16c81fe0-2c18-55e9-aa17-cfd4213d6a17" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/DCRat.yar#L1-L66" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/DCRat.yar#L1-L66" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "5a02dcc2b9c7eb3efdba39047e37886240b45fb7e2db3b82aa5b4b9526dfb7f8" score = 75 quality = 45 tags = "FILE" 
@@ -116952,13 +116952,13 @@ rule CAPE_Dcrat_Kingrat meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "850f416e-cac3-5137-a791-1e5bf6f07d1c" + id = "9b63e361-6678-5c95-be32-777feecd194b" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/DCRat.yar#L68-L87" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/DCRat.yar#L68-L87" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "73ac27c3f0fc71d053e89690b5a7d29c1f8b0ea0a22e8595148a9001799fae54" score = 75 quality = 62 tags = "" 
@@ -116985,13 +116985,13 @@ rule CAPE_Kpot : FILE meta: description = "Kpot Stealer" author = "kevoreilly" - id = "80abac11-020b-5bc3-8fc6-53e7a61b61c8" + id = "724fd6ac-e734-5952-b459-01cbaffdb89d" date = "2020-10-19" modified = "2020-10-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Kpot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Kpot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "75abaab9a10e8ac8808425c389238285ab9bd9cb76f0cd03cc1e35b3ea0a1b0f" score = 75 quality = 70 tags = "FILE" @@ -117010,13 +117010,13 @@ rule CAPE_Emotetloader : FILE meta: description = "Emotet Loader" author = "kevoreilly" - id = "b77afddc-0296-55e3-96fa-779f34fcda1b" + id = "aea8ff2e-bdf7-5417-a41c-93566d1dd019" date = "2022-05-31" modified = "2022-05-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/EmotetLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/EmotetLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "410872d25ed3a89a2cba108f952d606cd1c3bf9ccc89ae6ab3377b83665c2773" score = 75 quality = 70 tags = "FILE" 
@@ -117033,13 +117033,13 @@ rule CAPE_Gootkit : FILE meta: description = "Gootkit Payload" author = "kevoreilly" - id = "cb6409f4-307a-5b27-a3ef-b29a91055413" + id = "8935fd10-ac79-5196-80c2-fc8f2fe185b5" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Gootkit.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Gootkit.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "26704b6b0adca51933fc9d5e097930320768fd0e9355dcefc725aee7775316e7" score = 75 quality = 70 tags = "FILE" @@ -117056,13 +117056,13 @@ rule CAPE_Kovter : FILE meta: description = "Kovter Payload" author = "kevoreilly" - id = "893f6090-ffa8-5b76-b64e-d49bb5fbca2e" + id = "3dec3c4b-4678-5ed1-a4c3-c3d9abb58b1c" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Kovter.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Kovter.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "888fccb8fbfbe6c05ec63bc5658b4743f8e10a96ef51b3868c2ff94afec76f2d" score = 75 quality = 70 tags = "FILE" 
@@ -117082,13 +117082,13 @@ rule CAPE_Pikabotloader : FILE meta: description = "Pikabot Loader" author = "kevoreilly" - id = "6662e023-4085-5852-ad18-703d1fbb99d4" + id = "e2c89cdd-0cdb-5367-8aae-2fe685eff972" date = "2024-03-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/PikaBot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/PikaBot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "7e5f1f2911545ee6bd36b54f2627fbdec1b957f4b91df901dd1c6cbd4dff0231" score = 75 quality = 70 tags = "FILE" 
@@ -117107,13 +117107,13 @@ rule CAPE_Pikabot : FILE meta: description = "Pikabot Payload" author = "kevoreilly" - id = "ae7ad8f5-e27b-5da1-9464-e1c7eb6c192d" + id = "140a3e20-9837-5f66-85dc-af278d75e074" date = "2024-03-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/PikaBot.yar#L15-L28" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/PikaBot.yar#L15-L28" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "ed07217c373831a9a67d914854154988696e6fcea70dedabf333385f0e7bb8b7" score = 75 quality = 70 tags = "FILE" 
@@ -117133,14 +117133,14 @@ rule CAPE_Pik23 : FILE meta: description = "PikaBot Payload February 2023" author = "kevoreilly" - id = "09a74105-77ef-5054-9b24-fa47a45715c3" + id = "fc804c63-fc6c-5b26-92b1-aa5d2fbc4917" date = "2024-03-13" modified = "2024-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/PikaBot.yar#L30-L44" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/PikaBot.yar#L30-L44" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "59f42ecde152f78731e54ea27e761bba748c9309a6ad1c2fd17f0e8b90f8aed1" - logic_hash = "v1_sha256_71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc" + logic_hash = "71a71df2f2a075294941c54eed06cafaaa4d3294e45b3a0098c1cffddd0438bc" score = 75 quality = 70 tags = "FILE" 
@@ -117160,13 +117160,13 @@ rule CAPE_Hancitor : FILE meta: description = "Hancitor Payload" author = "threathive" - id = "68013b43-8cb2-5d51-bcb1-a5f3c9ce7d96" + id = "b4e9a26a-db00-5553-acc2-f35148b0ffd5" date = "2020-10-20" modified = "2020-10-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Hancitor.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Hancitor.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "84003542a2f587b5fbd43731c4240759806f8ee46df2bd96aae4a3c09d97e41c" score = 75 quality = 70 tags = "FILE" 
@@ -117186,13 +117186,13 @@ rule CAPE_Bruteratel meta: description = "BruteRatel Payload" author = "kevoreilly" - id = "cdae6558-3430-59cb-b1c5-79c66cfd72b1" + id = "61b951e4-0c27-59c0-8ea2-715b673fdcee" date = "2024-07-11" modified = "2024-07-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/BruteRatel.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/BruteRatel.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "0984977c716d6f8e068c045166eb5db77c9fbce27513e555dceca348375f1a66" score = 75 quality = 70 tags = "" @@ -117212,13 +117212,13 @@ rule CAPE_Lokibot : FILE meta: description = "LokiBot Payload" author = "kevoreilly" - id = "8c7da7b6-0f26-55ee-9fee-1dd355de3027" + id = "8cdf69e2-ecac-5241-adba-c458cce0610f" date = "2022-02-01" modified = "2022-02-01" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/LokiBot.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/LokiBot.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "a5b3d518371138740e913d2d6ce4fa22d3da5cea7e034c7d6b4b502e6bf44b06" score = 75 quality = 70 tags = "FILE" 
@@ -117236,13 +117236,13 @@ rule CAPE_Tclient : FILE meta: description = "TClient Payload" author = "kevoreilly" - id = "1be68238-75ea-5b4e-9cee-12f10bc81aac" + id = "38c9ea20-9d91-5fb0-8b3b-170538ad7ea8" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/TClient.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/TClient.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6edcd01e4722b367723ed77d9596877d16ee35dc4c160885d125f83e45cee24d" score = 75 quality = 70 tags = "FILE" 
@@ -117259,13 +117259,13 @@ rule CAPE_Rhadamanthys meta: description = "Rhadamanthys Loader" author = "kevoreilly" - id = "ca3578d3-954a-5787-b236-235127563cee" + id = "4683ef43-7397-5546-ae54-b4c000518182" date = "2023-09-18" modified = "2023-09-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Rhadamanthys.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_f71bee3ef1dd7b16a55397645d16c0a20d1fdd3bf662f241c0b11796629b11ff" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Rhadamanthys.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "f71bee3ef1dd7b16a55397645d16c0a20d1fdd3bf662f241c0b11796629b11ff" score = 75 quality = 70 tags = "" @@ -117285,13 +117285,13 @@ rule CAPE_Mole : FILE meta: description = "Mole Payload" author = "kevoreilly" - id = "5bc8532c-5c03-5e72-b878-881201404c84" + id = "1185170f-4a5b-5347-807b-ef2af98a1a09" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Mole.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Mole.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "8be4d190d554a610360c0e04b33da59eb00319395e5b2000d580546ce6503786" score = 75 quality = 70 tags = "FILE" 
@@ -117310,13 +117310,13 @@ rule CAPE_Magniber : FILE meta: description = "Magniber Payload" author = "kevoreilly" - id = "9d32f3ea-ad4a-53b2-bf93-eb5df496fcb5" + id = "a704914f-2aa2-537d-975d-f8c23427951f" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Magniber.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Magniber.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "1875754bdf98c1886f31f6c6e29992a98180f74d8fa168ae391e2c660d760618" score = 75 quality = 70 tags = "FILE" 
@@ -117333,13 +117333,13 @@ rule CAPE_Nanolocker : FILE meta: description = "NanoLocker Payload" author = "kevoreilly" - id = "157b15e7-e089-5af8-b744-b5cbdb0f334a" + id = "6fff6a27-a153-5461-9a75-2253c2f7d408" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/NanoLocker.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/NanoLocker.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "fe6c8a4e259c3c526f8f50771251f6762b2b92a4df2e8bfc705f282489f757db" score = 75 quality = 70 tags = "FILE" 
@@ -117358,13 +117358,13 @@ rule CAPE_Squirrelwaffle : FILE meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly & R3MRUM" - id = "8a07fb62-834e-564d-8cdd-f9380892cdf1" + id = "0ae75f24-7a2a-57d3-8c6f-a61ac6cc08e7" date = "2021-10-13" modified = "2021-10-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/SquirrelWaffle.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/SquirrelWaffle.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "5f799333398421d537ec7a87ca94f6cc9cf1e53e55b353036a5132440990e500" score = 75 quality = 70 tags = "FILE" 
@@ -117382,13 +117382,13 @@ rule CAPE_Doppelpaymer : FILE meta: description = "DoppelPaymer Payload" author = "kevoreilly" - id = "a4c8adac-6fb6-56b2-8e3b-da39279ef72d" + id = "c8178906-1722-5908-9ad4-7ee1eef39138" date = "2022-06-27" modified = "2022-06-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/DoppelPaymer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/DoppelPaymer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "73a2575671bafc31a70af3ce072d6f94ae172b12202baebba586a02524cb6f9d" score = 75 quality = 70 tags = "FILE" 
@@ -117406,13 +117406,13 @@ rule CAPE_Ramnit : FILE meta: description = "Ramnit Payload" author = "kevoreilly" - id = "39de0011-dad7-5def-9c34-12e995d1ca8a" + id = "6df92055-05f6-5985-9268-b9c85e143567" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Ramnit.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Ramnit.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6f661f47bdf8377b0fb96f190fcb964c0ed2b43ce7ae7880f9dfce9e43837efd" score = 75 quality = 70 tags = "FILE" 
@@ -117431,13 +117431,13 @@ rule CAPE_Agent_Tesla meta: description = "Detecting HTML strings used by Agent Tesla malware" author = "Stormshield" - id = "040bc4fc-d1ed-5ca5-96d6-8901d1f57bbe" + id = "5383994b-357d-539b-89b1-53be238f759d" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AgentTesla.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AgentTesla.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "3945754129dcc58e0abfd7485f5ff0c0afdd1078ae2cf164ca8f59a6f79db1be" score = 75 quality = 70 tags = "" 
@@ -117458,13 +117458,13 @@ rule CAPE_Agenttesla : FILE meta: description = "AgentTesla Payload" author = "kevoreilly" - id = "0e5dc336-75d3-5634-8b40-c8909d0b6c36" + id = "f7b930f1-cecb-5d80-809b-9503f282247a" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AgentTesla.yar#L19-L41" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AgentTesla.yar#L19-L41" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "1bf9b26c4cf87e674ddffabe40aba5a45499c6a04d4ff3e43c3cda4cbcb4d188" score = 75 quality = 70 tags = "FILE" 
@@ -117491,13 +117491,13 @@ rule CAPE_Agentteslav2 : FILE meta: description = "AgenetTesla Type 2 Keylogger payload" author = "ditekshen" - id = "3db36094-1ab9-5f9a-b395-7b2ab1ea7bad" + id = "e60ecee4-0a97-56a1-b21e-47190f8cd1f8" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AgentTesla.yar#L43-L67" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AgentTesla.yar#L43-L67" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "b45296b3b94fa1ff32de48c94329a17402461fb6696e9390565c4dba9738ed78" score = 75 quality = 70 tags = "FILE" 
@@ -117528,13 +117528,13 @@ rule CAPE_Agentteslav3 : FILE meta: description = "AgentTeslaV3 infostealer payload" author = "ditekshen" - id = "aa88b79d-cca2-5b7f-8f01-85e227aebcb7" + id = "cfe00382-8663-54a4-a7c4-b932ec7ad5e3" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AgentTesla.yar#L69-L111" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_26c4fa0ce8de6982eb599f3872e8ab2a6e83da4741db7f3500c94e0a8fe5d459" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AgentTesla.yar#L69-L111" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "26c4fa0ce8de6982eb599f3872e8ab2a6e83da4741db7f3500c94e0a8fe5d459" score = 75 quality = 68 tags = "FILE" 
@@ -117582,13 +117582,13 @@ rule CAPE_Agentteslaxor : FILE meta: description = "AgentTesla xor-based config decoding" author = "kevoreilly" - id = "29ae5b7c-dd17-5350-9e45-121272990dd7" + id = "81eeb62f-578f-5c75-bc96-091d5727a20a" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AgentTesla.yar#L113-L123" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AgentTesla.yar#L113-L123" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "54581e83e5fa13fae4bda74016b3fa1d18c92e2659f493ebe54d70fd5f77bba5" score = 75 quality = 20 tags = "FILE" 
@@ -117605,13 +117605,13 @@ rule CAPE_Agentteslav4 : FILE meta: description = "AgentTesla Payload" author = "kevoreilly" - id = "dfe23345-beda-5619-83fc-1362c1a97366" + id = "a39109ca-84cb-527d-b9c2-d8763fa6e496" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AgentTesla.yar#L125-L138" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AgentTesla.yar#L125-L138" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "0a39036f408728ab312a54ff3354453d171424f57f9a8f3b42af867be3037ca9" score = 75 quality = 70 tags = "FILE" 
@@ -117631,13 +117631,13 @@ rule CAPE_Agentteslav4Jit meta: description = "AgentTesla JIT-compiled native code" author = "kevoreilly" - id = "3c8fa735-8773-5478-bc84-9fdb3cc2834b" + id = "a87dca44-4974-543c-9565-487ed99be2a6" date = "2024-03-22" modified = "2024-03-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AgentTesla.yar#L140-L153" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AgentTesla.yar#L140-L153" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "8f7144d2a989ce8d291af926b292f5f0f7772e707b0e49797eba13ecf91b90bc" score = 75 quality = 70 tags = "" 
@@ -117657,13 +117657,13 @@ rule CAPE_Asyncrat : FILE meta: description = "AsyncRAT Payload" author = "kevoreilly, JPCERT/CC Incident Response Group" - id = "75b7df5f-3ce9-5703-9817-2cf4c70b1ccb" + id = "478557fa-2418-5b13-99d9-2395ce83b9a2" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AsyncRAT.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_8f960131bb86e1c09127324bd5877364ab25e0cb37f5f9755230c7fed9094de3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AsyncRAT.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "8f960131bb86e1c09127324bd5877364ab25e0cb37f5f9755230c7fed9094de3" score = 75 quality = 66 tags = "FILE" 
@@ -117686,13 +117686,13 @@ rule CAPE_Asyncrat_Kingrat meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "4339465b-7a74-56b5-85c7-762ae69b9a49" + id = "8fbab9a0-5736-543e-ba7b-c7598190c9e0" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AsyncRAT.yar#L19-L40" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_2699ef93ae10b205b79025098afc1d1cfe7dbdf192f4d98a6e34a8f3de154810" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AsyncRAT.yar#L19-L40" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "2699ef93ae10b205b79025098afc1d1cfe7dbdf192f4d98a6e34a8f3de154810" score = 75 quality = 62 tags = "" 
@@ -117720,13 +117720,13 @@ rule CAPE_Locky : FILE meta: description = "Locky Payload" author = "kevoreilly" - id = "28f16221-97dd-588b-8325-91f25fb840c2" + id = "664d0365-af49-5222-a4ed-9260332f6940" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Locky.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Locky.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "9786c54a2644d9581fefe64be11b26e22806398e54e961fa4f19d26eae039cd7" score = 75 quality = 70 tags = "FILE" 
@@ -117745,13 +117745,13 @@ rule CAPE_Cryptoshield : FILE meta: description = "Cryptoshield Payload" author = "kevoreilly" - id = "54efd2dd-484b-507d-8361-d53217ba85bb" + id = "a7b60a0d-7d46-59c9-8273-ee23bae3fbbc" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Cryptoshield.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Cryptoshield.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "46064b4c69cb1af01330c5d194ef50728e0f0479e9fbf72828822935f8e37ac6" score = 75 quality = 70 tags = "FILE" 
@@ -117770,13 +117770,13 @@ rule CAPE_Darkgate meta: description = "DarkGate Payload" author = "enzok" - id = "278bd88a-9c5f-52f1-b7cd-bc71b85e71ce" + id = "ce81f452-4096-51d6-97cc-624f9fbefa86" date = "2024-02-26" modified = "2024-02-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/DarkGate.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/DarkGate.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "25c0e77a83676c6a18445f8df0b1f7a9148de5f64eeb532f9a4f4d4652dd8191" score = 75 quality = 70 tags = "" 
@@ -117798,14 +117798,14 @@ rule CAPE_Carbanak : FILE meta: description = "Carnbanak Payload" author = "enzok" - id = "71c410c8-93ba-58f2-9f03-b5c71558cce1" + id = "e6d395d5-65ba-5efb-bcbc-c6d56a96f0c1" date = "2024-03-18" modified = "2024-03-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Carbanak.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Carbanak.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "c9c1b06cb9c9bd6fc4451f5e2847a1f9524bb2870d7bb6f0ee09b9dd4e3e4c84" - logic_hash = "v1_sha256_8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367" + logic_hash = "8ed5ab07f1635dc7cdf296e86a71a0a99d0b2faef8fc460f43d426b24b8c8367" score = 75 quality = 70 tags = "FILE" 
@@ -117824,15 +117824,15 @@ rule CAPE_Blister : FILE meta: description = "Blister Loader" author = "kevoreilly" - id = "04ed1762-7201-58cd-a3c0-8dc1311a34fc" + id = "525fc600-2afc-5cf6-bf55-4ce0ea264dca" date = "2023-09-20" modified = "2023-09-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Blister.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Blister.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "afb77617a4ca637614c429440c78da438e190dd1ca24dc78483aa731d80832c2" hash = "d3eab2a134e7bd3f2e8767a6285b38d19cd3df421e8af336a7852b74f194802c" - logic_hash = "v1_sha256_f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d" + logic_hash = "f26d85fdf0eb07e67fe38c43c5f6d024bfb7b2a333cb3411f5cdcff6bf5db12d" score = 75 quality = 70 tags = "FILE" 
@@ -117853,13 +117853,13 @@ rule CAPE_Jaff : FILE meta: description = "Jaff Payload" author = "kevoreilly" - id = "7dfa9276-9a50-5b91-a56c-a555cf939eec" + id = "6681c1fe-6c88-5a49-bdfa-54ce08ea6707" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Jaff.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Jaff.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6806a5eeee04b7436ff694addc334bfc0f1ee611116904d57be9506acfd47418" score = 75 quality = 70 tags = "FILE" @@ -117879,13 +117879,13 @@ rule CAPE_Ryuk : FILE meta: description = "Ryuk Payload" author = "kevoreilly" - id = "71d3850b-66a1-5b33-b56d-f33f2c8dfa93" + id = "594bbb8d-1f85-5a01-a864-ac2d95c45bf9" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Ryuk.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Ryuk.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "b4463993d8956e402b927a3dcfa2ca9693a959908187f720372f2d3a40e6db0c" score = 75 quality = 70 tags = "FILE" 
@@ -117905,13 +117905,13 @@ rule CAPE_Smokeloader meta: description = "SmokeLoader Payload" author = "kevoreilly" - id = "ff903365-b0a7-5d3a-86d1-707776939938" + id = "d3ca7c8a-01dc-5174-9928-ee278b6cb107" date = "2024-11-12" modified = "2024-11-12" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/SmokeLoader.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_779e2ac213e5ced7bc06e6208826b65cf8fc3113a69ede6408b84055542fa76d" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/SmokeLoader.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "779e2ac213e5ced7bc06e6208826b65cf8fc3113a69ede6408b84055542fa76d" score = 75 quality = 70 tags = "" @@ -117931,13 +117931,13 @@ rule CAPE_Xworm : FILE meta: description = "Detects XWorm" author = "ditekSHen" - id = "cf15944b-2740-5680-ae0f-3dae4ddcc032" + id = "bf9115a7-850a-5326-860c-a9a71bc7e50c" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/XWorm.yar#L1-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/XWorm.yar#L1-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "5a86c2f0a188135e53d86c176806a208abbe3dd830bde364016859ffa5294bd7" score = 75 quality = 68 tags = "FILE" 
@@ -117971,13 +117971,13 @@ rule CAPE_Xworm_Kingrat meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "2051f6e5-3450-5aa8-81a7-98f827391d2e" + id = "76332a42-97c9-52fe-83dc-04ceb367f692" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/XWorm.yar#L29-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/XWorm.yar#L29-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "3914be652bb7271e5e6b89d05edf10a54f8ddaf9e22d194b60501aa2cdd495d3" score = 75 quality = 66 tags = "" 
@@ -118003,14 +118003,14 @@ rule CAPE_Stealc : FILE meta: description = "Stealc Payload" author = "kevoreilly" - id = "cee4d906-ca28-59ae-ba83-5c6739eb66e5" + id = "77567584-7c84-5351-938b-d29d612a042d" date = "2024-09-10" modified = "2024-09-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Stealc.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Stealc.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d" - logic_hash = "v1_sha256_a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4" + logic_hash = "a6165168b7c74761b91d1691465688c748227b830813067edb4e9bdc934271c4" score = 75 quality = 70 tags = "FILE" 
@@ -118028,14 +118028,14 @@ rule CAPE_Blackdropper meta: description = "BlackDropper" author = "enzok" - id = "4b238de0-1a2e-5a40-98b2-1f79311ca5f8" + id = "5cb92b67-d12c-5946-84b1-a9fce4a6d242" date = "2024-10-22" modified = "2024-10-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/BlackDropper.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/BlackDropper.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "f8026ae3237bdd885e5fcaceb86bcab4087d8857e50ba472ca79ce44c12bc257" - logic_hash = "v1_sha256_c7f7bc740d413b479ebe45611ddfc04f7e4f2978516b2882069b2569c7acdf28" + logic_hash = "c7f7bc740d413b479ebe45611ddfc04f7e4f2978516b2882069b2569c7acdf28" score = 75 quality = 70 tags = "" 
@@ -118057,13 +118057,13 @@ rule CAPE_Cobaltstrikestager meta: description = "Cobalt Strike Stager Payload" author = "@dan__mayer " - id = "fc11fa30-8b4f-5e52-9cd9-f8a4200ba6e1" + id = "eedf71b1-9f27-5a6f-afe8-3ddae47f9a06" date = "2023-01-18" modified = "2023-01-18" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/CobaltStrikeStager.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6a55b0c3ab5f557dfb7a3f8bd616ede1bd9b93198590fc9d52aa19c1154388c5" score = 75 quality = 70 tags = "" 
@@ -118083,13 +118083,13 @@ rule CAPE_Atlas : FILE meta: description = "Atlas Payload" author = "kevoreilly" - id = "7998bc32-9299-5d76-bdc8-db4be98b01cf" + id = "22322e5c-ded6-56df-8a39-a8f5cbc18239" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Atlas.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Atlas.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "c3f73b29df5caf804dbfe3e6ac07a9e2c772bd2a126f0487e4a65e72bd501e6e" score = 75 quality = 70 tags = "FILE" 
@@ -118108,14 +118108,14 @@ rule CAPE_Latrodectus meta: description = "Latrodectus Payload" author = "enzok" - id = "fbf6b00e-77e5-5c35-9f95-a6b361a32971" + id = "5fe6ddad-3252-5f49-9359-bd647b974fe6" date = "2024-09-03" modified = "2024-09-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Latrodectus.yar#L1-L16" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Latrodectus.yar#L1-L16" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "a547cff9991a713535e5c128a0711ca68acf9298cc2220c4ea0685d580f36811" - logic_hash = "v1_sha256_2f98d570bf9a490eecd2807599b93023ccacab86f3b7674f0118bbebd4dd2776" + logic_hash = "2f98d570bf9a490eecd2807599b93023ccacab86f3b7674f0118bbebd4dd2776" score = 75 quality = 70 tags = "" 
@@ -118136,14 +118136,14 @@ rule CAPE_Latrodectus_AES meta: description = "Latrodectus Payload" author = "enzok" - id = "c26cb72f-1541-5e3e-b46b-efa289469d19" + id = "8a3dd88c-7840-54a3-8844-4e1a38f51df5" date = "2024-09-03" modified = "2024-09-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Latrodectus.yar#L18-L34" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Latrodectus.yar#L18-L34" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "5cecb26a3f33c24b92a0c8f6f5175da0664b21d7c4216a41694e4a4cad233ca8" - logic_hash = "v1_sha256_1f00f6f187f15d39a30e15ffd14dae07707141999271ad4ac6a75ff4d93dd54d" + logic_hash = "1f00f6f187f15d39a30e15ffd14dae07707141999271ad4ac6a75ff4d93dd54d" score = 75 quality = 70 tags = "" 
@@ -118165,13 +118165,13 @@ rule CAPE_Codoso : FILE meta: description = "Codoso Payload" author = "kevoreilly" - id = "ebe80cb4-888a-5f94-b213-a04f7877b1fa" + id = "4c3d8d77-ffa9-576d-bf88-7b5a1bfd1811" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Codoso.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Codoso.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "32c9ed2ac29e8905266977a9ee573a252442d96fb9ec97d88642180deceec3f8" score = 75 quality = 70 tags = "FILE" 
@@ -118190,13 +118190,13 @@ rule CAPE_Xenorat meta: description = "No description has been set in the source file - CAPE" author = "jeFF0Falltrades" - id = "7944393b-cb0e-5721-8bd5-a85c653a0b25" + id = "9708158d-06fc-5991-a084-df2bfe1d5c96" date = "2024-10-09" modified = "2024-10-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/XenoRAT.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/XenoRAT.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "26f520fb69a52d05786fac0e9e38f5db9601da0a3e7768e00975a9684f3560ef" score = 75 quality = 66 tags = "" 
@@ -118218,13 +118218,13 @@ rule CAPE_Arkei : FILE meta: description = "Arkei Payload" author = "kevoreilly" - id = "c3426976-58c0-5721-b638-efa5f3204ccf" + id = "22ebe194-19a9-5bf2-9cfc-ea27b7724572" date = "2020-02-11" modified = "2020-02-11" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Arkei.yar#L1-L24" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_03980827db1c53d4090ab196ba820ca34b5d83dc7140b11ead9182cb5d28c7d3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Arkei.yar#L1-L24" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "03980827db1c53d4090ab196ba820ca34b5d83dc7140b11ead9182cb5d28c7d3" score = 75 quality = 70 tags = "FILE" @@ -118253,13 +118253,13 @@ rule CAPE_Scarab : FILE meta: description = "Scarab Payload" author = "kevoreilly" - id = "d83f0494-9bc9-5a3d-a054-8916f061fe99" + id = "2ba8ae50-1e56-5773-aaea-058161b59c78" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Scarab.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Scarab.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "0d8fa7ab4c8e5699f17f9e9444e85a42563a840a8e7ee9eda54add3a6845d1c6" score = 75 quality = 70 tags = "FILE" 
@@ -118278,13 +118278,13 @@ rule CAPE_Azorult : FILE meta: description = "Azorult Payload" author = "kevoreilly" - id = "f7b8980e-9e81-5089-a577-73608a48086e" + id = "ca76ec00-001f-56d0-bdbc-9dfd3239fba8" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Azorult.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Azorult.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "4691cf48d513d1965416b0cce1b6e19c8f7b393a940afd68b7c6ca8c0d125d90" score = 75 quality = 70 tags = "FILE" 
@@ -118302,13 +118302,13 @@ rule CAPE_Bumblebee : FILE meta: description = "BumbleBee Payload" author = "enzo & kevoreilly" - id = "af79e592-7044-5da3-8ef3-f5c446232277" + id = "b3a4dd53-014c-5e16-8ac1-7f3800ae017d" date = "2024-10-29" modified = "2024-10-29" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/BumbleBee.yar#L35-L50" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_bc7c2ce9d3cd598c9510dc64d78048999f2f89ee5a84cd0d6046dbdfabe260ee" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/BumbleBee.yar#L35-L50" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "bc7c2ce9d3cd598c9510dc64d78048999f2f89ee5a84cd0d6046dbdfabe260ee" score = 75 quality = 70 tags = "FILE" 
@@ -118330,13 +118330,13 @@ rule CAPE_Bumblebee2024 meta: description = "BumbleBee 2024" author = "enzok" - id = "40e25684-e23c-570b-a1fe-a4e9fbeb88ef" + id = "ba92b894-912d-593c-acf9-99cb6ad6d61f" date = "2024-10-29" modified = "2024-10-29" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/BumbleBee.yar#L52-L68" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/BumbleBee.yar#L52-L68" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "db58272c1ba74bc6e6a90bdacf7e8feec94be5da2b5123e0475ce86448f3edb2" score = 75 quality = 70 tags = "" @@ -118359,13 +118359,13 @@ rule CAPE_Nitrogenloader meta: description = "Nitrogen Loader" author = "enzok" - id = "5b6843f1-0a3d-5448-80bb-2dc298a62f5c" + id = "45628576-3fbf-593d-a113-0bbfb12bd808" date = "2024-12-02" modified = "2024-12-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/NitrogenLoader.yar#L1-L23" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_24117d6e04bc964c17c08c9918502410890d7ccdc2e9971f2d01f6f0b41d3836" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/NitrogenLoader.yar#L1-L23" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "24117d6e04bc964c17c08c9918502410890d7ccdc2e9971f2d01f6f0b41d3836" score = 75 quality = 70 tags = "" 
@@ -118394,13 +118394,13 @@ rule CAPE_Badrabbit : FILE meta: description = "BadRabbit Payload" author = "kevoreilly" - id = "4f74db4c-7d11-5e1c-a78d-d083a3853531" + id = "c7204772-6f14-57b7-88c1-e9156f9897d5" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/BadRabbit.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/BadRabbit.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "309e14ab4ea2f919358631f9d8b2aaff1f51e7708b6114e4e6bf4a9d9a5fc86c" score = 75 quality = 70 tags = "FILE" 
@@ -118419,13 +118419,13 @@ rule CAPE_Dreambot : FILE meta: description = "Dreambot Payload" author = "kevoreilly" - id = "e5cc7449-9192-5ad0-8475-36dbe7fb2969" + id = "675c2fea-fe48-5afd-9fa1-de919134892f" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Dreambot.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Dreambot.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "29c6d648d5d38667c5824c2d20a83a20448c2ae6054ddddb2b2b7f8bdb69f74b" score = 75 quality = 70 tags = "FILE" @@ -118445,13 +118445,13 @@ rule CAPE_Fareit : FILE meta: description = "Fareit Payload" author = "kevoreilly" - id = "62d33487-1d1c-5c78-94ea-f93209438f76" + id = "b3c4eb86-d104-5f31-afa4-5bf5f370f64e" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Fareit.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Fareit.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "ed35391ffc949219f380da3f22bc8397a7d5c742bd68e227c3becdebcab5cf83" score = 75 quality = 70 tags = "FILE" 
@@ -118468,13 +118468,13 @@ rule CAPE_Masslogger : FILE meta: description = "MassLogger" author = "kevoreilly" - id = "1b7fbd5b-1b45-5e66-ae80-198c8917c4b7" + id = "0743421a-36f7-5b7c-859f-b461511151cb" date = "2020-11-24" modified = "2020-11-24" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/MassLogger.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/MassLogger.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "c8d82694810aafbdc6a35a661e7431e9536035e2f7fef90b9359064c4209b66c" score = 75 quality = 70 tags = "FILE" @@ -118492,13 +118492,13 @@ rule CAPE_Lumma : FILE meta: description = "Lumma Payload" author = "kevoreilly" - id = "08b47410-0392-514e-bf6a-5bc40f45c4e8" + id = "6ec1e0dc-028b-5135-9d0a-462718d90fe3" date = "2024-10-22" modified = "2024-10-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Lumma.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_44408ffa7870dbc1a8a31567dd743f46542da01ed8083e5413392920b9d1bafe" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Lumma.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "44408ffa7870dbc1a8a31567dd743f46542da01ed8083e5413392920b9d1bafe" score = 75 quality = 70 tags = "FILE" 
@@ -118519,13 +118519,13 @@ rule CAPE_Lockbit : FILE meta: description = "Lockbit Payload" author = "kevoreilly" - id = "6ad4325b-8ac8-53ae-8c8d-ef5aa84b6068" + id = "ec9b4fec-0233-5277-b922-07057c2b4b34" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Lockbit.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Lockbit.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "80ab705c8246a0bd5b3de65146cf32b102f39bf9444bdf1d366b5a794c1229b9" score = 75 quality = 70 tags = "FILE" 
@@ -118546,13 +118546,13 @@ rule CAPE_Aurorastealer : FILE meta: description = "detects Aurora Stealer samples" author = "Johannes Bader @viql" - id = "b8b3663e-4ec1-550e-b2b8-9ede3d88128f" + id = "07779318-3e5d-5e67-8c04-f3f70d7e48b7" date = "2022-12-14" modified = "2023-03-31" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/AuroraStealer.yar#L1-L74" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/AuroraStealer.yar#L1-L74" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "0d10e9268184f494a73d5b4ab0d9a478ad0c26d2ef13d5134f8c9769f028b8f5" score = 75 quality = 45 tags = "FILE" 
@@ -118626,14 +118626,14 @@ rule CAPE_Koiloader meta: description = "KoiLoader" author = "YungBinary" - id = "12b1c1f6-766a-52b8-ae4a-c87fbea05984" + id = "258e8857-7ea6-5098-9949-06d9d83853d4" date = "2024-10-25" modified = "2024-10-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/KoiLoader.yar#L1-L35" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/KoiLoader.yar#L1-L35" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "b462e3235c7578450b2b56a8aff875a3d99d22f6970a01db3ba98f7ecb6b01a0" - logic_hash = "v1_sha256_264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90" + logic_hash = "264a536632f8f11c904b00c9d2e505b3263c733ad8fbc2ef19c25a5ad58cef90" score = 75 quality = 70 tags = "" 
@@ -118671,14 +118671,14 @@ rule CAPE_Cargobayloader : FILE meta: description = "CargoBay Loader" author = "kevoreilly" - id = "0135d03b-4a3d-5a60-9610-06e607f021d5" + id = "5b347863-0bea-55d2-aaf3-b3d6e604be89" date = "2023-02-20" modified = "2023-02-20" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/CargoBayLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/CargoBayLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "75e975031371741498c5ba310882258c23b39310bd258239277708382bdbee9c" - logic_hash = "v1_sha256_1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9" + logic_hash = "1d5c4ca79f97e1fac358189a8c6530be12506974fc2fb42f63b0b621536a45c9" score = 75 quality = 70 tags = "FILE" 
@@ -118696,13 +118696,13 @@ rule CAPE_Socks5Systemz : FILE meta: description = "Socks5Systemz Payload" author = "kevoreilly" - id = "3c98bc77-b311-5a58-a569-e66f0b3722dc" + id = "75831382-bb43-554e-93b1-f54a2255d8b9" date = "2024-05-22" modified = "2024-05-22" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Socks5Systemz.yar#L1-L18" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_44b83b6d2ab39b4258ae0d97d00d02afdbb62a3973fd788584e4dea9db69cc1b" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Socks5Systemz.yar#L1-L18" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "44b83b6d2ab39b4258ae0d97d00d02afdbb62a3973fd788584e4dea9db69cc1b" score = 75 quality = 70 tags = "FILE" 
@@ -118726,13 +118726,13 @@ rule CAPE_Conti : FILE meta: description = "Conti Ransomware" author = "kevoreilly" - id = "9b7bb3b8-9321-51ca-8887-430e94f80925" + id = "c94aed07-0eaf-5b51-a81e-e1992543673a" date = "2021-03-15" modified = "2021-03-15" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Conti.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Conti.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "c9842f93d012d0189b9c6f10ad558b37ae66226bbb619ad677f6906ccaf0e848" score = 75 quality = 70 tags = "FILE" @@ -118751,13 +118751,13 @@ rule CAPE_Petrwrap : FILE meta: description = "PetrWrap Payload" author = "kevoreilly" - id = "e52dc8d1-d838-5d4c-a094-b13d729dfbc6" + id = "83762c87-6e96-50fe-b297-e1a5f893be43" date = "2022-06-09" modified = "2022-06-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/PetrWrap.yar#L1-L15" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/PetrWrap.yar#L1-L15" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6dd1cf5639b63d0ab41b24080dad68d285f2e3969ad34fd724c83e7a0dd4b968" score = 75 quality = 70 tags = "FILE" 
@@ -118777,13 +118777,13 @@ rule CAPE_Bitpaymer : FILE meta: description = "BitPaymer Payload" author = "kevoreilly" - id = "98980216-a817-59f6-9e77-5c7b69427df6" + id = "c139b514-a1ba-5d47-8f4d-8e60cddfe2ba" date = "2019-11-27" modified = "2019-11-27" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/BitPaymer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/BitPaymer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6ae0dc9a36da13e483d8d653276b06f59ecc15c95c754c268dcc91b181677c4c" score = 75 quality = 70 tags = "FILE" @@ -118801,13 +118801,13 @@ rule CAPE_Azer : FILE meta: description = "Azer Payload" author = "kevoreilly" - id = "8e9aa32f-38d5-5135-ab72-c8b6c8d4bbd9" + id = "4bda70c2-3cd9-543f-92f4-886b7dd899a1" date = "2019-10-30" modified = "2019-10-30" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Azer.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Azer.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "48bd4a4e071f10d1911c4173a0cd39c69fed7a3b29eb92beffe709899f4cefa5" score = 75 quality = 70 tags = "FILE" 
@@ -118826,13 +118826,13 @@ rule CAPE_Nemty : FILE meta: description = "Nemty Ransomware Payload" author = "kevoreilly" - id = "ecfe4eab-58f5-5d63-aa78-d66670ab1165" + id = "3aa8e1d7-f9cb-5b04-923d-7bed15ab8c3f" date = "2020-04-03" modified = "2020-04-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/Nemty.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/Nemty.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "a05974b561c67b4f1e0812639b74831edcf65686a06c0d380f0b45739e342419" score = 75 quality = 70 tags = "FILE" 
@@ -118851,13 +118851,13 @@ rule CAPE_Trickbot meta: description = "TrickBot Payload" author = "sysopfb & kevoreilly" - id = "f8135db0-c0d6-5269-8743-590c5503823e" + id = "dc88eadd-7b84-5bd0-96d1-aad480632bee" date = "2023-02-07" modified = "2023-02-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/TrickBot.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/TrickBot.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "47cc2070b43957601a72745329a9d14fb3fbfd4d2b31cacc35d4ac750dde31ea" score = 75 quality = 70 tags = "" 
@@ -118883,14 +118883,14 @@ rule CAPE_Trickbot_Permadll_UEFI_Module meta: description = "Detects TrickBot Banking module permaDll" author = "@VK_Intel | Advanced Intelligence" - id = "6157aceb-0626-584b-a67c-e63e4984c1ce" + id = "ba104164-0a1a-5a4c-8312-7653f7818e96" date = "2023-02-07" modified = "2023-02-07" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/TrickBot.yar#L22-L38" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/TrickBot.yar#L22-L38" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "491115422a6b94dc952982e6914adc39" - logic_hash = "v1_sha256_564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2" + logic_hash = "564055f56fd19bed8900e6d451ba050b4e9013a9208a3bdc3d3d563567d225d2" score = 75 quality = 70 tags = "" 
@@ -118912,13 +118912,13 @@ rule CAPE_Dridexloader : FILE meta: description = "Dridex v4 dropper C2 parsing function" author = "kevoreilly" - id = "dc3ef02d-b423-50c1-a4ef-1cd4504e983e" + id = "43bd9631-4611-567c-bee5-d926e060b977" date = "2021-03-10" modified = "2021-03-10" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/data/yara/CAPE/DridexLoader.yar#L1-L17" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/data/yara/CAPE/DridexLoader.yar#L1-L17" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "20696b1f14539c8ecf21bffc696596040c20b1ee2fcedc173945482c0baca588" score = 75 quality = 70 tags = "FILE" 
@@ -118940,13 +118940,13 @@ rule CAPE_Singlestepantihook meta: description = "Single-step anti-hook Bypass" author = "kevoreilly" - id = "86e80370-58c3-5d03-b2de-4c3838283bc4" + id = "f7aca40b-d231-543b-81f3-5f4524abab78" date = "2021-08-26" modified = "2021-08-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/SingleStepAntiHook.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "fc9f36b0ecc13192fe8b6caaff256ac52c1f14480223d629a38ba84e90dd0809" score = 75 quality = 70 tags = "" 
@@ -118963,13 +118963,13 @@ rule CAPE_Heavenssyscall : FILE meta: description = "Bypass variants of heaven's gate direct syscalls" author = "kevoreilly" - id = "97211e1a-76a6-5fdf-a745-03772f62eb86" + id = "7c60102a-ac8b-5e28-8dbb-4b6c3f4cddff" date = "2024-03-25" modified = "2024-03-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/HeavensSyscall.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "aeb981fcba0936ff8b1be4c601445fd45e5d3b74856a9439d351edd57f5a50c3" score = 75 quality = 70 tags = "FILE" 
@@ -118988,17 +118988,17 @@ rule CAPE_Gettickcountantivm meta: description = "GetTickCountAntiVM bypass" author = "kevoreilly" - id = "2c118a5c-95d1-5cb6-a7aa-c618b559aff3" + id = "d90b9768-0525-5963-9817-e3a53b1d4cf3" date = "2022-02-25" modified = "2022-02-25" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/GetTickCountAntiVM.yar#L1-L20" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "662bc7839ed7ddd82d5fdafa29fafd9a9ec299c28820fe4104fbba9be1a09c42" hash = "00f1537b13933762e1146e41f3bac668123fac7eacd0aa1f7be0aa37a91ef3ce" hash = "549bca48d0bac94b6a1e6eb36647cd007fed5c0e75a0e4aa315ceabdafe46541" hash = "90c29a66209be554dfbd2740f6a54d12616da35d0e5e4af97eb2376b9d053457" - logic_hash = "v1_sha256_9cdb0b2d2e058e1858c2f2baad67005a2019fbbdcb7ca54571c8d20dfbf33471" + logic_hash = "9cdb0b2d2e058e1858c2f2baad67005a2019fbbdcb7ca54571c8d20dfbf33471" score = 75 quality = 70 tags = "" 
@@ -119020,13 +119020,13 @@ rule CAPE_Buerloader_1 : FILE meta: description = "BuerLoader RDTSC Trap Bypass" author = "kevoreilly" - id = "a8b922ef-45d4-54ac-95ad-d0ccb71c8ab6" + id = "38f01199-6bd2-5519-b570-8c0f46e74286" date = "2021-03-13" modified = "2021-03-13" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/BuerLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6f9f9b4c01251c0643c61701084cca2bdfeea08ca95f982355565cf05483d940" score = 75 quality = 70 tags = "FILE" 
@@ -119043,13 +119043,13 @@ rule CAPE_Modiloader : FILE meta: description = "ModiLoader detonation shim" author = "ditekSHen" - id = "b7735d58-09bd-5a5e-b5bb-bd860a0d1abe" + id = "2b3fd8ec-b672-574b-9b50-1a9ca9f43299" date = "2023-10-19" modified = "2023-10-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/ModiLoader.yar#L1-L39" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/ModiLoader.yar#L1-L39" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "fc006377e6d41515503b0b234ff87f59d930a7d9f8b32d2e072de79b9c52ddc4" score = 75 quality = 66 tags = "FILE" 
@@ -119088,14 +119088,14 @@ rule CAPE_Risepro : FILE meta: description = "No description has been set in the source file - CAPE" author = "kevoreilly" - id = "fba64cd7-307a-5de1-97d8-551c22accacc" + id = "63d9cb19-0688-5632-8477-ce9b7e986a55" date = "2023-12-16" modified = "2023-12-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/RisePro.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/RisePro.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6" - logic_hash = "v1_sha256_055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a" + logic_hash = "055ca8328923b91f93c116e4a856366356fa11155f4e9fde95da31129b51386a" score = 75 quality = 70 tags = "FILE" 
@@ -119114,13 +119114,13 @@ rule CAPE_Privateloader meta: description = "PrivateLoader indirect syscall capture" author = "kevoreilly" - id = "5fd7457b-c49e-5011-b2e1-0af2bb446765" + id = "3a0b16da-ec84-5761-bcf2-106362c5667d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/PrivateLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "204a86bb3743f19fed0fe55ff5ccd716661f7f315b5966a29e434ccb3e160526" score = 75 quality = 70 tags = "" 
@@ -119138,13 +119138,13 @@ rule CAPE_Qakbot5_1 : FILE meta: description = "QakBot WMI anti-anti-vm" author = "kevoreilly" - id = "8801195f-5a13-556b-8ae7-068e3ee835c1" + id = "d287b043-15df-5865-ad4c-9eb64ceec04c" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/QakBot.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/QakBot.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "303ea2d8d1a7f0fd0ca5508dae2c1b83c03b1e3e975760f15d36d93bcc152767" score = 75 quality = 70 tags = "FILE" 
@@ -119163,13 +119163,13 @@ rule CAPE_Qakbot4_1 : FILE meta: description = "QakBot Config Extraction" author = "kevoreilly" - id = "1a39a06c-da71-56b1-a6c9-86cacb05aa0d" + id = "401184cf-bbd7-5afe-9589-470f54721af1" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/QakBot.yar#L15-L29" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/QakBot.yar#L15-L29" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "ad75b07b9b786f634fd46cbe6dc089d3f732673320e70714e8ab058f0392c9f5" score = 75 quality = 70 tags = "FILE" 
@@ -119190,14 +119190,14 @@ rule CAPE_Qakbotloader : FILE meta: description = "QakBot Export Selection" author = "kevoreilly" - id = "8bae4c72-4e99-5406-ad40-e73417033fed" + id = "b2d5ef1c-0651-5249-9c4b-7e83235d4a30" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/QakBot.yar#L31-L46" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/QakBot.yar#L31-L46" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "6f99171c95a8ed5d056eeb9234dbbee123a6f95f481ad0e0a966abd2844f0e1a" - logic_hash = "v1_sha256_00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98" + logic_hash = "00869c0a9bf62cde3f46ca915b0ef689557b09dc58d6de34609e3998abfa7e98" score = 75 quality = 70 tags = "FILE" 
@@ -119218,14 +119218,14 @@ rule CAPE_Qakbotantivm meta: description = "QakBot AntiVM bypass" author = "kevoreilly" - id = "6ea67e18-79a3-5489-a00a-3fcb53ebef87" + id = "7446522a-788a-512d-ad68-2fcc56169f5a" date = "2024-02-16" modified = "2024-02-16" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/QakBot.yar#L48-L59" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/QakBot.yar#L48-L59" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "e269497ce458b21c8427b3f6f6594a25d583490930af2d3395cb013b20d08ff7" - logic_hash = "v1_sha256_20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989" + logic_hash = "20f1cd28f38945a3aa328e77e78525fb1ffc47ecf54d5a40c2f18264c3973989" score = 75 quality = 70 tags = "" 
@@ -119242,13 +119242,13 @@ rule CAPE_Zloader_1 : FILE meta: description = "Zloader API Spam Bypass" author = "kevoreilly" - id = "ece349f1-f123-52e3-a32e-f447a34a8b56" + id = "8a8e7102-1138-59e7-95a6-8647d41d8521" date = "2024-05-03" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Zloader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Zloader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "319adca805083c7f5854fe840447cf961addbd748f1f25eb8ec8cdeed7af38aa" score = 75 quality = 70 tags = "FILE" 
@@ -119266,13 +119266,13 @@ rule CAPE_Zloader_2024 : FILE meta: description = "Zloader Registry and Modulename Bypass" author = "enzok" - id = "b4e5dc9c-f994-5f10-86b2-f33dac27eab8" + id = "7100c27e-021f-552c-9a75-84b07a2f837e" date = "2024-05-03" modified = "2024-05-03" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Zloader.yar#L14-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Zloader.yar#L14-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "38d555ef5f613cf7ca043697c479100a7a22e7f043acf8b6a46f8009eb92fd7e" score = 75 quality = 70 tags = "FILE" 
@@ -119291,13 +119291,13 @@ rule CAPE_Guloaderprecursor : FILE
 meta:
 description = "Guloader precursor"
 author = "kevoreilly"
- id = "8289ae16-bce3-58b9-8799-8045d79d648d"
+ id = "663f89d7-a18b-5b03-a7cb-52444a887fa4"
 date = "2023-10-02"
 modified = "2023-10-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Guloader.yar#L17-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Guloader.yar#L17-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "ea05c352739366a03da302074b01537382ba26f7fd5049004f156e47d284f070"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119315,13 +119315,13 @@ rule CAPE_Rdtscpantivm
 meta:
 description = "RdtscpAntiVM bypass"
 author = "kevoreilly"
- id = "6c0ec43a-2e82-5ffb-b8b2-9879806ddf98"
+ id = "11dc634b-1e2f-55b4-be60-98e51de42d43"
 date = "2021-12-11"
 modified = "2021-12-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/RdtscpAntiVM.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "be0f9b52fb630730a38160f4ad2d50b6b4bea5edd82e3ea4d1e257cf7b090910"
 score = 75
 quality = 70
 tags = ""
@@ -119338,13 +119338,13 @@ rule CAPE_Icedidsyscallwritemem : FILE
 meta:
 description = "IcedID 'syscall' packer bypass - direct write variant"
 author = "kevoreilly"
- id = "d220d853-3236-56c8-be39-9724580aef7f"
+ id = "67935058-4191-587f-ad19-497defd0eef1"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/IcedID.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/IcedID.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "6b068106b038e9efeb9057cadf314d400c1ada1a1cc70336d3272da3a212c993"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119363,13 +119363,13 @@ rule CAPE_Icedidhook
 meta:
 description = "IcedID hook fix"
 author = "kevoreilly"
- id = "994af780-d272-5dbc-8b60-6b5365220eae"
+ id = "011c9cb7-8080-5f8a-9dca-6397e9bf7bf6"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/IcedID.yar#L15-L25"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/IcedID.yar#L15-L25"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "fd62e0ed6f2a18472fa9336daee0e8a3a55e21779a8385394e85f96da928e24f"
 score = 75
 quality = 70
 tags = ""
@@ -119386,14 +119386,14 @@ rule CAPE_Icedidpackera : FILE
 meta:
 description = "IcedID export selection"
 author = "kevoreilly"
- id = "d7bb4051-8fd2-5cc3-9872-5bd4f732d1d2"
+ id = "d793d8a1-0e17-56ad-933c-470e2290867b"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/IcedID.yar#L27-L40"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/IcedID.yar#L27-L40"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
 hash = "fbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe"
- logic_hash = "v1_sha256_aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408"
+ logic_hash = "aa0681e7794546355e6d61f739c49035a493cdfca7e666531d74e3835ec44408"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119412,14 +119412,14 @@ rule CAPE_Icedidpackerb : FILE
 meta:
 description = "IcedID export selection"
 author = "kevoreilly"
- id = "fa6544d6-7e2f-54ed-a5e4-bf0483af339b"
+ id = "6bd0e64d-e60e-5cd2-af79-946a7f6dc9f5"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/IcedID.yar#L42-L56"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/IcedID.yar#L42-L56"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
 hash = "6517ef2c579002ec62ddeb01a3175917c75d79ceca355c415a4462922c715cb6"
- logic_hash = "v1_sha256_fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7"
+ logic_hash = "fde1e2c0124d180b2fa3d0675b35e8d78fdd7b06cd27e9228c148aa29ce30ee7"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119438,15 +119438,15 @@ rule CAPE_Icedidpackerc : FILE
 meta:
 description = "IcedID export selection"
 author = "kevoreilly"
- id = "aab3a0bb-064c-5d33-a14f-0c588b19800d"
+ id = "fddfd0d2-1bc0-56bb-b983-5850e17a3d0f"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/IcedID.yar#L58-L71"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/IcedID.yar#L58-L71"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
 hash = "c06805b6efd482c1a671ec60c1469e47772c8937ec0496f74e987276fa9020a5"
 hash = "265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844"
- logic_hash = "v1_sha256_f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166"
+ logic_hash = "f1e75e380ab0947fdfda012b7a5077a1c2ef51163239846ab2dc29cac95ba166"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119464,14 +119464,14 @@ rule CAPE_Icedidpackerd : FILE
 meta:
 description = "IcedID export selection"
 author = "kevoreilly"
- id = "44707ca8-6a1d-5911-9ab1-9a3334a357f4"
+ id = "df0ca4bd-1ea6-57ef-b85a-7ed0e2a20831"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/IcedID.yar#L73-L86"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/IcedID.yar#L73-L86"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
 hash = "7b226f8cc05fa7d846c52eb0ec386ab37f9bae04372372509daa6bacc9f885d8"
- logic_hash = "v1_sha256_6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7"
+ logic_hash = "6685e0246f5a11ce0ca33447837de06506b447a5f8591423e2b76f2ab0274dc7"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119490,13 +119490,13 @@ rule CAPE_Icedsleep : FILE
 meta:
 description = "IcedID sleep bypass"
 author = "kevoreilly"
- id = "251a448b-7e79-5d56-92bb-0abdbe8a4dfe"
+ id = "d6bd708b-47bc-5620-b40e-8fe5f1a67ba4"
 date = "2023-11-28"
 modified = "2023-11-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/IcedID.yar#L88-L99"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/IcedID.yar#L88-L99"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "0b1a8be95b1b8a3b066837f9e47561ee8202d741b39d64e626c0461c2fbf7c70"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119514,13 +119514,13 @@ rule CAPE_Ursnifv3_1
 meta:
 description = "Ursnif Config Extraction"
 author = "kevoreilly"
- id = "70a151d0-b5d6-56d8-b023-e166daa06ecf"
+ id = "4170b638-e51b-59c6-956a-50ff82f629ba"
 date = "2023-03-23"
 modified = "2023-03-23"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/UrsnifV3.yar#L1-L16"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "d679546e37ee58087fce75920b2ce4e6d2b9ae55fb1ef80d14ec14309396757c"
 score = 75
 quality = 70
 tags = ""
@@ -119542,13 +119542,13 @@ rule CAPE_Formhooka
 meta:
 description = "Formbook Anti-hook Bypass"
 author = "kevoreilly"
- id = "c4cf6811-a337-5862-b141-296a73f0acff"
+ id = "6369de74-99eb-57ae-a315-c15f22effc73"
 date = "2024-10-11"
 modified = "2024-10-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Formbook.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Formbook.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "21b8101a7039cfad0e9d49cc1f055bc23a2eb4c973dcda2a81a007e452d77a6d"
 score = 75
 quality = 70
 tags = ""
@@ -119568,13 +119568,13 @@ rule CAPE_Formhookb
 meta:
 description = "Formbook Anti-hook Bypass"
 author = "kevoreilly"
- id = "193ac99b-df61-5488-ac16-8d8632b95b23"
+ id = "479afd45-8e59-5b31-8315-faf8284f0de4"
 date = "2024-10-11"
 modified = "2024-10-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Formbook.yar#L16-L29"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_b8b677ca239c6c5faf44f7a46c1e3e231f5708fb13aac724fd3ac9f865b965d8"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Formbook.yar#L16-L29"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "b8b677ca239c6c5faf44f7a46c1e3e231f5708fb13aac724fd3ac9f865b965d8"
 score = 75
 quality = 70
 tags = ""
@@ -119594,13 +119594,13 @@ rule CAPE_Formconfa
 meta:
 description = "Formbook Config Extraction"
 author = "kevoreilly"
- id = "e9b6c12d-1bc0-525f-9842-a7528d4b934d"
+ id = "f9c3fc92-e2c8-5968-b0f4-80bd8199b7ca"
 date = "2024-10-11"
 modified = "2024-10-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Formbook.yar#L31-L43"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Formbook.yar#L31-L43"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "b0aa4cec55a21245d8104380c531dd6cc0fdef64fbefd79616eadfb4e95b2d75"
 score = 75
 quality = 70
 tags = ""
@@ -119619,13 +119619,13 @@ rule CAPE_Formhelper
 meta:
 description = "Formbook Config Extraction"
 author = "kevoreilly"
- id = "d7bf5b36-3489-5f84-a6c4-41c902683133"
+ id = "88ff1354-1ae7-5380-a586-ef95212d59df"
 date = "2024-10-11"
 modified = "2024-10-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Formbook.yar#L45-L57"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_77cdfc94aac089c4f2590f4afbab35351fc6e104e67813548c68c59d27019a63"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Formbook.yar#L45-L57"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "77cdfc94aac089c4f2590f4afbab35351fc6e104e67813548c68c59d27019a63"
 score = 75
 quality = 70
 tags = ""
@@ -119644,13 +119644,13 @@ rule CAPE_Formconfb
 meta:
 description = "Formbook Config Extraction"
 author = "kevoreilly"
- id = "9f1770b9-2457-599e-a48e-f83884af35ce"
+ id = "4c8c7939-07e8-5a1e-92a3-b62e322fb9b6"
 date = "2024-10-11"
 modified = "2024-10-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Formbook.yar#L59-L73"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_8a96ef5c6cebb51186acd099b795066e8e8b2c2adbed4dcc66b81228f70e5c4f"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Formbook.yar#L59-L73"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "8a96ef5c6cebb51186acd099b795066e8e8b2c2adbed4dcc66b81228f70e5c4f"
 score = 75
 quality = 70
 tags = ""
@@ -119671,13 +119671,13 @@ rule CAPE_Formconfc
 meta:
 description = "Formbook Config Extraction"
 author = "kevoreilly"
- id = "0ba73bf6-0a30-56d4-aab7-b4b9a7bbc156"
+ id = "cf155b6e-0821-5044-a84e-e4a101e55edd"
 date = "2024-10-11"
 modified = "2024-10-11"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Formbook.yar#L75-L87"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_f52bce00d2ec88682115a8720f0a182b7ef7fe7b9b9fc466bb8ddc1779341509"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Formbook.yar#L75-L87"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "f52bce00d2ec88682115a8720f0a182b7ef7fe7b9b9fc466bb8ddc1779341509"
 score = 75
 quality = 70
 tags = ""
@@ -119696,14 +119696,14 @@ rule CAPE_Emotetpacker : FILE
 meta:
 description = "Emotet bypass"
 author = "kevoreilly"
- id = "5f054906-4531-50fc-9cad-ef65817788d6"
+ id = "67b8e14c-5fa8-52af-bb9a-1663b084fbf0"
 date = "2022-06-09"
 modified = "2022-06-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/EmotetPacker.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
 hash = "5a95d1d87ce69881b58a0e3aafc1929861e2633cdd960021d7b23e2a36409e0d"
- logic_hash = "v1_sha256_5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd"
+ logic_hash = "5f27d9d18884f7e0805f69960869b332c1577bf8be8ac103285e8bf98cda0ffd"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119721,13 +119721,13 @@ rule CAPE_Mysterysnail
 meta:
 description = "MysterySnail anti-sandbox bypass"
 author = "kevoreilly"
- id = "57cf8fd9-6719-5171-acba-49fca9de8365"
+ id = "dfeb820a-3101-5588-8348-3b62a6900538"
 date = "2021-10-16"
 modified = "2021-10-16"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/MysterySnail.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/MysterySnail.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "9402dbbbfdd286e2309ee83fc08194f70f73657a3a4e3785dfbcb564dbee86a8"
 score = 75
 quality = 70
 tags = ""
@@ -119744,13 +119744,13 @@ rule CAPE_Bruteratelsyscall
 meta:
 description = "BruteRatel Syscall Bypass"
 author = "kevoreilly"
- id = "aaaa50d1-4d02-5348-990a-bf1192b65196"
+ id = "0ddc3e0a-c4ca-5342-b029-107ce1f2751e"
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/BruteRatel.yar#L1-L12"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "5ed054b3cd5d2659c250945d55d6adac90945963c34ad2af0f8d7436141e86b6"
 score = 75
 quality = 70
 tags = ""
@@ -119768,13 +119768,13 @@ rule CAPE_Bruteratelpacker
 meta:
 description = "BruteRatel Outer Encryption Layer"
 author = "kevoreilly"
- id = "6dc17b53-42db-5dd9-906e-2a55b51bef8b"
+ id = "631083be-7058-590a-a394-984545f42ad7"
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/BruteRatel.yar#L14-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "2ccb17efe378d034df34d20d7580c58171d0fd11c18fef6c9a23f1ba238514e6"
 score = 75
 quality = 70
 tags = ""
@@ -119793,13 +119793,13 @@ rule CAPE_Bruterateldate
 meta:
 description = "BruteRatel Date Check Bypass"
 author = "kevoreilly"
- id = "f7f40466-e17e-5de2-aa1c-db6158e875b7"
+ id = "94dd5cf3-ed59-51d6-92c8-aee73fe2926b"
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/BruteRatel.yar#L28-L39"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "88589b2d08aea03565668ff1b9af20b6fe11cda50d867c60db7cb4d1826b0fd7"
 score = 75
 quality = 70
 tags = ""
@@ -119817,13 +119817,13 @@ rule CAPE_Bruteratelconfig
 meta:
 description = "BruteRatel Config Extraction"
 author = "kevoreilly"
- id = "fafd8e2d-b712-5f66-9e7f-bff0aa347271"
+ id = "5ae680b0-5ad2-5e82-87f8-b0af4fec18de"
 date = "2024-07-22"
 modified = "2024-07-22"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/BruteRatel.yar#L41-L51"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "b1815aafec940ab6c8daafc68ccf294845221ada260de5209dcb7e49ccd061c7"
 score = 75
 quality = 70
 tags = ""
@@ -119840,13 +119840,13 @@ rule CAPE_Darkgateloader
 meta:
 description = "DarkGate Loader"
 author = "enzok"
- id = "d765a863-c52b-5497-9a09-e91605da7735"
+ id = "ca39f39d-aa89-5018-bb07-008a6ea86c42"
 date = "2023-10-02"
 modified = "2023-10-02"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_56069f38edb7d50b0d5680a847d85b1aabc97e432a37911ac9d28aee3b12f526"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/DarkGateLoader.yar#L1-L15"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "56069f38edb7d50b0d5680a847d85b1aabc97e432a37911ac9d28aee3b12f526"
 score = 75
 quality = 68
 tags = ""
@@ -119867,13 +119867,13 @@ rule CAPE_Rhadamanthys_1
 meta:
 description = "No description has been set in the source file - CAPE"
 author = "kevoreilly"
- id = "f0c3586c-5cec-5ee3-88b3-19120f8129a3"
+ id = "d9d387e1-76b3-55f6-a40f-a8c9cb9e9bea"
 date = "2023-04-18"
 modified = "2023-04-18"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Rhadamanthys.yar#L1-L13"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "3c8fbfe14f81e099fc900023d9c856e3f45b99af38889ed952b2ac67a636f51d"
 score = 75
 quality = 70
 tags = ""
@@ -119893,13 +119893,13 @@ rule CAPE_Agentteslav3Jit
 meta:
 description = "AgentTesla V3 JIT native string decryption"
 author = "ClaudioWayne"
- id = "2f83838c-c5bf-590e-a636-f2db52e5cfba"
+ id = "590c5058-c1db-5366-8db5-57449a178999"
 date = "2024-02-27"
 modified = "2024-02-27"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/AgentTesla.yar#L16-L26"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/AgentTesla.yar#L16-L26"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "62a49cf4295df637f96ba7c127cfc4aeb9af2fcced497fdf34d726a062edc1ec"
 score = 75
 quality = 70
 tags = ""
@@ -119916,13 +119916,13 @@ rule CAPE_Blister_1 : FILE
 meta:
 description = "Blister Sleep Bypass"
 author = "kevoreilly"
- id = "b7c5be3f-50a8-5bed-b556-4394855f03e9"
+ id = "34657bab-f100-5ea8-9111-da2806f46b79"
 date = "2024-05-09"
 modified = "2024-05-09"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Blister.yar#L1-L17"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Blister.yar#L1-L17"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "aba379b93c85241cf250829832b2c8a5eaafb3abd0ff955dbaf0d06489c00deb"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119945,13 +119945,13 @@ rule CAPE_Pikahook : FILE
 meta:
 description = "Pikabot anti-hook bypass"
 author = "kevoreilly"
- id = "c1da74b4-c806-522d-b815-92ab6ac24abc"
+ id = "e1b7a807-135f-52d7-bc36-c0419e82b424"
 date = "2024-03-12"
 modified = "2024-03-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Pikabot.yar#L1-L14"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Pikabot.yar#L1-L14"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "2a50a5f2d905122a5b7ac8ca3666b47caa24d325e246841129e53807daf2a1dd"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119971,14 +119971,14 @@ rule CAPE_Pikexport : FILE
 meta:
 description = "Pikabot export selection"
 author = "kevoreilly"
- id = "e59f8eae-6f57-5bc4-bdd1-2715b1408426"
+ id = "7d2432f2-90ae-5ad0-b579-5789a1c14a08"
 date = "2024-03-12"
 modified = "2024-03-12"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Pikabot.yar#L16-L28"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Pikabot.yar#L16-L28"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
 hash = "238dcc5611ed9066b63d2d0109c9b623f54f8d7b61d5f9de59694cfc60a4e646"
- logic_hash = "v1_sha256_33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42"
+ logic_hash = "33f58703a0e40c2361343dbdcc17111aafbf5cc912393edda79005c6ec566f42"
 score = 75
 quality = 70
 tags = "FILE"
@@ -119996,13 +119996,13 @@ rule CAPE_Vbcrypter
 meta:
 description = "VBCrypter anti-hook Bypass"
 author = "kevoreilly"
- id = "a65a987a-f6c0-5be4-ad98-9a411a7596d0"
+ id = "2e010dfd-5096-5e81-af9b-174322a47d87"
 date = "2021-03-28"
 modified = "2021-03-28"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/VBCrypter.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/VBCrypter.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "a62bca62ab624ab1a2c2e612c5b7e6d543006026a49c07c46800499e31e41c4e"
 score = 75
 quality = 70
 tags = ""
@@ -120019,13 +120019,13 @@ rule CAPE_Smokeloader_1 : FILE
 meta:
 description = "SmokeLoader Payload"
 author = "kevoreilly"
- id = "af8f85de-4992-5e1b-8564-69cbf83ce275"
+ id = "9df0eca1-009f-5e7e-af9f-9529581fb4b4"
 date = "2023-02-06"
 modified = "2023-02-06"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_4b15162f4b754cdd6a9124f29f0fd979085734063a0b17f2a97a9750f29e2e0b"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/SmokeLoader.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "4b15162f4b754cdd6a9124f29f0fd979085734063a0b17f2a97a9750f29e2e0b"
 score = 75
 quality = 70
 tags = "FILE"
@@ -120042,13 +120042,13 @@ rule CAPE_Xworm_1
 meta:
 description = "XWorm Config Extractor"
 author = "kevoreilly"
- id = "7764eb2b-ab0b-5214-82ef-221060a895d9"
+ id = "0f55dbfb-c239-53f2-a1e0-bfa494558d6e"
 date = "2023-11-07"
 modified = "2023-11-07"
 reference = "https://github.com/kevoreilly/CAPEv2"
- source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/XWorm.yar#L1-L11"
- license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE"
- logic_hash = "v1_sha256_d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a"
+ source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/XWorm.yar#L1-L11"
+ license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE"
+ logic_hash = "d8e103f3470e83d71cd4992b74698c0721b8a69d764fdb7a4543997b2853014a"
 score = 75
 quality = 70
 tags = ""
@@ -120065,14 +120065,14 @@ rule CAPE_Stealcanti : FILE meta: description = "Stealc detonation bypass" author = "kevoreilly" - id = "05e35b14-0465-55f6-bdfa-9a8495aaae64" + id = "32e5c1cf-ef57-58eb-9deb-fab0064cc676" date = "2024-01-19" modified = "2024-01-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Stealc.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Stealc.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "77d6f1914af6caf909fa2a246fcec05f500f79dd56e5d0d466d55924695c702d" - logic_hash = "v1_sha256_4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13" + logic_hash = "4132e8094b0b49a89e9f40a8b1a6abbf105bbb04e4ddf3ce739e39fc2baf0d13" score = 75 quality = 70 tags = "FILE" 
@@ -120090,13 +120090,13 @@ rule CAPE_Stealcstrings : FILE meta: description = "Stealc string decryption" author = "kevoreilly" - id = "0a685017-e4ee-5aed-a9f3-aa1458c6acee" + id = "087b5532-e1e7-5df9-adb2-bf758c8ba352" date = "2024-01-19" modified = "2024-01-19" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Stealc.yar#L15-L26" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Stealc.yar#L15-L26" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "6d402446a979c00b6257ace9924db381d98c530b22968bd2776c66d58c7faefc" score = 75 quality = 70 tags = "FILE" 
@@ -120114,14 +120114,14 @@ rule CAPE_Latrodectus_1 : FILE meta: description = "Latrodectus export selection" author = "kevoreilly" - id = "c688d6fa-610c-5c94-817c-e6e78bf03688" + id = "7c6f167a-6b76-5509-b164-306d1cd19b0f" date = "2024-02-26" modified = "2024-02-26" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Latrodectus.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Latrodectus.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "378d220bc863a527c2bca204daba36f10358e058df49ef088f8b1045604d9d05" - logic_hash = "v1_sha256_c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd" + logic_hash = "c2c9f23e287253d766425c05eb774f6e07bdcbabc259e04b723a1a87c8b91fbd" score = 75 quality = 70 tags = "FILE" 
@@ -120138,14 +120138,14 @@ rule CAPE_Anticuckoo : FILE meta: description = "AntiCuckoo bypass: https://github.com/therealdreg/anticuckoo" author = "kevoreilly" - id = "b93d79b5-96f7-573a-982c-d2654e651df4" + id = "e221e57b-313e-5998-a3fc-5b4e9671b989" date = "2023-03-17" modified = "2023-03-17" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/AntiCuckoo.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" hash = "ad5e52f144bb4a1dae3090978c6ecb4c7732538c9b62a6cedd32eccee6094be5" - logic_hash = "v1_sha256_a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e" + logic_hash = "a039aeca2dae44980e8bffafacfda90975e107001be50f11ac916b35ad43592e" score = 75 quality = 70 tags = "FILE" 
@@ -120162,13 +120162,13 @@ rule CAPE_Bumblebeeshellcode_1 meta: description = "BumbleBee Loader 2023" author = "kevoreilly" - id = "7221ce0f-d848-5cda-b300-173db839f01a" + id = "20dd4668-497d-5f37-a61e-c154209503b8" date = "2023-02-08" modified = "2023-02-08" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/BumbleBee.yar#L18-L32" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_865510868ee7c089c2ada0645098e851ca2bb9084a74315ce16296eb19c93ab4" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/BumbleBee.yar#L18-L32" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "865510868ee7c089c2ada0645098e851ca2bb9084a74315ce16296eb19c93ab4" score = 75 quality = 70 tags = "" 
@@ -120189,13 +120189,13 @@ rule CAPE_Loadersyscall meta: description = "Loader Syscall" author = "enzok" - id = "5dc50e02-3085-5d19-a77e-6f9e03405912" + id = "45193b38-938e-55cf-9ea0-7bd48f0d77e4" date = "2024-12-02" modified = "2024-12-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/NitrogenLoader.yar#L1-L13" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "3c7ffd8b95032cffecff7fa7e5f5f561cce13e1109f6a9b30bc743642b495e45" score = 75 quality = 70 tags = "" 
@@ -120214,13 +120214,13 @@ rule CAPE_Nitrogenloaderaes meta: description = "NitrogenLoader AES and IV" author = "enzok" - id = "359f7461-e468-5ef4-98cb-298ac6b7018b" + id = "c79a00af-52f9-5f07-9c58-e8964e70986f" date = "2024-12-02" modified = "2024-12-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/NitrogenLoader.yar#L15-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "de8ed0e98948cfadfd579e334fd9ce9f777ddbd988de897529ba71cb5eb2d396" score = 75 quality = 70 tags = "" 
@@ -120239,13 +120239,13 @@ rule CAPE_Nitrogenloaderbypass meta: description = "Nitrogen Loader Exit Bypass" author = "enzok" - id = "6a089a05-cf15-5b7e-8af8-9ec6faca49b7" + id = "397b0b79-d569-5a71-bcac-ce0d64f706e6" date = "2024-12-02" modified = "2024-12-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/NitrogenLoader.yar#L29-L41" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "3a034d3ddd18723ea1f91814c8c2a2c47a749dfd1496a5d4777d8ff8bfab3457" score = 75 quality = 70 tags = "" 
@@ -120264,13 +120264,13 @@ rule CAPE_Nitrogenloaderconfig meta: description = "NitrogenLoader Config Extraction" author = "enzok" - id = "b8bd4624-f50e-5657-bfe4-b6586dc5f9d2" + id = "a23d7012-b7b2-5313-9974-d65c1364c630" date = "2024-12-02" modified = "2024-12-02" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L54" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_a1f9e95b8039b16e3926b7288c036e81cf72b2dbb91ab9e69125f18d89fa1a03" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/NitrogenLoader.yar#L43-L54" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "a1f9e95b8039b16e3926b7288c036e81cf72b2dbb91ab9e69125f18d89fa1a03" score = 75 quality = 70 tags = "" 
@@ -120288,13 +120288,13 @@ rule CAPE_Lumma_1 : FILE meta: description = "Lumma config extraction" author = "kevoreilly" - id = "07d5bdbc-4c50-5208-89a9-486d88868264" + id = "b2166620-3070-5727-b189-e6959cc5b698" date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Lumma.yar#L1-L14" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Lumma.yar#L1-L14" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "a8f9212b619796f91f14c4164e4d2f30c66b51118f22f3d6c310841b6707b7b0" score = 75 quality = 70 tags = "FILE" 
@@ -120314,13 +120314,13 @@ rule CAPE_Lummaremap meta: description = "Lumma ntdll-remap bypass" author = "kevoreilly" - id = "54393835-eef6-52ca-b292-89da953cff80" + id = "93ae37d1-a38a-5f96-8bb3-cc648a49b588" date = "2024-05-09" modified = "2024-05-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/Lumma.yar#L16-L27" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/Lumma.yar#L16-L27" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "51093379fbd041f75bdfe161bc9dfcc7d782c23ce16d625ca558bb58d8d57713" score = 75 quality = 70 tags = "" 
@@ -120338,13 +120338,13 @@ rule CAPE_Slowloader meta: description = "SlowLoader detonation aide for slow cpus (thread race)" author = "kevoreilly" - id = "cc9d7f48-4e78-5752-bf85-0fddba3a6740" + id = "05724bf4-b767-542d-a2dd-a9ae3e5ea5cc" date = "2024-09-23" modified = "2024-09-23" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/SlowLoader.yar#L1-L12" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "f07528c646ebd980a5e843caa4a4715e31b22c3cd091576600e9fe45d7fc2fe4" score = 75 quality = 70 tags = "" 
@@ -120362,13 +120362,13 @@ rule CAPE_Dridexloader_1 : FILE meta: description = "DridexLoader API Spam Bypass" author = "kevoreilly" - id = "3f8955e9-f9bb-5930-be9d-a7402ac3fc48" + id = "a8b62f64-87a0-58d3-8876-9b0f6a7deb97" date = "2021-03-09" modified = "2021-03-09" reference = "https://github.com/kevoreilly/CAPEv2" - source_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/analyzer/windows/data/yara/DridexLoader.yar#L1-L11" - license_url = "https://github.com/kevoreilly/CAPEv2/blob/47b0665f51d7b3c3938422b92476721282543807/LICENSE" - logic_hash = "v1_sha256_00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce" + source_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/analyzer/windows/data/yara/DridexLoader.yar#L1-L11" + license_url = "https://github.com/kevoreilly/CAPEv2/blob/ea4449c1e23332c1a504899d99767fd095df9332/LICENSE" + logic_hash = "00a3e4e80a2558ee52035f091e2339fa2dad6f6515b9dc099f2f3800e4c70bce" score = 75 quality = 70 tags = "FILE" @@ -120384,7 +120384,7 @@ rule CAPE_Dridexloader_1 : FILE * YARA Rule Set * Repository Name: BinaryAlert * Repository: https://github.com/airbnb/binaryalert/ - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: a9c0f06affc35e1f8e45bb77f835b92350c68a0b * Number of Rules: 78 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
@@ -120600,13 +120600,13 @@ private rule BINARYALERT_Macho_PRIVATE : FILE meta: description = "Mach-O binaries" author = "Airbnb" - id = "40526d0e-dede-5001-996c-b12f668a7f53" + id = "04e14811-38be-54eb-8ec0-649d5469078a" date = "2017-08-11" modified = "2017-08-11" reference = "https://github.com/airbnb/binaryalert/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/MachO.yara#L1-L7" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_2e992eb7d4ea47c9f61f3a7d8b0b6e37d0423fb08a626eaf2ddea51bfd928dfc" + logic_hash = "2e992eb7d4ea47c9f61f3a7d8b0b6e37d0423fb08a626eaf2ddea51bfd928dfc" score = 75 quality = 80 tags = "FILE" @@ -120619,13 +120619,13 @@ rule BINARYALERT_Eicar_Av_Test meta: description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly." author = "Austin Byers | Airbnb CSIRT" - id = "74ff23ad-17f4-5a5f-bdd8-45fb756bcb90" + id = "4dbb9d9d-9a8b-56f0-878a-a4a362a2c4f8" date = "2018-04-17" modified = "2018-04-17" reference = "http://www.eicar.org/86-0-Intended-use.html" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/eicar.yara#L1-L18" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_870db233ca083fae19a88a109e13d086c76df2340b709eb2da565c08574a42bd" + logic_hash = "870db233ca083fae19a88a109e13d086c76df2340b709eb2da565c08574a42bd" score = 50 quality = 80 tags = "" 
@@ -120641,13 +120641,13 @@ rule BINARYALERT_Eicar_Substring_Test meta: description = "Standard AV test, checking for an EICAR substring" author = "Austin Byers | Airbnb CSIRT" - id = "4fab4178-a047-5700-9d31-5a8a8bdafb59" + id = "43af8d40-16be-5948-839e-b58cb36c4155" date = "2018-04-17" modified = "2018-04-17" reference = "https://github.com/airbnb/binaryalert/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/eicar.yara#L20-L34" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_9dc46b273d12d4431b833d4380235b387de4b3aab1f6211b868ada1d1339383a" + logic_hash = "9dc46b273d12d4431b833d4380235b387de4b3aab1f6211b868ada1d1339383a" score = 50 quality = 40 tags = "" @@ -120663,14 +120663,14 @@ rule BINARYALERT_Malware_Macos_Proton_Rat_Generic meta: description = "No description has been set in the source file - BinaryAlert" author = "@mimeframe" - id = "be649af5-398a-53ab-9379-9482a8f20bae" + id = "75cfaaff-e8d7-5cd4-953b-7d2011139725" date = "2017-08-11" modified = "2017-08-11" reference = "https://objective-see.com/blog/blog_0x1D.html" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_proton_rat_generic.yara#L3-L21" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "6a2d0c8b20efc3fa283176a4bc76d6fd" - logic_hash = "v1_sha256_b7d8660320564cba1d8e2d53d1fdc75509140c7e87a572b27931c62201df2d22" + logic_hash = "b7d8660320564cba1d8e2d53d1fdc75509140c7e87a572b27931c62201df2d22" score = 75 quality = 64 tags = "" 
@@ -120691,13 +120691,13 @@ rule BINARYALERT_Malware_Macos_Bella meta: description = "Bella is a pure python post-exploitation data mining tool & remote administration tool for macOS." author = "@mimeframe" - id = "818dfc39-5f64-501d-82a6-aad09f81e0b6" + id = "ca4ab508-8c97-5307-9aaf-db10cfd6ab35" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/Trietptm-on-Security/Bella" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_bella.yara#L1-L22" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_b9c063b5ec8604958d3417ec8640da4314ebcf60ee55413a2f6fa8d138311614" + logic_hash = "b9c063b5ec8604958d3417ec8640da4314ebcf60ee55413a2f6fa8d138311614" score = 75 quality = 80 tags = "" @@ -120721,14 +120721,14 @@ rule BINARYALERT_Malware_Macos_Apt_Sofacy_Xagent meta: description = "sofacy xagent for macOS" author = "@mimeframe" - id = "acacca78-bd3a-53d3-8b91-ab9e8e6eb855" + id = "91bef771-2ef1-58f6-ae01-3bdde4cc003c" date = "2017-09-12" modified = "2017-09-12" reference = "https://blog.malwarebytes.com/cybercrime/2017/03/two-new-mac-backdoors-discovered/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_apt_sofacy_xagent.yara#L3-L62" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "4fe4b9560e99e33dabca553e2eeee510" - logic_hash = "v1_sha256_d4b1096e4aeb8382e5abf93d3ecf71cd6ae2ed7afbc9a38549a2fc2739539674" + logic_hash = "d4b1096e4aeb8382e5abf93d3ecf71cd6ae2ed7afbc9a38549a2fc2739539674" score = 75 quality = 55 tags = "" 
@@ -120786,13 +120786,13 @@ rule BINARYALERT_Malware_Macos_Neoneggplant_Eggshell meta: description = "EggShell is an iOS and macOS post exploitation surveillance pentest tool written in Python." author = "@mimeframe" - id = "a82fea1e-85c8-53b1-bfe5-3b42ebb555b4" + id = "274a34cc-9403-50e6-aa64-683a41bc30e6" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/neoneggplant/EggShell" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_neoneggplant_eggshell.yara#L1-L24" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_34906db9398313ccb84e67bd98e94324c628aefe3efa6ba3cca2df042b42cbe7" + logic_hash = "34906db9398313ccb84e67bd98e94324c628aefe3efa6ba3cca2df042b42cbe7" score = 50 quality = 80 tags = "" @@ -120818,14 +120818,14 @@ rule BINARYALERT_Malware_Macos_Macspy : FILE meta: description = "macSpy is a malware-as-a-service (MaaS) product advertised as the most sophisticated Mac spyware ever" author = "AlienVault Labs" - id = "0ec647b9-6a78-5cb8-ba29-a2571679ebfd" + id = "5f9a5ed5-a982-552c-a6df-326228eaf459" date = "2017-08-11" modified = "2017-08-11" reference = "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_macspy.yara#L3-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "6c03e4a9bcb9afaedb7451a33c214ae4" - logic_hash = "v1_sha256_f04648860c9602e43516113000908008847dacfbe189d79e13737bcd034b68a0" + logic_hash = "f04648860c9602e43516113000908008847dacfbe189d79e13737bcd034b68a0" score = 75 quality = 80 tags = "FILE" 
@@ -120844,13 +120844,13 @@ rule BINARYALERT_Malware_Macos_Marten4N6_Evilosx meta: description = "EvilOSX is a pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX." author = "@mimeframe" - id = "91459c8f-4829-54bb-adb5-9814e655ba09" + id = "2b2e62ca-f95c-55c5-aaf6-985aab49dfbb" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/Marten4n6/EvilOSX" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/macos/malware_macos_marten4n6_evilosx.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_3402ebf34fd507d0c317416bf77bb3d51b67c8b0f099ce68d15ade6a6a2e302a" + logic_hash = "3402ebf34fd507d0c317416bf77bb3d51b67c8b0f099ce68d15ade6a6a2e302a" score = 75 quality = 80 tags = "" @@ -120870,13 +120870,13 @@ rule BINARYALERT_Malware_Multi_Vesche_Basicrat meta: description = "cross-platform Python 2.x Remote Access Trojan (RAT)" author = "@mimeframe" - id = "82792b2c-96c1-5216-a26f-3988ee8f7193" + id = "e07a684c-3a3d-5dd3-a540-2cc9a5a170dd" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/vesche/basicRAT" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/multi/malware_multi_vesche_basicrat.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_1503ce9de4e721903058c77b305ba057052d654ff1875ea880f4319c3e525a29" + logic_hash = "1503ce9de4e721903058c77b305ba057052d654ff1875ea880f4319c3e525a29" score = 75 quality = 80 tags = "" 
@@ -120896,13 +120896,13 @@ rule BINARYALERT_Malware_Multi_Pupy_Rat meta: description = "pupy - opensource cross platform rat and post-exploitation tool" author = "@mimeframe" - id = "5878190c-36dd-5060-816b-c9316500b8e8" + id = "b26deb19-85b2-5d39-9ff2-0ab9017f3263" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/n1nj4sec/pupy" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/multi/malware_multi_pupy_rat.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_bb5d1e7f2aea94dc41efe75690ae31409e8f6305aa6c4ec0cd46922ee8fb7241" + logic_hash = "bb5d1e7f2aea94dc41efe75690ae31409e8f6305aa6c4ec0cd46922ee8fb7241" score = 75 quality = 74 tags = "" @@ -120923,14 +120923,14 @@ rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_1 meta: description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts" author = "@fusionrace" - id = "3e59cac6-43ae-517d-b4d0-d9e85e31f7b3" + id = "6b5709fd-a923-56b6-98ab-ae036f9d04c3" date = "2017-09-12" modified = "2017-09-12" reference = "https://securelist.com/introducing-whitebear/81638/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_whitebear_binary_loader_1.yara#L1-L22" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "b099b82acb860d9a9a571515024b35f0" - logic_hash = "v1_sha256_f6706c66a378b80d3cedf118a812d8add60e12b44402a30d941d08ff30c7ab1c" + logic_hash = "f6706c66a378b80d3cedf118a812d8add60e12b44402a30d941d08ff30c7ab1c" score = 75 quality = 80 tags = "" 
@@ -120955,14 +120955,14 @@ rule BINARYALERT_Malware_Windows_Remcos_Rat meta: description = "No description has been set in the source file - BinaryAlert" author = "@mimeframe" - id = "d471a7f8-b7b3-531b-9ef2-5aeda6b9e875" + id = "420c135f-3150-5cb9-9c1c-105cd260d713" date = "2017-08-11" modified = "2017-08-11" reference = "https://breaking-security.net/remcos/remcos-changelog/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_remcos_rat.yara#L1-L20" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "c8dafe143fe1d81ae6a3c0cd4724b272" - logic_hash = "v1_sha256_ec1ec69f628111235bafad8177482256ed571c064a81f01b6ec2643dccc926ad" + logic_hash = "ec1ec69f628111235bafad8177482256ed571c064a81f01b6ec2643dccc926ad" score = 75 quality = 80 tags = "" @@ -120986,13 +120986,13 @@ rule BINARYALERT_Ccleaner_Backdoor meta: description = "Ccleaner 5.33 backdoor with a possible APT17/Group72 connection." author = "@fusionrace" - id = "4a5ad694-0367-5957-857e-70456adaf6b5" + id = "769e4fcb-9638-5a5b-8b73-a1cda3bc286a" date = "2017-12-14" modified = "2017-12-14" reference = "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_ccleaner_backdoor.yara#L1-L15" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_ce3fc54d58e337ab17e6f1ba7745c593210483c02ed3969059a8fe6682d87218" + logic_hash = "ce3fc54d58e337ab17e6f1ba7745c593210483c02ed3969059a8fe6682d87218" score = 75 quality = 80 tags = "" 
@@ -121012,14 +121012,14 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Wipe : FILE meta: description = "Rule to detect log cleaner based on wipe.c" author = "Kaspersky Lab" - id = "cfa2cd74-bf28-508f-99ed-782e893802bc" + id = "35060c3d-b805-54a6-a241-eb6e99168fa8" date = "2017-08-11" modified = "2017-08-11" reference = "http://www.afn.org/~afn28925/wipe.c" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_wipe.yara#L3-L18" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "e69efc504934551c6a77b525d5343241" - logic_hash = "v1_sha256_0241d1ca9f5a4d066f7ed2e80bc18ebae3723c6a2364422e31909e8f0e576675" + logic_hash = "0241d1ca9f5a4d066f7ed2e80bc18ebae3723c6a2364422e31909e8f0e576675" score = 75 quality = 80 tags = "FILE" @@ -121038,13 +121038,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_De_Tool meta: description = "Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool" author = "Kaspersky Lab" - id = "58ac43de-2205-5b5b-91a2-0982a87e2dbf" + id = "8b943c21-eac7-521d-8dc6-90d611aa4d92" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_de_tool.yara#L1-L16" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_836331856200fde9792d3bf97d3a18b7f4497ceaae1cfceb0de7c2949e315b9c" + logic_hash = "836331856200fde9792d3bf97d3a18b7f4497ceaae1cfceb0de7c2949e315b9c" score = 75 quality = 80 tags = "" 
@@ -121064,13 +121064,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_IRIX_Exploit_GEN : FILE meta: description = "Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers" author = "Kaspersky Lab" - id = "84e347ea-ce69-5197-a4bd-456b839d0c8d" + id = "4f9ab7b0-4fb9-5311-ae23-01d0a9e2e104" date = "2017-08-11" modified = "2017-08-11" reference = "https://www.exploit-db.com/exploits/19274/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_IRIX_exploit_GEN.yara#L3-L20" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_9d55d780c84f2aa4e64c19842b2055ef4bf7c8844ebe622c3942445b06ab8344" + logic_hash = "9d55d780c84f2aa4e64c19842b2055ef4bf7c8844ebe622c3942445b06ab8344" score = 75 quality = 80 tags = "FILE" @@ -121092,14 +121092,14 @@ rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_2 meta: description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts" author = "@fusionrace" - id = "9cd5a7d9-16aa-5969-a5b5-ee71fafb2d28" + id = "d97b7fe1-7ff3-5cc0-9085-140ed523421f" date = "2017-09-12" modified = "2017-09-12" reference = "https://securelist.com/introducing-whitebear/81638/" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_whitebear_binary_loader_2.yara#L1-L17" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "06bd89448a10aa5c2f4ca46b4709a879" - logic_hash = "v1_sha256_9bb7fc3b3bf7f91efbba128895bb61b5a1bbdb6625d84836956de5e884ae3fe1" + logic_hash = "9bb7fc3b3bf7f91efbba128895bb61b5a1bbdb6625d84836956de5e884ae3fe1" score = 75 quality = 80 tags = "" 
@@ -121119,14 +121119,14 @@ rule BINARYALERT_Malware_Windows_Apt_Red_Leaves_Generic meta: description = "Red Leaves malware, related to APT10" author = "David Cannings" - id = "9db152ef-db42-5546-9c6c-7d69343beee0" + id = "e0067b05-eb4a-52ec-8f35-9336a631f03b" date = "2017-09-12" modified = "2017-09-12" reference = "https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Source/Red%20Leaves%20technical%20note%20v1.0.md" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_red_leaves_generic.yara#L1-L27" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" hash = "81df89d6fa0b26cadd4e50ef5350f341" - logic_hash = "v1_sha256_be03bba9d01e6584b5849514656fd7de866c478f343c0bc618d7dbeda1771696" + logic_hash = "be03bba9d01e6584b5849514656fd7de866c478f343c0bc618d7dbeda1771696" score = 75 quality = 80 tags = "" @@ -121156,13 +121156,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Xk_Keylogger meta: description = "Rule to detect Moonlight Maze 'xk' keylogger" author = "Kaspersky Lab" - id = "72b453e3-7dfa-5f6d-beae-a828ef1f8872" + id = "5623021d-0d70-59b3-ae30-522e81552da0" date = "2017-08-11" modified = "2017-08-11" reference = "https://en.wikipedia.org/wiki/Moonlight_Maze" source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_xk_keylogger.yara#L1-L22" license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE" - logic_hash = "v1_sha256_430027b41aeda9a11dadec2e4d3dd2474852ff3a7656ed7128711a1574e66b8f" + logic_hash = "430027b41aeda9a11dadec2e4d3dd2474852ff3a7656ed7128711a1574e66b8f" score = 75 quality = 30 tags = "" 
@@ -121189,13 +121189,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Encrypted_Keyloger
 meta:
 description = "Rule to detect Moonlight Maze encrypted keylogger logs"
 author = "Kaspersky Lab"
- id = "35232b40-ea5f-51ae-acc9-41bc4cedaf85"
+ id = "4f290d77-5cb5-5f07-98fd-1829e2f00e63"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_encrypted_keyloger.yara#L1-L11"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_cdcbe112ae394ce0922647904f70cfae626d413d1770b0e20d2ba49e1f4e2d2d"
+ logic_hash = "cdcbe112ae394ce0922647904f70cfae626d413d1770b0e20d2ba49e1f4e2d2d"
 score = 75
 quality = 80
 tags = ""
@@ -121211,13 +121211,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Custom_Sniffer
 meta:
 description = "Rule to detect Moonlight Maze sniffer tools"
 author = "Kaspersky Lab"
- id = "5a120f8a-3845-52b7-a55d-404d5ec867dd"
+ id = "a9f005e0-8d73-58ff-b010-d3ce08ffdb64"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_custom_sniffer.yara#L1-L20"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_466be027f567fe0afc88c82d94e4e0171b4b7d8f38d27a4c4a18cec4ca2b8b2f"
+ logic_hash = "466be027f567fe0afc88c82d94e4e0171b4b7d8f38d27a4c4a18cec4ca2b8b2f"
 score = 75
 quality = 80
 tags = ""
@@ -121240,13 +121240,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Loki2Crypto
 meta:
 description = "Rule to detect hardcoded DH modulus used in 1996/1997 Loki2 sourcecode; #ifdef STRONG_CRYPTO /* 384-bit strong prime */"
 author = "Costin Raiu, Kaspersky Lab"
- id = "359943ab-dbc1-54b8-839a-7ea550bc1bf1"
+ id = "eb5fc283-4994-5db5-965d-e90caad95f4c"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_loki2crypto.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_abb2093844af1b854a9deed5baab3f4d67bd1189a4520f697aa69b7441d9488c"
+ logic_hash = "abb2093844af1b854a9deed5baab3f4d67bd1189a4520f697aa69b7441d9488c"
 score = 75
 quality = 80
 tags = ""
@@ -121267,14 +121267,14 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Cle_Tool
 meta:
 description = "Rule to detect Moonlight Maze 'cle' log cleaning tool"
 author = "Kaspersky Lab"
- id = "a42b449d-e167-5805-88da-fc9bd102e52d"
+ id = "d875a3cf-cad1-509f-bb9f-27f0a3a9b79d"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_cle_tool.yara#L1-L17"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "647d7b711f7b4434145ea30d0ef207b0"
- logic_hash = "v1_sha256_8f75df1240b9e5e905492106265a7e1342db4140d715529933af4ba5c8ec6331"
+ logic_hash = "8f75df1240b9e5e905492106265a7e1342db4140d715529933af4ba5c8ec6331"
 score = 75
 quality = 80
 tags = ""
@@ -121295,13 +121295,13 @@ rule BINARYALERT_Malware_Windows_Xrat_Quasarrat
 meta:
 description = "xRAT is a derivative of QuasarRAT; this catches both RATs."
 author = "@mimeframe"
- id = "b876fe20-bf97-5383-a6ac-a3b8c72734b8"
+ id = "f4db2402-3653-5525-a137-de2de29cef28"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/quasar/QuasarRAT"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_xrat_quasarrat.yara#L1-L31"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_92533157a62ccae5d1bdc9d0bb7511817422c6b5d75d013a15173cd1121d099e"
+ logic_hash = "92533157a62ccae5d1bdc9d0bb7511817422c6b5d75d013a15173cd1121d099e"
 score = 75
 quality = 30
 tags = ""
@@ -121334,13 +121334,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_U_Logcleaner : FILE
 meta:
 description = "Rule to detect log cleaners based on utclean.c"
 author = "Kaspersky Lab"
- id = "34f7808d-ff4e-562b-b638-1351bc1338cc"
+ id = "2dc1b796-c8fe-5a87-9d6b-3a322f4a43ab"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "http://cd.textfiles.com/cuteskunk/Unix-Hacking-Exploits/utclean.c"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_u_logcleaner.yara#L3-L18"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_65fe29075294dfad06f4cca631d5d2f1283c439e9a5913f503fe6e4bb1f5f70a"
+ logic_hash = "65fe29075294dfad06f4cca631d5d2f1283c439e9a5913f503fe6e4bb1f5f70a"
 score = 75
 quality = 80
 tags = "FILE"
@@ -121360,14 +121360,14 @@ rule BINARYALERT_Malware_Windows_Winnti_Loadperf_Dll_Loader
 meta:
 description = "Winnti APT group; gzwrite64 imported from loadoerf.ini"
 author = "@mimeframe"
- id = "ec681aca-add9-5f00-a139-3f9df569061f"
+ id = "41444dd5-41b9-550c-9124-bc7f41326baa"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_winnti_loadperf_dll_loader.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "879ce99e253e598a3c156258a9e81457"
- logic_hash = "v1_sha256_b1035174edfff2e142026f3482fc53407af59f5215a6030c0d2a85501152c3db"
+ logic_hash = "b1035174edfff2e142026f3482fc53407af59f5215a6030c0d2a85501152c3db"
 score = 75
 quality = 80
 tags = ""
@@ -121384,13 +121384,13 @@ rule BINARYALERT_Malware_Windows_T3Ntman_Crunchrat
 meta:
 description = "HTTPS-based Remote Administration Tool (RAT)"
 author = "@mimeframe"
- id = "63011719-c97a-5503-b0cc-0cc0978184dd"
+ id = "c5b0d183-8822-505a-a1ff-7d6f75a3f174"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/t3ntman/CrunchRAT"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_t3ntman_crunchrat.yara#L1-L19"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_b5216b2b30d22f3d3848e1fb6e4245c558366fb8cd35b70f10fa4e605e211204"
+ logic_hash = "b5216b2b30d22f3d3848e1fb6e4245c558366fb8cd35b70f10fa4e605e211204"
 score = 75
 quality = 80
 tags = ""
@@ -121414,14 +121414,14 @@ rule BINARYALERT_Malware_Windows_Apt_Whitebear_Binary_Loader_3
 meta:
 description = "The WhiteBear loader contains a set of messaging and injection components that support continued presence on victim hosts"
 author = "@fusionrace"
- id = "4f47a9d1-63a4-5ee2-b516-f4c5c056deaf"
+ id = "bdcc0c30-3aa7-5c92-8205-9b360d10ac59"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://securelist.com/introducing-whitebear/81638/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_apt_whitebear_binary_loader_3.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "b099b82acb860d9a9a571515024b35f0"
- logic_hash = "v1_sha256_955aad2d72407baa7fb71e04b51557649a6f91633f5bdb1a8792e328a1587d23"
+ logic_hash = "955aad2d72407baa7fb71e04b51557649a6f91633f5bdb1a8792e328a1587d23"
 score = 75
 quality = 80
 tags = ""
@@ -121440,13 +121440,13 @@ rule BINARYALERT_Malware_Windows_Moonlightmaze_Loki
 meta:
 description = "Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings"
 author = "Kaspersky Lab"
- id = "32bad2dd-3ea6-5548-b9cf-55cc22f27741"
+ id = "06eeb6a4-540f-51eb-86f9-4ab49543f645"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://en.wikipedia.org/wiki/Moonlight_Maze"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_moonlightmaze_loki.yara#L1-L27"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_9a403695ded6ff3626820ba0d4abde7ccd6f3fa6bfd8aa4ceaf0cc009d34c97f"
+ logic_hash = "9a403695ded6ff3626820ba0d4abde7ccd6f3fa6bfd8aa4ceaf0cc009d34c97f"
 score = 75
 quality = 80
 tags = ""
@@ -121477,14 +121477,14 @@ rule BINARYALERT_Malware_Windows_Pony_Stealer
 meta:
 description = "Pony stealer malware"
 author = "@mimeframe"
- id = "f7fb074b-ad74-50b9-9c26-2e3892c3659c"
+ id = "77af81cb-36c7-56a7-bd89-14d79628e5c4"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://www.knowbe4.com/pony-stealer"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/malware/windows/malware_windows_pony_stealer.yara#L1-L21"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "5e52ce394c3be2a685dbb8f435e2f64f"
- logic_hash = "v1_sha256_4d4e28e0d4d97412a9129a4abfadc130a464a2ababf46ca8f366a2a30b262261"
+ logic_hash = "4d4e28e0d4d97412a9129a4abfadc130a464a2ababf46ca8f366a2a30b262261"
 score = 75
 quality = 50
 tags = ""
@@ -121509,14 +121509,14 @@ rule BINARYALERT_Ransomware_Windows_Petya_Variant_1
 meta:
 description = "Petya Ransomware new variant June 2017 using ETERNALBLUE"
 author = "@fusionrace"
- id = "ad4c8999-ddfa-5a61-96a7-662909932800"
+ id = "bf56c0e4-585c-509b-a182-a93c74be7524"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_1.yara#L1-L18"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "71b6a493388e7d0b40c83ce903bc6b04"
- logic_hash = "v1_sha256_3733834ee2271a483739b09c4222d222aa4899cab48fd8fc558bdbd9a66bf2d6"
+ logic_hash = "3733834ee2271a483739b09c4222d222aa4899cab48fd8fc558bdbd9a66bf2d6"
 score = 75
 quality = 80
 tags = ""
@@ -121537,14 +121537,14 @@ rule BINARYALERT_Ransomware_Windows_Petya_Variant_3
 meta:
 description = "Petya Ransomware new variant June 2017 using ETERNALBLUE"
 author = "@fusionrace"
- id = "7904c9d7-8d39-52b7-9482-db5f305bf057"
+ id = "cbf06e62-abe8-54af-b4f4-624ba9233e4b"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_3.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "71b6a493388e7d0b40c83ce903bc6b04"
- logic_hash = "v1_sha256_4f21b394eb2dd0ebf416b018f438934fdc89cb896701d95b593477fc19abfe48"
+ logic_hash = "4f21b394eb2dd0ebf416b018f438934fdc89cb896701d95b593477fc19abfe48"
 score = 75
 quality = 80
 tags = ""
@@ -121561,14 +121561,14 @@ rule BINARYALERT_Ransomware_Windows_Cryptolocker
 meta:
 description = "The CryptoLocker malware propagated via infected email attachments, and via an existing botnet; when activated, the malware encrypts files stored on local and mounted network drives"
 author = "@fusionrace"
- id = "0759d912-5c03-59ef-8699-701c659f0dba"
+ id = "be205f4b-d078-5437-bacc-203c816db2fa"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://www.secureworks.com/research/cryptolocker-ransomware"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_cryptolocker.yara#L1-L21"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "012d9088558072bc3103ab5da39ddd54"
- logic_hash = "v1_sha256_317cbc01b4c329befeb5b25478f7827298a26d21b872ae232c519febd9c547fc"
+ logic_hash = "317cbc01b4c329befeb5b25478f7827298a26d21b872ae232c519febd9c547fc"
 score = 75
 quality = 80
 tags = ""
@@ -121593,14 +121593,14 @@ rule BINARYALERT_Ransomware_Windows_Petya_Variant_2
 meta:
 description = "Petya Ransomware new variant June 2017 using ETERNALBLUE"
 author = "@fusionrace"
- id = "ffae8969-c899-5687-9bf7-6b0b89ac8cb8"
+ id = "6401fd7e-5ef7-58b5-b8d3-a63c70e8daa3"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_2.yara#L1-L17"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "71b6a493388e7d0b40c83ce903bc6b04"
- logic_hash = "v1_sha256_7e04ffd0423cd1288af5c045bb06930abb732c0ea059e329cafc05faecb4f982"
+ logic_hash = "7e04ffd0423cd1288af5c045bb06930abb732c0ea059e329cafc05faecb4f982"
 score = 75
 quality = 78
 tags = ""
@@ -121620,14 +121620,14 @@ rule BINARYALERT_Ransomware_Windows_Zcrypt
 meta:
 description = "Zcrypt will encrypt data and append the .zcrypt extension to the filenames"
 author = "@fusionrace"
- id = "dca86d99-d23b-524b-957d-8113d016a0c5"
+ id = "d79cd266-4e77-562c-975c-8bf72efe7242"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://blog.malwarebytes.com/threat-analysis/2016/06/zcrypt-ransomware/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_zcrypt.yara#L1-L23"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "d1e75b274211a78d9c5d38c8ff2e1778"
- logic_hash = "v1_sha256_df4073363da162e69f29493b5bfb4cb3f3d342357335c13ba6a3ac868607cb25"
+ logic_hash = "df4073363da162e69f29493b5bfb4cb3f3d342357335c13ba6a3ac868607cb25"
 score = 75
 quality = 78
 tags = ""
@@ -121652,14 +121652,14 @@ rule BINARYALERT_Ransomware_Windows_Petya_Variant_Bitcoin
 meta:
 description = "Petya Ransomware new variant June 2017 using ETERNALBLUE: Bitcoin"
 author = "@fusionrace"
- id = "b0ef902c-38e9-5ba8-a246-1c91e18bcf57"
+ id = "82d6ecc5-7c90-5d50-90ff-f54f8d87685d"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_petya_variant_bitcoin.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "71b6a493388e7d0b40c83ce903bc6b04"
- logic_hash = "v1_sha256_9a5e183aa8e1387e76d5df4e967943b730ba780b6758af3ef23e21bb9e4ce3a6"
+ logic_hash = "9a5e183aa8e1387e76d5df4e967943b730ba780b6758af3ef23e21bb9e4ce3a6"
 score = 75
 quality = 80
 tags = ""
@@ -121675,13 +121675,13 @@ rule BINARYALERT_Ransomware_Windows_Lazarus_Wannacry : FILE
 meta:
 description = "Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta"
 author = "Costin G. Raiu, Kaspersky Lab"
- id = "7edbb117-42c4-50d1-8b89-ac8c07d020ac"
+ id = "6335bd03-0625-5856-891c-9a5decd7e00f"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://twitter.com/neelmehta/status/864164081116225536"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_lazarus_wannacry.yara#L3-L32"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_dddff5f74bf3f11baf1d3853d6cb5e5b1e0c5e75445c421d4d5145f7a496fc4b"
+ logic_hash = "dddff5f74bf3f11baf1d3853d6cb5e5b1e0c5e75445c421d4d5145f7a496fc4b"
 score = 75
 quality = 80
 tags = "FILE"
@@ -121715,14 +121715,14 @@ rule BINARYALERT_Ransomware_Windows_Hddcryptora
 meta:
 description = "The HDDCryptor ransomware encrypts local harddisks as well as resources in network shares via Server Message Block (SMB)"
 author = "@fusionrace"
- id = "0abf4448-48ae-573d-8d0a-1d7b9906af70"
+ id = "56d7f1f5-811d-58c9-9e1d-d2f48c01e167"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_HDDCryptorA.yara#L1-L23"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "498bdcfb93d13fecaf92e96f77063abf"
- logic_hash = "v1_sha256_24c113be31c3df7b544a5789bf055f77471d450c07f0a6729a715e2a82b4d1f0"
+ logic_hash = "24c113be31c3df7b544a5789bf055f77471d450c07f0a6729a715e2a82b4d1f0"
 score = 75
 quality = 78
 tags = ""
@@ -121747,14 +121747,14 @@ rule BINARYALERT_Ransomware_Windows_Cerber_Evasion
 meta:
 description = "Cerber Ransomware: Evades detection by machine learning applications"
 author = "@fusionrace"
- id = "3919c122-b9b0-524f-b0df-d6a19d2e6a6e"
+ id = "6e2f44a9-bc0f-5071-9d80-ddfb778cfe5d"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "http://www.darkreading.com/vulnerabilities---threats/cerber-ransomware-now-evades-machine-learning/d/d-id/1328506"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_cerber_evasion.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "bc62b557d48f3501c383f25d014f22df"
- logic_hash = "v1_sha256_43b3b8be5a23b57f6c671abd8491cdc51af1cf3a3fe8a7be308150697cdb92ea"
+ logic_hash = "43b3b8be5a23b57f6c671abd8491cdc51af1cf3a3fe8a7be308150697cdb92ea"
 score = 75
 quality = 80
 tags = ""
@@ -121772,14 +121772,14 @@ rule BINARYALERT_Ransomware_Windows_Hydracrypt
 meta:
 description = "HydraCrypt encrypts a victim’s files and appends the filenames with the extension “hydracrypt_ID_*"
 author = "@fusionrace"
- id = "954d9dfd-4f29-5d16-b5d3-70918e2be564"
+ id = "9ebf205e-b6a9-55a3-b0c3-9b088790dc9a"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://securingtomorrow.mcafee.com/mcafee-labs/hydracrypt-variant-of-ransomware-distributed-by-angler-exploit-kit/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_hydracrypt.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "08b304d01220f9de63244b4666621bba"
- logic_hash = "v1_sha256_3ecb3e6c269f4145e60b0e7bb0e896120ceb2db2123f847bf4bdf5d4490467d5"
+ logic_hash = "3ecb3e6c269f4145e60b0e7bb0e896120ceb2db2123f847bf4bdf5d4490467d5"
 score = 75
 quality = 80
 tags = ""
@@ -121799,14 +121799,14 @@ rule BINARYALERT_Ransomware_Windows_Wannacry
 meta:
 description = "wannacry ransomware for windows"
 author = "@fusionrace"
- id = "b6cea810-af47-5616-9bcf-7cb7ca36519c"
+ id = "0269b6f4-a47d-5683-aaaa-2141ca7f04dc"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_wannacry.yara#L1-L23"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "4fef5e34143e646dbf9907c4374276f5"
- logic_hash = "v1_sha256_c01f460c0f5e39cde5f553c966553fe693e5203cb020b8f571eac6fc193fa91b"
+ logic_hash = "c01f460c0f5e39cde5f553c966553fe693e5203cb020b8f571eac6fc193fa91b"
 score = 75
 quality = 50
 tags = ""
@@ -121829,14 +121829,14 @@ rule BINARYALERT_Ransomware_Windows_Powerware_Locky
 meta:
 description = "PowerWare Ransomware"
 author = "@fusionrace"
- id = "065b8f4e-2bed-5419-b8db-b84b11e9e0f5"
+ id = "8a1a56af-7a9d-54ed-90b9-daf33735ee1e"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/ransomware/windows/ransomware_windows_powerware_locky.yara#L1-L17"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
 hash = "3433a4da9d8794709630eb06afd2b8c1"
- logic_hash = "v1_sha256_64de34755f706a9fd4c876c473eed4f8922a4450c7ef135b0ab5e49c67363baf"
+ logic_hash = "64de34755f706a9fd4c876c473eed4f8922a4450c7ef135b0ab5e49c67363baf"
 score = 75
 quality = 78
 tags = ""
@@ -121854,13 +121854,13 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Mmetokendecrypt
 meta:
 description = "This program decrypts / extracts all authorization tokens on macOS / OS X / OSX."
 author = "@mimeframe"
- id = "8792bf45-9c92-53cf-a288-e38fe2a19642"
+ id = "2dc01ff3-4c4a-548d-b2f0-b36897ad6a5c"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/manwhoami/MMeTokenDecrypt"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_manwhoami_mmetokendecrypt.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_ccfedfbff0c6eefe41e80fe488d4cae928a33e7b86019c6ec54d1c9005b35147"
+ logic_hash = "ccfedfbff0c6eefe41e80fe488d4cae928a33e7b86019c6ec54d1c9005b35147"
 score = 75
 quality = 80
 tags = ""
@@ -121880,13 +121880,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Skreweverything_Swift
 meta:
 description = "It is a simple and easy to use keylogger for macOS written in Swift."
 author = "@mimeframe"
- id = "eed3b9bb-e8e4-53b6-8d17-8aa989d8a2fc"
+ id = "a4918bc3-d3f0-59f4-894f-fd34ee944fac"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/SkrewEverything/Swift-Keylogger"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_skreweverything_swift.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_f400b8ec392417e7443e82a2c2a9adfc868b9795aa1fb29f91d228f6f94efd13"
+ logic_hash = "f400b8ec392417e7443e82a2c2a9adfc868b9795aa1fb29f91d228f6f94efd13"
 score = 75
 quality = 80
 tags = ""
@@ -121906,13 +121906,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Logkext
 meta:
 description = "LogKext is an open source keylogger for Mac OS X, a product of FSB software."
 author = "@mimeframe"
- id = "849cbd43-288b-55de-b031-09322e49784c"
+ id = "2e4ad9d0-5780-5a28-a76d-baac401b0648"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/SlEePlEs5/logKext"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_logkext.yara#L1-L25"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_f0e3a7ea8ec4568c319e44f00d71fb368948b6fe08bdf86de4b33f0d2bafbb44"
+ logic_hash = "f0e3a7ea8ec4568c319e44f00d71fb368948b6fe08bdf86de4b33f0d2bafbb44"
 score = 75
 quality = 80
 tags = ""
@@ -121938,13 +121938,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Eldeveloper_Keystats
 meta:
 description = "A simple keylogger for macOS."
 author = "@mimeframe"
- id = "468bf492-2fab-5658-9744-8967a52457e3"
+ id = "7fddb502-ae2d-5e14-95f5-115498fa5926"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/ElDeveloper/keystats"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_eldeveloper_keystats.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_c73f5ca2ba0a1bde7c1f9b96173938e40511e12f875c4d850d6d498c63e89385"
+ logic_hash = "c73f5ca2ba0a1bde7c1f9b96173938e40511e12f875c4d850d6d498c63e89385"
 score = 75
 quality = 80
 tags = ""
@@ -121962,13 +121962,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Roxlu_Ofxkeylogger
 meta:
 description = "ofxKeylogger keylogger."
 author = "@mimeframe"
- id = "622d7da4-25da-56a4-9e60-a225c2eaf0a1"
+ id = "c0e00b76-9623-5709-b64b-0afe006eba60"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/roxlu/ofxKeylogger"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_roxlu_ofxkeylogger.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_6e2579a10327cc8f1799848b3bcbcd95733a31098faeb849df6ebf99f1ffe808"
+ logic_hash = "6e2579a10327cc8f1799848b3bcbcd95733a31098faeb849df6ebf99f1ffe808"
 score = 75
 quality = 80
 tags = ""
@@ -121986,13 +121986,13 @@ rule BINARYALERT_Hacktool_Macos_Exploit_Cve_5889
 meta:
 description = "No description has been set in the source file - BinaryAlert"
 author = "@mimeframe"
- id = "fbc2c577-6954-51aa-a79f-974f856faf42"
+ id = "ea70d31c-1b70-5927-ba8d-e13d2114e74e"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://www.exploit-db.com/exploits/38371/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_exploit_cve_2015_5889.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_b455759ea369cdcf2f05a2735a38000179ebe644667016cd635dfad9beda4459"
+ logic_hash = "b455759ea369cdcf2f05a2735a38000179ebe644667016cd635dfad9beda4459"
 score = 75
 quality = 80
 tags = ""
@@ -122013,13 +122013,13 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Osxchromedecrypt
 meta:
 description = "Decrypt Google Chrome / Chromium passwords and credit cards on macOS / OS X."
 author = "@mimeframe"
- id = "1cae37d5-2995-55f6-b821-d89334f11b9a"
+ id = "874cc999-d9c2-5017-83ec-e4be8a659476"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/manwhoami/OSXChromeDecrypt"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_manwhoami_osxchromedecrypt.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_0974c6a5e7875e20380df0f58bf22a589b9a5c718e635ec77b42060abcf99473"
+ logic_hash = "0974c6a5e7875e20380df0f58bf22a589b9a5c718e635ec77b42060abcf99473"
 score = 75
 quality = 80
 tags = ""
@@ -122040,13 +122040,13 @@ rule BINARYALERT_Hacktool_Macos_Ptoomey3_Keychain_Dumper
 meta:
 description = "Keychain dumping utility."
 author = "@mimeframe"
- id = "7be4b137-619d-5d19-ac31-5c0148a3a77a"
+ id = "c45abbbe-f5fe-5a87-acd4-dcdb99ceec28"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/ptoomey3/Keychain-Dumper"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_ptoomey3_keychain_dumper.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_f2ef979e4682ce617b37f7503ec2ca520e657b4f6d15a75afad59b62191a1a43"
+ logic_hash = "f2ef979e4682ce617b37f7503ec2ca520e657b4f6d15a75afad59b62191a1a43"
 score = 75
 quality = 80
 tags = ""
@@ -122066,13 +122066,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Caseyscarborough
 meta:
 description = "A simple and easy to use keylogger for macOS."
 author = "@mimeframe"
- id = "191efd22-3f9e-57da-992f-3cc2ab6ecdfa"
+ id = "82d9ff7e-b475-5888-82e1-f65c286a9cde"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/caseyscarborough/keylogger"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_caseyscarborough.yara#L1-L14"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_d97fbfefe027a26ec998743b811734e62423e8a5ba4e11d516dcfc9e4831d296"
+ logic_hash = "d97fbfefe027a26ec998743b811734e62423e8a5ba4e11d516dcfc9e4831d296"
 score = 75
 quality = 80
 tags = ""
@@ -122091,13 +122091,13 @@ rule BINARYALERT_Hacktool_Macos_Manwhoami_Icloudcontacts
 meta:
 description = "Pulls iCloud Contacts for an account. No dependencies. No user notification."
 author = "@mimeframe"
- id = "7c1f218e-c790-50ce-9408-d20747abde2e"
+ id = "b6595540-7f89-5764-b34e-d32c1a377b6c"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/manwhoami/iCloudContacts"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_manwhoami_icloudcontacts.yara#L1-L14"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_0c5b81454b26de91f5ad126b24f10397e1da5d8561b0bf22c5df128753df0ac2"
+ logic_hash = "0c5b81454b26de91f5ad126b24f10397e1da5d8561b0bf22c5df128753df0ac2"
 score = 75
 quality = 80
 tags = ""
@@ -122116,13 +122116,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Dannvix
 meta:
 description = "A simple keylogger for macOS."
 author = "@mimeframe"
- id = "175e0f9f-fd57-5306-807f-911031d7537d"
+ id = "598d6dbc-540d-5f96-8bd1-c15e6194012e"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/dannvix/keylogger-osx"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_dannvix.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_95d0540b1308caf3e7287c70a759954650220192800c0154d225bcb01ed55766"
+ logic_hash = "95d0540b1308caf3e7287c70a759954650220192800c0154d225bcb01ed55766"
 score = 75
 quality = 80
 tags = ""
@@ -122140,13 +122140,13 @@ rule BINARYALERT_Hacktool_Macos_Juuso_Keychaindump
 meta:
 description = "For reading OS X keychain passwords as root."
 author = "@mimeframe"
- id = "196c6132-b538-5055-a4cb-e2d46723d06e"
+ id = "10ee6c24-db35-5178-9a40-92f5231948aa"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/juuso/keychaindump"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_juuso_keychaindump.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_dd2fb6249fe4b7381e734ea3a308158159f7e79b39ba5c970241dcd66436d669"
+ logic_hash = "dd2fb6249fe4b7381e734ea3a308158159f7e79b39ba5c970241dcd66436d669"
 score = 75
 quality = 80
 tags = ""
@@ -122167,13 +122167,13 @@ rule BINARYALERT_Hacktool_Macos_N0Fate_Chainbreaker
 meta:
 description = "chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner."
 author = "@mimeframe"
- id = "6b04050d-006d-56c0-91b4-8dda1c1ff3fa"
+ id = "565d31c6-8d80-534d-8acc-c01d7af4f8b3"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/n0fate/chainbreaker"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_n0fate_chainbreaker.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_7aedf952756ed2375ff171329179f14a8cdc37ada69e1f003def1f1de5bc1691"
+ logic_hash = "7aedf952756ed2375ff171329179f14a8cdc37ada69e1f003def1f1de5bc1691"
 score = 75
 quality = 80
 tags = ""
@@ -122191,13 +122191,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_B4Rsby_Swiftlog
 meta:
 description = "Dirty user level command line keylogger hacked together in Swift."
 author = "@mimeframe"
- id = "7f42e787-a723-5e20-99a3-54e1ffa6ccda"
+ id = "b1ae8284-04a0-5818-9997-0e31eb51ed2b"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/b4rsby/SwiftLog"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_b4rsby_swiftlog.yara#L1-L11"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_c66dcab2da0e543198f97ca104c13533c8950d10b6f7cbd3f906348d0f8c45ff"
+ logic_hash = "c66dcab2da0e543198f97ca104c13533c8950d10b6f7cbd3f906348d0f8c45ff"
 score = 75
 quality = 80
 tags = ""
@@ -122213,13 +122213,13 @@ rule BINARYALERT_Hacktool_Macos_Exploit_Tpwn
 meta:
 description = "tpwn exploits a null pointer dereference in XNU to escalate privileges to root."
 author = "@mimeframe"
- id = "bfd4765a-2358-5de7-91e6-9c2e1b70780f"
+ id = "b69c4e1c-554e-5553-9b21-6cdf33aff24e"
 date = "2017-09-14"
 modified = "2017-09-14"
 reference = "https://www.rapid7.com/db/modules/exploit/osx/local/tpwn"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_exploit_tpwn.yara#L1-L14"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_f864d8c137746edd50526b1d3d95a7335f776cf1473d2d2ea28856dbc515dd9f"
+ logic_hash = "f864d8c137746edd50526b1d3d95a7335f776cf1473d2d2ea28856dbc515dd9f"
 score = 75
 quality = 80
 tags = ""
@@ -122238,13 +122238,13 @@ rule BINARYALERT_Hacktool_Macos_Keylogger_Giacomolaw
 meta:
 description = "A simple keylogger for macOS."
 author = "@mimeframe"
- id = "4a9e4fe6-5f28-5f42-9726-ced687055038"
+ id = "81fcf792-a0a9-5b97-a71c-4c517a7b910c"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/GiacomoLaw/Keylogger"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_keylogger_giacomolaw.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_45ca583c07b8593ed716306ae6f80eef1c3fc5652aed739454fa8007fae929b4"
+ logic_hash = "45ca583c07b8593ed716306ae6f80eef1c3fc5652aed739454fa8007fae929b4"
 score = 75
 quality = 80
 tags = ""
@@ -122262,13 +122262,13 @@ rule BINARYALERT_Hacktool_Macos_Macpmem
 meta:
 description = "MacPmem enables read/write access to physical memory on macOS. Can be used by CSIRT teams and attackers."
 author = "@mimeframe"
- id = "26ee217b-a3f3-5742-801e-cdc0684dfd99"
+ id = "4890598e-936c-5a4d-9004-88ff4fe57c49"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/google/rekall/tree/master/tools/osx/MacPmem"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/macos/hacktool_macos_macpmem.yara#L3-L22"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_d64b5a5423932211e3b72d949028f3f0ed1f1435e9584cffa947f2bd4846c29b"
+ logic_hash = "d64b5a5423932211e3b72d949028f3f0ed1f1435e9584cffa947f2bd4846c29b"
 score = 75
 quality = 80
 tags = ""
@@ -122291,13 +122291,13 @@ rule BINARYALERT_Hacktool_Multi_Jtesta_Ssh_Mitm
 meta:
 description = "intercepts ssh connections to capture credentials"
 author = "@fusionrace"
- id = "c44ca655-71f8-50d6-b0ec-9a85434d780f"
+ id = "fa8362e2-83d3-5830-8952-502684ad66f9"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/jtesta/ssh-mitm"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_jtesta_ssh_mitm.yara#L1-L12"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_1d19c83f7d648a0d30074debcd76ff0faf72afa6722251661f8640abdc12a2a9"
+ logic_hash = "1d19c83f7d648a0d30074debcd76ff0faf72afa6722251661f8640abdc12a2a9"
 score = 50
 quality = 80
 tags = ""
@@ -122314,13 +122314,13 @@ rule BINARYALERT_Hacktool_Multi_Masscan
 meta:
 description = "masscan is a performant port scanner, it produces results similar to nmap"
 author = "@mimeframe"
- id = "7eac2470-b3e3-530a-a123-594776eb1c77"
+ id = "adb2bb07-2a1a-5eb5-8049-b3f8e6cba48a"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/robertdavidgraham/masscan"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_masscan.yara#L1-L17"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_b35e481f73b1c1722056157f8348e2e06bb109c094b948fc6be2d9a7df070a7f"
+ logic_hash = "b35e481f73b1c1722056157f8348e2e06bb109c094b948fc6be2d9a7df070a7f"
 score = 75
 quality = 80
 tags = ""
@@ -122342,13 +122342,13 @@ rule BINARYALERT_Hacktool_Multi_Ncc_ABPTTS
 meta:
 description = "Allows for TCP tunneling over HTTP"
 author = "@mimeframe"
- id = "c1efad63-0b43-5314-8cbb-08b8b04a3365"
+ id = "dd5f6316-9e51-5cc8-b293-dc33b09cc801"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/nccgroup/ABPTTS"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_ncc_ABPTTS.yara#L1-L19"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_09874b1d997ac193ad1afa0226f6fb22836c8720c0599d773b18072b92a3acc4"
+ logic_hash = "09874b1d997ac193ad1afa0226f6fb22836c8720c0599d773b18072b92a3acc4"
 score = 75
 quality = 80
 tags = ""
@@ -122369,13 +122369,13 @@ rule BINARYALERT_Hacktool_Multi_Pyrasite_Py
 meta:
 description = "A tool for injecting arbitrary code into running Python processes."
 author = "@fusionrace"
- id = "92cef916-5919-562f-ae5a-06a1e79a8197"
+ id = "0acd0044-a41c-5e9e-bb94-301cd704cf9d"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/lmacken/pyrasite"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_pyrasite_py.yara#L1-L24"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_7f3f3df5bd5c1bee2d85ff97878ad36223ab743926a5f8f1c079b039f724abc9"
+ logic_hash = "7f3f3df5bd5c1bee2d85ff97878ad36223ab743926a5f8f1c079b039f724abc9"
 score = 75
 quality = 80
 tags = ""
@@ -122404,13 +122404,13 @@ rule BINARYALERT_Hacktool_Multi_Bloodhound_Owned
 meta:
 description = "Bloodhound: Custom queries to document a compromise, find collateral spread of owned nodes, and visualize deltas in privilege gains"
 author = "@fusionrace"
- id = "cffa3b8a-cf55-531b-aa67-ca8a8841bdec"
+ id = "4d458339-6589-5094-8c23-1ad2baee19f1"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/porterhau5/BloodHound-Owned/"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_bloodhound_owned.yara#L1-L20"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_01ef15a3cd606c46dacb0f22477fe97f94e212a38af1cd5bdd7eb11efe8144dd"
+ logic_hash = "01ef15a3cd606c46dacb0f22477fe97f94e212a38af1cd5bdd7eb11efe8144dd"
 score = 75
 quality = 80
 tags = ""
@@ -122435,13 +122435,13 @@ rule BINARYALERT_Hacktool_Multi_Ntlmrelayx
 meta:
 description = "No description has been set in the source file - BinaryAlert"
 author = "@mimeframe"
- id = "e638e9d0-404d-5b48-910c-6b3cd0845b78"
+ id = "7e0bc28f-9cb7-5c09-aedc-d95af23454aa"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/CoreSecurity/impacket/blob/master/examples/ntlmrelayx.py"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_ntlmrelayx.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_0d5d2d38866eb243e1803c456944e887d9d3920c54b15fd658bf90831fd87bfa"
+ logic_hash = "0d5d2d38866eb243e1803c456944e887d9d3920c54b15fd658bf90831fd87bfa"
 score = 75
 quality = 80
 tags = ""
@@ -122461,13 +122461,13 @@ rule BINARYALERT_Hacktool_Multi_Responder_Py
 meta:
 description = "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server"
 author = "@fusionrace"
- id = "dbe2f8e0-21fa-55f4-90e1-c6bc2b5403f2"
+ id = "82699a67-8ba1-5535-9183-3c857e60134c"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "http://www.c0d3xpl0it.com/2017/02/compromising-domain-admin-in-internal-pentest.html"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/multi/hacktool_multi_responder_py.yara#L1-L17"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_a99a806b7c578af1f2163583f957db13fa7269c7426666189d85bec2ac87ad4b"
+ logic_hash = "a99a806b7c578af1f2163583f957db13fa7269c7426666189d85bec2ac87ad4b"
 score = 75
 quality = 80
 tags = ""
@@ -122489,13 +122489,13 @@ rule BINARYALERT_Hacktool_Windows_Wmi_Implant
 meta:
 description = "A PowerShell based tool that is designed to act like a RAT"
 author = "@fusionrace"
- id = "b32996b2-1706-5af5-ad81-f73d5899c70c"
+ id = "cd90ef31-6e15-5518-8278-98e99e379916"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_wmi_implant.yara#L1-L21"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_8b02fd265b04b9675a99b9638fdd179c8a86ed3afd7506195f3d3dcb2417d74d"
+ logic_hash = "8b02fd265b04b9675a99b9638fdd179c8a86ed3afd7506195f3d3dcb2417d74d"
 score = 75
 quality = 80
 tags = ""
@@ -122521,13 +122521,13 @@ rule BINARYALERT_Hacktool_Windows_Mimikatz_Sekurlsa
 meta:
 description = "Mimikatz credential dump tool"
 author = "@fusionrace"
- id = "a7eb069a-1f6f-5e54-9f34-83aa65fa345e"
+ id = "08fe62c5-f7a4-5985-a298-1d3c2c1744d4"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/gentilkiwi/mimikatz"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_sekurlsa.yara#L1-L18"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_24e958c3cbda8e01dc2d84b3059114ea23f4b38db1676f7b72e5eabfa52b7335"
+ logic_hash = "24e958c3cbda8e01dc2d84b3059114ea23f4b38db1676f7b72e5eabfa52b7335"
 score = 75
 quality = 80
 tags = ""
@@ -122550,13 +122550,13 @@ rule BINARYALERT_Hacktool_Windows_Rdp_Cmd_Delivery
 meta:
 description = "Delivers a text payload via RDP (rubber ducky)"
 author = "@fusionrace"
- id = "1b00805a-9ea5-5af8-95f8-fd0db0d6cc9f"
+ id = "8d035721-34ee-566f-8851-1c9501de2704"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/nopernik/mytools/blob/master/rdp-cmd-delivery.sh"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_rdp_cmd_delivery.yara#L1-L14"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_98bc02bb651fba069828b5960ee47542828f0d530e5e280b15abb0573b8e0168"
+ logic_hash = "98bc02bb651fba069828b5960ee47542828f0d530e5e280b15abb0573b8e0168"
 score = 75
 quality = 80
 tags = ""
@@ -122575,13 +122575,13 @@ rule BINARYALERT_Hacktool_Windows_Cobaltstrike_Postexploitation : FILE
 meta:
 description = "Detection of strings in the post-exploitation modules of Cobalt Strike"
 author = "@javutin, @mimeframe"
- id = "fc50422a-6362-5604-a7ab-7a5f589a90eb"
+ id = "76c2a5ae-bc7c-50c7-8731-94c75912574f"
 date = "2017-12-14"
 modified = "2017-12-14"
 reference = "https://www.cobaltstrike.com/support"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_cobaltstrike_postexploitation.yara#L1-L13"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_1a89128a0f5774d1333be440d38128e29cb36f9818fa44e60482ef078078aca8"
+ logic_hash = "1a89128a0f5774d1333be440d38128e29cb36f9818fa44e60482ef078078aca8"
 score = 75
 quality = 80
 tags = "FILE"
@@ -122597,13 +122597,13 @@ rule BINARYALERT_Hacktool_Windows_Cobaltstrike_Powershell : FILE
 meta:
 description = "Detection of the PowerShell payloads from Cobalt Strike"
 author = "@javutin, @joseselvi"
- id = "20f17dc5-1785-5199-88d8-b166e8ae6ea5"
+ id = "155f181a-56cb-5295-a903-744f79012733"
 date = "2017-12-14"
 modified = "2017-12-14"
 reference = "https://www.cobaltstrike.com/help-payload-generator"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_cobaltstrike_powershell.yara#L1-L21"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_39dd0aaa84d02aae5766d764c3d371f03f9df33acf5f6ae4ab4a8c73dd827213"
+ logic_hash = "39dd0aaa84d02aae5766d764c3d371f03f9df33acf5f6ae4ab4a8c73dd827213"
 score = 75
 quality = 80
 tags = "FILE"
@@ -122626,13 +122626,13 @@ rule BINARYALERT_Hacktool_Windows_Mimikatz_Errors
 meta:
 description = "Mimikatz credential dump tool: Error messages"
 author = "@fusionrace"
- id = "5b0c12f0-b182-5c24-bde5-2bb3bc2a5a8f"
+ id = "94d50739-fc84-5bfe-821d-5e2851f681e3"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/gentilkiwi/mimikatz"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_errors.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_60fb94b9465b19af3b2df1b26490d4ac19a31a39f2f8c52f1059d37843769b36"
+ logic_hash = "60fb94b9465b19af3b2df1b26490d4ac19a31a39f2f8c52f1059d37843769b36"
 score = 75
 quality = 80
 tags = ""
@@ -122653,13 +122653,13 @@ rule BINARYALERT_Hacktool_Windows_Mimikatz_Copywrite
 meta:
 description = "Mimikatz credential dump tool: Author copywrite"
 author = "@fusionrace"
- id = "6e7ce709-a546-5725-b7c9-4330f97118d0"
+ id = "bf7a52b5-c0af-5805-a2da-41ae3842e0c6"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/gentilkiwi/mimikatz"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_copywrite.yara#L1-L24"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_f0e8a8b0c7398e7af06bd074eec0433265ba0e675bdbff354e59432c246b0b36"
+ logic_hash = "f0e8a8b0c7398e7af06bd074eec0433265ba0e675bdbff354e59432c246b0b36"
 score = 75
 quality = 80
 tags = ""
@@ -122688,13 +122688,13 @@ rule BINARYALERT_Hacktool_Windows_Hot_Potato
 meta:
 description = "No description has been set in the source file - BinaryAlert"
 author = "@mimeframe"
- id = "68799fd0-0aac-5c4e-a76c-594d48a5765d"
+ id = "dee13640-b4a9-5a39-af01-338c0197c995"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/foxglovesec/Potato"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_hot_potato.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_1ccee61660b3478294a5a4e1ca2b16c91156f6c877d0f83848cccd18a3f753f7"
+ logic_hash = "1ccee61660b3478294a5a4e1ca2b16c91156f6c877d0f83848cccd18a3f753f7"
 score = 75
 quality = 80
 tags = ""
@@ -122714,13 +122714,13 @@ rule BINARYALERT_Hacktool_Windows_Mimikatz_Files
 meta:
 description = "Mimikatz credential dump tool: Files"
 author = "@fusionrace"
- id = "0a489eab-0cd3-53e3-a644-4ffb29a51a7b"
+ id = "ea4fd443-64dd-5466-8525-40c3a023e229"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/gentilkiwi/mimikatz"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_mimikatz_files.yara#L1-L15"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_50d23cda49ca559da2e504e53b46b58679ea8bc07c501ff7764a3d142598adc8"
+ logic_hash = "50d23cda49ca559da2e504e53b46b58679ea8bc07c501ff7764a3d142598adc8"
 score = 75
 quality = 80
 tags = ""
@@ -122740,13 +122740,13 @@ rule BINARYALERT_Hacktool_Windows_Moyix_Creddump
 meta:
 description = "creddump is a python tool to extract credentials and secrets from Windows registry hives."
 author = "@mimeframe"
- id = "b3147c06-a1a5-53f2-b1f8-78d6474f9bbe"
+ id = "46df781a-abab-5593-99f9-1a6b993904cb"
 date = "2017-09-12"
 modified = "2017-09-12"
 reference = "https://github.com/moyix/creddump"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_moyix_creddump.yara#L1-L16"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_3f2f4c5069fcb3d3b1d293a471bcf9489f058f27cd385885ab2bb4f719a3bd9d"
+ logic_hash = "3f2f4c5069fcb3d3b1d293a471bcf9489f058f27cd385885ab2bb4f719a3bd9d"
 score = 75
 quality = 80
 tags = ""
@@ -122767,13 +122767,13 @@ rule BINARYALERT_Hacktool_Windows_Ncc_Wmicmd
 meta:
 description = "Command shell wrapper for WMI"
 author = "@mimeframe"
- id = "16f616e2-120c-5067-b083-957f49cb0baa"
+ id = "18bc36f7-b97a-5bce-a68b-c349713e9468"
 date = "2017-08-11"
 modified = "2017-08-11"
 reference = "https://github.com/nccgroup/WMIcmd"
 source_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/rules/public/hacktool/windows/hacktool_windows_ncc_wmicmd.yara#L1-L18"
 license_url = "https://github.com/airbnb/binaryalert//blob/a9c0f06affc35e1f8e45bb77f835b92350c68a0b/LICENSE"
- logic_hash = "v1_sha256_bef6828a706dcfc3b573523fccd391a5ef3fa505235b1621a82527d64d32aaf0"
+ logic_hash = "bef6828a706dcfc3b573523fccd391a5ef3fa505235b1621a82527d64d32aaf0"
 score = 75
 quality = 80
 tags = ""
@@ -122795,7 +122795,7 @@ rule BINARYALERT_Hacktool_Windows_Ncc_Wmicmd
 * YARA Rule Set
 * Repository Name: DeadBits
 * Repository: https://github.com/deadbits/yara-rules/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: d002f7ecee23e09142a3ac3e79c84f71dda3f001
 * Number of Rules: 19
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -122810,13 +122810,13 @@ rule DEADBITS_Dacls_Trojan_Windows : FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "e5902d25-413b-545e-931c-bf3620894fc6"
+ id = "424b2c0d-2373-5a72-9a97-52b4bfc5cdcf"
 date = "2020-01-07"
 modified = "2020-01-07"
 reference = "https://github.com/deadbits/yara-rules"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/Dacls_Windows.yara#L1-L30"
 license_url = "N/A"
- logic_hash = "v1_sha256_b77df7e3be9c264d6a63d40dbf49c41e9dd55b4e570c063b5710b849c36cc166"
+ logic_hash = "b77df7e3be9c264d6a63d40dbf49c41e9dd55b4e570c063b5710b849c36cc166"
 score = 75
 quality = 80
 tags = "FILE"
@@ -122843,13 +122843,13 @@ rule DEADBITS_Dacls_Trojan_Linux
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "e72e7759-5815-504f-84df-c0c0756f1ede"
+ id = "bb83ba2b-70a3-5a0f-9588-d93b7f07f67f"
 date = "2020-01-07"
 modified = "2020-01-07"
 reference = "https://github.com/deadbits/yara-rules"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/Dacls_Linux.yara#L1-L32"
 license_url = "N/A"
- logic_hash = "v1_sha256_752d7daf9178e4fa20f2ce781c6ff70f83758f01479696f0808e1588da9a3d78"
+ logic_hash = "752d7daf9178e4fa20f2ce781c6ff70f83758f01479696f0808e1588da9a3d78"
 score = 75
 quality = 80
 tags = ""
@@ -122876,13 +122876,13 @@ rule DEADBITS_Silenttrinity_Delivery_Document : FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "8230a28d-55b6-5947-a39d-a59c26f2eb41"
+ id = "be8cf8b7-d7f8-587d-b7bd-ad10796cda7c"
 date = "2019-07-19"
 modified = "2019-07-19"
 reference = "https://countercept.com/blog/hunting-for-silenttrinity/"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/SilentTrinity_Delivery.yara#L1-L30"
 license_url = "N/A"
- logic_hash = "v1_sha256_1efaa317dd250fa127b134ff8e6e6ac48d1056059256f790925d2315a6865033"
+ logic_hash = "1efaa317dd250fa127b134ff8e6e6ac48d1056059256f790925d2315a6865033"
 score = 75
 quality = 80
 tags = "FILE"
@@ -122911,13 +122911,13 @@ rule DEADBITS_Godlua_Linux : LINUXMALWARE FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "614eeb4a-ff2b-552e-b711-d791ed80c75c"
+ id = "1a05c88a-8199-5c6d-9352-9ef60df40078"
 date = "2019-07-18"
 modified = "2019-07-22"
 reference = "https://github.com/deadbits/yara-rules"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/godlua_linux.yara#L1-L57"
 license_url = "N/A"
- logic_hash = "v1_sha256_70a8078f261648f050807e82009493e39fa32c0748576b3df76d8aaaa117103e"
+ logic_hash = "70a8078f261648f050807e82009493e39fa32c0748576b3df76d8aaaa117103e"
 score = 75
 quality = 51
 tags = "LINUXMALWARE, FILE"
@@ -122956,13 +122956,13 @@ rule DEADBITS_Jsworm : MALWARE FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "35e88f6c-5193-5a2a-b28a-0bd054a5c8a9"
+ id = "6d452d04-b475-5241-890c-68119a7a8691"
 date = "2019-09-06"
 modified = "2019-09-06"
 reference = "https://github.com/deadbits/yara-rules/"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/JSWorm.yara#L1-L38"
 license_url = "N/A"
- logic_hash = "v1_sha256_99074e25ec15c5b25fa41bef19203f5ddc227acd51fadca1e2c3ece538b3da01"
+ logic_hash = "99074e25ec15c5b25fa41bef19203f5ddc227acd51fadca1e2c3ece538b3da01"
 score = 75
 quality = 78
 tags = "MALWARE, FILE"
@@ -122992,13 +122992,13 @@ rule DEADBITS_Silenttrinity : FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "ab0b9ec4-b24c-5d6f-8bee-e27928de2928"
+ id = "40f9174c-e9a5-5453-b5fa-6c01c46daffa"
 date = "2019-07-19"
 modified = "2019-07-19"
 reference = "https://countercept.com/blog/hunting-for-silenttrinity/"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/SilentTrinity_Payload.yara#L1-L55"
 license_url = "N/A"
- logic_hash = "v1_sha256_7fd1775aadfccfdf141c0721f557e6c54b058ac17a59a8e4561dd62ab4a1eff3"
+ logic_hash = "7fd1775aadfccfdf141c0721f557e6c54b058ac17a59a8e4561dd62ab4a1eff3"
 score = 75
 quality = 78
 tags = "FILE"
@@ -123048,13 +123048,13 @@ rule DEADBITS_Winnti_Linux : LINUXMALWARE FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "07e06cba-d54a-52a5-b721-ee64245773b5"
+ id = "d90dec69-1a8b-547c-a302-d00c612a71ed"
 date = "2019-07-18"
 modified = "2019-07-22"
 reference = "https://github.com/deadbits/yara-rules"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/winnti_linux.yara#L1-L37"
 license_url = "N/A"
- logic_hash = "v1_sha256_216c103b4ffceaa0540b8c81645d3fd91a7dab2b32b1cf84ccb85f134c9d23c8"
+ logic_hash = "216c103b4ffceaa0540b8c81645d3fd91a7dab2b32b1cf84ccb85f134c9d23c8"
 score = 75
 quality = 76
 tags = "LINUXMALWARE, FILE"
@@ -123092,13 +123092,13 @@ rule DEADBITS_Watchdog_Botnet : BOTNET LINUXMALWARE EXPLOITATION CVE_2019_11581
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "35288752-f781-5b7b-9d6c-66ff39a44522"
+ id = "ae95f934-2a9b-5c65-a11f-ea946d7f1bc6"
 date = "2019-07-22"
 modified = "2019-07-22"
 reference = "https://twitter.com/polarply/status/1153232987762376704"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/WatchBog_Linux.yara#L1-L100"
 license_url = "N/A"
- logic_hash = "v1_sha256_aea8afdf118b79f701941ddd4306ee0f1c947ea59de5485ff977beff95e06d35"
+ logic_hash = "aea8afdf118b79f701941ddd4306ee0f1c947ea59de5485ff977beff95e06d35"
 score = 75
 quality = 78
 tags = "BOTNET, LINUXMALWARE, EXPLOITATION, CVE_2019_11581, CVE_2019_10149"
@@ -123143,13 +123143,13 @@ rule DEADBITS_Dnspionage : APT DNSCHANGER FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "a28a89b5-a405-5402-9ed1-ad0a623f428f"
+ id = "9f740645-60dc-5376-94ad-59d8efbf1942"
 date = "2019-07-18"
 modified = "2019-07-19"
 reference = "https://github.com/deadbits/yara-rules"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/DNSpionage.yara#L1-L47"
 license_url = "N/A"
- logic_hash = "v1_sha256_f20c71d0698d98cc58fa199c708ec7bf5cb0ec62503a20b532e752dab9aab920"
+ logic_hash = "f20c71d0698d98cc58fa199c708ec7bf5cb0ec62503a20b532e752dab9aab920"
 score = 75
 quality = 78
 tags = "APT, DNSCHANGER, FILE"
@@ -123190,13 +123190,13 @@ rule DEADBITS_Acbackdoor_ELF : LINUX MALWARE BACKDOOR
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam M. Swanda"
- id = "a65f0bbd-0088-59ed-a8a0-8d287914ee05"
- date = "2019-11-22"
+ id = "82eb41bf-cd1d-5b00-973b-31a79c75cfc0"
+ date = "2019-11-23"
 modified = "2019-12-04"
 reference = "https://www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/ACBackdoor_Linux.yara#L1-L41"
 license_url = "N/A"
- logic_hash = "v1_sha256_48d741fba86cdfc8aac779d4b3227d45a17e0e9fba74b19820f1b8308bb93322"
+ logic_hash = "48d741fba86cdfc8aac779d4b3227d45a17e0e9fba74b19820f1b8308bb93322"
 score = 75
 quality = 55
 tags = "LINUX, MALWARE, BACKDOOR"
@@ -123230,13 +123230,13 @@ rule DEADBITS_APT32_Ratsnif : APT32 TROJAN WINMALWARE FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "bca2fe6d-5fd8-5246-8046-5232e45354a2"
+ id = "d3664a84-bb53-5715-8b0d-e63f43d62496"
 date = "2019-07-18"
 modified = "2019-08-08"
 reference = "https://github.com/deadbits/yara-rules"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/APT32_Ratsnif.yara#L1-L65"
 license_url = "N/A"
- logic_hash = "v1_sha256_a33eb2bb9ffe02f9b3fe706bd6a611457c669adc24c34f12d9014ed29ba1399f"
+ logic_hash = "a33eb2bb9ffe02f9b3fe706bd6a611457c669adc24c34f12d9014ed29ba1399f"
 score = 75
 quality = 55
 tags = "APT32, TROJAN, WINMALWARE, FILE"
@@ -123296,13 +123296,13 @@ rule DEADBITS_APT34_LONGWATCH : APT34 WINMALWARE KEYLOGGER FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "a4b2fe5a-0f14-5928-8391-ec3210c4c0d6"
+ id = "74a6a408-2f0e-567d-8968-c304d258df81"
 date = "2019-07-22"
 modified = "2019-07-22"
 reference = "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/APT34_LONGWATCH.yara#L1-L43"
 license_url = "N/A"
- logic_hash = "v1_sha256_8f9ed228325800baea3a2874c71337709c04d93419d4d56821a791dbce6f4582"
+ logic_hash = "8f9ed228325800baea3a2874c71337709c04d93419d4d56821a791dbce6f4582"
 score = 75
 quality = 78
 tags = "APT34, WINMALWARE, KEYLOGGER, FILE"
@@ -123341,13 +123341,13 @@ rule DEADBITS_Avemaria_Warzone : AVEMARIA WARZONE WINMALWARE INFOSTEALER FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "dc26a605-63dd-5ff5-8dcf-9e79cbe28728"
+ id = "1e03927b-d59c-5e1f-bdee-e44dfb172fad"
 date = "2019-07-18"
 modified = "2019-08-08"
 reference = "https://github.com/deadbits/yara-rules"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/avemaria_warzone.yara#L1-L32"
 license_url = "N/A"
- logic_hash = "v1_sha256_1fe55fc8ea80616b11757193c2c74b9cf577ab661ddca4c6c64cfad63a300614"
+ logic_hash = "1fe55fc8ea80616b11757193c2c74b9cf577ab661ddca4c6c64cfad63a300614"
 score = 75
 quality = 80
 tags = "AVEMARIA, WARZONE, WINMALWARE, INFOSTEALER, FILE"
@@ -123374,13 +123374,13 @@ rule DEADBITS_APT34_VALUEVAULT : APT34 INFOSTEALER WINMALWARE FILE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "8db7b3d9-aa31-5511-8138-39c2877c29e2"
+ id = "11d08fe7-9080-5393-b566-6f01e3eec18b"
 date = "2020-02-02"
 modified = "2020-02-02"
 reference = "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/APT34_VALUEVAULT.yara#L1-L63"
 license_url = "N/A"
- logic_hash = "v1_sha256_311eed153920b29b8d9e99651fe62259d685140d12bb073001e0576811a01198"
+ logic_hash = "311eed153920b29b8d9e99651fe62259d685140d12bb073001e0576811a01198"
 score = 75
 quality = 78
 tags = "APT34, INFOSTEALER, WINMALWARE, FILE"
@@ -123432,13 +123432,13 @@ rule DEADBITS_Redghost_Linux : POSTEXPLOITATION LINUXMALWARE
 meta:
 description = "No description has been set in the source file - DeadBits"
 author = "Adam Swanda"
- id = "52659094-c921-51e2-8320-376dbd0a3e1a"
+ id = "f598e115-f821-5932-aa14-5254bf28092c"
 date = "2019-08-07"
 modified = "2019-08-08"
 reference = "https://github.com/d4rk007/RedGhost/"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/RedGhost_Linux.yara#L1-L45"
 license_url = "N/A"
- logic_hash = "v1_sha256_0b12a0eda0a3b65c3da787770afb010eb5cd36426d41c04aca862ae1b01ab770"
+ logic_hash = "0b12a0eda0a3b65c3da787770afb010eb5cd36426d41c04aca862ae1b01ab770"
 score = 75
 quality = 80
 tags = "POSTEXPLOITATION, LINUXMALWARE"
@@ -123474,13 +123474,13 @@ rule DEADBITS_APT34_PICKPOCKET : APT APT34 INFOSTEALER WINMALWARE FILE
 meta:
 description = "Detects the PICKPOCKET malware used by APT34, a browser credential-theft tool identified by FireEye in May 2018"
 author = "Adam Swanda"
- id = "fdf72550-4302-5ccf-a57c-320e7bd29c60"
+ id = "71db5c74-4964-5c5e-a830-242bfd0a2158"
 date = "2019-07-22"
 modified = "2019-07-22"
 reference = "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/APT34_PICKPOCKET.yara#L1-L30"
 license_url = "N/A"
- logic_hash = "v1_sha256_7063cff3eb42c4468e01c9b214161cd306f7126f66650d99d43168730d1dc83a"
+ logic_hash = "7063cff3eb42c4468e01c9b214161cd306f7126f66650d99d43168730d1dc83a"
 score = 75
 quality = 80
 tags = "APT, APT34, INFOSTEALER, WINMALWARE, FILE"
@@ -123511,13 +123511,13 @@ rule DEADBITS_TA505_Flowerpippi : TA505 FINANCIAL BACKDOOR WINMALWARE FILE meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "6e887c8e-601a-5444-8d4c-8e8fffe6288e" + id = "1cfcb25e-1de9-53ac-b272-22792844a2d0" date = "2019-07-18" modified = "2019-07-22" reference = "https://github.com/deadbits/yara-rules" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/TA505_FlowerPippi.yara#L1-L65" license_url = "N/A" - logic_hash = "v1_sha256_eb709915f67d7225b024da99bc84a21455f3b9d5fb4bc779bbdf6a4d3ab33489" + logic_hash = "eb709915f67d7225b024da99bc84a21455f3b9d5fb4bc779bbdf6a4d3ab33489" score = 75 quality = 24 tags = "TA505, FINANCIAL, BACKDOOR, WINMALWARE, FILE" @@ -123572,13 +123572,13 @@ rule DEADBITS_Crescentcore_DMG : INSTALLER MACOSMALWARE FILE meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "5b2d9d6a-fc0d-56af-98da-6ca52dfa313a" + id = "2bd03287-3f10-50b0-9560-4c88644f5b20" date = "2019-07-18" modified = "2019-07-22" reference = "https://github.com/deadbits/yara-rules" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/crescentcore_dmg.yara#L1-L48" license_url = "N/A" - logic_hash = "v1_sha256_819f01fdacea1e95f0f4d4f8e59ebae97ff9489a1be2c60e33253580a8f9e418" + logic_hash = "819f01fdacea1e95f0f4d4f8e59ebae97ff9489a1be2c60e33253580a8f9e418" score = 75 quality = 51 tags = "INSTALLER, MACOSMALWARE, FILE" 
@@ -123612,13 +123612,13 @@ rule DEADBITS_KPOT_V2 : WINMALWARE INFOSTEALER FILE meta: description = "No description has been set in the source file - DeadBits" author = "Adam Swanda" - id = "a3af3f0a-d268-573a-9ae4-9b427dc60ed8" + id = "19e8d261-c658-5d0d-a95c-43fcaf2942e2" date = "2019-08-05" modified = "2019-08-05" reference = "https://github.com/deadbits/yara-rules" source_url = "https://github.com/deadbits/yara-rules//blob/d002f7ecee23e09142a3ac3e79c84f71dda3f001/rules/KPOT_v2.yara#L1-L33" license_url = "N/A" - logic_hash = "v1_sha256_dc8cce2ae3a427f771b19b4d0e027b653ff03a7bf816303460398987535c5351" + logic_hash = "dc8cce2ae3a427f771b19b4d0e027b653ff03a7bf816303460398987535c5351" score = 75 quality = 80 tags = "WINMALWARE, INFOSTEALER, FILE" @@ -123648,7 +123648,7 @@ rule DEADBITS_KPOT_V2 : WINMALWARE INFOSTEALER FILE * YARA Rule Set * Repository Name: DelivrTo * Repository: https://github.com/delivr-to/detections - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: 84158c63141cd22c128ff6f016329ffe67112f43 * Number of Rules: 9 * Skipped: 0 (age), 2 (quality), 0 (score), 0 (importance) @@ -123663,13 +123663,13 @@ rule DELIVRTO_SUSP_SVG_Foreignobject_Nov24 meta: description = "Presence of foreignObject in SVG file" author = "delivr.to" - id = "05ef1f08-4251-56b6-93eb-14b7fd78f75f" + id = "148ef54a-4389-58c9-be89-c1714ef08371" date = "2024-11-28" modified = "2024-11-28" reference = "https://github.com/delivr-to/detections" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/svg_foreignobject.yar#L1-L12" license_url = "N/A" - logic_hash = "v1_sha256_51fdc105e826344b9e516a35178c37b6e4620781ee3a9ae64b9be181a13292e7" + logic_hash = "51fdc105e826344b9e516a35178c37b6e4620781ee3a9ae64b9be181a13292e7" score = 40 quality = 51 tags = "" 
@@ -123686,13 +123686,13 @@ rule DELIVRTO_SUSP_Onenote_Repeated_Filedatareference_Feb23 : FILE meta: description = "Repeated references to files embedded in OneNote file. May indicate multiple copies of file hidden under image, as leveraged by Qakbot et al." author = "delivr.to" - id = "0a168719-aa00-5649-b38e-441a0c810a5f" + id = "2a46d6cc-2800-5645-889c-7ad7d7aa69bd" date = "2023-02-17" modified = "2023-02-17" reference = "https://github.com/delivr-to/detections" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/onenote_repeated_files.yar#L1-L23" license_url = "N/A" - logic_hash = "v1_sha256_ef74a128de4d3745af856957931eaae0c0ae5a5583eab1a7c58d6dd666e7fd15" + logic_hash = "ef74a128de4d3745af856957931eaae0c0ae5a5583eab1a7c58d6dd666e7fd15" score = 60 quality = 80 tags = "FILE" @@ -123710,13 +123710,13 @@ rule DELIVRTO_SUSP_CONCAT_ZIP_Nov24 : FILE meta: description = "Zip archives concatenated together, based on the presence of more than one End of Central Directory record signature" author = "delivr.to" - id = "ebfb6d21-3d61-5d74-96f6-36135bd18904" + id = "1b865dfb-380a-531d-97cf-c62a1a37f4a9" date = "2024-11-13" modified = "2024-11-13" reference = "https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/concatenated_zip.yar#L1-L15" license_url = "N/A" - logic_hash = "v1_sha256_7a102d677f06fb01b2a23ec61ec0844147f8789e9f2742928869f209e067805b" + logic_hash = "7a102d677f06fb01b2a23ec61ec0844147f8789e9f2742928869f209e067805b" score = 40 quality = 80 tags = "FILE" 
@@ -123733,13 +123733,13 @@ rule DELIVRTO_SUSP_Onenote_Win_Script_Encoding_Feb23 : FILE meta: description = "Presence of Windows Script Encoding Header in a OneNote file with embedded files" author = "delivr.to" - id = "7fa8e0ab-fab9-5ac9-9699-15e3b6b94ccb" + id = "95cd5ce0-07b3-5503-ad6f-944206bd4fb6" date = "2023-02-19" modified = "2023-02-19" reference = "https://github.com/delivr-to/detections" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/onenote_windows_script_encoding_file.yar#L1-L22" license_url = "N/A" - logic_hash = "v1_sha256_b7068f551b3665358f461a076c2d46c82db558d7fa4acb7d3c9c5c2afce31253" + logic_hash = "b7068f551b3665358f461a076c2d46c82db558d7fa4acb7d3c9c5c2afce31253" score = 60 quality = 78 tags = "FILE" @@ -123757,13 +123757,13 @@ rule DELIVRTO_SUSP_ZPAQ_Archive_Nov23 : FILE meta: description = "ZPAQ file archive with expected file and block headers" author = "delivr.to" - id = "e5d69864-244b-5399-800c-a888a4cb4786" + id = "28b6ffbe-be95-5ac8-ad3e-f9713a204d98" date = "2023-11-26" modified = "2023-11-27" reference = "https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/zpaq_archives.yar#L1-L14" license_url = "N/A" - logic_hash = "v1_sha256_348144ee7137def00b37e074507e8148e51d34c484802a56bcd6e090d4628f18" + logic_hash = "348144ee7137def00b37e074507e8148e51d34c484802a56bcd6e090d4628f18" score = 40 quality = 80 tags = "FILE" 
@@ -123780,13 +123780,13 @@ rule DELIVRTO_SUSP_PDF_MHT_Activemime_Sept23 : FILE meta: description = "Presence of MHT ActiveMime within PDF for polyglot file" author = "delivr.to" - id = "c8658db3-0794-5e83-bdfd-545da54e0485" + id = "fbac1371-bad4-5751-a5c4-ce6c270fb83e" date = "2023-09-04" modified = "2023-09-04" reference = "https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/pdf_mht_activemime.yar#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_af1450f649de6daec242f11e3b3c35305d3127fac4ef719a4ddb4edab3ae3651" + logic_hash = "af1450f649de6daec242f11e3b3c35305d3127fac4ef719a4ddb4edab3ae3651" score = 70 quality = 78 tags = "FILE" @@ -123805,13 +123805,13 @@ rule DELIVRTO_SUSP_Msg_CVE_2023_23397_Mar23 : CVE_2023_23397 FILE meta: description = "MSG file with a PidLidReminderFileParameter property, potentially exploiting CVE-2023-23397" author = "delivr.to" - id = "45950a93-eccb-5677-a6cf-5a5d9f617a4c" + id = "a0ede2d3-7789-5662-9575-5d0a5cf4457c" date = "2023-03-15" modified = "2023-03-15" reference = "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/msg_cve_2023_23397.yar#L1-L20" license_url = "N/A" - logic_hash = "v1_sha256_0476cf7f93c4f6cc48c19933f31360b62fe5e339f6a2a31dee8ad95f83ce67d7" + logic_hash = "0476cf7f93c4f6cc48c19933f31360b62fe5e339f6a2a31dee8ad95f83ce67d7" score = 60 quality = 80 tags = "CVE-2023-23397, FILE" 
@@ -123828,13 +123828,13 @@ rule DELIVRTO_SUSP_Onenote_RTLO_Character_Feb23 : FILE meta: description = "Presence of RTLO Unicode Character in a OneNote file with embedded files" author = "delivr.to" - id = "1ff9f30e-73b0-52fb-a917-79205eb13b78" + id = "03d86391-1392-5734-af5f-8a2c7b99167a" date = "2023-02-17" modified = "2023-02-17" reference = "https://github.com/delivr-to/detections" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/onenote_rtlo_filename.yar#L1-L22" license_url = "N/A" - logic_hash = "v1_sha256_286bc1ab1f5df0d64634f53cc82357187306c40b063b156f36b602e131262c7a" + logic_hash = "286bc1ab1f5df0d64634f53cc82357187306c40b063b156f36b602e131262c7a" score = 60 quality = 55 tags = "FILE" @@ -123852,13 +123852,13 @@ rule DELIVRTO_SUSP_HTML_WASM_Smuggling meta: description = "Presence of Base64 JavaScript blob loading WASM" author = "delivr.to" - id = "b107215f-9c15-5fbb-8b35-2e83b35478aa" + id = "fc83bb4f-ba8a-52d2-b9ce-632da5341f77" date = "2024-02-28" modified = "2024-05-24" reference = "https://github.com/delivr-to/detections" source_url = "https://github.com/delivr-to/detections/blob/84158c63141cd22c128ff6f016329ffe67112f43/yara-rules/html_wasm.yar#L1-L13" license_url = "N/A" - logic_hash = "v1_sha256_4bca88862c28db947c04c40e40fdecc682223d1eb90c98350fbd6c5d8c6c4636" + logic_hash = "4bca88862c28db947c04c40e40fdecc682223d1eb90c98350fbd6c5d8c6c4636" score = 70 quality = 80 tags = "" @@ -123875,7 +123875,7 @@ rule DELIVRTO_SUSP_HTML_WASM_Smuggling * YARA Rule Set * Repository Name: ESET * Repository: https://github.com/eset/malware-ioc - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: 9431ee8ccf63b1c014bfaa5f1a28dc747772d28d * Number of Rules: 103 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance) 
@@ -123913,13 +123913,13 @@ private rule ESET_Is_Elf_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "e8bc6a11-8980-537a-aebd-226ddc9c3c6a" + id = "6389dc72-ac97-5366-83f2-2e9bcf618ae4" date = "2016-11-01" modified = "2016-11-01" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/moose/linux-moose.yar#L32-L39" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_2a3c9a875852cd3ce86d43b9e4a6ba786ecbae1f18bba73a3bef5b7e8ba67a3b" + logic_hash = "2a3c9a875852cd3ce86d43b9e4a6ba786ecbae1f18bba73a3bef5b7e8ba67a3b" score = 75 quality = 80 tags = "" @@ -123937,13 +123937,13 @@ private rule ESET_Not_Ms_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "25ebdce5-44fd-59c4-81c9-fee8c60f3865" + id = "7edb96a1-a63a-580e-ac26-66fa14ae97d1" date = "2018-09-05" modified = "2018-09-05" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L34-L40" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_71f492eaa80bee5e8cc5bec67b2a7fd6f5f71ee2594d9f531043747533c80443" + logic_hash = "71f492eaa80bee5e8cc5bec67b2a7fd6f5f71ee2594d9f531043747533c80443" score = 75 quality = 80 tags = "" 
@@ -123958,14 +123958,14 @@ private rule ESET_Apachemodule_PRIVATE meta: description = "Apache 2.4 module ELF shared library" author = "ESET, spol. s r.o." - id = "3aa2dbc7-f11a-5ad2-a75d-1eaf8735e8b7" + id = "2082e50e-1726-5540-a962-e0aeca1ebaaf" date = "2024-04-27" modified = "2024-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L3-L30" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "e39667aa137e315bc26eaef791ccab52938fd809" - logic_hash = "v1_sha256_213fe381aa0bf9f148e488f7af74ac63073776c2868e42d2dcca7fdbca55fabb" + logic_hash = "213fe381aa0bf9f148e488f7af74ac63073776c2868e42d2dcca7fdbca55fabb" score = 75 quality = 80 tags = "" @@ -123983,13 +123983,13 @@ private rule ESET_Invisimole_Blob_PRIVATE meta: description = "Detects InvisiMole blobs by magic values" author = "ESET Research" - id = "374dcca3-edb2-5644-b4a0-c02b85f594f5" + id = "6a179d91-50f1-5400-b141-0f162efd2431" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L34-L52" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_8bddaf874da58fbe6362498f8979b511f39531fe2b98d4be8c099bdafb6d0067" + logic_hash = "8bddaf874da58fbe6362498f8979b511f39531fe2b98d4be8c099bdafb6d0067" score = 75 quality = 80 tags = "" 
@@ -124012,13 +124012,13 @@ private rule ESET_IIS_Native_Module_PRIVATE : FILE meta: description = "Signature to match an IIS native module (clean or malicious)" author = "ESET Research" - id = "6e9c8ceb-773e-5168-8f22-e3040fa64eb1" + id = "e3bacdc8-fde1-5e83-ac94-79fc345e888d" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L34-L92" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_5a388dc3253df606e2648d1f9c018e6dde373bbddce66dba69b7aecdd95bac18" + logic_hash = "5a388dc3253df606e2648d1f9c018e6dde373bbddce66dba69b7aecdd95bac18" score = 75 quality = 55 tags = "FILE" @@ -124079,13 +124079,13 @@ private rule ESET_Prikormkaearlyversion_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "b21cb5b7-7b20-5c0b-973e-d777bb996595" + id = "f10e6477-c4bb-50be-8827-66de35a9aea8" date = "2019-08-28" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L112-L128" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_681c7fb322953da162c10b76e453aa8ace6673720012383e3cd5528b59b42de3" + logic_hash = "681c7fb322953da162c10b76e453aa8ace6673720012383e3cd5528b59b42de3" score = 75 quality = 28 tags = "" 
@@ -124110,13 +124110,13 @@ private rule ESET_Prikormkamodule_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "88d245a7-6d1d-5bc7-8b1f-0e870a10249f" + id = "f99ed5f7-9ccc-5543-9224-6f865578f81e" date = "2019-08-28" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L53-L110" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_d5d7f1a46cbf9ff545c0fa840228d19ee7d45307078b4ae0b5a2fdf1c94d2978" + logic_hash = "d5d7f1a46cbf9ff545c0fa840228d19ee7d45307078b4ae0b5a2fdf1c94d2978" score = 75 quality = 26 tags = "" @@ -124166,13 +124166,13 @@ private rule ESET_Prikormkadropper_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "2fe8d1ac-a012-5cad-9463-15ad1a4f7fa5" + id = "d333693d-5386-5c34-a1c1-7a17e5bde849" date = "2019-08-28" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L33-L51" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_cf524cdf4ffeb5c9280c5c8e7fca524c41e1ce4f9bc46b1fc8cb8b50ea68ec39" + logic_hash = "cf524cdf4ffeb5c9280c5c8e7fca524c41e1ce4f9bc46b1fc8cb8b50ea68ec39" score = 75 quality = 28 tags = "" 
@@ -124197,13 +124197,13 @@ private rule ESET_Potaosecondstage_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "03c22650-8a38-572b-bfbf-7227b4cfd073" + id = "c1baace9-f481-533a-aa85-df5ba14069f2" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L81-L95" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_55f9fc2da09aa9c2e76725985c836f7b8ba5e0b69a9327fb911e8265b340b88c" + logic_hash = "55f9fc2da09aa9c2e76725985c836f7b8ba5e0b69a9327fb911e8265b340b88c" score = 75 quality = 28 tags = "" @@ -124224,13 +124224,13 @@ private rule ESET_Potaousb_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "59c7bea2-d82b-50d8-b5e9-2f25b3cd6f34" + id = "98fd84cb-d8e8-5aed-a1ac-f1099be5a5db" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L71-L80" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_8f72afbf3b123ea3914b3eade267bd21f7435fbf9fbde4049ca2600513bb31d9" + logic_hash = "8f72afbf3b123ea3914b3eade267bd21f7435fbf9fbde4049ca2600513bb31d9" score = 75 quality = 28 tags = "" 
@@ -124248,13 +124248,13 @@ private rule ESET_Potaodll_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "4cc637ae-e1b9-50ad-9742-15cd39c290ba" + id = "a53ff170-ed3a-5ee9-a262-bb2f77aba092" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L46-L70" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_1d1154eb10cc70b3252e3ca4a85789e8605f2f3b7044f03ec960fd56ab81886a" + logic_hash = "1d1154eb10cc70b3252e3ca4a85789e8605f2f3b7044f03ec960fd56ab81886a" score = 75 quality = 28 tags = "" @@ -124286,13 +124286,13 @@ private rule ESET_Potaodecoy_PRIVATE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "54ddf4bb-172d-5dac-8c22-05648e18bef0" + id = "215f1821-f70d-547e-b261-335dc1300bf2" date = "2015-07-30" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L32-L45" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_93cbe1d1545d1fb85b3218b68619e67a1dda80d5888d2685a04915b861dfce01" + logic_hash = "93cbe1d1545d1fb85b3218b68619e67a1dda80d5888d2685a04915b861dfce01" score = 75 quality = 28 tags = "" 
@@ -124314,13 +124314,13 @@ rule ESET_Potao meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "09759e4a-0d53-5b67-9158-8a1a59d9cd8d" + id = "9c755cb8-9e3f-5118-a8e0-4ded9a075cbd" date = "2015-07-29" modified = "2015-07-30" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/potao/PotaoNew.yara#L96-L108" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_c68addb14f7c22cec0c4d58bfffd373b2e3eb5c53a5b65532c84574e073fcbba" + logic_hash = "c68addb14f7c22cec0c4d58bfffd373b2e3eb5c53a5b65532c84574e073fcbba" score = 75 quality = 80 tags = "" @@ -124337,13 +124337,13 @@ rule ESET_Dino meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "41fc9dd7-0580-538f-a6eb-a3b8815dfb6c" + id = "77d0a039-f60c-59ea-bad6-5b4b630007bb" date = "2015-07-14" modified = "2015-08-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/animalfarm/animalfarm.yar#L73-L96" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_898e527eb8b05050135dee7cbe974100710a1a3a6a5cb8eb03563ee1c0aca01f" + logic_hash = "898e527eb8b05050135dee7cbe974100710a1a3a6a5cb8eb03563ee1c0aca01f" score = 75 quality = 80 tags = "" 
@@ -124372,7 +124372,7 @@ rule ESET_Richheaders_Lazarus_Nukesped_Iconicpayloads_3CX_Q12023 meta: description = "Rich Headers-based rule covering the IconicLoader and IconicStealer from the 3CX supply chain incident, and also payloads from the cryptocurrency campaigns from 2022-12" author = "ESET Research" - id = "df0ed9b0-243b-5966-9771-6b8acc4c2a18" + id = "5c815d14-8a3e-5c6a-9dc3-988e0f31c094" date = "2023-03-31" modified = "2023-04-19" reference = "https://github.com/eset/malware-ioc" @@ -124382,7 +124382,7 @@ rule ESET_Richheaders_Lazarus_Nukesped_Iconicpayloads_3CX_Q12023 hash = "cad1120d91b812acafef7175f949dd1b09c6c21a" hash = "5b03294b72c0caa5fb20e7817002c600645eb475" hash = "7491bd61ed15298ce5ee5ffd01c8c82a2cdb40ec" - logic_hash = "v1_sha256_f11a1db798bfcc534982bdf6afaae154b095b6a1e0896e75e2791c01e51a1c16" + logic_hash = "f11a1db798bfcc534982bdf6afaae154b095b6a1e0896e75e2791c01e51a1c16" score = 75 quality = 80 tags = "" @@ -124395,13 +124395,13 @@ rule ESET_Prikormka meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "02aab8fa-f296-59f2-a7b2-1177486dc9ae" + id = "6073aa34-d385-5ae8-b97d-9b3d61015aae" date = "2016-05-10" modified = "2019-08-28" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/groundbait/prikormka.yar#L130-L141" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_f64195e680fbaefedba248aa15b37ed30ba72f42958cc48963a140165e951bff" + logic_hash = "f64195e680fbaefedba248aa15b37ed30ba72f42958cc48963a140165e951bff" score = 75 quality = 80 tags = "" 
@@ -124418,14 +124418,14 @@ rule ESET_Cw_Windows_Redline_Panel_Tab_Headers : FILE meta: description = "Matches view headers in Redline Panel" author = "ESET Research" - id = "00b7e7d1-67fd-508d-af9f-40b646a98840" + id = "44a95845-b0a3-59c1-8188-86d415eff0bf" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L32-L55" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "v1_sha256_3198aa9df2814a5f1d5568c6eed5f3189b2f72b3928cc97645f9bf57eebab9ac" + logic_hash = "3198aa9df2814a5f1d5568c6eed5f3189b2f72b3928cc97645f9bf57eebab9ac" score = 75 quality = 80 tags = "FILE" @@ -124450,14 +124450,14 @@ rule ESET_Cw_Windows_Redline_Panel_Distinctive_Strings : FILE meta: description = "Matches rare strings found in Redline panel" author = "ESET Research" - id = "8d60b07a-c5da-5d78-aa0c-79da103e21d4" + id = "d40ccb6b-e777-5c05-b97c-ead910047649" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L57-L77" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "v1_sha256_7ff0239426c4c3b46a269fad71232295c038c09f276cdc3c7f1142c830260a6d" + logic_hash = "7ff0239426c4c3b46a269fad71232295c038c09f276cdc3c7f1142c830260a6d" score = 75 quality = 80 tags = "FILE" 
@@ -124478,14 +124478,14 @@ rule ESET_Cw_Windows_Redline_Panel_Prompts : FILE meta: description = "Matches prompt messages in Redline panel" author = "ESET Research" - id = "20f9268e-92c3-5f6d-ad2e-8211f8e96a22" + id = "3481586b-ed4b-5a27-82a0-0bbb3eea279e" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L79-L113" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "v1_sha256_0dfab05a9383ba13b3c610f1ab0c81e95804470002f27171ab39706f7723983a" + logic_hash = "0dfab05a9383ba13b3c610f1ab0c81e95804470002f27171ab39706f7723983a" score = 75 quality = 80 tags = "FILE" @@ -124521,14 +124521,14 @@ rule ESET_Cw_Windows_Redline_Panel_Status_Message_Strings : FILE meta: description = "Matches error/success messages in Redline panel" author = "ESET Research" - id = "47fe03ed-7290-5797-aeca-4e03f5c90bdc" + id = "70bdff10-9c86-57e3-b839-e86173a44855" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L115-L142" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "v1_sha256_c60fabc81967b083be72ff564af744ab60441de5d563ea6d88d873c0a99bfbdd" + logic_hash = "c60fabc81967b083be72ff564af744ab60441de5d563ea6d88d873c0a99bfbdd" score = 75 quality = 80 tags = "FILE" 
@@ -124557,14 +124557,14 @@ rule ESET_Cw_Windows_Redline_Panel_Commands : FILE meta: description = "Matches commands and functionalities in Redline panel" author = "ESET Research" - id = "d4c8fb0f-f3c6-5001-8bb4-929a6350200d" + id = "b479dc47-53a0-5ead-a4c3-bcdfcaf82ef8" date = "2022-10-11" modified = "2024-11-12" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/redline/redline.yar#L144-L172" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" hash = "a154dfaedc237c047f419eb6884dab1ef4e2a17d" - logic_hash = "v1_sha256_724516101264aa89259e847e4703d4eb993f330f82bd2df2433176b11d0c8974" + logic_hash = "724516101264aa89259e847e4703d4eb993f330f82bd2df2433176b11d0c8974" score = 75 quality = 55 tags = "FILE" @@ -124596,13 +124596,13 @@ rule ESET_Beds_Plugin meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "63e9bb61-9a08-523a-bb74-95615e71e89f" + id = "7c038e92-1064-503e-9d63-2d2c10f1759e" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L34-L51" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_024cb91288f133e4cdf5993ac0477de6de76d38fa06f7affa348c6a28a4600da" + logic_hash = "024cb91288f133e4cdf5993ac0477de6de76d38fa06f7affa348c6a28a4600da" score = 75 quality = 80 tags = "" 
@@ -124621,13 +124621,13 @@ rule ESET_Beds_Dropper meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "790b0748-5e98-554b-8ba9-39c0aa02cabb" + id = "47ccab59-253f-55d4-b38a-4441802626fc" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L53-L67" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_4b5d121e182e3fddd766a7a1227c5de273995e9336156e7a6e8a17faad681bea" + logic_hash = "4b5d121e182e3fddd766a7a1227c5de273995e9336156e7a6e8a17faad681bea" score = 75 quality = 80 tags = "" @@ -124644,13 +124644,13 @@ rule ESET_Facebook_Bot : FILE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "c2ea56f7-4741-5834-90d8-d7a0f4f31773" + id = "643b137f-af79-584c-8266-f2335a79f1ba" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L69-L100" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_8ea779f90fa6080398403e3e6f9d342360c35e93c756ed43cb699f090106504e" + logic_hash = "8ea779f90fa6080398403e3e6f9d342360c35e93c756ed43cb699f090106504e" score = 75 quality = 55 tags = "FILE" 
@@ -124684,13 +124684,13 @@ rule ESET_Pds_Plugins : FILE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "f2ca0f8f-1aa7-52cf-bc03-fa25ee595027" + id = "dfa75db5-f21c-5b5e-84ba-3bfdcc3efdcd" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L102-L130" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_26bbd380b72fb45206178639d67c8737b9984b140ba1048432949e159946c847" + logic_hash = "26bbd380b72fb45206178639d67c8737b9984b140ba1048432949e159946c847" score = 75 quality = 80 tags = "FILE" @@ -124722,13 +124722,13 @@ rule ESET_Stantinko_Pdb meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "c5c69747-c27f-5fa8-8752-32b7d218067e" + id = "24694e53-b89e-5cd3-ad53-e738bbd7d69d" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L132-L148" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_902c0ee086ce1a8def831d2f30c868165198c6c304faac3a93116a524f8e2fbf" + logic_hash = "902c0ee086ce1a8def831d2f30c868165198c6c304faac3a93116a524f8e2fbf" score = 75 quality = 80 tags = "" 
@@ -124748,13 +124748,13 @@ rule ESET_Stantinko_Droppers : FILE meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "e1bae22e-748a-594d-a287-95ca25bbafa3" + id = "fe2e6987-929a-59e3-a9ec-01a9f55fe589" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L150-L170" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_c56fc85834a3e1bb1c14da37fb509c7de3009bf81d52800fe0093dc489f6deaa" + logic_hash = "c56fc85834a3e1bb1c14da37fb509c7de3009bf81d52800fe0093dc489f6deaa" score = 75 quality = 80 tags = "FILE" @@ -124777,13 +124777,13 @@ rule ESET_Stantinko_D3D meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "d886199c-d8eb-5203-a2fe-79dbf45e3ba6" + id = "6652e55c-96a0-55a7-9941-7f32bbf984e5" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L172-L187" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_4e8da3f11df15e4aa469db62961ae390c4c4df2a5335eec0bdab19b14cc8343d" + logic_hash = "4e8da3f11df15e4aa469db62961ae390c4c4df2a5335eec0bdab19b14cc8343d" score = 75 quality = 80 tags = "" 
@@ -124800,13 +124800,13 @@ rule ESET_Stantinko_Ihctrl32 meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "289c7939-5207-564a-8575-815e50cd1c5b" + id = "e8ab9f78-f438-5d9b-8407-e6c7e241da2c" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L189-L209" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_1829e08fb2289f738d0e75ad9977169e9a94379da764b1766f23fa47e8bc2543" + logic_hash = "1829e08fb2289f738d0e75ad9977169e9a94379da764b1766f23fa47e8bc2543" score = 75 quality = 80 tags = "" @@ -124830,13 +124830,13 @@ rule ESET_Stantinko_Wsaudio meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "77054970-2964-524a-9730-71b0ff3b90f7" + id = "623f4ac7-03ec-52df-b7bf-0a2055453c52" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L211-L233" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_45d92f1475f316ba50a9a4a3dd519d1186ed16c68bd2debe326736a1e3154562" + logic_hash = "45d92f1475f316ba50a9a4a3dd519d1186ed16c68bd2debe326736a1e3154562" score = 75 quality = 80 tags = "" 
@@ -124859,13 +124859,13 @@ rule ESET_Stantinko_Ghstore meta: description = "No description has been set in the source file - ESET" author = "ESET TI" - id = "76da8b52-20ad-51a6-acf3-3e176a9ddb3b" + id = "ef9f0c27-35ea-5dd5-925f-09b6e043569d" date = "2017-07-17" modified = "2017-07-20" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/stantinko/stantinko.yar#L235-L255" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_e5628d6ffb2d3684264b3a88c4d7b5d2ce8983aa22badf5839ccb8ba2e3ef2d4" + logic_hash = "e5628d6ffb2d3684264b3a88c4d7b5d2ce8983aa22badf5839ccb8ba2e3ef2d4" score = 75 quality = 80 tags = "" @@ -124889,13 +124889,13 @@ rule ESET_IIS_Group02 meta: description = "Detects Group 2 native IIS malware family" author = "ESET Research" - id = "bfdd1bb1-08e4-55ab-80c5-bc36180e4b57" + id = "945e3748-1072-55f3-abaa-903dfc250294" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L134-L155" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_3fa2b8fed3c580f446b55412a920a5cfed2317b06aa93d059e9f89fdbec8f683" + logic_hash = "3fa2b8fed3c580f446b55412a920a5cfed2317b06aa93d059e9f89fdbec8f683" score = 75 quality = 76 tags = "" 
@@ -124918,13 +124918,13 @@ rule ESET_IIS_Group03 meta: description = "Detects Group 3 native IIS malware family" author = "ESET Research" - id = "8d8c5692-56ce-501e-8bf3-c0fa006fdf7a" + id = "9caf9b3e-611e-5e0e-a7ee-9e7515679022" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L157-L176" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_d811c2ac610780bf968e86e8fd302cffc9434902e547399d06fdeb30d1719f51" + logic_hash = "d811c2ac610780bf968e86e8fd302cffc9434902e547399d06fdeb30d1719f51" score = 75 quality = 80 tags = "" @@ -124945,13 +124945,13 @@ rule ESET_IIS_Group04_Rgdoor meta: description = "Detects Group 4 native IIS malware family (RGDoor)" author = "ESET Research" - id = "8dedeaf8-640a-551f-b930-a049a77aacee" + id = "64a0e664-a4d9-555b-a11b-5f7d9d0678b1" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L178-L199" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_be615dc0cc8bf0fd52cc5a88a3759c1cb1cd18703de74d16f5cce3eabccf91c6" + logic_hash = "be615dc0cc8bf0fd52cc5a88a3759c1cb1cd18703de74d16f5cce3eabccf91c6" score = 75 quality = 80 tags = "" 
@@ -124973,13 +124973,13 @@ rule ESET_IIS_Group05_Iistealer meta: description = "Detects Group 5 native IIS malware family (IIStealer)" author = "ESET Research" - id = "f0f5b3ff-0f13-5faa-94dd-19e060656dc5" + id = "598ec6b2-0349-5da7-acad-72ef2468b927" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L201-L232" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_5dff445121fda59df805d6fcb5db3f8f8e52a6e63e2da2a6875f8c9ad9cafc72" + logic_hash = "5dff445121fda59df805d6fcb5db3f8f8e52a6e63e2da2a6875f8c9ad9cafc72" score = 75 quality = 80 tags = "" @@ -125008,13 +125008,13 @@ rule ESET_IIS_Group06_ISN meta: description = "Detects Group 6 native IIS malware family (ISN)" author = "ESET Research" - id = "b8cba1c3-9df8-544a-80f3-32d4b3fcb333" + id = "1f68fc42-61a3-5a7d-9daa-31ae3b561837" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L234-L259" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_2f59034a642a9b92fc88922433cd5923be02332159cba5e16d99d9523ed43205" + logic_hash = "2f59034a642a9b92fc88922433cd5923be02332159cba5e16d99d9523ed43205" score = 75 quality = 80 tags = "" 
@@ -125040,13 +125040,13 @@ rule ESET_IIS_Group07_Iispy meta: description = "Detects Group 7 native IIS malware family (IISpy)" author = "ESET Research" - id = "17bccdc6-e280-544e-a42e-cdfe48d55000" + id = "64ed0189-a0be-5592-b9c6-1622700a7ed7" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L261-L296" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_ec5db5f36d06f9b0bdfe598fc72431da35afc1473dcc29f437a0f48ea9835a03" + logic_hash = "ec5db5f36d06f9b0bdfe598fc72431da35afc1473dcc29f437a0f48ea9835a03" score = 75 quality = 80 tags = "" @@ -125078,13 +125078,13 @@ rule ESET_IIS_Group08 meta: description = "Detects Group 8 native IIS malware family" author = "ESET Research" - id = "ce5e5ac3-99d8-5009-aca9-3e204bbd99e9" + id = "d0e9a5ec-b7f0-5d3f-93b4-d048503eb210" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L298-L337" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_d5826d454d25ecbbb5da464da974023a247517d873cf10dc0eafa91e185451da" + logic_hash = "d5826d454d25ecbbb5da464da974023a247517d873cf10dc0eafa91e185451da" score = 75 quality = 53 tags = "" 
@@ -125124,13 +125124,13 @@ rule ESET_IIS_Group09 meta: description = "Detects Group 9 native IIS malware family" author = "ESET Research" - id = "9e31e907-b305-5ccd-8112-4305ff1900a0" + id = "69d176bc-73b1-5c4d-bb7e-463d26e8e6a9" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L339-L387" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_5f89f9488221b8db8d493b3c23b7f5edd957c15511148eca890558886c128192" + logic_hash = "5f89f9488221b8db8d493b3c23b7f5edd957c15511148eca890558886c128192" score = 75 quality = 76 tags = "" @@ -125178,13 +125178,13 @@ rule ESET_IIS_Group10 meta: description = "Detects Group 10 native IIS malware family" author = "ESET Research" - id = "a0cf4e20-ca9c-5421-a080-a8906c1b09e2" + id = "31368b38-9128-594d-888d-e97d3edc7a1f" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L389-L423" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_48701168d7da726222227ef757f1a4005a49c0bf300123319ce03db09445b3ef" + logic_hash = "48701168d7da726222227ef757f1a4005a49c0bf300123319ce03db09445b3ef" score = 75 quality = 80 tags = "" 
@@ -125219,13 +125219,13 @@ rule ESET_IIS_Group11 meta: description = "Detects Group 11 native IIS malware family" author = "ESET Research" - id = "d14c7c0b-3c56-588e-8632-33d5c567f99c" + id = "e9dac67a-1675-5198-ad26-d555696844f9" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L425-L455" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_a67b6b49b5fc2c7f260c06201c59478f5472de63091c510af82d526c410abb0c" + logic_hash = "a67b6b49b5fc2c7f260c06201c59478f5472de63091c510af82d526c410abb0c" score = 75 quality = 80 tags = "" @@ -125249,13 +125249,13 @@ rule ESET_IIS_Group12 meta: description = "Detects Group 12 native IIS malware family" author = "ESET Research" - id = "125ff157-3a1b-5f77-b08d-5f90a94c73e1" + id = "7278f2df-d18a-5d95-9c21-37906629a7f0" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L457-L495" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_8da03328e3702aff8ea5de77fc220f326030c31972d27c0bd9b5918dca550aba" + logic_hash = "8da03328e3702aff8ea5de77fc220f326030c31972d27c0bd9b5918dca550aba" score = 75 quality = 78 tags = "" 
@@ -125293,13 +125293,13 @@ rule ESET_IIS_Group13_Iiserpent meta: description = "Detects Group 13 native IIS malware family (IISerpent)" author = "ESET Research" - id = "019d33b8-2a11-5184-8cf1-35776c79fd7b" + id = "f22dffb1-466f-5a7b-b9aa-de7ba991db1a" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L497-L523" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_7077b842c53ee1581ad4150cdfaac3502bfc0fbd3b823190ad648e09f36e442d" + logic_hash = "7077b842c53ee1581ad4150cdfaac3502bfc0fbd3b823190ad648e09f36e442d" score = 75 quality = 80 tags = "" @@ -125327,13 +125327,13 @@ rule ESET_IIS_Group14 meta: description = "Detects Group 14 native IIS malware family" author = "ESET Research" - id = "7165e279-af54-584e-bc99-b5071100e32f" + id = "c773b09e-9f24-5e75-ba80-4be69af70b06" date = "2021-08-04" modified = "2021-08-04" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/badiis/badiis.yar#L525-L552" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_ef10a4dfb1a9164533677416a7c9ada715ce10bfc1e5f92b56cf54bd890d4575" + logic_hash = "ef10a4dfb1a9164533677416a7c9ada715ce10bfc1e5f92b56cf54bd890d4575" score = 75 quality = 80 tags = "" 
@@ -125360,13 +125360,13 @@ rule ESET_Apt_Windows_TA410_Tendyron_Dropper meta: description = "TA410 Tendyron Dropper" author = "ESET Research" - id = "5ad87699-5e6e-5a3f-8206-ce269d85ae26" + id = "8d1e16d9-b5c2-5427-a0b4-7dd00a9df5ec" date = "2020-12-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L34-L53" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_45f7300a4b85624ad3fda5c73a24f53f53cb7990def4d84e04dcd8e5747f4f2e" + logic_hash = "45f7300a4b85624ad3fda5c73a24f53f53cb7990def4d84e04dcd8e5747f4f2e" score = 75 quality = 80 tags = "" @@ -125389,13 +125389,13 @@ rule ESET_Apt_Windows_TA410_Tendyron_Installer meta: description = "TA410 Tendyron Installer" author = "ESET Research" - id = "53991487-825b-5e00-8d38-488186ded2c3" + id = "95ccad1c-99fb-5d38-aec0-650db3e06b35" date = "2020-12-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L55-L73" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_9c3afb924747614f27c31cf2c3d98f4932a9d11597a3ac94263bf93be02801da" + logic_hash = "9c3afb924747614f27c31cf2c3d98f4932a9d11597a3ac94263bf93be02801da" score = 75 quality = 80 tags = "" 
@@ -125417,13 +125417,13 @@ rule ESET_Apt_Windows_TA410_Tendyron_Downloader meta: description = "TA410 Tendyron Downloader" author = "ESET Research" - id = "0a0e66fb-368f-5840-8bac-be1ba9986a1a" + id = "afd8a2a7-8d58-5a96-b9e0-6f8b859e83c5" date = "2020-12-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L75-L107" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_16030a78ae9af8783f5913644294ceff861c8264ead8ca99435032be6d7949ef" + logic_hash = "16030a78ae9af8783f5913644294ceff861c8264ead8ca99435032be6d7949ef" score = 75 quality = 80 tags = "" @@ -125450,13 +125450,13 @@ rule ESET_Apt_Windows_TA410_X4_Strings meta: description = "Matches various strings found in TA410 X4" author = "ESET Research" - id = "7b920fe9-016d-5ba7-8ea7-589d566901a6" + id = "e6af4516-8b79-5182-8571-7dd530632ddc" date = "2020-10-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L109-L125" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_d4b2321a6d0eb0ca8d7c47596af2a45c22b3aef15d1832d64d6588a62cab312a" + logic_hash = "d4b2321a6d0eb0ca8d7c47596af2a45c22b3aef15d1832d64d6588a62cab312a" score = 75 quality = 74 tags = "" 
@@ -125476,13 +125476,13 @@ rule ESET_Apt_Windows_TA410_X4_Hash_Values : FILE meta: description = "Matches X4 hash function found in TA410 X4" author = "ESET Research" - id = "bac69062-aedf-5a66-84d7-c9165017471a" + id = "859bb977-82d0-5314-b1a8-fb3bb06a1b28" date = "2020-10-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L127-L149" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_bcf3891ff888ca99af9aa0e239b29241ae819022607fb829c5731267add308ea" + logic_hash = "bcf3891ff888ca99af9aa0e239b29241ae819022607fb829c5731267add308ea" score = 75 quality = 80 tags = "FILE" @@ -125507,13 +125507,13 @@ rule ESET_Apt_Windows_TA410_X4_Hash_Fct : FILE meta: description = "Matches X4 hash function found in TA410 X4" author = "ESET Research" - id = "0fe8de40-8fc9-527b-aacb-18eeca8963ea" + id = "5ca435a4-7c6e-594d-8c4d-d577735884e6" date = "2020-10-09" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L151-L187" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_3b2d44cb7685a99e9aeb08f886f6876d43ee99d1e52e40705c3fa97ce3bfa9a0" + logic_hash = "3b2d44cb7685a99e9aeb08f886f6876d43ee99d1e52e40705c3fa97ce3bfa9a0" score = 75 quality = 80 tags = "FILE" 
@@ -125540,13 +125540,13 @@ rule ESET_Apt_Windows_TA410_Lookback_Decryption : FILE meta: description = "Matches encryption/decryption function used by LookBack." author = "ESET Research" - id = "cde7c0cc-7dbd-5ec5-8245-c319cbde7056" + id = "91947c6b-f357-5cf8-8522-4dcd517d01cb" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L189-L254" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_016dca6be654fcd193acc481e6a998efbb77e7ebd09b26614422be1136dd02c0" + logic_hash = "016dca6be654fcd193acc481e6a998efbb77e7ebd09b26614422be1136dd02c0" score = 75 quality = 80 tags = "FILE" @@ -125615,13 +125615,13 @@ rule ESET_Apt_Windows_TA410_Lookback_Loader : FILE meta: description = "Matches the modified function in LookBack libcurl loader." author = "ESET Research" - id = "13c0bcdd-4704-5e05-bea7-4c778fcb8723" + id = "d0aac4f6-f72f-5adf-8f8f-9251bad70131" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L256-L309" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_98390dd664227ad747e5572771d12e7ebd2475d26db27e85508347ac6f44f3bf" + logic_hash = "98390dd664227ad747e5572771d12e7ebd2475d26db27e85508347ac6f44f3bf" score = 75 quality = 80 tags = "FILE" 
@@ -125680,13 +125680,13 @@ rule ESET_Apt_Windows_TA410_Lookback_Strings : FILE meta: description = "Matches multiple strings and export names in TA410 LookBack." author = "ESET Research" - id = "95cbbbcf-abf5-5512-bd23-b13dbf5d02b6" + id = "b693c468-5abf-579d-bc03-67f67339feb9" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L311-L331" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_d17ed604e3691c20fe489f95197b7b802ec951ed13d538fa6643449485b326b2" + logic_hash = "d17ed604e3691c20fe489f95197b7b802ec951ed13d538fa6643449485b326b2" score = 75 quality = 80 tags = "FILE" @@ -125709,13 +125709,13 @@ rule ESET_Apt_Windows_TA410_Lookback_HTTP : FILE meta: description = "Matches LookBack's hardcoded HTTP request" author = "ESET Research" - id = "d58fec9b-de9f-560f-8055-e6ea3c4b4180" + id = "ca4ee437-5ac9-5715-90fb-e0e74a817bb5" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L333-L349" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_0e777f56136cd11d62abdf4f120410d5fe9cd522cfc06afbf085414a96279bf7" + logic_hash = "0e777f56136cd11d62abdf4f120410d5fe9cd522cfc06afbf085414a96279bf7" score = 75 quality = 80 tags = "FILE" 
@@ -125734,13 +125734,13 @@ rule ESET_Apt_Windows_TA410_Lookback_Magic : FILE meta: description = "Matches message header creation in LookBack." author = "ESET Research" - id = "9cfdb68d-6e9c-5176-a45b-958717c07431" + id = "5a40a307-772b-5600-9e58-f4bc6dfe6711" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L351-L377" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_442a08a77fd2db03e507c0d5a32b17ab4e5936a209f7af23ef3c33a4b9f3d0d5" + logic_hash = "442a08a77fd2db03e507c0d5a32b17ab4e5936a209f7af23ef3c33a4b9f3d0d5" score = 75 quality = 80 tags = "FILE" @@ -125769,13 +125769,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Loader_Strings : FILE meta: description = "Matches various strings found in TA410 FlowCloud first stage." author = "ESET Research" - id = "012c6333-6e52-5181-b9b1-66f11e576ef9" + id = "a3fb894f-8e26-5cbd-a1f2-8a9ab1db0901" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L379-L415" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_3c90723e009ffe2603910566ac52a324256676ee3ff128d94427681010e10e8b" + logic_hash = "3c90723e009ffe2603910566ac52a324256676ee3ff128d94427681010e10e8b" score = 75 quality = 78 tags = "FILE" 
@@ -125814,13 +125814,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Header_Decryption : FILE
 meta:
 description = "Matches the function used to decrypt resources headers in TA410 FlowCloud"
 author = "ESET Research"
- id = "dad09e87-9e5b-59b7-8eed-b37c2b9e9b35"
- date = "2024-01-22"
+ id = "403c1845-bc25-5a49-8553-8a0be18d6970"
+ date = "2024-01-23"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L417-L496"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_74b6c42bf2de159b2b0a15637e6bd94069367e3000c887714d6e3b50aa3646be"
+ logic_hash = "74b6c42bf2de159b2b0a15637e6bd94069367e3000c887714d6e3b50aa3646be"
 score = 75
 quality = 80
 tags = "FILE"
@@ -125869,13 +125869,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Dll_Hijacking_Strings : FILE
 meta:
 description = "Matches filenames inside TA410 FlowCloud malicious DLL."
 author = "ESET Research"
- id = "914e3f3d-7aa8-5888-a5c7-d83ffad5e350"
+ id = "6636d4d0-0a7f-5971-a7f4-58803042d874"
 date = "2021-10-12"
 modified = "2022-04-27"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L498-L517"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_e8082d4216364a12ba395f772b5caed94b3068d26a2b3a97ef711d61a82f65b3"
+ logic_hash = "e8082d4216364a12ba395f772b5caed94b3068d26a2b3a97ef711d61a82f65b3"
 score = 75
 quality = 80
 tags = "FILE"
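Review bot: The new `+ date = "2024-01-23"` line leaves `date` later than the unchanged `modified = "2022-04-27"` line in the same hunk, and every neighbouring TA410 rule keeps `date = "2021-10-12"`, so this value looks like a build timestamp substituted where the upstream rule carries no date rather than an authoring date. Because the `logic_hash` digest for this rule is unchanged apart from the dropped `v1_sha256_` prefix, a `date` that moves by one day between two generations makes the file non-reproducible and will surface as a spurious diff on every regeneration. I would leave `date` empty for this rule or pin it to `modified`, e.g. `date = "2022-04-27"`, and have whatever produces this file reject any rule whose `date` is later than its `modified`. The `id` change on the `+ id = "403c1845-…"` line is the same wholesale regeneration seen in every other hunk of this file, and downstream consumers keyed on `id` will need a mapping from the old values.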
@@ -125898,13 +125898,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Malicious_Dll_Antianalysis : FILE meta: description = "Matches anti-analysis techniques used in TA410 FlowCloud hijacking DLL." author = "ESET Research" - id = "0ee5cb54-cca6-52dd-a7da-8fbf5bf66478" + id = "b38a1d4d-5053-5a6d-be8c-c00261936417" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L519-L552" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_8f14352118d32a43c17f70bd753acc48bd314965f10ab97818e8a434bbda96d9" + logic_hash = "8f14352118d32a43c17f70bd753acc48bd314965f10ab97818e8a434bbda96d9" score = 75 quality = 80 tags = "FILE" @@ -125933,13 +125933,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Pdb : FILE meta: description = "Matches PDB paths found in TA410 FlowCloud." author = "ESET Research" - id = "a2566a1b-c09a-54f4-b0dd-c2d636b394e7" + id = "8bf25768-941e-55c6-bd21-f6b614c9d75d" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L554-L567" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_ff95ab0f8e68efe612a6e0d70cebd8bf815d6b5e3877c098ac0761382dc310d6" + logic_hash = "ff95ab0f8e68efe612a6e0d70cebd8bf815d6b5e3877c098ac0761382dc310d6" score = 75 quality = 80 tags = "FILE" 
@@ -125954,13 +125954,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Shellcode_Decryption : FILE meta: description = "Matches the decryption function used in TA410 FlowCloud self-decrypting DLL" author = "ESET Research" - id = "aa03d3ad-c2ac-5b0d-84a0-2f353684b234" + id = "8af7b2fa-be40-5ec8-8413-1c982a463a9a" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L569-L615" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_939ffe6a41c957aa5d6c012484b2deab49a5e71a4b7e203a41c180f872803921" + logic_hash = "939ffe6a41c957aa5d6c012484b2deab49a5e71a4b7e203a41c180f872803921" score = 75 quality = 80 tags = "FILE" @@ -125993,13 +125993,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Fcclient_Strings : FILE meta: description = "Strings found in fcClient/rescure.dat module." author = "ESET Research" - id = "6f2dfde7-d8d0-5fc1-8bc0-1cf1a02f7903" + id = "876bae0b-2612-559b-9ead-b633a3789663" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L617-L639" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_c05b7031a5aec1bcf29eca06c010c402edeb24a093a2043dbc21781dff22c7fe" + logic_hash = "c05b7031a5aec1bcf29eca06c010c402edeb24a093a2043dbc21781dff22c7fe" score = 75 quality = 80 tags = "FILE" 
@@ -126024,13 +126024,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_Fcclientdll_Strings : FILE meta: description = "Strings found in fcClientDll/responsor.dat module." author = "ESET Research" - id = "ff02d23f-8957-5f73-94a5-e4d6980f8180" + id = "80ecaf51-406f-590c-8f9c-59672683de02" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L641-L669" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_3a93f58cf14b57a96157077ec14aa6fb181e3da80f4ba46c0379a58b67c08a0e" + logic_hash = "3a93f58cf14b57a96157077ec14aa6fb181e3da80f4ba46c0379a58b67c08a0e" score = 75 quality = 80 tags = "FILE" @@ -126061,13 +126061,13 @@ rule ESET_Apt_Windows_TA410_Rootkit_Strings : FILE meta: description = "Strings found in TA410's Rootkit" author = "ESET Research" - id = "c6af81b7-76e6-5715-93b7-7ac1db8b2cd3" + id = "a6a97721-571e-5414-9b00-5789d7bcd078" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L671-L697" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_1d3ad63508c5e4bca32b9a44b738cb4a7384ccfa5704ce329260adb342ea4e60" + logic_hash = "1d3ad63508c5e4bca32b9a44b738cb4a7384ccfa5704ce329260adb342ea4e60" score = 75 quality = 80 tags = "FILE" 
@@ -126098,13 +126098,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V5_Resources : FILE meta: description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 5.0.2" author = "ESET Research" - id = "56f07f5d-93a7-5c25-b0f1-c3f4d8af1ac8" + id = "05a233f0-a823-5154-a47d-cede722d4710" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L699-L720" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_58f75dda53c6d4b3d88f464c452d855ac6dc88add5f4fba2641f52e7a1ae00ed" + logic_hash = "58f75dda53c6d4b3d88f464c452d855ac6dc88add5f4fba2641f52e7a1ae00ed" score = 75 quality = 80 tags = "FILE" @@ -126121,13 +126121,13 @@ rule ESET_Apt_Windows_TA410_Flowcloud_V4_Resources : FILE meta: description = "Matches sequence of PE resource IDs found in TA410 FlowCloud version 4.1.3" author = "ESET Research" - id = "08265212-5eec-5f6b-806f-133b75c0c16d" + id = "57b98823-439f-5a2c-a8cb-ac5e98953b06" date = "2021-10-12" modified = "2022-04-27" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/ta410/ta410.yar#L722-L741" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_7b475cfddb5f995f7e8e3293b8e6ae59a9e36143998bc444499b5dce467f8e9d" + logic_hash = "7b475cfddb5f995f7e8e3293b8e6ae59a9e36143998bc444499b5dce467f8e9d" score = 75 quality = 80 tags = "FILE" 
@@ -126142,13 +126142,13 @@ rule ESET_Apt_Windows_Invisimole_Logs : FILE meta: description = "Detects log files with collected created by InvisiMole's RC2CL backdoor" author = "ESET Research" - id = "1510c337-79f9-5011-ac18-c2eb24429b4e" + id = "151883ad-1f44-55b4-b12a-f0d399527189" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L54-L77" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_d42423ccc768f1823c76d5cb2aec26434c796fc35bd4e2fbf435fcf7997d3ff0" + logic_hash = "d42423ccc768f1823c76d5cb2aec26434c796fc35bd4e2fbf435fcf7997d3ff0" score = 75 quality = 80 tags = "FILE" @@ -126163,13 +126163,13 @@ rule ESET_Apt_Windows_Invisimole_SFX_Dropper : FILE meta: description = "Detects trojanized InvisiMole files: patched RAR SFX droppers with added InvisiMole blobs (config encrypted XOR 2A at the end of a file)" author = "ESET Research" - id = "8318efe0-aa80-5985-8d54-654af3e46fc4" + id = "08490bcd-3139-5fac-9c6c-5a32acb7217a" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L79-L95" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_6ca248d42c1e889988e5931d80df071cb20e623fb0c4a208044cabe073f71ce4" + logic_hash = "6ca248d42c1e889988e5931d80df071cb20e623fb0c4a208044cabe073f71ce4" score = 75 quality = 80 tags = "FILE" 
@@ -126187,13 +126187,13 @@ rule ESET_Apt_Windows_Invisimole_CPL_Loader : FILE meta: description = "CPL loader" author = "ESET Research" - id = "23d9ca52-f274-57ac-83f6-4d3b0a857e29" + id = "feff8627-6085-5835-ac1b-d4522245f7db" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L97-L118" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_cd5c19e14faa7fd3758b30193ccf2bed3692ad29d8216466523ca25d2abcfe88" + logic_hash = "cd5c19e14faa7fd3758b30193ccf2bed3692ad29d8216466523ca25d2abcfe88" score = 75 quality = 80 tags = "FILE" @@ -126219,13 +126219,13 @@ rule ESET_Apt_Windows_Invisimole_Wrapper_DLL meta: description = "Detects InvisiMole wrapper DLL with embedded RC2CL and RC2FM backdoors, by export and resource names" author = "ESET Research" - id = "5dec4d9a-97bd-5f22-9ae7-9e7d2bc4cd98" + id = "b9609b09-3ef5-5793-a3aa-4692cec367d9" date = "2021-05-17" modified = "2021-05-17" reference = "https://github.com/eset/malware-ioc/" source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L120-L138" license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE" - logic_hash = "v1_sha256_156bc5bc7b0ed5c77a5a15e7799a3077d40150896476a60935cf21a9afe36856" + logic_hash = "156bc5bc7b0ed5c77a5a15e7799a3077d40150896476a60935cf21a9afe36856" score = 75 quality = 80 tags = "" 
@@ -126240,13 +126240,13 @@ rule ESET_Apt_Windows_Invisimole_DNS_Downloader : FILE
 meta:
 description = "InvisiMole DNS downloader"
 author = "ESET Research"
- id = "73835013-57dc-5668-9472-afdf0f26bce4"
+ id = "1caa6c8b-3798-556e-835e-885b7f3f4511"
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L140-L170"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_88d6ed7ec1331153d19afc18473a4be2b214ad8af29fcf7051a2a8e40e088231"
+ logic_hash = "88d6ed7ec1331153d19afc18473a4be2b214ad8af29fcf7051a2a8e40e088231"
 score = 75
 quality = 80
 tags = "FILE"
@@ -126277,13 +126277,13 @@ rule ESET_Apt_Windows_Invisimole_RC2CL_Backdoor : FILE
 meta:
 description = "InvisiMole RC2CL backdoor"
 author = "ESET Research"
- id = "f9b56c6a-bd6b-5290-a06b-d115d3f92d34"
+ id = "0228b8ee-bf03-504e-8cdf-8a1c9a79d54e"
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L172-L213"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_c38550023515d33eaaf0669cc8b874bcfd09653a07c7edbf72e3344d1cf31541"
+ logic_hash = "c38550023515d33eaaf0669cc8b874bcfd09653a07c7edbf72e3344d1cf31541"
 score = 75
 quality = 78
 tags = "FILE"
@@ -126322,13 +126322,13 @@ rule ESET_Apt_Windows_Invisimole : FILE
 meta:
 description = "InvisiMole magic values, keys and strings"
 author = "ESET Research"
- id = "86e6be27-2a38-5791-9e2d-2be518609c18"
+ id = "4d48996b-9792-57ba-a302-349220323712"
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L215-L255"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_7a2cff9febe77d718089ba4e1a33f3487594588892e418cec685bf22b156fa2b"
+ logic_hash = "7a2cff9febe77d718089ba4e1a33f3487594588892e418cec685bf22b156fa2b"
 score = 75
 quality = 80
 tags = "FILE"
@@ -126354,13 +126354,13 @@ rule ESET_Apt_Windows_Invisimole_C2 : FILE
 meta:
 description = "InvisiMole C&C servers"
 author = "ESET Research"
- id = "840d849f-c23e-5f56-a078-4647199533a2"
+ id = "9279c8cd-2c16-5f90-a7f5-e668d57c805b"
 date = "2021-05-17"
 modified = "2021-05-17"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/invisimole/invisimole.yar#L257-L297"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_aff8456ce7a9ebe875c02e51c09b77ee7b1fddfc11d4ad236e12c8c5240a01a8"
+ logic_hash = "aff8456ce7a9ebe875c02e51c09b77ee7b1fddfc11d4ad236e12c8c5240a01a8"
 score = 75
 quality = 78
 tags = "FILE"
@@ -126402,13 +126402,13 @@ rule ESET_Onimiki : LINUX_ONIMIKI
 meta:
 description = "Linux/Onimiki malicious DNS server"
 author = "Olivier Bilodeau "
- id = "c005baad-5bec-5136-ba66-d3344ae2a564"
+ id = "3a99799f-fbb4-5fee-a796-3310acd10e17"
 date = "2014-02-06"
 modified = "2014-04-04"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/windigo-onimiki.yar#L32-L59"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_eac30f5c9a9606d1d0e14c55e0532c54976fbb0d2e4f5cd2d9f719b77e07161a"
+ logic_hash = "eac30f5c9a9606d1d0e14c55e0532c54976fbb0d2e4f5cd2d9f719b77e07161a"
 score = 75
 quality = 80
 tags = "LINUX/ONIMIKI"
@@ -126436,14 +126436,14 @@ rule ESET_Helimodproxy
 meta:
 description = "HelimodProxy malicious Apache module"
 author = "ESET, spol. s r.o."
- id = "ebf3f1f6-8790-53ca-bca5-70d7b2075516"
+ id = "8c05bd0b-9645-580c-ac80-58e45b2a8884"
 date = "2024-04-27"
 modified = "2024-04-27"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L32-L54"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
 hash = "e39667aa137e315bc26eaef791ccab52938fd809"
- logic_hash = "v1_sha256_9e3d57add1042eff41b42f0c8d46ed37af4092d5af4d4b2088b07992a4649bc2"
+ logic_hash = "9e3d57add1042eff41b42f0c8d46ed37af4092d5af4d4b2088b07992a4649bc2"
 score = 75
 quality = 80
 tags = ""
@@ -126465,14 +126465,14 @@ rule ESET_Helimodredirect
 meta:
 description = "HelimodRedirect malicious Apache module"
 author = "ESET, spol. s r.o."
- id = "c19619a0-b541-5ebe-ab92-bc7f07bbf7ac"
+ id = "d8fe674d-8895-5501-b2e3-f74c386e10f0"
 date = "2024-04-27"
 modified = "2024-04-27"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L56-L79"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
 hash = "e39667aa137e315bc26eaef791ccab52938fd809"
- logic_hash = "v1_sha256_1a85cae7ee354e5d96e88781b4e0a49757016d8b64dfb80c07a13b36bf9091e2"
+ logic_hash = "1a85cae7ee354e5d96e88781b4e0a49757016d8b64dfb80c07a13b36bf9091e2"
 score = 75
 quality = 80
 tags = ""
@@ -126494,14 +126494,14 @@ rule ESET_Helimodsteal
 meta:
 description = "HelimodSteal malicious Apache module"
 author = "ESET, spol. s r.o."
- id = "686daa28-449a-5fe0-8f80-e2345e5f6f65"
+ id = "7b080f21-d6e3-5dda-bfd9-fb9d82fbb98e"
 date = "2024-04-27"
 modified = "2024-04-27"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/helimod.yar#L81-L105"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
 hash = "e39667aa137e315bc26eaef791ccab52938fd809"
- logic_hash = "v1_sha256_9c0a5842dc986fec667fc7d7ad9d0c63b89b4a5ec87c9c9b72574ca5b15df928"
+ logic_hash = "9c0a5842dc986fec667fc7d7ad9d0c63b89b4a5ec87c9c9b72574ca5b15df928"
 score = 75
 quality = 80
 tags = ""
@@ -126526,14 +126526,14 @@ rule ESET_Libkeyutils_With_Ctor
 meta:
 description = "This rule detects if a libkeyutils.so shared library has a potentially malicious function to be called when loaded, either via a glibc constructor (DT_INIT + .ctors) or an initializer function in DT_INIT_ARRAY."
 author = "ESET, spol. s r.o."
- id = "edd3daae-1d1e-5684-8fc7-18a8030728f9"
+ id = "7b466bf7-f895-569d-99b0-eca95a6ebc83"
 date = "2024-02-01"
 modified = "2024-04-29"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/ebury.yar#L3-L54"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
 hash = "e7debd6e453192ad8376db5bab03ed0d87566591"
- logic_hash = "v1_sha256_c6172aebc67a05fb044b0450aafcc71c7d1fd2831985587d1a9ad53f59e14214"
+ logic_hash = "c6172aebc67a05fb044b0450aafcc71c7d1fd2831985587d1a9ad53f59e14214"
 score = 75
 quality = 80
 tags = ""
@@ -126551,14 +126551,14 @@ rule ESET_Ebury_V1_7_Crypto
 meta:
 description = "This rule detects the strings decryption routine in Ebury v1.7 and v1.8"
 author = "ESET, spol. s r.o."
- id = "df629161-4051-56cd-9273-3dc669265b7c"
+ id = "93dadf5f-b572-5217-8c82-4957c6d24955"
 date = "2023-08-01"
 modified = "2024-04-29"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/windigo/ebury.yar#L56-L97"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
 hash = "e7debd6e453192ad8376db5bab03ed0d87566591"
- logic_hash = "v1_sha256_41908951069a472d7528f2f228f3681f008d16a0436e341d339909efc4933e66"
+ logic_hash = "41908951069a472d7528f2f228f3681f008d16a0436e341d339909efc4933e66"
 score = 75
 quality = 80
 tags = ""
@@ -126597,13 +126597,13 @@ rule ESET_Mozi_Killswitch : FILE
 meta:
 description = "Mozi botnet kill switch"
 author = "Ivan Besina"
- id = "13bc2685-367c-5176-a71a-db3081cf9d5e"
+ id = "e3d34ae0-de06-5ff4-b44b-44d264b6dd29"
 date = "2023-09-29"
 modified = "2023-10-31"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/mozi/mozi.yar#L32-L51"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_90eaed2f7f5595b145b2678a46ef6179082192215369fa9235024b0ce1574a49"
+ logic_hash = "90eaed2f7f5595b145b2678a46ef6179082192215369fa9235024b0ce1574a49"
 score = 75
 quality = 80
 tags = "FILE"
@@ -126624,13 +126624,13 @@ rule ESET_Keydnap_Downloader
 meta:
 description = "OSX/Keydnap Downloader"
 author = "Marc-Etienne M.Léveillé"
- id = "34485838-a8c7-5f84-83dc-3b5fe2962dae"
+ id = "2b21007a-b143-5538-8777-ba35448d00aa"
 date = "2016-07-06"
 modified = "2016-07-06"
 reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/keydnap/keydnap.yar#L33-L49"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_71c8885193a92fa9c71055c37e629a54d50070cf6820b9216a824ecc4db2ce3c"
+ logic_hash = "71c8885193a92fa9c71055c37e629a54d50070cf6820b9216a824ecc4db2ce3c"
 score = 75
 quality = 80
 tags = ""
@@ -126649,13 +126649,13 @@ rule ESET_Keydnap_Backdoor_Packer
 meta:
 description = "OSX/Keydnap packed backdoor"
 author = "Marc-Etienne M.Léveillé"
- id = "6ea75f11-d2a8-5771-b1b3-5da958746078"
+ id = "f29ad5af-bc86-5764-9451-5a8363788c4e"
 date = "2016-07-06"
 modified = "2016-07-06"
 reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/keydnap/keydnap.yar#L51-L67"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_b1740bf38376be81d3b42306c2ce81f578c0b5c9db804f063836bf98f57ed147"
+ logic_hash = "b1740bf38376be81d3b42306c2ce81f578c0b5c9db804f063836bf98f57ed147"
 score = 75
 quality = 80
 tags = ""
@@ -126674,13 +126674,13 @@ rule ESET_Keydnap_Backdoor
 meta:
 description = "Unpacked OSX/Keydnap backdoor"
 author = "Marc-Etienne M.Léveillé"
- id = "ca0cb509-24bf-5d45-a9ee-fd5ac5746a9d"
+ id = "099c1796-6237-5ec1-ba25-cd5feca79865"
 date = "2016-07-06"
 modified = "2016-07-06"
 reference = "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-is-hungry-for-credentials"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/keydnap/keydnap.yar#L69-L86"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_fa209577a562ef9088d3ad3df3fbc0edda96f09d19177842f0ddea42c658f530"
+ logic_hash = "fa209577a562ef9088d3ad3df3fbc0edda96f09d19177842f0ddea42c658f530"
 score = 75
 quality = 80
 tags = ""
@@ -126701,13 +126701,13 @@ rule ESET_Linux_Rakos
 meta:
 description = "Linux/Rakos.A executable"
 author = "Peter Kálnai"
- id = "05ccf096-cd01-5d82-8a8a-86ce09677e48"
+ id = "3c15401a-22c1-59e2-a979-1f9a6a990ae0"
 date = "2016-12-13"
 modified = "2016-12-19"
 reference = "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/rakos/rakos.yar#L33-L53"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_79a02ada56bf75c5f178b58822eb905977cace3483453ea8cf4dfc32f6b6c30d"
+ logic_hash = "79a02ada56bf75c5f178b58822eb905977cace3483453ea8cf4dfc32f6b6c30d"
 score = 75
 quality = 80
 tags = ""
@@ -126729,13 +126729,13 @@ rule ESET_Mumblehard_Packer
 meta:
 description = "Mumblehard i386 assembly code responsible for decrypting Perl code"
 author = "Marc-Etienne M.Léveillé"
- id = "ec3d1200-9e00-5d1b-8135-904eea70ecbc"
+ id = "981c18e3-ac28-54f5-97ab-44b1d12a1389"
 date = "2015-04-07"
 modified = "2015-05-01"
 reference = "http://www.welivesecurity.com"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/mumblehard/mumblehard_packer.yar#L32-L47"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_a04f50a7054c4ce8ad9be4e7f3373ad4f36eb9443e223601974e852c25603f5f"
+ logic_hash = "a04f50a7054c4ce8ad9be4e7f3373ad4f36eb9443e223601974e852c25603f5f"
 score = 75
 quality = 80
 tags = ""
@@ -126754,13 +126754,13 @@ rule ESET_Kobalos
 meta:
 description = "Kobalos malware"
 author = "Marc-Etienne M.Léveillé"
- id = "dfc3a318-690f-5ed2-86a1-57b7dc428e32"
+ id = "cdffbe3d-c19d-53a8-9051-48affae00c8a"
 date = "2020-11-02"
 modified = "2021-02-01"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/kobalos/kobalos.yar#L32-L56"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_9161d22f9fbb1700dc3121e32104240e34512cb280aaf950aec61513f89061ef"
+ logic_hash = "9161d22f9fbb1700dc3121e32104240e34512cb280aaf950aec61513f89061ef"
 score = 75
 quality = 80
 tags = ""
@@ -126786,13 +126786,13 @@ rule ESET_Kobalos_Ssh_Credential_Stealer
 meta:
 description = "Kobalos SSH credential stealer seen in OpenSSH client"
 author = "Marc-Etienne M.Léveillé"
- id = "dd64875b-5ef8-54c6-8b82-c4fad7bf95f0"
+ id = "b1fc5163-de48-57fc-8ae7-1f2be6c64d8a"
 date = "2020-11-02"
 modified = "2021-02-01"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/kobalos/kobalos.yar#L58-L73"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_be238f5c2cc976a5638584a8c0fc580f2076735aadfe374e8d4162ba723bce10"
+ logic_hash = "be238f5c2cc976a5638584a8c0fc580f2076735aadfe374e8d4162ba723bce10"
 score = 75
 quality = 80
 tags = ""
@@ -126810,13 +126810,13 @@ rule ESET_Generic_Carbon : FILE
 meta:
 description = "Turla Carbon malware"
 author = "ESET Research"
- id = "d5a31151-84f8-5ad4-b61f-608c185b6c85"
+ id = "efdc0d16-a974-5c00-a401-391d60f3081e"
 date = "2017-03-30"
 modified = "2017-03-30"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/carbon.yar#L33-L51"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_6481ccafb7c7c78bc52d01881cb96f3aa6209fdd35e090bdc9d5f5105b4e38ea"
+ logic_hash = "6481ccafb7c7c78bc52d01881cb96f3aa6209fdd35e090bdc9d5f5105b4e38ea"
 score = 75
 quality = 80
 tags = "FILE"
@@ -126838,13 +126838,13 @@ rule ESET_Carbon_Metadata
 meta:
 description = "Turla Carbon malware"
 author = "ESET Research"
- id = "fcad3fdb-e0ef-52ca-838c-117abe6e7e41"
+ id = "976b6a7d-00bf-5d0f-baf9-84fc5dbd21a2"
 date = "2017-03-30"
 modified = "2017-03-30"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/carbon.yar#L53-L69"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_81b59e9566f3b3356acf12dadb80abdcbee28e0b1a9efead66fcb95bf6fc1aa5"
+ logic_hash = "81b59e9566f3b3356acf12dadb80abdcbee28e0b1a9efead66fcb95bf6fc1aa5"
 score = 75
 quality = 80
 tags = ""
@@ -126859,13 +126859,13 @@ rule ESET_Turla_Outlook_Gen
 meta:
 description = "Turla Outlook malware"
 author = "ESET Research"
- id = "f7c7b0e5-e741-535f-93d2-66b5ff1121c2"
+ id = "efef2443-c941-54c2-abfa-bbe29c53d930"
 date = "2018-05-09"
 modified = "2018-09-05"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L42-L74"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_f709e517e9d957775601670c426cc9def1c4104cb1ff647d269800d2af4372c7"
+ logic_hash = "f709e517e9d957775601670c426cc9def1c4104cb1ff647d269800d2af4372c7"
 score = 75
 quality = 78
 tags = ""
@@ -126902,13 +126902,13 @@ rule ESET_Turla_Outlook_Filenames
 meta:
 description = "Turla Outlook filenames"
 author = "ESET Research"
- id = "66a31c76-aa67-5040-be48-75beb47fbc61"
+ id = "3a08003d-50d6-5fdf-9f74-222335ebfa3e"
 date = "2018-08-22"
 modified = "2018-09-05"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L76-L91"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_3be86c9325de6634c032321beed131fdf1e1952afcb43258fb202d0097610501"
+ logic_hash = "3be86c9325de6634c032321beed131fdf1e1952afcb43258fb202d0097610501"
 score = 75
 quality = 80
 tags = ""
@@ -126928,13 +126928,13 @@ rule ESET_Turla_Outlook_Log
 meta:
 description = "First bytes of the encrypted Turla Outlook logs"
 author = "ESET Research"
- id = "8dfa0ef7-59d2-5e28-9bc8-6b17d972ef67"
+ id = "b0031c08-8418-5a02-8a2c-daa7236f46f0"
 date = "2018-08-22"
 modified = "2018-09-05"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L93-L107"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_e7dc00c33a643c0940aaea2096d099192b27df3c81c518f1dc2b3d45a0a74312"
+ logic_hash = "e7dc00c33a643c0940aaea2096d099192b27df3c81c518f1dc2b3d45a0a74312"
 score = 75
 quality = 80
 tags = ""
@@ -126954,13 +126954,13 @@ rule ESET_Turla_Outlook_Exports
 meta:
 description = "Export names of Turla Outlook Malware"
 author = "ESET Research"
- id = "a45588d9-5280-5194-949a-857aa4467a60"
+ id = "6df4f75e-711a-539d-94bf-9e4e2063ecd4"
 date = "2018-08-22"
 modified = "2018-09-05"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/turla-outlook.yar#L109-L125"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_a961fdb43ea1e99b308f55b8f5e264b1f3fa817eaf463d512e2ad8b98a18ee99"
+ logic_hash = "a961fdb43ea1e99b308f55b8f5e264b1f3fa817eaf463d512e2ad8b98a18ee99"
 score = 75
 quality = 80
 tags = ""
@@ -126977,13 +126977,13 @@ rule ESET_Gazer_Certificate_Subject
 meta:
 description = "Turla Gazer malware"
 author = "ESET Research"
- id = "b3bd1c45-c002-5ec6-b238-b2c01602501a"
+ id = "a7719333-b341-538c-a8ed-5c50b653a765"
 date = "2017-08-30"
 modified = "2017-08-29"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/gazer.yar#L33-L46"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_6e870c9cdcee33769162de62ea143ff401af50b22a63d2f212c44d06f5771dec"
+ logic_hash = "6e870c9cdcee33769162de62ea143ff401af50b22a63d2f212c44d06f5771dec"
 score = 75
 quality = 80
 tags = ""
@@ -126998,13 +126998,13 @@ rule ESET_Gazer_Certificate : FILE
 meta:
 description = "Turla Gazer malware"
 author = "ESET Research"
- id = "9f9e4e3c-f495-51f6-b9de-59040fad66af"
+ id = "e90bbe53-4e7f-59c4-a505-4893150bf824"
 date = "2017-08-30"
 modified = "2017-08-29"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/gazer.yar#L48-L65"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_eb3afbaefd23d4fc6ded494d3378dc910a0832b160e733ab79c590128dd74cea"
+ logic_hash = "eb3afbaefd23d4fc6ded494d3378dc910a0832b160e733ab79c590128dd74cea"
 score = 75
 quality = 80
 tags = "FILE"
@@ -127023,13 +127023,13 @@ rule ESET_Gazer_Logfile_Name : FILE
 meta:
 description = "Turla Gazer malware"
 author = "ESET Research"
- id = "c049ecd5-91ee-5342-83fd-bc6ae022818e"
+ id = "3e1454e9-dddf-5197-b486-b96d725fdb58"
 date = "2017-08-30"
 modified = "2017-08-29"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/turla/gazer.yar#L67-L85"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_b50553f4b4b07f124e5bd390e7dc8ac6b60a8ef185f3bc227894f957d6483478"
+ logic_hash = "b50553f4b4b07f124e5bd390e7dc8ac6b60a8ef185f3bc227894f957d6483478"
 score = 75
 quality = 80
 tags = "FILE"
@@ -127049,13 +127049,13 @@ rule ESET_Moose_1
 meta:
 description = "No description has been set in the source file - ESET"
 author = "ESET TI"
- id = "3b0dba8a-984c-5c2c-80c7-c285baa45207"
+ id = "4d228de6-ddbf-57c0-a330-5840c4d40dfc"
 date = "2015-04-21"
 modified = "2016-11-01"
 reference = "https://github.com/eset/malware-ioc/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/moose/linux-moose.yar#L41-L76"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_8bedac80a1f754ce56294ba9786b62a002aacd074f756724401efc61def127e6"
+ logic_hash = "8bedac80a1f754ce56294ba9786b62a002aacd074f756724401efc61def127e6"
 score = 75
 quality = 30
 tags = ""
@@ -127094,13 +127094,13 @@ rule ESET_Moose_2
 meta:
 description = "No description has been set in the source file - ESET"
 author = "ESET TI"
- id = "827f0e54-94ff-57fd-a5b4-2718197b2169"
+ id = "74372984-dace-5665-a5d0-39b8d1002fa1"
 date = "2016-10-02"
 modified = "2016-11-01"
 reference = "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/"
 source_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/moose/linux-moose.yar#L78-L110"
 license_url = "https://github.com/eset/malware-ioc/blob/9431ee8ccf63b1c014bfaa5f1a28dc747772d28d/LICENSE"
- logic_hash = "v1_sha256_3f50d2d81d4c27e44d93804adcf93971017767ed0e020447cdb343931c2fbc43"
+ logic_hash = "3f50d2d81d4c27e44d93804adcf93971017767ed0e020447cdb343931c2fbc43"
 score = 75
 quality = 80
 tags = ""
@@ -127139,7 +127139,7 @@ rule ESET_Sparklinggoblin_Chacha20Loader_Richheader
 meta:
 description = "Rule matching ChaCha20 loaders rich header"
 author = "ESET Research"
- id = "a9e164e9-7295-5ea0-b807-71d4a8d374d2"
+ id = "e1dac369-f25e-5cb3-aafa-b0c45f05b295"
 date = "2021-03-30"
 modified = "2021-08-26"
 reference = "https://github.com/eset/malware-ioc/"
@@ -127152,7 +127152,7 @@ rule ESET_Sparklinggoblin_Chacha20Loader_Richheader
 hash = "4cec7cdc78d95c70555a153963064f216dae8799"
 hash = "4d4c1a062a0390b20732ba4d65317827f2339b80"
 hash = "4f6949a4906b834e83ff951e135e0850fe49d5e4"
- logic_hash = "v1_sha256_a5c9595036dec0e0aef0a030c590189752217d15d3f53bf3dc537f5b43fae63e"
+ logic_hash = "a5c9595036dec0e0aef0a030c590189752217d15d3f53bf3dc537f5b43fae63e"
 score = 75
 quality = 80
 tags = ""
@@ -127166,7 +127166,7 @@ rule ESET_Sparklinggoblin_Chacha20 : FILE
 meta:
 description = "SparklingGoblin ChaCha20 implementations"
 author = "ESET Research"
- id = "ad70c9c3-2b57-53e8-ae7d-913e8f574f6a"
+ id = "c0caceca-f685-5786-82f6-3ab7435f8061"
 date = "2021-05-20"
 modified = "2021-08-26"
 reference = "https://github.com/eset/malware-ioc/"
@@ -127179,7 +127179,7 @@ rule ESET_Sparklinggoblin_Chacha20 : FILE
 hash = "9bdecb08e16a23d271d0a3e836d9e7f83d7e2c3b"
 hash = "9ce7650f2c08c391a35d69956e171932d116b8bd"
 hash = "91b32e030a1f286e7d502ca17e107d4bfbd7394a"
- logic_hash = "v1_sha256_b742bc22e0ebbce40607cb109b4d6fb03a40c1fb223c8092d93346dd3dd22789"
+ logic_hash = "b742bc22e0ebbce40607cb109b4d6fb03a40c1fb223c8092d93346dd3dd22789"
 score = 75
 quality = 80
 tags = "FILE"
@@ -127477,7 +127477,7 @@ rule ESET_Sparklinggoblin_Etweventwrite
 meta:
 description = "SparklingGoblin EtwEventWrite patching"
 author = "ESET Research"
- id = "a1c5685a-f41f-5258-82cf-962e446d93ae"
+ id = "27b36ee1-a98c-5174-a156-8e0b0d0a58cd"
 date = "2021-05-20"
 modified = "2021-08-26"
 reference = "https://github.com/eset/malware-ioc/"
@@ -127489,7 +127489,7 @@ rule ESET_Sparklinggoblin_Etweventwrite
 hash = "4668302969fe122874fb2447a80378dcb671c86b"
 hash = "9bdecb08e16a23d271d0a3e836d9e7f83d7e2c3b"
 hash = "9ce7650f2c08c391a35d69956e171932d116b8bd"
- logic_hash = "v1_sha256_45615dcc5302392c18052818071623a9d1a1008c460bdb24a4acfb4300356c6b"
+ logic_hash = "45615dcc5302392c18052818071623a9d1a1008c460bdb24a4acfb4300356c6b"
 score = 75
 quality = 80
 tags = ""
@@ -127573,7 +127573,7 @@ rule ESET_Sparklinggoblin_Mutex
 meta:
 description = "SparklingGoblin ChaCha20 loaders mutexes"
 author = "ESET Research"
- id = "bf6e1bd3-90c2-5a78-a06f-eefb2a07b333"
+ id = "e33d2bc1-29d6-5117-8e0f-31f8bced0979"
 date = "2021-05-20"
 modified = "2021-08-26"
 reference = "https://github.com/eset/malware-ioc/"
@@ -127585,7 +127585,7 @@ rule ESET_Sparklinggoblin_Mutex
 hash = "4668302969fe122874fb2447a80378dcb671c86b"
 hash = "9bdecb08e16a23d271d0a3e836d9e7f83d7e2c3b"
 hash = "9ce7650f2c08c391a35d69956e171932d116b8bd"
- logic_hash = "v1_sha256_00fbd514c8e2d6dea3b0f175e857a613e158b64caf1f970e814d62f1ebe9d35c"
+ logic_hash = "00fbd514c8e2d6dea3b0f175e857a613e158b64caf1f970e814d62f1ebe9d35c"
 score = 75
 quality = 80
 tags = ""
@@ -127602,7 +127602,7 @@ rule ESET_Sparklinggoblin_Mutex
 * YARA Rule Set
 * Repository Name: FireEye-RT
 * Repository: https://github.com/mandiant/red_team_tool_countermeasures/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 3561b71724dbfa3e2bb78106aaa2d7f8b892c43b
 * Number of Rules: 167
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -127641,14 +127641,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Keefarce_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeeFarce' project."
 author = "FireEye"
- id = "01772245-e359-58b7-9628-e72e56a2d614"
+ id = "c17add0c-e09f-5ced-a4e1-bf60afad4725"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/KEEFARCE/production/yara/HackTool_MSIL_KeeFarce_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_8db86230849137608880dbe448737fc70068d308772e294cc69301b18ae10908"
+ logic_hash = "8db86230849137608880dbe448737fc70068d308772e294cc69301b18ae10908"
 score = 75
 quality = 73
 tags = "FILE"
@@ -127665,14 +127665,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_DTRIM_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'dtrim' project, which is a modified version of SharpSploit."
 author = "FireEye"
- id = "17e3f523-e055-5178-a605-93b34566773e"
+ id = "9be695a1-6d18-5952-974c-96a30f035e7a"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DTRIM/production/yara/APT_HackTool_MSIL_DTRIM_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_357c1f76631ec9ee342995cd12369fd9ff18c541bffe6f5464b1e8db45057196"
+ logic_hash = "357c1f76631ec9ee342995cd12369fd9ff18c541bffe6f5464b1e8db45057196"
 score = 75
 quality = 73
 tags = "FILE"
@@ -127689,7 +127689,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_1
 meta:
 description = "smbexec"
 author = "FireEye"
- id = "77ee7007-3208-587b-b111-8890185af1e1"
+ id = "992d1132-3136-5e1b-a1ef-dcdf36ebf0f5"
 date = "2020-12-01"
 date = "2020-12-01"
 modified = "2020-12-09"
@@ -127697,7 +127697,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_1
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/IMPACKETOBF (Smbexec)/production/yara/HackTool_PY_ImpacketObfuscation_1.yar#L4-L22"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "0b1e512afe24c31531d6db6b47bac8ee"
- logic_hash = "v1_sha256_45a4c0426b29b8c8bede9c4e8292131da7e756d48fc3ac4a07d08fd52383d21e"
+ logic_hash = "45a4c0426b29b8c8bede9c4e8292131da7e756d48fc3ac4a07d08fd52383d21e"
 score = 75
 quality = 75
 tags = ""
@@ -127719,14 +127719,14 @@ rule FIREEYE_RT_Tool_MSIL_Sharpgrep_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGrep' project."
 author = "FireEye"
- id = "685be367-29e6-5597-8bc5-0596cfccaad2"
+ id = "c7569d33-f57d-5f9c-aa2a-78866c680b5b"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPPGREP/production/yara/Tool_MSIL_SharpGrep_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_c22bfc50b3ab3c4082006aad3c3c89684cffe1e429b001b0bb08758856a47d04"
+ logic_hash = "c22bfc50b3ab3c4082006aad3c3c89684cffe1e429b001b0bb08758856a47d04"
 score = 75
 quality = 73
 tags = "FILE"
@@ -127743,14 +127743,14 @@ rule FIREEYE_RT_Builder_MSIL_Sharpgenerator_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGenerator' project."
 author = "FireEye"
- id = "848bcf14-f7b8-50e3-aa3b-76bd4550e016"
+ id = "ab661cba-f695-59d2-9071-9b9a90233457"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPGENERATOR/production/yara/Builder_MSIL_SharpGenerator_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_6dc0780e54d33df733aadc8a89077232baa63bf1cbe47c5d164c57ce3185dd71"
+ logic_hash = "6dc0780e54d33df733aadc8a89077232baa63bf1cbe47c5d164c57ce3185dd71"
 score = 75
 quality = 73
 tags = "FILE"
@@ -127767,14 +127767,14 @@ rule FIREEYE_RT_Hacktool_MSIL_INVEIGHZERO_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'inveighzero' project."
 author = "FireEye"
- id = "30d562f5-04a7-5b2e-9900-30c32ce7b5cd"
+ id = "f46fe365-ea50-5597-828e-61a7225e4c6e"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/INVEIGHZERO/production/yara/HackTool_MSIL_INVEIGHZERO_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_5d10557a83dae9508469fe87f4c0c91beec4d2812856eee461a82d5dbb89aa35"
+ logic_hash = "5d10557a83dae9508469fe87f4c0c91beec4d2812856eee461a82d5dbb89aa35"
 score = 75
 quality = 73
 tags = "FILE"
@@ -127791,14 +127791,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Rubeus_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project."
 author = "FireEye"
- id = "c769be4d-c991-59a4-9a4a-17c0fb72d7bd"
+ id = "0ca140ea-2b9f-5904-a4c0-8615229626f0"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/RUBEUS/production/yara/HackTool_MSIL_Rubeus_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "66e0681a500c726ed52e5ea9423d2654"
- logic_hash = "v1_sha256_ad954f9922ab564d68cb4515b080f6ee69476a8d87f0038e2ae4c222f0e182d7"
+ logic_hash = "ad954f9922ab564d68cb4515b080f6ee69476a8d87f0038e2ae4c222f0e182d7"
 score = 75
 quality = 73
 tags = "FILE"
@@ -127815,14 +127815,14 @@ rule FIREEYE_RT_APT_Loader_Win_PGF_1 : FILE
 meta:
 description = "PDB string used in some PGF DLL samples"
 author = "FireEye"
- id = "b552aaef-216d-5d4e-9864-fada36d5ffd6"
+ id = "14e2102c-3572-5314-999c-ff3f6c94de03"
 date = "2024-03-04"
 modified = "2024-03-04"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win_PGF_1.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "013c7708f1343d684e3571453261b586"
- logic_hash = "v1_sha256_9dede268d33a38e980026917bd01bc47a72bfe60ba4a999c91eb727a2f377462"
+ logic_hash = "9dede268d33a38e980026917bd01bc47a72bfe60ba4a999c91eb727a2f377462"
 score = 75
 quality = 73
 tags = "FILE"
@@ -127841,7 +127841,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_1 : FILE
 meta:
 description = "base.cs"
 author = "FireEye"
- id = "8ab84f6f-a356-5328-9bb7-45e955d62542"
+ id = "39d9821f-86e8-528a-a0a9-287dbe325484"
 date = "2020-11-24"
 date = "2020-11-24"
 modified = "2020-12-09"
@@ -127849,7 +127849,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_MSIL_PGF_1.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "a495c6d11ff3f525915345fb762f8047"
- logic_hash = "v1_sha256_4174ed53336f3951d26282dc81b99b2044ac6350d4b4c0074194a9b4acecefee"
+ logic_hash = "4174ed53336f3951d26282dc81b99b2044ac6350d4b4c0074194a9b4acecefee"
 score = 75
 quality = 75
 tags = "FILE"
@@ -127866,7 +127866,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_1 : FILE
 meta:
 description = "base dlls: /lib/payload/techniques/unmanaged_exports/"
 author = "FireEye"
- id = "b0a37b7e-3375-5859-81fd-7064a72bbbf5"
+ id = "1f2280c0-0fdd-5930-947a-931274bccd6f"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -127874,7 +127874,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_1.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "2b686a8b83f8e1d8b455976ae70dab6e"
- logic_hash = "v1_sha256_2e84d614c34b0b7f93fa70fa3312f22e3ff23f2abd33b2e19c00dd6cba7dcfdc"
+ logic_hash = "2e84d614c34b0b7f93fa70fa3312f22e3ff23f2abd33b2e19c00dd6cba7dcfdc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -127893,14 +127893,14 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_5 : FILE
 meta:
 description = "PGF payload, generated rule based on symfunc/a86b004b5005c0bcdbd48177b5bac7b8"
 author = "FireEye"
- id = "2e1c119b-be25-540c-8d41-0addd949762e"
+ id = "376875f3-00f2-58d0-ae22-7f52ea566da2"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_5.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "8c91a27bbdbe9fb0877daccd28bd7bb5"
- logic_hash = "v1_sha256_dfff615a1d329cf181294f7b0a32c11a21d66ff8a6aa6b9fcd183c9738369623"
+ logic_hash = "dfff615a1d329cf181294f7b0a32c11a21d66ff8a6aa6b9fcd183c9738369623"
 score = 75
 quality = 75
 tags = "FILE"
@@ -127920,14 +127920,14 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_3 : FILE
 meta:
 description = "PGF payload, generated rule based on symfunc/8a2f2236fdfaa3583ab89076025c6269. Identifies dllmain_hook x64 payloads."
 author = "FireEye"
- id = "76735d69-8d71-5fa1-91c6-1f7d6ee5a2b3"
+ id = "340ea6d4-7111-520c-9bd4-0465a43ea235"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_3.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "3bb34ebd93b8ab5799f4843e8cc829fa"
- logic_hash = "v1_sha256_fd82bdec54a76eed12cc8820ef39899f31ea6df21d905530a0d53770b3d9901b"
+ logic_hash = "fd82bdec54a76eed12cc8820ef39899f31ea6df21d905530a0d53770b3d9901b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -127947,7 +127947,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_1 : FILE
 meta:
 description = "base dlls: /lib/payload/techniques/unmanaged_exports/"
 author = "FireEye"
- id = "889ec46c-ff14-589a-90e3-9e0b024660e1"
+ id = "1af4f2ce-c540-5836-a749-43a0b08609b1"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -127955,7 +127955,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_1.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "383161e4deaf7eb2ebeda2c5e9c3204c"
- logic_hash = "v1_sha256_d3fb0bd7b678b19ee2e0e846f4e13e4ce7e2629ecda123f34ef52f2af42d2a8e"
+ logic_hash = "d3fb0bd7b678b19ee2e0e846f4e13e4ce7e2629ecda123f34ef52f2af42d2a8e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -127974,7 +127974,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_2 : FILE
 meta:
 description = "base dlls: /lib/payload/techniques/dllmain/"
 author = "FireEye"
- id = "2904f561-3181-52e2-a4da-f5d67bbfbf7c"
+ id = "5253cb2a-28fd-57ab-be3d-f11cf2ea24cf"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -127982,7 +127982,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_2 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_2.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "4326a7e863928ffbb5f6bdf63bb9126e"
- logic_hash = "v1_sha256_074f6d9ad78ecd4dd8e3d0b5c8b0f61a48374f3935b85c4222305b207b447ec7"
+ logic_hash = "074f6d9ad78ecd4dd8e3d0b5c8b0f61a48374f3935b85c4222305b207b447ec7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128001,7 +128001,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_2 : FILE
 meta:
 description = "base.js, ./lib/payload/techniques/jscriptdotnet/jscriptdotnet_payload.py"
 author = "FireEye"
- id = "c66357f8-0508-5f3c-b3cb-ea61d3a378ef"
+ id = "c5f2ec90-cd9b-53ce-893b-e44192fcd507"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -128009,7 +128009,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_PGF_2 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_MSIL_PGF_2.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "7c2a06ceb29cdb25f24c06f2a8892fba"
- logic_hash = "v1_sha256_b962ea30c063009c0383e25edda3a65202bea4496d0d6228549dcea82bba0d03"
+ logic_hash = "b962ea30c063009c0383e25edda3a65202bea4496d0d6228549dcea82bba0d03"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128029,7 +128029,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_2 : FILE
 meta:
 description = "base dlls: /lib/payload/techniques/dllmain/"
 author = "FireEye"
- id = "b727f6b9-6e76-5560-b346-9b033850123a"
+ id = "e11a626b-ce91-5f6c-a514-9a8a02a29cbd"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -128037,7 +128037,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_2 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_2.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "04eb45f8546e052fe348fda2425b058c"
- logic_hash = "v1_sha256_d69f3f31c4964fe933295563e08bdbb36abadd6611541b9ffa55b6829ced1d21"
+ logic_hash = "d69f3f31c4964fe933295563e08bdbb36abadd6611541b9ffa55b6829ced1d21"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128056,14 +128056,14 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_5 : FILE
 meta:
 description = "PGF payload, generated rule based on symfunc/8167a6d94baca72bac554299d7c7f83c"
 author = "FireEye"
- id = "bf7dd05c-9a1b-5688-86e7-6b21014e7e85"
+ id = "4fa4a1d6-cb63-582d-801c-b4c89c44d9ca"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_5.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "150224a0ccabce79f963795bf29ec75b"
- logic_hash = "v1_sha256_16495ad1e5ce4d4a79f4067f3d687911a1a0a3bfe4c6409ff9de4d111b1ddca6"
+ logic_hash = "16495ad1e5ce4d4a79f4067f3d687911a1a0a3bfe4c6409ff9de4d111b1ddca6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128083,14 +128083,14 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_3 : FILE
 meta:
 description = "PGF payload, generated rule based on symfunc/c02594972dbab6d489b46c5dee059e66. Identifies dllmain_hook x86 payloads."
 author = "FireEye"
- id = "2cae5aff-fdae-543b-9973-9758212471f5"
+ id = "adf91482-6e04-5d11-bc00-4b1c7a802c49"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_3.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "4414953fa397a41156f6fa4f9462d207"
- logic_hash = "v1_sha256_24d2caad1d740ccbff0cf111a05ecad20ed06f311d530d8de86050d916da32ce"
+ logic_hash = "24d2caad1d740ccbff0cf111a05ecad20ed06f311d530d8de86050d916da32ce"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128112,7 +128112,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_4 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "4c2eeca2-9535-52a7-9361-dfd336ba35bb"
+ id = "d46d9ae9-cb7d-5a25-9ee2-766097c14af6"
 date = "2020-11-26"
 date = "2020-11-26"
 modified = "2020-12-09"
@@ -128120,7 +128120,7 @@ rule FIREEYE_RT_APT_Loader_Win32_PGF_4 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win32_PGF_4.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "4414953fa397a41156f6fa4f9462d207"
- logic_hash = "v1_sha256_4256bfd3713f330d76cad9d1ddbba91e588dbca2e2b6842e9482525805ddc1e8"
+ logic_hash = "4256bfd3713f330d76cad9d1ddbba91e588dbca2e2b6842e9482525805ddc1e8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128138,14 +128138,14 @@ rule FIREEYE_RT_APT_Loader_Win_PGF_2 : FILE
 meta:
 description = "PE rich header matches PGF backdoor"
 author = "FireEye"
- id = "e76f2d7c-5d2b-5d90-8fb5-2fdd24e265de"
+ id = "595c9e2a-3d9d-5366-9449-de1bcf333f78"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win_PGF_2.yar#L4-L21"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "226b1ac427eb5a4dc2a00cc72c163214"
- logic_hash = "v1_sha256_b8c024c6b4c3ce9915700b62da8a1f12440215b46f3a56078707f5257e575811"
+ logic_hash = "b8c024c6b4c3ce9915700b62da8a1f12440215b46f3a56078707f5257e575811"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128168,7 +128168,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_4 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "f6fae86c-36ed-5cac-b2a1-a4bdfd411e31"
+ id = "4c93ba76-d3a5-568d-88b8-79a6ebc2edbb"
 date = "2020-11-26"
 date = "2020-11-26"
 modified = "2020-12-09"
@@ -128176,7 +128176,7 @@ rule FIREEYE_RT_APT_Loader_Win64_PGF_4 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PGF/production/yara/APT_Loader_Win64_PGF_4.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "3bb34ebd93b8ab5799f4843e8cc829fa"
- logic_hash = "v1_sha256_fcc92674e58ec6418d7c709e3f3bc2e1ec859fe0cb444412964a978fb69f5234"
+ logic_hash = "fcc92674e58ec6418d7c709e3f3bc2e1ec859fe0cb444412964a978fb69f5234"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128194,14 +128194,14 @@ rule FIREEYE_RT_Hacktool_MSIL_SHARPZEROLOGON_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public 'sharpzerologon' project."
 author = "FireEye"
- id = "82543a6e-1d68-52db-aa4e-58965d891c56"
+ id = "51f22eee-fb96-55b0-8c02-1a0e9910a93e"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPZEROLOGON/production/yara/HackTool_MSIL_SHARPZEROLOGON_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_ed6a9bef5c6ee03aff969b8765b284ace517f2e6a1ef114acb04cf094c69cfa5"
+ logic_hash = "ed6a9bef5c6ee03aff969b8765b284ace517f2e6a1ef114acb04cf094c69cfa5"
 score = 75
 quality = 73
 tags = "FILE"
@@ -128218,7 +128218,7 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "c8833af3-335c-5af4-9b27-455b74ab68e7"
+ id = "c2834bd6-efb0-5dac-adcd-a9450090fc28"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -128226,7 +128226,7 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_1.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "e4efa759d425e2f26fbc29943a30f5bd"
- logic_hash = "v1_sha256_1c71b9641e30c9764f3503e49f8f85472d7e62384c8dd2b420c4fa2b2fccda4f"
+ logic_hash = "1c71b9641e30c9764f3503e49f8f85472d7e62384c8dd2b420c4fa2b2fccda4f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128245,14 +128245,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_3 : FILE
 meta:
 description = "This rule looks for .NET PE files that have the strings of various method names in the SharPivot code."
 author = "FireEye"
- id = "16e13c98-2b09-5323-98ae-f2ba92a0f513"
+ id = "616333fc-4075-5f04-823a-1164717a2b87"
 date = "2020-12-10"
 modified = "2020-12-10"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_3.yar#L4-L31"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "e4efa759d425e2f26fbc29943a30f5bd"
- logic_hash = "v1_sha256_ecf13e47e409efd68b508735a84be6a1627f5b0c0cea6b90434fc9ba5b1d8cf5"
+ logic_hash = "ecf13e47e409efd68b508735a84be6a1627f5b0c0cea6b90434fc9ba5b1d8cf5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128285,14 +128285,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_4 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPivot project."
 author = "FireEye"
- id = "d82beb6f-7452-53c4-aabd-0be84516bf7a"
+ id = "c1bd64da-6a54-5bc6-8a89-9c8a93dd965c"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_4.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "e4efa759d425e2f26fbc29943a30f5bd"
- logic_hash = "v1_sha256_7ef883148926d5786861e5e81b1e645aa2e3ca06bd663f2b5f32e04b5852a218"
+ logic_hash = "7ef883148926d5786861e5e81b1e645aa2e3ca06bd663f2b5f32e04b5852a218"
 score = 75
 quality = 73
 tags = "FILE"
@@ -128309,14 +128309,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpivot_2 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "c0beeb2e-2ab5-55c2-97de-e26a4e7ae9a6"
+ id = "8d6d28ce-de3a-5a38-b654-ba1372d47568"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPIVOT/production/yara/HackTool_MSIL_SharPivot_2.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "e4efa759d425e2f26fbc29943a30f5bd"
- logic_hash = "v1_sha256_14e4a29a32e8441a6f7f322e09cd9bb9822ae47eaa1fdf8e09c90998b03658f5"
+ logic_hash = "14e4a29a32e8441a6f7f322e09cd9bb9822ae47eaa1fdf8e09c90998b03658f5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128339,14 +128339,14 @@ rule FIREEYE_RT_Loader_MSIL_Wmirunner_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIRunner' project."
 author = "FireEye"
- id = "b77239e5-6282-50aa-88cd-2477a2282722"
+ id = "04c6acfc-859f-5e4a-8c59-9adf08f21657"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WMIRUNNER/production/yara/Loader_MSIL_WMIRunner_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_49d21756a4f0b29909c4b0fa9f3a98dd0480f9401923032de4b3920814b85f29"
+ logic_hash = "49d21756a4f0b29909c4b0fa9f3a98dd0480f9401923032de4b3920814b85f29"
 score = 75
 quality = 73
 tags = "FILE"
@@ -128363,14 +128363,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_NOAMCI_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'noamci' project."
 author = "FireEye"
- id = "e0c6af71-c6db-53b7-b6f7-24debe7fb5f1"
+ id = "48066258-528f-5a70-81e1-15d6dfd9ff4f"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/NOAMCI/production/yara/APT_HackTool_MSIL_NOAMCI_1.yar#L4-L16"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_6278cfb4e9af20bbe943f4b99227c7fba276315a9f0059575b3ed4ef96a848c4"
+ logic_hash = "6278cfb4e9af20bbe943f4b99227c7fba276315a9f0059575b3ed4ef96a848c4"
 score = 75
 quality = 71
 tags = "FILE"
@@ -128388,14 +128388,14 @@ rule FIREEYE_RT_Loader_MSIL_Allthethings_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'AllTheThings' project."
 author = "FireEye"
- id = "2a433ced-5ad5-5fec-b535-3af8cd00ef1d"
+ id = "1805b406-2531-56bf-8e08-e63a59ffcc84"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/ALLTHETHINGS/production/yara/Loader_MSIL_AllTheThings_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_e3058095f2a49f8c0f78cb392024795367609b04c1da80210ab8d72c6613ee71"
+ logic_hash = "e3058095f2a49f8c0f78cb392024795367609b04c1da80210ab8d72c6613ee71"
 score = 75
 quality = 73
 tags = "FILE"
@@ -128412,13 +128412,13 @@ rule FIREEYE_RT_APT_Backdoor_PS1_BASICPIPESHELL_1
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "0d188ec5-1be1-516e-9499-59b72dc15990"
+ id = "8f85d6cc-fd1e-5bf3-8052-440cbeda0ac9"
 date = "2020-12-18"
 modified = "2020-12-18"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BASICPIPESHELL/production/yara/APT_Backdoor_PS1_BASICPIPESHELL_1.yar#L5-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
- logic_hash = "v1_sha256_7a9f0002055ffe826562cab3d02d8babd14c5fcd6d0b528a2988e2649034279d"
+ logic_hash = "7a9f0002055ffe826562cab3d02d8babd14c5fcd6d0b528a2988e2649034279d"
 score = 75
 quality = 63
 tags = ""
@@ -128439,14 +128439,14 @@ rule FIREEYE_RT_Loader_MSIL_Sharpy_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharPy' project."
 author = "FireEye"
- id = "1e0c2742-5548-5216-932b-20879f2f0ba5"
+ id = "7c7bda22-bacc-5901-a650-a30c9cfcdee7"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPY/production/yara/Loader_MSIL_SharPy_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_0f73fab3905b4961b8dbeb120d45a34a2383ecdaae0296f38e34f8b7ab4aeee8"
+ logic_hash = "0f73fab3905b4961b8dbeb120d45a34a2383ecdaae0296f38e34f8b7ab4aeee8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -128463,7 +128463,7 @@ rule FIREEYE_RT_APT_Trojan_Linux_REDFLARE_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "90ca3ab4-6110-5427-95d7-927208ba0881"
+ id = "220302bc-4ed3-5e10-9bd2-a8ed2bdaef73"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -128471,7 +128471,7 @@ rule FIREEYE_RT_APT_Trojan_Linux_REDFLARE_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/supplemental/yara/APT_Trojan_Linux_REDFLARE_1.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e"
- logic_hash = "v1_sha256_282f11c4c86d88d05f11e92f5483701d9a54c2dd39f21316cd271aa78a338d0f"
+ logic_hash = "282f11c4c86d88d05f11e92f5483701d9a54c2dd39f21316cd271aa78a338d0f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128492,7 +128492,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_6 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "b3616f8d-7f9e-5b6c-9caa-505a68035ac5"
+ id = "5875a9ec-c3ee-57f0-a430-4443db585def"
 date = "2020-12-01"
 date = "2020-12-01"
 modified = "2020-12-09"
@@ -128500,7 +128500,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_6 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/supplemental/yara/APT_Trojan_Win_REDFLARE_6.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "294b1e229c3b1efce29b162e7b3be0ab, 6902862bd81da402e7ac70856afbe6a2"
- logic_hash = "v1_sha256_1e6f8320e0c0b601fc72fa4d9c61e46adfbcd84638c97da5988ca848e036312a"
+ logic_hash = "1e6f8320e0c0b601fc72fa4d9c61e46adfbcd84638c97da5988ca848e036312a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128521,7 +128521,7 @@ rule FIREEYE_RT_APT_Downloader_Win32_REDFLARE_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "0ef7a449-d215-59ff-9556-f79b3a5d1b61"
+ id = "e8d7ee31-568e-58ac-98ad-49baa2eb37ea"
 date = "2020-11-27"
 date = "2020-11-27"
 modified = "2020-12-09"
@@ -128529,7 +128529,7 @@ rule FIREEYE_RT_APT_Downloader_Win32_REDFLARE_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Downloader_Win32_REDFLARE_1.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "05b99d438dac63a5a993cea37c036673"
- logic_hash = "v1_sha256_a340a2a732a9b1aa74ca9d84009a88d1b14b6a03140a859384c0d6e745e4a90a"
+ logic_hash = "a340a2a732a9b1aa74ca9d84009a88d1b14b6a03140a859384c0d6e745e4a90a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128547,7 +128547,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_7 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "3043e608-0ea9-51d3-adf3-81f525bf8939"
+ id = "f891e477-9ff2-57be-9ca5-dd87d9baee29"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -128555,7 +128555,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_7 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_7.yar#L4-L21"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "e7beece34bdf67cbb8297833c5953669, 8025bcbe3cc81fc19021ad0fbc11cf9b"
- logic_hash = "v1_sha256_6d7822256ac1bef05304d3396df773e2b20a397311ad820d6ec5fe4cb6bdfbbc"
+ logic_hash = "6d7822256ac1bef05304d3396df773e2b20a397311ad820d6ec5fe4cb6bdfbbc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128577,7 +128577,7 @@ rule FIREEYE_RT_APT_Keylogger_Win32_REDFLARE_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "13f1b0db-6daf-5b15-a940-1ca38f15f353"
+ id = "ad14db66-d640-5712-b2c8-a3d42d5a90f3"
 date = "2020-12-01"
 date = "2020-12-01"
 modified = "2020-12-09"
@@ -128585,7 +128585,7 @@ rule FIREEYE_RT_APT_Keylogger_Win32_REDFLARE_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Keylogger_Win32_REDFLARE_1.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "d7cfb9fbcf19ce881180f757aeec77dd"
- logic_hash = "v1_sha256_aebbaa050bee3775ffac4214ea4ab58284384e7eb41e66ee4838b9359e72821e"
+ logic_hash = "aebbaa050bee3775ffac4214ea4ab58284384e7eb41e66ee4838b9359e72821e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128603,7 +128603,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_8 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "ee114b65-4350-59c0-8acb-9bc37c4e1138"
+ id = "b090df60-8f4e-51ca-944c-6f9ce2d9c913"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -128611,7 +128611,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_8 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_8.yar#L4-L22"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "9c8eb908b8c1cda46e844c24f65d9370, 9e85713d615bda23785faf660c1b872c"
- logic_hash = "v1_sha256_5b8a0402886daebefb995e7df0877d51727c5b8dc58eeb8ff16ceec5e7811a20"
+ logic_hash = "5b8a0402886daebefb995e7df0877d51727c5b8dc58eeb8ff16ceec5e7811a20"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128634,7 +128634,7 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "a821344a-1c0a-5a51-9ed9-739eea2c6f94"
+ id = "dc162f26-66d3-5359-b1d7-ef2208b359e2"
 date = "2020-11-27"
 date = "2020-11-27"
 modified = "2020-12-09"
@@ -128642,7 +128642,7 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_1.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "f20824fa6e5c81e3804419f108445368"
- logic_hash = "v1_sha256_2cae245a6aa36dccc2228cccefdc4ca0eb278901f063e072a369000f67d73a55"
+ logic_hash = "2cae245a6aa36dccc2228cccefdc4ca0eb278901f063e072a369000f67d73a55"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128660,7 +128660,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_4 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "78f4f2a7-9a11-59f7-a452-d9b37f1c620c"
+ id = "6e8621b0-a0ee-5fc7-a2b8-1973a42d6e37"
 date = "2020-12-01"
 date = "2020-12-01"
 modified = "2020-12-09"
@@ -128668,7 +128668,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_4 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_4.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "a8b5dcfea5e87bf0e95176daa243943d, 9dcb6424662941d746576e62712220aa"
- logic_hash = "v1_sha256_d027e98ad8fa6d03a49ceffd81fba6a621173e2dbabae652bee2f4e8489bb378"
+ logic_hash = "d027e98ad8fa6d03a49ceffd81fba6a621173e2dbabae652bee2f4e8489bb378"
 score = 75
 quality = 75
 tags = "FILE"
@@ -128688,7 +128688,7 @@ rule FIREEYE_RT_APT_Loader_Raw64_REDFLARE_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "ee1beadf-49ab-577e-8155-00e597c2a68e"
+ id = "8e937f6a-404f-53bd-9de2-ed63b1cf48b2"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128696,7 +128696,7 @@ rule FIREEYE_RT_APT_Loader_Raw64_REDFLARE_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Raw64_REDFLARE_1.yar#L4-L16"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "5e14f77f85fd9a5be46e7f04b8a144f5"
- logic_hash = "v1_sha256_dac122ccece8a6dd35a5fe9d37860a612aa50ab469b79f4375dbe776f60c7b57"
+ logic_hash = "dac122ccece8a6dd35a5fe9d37860a612aa50ab469b79f4375dbe776f60c7b57"
score = 75
quality = 75
tags = "FILE"
@@ -128713,7 +128713,7 @@ rule FIREEYE_RT_APT_Builder_PY_REDFLARE_1
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "7135ee51-5d2a-5ecb-b386-b795d1dcddb1"
+ id = "3b5ad25d-ce66-572e-9a91-40a73b8fd447"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128721,7 +128721,7 @@ rule FIREEYE_RT_APT_Builder_PY_REDFLARE_1
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Builder_PY_REDFLARE_1.yar#L4-L22"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "d0a830403e56ebaa4bfbe87dbfdee44f"
- logic_hash = "v1_sha256_1948cadb7242eb69bffbc222802ce9c1af38d7a846da09b6343b1449fe054e42"
+ logic_hash = "1948cadb7242eb69bffbc222802ce9c1af38d7a846da09b6343b1449fe054e42"
score = 75
quality = 75
tags = ""
@@ -128744,7 +128744,7 @@ rule FIREEYE_RT_APT_Controller_Linux_REDFLARE_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "17728af3-d6a7-587b-aecd-4e45262a0f20"
+ id = "79a69740-7209-5c56-ad6f-eb4d0b29beaf"
date = "2020-12-02"
date = "2020-12-02"
modified = "2020-12-09"
@@ -128752,7 +128752,7 @@ rule FIREEYE_RT_APT_Controller_Linux_REDFLARE_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Controller_Linux_REDFLARE_1.yar#L4-L19"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e"
- logic_hash = "v1_sha256_d6b0cc5f386da9bff8a8293f2b3857406044ab42f7c1bb23d5096052a3c42ce4"
+ logic_hash = "d6b0cc5f386da9bff8a8293f2b3857406044ab42f7c1bb23d5096052a3c42ce4"
score = 75
quality = 75
tags = "FILE"
@@ -128772,7 +128772,7 @@ rule FIREEYE_RT_APT_Keylogger_Win64_REDFLARE_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "d4dde414-69af-5ee4-be5a-52a3d986574e"
+ id = "3c980f5a-c775-5c25-ba28-91a93a1b9a85"
date = "2020-12-01"
date = "2020-12-01"
modified = "2020-12-09"
@@ -128780,7 +128780,7 @@ rule FIREEYE_RT_APT_Keylogger_Win64_REDFLARE_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Keylogger_Win64_REDFLARE_1.yar#L4-L17"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "fbefb4074f1672a3c29c1a47595ea261"
- logic_hash = "v1_sha256_26fe577ba637c484d9a8ccc2173b5892a76328a90a39a2bebbae6bd2a6329485"
+ logic_hash = "26fe577ba637c484d9a8ccc2173b5892a76328a90a39a2bebbae6bd2a6329485"
score = 75
quality = 75
tags = "FILE"
@@ -128798,7 +128798,7 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "d1ecdf28-e657-53d2-9ab1-d5daafd1d5e1"
+ id = "b8a2c388-3b27-5075-b0ee-2773ae0c67ad"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128806,7 +128806,7 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_1.yar#L4-L17"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "01d68343ac46db6065f888a094edfe4f"
- logic_hash = "v1_sha256_f9165aabe4bad215211cf98559099030ddb8a76175fbfcfee3c6f25d7614bdad"
+ logic_hash = "f9165aabe4bad215211cf98559099030ddb8a76175fbfcfee3c6f25d7614bdad"
score = 75
quality = 75
tags = "FILE"
@@ -128824,7 +128824,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_5 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "39a75367-cc48-51cf-a28f-232306f3d81f"
+ id = "892981d6-f310-5ee8-95b5-dd4bd720a86c"
date = "2020-12-01"
date = "2020-12-01"
modified = "2020-12-09"
@@ -128832,7 +128832,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_5 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_5.yar#L4-L20"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "dfbb1b988c239ade4c23856e42d4127b, 3322fba40c4de7e3de0fda1123b0bf5d"
- logic_hash = "v1_sha256_ab38e5ebded026829672941709797b40f8e13fb244b6a8ed3545de4358f727b8"
+ logic_hash = "ab38e5ebded026829672941709797b40f8e13fb244b6a8ed3545de4358f727b8"
score = 75
quality = 75
tags = "FILE"
@@ -128853,7 +128853,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_3 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "9ca62954-2d46-5182-b595-0a36d6977f6f"
+ id = "2f6785c4-f4d0-52ff-8c46-da953e2ca92a"
date = "2020-12-01"
date = "2020-12-01"
modified = "2020-12-09"
@@ -128861,7 +128861,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_3 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_3.yar#L4-L19"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "9ccda4d7511009d5572ef2f8597fba4e,ece07daca53dd0a7c23dacabf50f56f1"
- logic_hash = "v1_sha256_ee104bc145686a134e4d6d620dae7d1dacff7645d47f1a8d7a212327352b8e87"
+ logic_hash = "ee104bc145686a134e4d6d620dae7d1dacff7645d47f1a8d7a212327352b8e87"
score = 75
quality = 75
tags = "FILE"
@@ -128881,7 +128881,7 @@ rule FIREEYE_RT_APT_Downloader_Win64_REDFLARE_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "11797c6d-ba58-55e2-972d-753d93da1131"
+ id = "15a5e22b-84b0-5b36-8772-1d496ac447b2"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128889,7 +128889,7 @@ rule FIREEYE_RT_APT_Downloader_Win64_REDFLARE_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Downloader_Win64_REDFLARE_1.yar#L4-L17"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "9529c4c9773392893a8a0ab8ce8f8ce1"
- logic_hash = "v1_sha256_1b9bece6083403615841c752eac48fd20095e918d6e175563dd122be2885d875"
+ logic_hash = "1b9bece6083403615841c752eac48fd20095e918d6e175563dd122be2885d875"
score = 75
quality = 75
tags = "FILE"
@@ -128907,7 +128907,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "fd33d611-b690-5124-abc3-29d0e706e53b"
+ id = "c3054680-9c87-5d90-b78e-b260904340df"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128915,7 +128915,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_1.yar#L4-L21"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "100d73b35f23b2fe84bf7cd37140bf4d,4e7e90c7147ee8aa01275894734f4492"
- logic_hash = "v1_sha256_08ea2151418f7f75a8b138146c393a5ea85647320cc8e9fe1930d75871ab94bb"
+ logic_hash = "08ea2151418f7f75a8b138146c393a5ea85647320cc8e9fe1930d75871ab94bb"
score = 75
quality = 75
tags = "FILE"
@@ -128937,7 +128937,7 @@ rule FIREEYE_RT_APT_Loader_Raw32_REDFLARE_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "a1dc6b80-149e-50f1-8228-fa3d9f2efef3"
+ id = "8f8ec27f-afac-5da5-b76f-b984e14e0066"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128945,7 +128945,7 @@ rule FIREEYE_RT_APT_Loader_Raw32_REDFLARE_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Raw32_REDFLARE_1.yar#L4-L16"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "4022baddfda3858a57c9cbb0d49f6f86"
- logic_hash = "v1_sha256_05ed89bd82600b4d5ef01ece2e0a9bd84e968988fd2bda1bab4ec316a9a9906b"
+ logic_hash = "05ed89bd82600b4d5ef01ece2e0a9bd84e968988fd2bda1bab4ec316a9a9906b"
score = 75
quality = 75
tags = "FILE"
@@ -128962,7 +128962,7 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_2 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "c8e0617d-97a9-568a-8cb6-174c4de52160"
+ id = "6a585401-bfd3-5aad-b484-09b6a30d9af5"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128970,7 +128970,7 @@ rule FIREEYE_RT_APT_Loader_Win32_REDFLARE_2 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win32_REDFLARE_2.yar#L4-L17"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "4e7e90c7147ee8aa01275894734f4492"
- logic_hash = "v1_sha256_98dfb71adbde4f8965e612c19f0965d8fa95805825569290fdf72eb1d86cfb70"
+ logic_hash = "98dfb71adbde4f8965e612c19f0965d8fa95805825569290fdf72eb1d86cfb70"
score = 75
quality = 75
tags = "FILE"
@@ -128988,7 +128988,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_2 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "055ad13d-d65f-57fd-825f-9961105d586e"
+ id = "84881e5c-05df-5911-af42-ec82e559588c"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -128996,7 +128996,7 @@ rule FIREEYE_RT_APT_Trojan_Win_REDFLARE_2 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Trojan_Win_REDFLARE_2.yar#L4-L20"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "9529c4c9773392893a8a0ab8ce8f8ce1,05b99d438dac63a5a993cea37c036673"
- logic_hash = "v1_sha256_1f2e1f644b1932486444dfda30b7dad7f50121f59fa493eb8a1a0528ae46db26"
+ logic_hash = "1f2e1f644b1932486444dfda30b7dad7f50121f59fa493eb8a1a0528ae46db26"
score = 75
quality = 75
tags = "FILE"
@@ -129017,7 +129017,7 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_2 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "5d42b476-ba68-5907-8952-b6f88fa24b0f"
+ id = "043f4e29-710d-5e17-a0ed-82cd3a565194"
date = "2020-11-27"
date = "2020-11-27"
modified = "2020-12-09"
@@ -129025,7 +129025,7 @@ rule FIREEYE_RT_APT_Loader_Win64_REDFLARE_2 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE/production/yara/APT_Loader_Win64_REDFLARE_2.yar#L4-L18"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "100d73b35f23b2fe84bf7cd37140bf4d"
- logic_hash = "v1_sha256_9fad845ed963fae46ac7ddc44407d5f6ed0a061f6a106764b9f912ef718279b4"
+ logic_hash = "9fad845ed963fae46ac7ddc44407d5f6ed0a061f6a106764b9f912ef718279b4"
score = 75
quality = 75
tags = "FILE"
@@ -129044,14 +129044,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpschtask_1 : FILE
meta:
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpSchtask' project."
author = "FireEye"
- id = "a43eb60a-e9da-5da4-9f6e-6549cdf78e56"
+ id = "5c7a5dee-3bc2-54b2-a7e2-be05ba74d4a1"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPSCHTASK/production/yara/HackTool_MSIL_SharpSchtask_1.yar#L4-L15"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_7437fde82920f4d015a7f149b58924baf6cb220c6f6857d9509e23795ff0811c"
+ logic_hash = "7437fde82920f4d015a7f149b58924baf6cb220c6f6857d9509e23795ff0811c"
score = 75
quality = 73
tags = "FILE"
@@ -129068,14 +129068,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Prepshellcode_1 : FILE
meta:
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'PrepShellcode' project."
author = "FireEye"
- id = "6449eba5-ffca-5117-9766-4fca17fb946c"
+ id = "32fb6b1d-e01f-5555-8516-088dca2166cf"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PREPSHELLCODE/production/yara/HackTool_MSIL_PrepShellcode_1.yar#L4-L15"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_aedae87d84275f6589c982c04175ddc0aee3e4f3ae959ced4b4e2294675522e6"
+ logic_hash = "aedae87d84275f6589c982c04175ddc0aee3e4f3ae959ced4b4e2294675522e6"
score = 75
quality = 73
tags = "FILE"
@@ -129092,14 +129092,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_WMISPY_2 : FILE
meta:
description = "wql searches"
author = "FireEye"
- id = "dcbdbb39-e85b-586a-853e-61c7fec636f1"
+ id = "474af878-a657-54bc-a063-04532df928d4"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WMISPY/production/yara/APT_HackTool_MSIL_WMISPY_2.yar#L4-L24"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "3651f252d53d2f46040652788499d65a"
- logic_hash = "v1_sha256_553fc1e536482a56b3228a5c9ebac843af9083e8ac864bf65c81b36a39ca5e5e"
+ logic_hash = "553fc1e536482a56b3228a5c9ebac843af9083e8ac864bf65c81b36a39ca5e5e"
score = 75
quality = 75
tags = "FILE"
@@ -129125,14 +129125,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Wmispy_1 : FILE
meta:
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIspy' project."
author = "FireEye"
- id = "a269aaf0-a8a5-59dc-a94f-119dcc291c85"
+ id = "ac394751-da40-564b-8e24-8f353326b46a"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WMISPY/production/yara/HackTool_MSIL_WMIspy_1.yar#L4-L15"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_a5a9f7c7a7bfe474e8b21306ea220b4d476832f3ad4fafdd8967a2250d15a701"
+ logic_hash = "a5a9f7c7a7bfe474e8b21306ea220b4d476832f3ad4fafdd8967a2250d15a701"
score = 75
quality = 73
tags = "FILE"
@@ -129149,14 +129149,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_1 : FILE
meta:
description = "This detects if a sample is less than 50KB and has a number of strings found in the Gorat shellcode (stage0 loader). The loader contains an embedded DLL (stage0.dll) that contains a number of unique strings. The 'Cookie' string found in this loader is important as this cookie is needed by the C2 server to download the Gorat implant (stage1 payload)."
author = "FireEye"
- id = "20d24576-826d-5a49-89a3-e751cd8c875d"
+ id = "5ac84cf1-49fb-533d-b211-b1a92239063b"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_1.yar#L4-L23"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "66cdaa156e4d372cfa3dea0137850d20"
- logic_hash = "v1_sha256_f6a0a923f64375e7ffdc080aec41db19a9e162405f1290ed0bbcce5a342bdadb"
+ logic_hash = "f6a0a923f64375e7ffdc080aec41db19a9e162405f1290ed0bbcce5a342bdadb"
score = 75
quality = 75
tags = "FILE"
@@ -129181,14 +129181,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_Gorat_Memory
meta:
description = "Identifies GoRat malware in memory based on strings."
author = "FireEye"
- id = "c1113e4f-b351-5403-a6a4-0ef45649e0cc"
+ id = "16fb1db7-711c-5d8d-9203-738c94f253fe"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GoRat_Memory.yar#L4-L27"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "3b926b5762e13ceec7ac3a61e85c93bb"
- logic_hash = "v1_sha256_88272e59325d106f96d6b6f1d57daf968823c1e760067dee0334c66c521ce8c2"
+ logic_hash = "88272e59325d106f96d6b6f1d57daf968823c1e760067dee0334c66c521ce8c2"
score = 75
quality = 75
tags = ""
@@ -129217,7 +129217,7 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_5 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "38cae6a5-d7ee-5504-9844-3250ac43d94e"
+ id = "73102bd2-7b94-5c7b-b9a4-cfc9cf5e3212"
date = "2020-12-02"
date = "2020-12-02"
modified = "2020-12-09"
@@ -129225,7 +129225,7 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_5 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_5.yar#L4-L23"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f"
- logic_hash = "v1_sha256_67f85fb3bedfd18a1226c92318f387be3c7ff9566ca2d554c49cf62389482552"
+ logic_hash = "67f85fb3bedfd18a1226c92318f387be3c7ff9566ca2d554c49cf62389482552"
score = 75
quality = 75
tags = "FILE"
@@ -129249,14 +129249,14 @@ rule FIREEYE_RT_Trojan_MSIL_GORAT_Plugin_DOTNET_1 : FILE
meta:
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Plugin - .NET' project."
author = "FireEye"
- id = "7b35c937-f3ff-5654-b3fb-096c8802b0f4"
+ id = "faa73d64-4bb1-5c06-a3a5-1f1aa99ea932"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Plugin_DOTNET_1.yar#L4-L16"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_e979822273c6d1ccdfebd341c9e2cb1040fe34a04e8b41c024885063fd946ad5"
+ logic_hash = "e979822273c6d1ccdfebd341c9e2cb1040fe34a04e8b41c024885063fd946ad5"
score = 75
quality = 71
tags = "FILE"
@@ -129274,14 +129274,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_3 : FILE
meta:
description = "This rule uses the same logic as FE_APT_Trojan_Win_GORAT_1_FEBeta with the addition of one check, to look for strings that are known to be in the Gorat implant when a certain cleaning script is not run against it."
author = "FireEye"
- id = "1ed4e6ed-82f0-5b0b-bdb4-54788acbea90"
+ id = "94c195b5-b8e8-56a7-bc11-dbbe2f969b06"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_3.yar#L4-L39"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "995120b35db9d2f36d7d0ae0bfc9c10d"
- logic_hash = "v1_sha256_592745e9c67f7adf0cd48975ed1497211d8efeff29b52be1e2d082b9a648bb57"
+ logic_hash = "592745e9c67f7adf0cd48975ed1497211d8efeff29b52be1e2d082b9a648bb57"
score = 75
quality = 28
tags = "FILE"
@@ -129322,14 +129322,14 @@ rule FIREEYE_RT_APT_Backdoor_Macos_GORAT_1 : FILE
meta:
description = "This rule is looking for specific strings associated with network activity found within the MacOS generated variant of GORAT"
author = "FireEye"
- id = "0350efb2-6327-52f8-98aa-ac24958f385b"
+ id = "4646eadb-7acf-582f-9ad6-00f012ceed8a"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_MacOS_GORAT_1.yar#L4-L19"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "68acf11f5e456744262ff31beae58526"
- logic_hash = "v1_sha256_2df5f87d44968670511880d21ad184779d0561c7c426a5d6426bcefd0904a9b7"
+ logic_hash = "2df5f87d44968670511880d21ad184779d0561c7c426a5d6426bcefd0904a9b7"
score = 75
quality = 75
tags = "FILE"
@@ -129350,14 +129350,14 @@ rule FIREEYE_RT_Trojan_MSIL_GORAT_Module_Powershell_1 : FILE
meta:
description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Module - PowerShell' project."
author = "FireEye"
- id = "e6c7a1e4-2639-5fc4-a60b-05fefb47715e"
+ id = "b0fba130-9cd9-5b7f-a806-9ff8099f5731"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/Trojan_MSIL_GORAT_Module_PowerShell_1.yar#L4-L16"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_e596bc0316a4ef85f04c2683ebc7c94bf9b831843232c33e62c84991e4caeb97"
+ logic_hash = "e596bc0316a4ef85f04c2683ebc7c94bf9b831843232c33e62c84991e4caeb97"
score = 75
quality = 71
tags = "FILE"
@@ -129377,14 +129377,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_4 : FILE
meta:
description = "Verifies that the sample is a Windows PE that is less than 10MB in size and exports numerous functions that are known to be exported by the Gorat implant. This is done in an effort to provide detection for packed samples that may not have other strings but will need to replicate exports to maintain functionality."
author = "FireEye"
- id = "3cb62012-0414-5842-b3aa-889d41b78ae9"
+ id = "fa3bcaad-c210-5b9c-8567-fe85b8e78055"
date = "2021-03-03"
modified = "2021-03-03"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_4.yar#L5-L16"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "f59095f0ab15f26a1ead7eed8cdb4902"
- logic_hash = "v1_sha256_ec201614cb91fae9d7c89febfa22dfd6ba7f353e0eeb0b2fec6c8d887992e79e"
+ logic_hash = "ec201614cb91fae9d7c89febfa22dfd6ba7f353e0eeb0b2fec6c8d887992e79e"
score = 75
quality = 25
tags = "FILE"
@@ -129401,14 +129401,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_GORAT_2 : FILE
meta:
description = "Verifies that the sample is a Windows PE that is less than 10MB in size and has the Go build ID strings. Then checks for various strings known to be in the Gorat implant including strings used in C2 json, names of methods, and the unique string 'murica' used in C2 comms. A check is done to ensure the string 'rat' appears in the binary over 1000 times as it is the name of the project used by the implant and is present well over 2000 times."
author = "FireEye"
- id = "882c743d-dc53-5e80-aa78-f876f73c6833"
+ id = "e2c47711-d088-5cb4-8d21-f8199a865a28"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REDFLARE (Gorat)/production/yara/APT_Backdoor_Win_GORAT_2.yar#L4-L34"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "f59095f0ab15f26a1ead7eed8cdb4902"
- logic_hash = "v1_sha256_8efc904498386d89879766a5021148a250f639bc328df12a34cfc8d620df6f6c"
+ logic_hash = "8efc904498386d89879766a5021148a250f639bc328df12a34cfc8d620df6f6c"
score = 75
quality = 50
tags = "FILE"
@@ -129444,7 +129444,7 @@ rule FIREEYE_RT_Trojan_Win64_Generic_23 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "7e2fdec7-acb4-59aa-a66c-0ae1fd510bcd"
+ id = "470bfeed-e000-58c6-b115-dfa8aea25bef"
date = "2020-12-02"
date = "2020-12-02"
modified = "2020-12-09"
@@ -129452,7 +129452,7 @@ rule FIREEYE_RT_Trojan_Win64_Generic_23 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_23.yar#L4-L22"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "b66347ef110e60b064474ae746701d4a"
- logic_hash = "v1_sha256_4c1860801b26abbab8c4aea730bf69f388c902083b9945e11e6782af3ab22789"
+ logic_hash = "4c1860801b26abbab8c4aea730bf69f388c902083b9945e11e6782af3ab22789"
score = 75
quality = 75
tags = "FILE"
@@ -129475,7 +129475,7 @@ rule FIREEYE_RT_Trojan_Win64_Generic_22 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "fde0e6b8-12a5-5afe-97f5-5a8798f668c5"
+ id = "e79661a8-5254-5e8e-b92b-edf1ddb072ff"
date = "2020-11-26"
date = "2020-11-26"
modified = "2020-12-09"
@@ -129483,7 +129483,7 @@ rule FIREEYE_RT_Trojan_Win64_Generic_22 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/supplemental/yara/Trojan_Win64_Generic_22.yar#L4-L22"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "f7d9961463b5110a3d70ee2e97842ed3"
- logic_hash = "v1_sha256_52fbe5c0ee7c05df5fcd62c26caaa5498e32352da9c5940e522aa31d6c808028"
+ logic_hash = "52fbe5c0ee7c05df5fcd62c26caaa5498e32352da9c5940e522aa31d6c808028"
score = 75
quality = 75
tags = "FILE"
@@ -129506,14 +129506,14 @@ rule FIREEYE_RT_Credtheft_Win_EXCAVATOR_1 : FILE
meta:
description = "This rule looks for the binary signature of the 'Inject' method found in the main Excavator PE."
author = "FireEye"
- id = "93079007-63ee-5450-99c8-f7c6c9c1c393"
+ id = "7cabc230-e55b-5096-996a-b6a8c9693bdc"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_1.yar#L4-L18"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "f7d9961463b5110a3d70ee2e97842ed3"
- logic_hash = "v1_sha256_bf4b776f34a1a9aa5438504f63a63ef452a747363de3b70cec52145d777055bd"
+ logic_hash = "bf4b776f34a1a9aa5438504f63a63ef452a747363de3b70cec52145d777055bd"
score = 75
quality = 75
tags = "FILE"
@@ -129533,14 +129533,14 @@ rule FIREEYE_RT_Credtheft_Win_EXCAVATOR_2 : FILE
meta:
description = "This rule looks for the binary signature of the routine that calls PssFreeSnapshot found in the Excavator-Reflector DLL."
author = "FireEye"
- id = "9aa2b168-c8a0-52fa-9b5e-90a8ee91e907"
+ id = "89037b9a-78b0-5a8c-bb60-3d54842d81e1"
date = "2020-12-09"
modified = "2020-12-09"
reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/CredTheft_Win_EXCAVATOR_2.yar#L4-L18"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "6a9a114928554c26675884eeb40cc01b"
- logic_hash = "v1_sha256_408e8862f0c470105648fdba00dc5531ffcd739fa544f89acb70f0fa1b105c03"
+ logic_hash = "408e8862f0c470105648fdba00dc5531ffcd739fa544f89acb70f0fa1b105c03"
score = 75
quality = 75
tags = "FILE"
@@ -129560,7 +129560,7 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_1 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "b5eed807-5766-5b4a-9616-3d8c9fb6ebac"
+ id = "e593b589-747d-53c2-a39a-57485e4f7641"
date = "2020-11-30"
date = "2020-11-30"
modified = "2020-12-09"
@@ -129568,7 +129568,7 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_1 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_1.yar#L4-L19"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "6a9a114928554c26675884eeb40cc01b"
- logic_hash = "v1_sha256_aa06628ddef0f95c4217b97a3476a0ee12e00d04c4827a512730598f3c80f1f6"
+ logic_hash = "aa06628ddef0f95c4217b97a3476a0ee12e00d04c4827a512730598f3c80f1f6"
score = 75
quality = 75
tags = "FILE"
@@ -129588,7 +129588,7 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_2 : FILE
meta:
description = "No description has been set in the source file - FireEye-RT"
author = "FireEye"
- id = "41ad92ed-8ab3-5627-bbd9-3567bc147815"
+ id = "4b7640e8-5621-5cc3-8ac9-84347f23f5eb"
date = "2020-12-02"
date = "2020-12-02"
modified = "2020-12-09"
@@ -129596,7 +129596,7 @@ rule FIREEYE_RT_APT_Hacktool_Win64_EXCAVATOR_2 : FILE
source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/EXCAVATOR/production/yara/APT_HackTool_Win64_EXCAVATOR_2.yar#L4-L19"
license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
hash = "4fd62068e591cbd6f413e1c2b8f75442"
- logic_hash = "v1_sha256_14263c17323cd78df10f7f101bd7a9c74f7818b34a2e42125d45205067399381"
+ logic_hash = "14263c17323cd78df10f7f101bd7a9c74f7818b34a2e42125d45205067399381"
score = 75
quality = 75
tags = "FILE"
@@ -129616,7 +129616,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_2
meta:
description = "wmiexec"
author = "FireEye"
- id = "ee6d458a-a2dc-5de4-80e6-e5ba069e429d"
+ id = "f1059f66-eaff-5866-bafb-c94236cf96a0"
date = "2020-12-01"
date = "2020-12-01"
modified = "2020-12-09"
@@ -129624,7 +129624,7 @@ rule FIREEYE_RT_Hacktool_PY_Impacketobfuscation_2
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/IMPACKETOBF (Wmiexec)/production/yara/HackTool_PY_ImpacketObfuscation_2.yar#L4-L21"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "f3dd8aa567a01098a8a610529d892485"
- logic_hash = "v1_sha256_ccbbe507798f16c7acf0780770fdb81b2e7dc333ab8bc51e6216816276c3f14b"
+ logic_hash = "ccbbe507798f16c7acf0780770fdb81b2e7dc333ab8bc51e6216816276c3f14b"
 score = 75
 quality = 75
 tags = ""
@@ -129645,14 +129645,14 @@ rule FIREEYE_RT_Hacktool_MSIL_GETDOMAINPASSWORDPOLICY_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the recon utility 'getdomainpasswordpolicy' project."
 author = "FireEye"
- id = "4d0aab58-eb94-5396-8b3b-59f05763f413"
+ id = "69745e99-33cc-5171-ae7a-5c98439a0b6d"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/GETDOMAINPASSWORDPOLICY/production/yara/HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_6b2ea3ebfea2c87f16052f4a43b64eb2d595c2dd4a64d45dfce1642668dcf602"
+ logic_hash = "6b2ea3ebfea2c87f16052f4a43b64eb2d595c2dd4a64d45dfce1642668dcf602"
 score = 75
 quality = 73
 tags = "FILE"
@@ -129669,7 +129669,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_WILDCHILD_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "4bfdb131-26d3-5ba7-9355-3e94cbc4259b"
+ id = "b9e0707e-98eb-55da-ad1d-6a84bd113747"
 date = "2020-12-01"
 date = "2020-12-01"
 modified = "2020-12-09"
@@ -129677,7 +129677,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_WILDCHILD_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WILDCHILD/production/yara/APT_Loader_MSIL_WILDCHILD_1.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "6f04a93753ae3ae043203437832363c4"
- logic_hash = "v1_sha256_a600c3d127f77dc1f99160e4a242e005970de0abd1798296b6a351b968ca1350"
+ logic_hash = "a600c3d127f77dc1f99160e4a242e005970de0abd1798296b6a351b968ca1350"
 score = 75
 quality = 75
 tags = "FILE"
@@ -129696,14 +129696,14 @@ rule FIREEYE_RT_Dropper_HTA_Wildchild_1 : FILE
 meta:
 description = "This rule looks for strings present in unobfuscated HTAs generated by the WildChild builder."
 author = "FireEye"
- id = "894b69c6-5bd8-59ae-a059-3b674f659390"
+ id = "f570baa5-7d58-5a0a-b713-769e62076f76"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WILDCHILD/production/yara/Dropper_HTA_WildChild_1.yar#L4-L24"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "3e61ca5057633459e96897f79970a46d"
- logic_hash = "v1_sha256_60c1d53b8a43b9b7518f3260a4d61c6806641ee894a2a331a3a0a2ea0aff9d99"
+ logic_hash = "60c1d53b8a43b9b7518f3260a4d61c6806641ee894a2a331a3a0a2ea0aff9d99"
 score = 75
 quality = 75
 tags = "FILE"
@@ -129729,14 +129729,14 @@ rule FIREEYE_RT_Loader_MSIL_Wildchild_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the WildChild project."
 author = "FireEye"
- id = "ac56f673-76aa-504f-a5fb-721722f6bc2d"
+ id = "350dd658-46c9-573b-b532-07e4b437ba8d"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WILDCHILD/production/yara/Loader_MSIL_WildChild_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "7e6bc0ed11c2532b2ae7060327457812"
- logic_hash = "v1_sha256_e4320e33770613542182518ec787e4ccbb32f83c8afca5ec957d4846e6f4eb04"
+ logic_hash = "e4320e33770613542182518ec787e4ccbb32f83c8afca5ec957d4846e6f4eb04"
 score = 75
 quality = 73
 tags = "FILE"
@@ -129753,14 +129753,14 @@ rule FIREEYE_RT_Hunting_LNK_Win_Genericlauncher : FILE
 meta:
 description = "Signature to detect LNK files or OLE objects with embedded LNK files and generic launcher commands, except powershell which is large enough to have its own gene"
 author = "FireEye"
- id = "d6892435-a809-5c29-a4f5-ff30bcea5dd1"
+ id = "1a12e475-bb18-55ab-b629-47b711c10e6b"
 date = "2018-09-04"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/LNKSMASHER/supplemental/yara/Hunting_LNK_Win_GenericLauncher.yar#L4-L22"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "14dd758e8f89f14612c8df9f862c31e4"
- logic_hash = "v1_sha256_a654cd3594e2d09950fb11bf8721a5cdb89f5d5be6e706f12e18c7fcdf7dd0fe"
+ logic_hash = "a654cd3594e2d09950fb11bf8721a5cdb89f5d5be6e706f12e18c7fcdf7dd0fe"
 score = 60
 quality = 53
 tags = "FILE"
@@ -129783,14 +129783,14 @@ rule FIREEYE_RT_Dropper_LNK_Lnksmasher_1 : FILE
 meta:
 description = "The LNKSmasher project contains a prebuilt LNK file that has pieces added based on various configuration items. Because of this, several artifacts are present in every single LNK file generated by LNKSmasher, including the Drive Serial #, the File Droid GUID, and the GUID CLSID."
 author = "FireEye"
- id = "8f6ef575-d02a-5aa2-8cd0-c7fe2cc6d186"
+ id = "1b93ddf8-9578-5e47-b479-4c9e8a40b4f4"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/LNKSMASHER/production/yara/Dropper_LNK_LNKSmasher_1.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "0a86d64c3b25aa45428e94b6e0be3e08"
- logic_hash = "v1_sha256_61d1ac67ac0d332ad842a522cbebe1b9af1482d58a210b50fb45209355c0aeeb"
+ logic_hash = "61d1ac67ac0d332ad842a522cbebe1b9af1482d58a210b50fb45209355c0aeeb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -129810,14 +129810,14 @@ rule FIREEYE_RT_Methodology_OLE_CHARENCODING_2 : FILE
 meta:
 description = "Looking for suspicious char encoding"
 author = "FireEye"
- id = "ced72149-36f5-5eab-b2b2-54d8de5dee1e"
+ id = "7abd1a11-7a55-50ac-aa6b-537e7c59a5ab"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SINFULOFFICE/supplemental/yara/Methodology_OLE_CHARENCODING_2.yar#L4-L23"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "41b70737fa8dda75d5e95c82699c2e9b"
- logic_hash = "v1_sha256_20843295531dfd88934fe0902a5101c5c0828e82df3289d7f263f16df9c92324"
+ logic_hash = "20843295531dfd88934fe0902a5101c5c0828e82df3289d7f263f16df9c92324"
 score = 65
 quality = 75
 tags = "FILE"
@@ -129842,14 +129842,14 @@ rule FIREEYE_RT_Builder_MSIL_Sinfuloffice_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SinfulOffice' project."
 author = "FireEye"
- id = "27e47bdc-4ef1-51b3-bc29-8cc46ff12171"
+ id = "cf020fb3-751b-5346-8c0d-dc0a552599a3"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SINFULOFFICE/production/yara/Builder_MSIL_SinfulOffice_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_b5d49a8720e4daa21e95ec66299daec42e65906017de886ea91f7bb6bfb04c77"
+ logic_hash = "b5d49a8720e4daa21e95ec66299daec42e65906017de886ea91f7bb6bfb04c77"
 score = 75
 quality = 73
 tags = "FILE"
@@ -129866,14 +129866,14 @@ rule FIREEYE_RT_Loader_MSIL_Generic_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "c00f45cf-ac73-5a72-967c-1c69f426585c"
+ id = "f919e3fc-cf76-53af-8f04-24921830666f"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/supplemental/yara/Loader_MSIL_Generic_1.yar#L4-L21"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "b8415b4056c10c15da5bba4826a44ffd"
- logic_hash = "v1_sha256_06cddd7e1c1c778348539cfd50f01d55f86689dec86c045d7ce7b9cd71690e07"
+ logic_hash = "06cddd7e1c1c778348539cfd50f01d55f86689dec86c045d7ce7b9cd71690e07"
 score = 75
 quality = 75
 tags = "FILE"
@@ -129897,7 +129897,7 @@ rule FIREEYE_RT_Loader_Win_Generic_19 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "d7c3a10c-df14-534f-9f76-dfaae40c5f07"
+ id = "4f4427ee-0f7d-5442-98a6-402d8b797289"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -129905,7 +129905,7 @@ rule FIREEYE_RT_Loader_Win_Generic_19 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/supplemental/yara/Loader_Win_Generic_19.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "3fb9341fb11eca439b50121c6f7c59c7"
- logic_hash = "v1_sha256_6db9696663c19857c1f89339b8cc9b0565e877f34e8d8cf77b89ef22b3f41683"
+ logic_hash = "6db9696663c19857c1f89339b8cc9b0565e877f34e8d8cf77b89ef22b3f41683"
 score = 75
 quality = 75
 tags = "FILE"
@@ -129925,7 +129925,7 @@ rule FIREEYE_RT_Loader_Win_Generic_20 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "1b08c0a8-1a05-5fc2-8f30-82b5808134d7"
+ id = "d1d3eff8-d12e-53f6-8c30-06ecedaf3f49"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -129933,7 +129933,7 @@ rule FIREEYE_RT_Loader_Win_Generic_20 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/supplemental/yara/Loader_Win_Generic_20.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "5125979110847d35a338caac6bff2aa8"
- logic_hash = "v1_sha256_9611aed2b4e4278d40254cb5c4fe94a458cfa19f10e6fe888bc7ceb166669cc6"
+ logic_hash = "9611aed2b4e4278d40254cb5c4fe94a458cfa19f10e6fe888bc7ceb166669cc6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -129953,14 +129953,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_REDTEAMMATERIALS_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'red_team_materials' project."
 author = "FireEye"
- id = "dc012c59-eef2-5175-a22b-9119c4ccbe3a"
+ id = "272cd3e9-884a-566b-ae90-4a79ee726a8d"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_REDTEAMMATERIALS_1.yar#L4-L16"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_ca54a1e8335c4256295fc643f5d31eae2e89f020dc7a9b571c4772edaad08022"
+ logic_hash = "ca54a1e8335c4256295fc643f5d31eae2e89f020dc7a9b571c4772edaad08022"
 score = 75
 quality = 71
 tags = "FILE"
@@ -129978,14 +129978,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPDACL_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpdacl' project."
 author = "FireEye"
- id = "599b10e5-318b-5c23-8cf7-e19da0da6956"
+ id = "13f4e3ea-1e36-5fad-9197-66511d6f026a"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPDACL_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_5f44ec5ddded18fb3a9132b469b2fe7ccbffb3f907325485f0f72fe3d6bbfa23"
+ logic_hash = "5f44ec5ddded18fb3a9132b469b2fe7ccbffb3f907325485f0f72fe3d6bbfa23"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130002,14 +130002,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPWEBCRAWLER_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpwebcrawler' project."
 author = "FireEye"
- id = "f9f74cf4-9200-52ca-b257-882d6f17ce94"
+ id = "29b2a410-bcc4-58df-b192-7a413b3db1c0"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPWEBCRAWLER_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_8df328663a813ca0a6864ae0503cbc1b03cfdf839215b9b4f2bb7962adf09bf8"
+ logic_hash = "8df328663a813ca0a6864ae0503cbc1b03cfdf839215b9b4f2bb7962adf09bf8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130026,14 +130026,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSQLCLIENT_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpsqlclient' project."
 author = "FireEye"
- id = "a8fe10e4-c20e-5925-912d-b89bd38e0104"
+ id = "4d526c36-f56f-53cf-9bdf-b7a15619eb41"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPSQLCLIENT_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_bc79f80582f4fadecf54d926abdcf61694224654ba5075203f0d1123cf11afc1"
+ logic_hash = "bc79f80582f4fadecf54d926abdcf61694224654ba5075203f0d1123cf11afc1"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130050,14 +130050,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPNFS_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpnfs' project."
 author = "FireEye"
- id = "6cb20e48-276c-5a13-bc3a-3c794550e367"
+ id = "b9d1b4e8-644a-5611-85e8-a124f915b443"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPNFS_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_e7f9883376b153849970599d9ecc308882eb86a67834cfd8ab06b44539346125"
+ logic_hash = "e7f9883376b153849970599d9ecc308882eb86a67834cfd8ab06b44539346125"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130074,14 +130074,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPDNS_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpdns' project."
 author = "FireEye"
- id = "ce7ae7b5-97c7-5f94-9ce4-6cbb0052702f"
+ id = "db6b45be-f42f-5d0f-b50a-32e7a2cbfce6"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPDNS_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_bab36f9b1532c3b24c2aea2907006820ed7cf1c90dae7a8138962e14ac9eff55"
+ logic_hash = "bab36f9b1532c3b24c2aea2907006820ed7cf1c90dae7a8138962e14ac9eff55"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130098,14 +130098,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPPATCHCHECK_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharppatchcheck' project."
 author = "FireEye"
- id = "8b0a4243-d6a1-51b6-94a6-7200bb97723a"
+ id = "dedc12b9-b9e7-5c13-ad6d-2e286aba2302"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPPATCHCHECK_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_dec6231b656eed1526d4f70fe1b9a476bfb06246f0a7c25f2687d8c68886d400"
+ logic_hash = "dec6231b656eed1526d4f70fe1b9a476bfb06246f0a7c25f2687d8c68886d400"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130122,14 +130122,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_MODIFIEDSHARPVIEW_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'modifiedsharpview' project."
 author = "FireEye"
- id = "acf9e600-04e7-5ab3-ac18-670f07c13698"
+ id = "e07d3d4b-fba3-5df7-85f4-927bb8cec2d1"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "db0eaad52465d5a2b86fdd6a6aa869a5"
- logic_hash = "v1_sha256_a47c48da998243fab92665649fb9d6ecc6ac32e1fd884c2c0d5ccecb05290c10"
+ logic_hash = "a47c48da998243fab92665649fb9d6ecc6ac32e1fd884c2c0d5ccecb05290c10"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130146,14 +130146,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPNATIVEZIPPER_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpnativezipper' project."
 author = "FireEye"
- id = "f5a07068-b035-5295-9ec7-df626dd6b06c"
+ id = "c48835a7-06fe-5b30-be4d-086d98dc7a21"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPNATIVEZIPPER_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_fa54375b21abbb613e695f70a15233575fbe6e0536716544bb3b527f5e3ed8c6"
+ logic_hash = "fa54375b21abbb613e695f70a15233575fbe6e0536716544bb3b527f5e3ed8c6"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130170,14 +130170,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_DNSOVERHTTPS_C2_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public 'DoHC2' External C2 project."
 author = "FireEye"
- id = "0c23b84a-cef2-508d-b8cb-0fb7e7dae977"
+ id = "ee71be6c-e3c8-5365-9f32-157f00066c49"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_DNSOVERHTTPS_C2_1.yar#L4-L16"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_a482161bbd8e249977f28466ff1381d4693495f8b8ccd9183ae4fde1ec1471eb"
+ logic_hash = "a482161bbd8e249977f28466ff1381d4693495f8b8ccd9183ae4fde1ec1471eb"
 score = 75
 quality = 71
 tags = "FILE"
@@ -130195,14 +130195,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPTEMPLATE_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharptemplate' project."
 author = "FireEye"
- id = "016cacca-a0d5-51f1-94de-85dcd964aaf1"
+ id = "0ca9a13c-e0a0-588b-be13-5954b17d95b1"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPTEMPLATE_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_9746c1ab7b945d311c53fbdf95993d255369e06b23a3279c9f2e8a4df73ab63c"
+ logic_hash = "9746c1ab7b945d311c53fbdf95993d255369e06b23a3279c9f2e8a4df73ab63c"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130219,14 +130219,14 @@ rule FIREEYE_RT_Credtheft_MSIL_Credsnatcher_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CredSnatcher' project."
 author = "FireEye"
- id = "3e5726f5-b45f-5d74-8e5d-b6720349ff50"
+ id = "0d8f7495-4748-577d-8ef2-ccc4829fc165"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/CredTheft_MSIL_CredSnatcher_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_2c86be1bcf29bcb2c167f9248dee0ab4a5a5c6740fb1f18784ee2e380176df91"
+ logic_hash = "2c86be1bcf29bcb2c167f9248dee0ab4a5a5c6740fb1f18784ee2e380176df91"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130243,14 +130243,14 @@ rule FIREEYE_RT_Credtheft_MSIL_Wcmdump_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WCMDump' project."
 author = "FireEye"
- id = "10b38597-8f7f-5806-8005-4ae269513eb6"
+ id = "22796ccb-a01e-59d8-8c3a-6cbb62899940"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/CredTheft_MSIL_WCMDump_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_9fbf53e551342695b306b10f30a3fe32dff359bd70e84e1fa1f190772f5dcbe3"
+ logic_hash = "9fbf53e551342695b306b10f30a3fe32dff359bd70e84e1fa1f190772f5dcbe3"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130267,14 +130267,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPZIPLIBZIPPER_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpziplibzipper' project."
 author = "FireEye"
- id = "1e4b7a6f-183d-5cd4-b170-88547011de5b"
+ id = "392a52be-29ae-58e1-b517-1ab34a1e1fb8"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPZIPLIBZIPPER_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_19354edb91a0d79fdf79437f7247bcf155514db40340af91a3320b556dc2e4c2"
+ logic_hash = "19354edb91a0d79fdf79437f7247bcf155514db40340af91a3320b556dc2e4c2"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130291,14 +130291,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_PRAT_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'prat' project."
 author = "FireEye"
- id = "fb38ea69-a7e9-54f2-84ca-93e3147c6579"
+ id = "4a876eb0-ed2f-5ef2-a9b3-ba728b07c8c0"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_PRAT_1.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_d707f017b56b0a873f1edca085ad40fc70cb24e8c9844f377bc28871a941d0b4"
+ logic_hash = "d707f017b56b0a873f1edca085ad40fc70cb24e8c9844f377bc28871a941d0b4"
 score = 75
 quality = 67
 tags = "FILE"
@@ -130318,14 +130318,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPGOPHER_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpgopher' project."
 author = "FireEye"
- id = "75e19faf-b636-5603-8937-7124b74209a8"
+ id = "cc8eb9cd-9a51-5fab-b0a4-247baaa69dd7"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/UNCATEGORIZED/production/yara/APT_HackTool_MSIL_SHARPGOPHER_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_ac37f77440cb76d7dafa4c9b4130471ca6ca760f6d72691db9ebb8cbaaad0c58"
+ logic_hash = "ac37f77440cb76d7dafa4c9b4130471ca6ca760f6d72691db9ebb8cbaaad0c58"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130342,14 +130342,14 @@ rule FIREEYE_RT_Tool_MSIL_Csharputils_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CSharpUtils' project."
 author = "FireEye"
- id = "be8917c6-eadc-59a6-8cf2-6bb44c2fab2b"
+ id = "a0e8c45a-759a-5611-aa2a-3113a75fb651"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPUTILS/production/yara/Tool_MSIL_CSharpUtils_1.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_11dfd44fb4ee1e610c2e4a941b3a1e88eafc30a2a2237529150e73bceb2a1324"
+ logic_hash = "11dfd44fb4ee1e610c2e4a941b3a1e88eafc30a2a2237529150e73bceb2a1324"
 score = 75
 quality = 65
 tags = "FILE"
@@ -130370,14 +130370,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpstomp_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharpStomp project."
 author = "FireEye"
- id = "3889e8c2-1b76-50e3-b2a5-3fa8966a6e79"
+ id = "e113c221-fabe-5af4-b763-463c4f86288d"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPSTOMP/production/yara/HackTool_MSIL_SharpStomp_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "83ed748cd94576700268d35666bf3e01"
- logic_hash = "v1_sha256_fd0a3d046734d48be74d9a74f27570468550d21911c54ca82c81a1d64e9fdd17"
+ logic_hash = "fd0a3d046734d48be74d9a74f27570468550d21911c54ca82c81a1d64e9fdd17"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130394,7 +130394,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSTOMP_2 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "e164e66a-1e77-5e88-b328-aedbe60c39b7"
+ id = "d1a3477d-55c6-5c33-bd65-5b1e0d65f24b"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -130402,7 +130402,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSTOMP_2 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPSTOMP/production/yara/APT_HackTool_MSIL_SHARPSTOMP_2.yar#L4-L22"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "83ed748cd94576700268d35666bf3e01"
- logic_hash = "v1_sha256_4ed1553f12c607792d7d4e7026ecb36231cd417a06eba8b2925c2c643436b5fe"
+ logic_hash = "4ed1553f12c607792d7d4e7026ecb36231cd417a06eba8b2925c2c643436b5fe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130425,7 +130425,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSTOMP_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "e02d15b8-497d-53ca-888b-1609436b6a4f"
+ id = "4b4a54c8-9717-5fbb-8130-a49162bc6b07"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -130433,7 +130433,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSTOMP_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPSTOMP/production/yara/APT_HackTool_MSIL_SHARPSTOMP_1.yar#L4-L24"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "83ed748cd94576700268d35666bf3e01"
- logic_hash = "v1_sha256_af8aa0e87d8b6623a908fde5014f3849cd0ca20d5926c798be82ce4eab2668bb"
+ logic_hash = "af8aa0e87d8b6623a908fde5014f3849cd0ca20d5926c798be82ce4eab2668bb"
 score = 75
 quality = 71
 tags = "FILE"
@@ -130458,14 +130458,14 @@ rule FIREEYE_RT_APT_Backdoor_Win_Dshell_2 : FILE
 meta:
 description = "This rule looks for strings specific to the D programming language in combination with a selection of Windows functions that are present within a DShell payload"
 author = "FireEye"
- id = "4dbea9f6-ec01-5d9d-bcb5-14fa81c69fb7"
+ id = "538e150f-0fb9-5a85-9299-9b4a57f8a606"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DSHELL/supplemental/yara/APT_Backdoor_Win_DShell_2.yar#L4-L132"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "e0683f8ee787313cfd2c61cd0995a830"
- logic_hash = "v1_sha256_2b4d33c17cac35153346002c48457d9b46010f1c052df632c647c22c8d96b54c"
+ logic_hash = "2b4d33c17cac35153346002c48457d9b46010f1c052df632c647c22c8d96b54c"
 score = 60
 quality = 20
 tags = "FILE"
@@ -130599,7 +130599,7 @@ rule FIREEYE_RT_APT_Loader_Win32_Dshell_3 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "385b2fd9-a1e0-5296-806e-c55a1846cdb7"
+ id = "6b6fccef-ac93-5f1b-b9b6-c2d3ee4d8da7"
 date = "2020-11-27"
 date = "2020-11-27"
 modified = "2020-12-09"
@@ -130607,7 +130607,7 @@ rule FIREEYE_RT_APT_Loader_Win32_Dshell_3 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DSHELL/production/yara/APT_Loader_Win32_DShell_3.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "12c3566761495b8353f67298f15b882c"
- logic_hash = "v1_sha256_ec2a8b0abc6cb6d1861199b892fbe84782b42babb08e3ea203d10ab17ff7a20a"
+ logic_hash = "ec2a8b0abc6cb6d1861199b892fbe84782b42babb08e3ea203d10ab17ff7a20a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130627,7 +130627,7 @@ rule FIREEYE_RT_APT_Loader_Win32_Dshell_2 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "2591120c-c97c-50c6-8db4-fcf8eb577608"
+ id = "ae34d547-d979-5ce2-bcf8-a5b4e4567de3"
 date = "2020-11-27"
 date = "2020-11-27"
 modified = "2020-12-09"
@@ -130635,7 +130635,7 @@ rule FIREEYE_RT_APT_Loader_Win32_Dshell_2 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DSHELL/production/yara/APT_Loader_Win32_DShell_2.yar#L4-L21"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "590d98bb74879b52b97d8a158af912af"
- logic_hash = "v1_sha256_958ff45add46c0a43e839e8007c1d9296ee89ddd8c045b8ec6b031b225207a6c"
+ logic_hash = "958ff45add46c0a43e839e8007c1d9296ee89ddd8c045b8ec6b031b225207a6c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130657,7 +130657,7 @@ rule FIREEYE_RT_APT_Loader_Win32_Dshell_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "e2784967-a95d-5758-a917-989eae057db3"
+ id = "dad763bd-0e4a-542a-9920-ece11d23ce24"
 date = "2020-11-27"
 date = "2020-11-27"
 modified = "2020-12-09"
@@ -130665,7 +130665,7 @@ rule FIREEYE_RT_APT_Loader_Win32_Dshell_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DSHELL/production/yara/APT_Loader_Win32_DShell_1.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "12c3566761495b8353f67298f15b882c"
- logic_hash = "v1_sha256_79643f9c252765647d80f6fe1ee7bb698fbc6a6c3a0ff1fd819a09bff031907c"
+ logic_hash = "79643f9c252765647d80f6fe1ee7bb698fbc6a6c3a0ff1fd819a09bff031907c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130686,7 +130686,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_FLUFFY_2 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "e2b7ad62-5ae3-5532-9727-2fa8a2f21db3"
+ id = "ce39710e-7649-5f7d-bbbe-65dc30f678e8"
 date = "2020-12-04"
 date = "2020-12-04"
 modified = "2020-12-09"
@@ -130694,7 +130694,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_FLUFFY_2 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/FLUFFY/production/yara/APT_HackTool_MSIL_FLUFFY_2.yar#L4-L21"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "11b5aceb428c3e8c61ed24a8ca50553e"
- logic_hash = "v1_sha256_872ab717668375a49d6c7b1927a680747b405c0198fe4fc6f43ccc562870eb37"
+ logic_hash = "872ab717668375a49d6c7b1927a680747b405c0198fe4fc6f43ccc562870eb37"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130716,7 +130716,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_FLUFFY_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "d35d3cf9-e208-5ce1-9d6e-2ae75457d5fb"
+ id = "6593202d-9b30-59ed-98c0-3e730fb5ceb7"
 date = "2020-12-04"
 date = "2020-12-04"
 modified = "2020-12-09"
@@ -130724,7 +130724,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_FLUFFY_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/FLUFFY/production/yara/APT_HackTool_MSIL_FLUFFY_1.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "11b5aceb428c3e8c61ed24a8ca50553e"
- logic_hash = "v1_sha256_4d91c96ab7b628e88f79ee193612acc959448fe2220ef54371f5f5c6e7305d86"
+ logic_hash = "4d91c96ab7b628e88f79ee193612acc959448fe2220ef54371f5f5c6e7305d86"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130743,14 +130743,14 @@ rule FIREEYE_RT_MSIL_Launcher_DUEDLLIGENCE_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'DUEDLLIGENCE' project."
 author = "FireEye"
- id = "91054593-376e-559c-a5a0-995fed98cb1b"
+ id = "86f0ebe5-110b-53e2-bba5-676f00c2cddd"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DUEDLLIGENCE/production/yara/MSIL_Launcher_DUEDLLIGENCE_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "a91bf61cc18705be2288a0f6f125068f"
- logic_hash = "v1_sha256_bd6abaa909f0c776d81ed1115e875888336661c91df3881f4f3ea5dd27e115f8"
+ logic_hash = "bd6abaa909f0c776d81ed1115e875888336661c91df3881f4f3ea5dd27e115f8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130767,14 +130767,14 @@ rule FIREEYE_RT_Hacktool_MSIL_HOLSTER_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the a customized version of the 'DUEDLLIGENCE' project."
 author = "FireEye"
- id = "78538dd6-2ce0-55da-af2d-3dda8c09b06c"
+ id = "e1e8979e-2dee-5061-a11d-00dcfba476c3"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DUEDLLIGENCE/production/yara/HackTool_MSIL_HOLSTER_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "a91bf61cc18705be2288a0f6f125068f"
- logic_hash = "v1_sha256_bc254a1ab71f2a6092f139ce5a85347a7a4976f963603ffbbebb9b0d6ce6573c"
+ logic_hash = "bc254a1ab71f2a6092f139ce5a85347a7a4976f963603ffbbebb9b0d6ce6573c"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130791,13 +130791,13 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_2 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "9a464f4a-0c3e-5ef8-82b5-764e423cacd5"
+ id = "b10b476a-0d38-53e4-80cf-559618729268"
 date = "2020-12-18"
 modified = "2020-12-18"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_2.yar#L5-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
- logic_hash = "v1_sha256_5a2e0559e3b47c1957a42929fbbeba7a53c21619125381b01dcd8453b6ec4802"
+ logic_hash = "5a2e0559e3b47c1957a42929fbbeba7a53c21619125381b01dcd8453b6ec4802"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130815,13 +130815,13 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_3 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "d64c1de1-d2a8-5302-8c89-1ccfca46efeb"
+ id = "42e4e777-6d51-5733-97df-dc27f13a27b7"
 date = "2020-12-18"
 modified = "2020-12-18"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_3.yar#L5-L16"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
- logic_hash = "v1_sha256_41cc6a4c7765b1e5e88d12660b69e434c83938ca974b9ccf6545b4dd5dd78378"
+ logic_hash = "41cc6a4c7765b1e5e88d12660b69e434c83938ca974b9ccf6545b4dd5dd78378"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130840,13 +130840,13 @@ rule FIREEYE_RT_Loader_MSIL_DUEDLLIGENCE_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "7ec29155-855e-56e2-9c48-05e1f73f7405"
+ id = "d438575f-3cb2-5cff-b5d4-733044f62e61"
 date = "2020-12-18"
 modified = "2020-12-18"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/DUEDLLIGENCE/production/yara/Loader_MSIL_DUEDLLIGENCE_1.yar#L5-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
- logic_hash = "v1_sha256_56237d686b954950849adeedc87d5f9fbff2335a0ff033ba8571b3e3b93f587c"
+ logic_hash = "56237d686b954950849adeedc87d5f9fbff2335a0ff033ba8571b3e3b93f587c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130864,14 +130864,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Corehound_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CoreHound' project."
 author = "FireEye"
- id = "e78cdb17-d4d1-5ed0-8a16-8a24ab478c13"
+ id = "8c914b34-3e3d-53ae-a5e4-9dbfdff45a24"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/COREHOUND/production/yara/HackTool_MSIL_CoreHound_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_b0f759709428d5c9404507a13259bf85cb8c405d38b807539098f7cc871023d8"
+ logic_hash = "b0f759709428d5c9404507a13259bf85cb8c405d38b807539098f7cc871023d8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -130888,7 +130888,7 @@ rule FIREEYE_RT_Loader_Win_Generic_17 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "9fc06c64-0498-5606-8616-d6bea2700655"
+ id = "4e5bf741-c1e3-54af-9580-02925ba6fc6a"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -130896,7 +130896,7 @@ rule FIREEYE_RT_Loader_Win_Generic_17 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BEACON/supplemental/yara/Loader_Win_Generic_17.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "562ecbba043552d59a0f23f61cea0983"
- logic_hash = "v1_sha256_5c20472c3af0c5b8c825671b12763900d6a711695ed04661b33cbf442422348d"
+ logic_hash = "5c20472c3af0c5b8c825671b12763900d6a711695ed04661b33cbf442422348d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130916,7 +130916,7 @@ rule FIREEYE_RT_Trojan_Win_Generic_101 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "42e93143-87c1-518f-a09a-021e871a8bbe"
+ id = "0290aaea-d65b-5883-97f9-549d107e3e1f"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -130924,7 +130924,7 @@ rule FIREEYE_RT_Trojan_Win_Generic_101 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BEACON/supplemental/yara/Trojan_Win_Generic_101.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "2e67c62bd0307c04af469ee8dcb220f2"
- logic_hash = "v1_sha256_e530183f3cab01560b1abc91e2111e5d9e5aadc1c8134027ac07d8917f9419a0"
+ logic_hash = "e530183f3cab01560b1abc91e2111e5d9e5aadc1c8134027ac07d8917f9419a0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130945,7 +130945,7 @@ rule FIREEYE_RT_Trojan_Raw_Generic_4 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "b8ea8a99-aaf6-5109-b1a5-acb5dc76e1c2"
+ id = "9092f9bb-cab6-55c0-9452-70a6407db93a"
 date = "2020-12-02"
 date = "2020-12-02"
 modified = "2020-12-09"
@@ -130953,7 +130953,7 @@ rule FIREEYE_RT_Trojan_Raw_Generic_4 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BEACON/supplemental/yara/Trojan_Raw_Generic_4.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "f41074be5b423afb02a74bc74222e35d"
- logic_hash = "v1_sha256_8ffd23631c1a9d1abe6695858ec34d61261b3b3f097be94372f3f34e46e7211e"
+ logic_hash = "8ffd23631c1a9d1abe6695858ec34d61261b3b3f097be94372f3f34e46e7211e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130971,7 +130971,7 @@ rule FIREEYE_RT_Loader_Win_Generic_18 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "e1df0f66-0e93-5855-9813-888f97068a1f"
+ id = "6f44bd64-29bd-50e2-8b61-7ba61bb1f688"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -130979,7 +130979,7 @@ rule FIREEYE_RT_Loader_Win_Generic_18 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BEACON/supplemental/yara/Loader_Win_Generic_18.yar#L4-L19"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "c74ebb6c238bbfaefd5b32d2bf7c7fcc"
- logic_hash = "v1_sha256_28c9497f646fcf3daf7007d7afd37971dd85382062c064173f13049ad419fef1"
+ logic_hash = "28c9497f646fcf3daf7007d7afd37971dd85382062c064173f13049ad419fef1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -130999,14 +130999,14 @@ rule FIREEYE_RT_Hacktool_MSIL_SEATBELT_1 : FILE
 meta:
 description = "This rule looks for .NET PE files that have regex and format strings found in the public tool SeatBelt. Due to the nature of the regex and format strings used for detection, this rule should detect custom variants of the SeatBelt project."
 author = "FireEye"
- id = "b249aafc-e1ee-5ab7-b2cc-be9e18a8574b"
+ id = "46477f87-2458-5b8e-894a-9aa536a441ad"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BELTALOWDA/production/yara/HackTool_MSIL_SEATBELT_1.yar#L4-L25"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "848837b83865f3854801be1f25cb9f4d"
- logic_hash = "v1_sha256_4248e5561ef60e725c23efc89c899d6fc8be5bf2142f700fb70daecd72c30dd8"
+ logic_hash = "4248e5561ef60e725c23efc89c899d6fc8be5bf2142f700fb70daecd72c30dd8"
 score = 75
 quality = 30
 tags = "FILE"
@@ -131033,14 +131033,14 @@ rule FIREEYE_RT_Hacktool_MSIL_SEATBELT_2 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SeatBelt project."
 author = "FireEye"
- id = "ad506948-35f2-565d-bf22-be4a0fe5fefd"
+ id = "225b42fe-c73a-59c0-a1f4-1d6dff6e76e1"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/BELTALOWDA/production/yara/HackTool_MSIL_SEATBELT_2.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "9f401176a9dd18fa2b5b90b4a2aa1356"
- logic_hash = "v1_sha256_e48474c5025fd88e3c2824e1e943ff56cde0ea05984aad0249ccf73caa6d4a36"
+ logic_hash = "e48474c5025fd88e3c2824e1e943ff56cde0ea05984aad0249ccf73caa6d4a36"
 score = 75
 quality = 73
 tags = "FILE"
@@ -131057,14 +131057,14 @@ rule FIREEYE_RT_Loader_MSIL_Inmemorycompilation_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'In-MemoryCompilation' project."
 author = "FireEye"
- id = "14d782eb-a59b-5e4a-83a7-4d3108cec20d"
+ id = "80234352-a449-5292-9f0c-beb7a1d39a6c"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MEMCOMP/production/yara/Loader_MSIL_InMemoryCompilation_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_a964a186eb02a2792db01727a31ddaa2414fe9df83cda9b1c9db15d94603303a"
+ logic_hash = "a964a186eb02a2792db01727a31ddaa2414fe9df83cda9b1c9db15d94603303a"
 score = 75
 quality = 73
 tags = "FILE"
@@ -131081,14 +131081,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpersist_2 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "85f8ae70-5f1e-5e05-a06f-8bb6072756ed"
+ id = "49d7891e-b97a-52a8-acfd-bbf986732d6c"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPERSIST/production/yara/HackTool_MSIL_SharPersist_2.yar#L4-L23"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "98ecf58d48a3eae43899b45cec0fc6b7"
- logic_hash = "v1_sha256_57387352f8fd08e8b859dffc1164d46370f248b337526c265634160010572a00"
+ logic_hash = "57387352f8fd08e8b859dffc1164d46370f248b337526c265634160010572a00"
 score = 75
 quality = 75
 tags = "FILE"
@@ -131114,14 +131114,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharpersist_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPersist project."
 author = "FireEye"
- id = "9a2fb205-2f1e-5a99-bc51-2e03518a15a9"
+ id = "586e6c91-6970-57d1-8d8c-05ae9eb6117a"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPERSIST/production/yara/HackTool_MSIL_SharPersist_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "98ecf58d48a3eae43899b45cec0fc6b7"
- logic_hash = "v1_sha256_cf480026c31b522850e25ba2d7986773d9c664242a2667ecd33151621c98c91e"
+ logic_hash = "cf480026c31b522850e25ba2d7986773d9c664242a2667ecd33151621c98c91e"
 score = 75
 quality = 73
 tags = "FILE"
@@ -131138,14 +131138,14 @@ rule FIREEYE_RT_Loader_MSIL_Csharpsectioninjection_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'C_Sharp_SectionInjection' project."
 author = "FireEye"
- id = "c0d32b27-050c-5f1c-a145-db627ade6ed1"
+ id = "ca5bf5cd-1950-53ed-8984-e880a15e658e"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPSECTIONINJECTION/production/yara/Loader_MSIL_CSharpSectionInjection_1.yar#L4-L15"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_011cf4dffe6ef90a79cdfabb0e297152c00b0404b1801f56fd7e703ab90b1692"
+ logic_hash = "011cf4dffe6ef90a79cdfabb0e297152c00b0404b1801f56fd7e703ab90b1692"
 score = 75
 quality = 73
 tags = "FILE"
@@ -131162,7 +131162,7 @@ rule FIREEYE_RT_Hacktool_Win32_Andrewspecial_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "45309439-9b67-5a21-b6a1-bd0c255485d9"
+ id = "69e27e92-d68e-5543-bada-170e32733dbb"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -131170,7 +131170,7 @@ rule FIREEYE_RT_Hacktool_Win32_Andrewspecial_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TITOSPECIAL/production/yara/HackTool_Win32_AndrewSpecial_1.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "e89efa88e3fda86be48c0cc8f2ef7230"
- logic_hash = "v1_sha256_529a49fb21250069111d03a174901dc2e1623ee2a1f446aae1bdb1579a227dd3"
+ logic_hash = "529a49fb21250069111d03a174901dc2e1623ee2a1f446aae1bdb1579a227dd3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -131189,14 +131189,14 @@ rule FIREEYE_RT_Credtheft_MSIL_Titospecial_2 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the TitoSpecial project. There are 2 GUIDs in this rule as the x86 and x64 versions of this tool use a different ProjectGuid."
 author = "FireEye"
- id = "5d091e1e-204f-5c97-9c99-9ec005b1560b"
+ id = "0262c720-e6b8-5bf2-a242-19a7f044973f"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TITOSPECIAL/production/yara/CredTheft_MSIL_TitoSpecial_2.yar#L4-L16"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "4bf96a7040a683bd34c618431e571e26"
- logic_hash = "v1_sha256_2f621f8de2a4679e6cbce7f41859eaa3095ca54090c8bfccd3b767590ac91f2c"
+ logic_hash = "2f621f8de2a4679e6cbce7f41859eaa3095ca54090c8bfccd3b767590ac91f2c"
 score = 75
 quality = 71
 tags = "FILE"
@@ -131214,14 +131214,14 @@ rule FIREEYE_RT_Credtheft_MSIL_Titospecial_1 : FILE
 meta:
 description = "This rule looks for .NET PE files that have the strings of various method names in the TitoSpecial code."
 author = "FireEye"
- id = "6cc98531-bcf1-5ead-a5b5-b8da6520076c"
+ id = "932bb013-03de-5cf7-89e9-b3232151d303"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TITOSPECIAL/production/yara/CredTheft_MSIL_TitoSpecial_1.yar#L4-L27"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "4bf96a7040a683bd34c618431e571e26"
- logic_hash = "v1_sha256_4ac9a5ede4aea5d73545b459eb635f87ce08ba521afa48b76d2cfa94f1379226"
+ logic_hash = "4ac9a5ede4aea5d73545b459eb635f87ce08ba521afa48b76d2cfa94f1379226"
 score = 75
 quality = 75
 tags = "FILE"
@@ -131250,7 +131250,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_TITOSPECIAL_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "dd2992ec-d99b-5cf0-8b1e-d199c61569a2"
+ id = "b12490ba-41f6-5469-bcbb-0d2e0055c193"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -131258,7 +131258,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_TITOSPECIAL_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TITOSPECIAL/production/yara/APT_HackTool_MSIL_TITOSPECIAL_1.yar#L4-L20"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "4bf96a7040a683bd34c618431e571e26"
- logic_hash = "v1_sha256_6def0c667d38c1bad9233628e509bdcaed322e75be4ff3823b0f788c391e090c"
+ logic_hash = "6def0c667d38c1bad9233628e509bdcaed322e75be4ff3823b0f788c391e090c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -131279,7 +131279,7 @@ rule FIREEYE_RT_Hacktool_Win64_Andrewspecial_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "2b12f9f3-4e8c-559f-9b7e-e4c6e547da8c"
+ id = "20ce4902-4eb3-5ecf-aa8c-0515965dde57"
 date = "2020-11-25"
 date = "2020-11-25"
 modified = "2020-12-09"
@@ -131287,7 +131287,7 @@ rule FIREEYE_RT_Hacktool_Win64_Andrewspecial_1 : FILE
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TITOSPECIAL/production/yara/HackTool_Win64_AndrewSpecial_1.yar#L4-L18"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "4456e52f6f8543c3ba76cb25ea3e9bd2"
- logic_hash = "v1_sha256_96f06c46dfec795fcfd08c188853d0a3f781003ae118833719a175eb59049c0d"
+ logic_hash = "96f06c46dfec795fcfd08c188853d0a3f781003ae118833719a175eb59049c0d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -131306,14 +131306,14 @@ rule FIREEYE_RT_Loader_MSIL_Netassemblyinject_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NET-Assembly-Inject' project."
 author = "FireEye"
- id = "15ac2d3d-feb4-5ef9-ae3e-3c1414c131f1"
+ id = "62a7dc4c-678b-5f13-9661-4679eafe1c72"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/NETASSEMBLYINJECT/production/yara/Loader_MSIL_NETAssemblyInject_1.yar#L4-L17"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_9a43df9ee26a44f4db5c2d22fbc1a6c86c5af0c9d44a79c6627a4cc8cf31bb8d"
+ logic_hash = "9a43df9ee26a44f4db5c2d22fbc1a6c86c5af0c9d44a79c6627a4cc8cf31bb8d"
 score = 75
 quality = 69
 tags = "FILE"
@@ -131332,13 +131332,13 @@ rule FIREEYE_RT_FE_APT_Loader_MSIL_REVOLVER_1 : FILE
 meta:
 description = "No description has been set in the source file - FireEye-RT"
 author = "FireEye"
- id = "1303f53e-74d5-5e12-82b6-99b484b6b222"
+ id = "d99620e0-39ed-58db-acce-0d885a9e0bf7"
 date = "2020-12-18"
 modified = "2020-12-18"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REVOLVER/production/yara/APT_Loader_MSIL_REVOLVER_1.yar#L5-L14"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
- logic_hash = "v1_sha256_1231f4c961dec122ebcb142052c2c7c03acf9b556cdb71a3efabde6bcf50a939"
+ logic_hash = "1231f4c961dec122ebcb142052c2c7c03acf9b556cdb71a3efabde6bcf50a939"
 score = 75
 quality = 75
 tags = "FILE"
@@ -131355,14 +131355,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_REVOLVER_1 : FILE
 meta:
 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'revolver' project."
 author = "FireEye"
- id = "7946b3d8-ddbb-5b96-a546-1a9de85526cc"
+ id = "8fa5adb7-dc66-51bc-9f60-2308515f33a8"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
 source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/REVOLVER/production/yara/APT_HackTool_MSIL_REVOLVER_1.yar#L4-L16"
 license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
 hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_8df8a56ed55b7857adb95daa643d544a49eb5f1952b4ad3ef757c34dad2ce317"
+ logic_hash = "8df8a56ed55b7857adb95daa643d544a49eb5f1952b4ad3ef757c34dad2ce317"
 score = 75
 quality = 71
 tags = "FILE"
@@ -131380,14 +131380,14 @@ rule FIREEYE_RT_Hacktool_MSIL_PXELOOT_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the PXE And Loot project."
  author = "FireEye"
- id = "bf6a1eba-c96d-591f-b527-dd9060ba71d4"
+ id = "5a72a6ff-bae4-57f5-a19b-a4595ac57293"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PXELOOT/production/yara/HackTool_MSIL_PXELOOT_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "82e33011ac34adfcced6cddc8ea56a81"
- logic_hash = "v1_sha256_c9892adcb9ff5471235e45988f6662d3b8f984fdafca7024a5781eed50f6c0b3"
+ logic_hash = "c9892adcb9ff5471235e45988f6662d3b8f984fdafca7024a5781eed50f6c0b3"
  score = 75
  quality = 73
  tags = "FILE"
@@ -131404,7 +131404,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_TRIMBISHOP_1 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "634c4bcb-3624-50f7-b933-cd7664c83ca5"
+ id = "1a3f4247-25f4-51ca-b881-209c0753b915"
  date = "2020-12-03"
  date = "2020-12-03"
  modified = "2020-12-09"
@@ -131412,7 +131412,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_TRIMBISHOP_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TRIMBISHOP/production/yara/APT_Loader_MSIL_TRIMBISHOP_1.yar#L4-L22"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "e91670423930cbbd3dbf5eac1f1a7cb6"
- logic_hash = "v1_sha256_f020efff58c8b7761d700c662c422a9e1ffdf8fe5f6648e421b7c257e3b8d078"
+ logic_hash = "f020efff58c8b7761d700c662c422a9e1ffdf8fe5f6648e421b7c257e3b8d078"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131435,14 +131435,14 @@ rule FIREEYE_RT_Loader_MSIL_Ruralbishop_3 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public RuralBishop project."
  author = "FireEye"
- id = "9056d9c0-ffb4-5636-bbce-51a1ac6a51df"
+ id = "55a060ef-74e2-50d9-9090-558aaa04d97d"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TRIMBISHOP/production/yara/Loader_MSIL_RuralBishop_3.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "09bdbad8358b04994e2c04bb26a160ef"
- logic_hash = "v1_sha256_a4c55dede432c249e36e96ca09555448b0343969d389bfdb4bd459fe34e05ea1"
+ logic_hash = "a4c55dede432c249e36e96ca09555448b0343969d389bfdb4bd459fe34e05ea1"
  score = 75
  quality = 73
  tags = "FILE"
@@ -131459,7 +131459,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_TRIMBISHOP_2 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "28fd8856-8579-5236-a7f5-b0a301d50f6c"
+ id = "90ee2569-2e68-517b-b2d7-8c4015d92683"
  date = "2020-12-03"
  date = "2020-12-03"
  modified = "2020-12-09"
@@ -131467,7 +131467,7 @@ rule FIREEYE_RT_APT_Loader_MSIL_TRIMBISHOP_2 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TRIMBISHOP/production/yara/APT_Loader_MSIL_TRIMBISHOP_2.yar#L4-L22"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "c0598321d4ad4cf1219cc4f84bad4094"
- logic_hash = "v1_sha256_4cccfca0c06954105f762066741b6c35599a6c28df8b7c255a2659059169578f"
+ logic_hash = "4cccfca0c06954105f762066741b6c35599a6c28df8b7c255a2659059169578f"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131490,14 +131490,14 @@ rule FIREEYE_RT_Loader_MSIL_Trimbishop_1 : FILE
  meta:
  description = "This rule looks for .NET PE files that have the string 'msg' more than 60 times as well as numerous function names unique to or used by the TrimBishop tool. All strings found in RuralBishop are reversed in TrimBishop and stored in a variable with the format 'msg##'. With the exception of 'msg', 'DTrim', and 'ReverseString' the other strings referenced in this rule may be shared with RuralBishop."
  author = "FireEye"
- id = "f41e4fa7-318f-5a0c-bb18-662c1298a308"
+ id = "4d58f0a2-bf16-584c-8e92-c8ef54427767"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TRIMBISHOP/production/yara/Loader_MSIL_TrimBishop_1.yar#L4-L26"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "09bdbad8358b04994e2c04bb26a160ef"
- logic_hash = "v1_sha256_018e87542301db22c384fda2709e8d49711c0fa041d1ef591f98ee7a70dbb677"
+ logic_hash = "018e87542301db22c384fda2709e8d49711c0fa041d1ef591f98ee7a70dbb677"
  score = 75
  quality = 50
  tags = "FILE"
@@ -131525,7 +131525,7 @@ rule FIREEYE_RT_Loader_MSIL_RURALBISHOP_1 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "30be2169-83e5-5c66-8dbc-04e422803d31"
+ id = "1b5f1f39-9fa2-5940-8da3-03808e4b7a5d"
  date = "2020-12-03"
  date = "2020-12-03"
  modified = "2020-12-09"
@@ -131533,7 +131533,7 @@ rule FIREEYE_RT_Loader_MSIL_RURALBISHOP_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TRIMBISHOP/new/yara/Loader_MSIL_RURALBISHOP_1.yar#L4-L22"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "e91670423930cbbd3dbf5eac1f1a7cb6"
- logic_hash = "v1_sha256_f2244c6761639c1162a77a5e82296903c3cc21fbf46d262c779c5e4d6a2ef937"
+ logic_hash = "f2244c6761639c1162a77a5e82296903c3cc21fbf46d262c779c5e4d6a2ef937"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131556,7 +131556,7 @@ rule FIREEYE_RT_Loader_MSIL_RURALBISHOP_2 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "f449e36c-48bb-5ddc-a209-0d2bebb04c08"
+ id = "3befb3f2-81d1-5db2-84d9-773158b9837c"
  date = "2020-12-03"
  date = "2020-12-03"
  modified = "2020-12-09"
@@ -131564,7 +131564,7 @@ rule FIREEYE_RT_Loader_MSIL_RURALBISHOP_2 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/TRIMBISHOP/new/yara/Loader_MSIL_RURALBISHOP_2.yar#L4-L22"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "e91670423930cbbd3dbf5eac1f1a7cb6"
- logic_hash = "v1_sha256_0467532d643cf0200c6561b0724c884230892bf59db163c311b7d4f8acbb63d6"
+ logic_hash = "0467532d643cf0200c6561b0724c884230892bf59db163c311b7d4f8acbb63d6"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131587,14 +131587,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_GPOHUNT_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'gpohunt' project."
  author = "FireEye"
- id = "0f15c2c4-6ba2-5418-9a10-cbf857a03dd3"
+ id = "e4325f11-103c-5893-8978-9a72f7ca6105"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/GPOHUNT/production/yara/APT_HackTool_MSIL_GPOHUNT_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_4b1f175dac123a6340494e2730d66c718478fb7618dc5611315992ed33e0f6c7"
+ logic_hash = "4b1f175dac123a6340494e2730d66c718478fb7618dc5611315992ed33e0f6c7"
  score = 50
  quality = 73
  tags = "FILE"
@@ -131611,13 +131611,13 @@ rule FIREEYE_RT_APT_Loader_MSIL_LUALOADER_2 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "b1edf3ed-a0bf-5d9e-bddd-f6804692f27d"
+ id = "f2826dbb-f0a4-5361-94d1-8509c60c4131"
  date = "2020-12-18"
  modified = "2020-12-18"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/LUALOADER/production/yara/APT_Loader_MSIL_LUALOADER_2.yar#L4-L19"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
- logic_hash = "v1_sha256_700927768669eda6976071306e991bfaae136279f4265980521597c699fbed88"
+ logic_hash = "700927768669eda6976071306e991bfaae136279f4265980521597c699fbed88"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131640,13 +131640,13 @@ rule FIREEYE_RT_APT_Loader_MSIL_LUALOADER_1 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "25374fb5-62ac-5b72-a2a4-5fb8d702f92e"
+ id = "970a869e-bd69-5609-bb8d-77bfa78b0630"
  date = "2020-12-18"
  modified = "2020-12-18"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/LUALOADER/production/yara/APT_Loader_MSIL_LUALOADER_1.yar#L4-L17"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
- logic_hash = "v1_sha256_2d73d434ac39ebde990aca817a54208cd04bfbce33f1bcadcf48a50d9389658c"
+ logic_hash = "2d73d434ac39ebde990aca817a54208cd04bfbce33f1bcadcf48a50d9389658c"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131667,14 +131667,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_LUALOADER_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'lualoader' project."
  author = "FireEye"
- id = "d3f1cce8-21f0-53fb-9eb7-a0f84c72762e"
+ id = "e8480cf8-1852-5572-8e92-c0ae676b7507"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/LUALOADER/production/yara/APT_HackTool_MSIL_LUALOADER_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_7e9f9836ec91aa66c8779588cfceff718487f0cb5048d17538c947aba687a4cf"
+ logic_hash = "7e9f9836ec91aa66c8779588cfceff718487f0cb5048d17538c947aba687a4cf"
  score = 75
  quality = 73
  tags = "FILE"
@@ -131691,14 +131691,14 @@ rule FIREEYE_RT_Loader_MSIL_Netshshellcoderunner_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NetshShellCodeRunner' project."
  author = "FireEye"
- id = "714fda48-c2d7-5551-b1fe-47489b271028"
+ id = "b3521812-7ea3-5f80-89bd-3bdd71b687f2"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/NETSHSHELLCODERUNNER/production/yara/Loader_MSIL_NetshShellCodeRunner_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_97f6475a9d42697f633e06a9b04a85021ca4920145eb4af257d71b431448f0e9"
+ logic_hash = "97f6475a9d42697f633e06a9b04a85021ca4920145eb4af257d71b431448f0e9"
  score = 75
  quality = 73
  tags = "FILE"
@@ -131715,14 +131715,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Wmisharp_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMISharp' project."
  author = "FireEye"
- id = "a577ee06-dce7-56e6-b7d6-eefc70d63fce"
+ id = "97b9d057-30d3-5af7-bac6-4dd53f47650f"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/WMISHARP/production/yara/HackTool_MSIL_WMISharp_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_d119d52c1410291d582696d5c4c1de3db9008db963c76a9e344959d869c3acc0"
+ logic_hash = "d119d52c1410291d582696d5c4c1de3db9008db963c76a9e344959d869c3acc0"
  score = 75
  quality = 73
  tags = "FILE"
@@ -131739,14 +131739,14 @@ rule FIREEYE_RT_Hacktool_MSIL_SAFETYKATZ_4 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project."
  author = "FireEye"
- id = "3fa4e007-6e81-56e0-ad0a-c30c80d0291b"
+ id = "e160b75d-cc39-5e16-86e1-cba9fe64a6b6"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SAFETYKATZ/production/yara/HackTool_MSIL_SAFETYKATZ_4.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "45736deb14f3a68e88b038183c23e597"
- logic_hash = "v1_sha256_a02b4acea691d485f427ed26487f2f601065901324a8dcd6cd8de9502d8cd897"
+ logic_hash = "a02b4acea691d485f427ed26487f2f601065901324a8dcd6cd8de9502d8cd897"
  score = 75
  quality = 73
  tags = "FILE"
@@ -131763,7 +131763,7 @@ rule FIREEYE_RT_Trojan_Macro_RESUMEPLEASE_1
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "5accaacf-8629-532c-aa6e-0c368a17e142"
+ id = "068662f6-28b8-5538-8bc3-6506565305ae"
  date = "2020-12-01"
  date = "2020-12-01"
  modified = "2020-12-09"
@@ -131771,7 +131771,7 @@ rule FIREEYE_RT_Trojan_Macro_RESUMEPLEASE_1
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/RESUMEPLEASE/production/yara/Trojan_Macro_RESUMEPLEASE_1.yar#L4-L21"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "d5d3d23c8573d999f1c48d3e211b1066"
- logic_hash = "v1_sha256_040457bc446e496431129ff4623ddda5d9c2ce339ba65a7fbe42114626f36c60"
+ logic_hash = "040457bc446e496431129ff4623ddda5d9c2ce339ba65a7fbe42114626f36c60"
  score = 75
  quality = 75
  tags = ""
@@ -131793,14 +131793,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Keepersist_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeePersist' project."
  author = "FireEye"
- id = "f13ad998-f00d-51d1-bac1-cf6082492d02"
+ id = "950a4744-2696-5eb7-8524-7f689cb5dbb0"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/KEEPERSIST/production/yara/HackTool_MSIL_KeePersist_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_eae67c77a64ca07f9ef59a356bb2c3f3131f14e7f17c898ef8857a21090ace0e"
+ logic_hash = "eae67c77a64ca07f9ef59a356bb2c3f3131f14e7f17c898ef8857a21090ace0e"
  score = 75
  quality = 73
  tags = "FILE"
@@ -131817,7 +131817,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_Adpasshunt_1 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "82e5e1ff-54da-5bca-a5c1-6d465f974bf7"
+ id = "736b5300-215b-5314-9234-69ff0050b73e"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -131825,7 +131825,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_Adpasshunt_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/ADPASSHUNT/production/yara/APT_HackTool_MSIL_ADPassHunt_1.yar#L4-L17"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "6efb58cf54d1bb45c057efcfbbd68a93"
- logic_hash = "v1_sha256_63135c81c1a6b967cb26cced628afc0e7ef485923e6a7fd70a4d4672118d6a8c"
+ logic_hash = "63135c81c1a6b967cb26cced628afc0e7ef485923e6a7fd70a4d4672118d6a8c"
  score = 50
  quality = 75
  tags = "FILE"
@@ -131843,14 +131843,14 @@ rule FIREEYE_RT_Credtheft_MSIL_Adpasshunt_2 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "d5201505-e006-5ea5-a176-7c331d5d9807"
+ id = "b6103e23-8d1c-5d01-b283-f4545ccb924e"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/ADPASSHUNT/production/yara/CredTheft_MSIL_ADPassHunt_2.yar#L4-L19"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "6efb58cf54d1bb45c057efcfbbd68a93"
- logic_hash = "v1_sha256_e7282905a8baeaeb8ec156171fbf2bc4ac811facb80959a88394f4938a145cc1"
+ logic_hash = "e7282905a8baeaeb8ec156171fbf2bc4ac811facb80959a88394f4938a145cc1"
  score = 50
  quality = 75
  tags = "FILE"
@@ -131872,14 +131872,14 @@ rule FIREEYE_RT_Credtheft_MSIL_Adpasshunt_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public ADPassHunt project."
  author = "FireEye"
- id = "632f452b-1204-5a1a-a1cc-fb9f5a7c34d1"
+ id = "35fb8032-c73a-549f-9bd9-409f7050bdb0"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/ADPASSHUNT/production/yara/CredTheft_MSIL_ADPassHunt_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "6efb58cf54d1bb45c057efcfbbd68a93"
- logic_hash = "v1_sha256_85c7c147d6bf5b7cb417ff2910a3e7ab3be5e8a3651758c07f8f0ed42b5964d8"
+ logic_hash = "85c7c147d6bf5b7cb417ff2910a3e7ab3be5e8a3651758c07f8f0ed42b5964d8"
  score = 50
  quality = 73
  tags = "FILE"
@@ -131896,7 +131896,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_Adpasshunt_2 : FILE
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "3400e351-c895-5e08-b269-2c936d3b7532"
+ id = "a3b12fd7-e82d-5ef0-9125-7c069cd9bec4"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -131904,7 +131904,7 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_Adpasshunt_2 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/ADPASSHUNT/production/yara/APT_HackTool_MSIL_ADPassHunt_2.yar#L4-L23"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "6efb58cf54d1bb45c057efcfbbd68a93"
- logic_hash = "v1_sha256_e2dc7db1860eef04a569f007c32abd507dd588d1392613efbb31f42ca66ff735"
+ logic_hash = "e2dc7db1860eef04a569f007c32abd507dd588d1392613efbb31f42ca66ff735"
  score = 50
  quality = 75
  tags = "FILE"
@@ -131928,7 +131928,7 @@ rule FIREEYE_RT_APT_Dropper_Win_MATRYOSHKA_1 : FILE
  meta:
  description = "matryoshka_dropper.rs"
  author = "FireEye"
- id = "b8e0fa03-8dd7-5521-89f3-e6dd9ea85d03"
+ id = "7fd305c7-0b1b-5d91-b968-7f1fb0a8ae47"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -131936,7 +131936,7 @@ rule FIREEYE_RT_APT_Dropper_Win_MATRYOSHKA_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MATRYOSHKA/production/yara/APT_Dropper_Win_MATRYOSHKA_1.yar#L4-L20"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "edcd58ba5b1b87705e95089002312281"
- logic_hash = "v1_sha256_a7bf7599ec9b4b1d09a8c90b70ae565a9396fb31d449da3c1492d6fa336d9c5e"
+ logic_hash = "a7bf7599ec9b4b1d09a8c90b70ae565a9396fb31d449da3c1492d6fa336d9c5e"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131956,7 +131956,7 @@ rule FIREEYE_RT_APT_Builder_Win64_MATRYOSHKA_1 : FILE
  meta:
  description = "matryoshka_pe_to_shellcode.rs"
  author = "FireEye"
- id = "36470e90-a9ae-541e-8b91-e4289571d4dd"
+ id = "0afcf13e-5cd3-5c1c-897e-b6d0c283ab0f"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -131964,7 +131964,7 @@ rule FIREEYE_RT_APT_Builder_Win64_MATRYOSHKA_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MATRYOSHKA/production/yara/APT_Builder_Win64_MATRYOSHKA_1.yar#L4-L20"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "8d949c34def898f0f32544e43117c057"
- logic_hash = "v1_sha256_b370d7dea44bccc92fc8dbd4ea0ee9bec523820108bf8bc67acb17ebf9835f74"
+ logic_hash = "b370d7dea44bccc92fc8dbd4ea0ee9bec523820108bf8bc67acb17ebf9835f74"
  score = 75
  quality = 75
  tags = "FILE"
@@ -131984,7 +131984,7 @@ rule FIREEYE_RT_APT_Dropper_Win64_MATRYOSHKA_1 : FILE
  meta:
  description = "matryoshka_dropper.rs"
  author = "FireEye"
- id = "e4a222f0-c203-594d-9392-4511153a13df"
+ id = "1406aafd-6217-51ef-b3af-107ee88f9c99"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -131992,7 +131992,7 @@ rule FIREEYE_RT_APT_Dropper_Win64_MATRYOSHKA_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MATRYOSHKA/production/yara/APT_Dropper_Win64_MATRYOSHKA_1.yar#L4-L18"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "edcd58ba5b1b87705e95089002312281"
- logic_hash = "v1_sha256_23f811f8e9387ca6a1257a31af66de9739733e4728adba0a3e3f74b5e5c0a556"
+ logic_hash = "23f811f8e9387ca6a1257a31af66de9739733e4728adba0a3e3f74b5e5c0a556"
  score = 75
  quality = 75
  tags = "FILE"
@@ -132010,7 +132010,7 @@ rule FIREEYE_RT_APT_Builder_PY_MATRYOSHKA_1
  meta:
  description = "No description has been set in the source file - FireEye-RT"
  author = "FireEye"
- id = "779574c8-6a26-5aa4-a196-a633651de846"
+ id = "0135f3bb-28b3-5fc4-85a2-b12c46c8bc45"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -132018,7 +132018,7 @@ rule FIREEYE_RT_APT_Builder_PY_MATRYOSHKA_1
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MATRYOSHKA/production/yara/APT_Builder_PY_MATRYOSHKA_1.yar#L4-L22"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "25a97f6dba87ef9906a62c1a305ee1dd"
- logic_hash = "v1_sha256_71b26f4b319429ac356b55d22bccd1da85894d61f8c96452422de78d2d893420"
+ logic_hash = "71b26f4b319429ac356b55d22bccd1da85894d61f8c96452422de78d2d893420"
  score = 75
  quality = 75
  tags = ""
@@ -132041,7 +132041,7 @@ rule FIREEYE_RT_APT_Loader_Win64_MATRYOSHKA_2 : FILE
  meta:
  description = "matryoshka.rs"
  author = "FireEye"
- id = "dfd4f3ef-206b-5b13-8715-56be78c61bc5"
+ id = "25f916bc-6ee1-5175-903c-4266b0a086e1"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -132049,7 +132049,7 @@ rule FIREEYE_RT_APT_Loader_Win64_MATRYOSHKA_2 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MATRYOSHKA/production/yara/APT_Loader_Win64_MATRYOSHKA_2.yar#L4-L20"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "7f8102b789303b7861a03290c79feba0"
- logic_hash = "v1_sha256_daa6f6d526bf959c268b2c5a4cae33307cfec5e9ca51283131bbfa66a582b505"
+ logic_hash = "daa6f6d526bf959c268b2c5a4cae33307cfec5e9ca51283131bbfa66a582b505"
  score = 75
  quality = 75
  tags = "FILE"
@@ -132069,7 +132069,7 @@ rule FIREEYE_RT_APT_Loader_Win64_MATRYOSHKA_1 : FILE
  meta:
  description = "matryoshka_process_hollow.rs"
  author = "FireEye"
- id = "eedb5645-ff4e-5e7f-a03b-bb611a320d6d"
+ id = "69919a80-8ed1-5b8c-911a-ceb75570f11f"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -132077,7 +132077,7 @@ rule FIREEYE_RT_APT_Loader_Win64_MATRYOSHKA_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MATRYOSHKA/production/yara/APT_Loader_Win64_MATRYOSHKA_1.yar#L4-L19"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "44887551a47ae272d7873a354d24042d"
- logic_hash = "v1_sha256_46e5480dc95ce8b9d8385c2e44a50b21629301535b93833c13cc3db319ac15dd"
+ logic_hash = "46e5480dc95ce8b9d8385c2e44a50b21629301535b93833c13cc3db319ac15dd"
  score = 75
  quality = 75
  tags = "FILE"
@@ -132096,7 +132096,7 @@ rule FIREEYE_RT_APT_Loader_Win_MATRYOSHKA_1 : FILE
  meta:
  description = "matryoshka_process_hollow.rs"
  author = "FireEye"
- id = "03ef8dfb-3d81-5982-b847-915b029bebbb"
+ id = "c07fb67e-ded5-593d-b5dc-d0e2c3b5a352"
  date = "2020-12-02"
  date = "2020-12-02"
  modified = "2020-12-09"
@@ -132104,7 +132104,7 @@ rule FIREEYE_RT_APT_Loader_Win_MATRYOSHKA_1 : FILE
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/MATRYOSHKA/production/yara/APT_Loader_Win_MATRYOSHKA_1.yar#L4-L24"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "44887551a47ae272d7873a354d24042d"
- logic_hash = "v1_sha256_8f762684ffd3984630bf41ededa78b8993b53b22591a59912cabfe635775de53"
+ logic_hash = "8f762684ffd3984630bf41ededa78b8993b53b22591a59912cabfe635775de53"
  score = 75
  quality = 75
  tags = "FILE"
@@ -132128,14 +132128,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Puppyhound_1 : FILE
  meta:
  description = "This is a modification of an existing FireEye detection for SharpHound. However, it looks for the string 'PuppyHound' instead of 'SharpHound' as this is all that was needed to detect the PuppyHound variant of SharpHound."
  author = "FireEye"
- id = "d888ffc0-28fb-5dd0-953b-bcffa63262f5"
+ id = "1155f959-c8bc-597a-8a80-abee8d95b6ec"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PUPPYHOUND/production/yara/HackTool_MSIL_PuppyHound_1.yar#L4-L19"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "eeedc09570324767a3de8205f66a5295"
- logic_hash = "v1_sha256_39073bbfef15ecd28c1772e5d01e54c3d5774ecb4c90f0076bda5dc400abacba"
+ logic_hash = "39073bbfef15ecd28c1772e5d01e54c3d5774ecb4c90f0076bda5dc400abacba"
  score = 75
  quality = 75
  tags = "FILE"
@@ -132156,14 +132156,14 @@ rule FIREEYE_RT_Hacktool_MSIL_Sharphound_3 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project."
  author = "FireEye"
- id = "2b135b38-4c84-5db3-8344-45b5b9839bf5"
+ id = "456b3208-1e8d-5eb7-81ee-39f1c886c5a7"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/PUPPYHOUND/production/yara/HackTool_MSIL_SharpHound_3.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "eeedc09570324767a3de8205f66a5295"
- logic_hash = "v1_sha256_baeea6cae42c755ee389378229b2b206c82f60f75a5ce5f9cfa06871fc9507d1"
+ logic_hash = "baeea6cae42c755ee389378229b2b206c82f60f75a5ce5f9cfa06871fc9507d1"
  score = 75
  quality = 73
  tags = "FILE"
@@ -132180,14 +132180,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_SHARPSACK_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpsack' project."
  author = "FireEye"
- id = "5624e821-23df-5acd-aead-0168d1dd96ac"
+ id = "8e344acb-73c4-5509-be9d-85cf6fe94445"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/SHARPSACK/production/yara/APT_HackTool_MSIL_SHARPSACK_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_ecc3250e65e34595b4b827add3eb3062edad6a3373930048bfd6225d4a229e93"
+ logic_hash = "ecc3250e65e34595b4b827add3eb3062edad6a3373930048bfd6225d4a229e93"
  score = 75
  quality = 73
  tags = "FILE"
@@ -132204,14 +132204,14 @@ rule FIREEYE_RT_APT_Hacktool_MSIL_JUSTASK_1 : FILE
  meta:
  description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'justask' project."
  author = "FireEye"
- id = "a7a4dd2c-0fcd-5078-860e-b676a0e4f7c5"
+ id = "06a03d82-db69-5b5a-a578-a8053814e917"
  date = "2020-12-09"
  modified = "2020-12-09"
  reference = "https://github.com/mandiant/red_team_tool_countermeasures/"
  source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/JUSTASK/production/yara/APT_HackTool_MSIL_JUSTASK_1.yar#L4-L15"
  license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt"
  hash = "dd8805d0e470e59b829d98397507d8c2"
- logic_hash = "v1_sha256_24d2f8e3838c4f02cd80644a396ce7cf105761d2feba54e39973564ca5e97571"
+ logic_hash = "24d2f8e3838c4f02cd80644a396ce7cf105761d2feba54e39973564ca5e97571"
  score = 75
  quality = 73
  tags = "FILE"
@@ -132228,14 +132228,14 @@ rule FIREEYE_RT_Builder_MSIL_G2JS_1 : FILE meta: description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the Gadget2JScript project." author = "FireEye" - id = "868392e4-af14-58bc-ad73-bf3aec1f2ab3" + id = "484202c2-ac7d-5e6c-8bf1-3452a357c668" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/G2JS/production/yara/Builder_MSIL_G2JS_1.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "fa255fdc88ab656ad9bc383f9b322a76" - logic_hash = "v1_sha256_487d8e8deef218412f241d99ce32b63bfeb3568d23048b9dd4afff8f401bfea5" + logic_hash = "487d8e8deef218412f241d99ce32b63bfeb3568d23048b9dd4afff8f401bfea5" score = 75 quality = 73 tags = "FILE" 
@@ -132252,14 +132252,14 @@ rule FIREEYE_RT_Hunting_B64Engine_Dotnettojscript_Dos meta: description = "This file may enclude a Base64 encoded .NET executable. This technique is used by the project DotNetToJScript which is used by many malware families including GadgetToJScript." author = "FireEye" - id = "f5c6bcb9-73c1-50b4-a3f1-005347cae837" + id = "24c9c259-9bb9-5f46-9278-4fa20eb3c8c4" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/G2JS/production/yara/Hunting_B64Engine_DotNetToJScript_Dos.yar#L4-L15" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "7af24305a409a2b8f83ece27bb0f7900" - logic_hash = "v1_sha256_e2afb43af469f8ae02f6fd21db6dbd45c997fb003e3aeeaa0d4ff3e85c64159a" + logic_hash = "e2afb43af469f8ae02f6fd21db6dbd45c997fb003e3aeeaa0d4ff3e85c64159a" score = 50 quality = 75 tags = "" 
@@ -132276,14 +132276,14 @@ rule FIREEYE_RT_Hunting_Gadgettojscript_1 meta: description = "This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling." author = "FireEye" - id = "a6b65227-6a90-5c30-9cf1-d092a40cbf17" + id = "76c932e0-55b3-56ef-bab6-eb6997b51ee7" date = "2020-12-09" modified = "2020-12-09" reference = "https://github.com/mandiant/red_team_tool_countermeasures/" source_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/rules/G2JS/production/yara/Hunting_GadgetToJScript_1.yar#L4-L17" license_url = "https://github.com/mandiant/red_team_tool_countermeasures//blob/3561b71724dbfa3e2bb78106aaa2d7f8b892c43b/LICENSE.txt" hash = "7af24305a409a2b8f83ece27bb0f7900" - logic_hash = "v1_sha256_a880c20e61376dacd4e3a04f2cf065f19067c29371180b1dec186172cadf9564" + logic_hash = "a880c20e61376dacd4e3a04f2cf065f19067c29371180b1dec186172cadf9564" score = 50 quality = 75 tags = "" @@ -132301,7 +132301,7 @@ rule FIREEYE_RT_Hunting_Gadgettojscript_1 * YARA Rule Set * Repository Name: GCTI * Repository: https://github.com/chronicle/GCTI - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: 1c5fd42b1895098527fde00c2d9757edf6b303bb * Number of Rules: 90 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
@@ -132518,14 +132518,14 @@ rule GCTI_Cobaltstrike_Resources_Bypassuac_X64_Dll_V3_3_To_V3_14_And_Sleeve_Bypa meta: description = "Cobalt Strike's resources/bypassuac-x64.dll from v3.3 to v3.14 (64-bit version) and sleeve/bypassuac.x64.dll from v4.0 to at least v4.4" author = "gssincla@google.com" - id = "8a86bc07-71b3-54cc-b549-2240a397d297" + id = "eef83901-63d9-55a3-b115-03f420416177" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_x64_Dll_v3_3_to_v3_14_and_Sleeve_Bypassuac_x64_Dll_v4_0_and_v4_x.yara#L17-L86" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "9ecf56e9099811c461d592c325c65c4f9f27d947cbdf3b8ef8a98a43e583aecb" - logic_hash = "v1_sha256_d76e3601f61ae164a8df9048d59d15cd6913e64adb93132244e83f40bf67d86a" + logic_hash = "d76e3601f61ae164a8df9048d59d15cd6913e64adb93132244e83f40bf67d86a" score = 75 quality = 85 tags = "" 
@@ -132566,14 +132566,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_HA_X86_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.HA.x86.o (HeapAlloc) Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "3d93c55d-bb2a-5add-9e01-a08bf67f13dc" + id = "0ee3fa6f-367c-596f-a3bc-3bcfa61b97aa" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L17-L59" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "8e4a1862aa3693f0e9011ade23ad3ba036c76ae8ccfb6585dc19ceb101507dcd" - logic_hash = "v1_sha256_d02257bc556d0b1675997ab6af1b28cf5f498855d6254e3c1cd7eb4a0c4d2715" + logic_hash = "d02257bc556d0b1675997ab6af1b28cf5f498855d6254e3c1cd7eb4a0c4d2715" score = 75 quality = 85 tags = "" 
@@ -132600,14 +132600,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_MVF_X86_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.MVF.x86.o (MapViewOfFile) Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "5d69e555-8888-5999-9646-55c3d1c191ae" + id = "3f7c0553-989e-53e7-87a9-3fa1c47f4b62" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L61-L111" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "cded3791caffbb921e2afa2de4c04546067c3148c187780066e8757e67841b44" - logic_hash = "v1_sha256_dd831fb01a403213c06e3d07daf3da5f56655619a686149f9d4beec2331fe6ca" + logic_hash = "dd831fb01a403213c06e3d07daf3da5f56655619a686149f9d4beec2331fe6ca" score = 75 quality = 85 tags = "" 
@@ -132638,14 +132638,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_VA_X86_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.VA.x86.o (VirtualAlloc) Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "625c360c-945c-552c-aaf4-4ffe8b0b491e" + id = "5f89c4be-f4c5-54d3-b923-d125de53902f" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L114-L194" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1" - logic_hash = "v1_sha256_19b2297986bd72204fb117560cddcfb512f5db6c157d9730b5802bf9f968eef4" + logic_hash = "19b2297986bd72204fb117560cddcfb512f5db6c157d9730b5802bf9f968eef4" score = 75 quality = 85 tags = "" 
@@ -132692,14 +132692,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_X86_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.x86.o Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "9744f011-42e3-5832-8c42-161753ec7cdc" + id = "32a47966-f3bb-52c3-a977-82a1b09ddf2c" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L196-L276" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "94d1b993a9d5786e0a9b44ea1c0dc27e225c9eb7960154881715c47f9af78cc1" - logic_hash = "v1_sha256_cab5441ce7d919101fc04aa469e77b71a4c444443e44c752f18cbbc5b17ed5c2" + logic_hash = "cab5441ce7d919101fc04aa469e77b71a4c444443e44c752f18cbbc5b17ed5c2" score = 75 quality = 85 tags = "" 
@@ -132746,14 +132746,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_HA_X64_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.HA.x64.o (HeapAlloc) Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "f2a3ecb0-4cad-5174-9609-6a3e07a547da" + id = "9b16ff13-2d8e-51dc-9f99-6c45eff76feb" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L281-L323" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "d64f10d5a486f0f2215774e8ab56087f32bef19ac666e96c5627c70d345a354d" - logic_hash = "v1_sha256_b712a0c218e473f6c64fdead22b291d7fb0bac8ba614adcf1ba6431e854a5e65" + logic_hash = "b712a0c218e473f6c64fdead22b291d7fb0bac8ba614adcf1ba6431e854a5e65" score = 75 quality = 85 tags = "" 
@@ -132780,14 +132780,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_MVF_X64_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.MVF.x64.o (MapViewOfFile) Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "a95d0058-ce63-58f5-a9b2-bece542ab702" + id = "38e063db-3d76-5a94-812a-945fcf46a232" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L326-L374" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "9d5b6ccd0d468da389657309b2dc325851720390f9a5f3d3187aff7d2cd36594" - logic_hash = "v1_sha256_6224000342d87041fd3336656897479c644e94ea36fc061c27fcd64233047c2c" + logic_hash = "6224000342d87041fd3336656897479c644e94ea36fc061c27fcd64233047c2c" score = 75 quality = 85 tags = "" 
@@ -132817,14 +132817,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_VA_X64_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "36f5e2e3-1751-56c6-8baa-c742773dc2d8" + id = "8ca04f82-a8a8-5162-8b0c-8a7bce678a85" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L376-L456" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9" - logic_hash = "v1_sha256_17402e952d71d02274a9b2814512b28a402e8d11a6c2a2375844fe24719f87a6" + logic_hash = "17402e952d71d02274a9b2814512b28a402e8d11a6c2a2375844fe24719f87a6" score = 75 quality = 85 tags = "" 
@@ -132870,14 +132870,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beaconloader_X64_O_V4_3_V4_4_V4_5_And_V4_6 meta: description = "Cobalt Strike's sleeve/BeaconLoader.x64.o (Base) Versions 4.3 through at least 4.6" author = "gssincla@google.com" - id = "f87a112f-fa5b-5aff-83a1-910406726914" + id = "07f751e4-f001-5b95-b229-31fbaa867cea" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Sleeve_BeaconLoader_all.yara#L458-L555" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9" - logic_hash = "v1_sha256_50d9da466e2c074b3fb634203c8840d45da8f8e3094790d7c4354a5703b583ef" + logic_hash = "50d9da466e2c074b3fb634203c8840d45da8f8e3094790d7c4354a5703b583ef" score = 75 quality = 85 tags = "" 
@@ -132932,14 +132932,14 @@ rule GCTI_Cobaltstrike_Resources__Template_Vbs_V3_3_To_V4_X meta: description = "Cobalt Strike's resources/btemplate.vbs signature for versions v3.3 to v4.x" author = "gssincla@google.com" - id = "9204f6ed-97d8-5093-a88f-90b76724edef" + id = "62f35d02-1e4e-5651-b575-888ce06b8bdd" date = "2022-11-18" modified = "2022-11-22" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Template_Vbs_v3_3_to_v4_x.yara#L17-L41" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "e0683f953062e63b2aabad7bc6d76a78748504b114329ef8e2ece808b3294135" - logic_hash = "v1_sha256_c9df0e287eb0eacf7c6cfcf3f6d1043ae6f2fdacd3b22bd42ac71f4b0d7226ff" + logic_hash = "c9df0e287eb0eacf7c6cfcf3f6d1043ae6f2fdacd3b22bd42ac71f4b0d7226ff" score = 75 quality = 83 tags = "" 
@@ -132964,14 +132964,14 @@ rule GCTI_Cobaltstrike_Resources_Template__X32_X64_Ps1_V1_45_To_V2_5_And_V3_11_T meta: description = "Cobalt Strike's resources/template.x64.ps1, resources/template.x32 from v3.11 to v3.14 and resources/template.ps1 from v1.45 to v2.5 " author = "gssincla@google.com" - id = "1e5fa79e-1d6f-5328-bd0f-6e0498824146" + id = "c9fa6a39-0098-5dde-9762-94bc6b2df299" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Template__x32_x64_Ps1_v1_45_to_v2_5_and_v3_11_to_v3_14.yara#L17-L43" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87" - logic_hash = "v1_sha256_5196f111f257239d2e7e4ca342e7fc8bac1687743bc8c7ff23addf1f094b2e93" + logic_hash = "5196f111f257239d2e7e4ca342e7fc8bac1687743bc8c7ff23addf1f094b2e93" score = 75 quality = 85 tags = "" 
@@ -132994,14 +132994,14 @@ rule GCTI_Cobaltstrike_Resources_Elevate_X64_Dll_V3_0_To_V3_14_And_Sleeve_Elevat meta: description = "Cobalt Strike's resources/elevate.x64.dll signature for v3.0 to v3.14 and sleeve/elevate.x64.dll for v4.x" author = "gssincla@google.com" - id = "91062285-e181-5997-94eb-79a40cd940a1" + id = "91d5c343-1084-5cfc-9dfa-46f530eb9625" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_X64_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_X64_Dll_v4_x.yara#L17-L71" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "c3ee8a9181fed39cec3bd645b32b611ce98d2e84c5a9eff31a8acfd9c26410ec" - logic_hash = "v1_sha256_6f23bcf6a0c360d2f83140ce633440b13d8b691e75c5560c65656cf8a6114224" + logic_hash = "6f23bcf6a0c360d2f83140ce633440b13d8b691e75c5560c65656cf8a6114224" score = 75 quality = 85 tags = "" 
@@ -133036,14 +133036,14 @@ rule GCTI_Cobaltstrike__Resources_Browserpivot_Bin_V1_48_To_V3_14_And_Sleeve_Bro meta: description = "Cobalt Strike's resources/browserpivot.bin from v1.48 to v3.14 and sleeve/browserpivot.dll from v4.0 to at least v4.4" author = "gssincla@google.com" - id = "bb057b90-f292-5e33-8e92-6ee025df6508" + id = "55086544-6684-526b-914f-505a562be458" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_Dll_v4_0_to_v4_x.yara#L17-L60" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "12af9f5a7e9bfc49c82a33d38437e2f3f601639afbcdc9be264d3a8d84fd5539" - logic_hash = "v1_sha256_416554d31c105fd96aeaef508847efe2889590909c8d0025e3862e5b24078131" + logic_hash = "416554d31c105fd96aeaef508847efe2889590909c8d0025e3862e5b24078131" score = 75 quality = 85 tags = "" 
@@ -133072,14 +133072,14 @@ rule GCTI_Cobaltstrike_Resources_Httpstager64_Bin_V3_2_Through_V4_X meta: description = "Cobalt Strike's resources/httpstager64.bin signature for versions v3.2 to v4.x" author = "gssincla@google.com" - id = "bad3b597-7643-510b-b8e0-ee63788ba639" + id = "5530dce8-e5a1-5133-9b05-464e3397084a" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager64_Bin_v3_2_through_v4_x.yara#L17-L85" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "ad93d1ee561bc25be4a96652942f698eac9b133d8b35ab7e7d3489a25f1d1e76" - logic_hash = "v1_sha256_23666169565c6b3e5fa71767dc31096e7a25be049eeab16b074053d76c97c70b" + logic_hash = "23666169565c6b3e5fa71767dc31096e7a25be049eeab16b074053d76c97c70b" score = 75 quality = 85 tags = "" 
@@ -133118,14 +133118,14 @@ rule GCTI_Cobaltstrike_Resources_Bypassuactoken_X64_Dll_V3_11_To_V3_14 meta: description = "Cobalt Strike's resources/bypassuactoken.x64.dll from v3.11 to v3.14 (64-bit version)" author = "gssincla@google.com" - id = "6d7354d3-f158-509b-9d06-6167c756b78c" + id = "c89befcd-a622-5947-9ce3-a6031901a45a" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_x64_Dll_v3_11_to_v3_14.yara#L17-L118" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "853068822bbc6b1305b2a9780cf1034f5d9d7127001351a6917f9dbb42f30d67" - logic_hash = "v1_sha256_adfd212f2e470f666ab8a2168e976c11d3032c31dab7cf56963dae5fc0f6c5f9" + logic_hash = "adfd212f2e470f666ab8a2168e976c11d3032c31dab7cf56963dae5fc0f6c5f9" score = 75 quality = 85 tags = "" 
@@ -133182,14 +133182,14 @@ rule GCTI_Cobaltstrike_Resources_Httpstager_Bin_V2_5_Through_V4_X meta: description = "Cobalt Strike's resources/httpstager.bin signature for versions 2.5 to 4.x" author = "gssincla@google.com" - id = "91eb82bb-93de-5a2c-97ca-874f4c91cb23" + id = "86109485-c26c-5c51-8d04-dd1add9a8c57" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Httpstager_Bin_v2_5_through_v4_x.yara#L17-L93" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "a47569af239af092880751d5e7b68d0d8636d9f678f749056e702c9b063df256" - logic_hash = "v1_sha256_3baab08b0118e00432f1869ba5daa4fc6383bfc020119bfbb3047a008c33fe72" + logic_hash = "3baab08b0118e00432f1869ba5daa4fc6383bfc020119bfbb3047a008c33fe72" score = 75 quality = 85 tags = "" 
@@ -133233,14 +133233,14 @@ rule GCTI_Cobaltstrike_Resources_Httpsstager_Bin_V2_5_Through_V4_X meta: description = "Cobalt Strike's resources/httpsstager.bin signature for versions 2.5 to 4.x" author = "gssincla@google.com" - id = "6ff55324-759b-52c0-8ad2-49ba1d625ead" + id = "f45aa40a-3936-50f9-a60e-de7181862d19" date = "2022-11-18" modified = "2022-11-19" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager_Bin_v2_5_through_v4_x.yara#L17-L95" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "5ebe813a4c899b037ac0ee0962a439833964a7459b7a70f275ac73ea475705b3" - logic_hash = "v1_sha256_d2f722809a59faf8ecd85e46eadf58bf23ba5f515ad9c949843f1e6bfeec1fbf" + logic_hash = "d2f722809a59faf8ecd85e46eadf58bf23ba5f515ad9c949843f1e6bfeec1fbf" score = 75 quality = 85 tags = "" 
@@ -133285,14 +133285,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V1_44 meta: description = "Cobalt Strike's resources/beacon.dll Version 1.44" author = "gssincla@google.com" - id = "116817ac-fa23-50c5-b155-0c30e9b2efe7" + id = "935ee27f-ce1b-5491-b4a3-cb78f199ab1b" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L17-L49" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "75102e8041c58768477f5f982500da7e03498643b6ece86194f4b3396215f9c2" - logic_hash = "v1_sha256_ebed8b6dc0b929164b1aa25b491b9d2fbb61d380a8b1268df7d424afe90f613d" + logic_hash = "ebed8b6dc0b929164b1aa25b491b9d2fbb61d380a8b1268df7d424afe90f613d" score = 75 quality = 85 tags = "" 
@@ -133309,14 +133309,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V1_45 meta: description = "Cobalt Strike's resources/beacon.dll Version 1.45" author = "gssincla@google.com" - id = "c73a6bf4-5443-5503-9d8b-080c98dac372" + id = "04d4d0ee-f1ee-5888-8108-ca55243c770a" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L51-L84" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "1a92b2024320f581232f2ba1e9a11bef082d5e9723429b3e4febb149458d1bb1" - logic_hash = "v1_sha256_b1472907e0fe0cb26219c268f23483681cc076dab96c1b0f2f0ee472ad319b4f" + logic_hash = "b1472907e0fe0cb26219c268f23483681cc076dab96c1b0f2f0ee472ad319b4f" score = 75 quality = 85 tags = "" 
@@ -133333,14 +133333,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V1_46 meta: description = "Cobalt Strike's resources/beacon.dll Version 1.46" author = "gssincla@google.com" - id = "b05adb4b-9b67-58ad-b82e-d42463141384" + id = "79715042-1963-5e48-8b64-7d915da58d84" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L86-L115" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "44e34f4024878024d4804246f57a2b819020c88ba7de160415be38cd6b5e2f76" - logic_hash = "v1_sha256_1a5c63c8b5527c0442830a73ded8458cf82a9d8ecb9b31e9a02c10b27ed6195e" + logic_hash = "1a5c63c8b5527c0442830a73ded8458cf82a9d8ecb9b31e9a02c10b27ed6195e" score = 75 quality = 85 tags = "" 
@@ -133357,14 +133357,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V1_47 meta: description = "Cobalt Strike's resources/beacon.dll Version 1.47" author = "gssincla@google.com" - id = "4ba49ade-6da4-5413-835a-b9b0b3258154" + id = "ac2249a9-210c-581f-8dd1-7619356dca7d" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L117-L144" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "8ff6dc80581804391183303bb39fca2a5aba5fe13d81886ab21dbd183d536c8d" - logic_hash = "v1_sha256_8c463d3122f3f79ff5d9b88e3d4f5ed14e6c581edfdfafba8a0c596c494ac1b1" + logic_hash = "8c463d3122f3f79ff5d9b88e3d4f5ed14e6c581edfdfafba8a0c596c494ac1b1" score = 75 quality = 85 tags = "" 
@@ -133381,14 +133381,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V1_48 meta: description = "Cobalt Strike's resources/beacon.dll Version 1.48" author = "gssincla@google.com" - id = "aa3b02db-6d59-5471-ad4c-b10f160b96a9" + id = "dd15099f-ad19-58df-9ed4-ce66d7ee8540" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L146-L178" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "dd4e445572cd5e32d7e9cc121e8de337e6f19ff07547e3f2c6b7fce7eafd15e4" - logic_hash = "v1_sha256_3f789eaf334c9bb3236d2834f38156aa92b22a5b674450977086378d195dd216" + logic_hash = "3f789eaf334c9bb3236d2834f38156aa92b22a5b674450977086378d195dd216" score = 75 quality = 85 tags = "" 
@@ -133405,14 +133405,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V1_49 meta: description = "Cobalt Strike's resources/beacon.dll Version 1.49" author = "gssincla@google.com" - id = "50656a60-84df-5265-9801-68221c099195" + id = "871e28c9-b580-5a32-8529-2290ded1a1b6" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L180-L211" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "52b4bd87e21ee0cbaaa0fc007fd3f894c5fc2c4bae5cbc2a37188de3c2c465fe" - logic_hash = "v1_sha256_935232d5ddccdc0401b4d911cdc73a48305347b495219c8c893615fe918f32f1" + logic_hash = "935232d5ddccdc0401b4d911cdc73a48305347b495219c8c893615fe918f32f1" score = 75 quality = 85 tags = "" 
@@ -133429,14 +133429,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V2_0_49 meta: description = "Cobalt Strike's resources/beacon.dll Version 2.0.49" author = "gssincla@google.com" - id = "61809a33-84bb-5a88-a2b9-63758b7f7165" + id = "087c584a-5ceb-536a-8842-53fbd668df54" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L213-L243" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "ed08c1a21906e313f619adaa0a6e5eb8120cddd17d0084a30ada306f2aca3a4e" - logic_hash = "v1_sha256_3616579dabcfd0ba413d17b4fbd0da5313b9beca94f7bf8e41f05d6679b4a215" + logic_hash = "3616579dabcfd0ba413d17b4fbd0da5313b9beca94f7bf8e41f05d6679b4a215" score = 75 quality = 85 tags = "" 
@@ -133453,14 +133453,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V2_1_And_V2_2 meta: description = "Cobalt Strike's resources/beacon.dll Versions 2.1 and 2.2" author = "gssincla@google.com" - id = "fa2ba694-f882-5bd3-a318-9afffe41422a" + id = "384fb247-aae7-52e1-a45d-6bda0f80a04e" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L245-L276" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "ae7a1d12e98b8c9090abe19bcaddbde8db7b119c73f7b40e76cdebb2610afdc2" - logic_hash = "v1_sha256_eee3702d6fde08b8e9f5533f903fa33fb3da808a3b76ca43e4d5029f9ce91ad0" + logic_hash = "eee3702d6fde08b8e9f5533f903fa33fb3da808a3b76ca43e4d5029f9ce91ad0" score = 75 quality = 85 tags = "" 
@@ -133477,14 +133477,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V2_3 meta: description = "Cobalt Strike's resources/beacon.dll Versions 2.3" author = "gssincla@google.com" - id = "ec68a71a-5566-53b3-9ced-63b3b003ba81" + id = "aed092f1-fbb1-5efe-be8d-fb7c5aba1cde" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L278-L308" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "00dd982cb9b37f6effb1a5a057b6571e533aac5e9e9ee39a399bb3637775ff83" - logic_hash = "v1_sha256_286d7ffa83634b82160788abaf1c5b319a09c4a1243af2401799f327be76ad75" + logic_hash = "286d7ffa83634b82160788abaf1c5b319a09c4a1243af2401799f327be76ad75" score = 75 quality = 85 tags = "" 
@@ -133501,14 +133501,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V2_4 meta: description = "Cobalt Strike's resources/beacon.dll Versions 2.4" author = "gssincla@google.com" - id = "7152a59d-4216-5b89-b104-c72a37e6dd8b" + id = "347a6b06-84a8-53ff-80a1-05fa1a48a412" date = "2022-11-18" modified = "2023-12-04" reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse" source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L310-L340" license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE" hash = "78c6f3f2b80e6140c4038e9c2bcd523a1b205d27187e37dc039ede4cf560beed" - logic_hash = "v1_sha256_087ec6f585e90b84c00e746beb37cb8365cb7b4d07ebd0c48e3ba3d5df94dba2" + logic_hash = "087ec6f585e90b84c00e746beb37cb8365cb7b4d07ebd0c48e3ba3d5df94dba2" score = 75 quality = 85 tags = "" 
@@ -133525,14 +133525,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V2_5
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 2.5"
 author = "gssincla@google.com"
- id = "d33bd450-af71-5164-b663-1292196e4d5d"
+ id = "a89f9239-099c-5b97-b1df-e8ce2b95ea52"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L342-L372"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "d99693e3e521f42d19824955bef0cefb79b3a9dbf30f0d832180577674ee2b58"
- logic_hash = "v1_sha256_f2d0ca1414a60bf855543d99777ae5e83c451db41aba5e255e4c10b1e0bb7b47"
+ logic_hash = "f2d0ca1414a60bf855543d99777ae5e83c451db41aba5e255e4c10b1e0bb7b47"
 score = 75
 quality = 85
 tags = ""
@@ -133549,14 +133549,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_0
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.0"
 author = "gssincla@google.com"
- id = "299dc825-53ae-5f42-b210-c9a3ad1b54c6"
+ id = "132a1be8-f529-5141-ba03-fdf6df3d55d4"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L374-L404"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "30251f22df7f1be8bc75390a2f208b7514647835f07593f25e470342fd2e3f52"
- logic_hash = "v1_sha256_951f1b52c14010261022f9f920d53d3c1e88f41461798a23e72083c981f9de76"
+ logic_hash = "951f1b52c14010261022f9f920d53d3c1e88f41461798a23e72083c981f9de76"
 score = 75
 quality = 85
 tags = ""
@@ -133573,14 +133573,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_1
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.1"
 author = "gssincla@google.com"
- id = "e209454d-0b22-5f31-a68d-047b98680f73"
+ id = "aa511dee-69ea-53bd-be90-d2d03d08c550"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L406-L461"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "4de723e784ef4e1633bbbd65e7665adcfb03dd75505b2f17d358d5a40b7f35cf"
- logic_hash = "v1_sha256_2d91add3aefe69b4525f93f7ea9f2fcbd7a6c506a224997ff73a2eeef63a8cd4"
+ logic_hash = "2d91add3aefe69b4525f93f7ea9f2fcbd7a6c506a224997ff73a2eeef63a8cd4"
 score = 75
 quality = 85
 tags = ""
@@ -133597,14 +133597,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_2
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.2"
 author = "gssincla@google.com"
- id = "1fd0b19f-62a6-53af-a632-2b141515e506"
+ id = "3ccbc0f2-241c-5c10-8930-4a3d264d3b57"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L463-L528"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "b490eeb95d150530b8e155da5d7ef778543836a03cb5c27767f1ae4265449a8d"
- logic_hash = "v1_sha256_e1fe0d58d86ad8c845d65608314007ce08e3e524fb92cdb33ddae860c640e3e9"
+ logic_hash = "e1fe0d58d86ad8c845d65608314007ce08e3e524fb92cdb33ddae860c640e3e9"
 score = 75
 quality = 85
 tags = ""
@@ -133623,14 +133623,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_3
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.3"
 author = "gssincla@google.com"
- id = "cd976880-9d4c-5dd3-95ca-96ba8914a99f"
+ id = "7cce26c9-1403-535f-bd9d-19667c7e313c"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L530-L560"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "158dba14099f847816e2fc22f254c60e09ac999b6c6e2ba6f90c6dd6d937bc42"
- logic_hash = "v1_sha256_f9b9b669aacc156a4e07eab0c6a638f9b9d828e018d1db89e9e2c922641744ac"
+ logic_hash = "f9b9b669aacc156a4e07eab0c6a638f9b9d828e018d1db89e9e2c922641744ac"
 score = 75
 quality = 85
 tags = ""
@@ -133647,14 +133647,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_4
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.4"
 author = "gssincla@google.com"
- id = "297a7d98-68f4-58a2-9401-4ad290cb8b81"
+ id = "58a34ab6-c061-59a2-b929-8519d3d844e7"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L562-L592"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "5c40bfa04a957d68a095dd33431df883e3a075f5b7dea3e0be9834ce6d92daa3"
- logic_hash = "v1_sha256_f3372bc538092e30c62d9599f76f2115dc73faf7a5fd6f86c8d4cfaa35473810"
+ logic_hash = "f3372bc538092e30c62d9599f76f2115dc73faf7a5fd6f86c8d4cfaa35473810"
 score = 75
 quality = 85
 tags = ""
@@ -133671,14 +133671,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_5_Hf1_And_3_5_1
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.5-hf1 and 3.5.1 (3.5.x)"
 author = "gssincla@google.com"
- id = "39637bc3-8bd9-5936-86e1-276e80d91758"
+ id = "1532596e-be0e-58c2-8d3b-5120c793d677"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L594-L625"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "c78e70cd74f4acda7d1d0bd85854ccacec79983565425e98c16a9871f1950525"
- logic_hash = "v1_sha256_c2e975678815638803b04261d46bca216bc0b2f894a1f72fd0d5b949493401d1"
+ logic_hash = "c2e975678815638803b04261d46bca216bc0b2f894a1f72fd0d5b949493401d1"
 score = 75
 quality = 85
 tags = ""
@@ -133695,14 +133695,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_6
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.6"
 author = "gssincla@google.com"
- id = "43060c91-4001-576b-8c39-4449a43d01e7"
+ id = "7e7b5c22-82b3-5298-b794-b06d94a668d5"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L627-L657"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "495a744d0a0b5f08479c53739d08bfbd1f3b9818d8a9cbc75e71fcda6c30207d"
- logic_hash = "v1_sha256_3bd3f0b8625e131726fa92d68de041dae6c3d5642cbf22ac596d1d82da1d4a07"
+ logic_hash = "3bd3f0b8625e131726fa92d68de041dae6c3d5642cbf22ac596d1d82da1d4a07"
 score = 75
 quality = 85
 tags = ""
@@ -133719,14 +133719,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_7
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.7"
 author = "gssincla@google.com"
- id = "58980042-c86e-50f2-a68f-c1c20fb1e0f5"
+ id = "6352a31c-34b8-5886-8e34-ef9221c22e6e"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L659-L689"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "f18029e6b12158fb3993f4951dab2dc6e645bb805ae515d205a53a1ef41ca9b2"
- logic_hash = "v1_sha256_6ceb2cec8402a4679bad42d367156c74e897af4188442fdebc70d6ce2dd78bd6"
+ logic_hash = "6ceb2cec8402a4679bad42d367156c74e897af4188442fdebc70d6ce2dd78bd6"
 score = 75
 quality = 85
 tags = ""
@@ -133743,14 +133743,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_8
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.8"
 author = "gssincla@google.com"
- id = "03e215ab-072b-55f5-8a68-010a491ab8a6"
+ id = "f76712a4-df1c-5e6b-b5ac-9c74f2e202fc"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L691-L731"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "67b6557f614af118a4c409c992c0d9a0cc800025f77861ecf1f3bbc7c293d603"
- logic_hash = "v1_sha256_a0c78dd7cda055bc76a8661b0416a302d7b05d03eeea483d2d1695093cd6dc90"
+ logic_hash = "a0c78dd7cda055bc76a8661b0416a302d7b05d03eeea483d2d1695093cd6dc90"
 score = 75
 quality = 85
 tags = ""
@@ -133771,14 +133771,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_11
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.11"
 author = "gssincla@google.com"
- id = "583f15b6-380f-5285-9ece-f5d674bdcbdf"
+ id = "00e42396-db81-5d43-90ee-5a97b379019e"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L739-L770"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "2428b93464585229fd234677627431cae09cfaeb1362fe4f648b8bee59d68f29"
- logic_hash = "v1_sha256_24ca0a9c2249d1872a53dc228234bdc6803bdfe9e80847995e0951184a8d935c"
+ logic_hash = "24ca0a9c2249d1872a53dc228234bdc6803bdfe9e80847995e0951184a8d935c"
 score = 75
 quality = 85
 tags = ""
@@ -133795,14 +133795,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_11_Bugfix_And_V3_12
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.11-bugfix and 3.12"
 author = "gssincla@google.com"
- id = "33c1a25c-a88f-522c-a213-e7ca9047a1c5"
+ id = "08ff2a2f-97bd-5839-b414-d67fbf2cdb0f"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L772-L804"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "5912c96fffeabb2c5c5cdd4387cfbfafad5f2e995f310ace76ca3643b866e3aa"
- logic_hash = "v1_sha256_566eb14f918ad422d5a273390263e63ac37b00cd10ac3561e038fb1a27f85d80"
+ logic_hash = "566eb14f918ad422d5a273390263e63ac37b00cd10ac3561e038fb1a27f85d80"
 score = 75
 quality = 85
 tags = ""
@@ -133820,14 +133820,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_13
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.13"
 author = "gssincla@google.com"
- id = "e8e03fa0-e075-5925-8506-4f650ee144a0"
+ id = "98dd32e6-9bb5-57b2-a5e5-1c74a0d1e6d3"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L806-L836"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "362119e3bce42e91cba662ea80f1a7957a5c2b1e92075a28352542f31ac46a0c"
- logic_hash = "v1_sha256_adafac8692ad676b0168b3e829bc7948db72953b95c79d483ae1a05f1d4f9b2b"
+ logic_hash = "adafac8692ad676b0168b3e829bc7948db72953b95c79d483ae1a05f1d4f9b2b"
 score = 75
 quality = 85
 tags = ""
@@ -133844,14 +133844,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_Dll_V3_14
 meta:
 description = "Cobalt Strike's resources/beacon.dll Versions 3.14"
 author = "gssincla@google.com"
- id = "55e188cd-22b7-5b4b-9882-cb5edace174c"
+ id = "00edfc72-c7b8-5100-8275-ae3548b96e49"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L838-L866"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "254c68a92a7108e8c411c7b5b87a2f14654cd9f1324b344f036f6d3b6c7accda"
- logic_hash = "v1_sha256_6faed2b69647b87d86d46ae73ad92cfe7b2746c306cd7480dc9f0c484c8882e2"
+ logic_hash = "6faed2b69647b87d86d46ae73ad92cfe7b2746c306cd7480dc9f0c484c8882e2"
 score = 75
 quality = 85
 tags = ""
@@ -133869,14 +133869,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_Dll_V4_0_Suspected
 meta:
 description = "Cobalt Strike's sleeve/beacon.dll Versions 4.0 (suspected, not confirmed)"
 author = "gssincla@google.com"
- id = "58643098-bdce-5c0a-bcd3-81e3154d0d3c"
+ id = "50ff6e44-ebc0-5000-a816-b385a6675768"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L868-L901"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "e2b2b72454776531bbc6a4a5dd579404250901557f887a6bccaee287ac71b248"
- logic_hash = "v1_sha256_6875099bc6df26f829f9f64e70bd7fdac6ac7b83a5596fc9359c127fef4e6db5"
+ logic_hash = "6875099bc6df26f829f9f64e70bd7fdac6ac7b83a5596fc9359c127fef4e6db5"
 score = 75
 quality = 85
 tags = ""
@@ -133893,14 +133893,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_Dll_V4_1_And_V4_2
 meta:
 description = "Cobalt Strike's sleeve/beacon.dll Versions 4.1 and 4.2"
 author = "gssincla@google.com"
- id = "4c124251-7c0f-51a8-b82a-ff7e6abdb8da"
+ id = "793df916-bdf7-5743-b008-0113caf38bae"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L903-L934"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "daa42f4380cccf8729129768f3588bb98e4833b0c40ad0620bb575b5674d5fc3"
- logic_hash = "v1_sha256_7280a5c3f478ea40b6b72fb4669d5b8c21603e7fbfbc3815a83bc462ee19c0f5"
+ logic_hash = "7280a5c3f478ea40b6b72fb4669d5b8c21603e7fbfbc3815a83bc462ee19c0f5"
 score = 75
 quality = 85
 tags = ""
@@ -133918,14 +133918,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_Dll_V4_3_V4_4_V4_5_And_V4_6
 meta:
 description = "Cobalt Strike's sleeve/beacon.dll Versions 4.3 and 4.4"
 author = "gssincla@google.com"
- id = "a87eac51-ad8f-5103-812a-df7ecadf53fc"
+ id = "976e087c-f371-5fc6-85f8-9c803a91f549"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L936-L967"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "51490c01c72c821f476727c26fbbc85bdbc41464f95b28cdc577e5701790845f"
- logic_hash = "v1_sha256_6608a84c4fd3bf77fd5b426da8be250d8b99878bd746fa23789f4791a164ce33"
+ logic_hash = "6608a84c4fd3bf77fd5b426da8be250d8b99878bd746fa23789f4791a164ce33"
 score = 75
 quality = 85
 tags = ""
@@ -133943,14 +133943,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_Dll_V4_7_Suspected
 meta:
 description = "Cobalt Strike's sleeve/beacon.dll Versions 4.7 (suspected, not confirmed)"
 author = "gssincla@google.com"
- id = "6ad36e38-48b8-51a5-9fc3-d867ce12cdad"
+ id = "4b6f90dd-69f3-5555-9195-6a0aed0fff58"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L969-L1002"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "da9e91b3d8df3d53425dd298778782be3bdcda40037bd5c92928395153160549"
- logic_hash = "v1_sha256_297ff7c3acfe6f9676dc6c265c548f017f39ccc5217617344e3bccc704ac4c78"
+ logic_hash = "297ff7c3acfe6f9676dc6c265c548f017f39ccc5217617344e3bccc704ac4c78"
 score = 75
 quality = 85
 tags = ""
@@ -133967,14 +133967,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_2
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.2"
 author = "gssincla@google.com"
- id = "3ccb1e97-c457-50fc-95aa-91eec1be49cc"
+ id = "61188243-0b90-5bff-bcc8-50f10ed941f6"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1029-L1068"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "5993a027f301f37f3236551e6ded520e96872723a91042bfc54775dcb34c94a1"
- logic_hash = "v1_sha256_3803aaac537aec0b188870177e510a3789a71c19be576569b59aa146b2ba62c5"
+ logic_hash = "3803aaac537aec0b188870177e510a3789a71c19be576569b59aa146b2ba62c5"
 score = 75
 quality = 85
 tags = ""
@@ -133993,14 +133993,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_3
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.3"
 author = "gssincla@google.com"
- id = "2df2980a-ed67-58fe-839b-4cdcba6c5006"
+ id = "fb96ecff-809e-5704-974e-a2d8ef022daa"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1070-L1109"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "7b00721efeff6ed94ab108477d57b03022692e288cc5814feb5e9d83e3788580"
- logic_hash = "v1_sha256_514d491b8066ed7127ebb152a27efbe65e1121da3b5460afe6987920a91f2863"
+ logic_hash = "514d491b8066ed7127ebb152a27efbe65e1121da3b5460afe6987920a91f2863"
 score = 75
 quality = 85
 tags = ""
@@ -134019,14 +134019,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_4
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.4"
 author = "gssincla@google.com"
- id = "f7952efd-e6a8-5f94-8da3-c17d8e27a172"
+ id = "97ef152c-86c7-513c-a881-e7d594d38dcf"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1111-L1148"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "5a4d48c2eda8cda79dc130f8306699c8203e026533ce5691bf90363473733bf0"
- logic_hash = "v1_sha256_65aa42265133038f6f568c021c0228440e84e236829af50796a73f6923f46395"
+ logic_hash = "65aa42265133038f6f568c021c0228440e84e236829af50796a73f6923f46395"
 score = 75
 quality = 85
 tags = ""
@@ -134045,14 +134045,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_5_Hf1_And_V3_5_1
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.5-hf1 and 3.5.1"
 author = "gssincla@google.com"
- id = "71bf6f95-173c-5a9b-8c74-3d4809f413b4"
+ id = "0c0e87d3-e0e2-5ddc-9d89-5e56443da4b8"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1150-L1189"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "934134ab0ee65ec76ae98a9bb9ad0e9571d80f4bf1eb3491d58bacf06d42dc8d"
- logic_hash = "v1_sha256_5cd69554edb91956f4ec4c3c5e55f4cd9c3665656c318220ba3a270c0bb0a690"
+ logic_hash = "5cd69554edb91956f4ec4c3c5e55f4cd9c3665656c318220ba3a270c0bb0a690"
 score = 75
 quality = 85
 tags = ""
@@ -134071,14 +134071,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_6
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.6"
 author = "gssincla@google.com"
- id = "c20ea571-0959-5d87-a8e1-51ee51d3b3c0"
+ id = "9651a1ca-d8ea-5b0b-bcba-a850c2e07791"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1191-L1233"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "92b0a4aec6a493bcb1b72ce04dd477fd1af5effa0b88a9d8283f26266bb019a1"
- logic_hash = "v1_sha256_d6aff186a01386992f004cb775d280f9b6e7e16d7ecee662d61e3485b0bc088b"
+ logic_hash = "d6aff186a01386992f004cb775d280f9b6e7e16d7ecee662d61e3485b0bc088b"
 score = 75
 quality = 85
 tags = ""
@@ -134098,14 +134098,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_7
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.7"
 author = "gssincla@google.com"
- id = "9cd2b623-f6b9-503e-b201-c2f743baf87d"
+ id = "27fad98a-2882-5c52-af6e-c7dcf5559624"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1235-L1274"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "81296a65a24c0f6f22208b0d29e7bb803569746ce562e2fa0d623183a8bcca60"
- logic_hash = "v1_sha256_89499e01acd607b2fbcdd134c74ca4a901c00c7c9cf70dd241cc538c1c0d083a"
+ logic_hash = "89499e01acd607b2fbcdd134c74ca4a901c00c7c9cf70dd241cc538c1c0d083a"
 score = 75
 quality = 85
 tags = ""
@@ -134124,14 +134124,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_8
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.8"
 author = "gssincla@google.com"
- id = "f756ca5d-99ec-5717-8fa8-d37e6db75fe6"
+ id = "89809d81-9a8b-5cf3-a251-689bf52e98e0"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1276-L1310"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "547d44669dba97a32cb9e95cfb8d3cd278e00599e6a11080df1a9d09226f33ae"
- logic_hash = "v1_sha256_8845b71ce4401fd194eb88f04dbf1f313af8b4853da004e63261ca3158fcb1d4"
+ logic_hash = "8845b71ce4401fd194eb88f04dbf1f313af8b4853da004e63261ca3158fcb1d4"
 score = 75
 quality = 85
 tags = ""
@@ -134149,14 +134149,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_11
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.11 (two subversions)"
 author = "gssincla@google.com"
- id = "7b2e7c9b-406e-5de4-bfb2-7093ff2e85e7"
+ id = "bf0c7661-2583-5fca-beb5-abb2b50c860d"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1312-L1366"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "64007e104dddb6b5d5153399d850f1e1f1720d222bed19a26d0b1c500a675b1a"
- logic_hash = "v1_sha256_9c34b23b659463a0ab92949031a9b3246aa95256d1548b2f0ad53fe3d379997d"
+ logic_hash = "9c34b23b659463a0ab92949031a9b3246aa95256d1548b2f0ad53fe3d379997d"
 score = 75
 quality = 85
 tags = ""
@@ -134183,14 +134183,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_12
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.12"
 author = "gssincla@google.com"
- id = "67486dcf-adc3-5d59-8ada-589f1e2c36a8"
+ id = "6eeae9f4-96e0-5a98-a8dc-779c916cd968"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1368-L1404"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "8a28b7a7e32ace2c52c582d0076939d4f10f41f4e5fa82551e7cc8bdbcd77ebc"
- logic_hash = "v1_sha256_7457b20f2a7dc7e8c3317cedbcfccae30ecc8dc164188c0321f9485fdfab0f6e"
+ logic_hash = "7457b20f2a7dc7e8c3317cedbcfccae30ecc8dc164188c0321f9485fdfab0f6e"
 score = 75
 quality = 85
 tags = ""
@@ -134208,14 +134208,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_13
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.13"
 author = "gssincla@google.com"
- id = "56485d8c-8e09-5ff0-a944-496725cd8eda"
+ id = "202eb8ea-7afb-515b-9306-67514abf5e55"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1407-L1440"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "945e10dcd57ba23763481981c6035e0d0427f1d3ba71e75decd94b93f050538e"
- logic_hash = "v1_sha256_81571a6c30802430d0df9980e005736d58464bde98c0889b48bf8d0c7e88d247"
+ logic_hash = "81571a6c30802430d0df9980e005736d58464bde98c0889b48bf8d0c7e88d247"
 score = 75
 quality = 85
 tags = ""
@@ -134233,14 +134233,14 @@ rule GCTI_Cobaltstrike_Resources_Beacon_X64_V3_14
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 3.14"
 author = "gssincla@google.com"
- id = "6f58f850-2ff1-5370-ab92-020232f409c9"
+ id = "d69171e3-86f4-5187-8874-5eee2045f746"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1442-L1477"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "297a8658aaa4a76599a7b79cb0da5b8aa573dd26c9e2c8f071e591200cf30c93"
- logic_hash = "v1_sha256_87cf465154d4294eeda9cf99c6c160da80cfa8a65244bc083737c0c87163431d"
+ logic_hash = "87cf465154d4294eeda9cf99c6c160da80cfa8a65244bc083737c0c87163431d"
 score = 75
 quality = 85
 tags = ""
@@ -134259,14 +134259,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_Dll_X86_V4_0_Suspected
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.0 (suspected, not confirmed)"
 author = "gssincla@google.com"
- id = "13469495-6972-5d9e-87d3-7c0ccb7bb058"
+ id = "28a735c4-87d1-5e14-9379-46a6fd0cdd2a"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1480-L1515"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "55aa2b534fcedc92bb3da54827d0daaa23ece0f02a10eb08f5b5247caaa63a73"
- logic_hash = "v1_sha256_0dbf6a75dc74f4c2a7604072a01e2dbaaee15f5e57c765f24138d85c248fb305"
+ logic_hash = "0dbf6a75dc74f4c2a7604072a01e2dbaaee15f5e57c765f24138d85c248fb305"
 score = 75
 quality = 85
 tags = ""
@@ -134285,14 +134285,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_X64_V4_1_And_V_4_2
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.1 and 4.2"
 author = "gssincla@google.com"
- id = "e3320fbf-c715-54db-a47f-7c399e66827a"
+ id = "dc320d17-98fc-5df3-ba05-4d134129317e"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1517-L1553"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "29ec171300e8d2dad2e1ca2b77912caf0d5f9d1b633a81bb6534acb20a1574b2"
- logic_hash = "v1_sha256_9b262ec18f79ab5ae63ad26d3685af088b5feb2d66de6ad3ba584cafbe2ee221"
+ logic_hash = "9b262ec18f79ab5ae63ad26d3685af088b5feb2d66de6ad3ba584cafbe2ee221"
 score = 75
 quality = 85
 tags = ""
@@ -134311,14 +134311,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_X64_V4_3
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Version 4.3"
 author = "gssincla@google.com"
- id = "3d84b95d-5853-5200-8da2-8a7aaf23a8f1"
+ id = "572616c7-d1ec-5aa1-b142-4f2edf73737f"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1555-L1590"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "3ac9c3525caa29981775bddec43d686c0e855271f23731c376ba48761c27fa3d"
- logic_hash = "v1_sha256_0c8934e997583339145749a3167ac010d8c77b2ed878d2c999de68ec2a98101d"
+ logic_hash = "0c8934e997583339145749a3167ac010d8c77b2ed878d2c999de68ec2a98101d"
 score = 75
 quality = 85
 tags = ""
@@ -134336,14 +134336,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_X64_V4_4_V_4_5_And_V4_6
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.4 through at least 4.6"
 author = "gssincla@google.com"
- id = "fad5cf41-e4b0-51ee-affe-7fe656342bc9"
+ id = "79b6bfd4-1e45-5bd9-ac5c-19eb176ce698"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1593-L1628"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "3280fec57b7ca94fd2bdb5a4ea1c7e648f565ac077152c5a81469030ccf6ab44"
- logic_hash = "v1_sha256_be0bbf58a176f8089924b3ce58268d906f49dde51d863524971e46f4bada43a3"
+ logic_hash = "be0bbf58a176f8089924b3ce58268d906f49dde51d863524971e46f4bada43a3"
 score = 75
 quality = 85
 tags = ""
@@ -134361,14 +134361,14 @@ rule GCTI_Cobaltstrike_Sleeve_Beacon_X64_V4_5_Variant
 meta:
 description = "Cobalt Strike's sleeve/beacon.x64.dll Versions 4.5 (variant)"
 author = "gssincla@google.com"
- id = "7f2b08a8-f5ec-529b-a892-0543b4b146c0"
+ id = "45715da9-8f16-5304-b216-1ca36c508c77"
 date = "2022-11-18"
 modified = "2023-12-04"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Beacon_Dll_All_Versions_MemEnabled.yara#L1630-L1665"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "8f0da7a45945b630cd0dfb5661036e365dcdccd085bc6cff2abeec6f4c9f1035"
- logic_hash = "v1_sha256_31a108168489a24d1bc297d722741f3fd19abd1bed4c76d54967c73986d18123"
+ logic_hash = "31a108168489a24d1bc297d722741f3fd19abd1bed4c76d54967c73986d18123"
 score = 75
 quality = 85
 tags = ""
@@ -134386,14 +134386,14 @@ rule GCTI_Cobaltstrike_Resources_Browserpivot_X64_Bin_V1_48_To_V3_14_And_Sleeve_
 meta:
 description = "Cobalt Strike's resources/browserpivot.x64.bin from v1.48 to v3.14 and sleeve/browserpivot.x64.dll from v4.0 to at least v4.4"
 author = "gssincla@google.com"
- id = "ed405ef7-8a32-59fa-8970-2d73a9f8937b"
+ id = "a5dfae85-ff9c-5ca5-9ac0-041c6108a6ed"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Browserpivot_x64_Bin_v1_48_to_v3_14_and_Sleeve_Browserpivot_x64_Dll_v4_0_to_v4_x.yara#L17-L64"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "0ad32bc4fbf3189e897805cec0acd68326d9c6f714c543bafb9bc40f7ac63f55"
- logic_hash = "v1_sha256_a59f19b6e258b724ed88b4255717d066319ba5fb0838d6c6ed11355e9d9b1c22"
+ logic_hash = "a59f19b6e258b724ed88b4255717d066319ba5fb0838d6c6ed11355e9d9b1c22"
 score = 75
 quality = 85
 tags = ""
@@ -134424,14 +134424,14 @@ rule GCTI_Cobaltstrike_Resources_Dnsstager_Bin_V1_47_Through_V4_X
 meta:
 description = "Cobalt Strike's resources/dnsstager.bin signature for versions 1.47 to 4.x"
 author = "gssincla@google.com"
- id = "0c575b3c-f450-550d-b5d0-bc8c0f38684e"
+ id = "e1b0e368-9bcf-5d9b-b2b3-8414742f213e"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Dnsstager_Bin_v1_47_through_v4_x.yara#L17-L78"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "10f946b88486b690305b87c14c244d7bc741015c3fef1c4625fa7f64917897f1"
- logic_hash = "v1_sha256_d4500d8a83a821e1df9e808b17a87c1207d78ea0e03886544a632176fe93ccd0"
+ logic_hash = "d4500d8a83a821e1df9e808b17a87c1207d78ea0e03886544a632176fe93ccd0"
 score = 75
 quality = 83
 tags = ""
@@ -134469,14 +134469,14 @@ rule GCTI_Cobaltstrike_Resources_Xor_Bin__64Bit_V3_12_To_V4_X
 meta:
 description = "Cobalt Strike's resource/xor64.bin signature for version 3.12 through 4.x"
 author = "gssincla@google.com"
- id = "8885f04b-2629-55fa-aa16-80a1abf1f527"
+ id = "5bb465ee-3bbd-5bfe-8b63-1f243de217bc"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__64bit_v3_12_to_4_x.yara#L17-L38"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "01dba8783768093b9a34a1ea2a20f72f29fd9f43183f3719873df5827a04b744"
- logic_hash = "v1_sha256_aabaad09408ae292a0bbc678c334f9f54364b4f6b882846072c303bf826fc2da"
+ logic_hash = "aabaad09408ae292a0bbc678c334f9f54364b4f6b882846072c303bf826fc2da"
 score = 75
 quality = 85
 tags = ""
@@ -134494,14 +134494,14 @@ rule GCTI_Cobaltstrike_Resources_Bypassuactoken_Dll_V3_11_To_V3_14
 meta:
 description = "Cobalt Strike's resources/bypassuactoken.dll from v3.11 to v3.14 (32-bit version)"
 author = "gssincla@google.com"
- id = "50dde2ce-a8b4-562c-9cc5-73837008965c"
+ id = "b9f25fa5-bd1d-5ba0-9b1d-bb97e1dbf76b"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuactoken_Dll_v3_11_to_v3_14.yara#L17-L151"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "df1c7256dfd78506e38c64c54c0645b6a56fc56b2ffad8c553b0f770c5683070"
- logic_hash = "v1_sha256_fe0780b7f4c16b55cfa00ea7de4da8ce349ec8a72de763b72e816ebc8e934b6d"
+ logic_hash = "fe0780b7f4c16b55cfa00ea7de4da8ce349ec8a72de763b72e816ebc8e934b6d"
 score = 75
 quality = 85
 tags = ""
@@ -134575,14 +134575,14 @@ rule GCTI_Cobaltstrike_Resources_Artifact32Svc_Exe_V3_1_V3_2_V3_14_And_V4_X
 meta:
 description = "Cobalt Strike's resources/artifact32svc(big).exe signature for versions 3.1 and 3.2 (with overlap with v3.14 through v4.x)"
 author = "gssincla@google.com"
- id = "59632661-4f93-5101-8ed2-9498cbd74665"
+ id = "732169be-e334-5774-b0ac-54b217a8b681"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32svc_Exe_v1_49_to_v4_x.yara#L53-L77"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "871390255156ce35221478c7837c52d926dfd581173818620b738b4b029e6fd9"
- logic_hash = "v1_sha256_b55211fc2dbe100edb19c3f3a000be513144e3556c4bce8a29a3c0b77451ba96"
+ logic_hash = "b55211fc2dbe100edb19c3f3a000be513144e3556c4bce8a29a3c0b77451ba96"
 score = 75
 quality = 85
 tags = ""
@@ -134598,14 +134598,14 @@ rule GCTI_Cobaltstrike_Resources_Covertvpn_Dll_V2_1_To_V4_X
 meta:
 description = "Cobalt Strike's resources/covertvpn.dll signature for version v2.2 to v4.4"
 author = "gssincla@google.com"
- id = "3372c79d-98f5-5267-a738-bc22a0db8d70"
+ id = "a65b855c-5703-5b9f-bb57-da8ebf898f9b"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_Dll_v2_1_to_v4_x.yara#L17-L120"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "0a452a94d53e54b1df6ba02bc2f02e06d57153aad111171a94ec65c910d22dcf"
- logic_hash = "v1_sha256_1f6e4254fdfd4f9b13c2000333aabbb7da90d2df7ee1b12faa6ea3c066351468"
+ logic_hash = "1f6e4254fdfd4f9b13c2000333aabbb7da90d2df7ee1b12faa6ea3c066351468"
 score = 75
 quality = 85
 tags = ""
@@ -134664,14 +134664,14 @@ rule GCTI_Cobaltstrike_Resources_Artifact64_V1_49_V2_X_V3_0_V3_3_Thru_V3_14
 meta:
 description = "Cobalt Strike's resources/artifact64{.dll,.exe,big.exe,big.dll,bigsvc.exe,big.x64.dll} and resources/rtifactuac(alt)64.dll signature for versions v1.49, v2.x, v3.0, and v3.3 through v3.14"
 author = "gssincla@google.com"
- id = "0a46ffe7-adcd-5daf-88fa-4919d41197ad"
+ id = "67902782-500e-5a89-8b2a-59ee21bcba3e"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Artifact64_v1_49_to_v4_x.yara#L17-L54"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "9ec57d306764517b5956b49d34a3a87d4a6b26a2bb3d0fdb993d055e0cc9920d"
- logic_hash = "v1_sha256_289950e89fc743ff4a1b7dcb91c561c7d829cfe3ade1c2f1a09f2e9701cce461"
+ logic_hash = "289950e89fc743ff4a1b7dcb91c561c7d829cfe3ade1c2f1a09f2e9701cce461"
 score = 75
 quality = 85
 tags = ""
@@ -134687,14 +134687,14 @@ rule GCTI_Cobaltstrike_Resources_Artifact64_V3_1_V3_2_V3_14_And_V4_0
 meta:
 description = "Cobalt Strike's resources/artifact64{svcbig.exe,.dll,big.dll,svc.exe} and resources/artifactuac(big)64.dll signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x"
 author = "gssincla@google.com"
- id = "b4a5bd03-e18e-518d-92c9-27dbb3dc7b84"
+ id = "c9e9b8e0-16fe-5abc-b1fe-0e3e586f6db6"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Artifact64_v1_49_to_v4_x.yara#L56-L84"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "2e7a39bd6ac270f8f548855b97c4cef2c2ce7f54c54dd4d1aa0efabeecf3ba90"
- logic_hash = "v1_sha256_e5af04baa1d18d5a2a2c005b40bf93fe6a7b2d7116dfcf3c5b3fa36657448eb9"
+ logic_hash = "e5af04baa1d18d5a2a2c005b40bf93fe6a7b2d7116dfcf3c5b3fa36657448eb9"
 score = 75
 quality = 85
 tags = ""
@@ -134710,14 +134710,14 @@ rule GCTI_Cobaltstrike_Resources_Artifact64_V3_14_To_V4_X
 meta:
 description = "Cobalt Strike's resources/artifact64{.exe,.dll,svc.exe,svcbig.exe,big.exe,big.dll,.x64.dll,big.x64.dll} and resource/artifactuac(alt)64.exe signature for versions v3.14 through v4.x"
 author = "gssincla@google.com"
- id = "9c810ee4-c04b-5ff2-a2c6-d415a0ce4692"
+ id = "1c7731d3-429b-57aa-9c17-8de7d0841b1e"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Artifact64_v1_49_to_v4_x.yara#L86-L128"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "decfcca0018f2cec4a200ea057c804bb357300a67c6393b097d52881527b1c44"
- logic_hash = "v1_sha256_af8ba6ba62bf1179510b0940e60f893f61b3ba10c81001dd90fe4c3521e56a37"
+ logic_hash = "af8ba6ba62bf1179510b0940e60f893f61b3ba10c81001dd90fe4c3521e56a37"
 score = 75
 quality = 85
 tags = ""
@@ -134746,14 +134746,14 @@ rule GCTI_Cobaltstrike_Resources_Template_X64_Ps1_V3_0_To_V4_X_Excluding_3_12_3_
 meta:
 description = "Cobalt Strike's resources/template.x64.ps1, resources/template.hint.x64.ps1 and resources/template.hint.x32.ps1 from v3.0 to v4.x except 3.12 and 3.13"
 author = "gssincla@google.com"
- id = "3626bf40-c6ce-5040-869d-11b899b87653"
+ id = "5a808113-aacb-56ca-b3ec-166c73c54b85"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Template_x64_Ps1_v3_0_to_v4_x_excluding_3_12_3_13.yara#L17-L37"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "ff743027a6bcc0fee02107236c1f5c96362eeb91f3a5a2e520a85294741ded87"
- logic_hash = "v1_sha256_80823b8590004686ebd83958cad16094ea2f6958a837d87934507531a00df77a"
+ logic_hash = "80823b8590004686ebd83958cad16094ea2f6958a837d87934507531a00df77a"
 score = 75
 quality = 81
 tags = ""
@@ -134775,14 +134775,14 @@ rule GCTI_Cobaltstrike_Resources_Bind64_Bin_V2_5_Through_V4_X
 meta:
 description = "Cobalt Strike's resources/bind64.bin signature for versions v2.5 to v4.x"
 author = "gssincla@google.com"
- id = "9ceccb62-eba8-5c59-8b6d-63cb8be6478c"
+ id = "a01e7bc3-40e9-5f87-8fd6-926972be273b"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Bind64_Bin_v2_5_through_v4_x.yara#L17-L109"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "5dd136f5674f66363ea6463fd315e06690d6cb10e3cc516f2d378df63382955d"
- logic_hash = "v1_sha256_ba79abc5cfeaccb94699c0d85c16b2ddf6820bc148c0fd1c9b33c07222e36cb6"
+ logic_hash = "ba79abc5cfeaccb94699c0d85c16b2ddf6820bc148c0fd1c9b33c07222e36cb6"
 score = 75
 quality = 85
 tags = ""
@@ -134832,14 +134832,14 @@ rule GCTI_Cobaltstrike_Resources_Covertvpn_Injector_Exe_V1_44_To_V2_0_49
 meta:
 description = "Cobalt Strike's resources/covertvpn-injector.exe signature for version v1.44 to v2.0.49"
 author = "gssincla@google.com"
- id = "91cc4182-3201-5799-a5a9-5da75a11f563"
+ id = "48485ae2-1d99-5fa8-b8e8-0047e92ef447"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Covertvpn_injector_Exe_v1_44_to_v2_0_49.yara#L17-L116"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "d741751520f46602f5a57d1ed49feaa5789115aeeba7fa4fc7cbb534ee335462"
- logic_hash = "v1_sha256_119602efe6243d8c0dc7b8f4468eb9b3be292620920f69dc8a560f900ac7f622"
+ logic_hash = "119602efe6243d8c0dc7b8f4468eb9b3be292620920f69dc8a560f900ac7f622"
 score = 75
 quality = 85
 tags = ""
@@ -134896,14 +134896,14 @@ rule GCTI_Cobaltstrike_Resources_Reverse_Bin_V2_5_Through_V4_X
 meta:
 description = "Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x"
 author = "gssincla@google.com"
- id = "ee4072c6-518c-51b0-b3d6-2faed6bf10bc"
+ id = "182dbcd0-1180-5516-abe3-cf2eebbd0e39"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Reverse_Bin_v2_5_through_v4_x.yara#L17-L104"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7"
- logic_hash = "v1_sha256_c6c4fc477c7654ec07eb6ef4c6d53805a9b4881ba288754e1f50b3e4b134333c"
+ logic_hash = "c6c4fc477c7654ec07eb6ef4c6d53805a9b4881ba288754e1f50b3e4b134333c"
 score = 75
 quality = 85
 tags = ""
@@ -134951,14 +134951,14 @@ rule GCTI_Cobaltstrike_Resources_Reverse64_Bin_V2_5_Through_V4_X
 meta:
 description = "Cobalt Strike's resources/reverse64.bin signature for versions v2.5 to v4.x"
 author = "gssincla@google.com"
- id = "3c46bd39-f4da-5506-9cb5-8c916aa941af"
+ id = "966e6e4c-85e2-5c94-8245-25367802b7d2"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Reverse64_Bin_v2_5_through_v4_x.yara#L17-L99"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "d2958138c1b7ef681a63865ec4a57b0c75cc76896bf87b21c415b7ec860397e8"
- logic_hash = "v1_sha256_c657234156293b9ac363b677490739ab0b5cc2ef149c9d9c37332dab9bb012f6"
+ logic_hash = "c657234156293b9ac363b677490739ab0b5cc2ef149c9d9c37332dab9bb012f6"
 score = 75
 quality = 85
 tags = ""
@@ -135004,14 +135004,14 @@ rule GCTI_Cobaltstrike_Resources_Smbstager_Bin_V2_5_Through_V4_X
 meta:
 description = "Cobalt Strike's resources/smbstager.bin signature for versions 2.5 to 4.x"
 author = "gssincla@google.com"
- id = "88928947-6091-56f3-9442-aa9c73fc31bd"
+ id = "074b7d83-e3d8-541c-804b-2417c21f54d5"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Smbstager_Bin_v2_5_through_v4_x.yara#L17-L95"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "946af5a23e5403ea1caccb2e0988ec1526b375a3e919189f16491eeabc3e7d8c"
- logic_hash = "v1_sha256_b0f6535069df16a64de44ca0638ec060c1ff264a7820c94710d61ca7e8474450"
+ logic_hash = "b0f6535069df16a64de44ca0638ec060c1ff264a7820c94710d61ca7e8474450"
 score = 75
 quality = 85
 tags = ""
@@ -135056,14 +135056,14 @@ rule GCTI_Cobaltstrike_Resources_Artifact32_And_Resources_Dropper_V1_49_To_V3_14
 meta:
 description = "Cobalt Strike's resources/artifact32{.exe,.dll,big.exe,big.dll} and resources/dropper.exe signature for versions 1.49 to 3.14"
 author = "gssincla@google.com"
- id = "5c2a2c02-8b74-588a-ab49-bb82736ef6f7"
+ id = "243e3761-cbea-561c-97da-f6ba12ebc7ee"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara#L17-L32"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "40fc605a8b95bbd79a3bd7d9af73fbeebe3fada577c99e7a111f6168f6a0d37a"
- logic_hash = "v1_sha256_437706c808bca28384a6e8e24fa3ae120a4ebe4166fa4ca3564c58b881fb23a8"
+ logic_hash = "437706c808bca28384a6e8e24fa3ae120a4ebe4166fa4ca3564c58b881fb23a8"
 score = 75
 quality = 85
 tags = ""
@@ -135079,14 +135079,14 @@ rule GCTI_Cobaltstrike_Resources_Artifact32_V3_1_And_V3_2
 meta:
 description = "Cobalt Strike's resources/artifact32{.dll,.exe,svc.exe,big.exe,big.dll,bigsvc.exe} and resources/artifact32uac(alt).dll signature for versions 3.1 and 3.2"
 author = "gssincla@google.com"
- id = "864e85b7-0bca-5a88-8aba-c20f07f3fa16"
+ id = "4fff7f42-9f50-5945-8ec0-2438ac5c7000"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara#L34-L60"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "4f14bcd7803a8e22e81e74d6061d0df9e8bac7f96f1213d062a29a8523ae4624"
- logic_hash = "v1_sha256_7a0d33d0260c762b4aa67e4084d7474338c60aa684fd3e622614745d90350da8"
+ logic_hash = "7a0d33d0260c762b4aa67e4084d7474338c60aa684fd3e622614745d90350da8"
 score = 75
 quality = 85
 tags = ""
@@ -135102,14 +135102,14 @@ rule GCTI_Cobaltstrike_Resources_Artifact32_V3_14_To_V4_X
 meta:
 description = "Cobalt Strike's resources/artifact32{.dll,.exe,big.exe,big.dll,bigsvc.exe} signature for versions 3.14 to 4.x and resources/artifact32svc.exe for 3.14 to 4.x and resources/artifact32uac.dll for v3.14 and v4.0"
 author = "gssincla@google.com"
- id = "4c1ed311-3a9e-54be-85b8-c65fff352737"
+ id = "8a010305-dce5-55f4-b2dd-a736721efe22"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Artifact32_and_Resources_Dropper_v1_45_to_v4_x.yara#L62-L89"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "888bae8d89c03c1d529b04f9e4a051140ce3d7b39bc9ea021ad9fc7c9f467719"
- logic_hash = "v1_sha256_fc5c353c568e33df80fa5bab14d11112ca211e269043b83dba8b7d1a6a008a7b"
+ logic_hash = "fc5c353c568e33df80fa5bab14d11112ca211e269043b83dba8b7d1a6a008a7b"
 score = 75
 quality = 85
 tags = ""
@@ -135126,14 +135126,14 @@ rule GCTI_Cobaltstrike_Resources_Bind_Bin_V2_5_Through_V4_X
 meta:
 description = "Cobalt Strike's resources/bind.bin signature for versions 2.5 to 4.x"
 author = "gssincla@google.com"
- id = "c4c1cd7a-2bff-5b7e-bf58-91022ddb4471"
+ id = "32f129c1-9845-5843-9e16-7d9af217b8e2"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Bind_Bin_v2_5_through_v4_x.yara#L17-L111"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "3727542c0e3c2bf35cacc9e023d1b2d4a1e9e86ee5c62ee5b66184f46ca126d1"
- logic_hash = "v1_sha256_cf04e257590cf0673059348f5c15926918eb8aee40e864ae65979360aca80013"
+ logic_hash = "cf04e257590cf0673059348f5c15926918eb8aee40e864ae65979360aca80013"
 score = 75
 quality = 85
 tags = ""
@@ -135185,14 +135185,14 @@ rule GCTI_Cobaltstrike_Resources_Xor_Bin_V2_X_To_V4_X
 meta:
 description = "Cobalt Strike's resource/xor.bin signature for version 2.x through 4.x"
 author = "gssincla@google.com"
- id = "ddacf656-95cb-514c-909c-96bf276cf041"
+ id = "1754746c-3a42-5f7d-808a-ba2e1c0a270e"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Xor_Bin__32bit_v2_x_to_4_x.yara#L17-L36"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "211ccc5d28b480760ec997ed88ab2fbc5c19420a3d34c1df7991e65642638a6f"
- logic_hash = "v1_sha256_ad662a263ede6c3ba964baf8abe4848ed1e994f2c236d4315cb60c1d51442620"
+ logic_hash = "ad662a263ede6c3ba964baf8abe4848ed1e994f2c236d4315cb60c1d51442620"
 score = 75
 quality = 85
 tags = ""
@@ -135209,14 +135209,14 @@ rule GCTI_Cobaltstrike_Resources_Command_Ps1_V2_5_To_V3_7_And_Resources_Compress
 meta:
 description = "Cobalt Strike's resources/command.ps1 for versions 2.5 to v3.7 and resources/compress.ps1 from v3.8 to v4.x"
 author = "gssincla@google.com"
- id = "3a7d3f5f-4c04-5a4b-91c6-0aea915151ad"
+ id = "c0b81deb-ed20-5f7e-8e15-e6a9e9362594"
 date = "2022-11-18"
 modified = "2022-11-22"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Command_Ps1_v2_5_to_v3_7_and_Resources_Compress_Ps1_v3_8_to_v4_x.yara#L17-L33"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "932dec24b3863584b43caf9bb5d0cfbd7ed1969767d3061a7abdc05d3239ed62"
- logic_hash = "v1_sha256_31cf47060757b086d325cd205724a7be8931bbbc6ff2f4be67a6179ee99c42ca"
+ logic_hash = "31cf47060757b086d325cd205724a7be8931bbbc6ff2f4be67a6179ee99c42ca"
 score = 75
 quality = 85
 tags = ""
@@ -135233,14 +135233,14 @@ rule GCTI_Cobaltstrike_Resources_Template_Sct_V3_3_To_V4_X
 meta:
 description = "Cobalt Strike's resources/template.sct signature for versions v3.3 to v4.x"
 author = "gssincla@google.com"
- id = "b1d0f969-7cc5-591e-90f7-0355388816f1"
+ id = "9d2b1dfa-5f76-503f-9198-6ed0d039e0cb"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Template_Sct_v3_3_to_v4_x.yara#L17-L38"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "fc66cb120e7bc9209882620f5df7fdf45394c44ca71701a8662210cf3a40e142"
- logic_hash = "v1_sha256_8868445ced4945c469764b7f311d6cb11c99cf0f2d770113e5e617e0187a962c"
+ logic_hash = "8868445ced4945c469764b7f311d6cb11c99cf0f2d770113e5e617e0187a962c"
 score = 75
 quality = 85
 tags = ""
@@ -135263,14 +135263,14 @@ rule GCTI_Cobaltstrike_Resources_Httpsstager64_Bin_V3_2_Through_V4_X
 meta:
 description = "Cobalt Strike's resources/httpsstager64.bin signature for versions v3.2 to v4.x"
 author = "gssincla@google.com"
- id = "aa8d003b-b1a5-51ce-a50a-624a53a25d31"
+ id = "c16e73fc-484a-5f7e-8127-d85a0254d842"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Httpsstager64_Bin_v3_2_through_v4_x.yara#L17-L90"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "109b8c55816ddc0defff360c93e8a07019ac812dd1a42209ea7e95ba79b5a573"
- logic_hash = "v1_sha256_4889a23c1f2780044b9fb2a0207676d57e82e6c1275614b684a5a9cbe984b761"
+ logic_hash = "4889a23c1f2780044b9fb2a0207676d57e82e6c1275614b684a5a9cbe984b761"
 score = 75
 quality = 85
 tags = ""
@@ -135312,14 +135312,14 @@ rule GCTI_Cobaltstrike_Resources_Template_Py_V3_3_To_V4_X
 meta:
 description = "Cobalt Strike's resources/template.py signature for versions v3.3 to v4.x"
 author = "gssincla@google.com"
- id = "ea7f611c-670d-58dd-b2a1-3c106fcbb681"
+ id = "16aef9a9-b217-5462-93dc-f6273c99ddd0"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Template_Py_v3_3_to_v4_x.yara#L17-L36"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "d5cb406bee013f51d876da44378c0a89b7b3b800d018527334ea0c5793ea4006"
- logic_hash = "v1_sha256_3c26cea4b8f2b200bf58e939ae9ead7a7339d4ec0de8c72b3d9c7da897600081"
+ logic_hash = "3c26cea4b8f2b200bf58e939ae9ead7a7339d4ec0de8c72b3d9c7da897600081"
 score = 75
 quality = 85
 tags = ""
@@ -135340,14 +135340,14 @@ rule GCTI_Cobaltstrike_Resources_Elevate_Dll_V3_0_To_V3_14_And_Sleeve_Elevate_Dl
 meta:
 description = "Cobalt Strike's resources/elevate.dll signature for v3.0 to v3.14 and sleeve/elevate.dll for v4.x"
 author = "gssincla@google.com"
- id = "c402bcd9-f842-53a5-9fbd-64b92b1bf01e"
+ id = "170f62a2-ba4f-5be8-9ec5-402eb7bbde4e"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Elevate_Dll_v3_0_to_v3_14_and_Sleeve_Elevate_Dll_v4_x.yara#L17-L68"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "6deeb2cafe9eeefe5fc5077e63cc08310f895e9d5d492c88c4e567323077aa2f"
- logic_hash = "v1_sha256_766a0a390ed8cefe43d82a054a9b2cfec7eced75e0d7ee10231215043577b75e"
+ logic_hash = "766a0a390ed8cefe43d82a054a9b2cfec7eced75e0d7ee10231215043577b75e"
 score = 75
 quality = 85
 tags = ""
@@ -135380,14 +135380,14 @@ rule GCTI_Cobaltstrike_Resources_Template_X86_Vba_V3_8_To_V4_X
 meta:
 description = "Cobalt Strike's resources/template.x86.vba signature for versions v3.8 to v4.x"
 author = "gssincla@google.com"
- id = "288e243e-37e3-5463-9e97-caf69c7a74df"
+ id = "11c7758e-93b2-5fe3-873d-b98de579d2b4"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Template_x86_Vba_v3_8_to_v4_x.yara#L17-L37"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "fc66cb120e7bc9209882620f5df7fdf45394c44ca71701a8662210cf3a40e142"
- logic_hash = "v1_sha256_7114515477d82651806eccef34f599f6ffd4614f987dee29417ac6ef7a1a1c38"
+ logic_hash = "7114515477d82651806eccef34f599f6ffd4614f987dee29417ac6ef7a1a1c38"
 score = 75
 quality = 85
 tags = ""
@@ -135409,14 +135409,14 @@ rule GCTI_Cobaltstrike_Resources_Bypassuac_Dll_V1_49_To_V3_14_And_Sleeve_Bypassu
 meta:
 description = "Cobalt Strike's resources/bypassuac(-x86).dll from v1.49 to v3.14 (32-bit version) and sleeve/bypassuac.dll from v4.0 to at least v4.4"
 author = "gssincla@google.com"
- id = "3fc12270-5a0e-5b84-a2dc-ce599ed0a203"
+ id = "614046b5-cf81-56a5-8824-b3a7e14a8ed5"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/CobaltStrike/CobaltStrike__Resources_Bypassuac_Dll_v1_49_to_v3_14_and_Sleeve_Bypassuac_Dll_v4_0_to_v4_x.yara#L17-L94"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "91d12e1d09a642feedee5da966e1c15a2c5aea90c79ac796e267053e466df365"
- logic_hash = "v1_sha256_7d59c0286f1936e386519a919472d01581b68a8167c89bd3cd3108d45251119a"
+ logic_hash = "7d59c0286f1936e386519a919472d01581b68a8167c89bd3cd3108d45251119a"
 score = 75
 quality = 85
 tags = ""
@@ -135461,14 +135461,14 @@ rule GCTI_Sliver_Implant_64Bit
 meta:
 description = "Sliver 64-bit implant (with and without --debug flag at compile)"
 author = "gssincla@google.com"
- id = "dec5c958-31fb-57ed-b381-5207b14b5cef"
+ id = "b84db933-0e11-5871-821d-43697c015665"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/Sliver/Sliver__Implant_64bit.yara#L17-L84"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "2d1c9de42942a16c88a042f307f0ace215cdc67241432e1152080870fe95ea87"
- logic_hash = "v1_sha256_ad4ceef08a732174c8ccbcacf0370b26acb9e5ec0784d8827c8104618e018a26"
+ logic_hash = "ad4ceef08a732174c8ccbcacf0370b26acb9e5ec0784d8827c8104618e018a26"
 score = 75
 quality = 85
 tags = ""
@@ -135490,14 +135490,14 @@ rule GCTI_Sliver_Implant_32Bit
 meta:
 description = "Sliver 32-bit implant (with and without --debug flag at compile)"
 author = "gssincla@google.com"
- id = "54ad2237-5440-50f1-bef3-e4daf8de1367"
+ id = "6bc4d7d1-64cf-5920-8f07-54a8a7a94f26"
 date = "2022-11-18"
 modified = "2022-11-19"
 reference = "https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse"
 source_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/YARA/Sliver/Sliver__Implant_32bit.yara#L17-L81"
 license_url = "https://github.com/chronicle/GCTI/blob/1c5fd42b1895098527fde00c2d9757edf6b303bb/LICENSE"
 hash = "911f4106350871ddb1396410d36f2d2eadac1166397e28a553b28678543a9357"
- logic_hash = "v1_sha256_5b394a198f691b6777438a69d20a423798525daa84a09a0ce346eca5bb66f850"
+ logic_hash = "5b394a198f691b6777438a69d20a423798525daa84a09a0ce346eca5bb66f850"
 score = 60
 quality = 35
 tags = ""
@@ -135518,7 +135518,7 @@ rule GCTI_Sliver_Implant_32Bit
 * YARA Rule Set
 * Repository Name: Malpedia
 * Repository: https://github.com/malpedia/signator-rules/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 6558c417dcf07146b1309b6acde6be0aa96dea10
 * Number of Rules: 1469
 * Skipped: 0 (age), 15 (quality), 0 (score), 0 (importance)
@@ -135533,13 +135533,13 @@ rule MALPEDIA_Win_Rook_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4c91e458-1502-57ec-8022-46dc872c8890"
+ id = "f7d50ee5-0cf7-58f1-9491-c0b1413c9c03"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rook_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_8ce4aaa97754380ef7f8444fbf7c6b6bdd739dd7cb13bc80ec0f235cec755f83"
+ logic_hash = "8ce4aaa97754380ef7f8444fbf7c6b6bdd739dd7cb13bc80ec0f235cec755f83"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135572,13 +135572,13 @@ rule MALPEDIA_Win_Roseam_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fe65241a-3751-5bd3-9a37-0239dcb9ff3b"
+ id = "5720401d-650c-5ffa-937c-009deb00b79f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.roseam_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_6405b276e56fbb6391489a72f41f1ba4fb7da1db3c06ee822f393f99823911b5"
+ logic_hash = "6405b276e56fbb6391489a72f41f1ba4fb7da1db3c06ee822f393f99823911b5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135611,13 +135611,13 @@ rule MALPEDIA_Win_Qaccel_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3686b107-6e11-5934-95f7-d405cc141c29"
+ id = "1024ae4a-8ecf-5647-a954-71832685cf06"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.qaccel_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_5f2f18c31debd22ba8cc6fab103208438701251a4ea3f2ead7d07424fdf86ff4"
+ logic_hash = "5f2f18c31debd22ba8cc6fab103208438701251a4ea3f2ead7d07424fdf86ff4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135650,13 +135650,13 @@ rule MALPEDIA_Win_Bedep_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d2c9080c-de0e-5165-b6d1-664456bc54d8"
+ id = "50676d12-901b-5467-9cc0-ebfacf6cdb1b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bedep_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_3972e680d8fcfe1f525b24f026ad26b3e506bdc906b9b363e15bad8bf5e7bda8"
+ logic_hash = "3972e680d8fcfe1f525b24f026ad26b3e506bdc906b9b363e15bad8bf5e7bda8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135689,13 +135689,13 @@ rule MALPEDIA_Win_Liteduke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6448d454-0572-5249-b1ba-1a5edacf26ce"
+ id = "0d5b03ab-c51a-5be5-8e11-3fd3c042290f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.liteduke_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_7fa217ead580adfe5b357dd72935fa5df636ba1480b849cad849e2ead7958d39"
+ logic_hash = "7fa217ead580adfe5b357dd72935fa5df636ba1480b849cad849e2ead7958d39"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135728,13 +135728,13 @@ rule MALPEDIA_Win_Lokipws_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "23a8980f-bee8-57b8-b204-996ba8081d92"
+ id = "5db76a16-385c-53b6-855b-1bbc58a2e30f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lokipws_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_f7396cac0e0e8581cb9065a2315499eb607a41e3e7300cb035a34c55b22b36af"
+ logic_hash = "f7396cac0e0e8581cb9065a2315499eb607a41e3e7300cb035a34c55b22b36af"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135767,13 +135767,13 @@ rule MALPEDIA_Win_Freenki_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ecd448bd-e2ef-558d-a481-7910dd9ca6bb"
+ id = "90a961ff-4b9f-5590-858d-04fe0571f818"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.freenki_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_2dca0dd103141182e01ae8912e5d010c4bde1802bf1b8f905ac7a8ec2594845a"
+ logic_hash = "2dca0dd103141182e01ae8912e5d010c4bde1802bf1b8f905ac7a8ec2594845a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135806,13 +135806,13 @@ rule MALPEDIA_Win_Cryptoshuffler_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9945ca59-a572-505f-b2a6-9b49e3b33fad"
+ id = "f4c7e6b7-7f12-5acd-8436-2c3134e8001d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptoshuffler_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_4b559d81f694922613ae9b35eca370b9546b803a67169819f510f86751d1ed9d"
+ logic_hash = "4b559d81f694922613ae9b35eca370b9546b803a67169819f510f86751d1ed9d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135845,13 +135845,13 @@ rule MALPEDIA_Win_Isspace_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bf6e9a6f-b149-5d98-b62f-13f21c218d71"
+ id = "b06e0b56-5b2e-5927-89d7-5a1fa4e89bfc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.isspace_auto.yar#L1-L99"
 license_url = "N/A"
- logic_hash = "v1_sha256_f9cfbe43c7bd218df762aeca13b65476ac7bccb2b29d82571f83ea3511bd9d7b"
+ logic_hash = "f9cfbe43c7bd218df762aeca13b65476ac7bccb2b29d82571f83ea3511bd9d7b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135882,13 +135882,13 @@ rule MALPEDIA_Win_Karius_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fd737c86-3a17-5fb2-a12c-958f9bcf83f8"
+ id = "bdd5efaf-1311-50f9-afba-26e352ee7308"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.karius_auto.yar#L1-L247"
 license_url = "N/A"
- logic_hash = "v1_sha256_c2392952453e4a9f29da2ad06ae05ba8bdd1282ea8bcab3057e95c6647f70010"
+ logic_hash = "c2392952453e4a9f29da2ad06ae05ba8bdd1282ea8bcab3057e95c6647f70010"
 score = 75
 quality = 73
 tags = "FILE"
@@ -135937,13 +135937,13 @@ rule MALPEDIA_Win_Winsloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "136f6691-2fe7-593d-b667-4ca49f3d0bec"
+ id = "2a9fc14a-5291-5130-a2b1-9b0355619f7f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.winsloader_auto.yar#L1-L166"
 license_url = "N/A"
- logic_hash = "v1_sha256_55e07c31479b98d0a2305c5dcdb238979b21006495ecfde106eb27274a497408"
+ logic_hash = "55e07c31479b98d0a2305c5dcdb238979b21006495ecfde106eb27274a497408"
 score = 75
 quality = 75
 tags = "FILE"
@@ -135982,13 +135982,13 @@ rule MALPEDIA_Win_Risepro_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "909db302-30da-59c5-8039-025eac3151dc"
+ id = "dda5214f-af54-5ca2-a7cc-1bcc410f868f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.risepro"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.risepro_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_d29313e60d544119ebfa72aa2a82b5ab903014cb2fa565cd9721952588d526d1"
+ logic_hash = "d29313e60d544119ebfa72aa2a82b5ab903014cb2fa565cd9721952588d526d1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136021,13 +136021,13 @@ rule MALPEDIA_Win_Rockloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5ab585fc-2d51-59bc-983d-2f5fa3f435c7"
+ id = "96a7a61e-00d6-5fd3-8dcd-0a299f4f2b93"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rockloader_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_7138f3c287966f118168a5a68bdeb5d70100d456e15e650d1baf5a7a96ef38bb"
+ logic_hash = "7138f3c287966f118168a5a68bdeb5d70100d456e15e650d1baf5a7a96ef38bb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136060,13 +136060,13 @@ rule MALPEDIA_Win_Bee_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fea1f24b-56c5-5c8f-bb06-3c77a6cf8b2f"
+ id = "db73c98e-464c-5a10-86d4-5be67acb42ee"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bee"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bee_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_5ff9293be730d91df0bdf17c2150532b12e666a23f61e90864080eb355a44306"
+ logic_hash = "5ff9293be730d91df0bdf17c2150532b12e666a23f61e90864080eb355a44306"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136099,13 +136099,13 @@ rule MALPEDIA_Win_Red_Gambler_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b421c228-0479-5792-80f9-c7ef45206c48"
+ id = "48807a37-e904-5314-8d0b-afd101b942b7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.red_gambler_auto.yar#L1-L307"
 license_url = "N/A"
- logic_hash = "v1_sha256_5df98b37982fcd6fe80d2e1e665e4de08feffa39ad75db51ff52df159597061f"
+ logic_hash = "5df98b37982fcd6fe80d2e1e665e4de08feffa39ad75db51ff52df159597061f"
 score = 75
 quality = 73
 tags = "FILE"
@@ -136160,13 +136160,13 @@ rule MALPEDIA_Win_Elise_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5e10e65b-6e45-59fb-8349-224e4be08804"
+ id = "11ed4b5e-b7d9-57f1-b779-a93a47cbf173"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.elise_auto.yar#L1-L209"
 license_url = "N/A"
- logic_hash = "v1_sha256_09615a6853721651624e029a2091d82fab132dd6d80506edb16bc08b652a8438"
+ logic_hash = "09615a6853721651624e029a2091d82fab132dd6d80506edb16bc08b652a8438"
 score = 75
 quality = 73
 tags = "FILE"
@@ -136210,13 +136210,13 @@ rule MALPEDIA_Win_Ahtapot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b58846a8-6e6a-5b5a-9600-3965ec9abd01"
+ id = "205853ed-0c62-5497-8ae7-152aba719174"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ahtapot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ahtapot_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_392656dae04b266a3580579c812b8abd790d9485771e5a66abe1a48d413d41a8"
+ logic_hash = "392656dae04b266a3580579c812b8abd790d9485771e5a66abe1a48d413d41a8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136249,13 +136249,13 @@ rule MALPEDIA_Win_Eternal_Petya_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f673e817-0117-59ef-88ce-75ec50cad455"
+ id = "5412d86d-0c91-551e-8b1c-043b9779137a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.eternal_petya_auto.yar#L1-L164"
 license_url = "N/A"
- logic_hash = "v1_sha256_3d823703098c3ea98ac24fd4bb7c283e7fba6eebd623c0da8c21f46950e9dc6a"
+ logic_hash = "3d823703098c3ea98ac24fd4bb7c283e7fba6eebd623c0da8c21f46950e9dc6a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136294,13 +136294,13 @@ rule MALPEDIA_Win_Micrass_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d71bb5b5-d4d4-5e0a-ab90-1d193fd2211d"
+ id = "d96a8185-8065-503d-97cd-f54a64309e1a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.micrass_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_faa5276115d7780fcc63dd8ad050c766a7977fec6ea03be4a57f43d14c048567"
+ logic_hash = "faa5276115d7780fcc63dd8ad050c766a7977fec6ea03be4a57f43d14c048567"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136333,13 +136333,13 @@ rule MALPEDIA_Win_Sedll_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b9ad94e3-8478-5b98-b9be-481fb978e0b3"
+ id = "ecd5bad1-bc54-5597-9a03-6b9de2dff623"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sedll_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_fc4557f56af955238bdd97487f20282917cc4ee0a9fe525b8866f2a10d37bfda"
+ logic_hash = "fc4557f56af955238bdd97487f20282917cc4ee0a9fe525b8866f2a10d37bfda"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136372,13 +136372,13 @@ rule MALPEDIA_Win_Nabucur_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dbc3096a-3c46-5e8d-9b05-ae73996e4f75"
+ id = "af73c704-0513-5e82-a77f-ce8e36675074"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nabucur_auto.yar#L1-L163"
 license_url = "N/A"
- logic_hash = "v1_sha256_ff7129cae3af06c4bcbd1090aa15a0e8967082d3699d9e4f74992cad1754f8c1"
+ logic_hash = "ff7129cae3af06c4bcbd1090aa15a0e8967082d3699d9e4f74992cad1754f8c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136417,13 +136417,13 @@ rule MALPEDIA_Win_Predator_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8cf0766b-3a94-5a44-bb6a-c2c4752fb221"
+ id = "2b266341-4566-5b09-970f-78abdb005204"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.predator_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_3bb19506092c3990d39445359bc46f20b598a2af4c01b1d17206710e9f68b421"
+ logic_hash = "3bb19506092c3990d39445359bc46f20b598a2af4c01b1d17206710e9f68b421"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136456,13 +136456,13 @@ rule MALPEDIA_Win_Odinaff_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8ea1c23c-adfc-5d9a-aaf1-297c5253c44d"
+ id = "91e538b8-49fb-59bb-b141-8774c9ea7c3a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.odinaff_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_30f018bdaf01e341e417353febba3580b7f1e98a76ca0b650eefbf84ad5901ef"
+ logic_hash = "30f018bdaf01e341e417353febba3580b7f1e98a76ca0b650eefbf84ad5901ef"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136495,13 +136495,13 @@ rule MALPEDIA_Win_Chairsmack_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cd8f23e0-c9d8-5ba1-a188-0153432284ff"
+ id = "2de2e9d5-c2ea-5429-bfd2-5525076f44e7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chairsmack"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chairsmack_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_97781ffb695d6aa345e6e0e1fc6bc5189db5a22419050af0ce259dc4d2e28203"
+ logic_hash = "97781ffb695d6aa345e6e0e1fc6bc5189db5a22419050af0ce259dc4d2e28203"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136534,13 +136534,13 @@ rule MALPEDIA_Win_Bankshot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a6e78fa0-b555-5ee2-83ff-716222be9f75"
+ id = "86c817d0-2034-5c81-834f-97c8e0010057"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bankshot_auto.yar#L1-L425"
 license_url = "N/A"
- logic_hash = "v1_sha256_c44d83d86e3231c57414d81c161d108153b74cf74b3e3cc50eaea1f55952d16d"
+ logic_hash = "c44d83d86e3231c57414d81c161d108153b74cf74b3e3cc50eaea1f55952d16d"
 score = 75
 quality = 50
 tags = "FILE"
@@ -136608,13 +136608,13 @@ rule MALPEDIA_Win_Wininetloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9de52feb-db3b-5bf2-a7a8-8a392a00058d"
+ id = "7ea47534-c96c-52ac-bf22-909791f16181"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wininetloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wininetloader_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_b330f726e24dbb98ed7560a78537474ae8441347d679ef8681cdcfe81bca90ca"
+ logic_hash = "b330f726e24dbb98ed7560a78537474ae8441347d679ef8681cdcfe81bca90ca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136647,13 +136647,13 @@ rule MALPEDIA_Win_Slothfulmedia_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f42f05c9-bb7c-5c30-879b-2f78bb33bfe4"
+ id = "2e039255-65fc-54b3-b80d-fbd83d62f398"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.slothfulmedia_auto.yar#L1-L177"
 license_url = "N/A"
- logic_hash = "v1_sha256_4478c19c5b75da4be13e2a5e0ada629ab254eb002384f45d3b79eb582f1a6eaf"
+ logic_hash = "4478c19c5b75da4be13e2a5e0ada629ab254eb002384f45d3b79eb582f1a6eaf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136692,13 +136692,13 @@ rule MALPEDIA_Win_Banatrix_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "aabea560-ce0a-5c60-9d70-5fd56dc7a038"
+ id = "702dab13-4bb6-5a8c-a445-48baade0f697"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.banatrix_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_b32ec448caee97c1e074a70cc1c0b66b914a64f46a4b1bc215e4633ee2c8f80d"
+ logic_hash = "b32ec448caee97c1e074a70cc1c0b66b914a64f46a4b1bc215e4633ee2c8f80d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136731,13 +136731,13 @@ rule MALPEDIA_Win_Lockergoga_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4ebba3c8-33d7-523f-89d9-7d3075743a89"
+ id = "098a7a92-b383-59d8-91b6-0fe20ed4e757"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lockergoga_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_c582e783be4f8c1eccf17c3665e883eb649b80d6c64ac8df726791d94d7fb2de"
+ logic_hash = "c582e783be4f8c1eccf17c3665e883eb649b80d6c64ac8df726791d94d7fb2de"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136770,13 +136770,13 @@ rule MALPEDIA_Win_Tuoni_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a88e6fe8-501b-599b-abec-2019edaa94d2"
+ id = "04148cf8-207a-5f06-9dd5-362667335e9a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tuoni"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tuoni_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_21517c25b667838bd9ce6eb05310b526a84de45e68772e4427c4bd14266f2821"
+ logic_hash = "21517c25b667838bd9ce6eb05310b526a84de45e68772e4427c4bd14266f2821"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136809,13 +136809,13 @@ rule MALPEDIA_Win_Revil_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1998ed2a-3df3-5090-a5d0-8f0c1baef56f"
+ id = "45dad52d-586b-5209-8ce9-2a48da5b7435"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.revil_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_120e5cbd30d90d4dc063fdbdb97cb211c1d8a67c5a1d2649d0974884fd7ebfbf"
+ logic_hash = "120e5cbd30d90d4dc063fdbdb97cb211c1d8a67c5a1d2649d0974884fd7ebfbf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136848,13 +136848,13 @@ rule MALPEDIA_Win_Hotcroissant_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d3a7c73e-4d05-5879-82e5-b6563c6e1a58"
+ id = "041c170b-cb82-5079-a120-00d45f6cb95f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hotcroissant_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_9f9dd22a171d10237a5cfe7e750b40557b2e5ee36c0e5da30f363ab0cd99d478"
+ logic_hash = "9f9dd22a171d10237a5cfe7e750b40557b2e5ee36c0e5da30f363ab0cd99d478"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136887,13 +136887,13 @@ rule MALPEDIA_Win_Former_First_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ee58f962-2a6c-5e83-9931-f6b1319373e2"
+ id = "a1272d8c-4064-59bd-8cdc-a01b1d547c30"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.former_first_rat_auto.yar#L1-L163"
 license_url = "N/A"
- logic_hash = "v1_sha256_ce211a46152dbbb02c8c895324876bff740383a9e542511dce112b8640015613"
+ logic_hash = "ce211a46152dbbb02c8c895324876bff740383a9e542511dce112b8640015613"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136932,13 +136932,13 @@ rule MALPEDIA_Win_Dadstache_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8c6c241a-31b4-5759-b9ab-ff72e3963a8b"
+ id = "83ac24de-2d4c-56ca-a52b-b61e76854726"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dadstache_auto.yar#L1-L172"
 license_url = "N/A"
- logic_hash = "v1_sha256_25ccaa507f10be35b704008ec9887b279a6b66e6fbc6fcb0d9200b947fa69258"
+ logic_hash = "25ccaa507f10be35b704008ec9887b279a6b66e6fbc6fcb0d9200b947fa69258"
 score = 75
 quality = 75
 tags = "FILE"
@@ -136977,13 +136977,13 @@ rule MALPEDIA_Win_Broler_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fd688eae-eb69-5561-bf9c-1646cded5a61"
+ id = "e5ddbcf2-267f-50c4-9a07-ee97c0a66c40"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.broler"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.broler_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_a1c6e2e8a7e6cd7262212833aaeef2ea07ebc3af38a6241bbd7582277c8df1b7"
+ logic_hash = "a1c6e2e8a7e6cd7262212833aaeef2ea07ebc3af38a6241bbd7582277c8df1b7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -137016,13 +137016,13 @@ rule MALPEDIA_Win_No_Justice_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e8a9a586-9436-5ac6-a4b2-ffd7630add7e"
+ id = "9c76a62e-45df-5e55-95c7-3fd18c7cd11d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.no_justice"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.no_justice_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_27fb4d87fb503a879f5ac0f508a221856b21d7d81edc4c17f436773a20141500"
+ logic_hash = "27fb4d87fb503a879f5ac0f508a221856b21d7d81edc4c17f436773a20141500"
 score = 75
 quality = 75
 tags = "FILE"
@@ -137055,13 +137055,13 @@ rule MALPEDIA_Win_Floki_Bot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2d516c12-8322-5222-9f0d-2e4f0b9fa702"
+ id = "25c81d04-9abf-5940-8e55-7e5abeb99153"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.floki_bot_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_e2f9df61c4df036b71f6882cf4c35419384506db07aa4de7d79fcad14d6710ad"
+ logic_hash = "e2f9df61c4df036b71f6882cf4c35419384506db07aa4de7d79fcad14d6710ad"
 score = 75
 quality = 75
 tags = "FILE"
@@ -137094,13 +137094,13 @@ rule MALPEDIA_Win_Mystic_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "263d8a2b-1554-5020-90d2-11f29f6c1a30"
+ id = "2aee59e1-5390-5b6c-ba5d-d62a358c2fe1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystic_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mystic_stealer_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_5074dde9add0d24e82d880c50882d8de92cc1c57bceb2be1475c662a7640d829"
+ logic_hash = "5074dde9add0d24e82d880c50882d8de92cc1c57bceb2be1475c662a7640d829"
 score = 75
 quality = 75
 tags = "FILE"
@@ -137133,13 +137133,13 @@ rule MALPEDIA_Win_Cloudwizard_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2c785f61-26aa-5ef1-a281-8aef7f215619"
+ id = "fa68961f-75e7-584f-a390-9baec9fbd3c5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudwizard"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cloudwizard_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_b90f140d158cbf9ceed90cefa4231cadc7a59a82c187cabca82f362a5d65baf4"
+ logic_hash = "b90f140d158cbf9ceed90cefa4231cadc7a59a82c187cabca82f362a5d65baf4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -137172,13 +137172,13 @@ rule MALPEDIA_Win_Gozi_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0f4f3e90-2d85-5f2f-b6c4-a965ab1e2ee2"
+ id = "aac9b6f0-8c81-5a6b-8a62-7eb8449e0397"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gozi_auto.yar#L1-L301"
 license_url = "N/A"
- logic_hash = "v1_sha256_6d080496b0bc709b18cae762326b65ba3fe68298a3c52833320cbdca2a2db665"
+ logic_hash = "6d080496b0bc709b18cae762326b65ba3fe68298a3c52833320cbdca2a2db665"
 score = 75
 quality = 73
 tags = "FILE"
@@ -137233,13 +137233,13 @@ rule MALPEDIA_Win_Crosswalk_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "753937ec-aed8-5b9c-8607-aee41ca0b742"
+ id = "a1fb3b2b-1a2f-578d-9401-68574e21a388"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crosswalk_auto.yar#L1-L159"
 license_url = "N/A"
- logic_hash = "v1_sha256_84206cda2a660daf3146c7ad3e0c02d63ad7f2eb5361ae4afeb3936cb61d00b4"
+ logic_hash = "84206cda2a660daf3146c7ad3e0c02d63ad7f2eb5361ae4afeb3936cb61d00b4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -137278,13 +137278,13 @@ rule MALPEDIA_Win_Fickerstealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "74332adf-e030-52e9-bdf5-0813256e3985"
+ id = "9f6a3748-f0ba-5d54-bc6b-9a386da9e8f6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fickerstealer_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_0126c62412dad879a43e44f06017fe0625a540d4c54a2a3f5410236702fb1a45"
+ logic_hash = "0126c62412dad879a43e44f06017fe0625a540d4c54a2a3f5410236702fb1a45"
 score = 75
 quality = 75
 tags = "FILE"
@@ -137317,13 +137317,13 @@ rule MALPEDIA_Win_Spyder_Patchwork_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e146b050-a506-5819-9c4e-7aa422df1338" + id = "79eb8f27-1301-5204-b70a-f074d773e2a2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder_patchwork" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spyder_patchwork_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_88e656ab24018abde08f518b393d747f56ac10af0939df2743e80e35c10ea588" + logic_hash = "88e656ab24018abde08f518b393d747f56ac10af0939df2743e80e35c10ea588" score = 75 quality = 75 tags = "FILE" @@ -137356,13 +137356,13 @@ rule MALPEDIA_Win_Moontag_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "27ef2c4f-4d3a-5d31-963a-125ffdac03be" + id = "252dd0ca-7f51-52f0-be53-827b6e26bc25" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moontag" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moontag_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_370fc05010b7ffbaa6352b0066ee43dee7ad1117e24576294ef38cbd09f73c67" + logic_hash = "370fc05010b7ffbaa6352b0066ee43dee7ad1117e24576294ef38cbd09f73c67" score = 75 quality = 75 tags = "FILE" 
@@ -137395,13 +137395,13 @@ rule MALPEDIA_Win_Unidentified_063_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b61b56d-d400-5439-a91e-b4970eb6f8ba" + id = "d22cba4e-b95b-5578-ac95-09534bd7dc14" date = "2022-11-21" modified = "2022-11-25" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_063" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_063_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_14c180eecdf0e6fbf2b936d6c444ad58c2e649e1fa770106e8719057ee1aefbd" + logic_hash = "14c180eecdf0e6fbf2b936d6c444ad58c2e649e1fa770106e8719057ee1aefbd" score = 75 quality = 75 tags = "FILE" @@ -137434,13 +137434,13 @@ rule MALPEDIA_Win_Unidentified_013_Korean_Malware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b18c8de4-0b60-5cfa-8ade-2f1961e54cd5" + id = "9565c5c7-2061-57e3-9feb-b946c3a86959" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_013_korean_malware_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_821fb0825aa17f5a4d3c05e9768273454f282d58ecf369f512d9a619a9aa5b99" + logic_hash = "821fb0825aa17f5a4d3c05e9768273454f282d58ecf369f512d9a619a9aa5b99" score = 75 quality = 75 tags = "FILE" 
@@ -137473,13 +137473,13 @@ rule MALPEDIA_Win_Lyposit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "31cc476d-5e66-54b9-b177-f7b3e6b104ae" + id = "6a1182ef-14f9-5ae8-9cfb-f5f8b2d96cab" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lyposit_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_249026f12880d5f66834071d41f0c2254bacd8b35bc56d04ae3c23c7c93561c7" + logic_hash = "249026f12880d5f66834071d41f0c2254bacd8b35bc56d04ae3c23c7c93561c7" score = 75 quality = 75 tags = "FILE" @@ -137512,13 +137512,13 @@ rule MALPEDIA_Win_Http_Troy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4990d435-313c-5509-8c4a-0287e91f4a8b" + id = "ce73b438-aadd-590a-8f29-6294af71df05" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.http_troy_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_0940e5bc37e1b157bd6ecfd92ed3054d2dd55689c30354c0593d0b04427adfc7" + logic_hash = "0940e5bc37e1b157bd6ecfd92ed3054d2dd55689c30354c0593d0b04427adfc7" score = 75 quality = 75 tags = "FILE" 
@@ -137551,13 +137551,13 @@ rule MALPEDIA_Win_Wastedloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "479045f4-019a-5b37-849c-fa2a7ac6ddf4" + id = "c9b391e1-a439-5c84-8bc6-d01e7837fa3f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wastedloader_auto.yar#L1-L111" license_url = "N/A" - logic_hash = "v1_sha256_f52a5046711dc64fff342d42959b67fac6d384f1f957f74196d547273f13eb4f" + logic_hash = "f52a5046711dc64fff342d42959b67fac6d384f1f957f74196d547273f13eb4f" score = 75 quality = 75 tags = "FILE" @@ -137590,13 +137590,13 @@ rule MALPEDIA_Win_Alureon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "729295b8-efd1-53ff-babc-c7ca65f466ac" + id = "a73dc24e-01b5-5374-84bf-44615f6f8c40" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.alureon_auto.yar#L1-L177" license_url = "N/A" - logic_hash = "v1_sha256_3ffa46b9256035a0465adbbc3bd0212addd530491396c5f57b5bebbc944d0354" + logic_hash = "3ffa46b9256035a0465adbbc3bd0212addd530491396c5f57b5bebbc944d0354" score = 75 quality = 75 tags = "FILE" 
@@ -137635,13 +137635,13 @@ rule MALPEDIA_Win_Kimsuky_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "064f4716-b747-5d89-bd34-556d692d0311" + id = "f4610f8d-61c2-57de-821a-2002989958af" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kimsuky_auto.yar#L1-L287" license_url = "N/A" - logic_hash = "v1_sha256_838ee4b29f510aa7418362f03ac18e28c0399175424b76481d712ac3c06c7bee" + logic_hash = "838ee4b29f510aa7418362f03ac18e28c0399175424b76481d712ac3c06c7bee" score = 75 quality = 73 tags = "FILE" @@ -137695,13 +137695,13 @@ rule MALPEDIA_Win_Data_Exfiltrator_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "28e76e03-080b-5522-9952-9e6cfa908324" + id = "1c3e80a4-d035-5215-adaa-66329eac9671" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.data_exfiltrator_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_6297c1d8a56d8255bac738410a860d5a8da8f6a36d36d069cc390dc91a10d95e" + logic_hash = "6297c1d8a56d8255bac738410a860d5a8da8f6a36d36d069cc390dc91a10d95e" score = 75 quality = 75 tags = "FILE" 
@@ -137734,13 +137734,13 @@ rule MALPEDIA_Win_Asruex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3d0d81e2-9636-5a4f-9f77-f2e171a7f6fb" + id = "899abd0f-c835-5f70-819c-92570cc9b462" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.asruex_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "v1_sha256_a14db0e4e44f1156fe16afe843345aa29b9b1f1eb3cc060b10e0bcdf06eb97d4" + logic_hash = "a14db0e4e44f1156fe16afe843345aa29b9b1f1eb3cc060b10e0bcdf06eb97d4" score = 75 quality = 75 tags = "FILE" @@ -137773,13 +137773,13 @@ rule MALPEDIA_Win_Pitou_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8215809f-11de-57a3-8a72-68016a5ad06c" + id = "d3bdfc17-2f62-5214-be4f-5a36d3b3ac21" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pitou_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "v1_sha256_7616b15e54bbcbd8174c3b9ed1b89eebeb0789927a8a07e3c44e1d6842f140f7" + logic_hash = "7616b15e54bbcbd8174c3b9ed1b89eebeb0789927a8a07e3c44e1d6842f140f7" score = 75 quality = 75 tags = "FILE" 
@@ -137812,13 +137812,13 @@ rule MALPEDIA_Win_Smanager_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9173831f-7d13-5bec-841f-fc80e44bac7d" + id = "0adcac8e-452d-57ad-977c-a9125f7183b0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.smanager_auto.yar#L1-L223" license_url = "N/A" - logic_hash = "v1_sha256_3f482517aa3a2ee02c64524a13e643b42a87540d5888bda3f974015b63620502" + logic_hash = "3f482517aa3a2ee02c64524a13e643b42a87540d5888bda3f974015b63620502" score = 75 quality = 73 tags = "FILE" @@ -137865,13 +137865,13 @@ rule MALPEDIA_Win_Suncrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "57185f8e-0d35-5507-b50e-6414f7b31221" + id = "c1bd9658-a178-589d-b259-6cb82442d52c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.suncrypt_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_49201b307b7d384a9877d33cd9429c04ac8ef7ebb302c664ae5e0393ef621a39" + logic_hash = "49201b307b7d384a9877d33cd9429c04ac8ef7ebb302c664ae5e0393ef621a39" score = 75 quality = 75 tags = "FILE" 
@@ -137904,13 +137904,13 @@ rule MALPEDIA_Win_Swen_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "45228c93-3b93-576d-991b-4ca00aa634c6" + id = "d8e32210-7f2c-5375-83fe-4881f384b16a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.swen" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.swen_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_ac8d371caed7f28c7b47b5b751d92511f3b33ed896fd2d2cdf37fc7b9a540873" + logic_hash = "ac8d371caed7f28c7b47b5b751d92511f3b33ed896fd2d2cdf37fc7b9a540873" score = 75 quality = 75 tags = "FILE" @@ -137943,13 +137943,13 @@ rule MALPEDIA_Win_Ketrum_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d2682ba4-6f99-543a-8980-d98cb53da966" + id = "d00476b6-2e4b-5fca-a576-2efa8a16d1f4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ketrum_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "v1_sha256_f6a51a224da39f596220ff41861daa2df80eaaa43f4fe6e9b132d503abfda3ac" + logic_hash = "f6a51a224da39f596220ff41861daa2df80eaaa43f4fe6e9b132d503abfda3ac" score = 75 quality = 75 tags = "FILE" 
@@ -137988,13 +137988,13 @@ rule MALPEDIA_Win_Ngioweb_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "449dac3f-a6b3-50e0-9f2f-d3c5741c6937" + id = "e5c8d819-248e-5981-b002-cb1c74e63a09" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ngioweb_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_f7e87273e17bbe0f3332951c955e0d14e92adbe20014736bed11afb8541960a1" + logic_hash = "f7e87273e17bbe0f3332951c955e0d14e92adbe20014736bed11afb8541960a1" score = 75 quality = 75 tags = "FILE" @@ -138027,13 +138027,13 @@ rule MALPEDIA_Win_Terminator_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "770de3c6-fc4b-5c78-956c-6be90e1a83d5" + id = "e470c3b5-74cd-53c3-b4cc-acdce03aa8dd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.terminator_rat_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_0c5a38ab087b1b21acdc43ba4e7c8b1be9b6d593b69dd3e7b8053959b3c291c4" + logic_hash = "0c5a38ab087b1b21acdc43ba4e7c8b1be9b6d593b69dd3e7b8053959b3c291c4" score = 75 quality = 75 tags = "FILE" 
@@ -138066,13 +138066,13 @@ rule MALPEDIA_Win_Havoc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fa7755c6-bd1d-509d-8c0b-5ba951b2ef95" + id = "e49338ce-e5b7-5533-8149-1afd3e757884" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.havoc_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_b1a82d03442de3dfd518e07ebf86436482be6a35139d23b15b46564ec29f5896" + logic_hash = "b1a82d03442de3dfd518e07ebf86436482be6a35139d23b15b46564ec29f5896" score = 75 quality = 75 tags = "FILE" @@ -138105,13 +138105,13 @@ rule MALPEDIA_Win_Clambling_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2783c042-267f-5c8f-bb46-2e3ef9f791b5" + id = "e480c0cb-e19c-5e93-97bb-00caac1a9f2e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.clambling_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_f3f0a4943735cbe1e2ffa9646f9d73cc0975851d00f58a2bf60f2536a8d04784" + logic_hash = "f3f0a4943735cbe1e2ffa9646f9d73cc0975851d00f58a2bf60f2536a8d04784" score = 75 quality = 75 tags = "FILE" 
@@ -138144,13 +138144,13 @@ rule MALPEDIA_Win_Regin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fdf865a9-833d-5728-8211-36ba4be51969" + id = "a1cb1e4e-ea57-57da-8035-cea9e62b8eb8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.regin_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_091fb04af94706b8fbe2a391afd54e9835ec0bf475e2ed1c52d68af6529e0a7e" + logic_hash = "091fb04af94706b8fbe2a391afd54e9835ec0bf475e2ed1c52d68af6529e0a7e" score = 75 quality = 75 tags = "FILE" @@ -138183,13 +138183,13 @@ rule MALPEDIA_Win_Darkme_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "60e56bbf-b8dd-55bd-b7ab-fcdc178e8ad1" + id = "48faa238-7c8d-58c0-88b3-9aef8ec2075d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkme" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkme_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_3cf45d3e46e2f9013414d4d68a45acd13e79993e633a174a46aa5a37d07153ec" + logic_hash = "3cf45d3e46e2f9013414d4d68a45acd13e79993e633a174a46aa5a37d07153ec" score = 75 quality = 75 tags = "FILE" 
@@ -138222,13 +138222,13 @@ rule MALPEDIA_Win_Rhadamanthys_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aa514acf-bc77-5233-bba9-b59344d72791" + id = "a80a8ef9-ea3f-56c2-85d5-70398e8fed62" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rhadamanthys_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_33afe88ed91c55c9115df6fb51e8b7670279afd4e605824b7c9b26fba3c0f08d" + logic_hash = "33afe88ed91c55c9115df6fb51e8b7670279afd4e605824b7c9b26fba3c0f08d" score = 75 quality = 75 tags = "FILE" @@ -138261,13 +138261,13 @@ rule MALPEDIA_Win_Prikormka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8cb7af4e-394a-5051-9323-1e396b6abced" + id = "2164d528-1794-5deb-b46c-b3d81c69fad8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.prikormka_auto.yar#L1-L416" license_url = "N/A" - logic_hash = "v1_sha256_6a6b4101990a4a459b0787e75e4b68bca1a92474214a272dc57d00cd454ce776" + logic_hash = "6a6b4101990a4a459b0787e75e4b68bca1a92474214a272dc57d00cd454ce776" score = 75 quality = 50 tags = "FILE" 
@@ -138336,13 +138336,13 @@ rule MALPEDIA_Win_Snowflake_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2161e05d-98fd-5407-9c6d-88aa4139de7b" + id = "bc09d07d-0ef6-59f5-8fc9-74662cfa791b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snowflake_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.snowflake_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_9c9e75fd4eed4eb18eb308bb8329401876776f47e6918bf3c298e3ce6d294888" + logic_hash = "9c9e75fd4eed4eb18eb308bb8329401876776f47e6918bf3c298e3ce6d294888" score = 75 quality = 75 tags = "FILE" @@ -138375,13 +138375,13 @@ rule MALPEDIA_Win_Astralocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "588e9540-2e62-5844-a3b0-e31cb6467e95" + id = "44156298-552d-5dee-871e-065e8177c7e9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.astralocker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.astralocker_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_a5647fc347475c8a37d856421ffd217ff32a1a45599157161a2296f0a4c958b5" + logic_hash = "a5647fc347475c8a37d856421ffd217ff32a1a45599157161a2296f0a4c958b5" score = 75 quality = 75 tags = "FILE" 
@@ -138414,13 +138414,13 @@ rule MALPEDIA_Win_Scanline_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b4a059de-ab3f-5291-9022-b16d28bb10d9" + id = "13552250-a8d4-5ee7-b407-74524f6111b2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanline" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.scanline_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_2bc008243e0f7161ac1c675c6c0b345104d3837ab2d3042dba054ab6d07a500d" + logic_hash = "2bc008243e0f7161ac1c675c6c0b345104d3837ab2d3042dba054ab6d07a500d" score = 75 quality = 75 tags = "FILE" @@ -138453,13 +138453,13 @@ rule MALPEDIA_Elf_Bashlite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b17da16f-4418-5572-9d9a-7dc49af4263d" + id = "4d68ff86-b62a-56f4-900d-a8e2f982b0ab" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.bashlite_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "v1_sha256_46d8bef4c939db6a89af35372d5c8a74e31ae90669b6477bbd5c0d09039a9b9b" + logic_hash = "46d8bef4c939db6a89af35372d5c8a74e31ae90669b6477bbd5c0d09039a9b9b" score = 75 quality = 75 tags = "FILE" 
@@ -138492,13 +138492,13 @@ rule MALPEDIA_Win_Industrial_Spy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "486efaaf-b71c-57eb-a324-592ada83d910" + id = "7da79c63-fa14-572c-88ac-b76f6cdc6221" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industrial_spy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.industrial_spy_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_7a3233469624bdad85e090a4dc1c96ea6796ab995a15b629b5d495e015c5b4df" + logic_hash = "7a3233469624bdad85e090a4dc1c96ea6796ab995a15b629b5d495e015c5b4df" score = 75 quality = 75 tags = "FILE" @@ -138531,13 +138531,13 @@ rule MALPEDIA_Win_Httpdropper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f0ac20f2-4680-5e00-b7a1-15fe1b2ae911" + id = "fe74c397-b0b6-56ba-ab68-0472f7992b43" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.httpdropper_auto.yar#L1-L157" license_url = "N/A" - logic_hash = "v1_sha256_1f304e411e6e19a3397e572e7a13609bae133af12f0a3672cddde2eef3a5cdf3" + logic_hash = "1f304e411e6e19a3397e572e7a13609bae133af12f0a3672cddde2eef3a5cdf3" score = 75 quality = 75 tags = "FILE" 
@@ -138576,13 +138576,13 @@ rule MALPEDIA_Win_Yahoyah_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1ddf466c-062b-5333-97ec-a05d5b03e7e5" + id = "7d580a73-e71e-51e5-b9b2-111f677f9e42" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yahoyah_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "v1_sha256_3c235d0922e2b2ae3e259f93f1da8403405399a9b438615162581b244056f37a" + logic_hash = "3c235d0922e2b2ae3e259f93f1da8403405399a9b438615162581b244056f37a" score = 75 quality = 75 tags = "FILE" @@ -138620,13 +138620,13 @@ rule MALPEDIA_Win_Urausy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cd52fe5f-53dc-555a-9f14-f9de69205d1e" + id = "d79fe72f-f8e2-58e2-a433-7994c2651777" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.urausy_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_4006e3f78a3f573ba923955b3cfcab3f192d2740ed20a89eb62b4be1b215c9a4" + logic_hash = "4006e3f78a3f573ba923955b3cfcab3f192d2740ed20a89eb62b4be1b215c9a4" score = 75 quality = 75 tags = "FILE" 
@@ -138659,13 +138659,13 @@ rule MALPEDIA_Win_Fatal_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "629b0cc1-4a16-5e0a-8396-0b0f5420830d" + id = "a3ab53f5-ddae-5778-83ad-a5bc6a6b2154" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fatal_rat_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_18acd6224a0284d907688395a284887997a86c92f189b4ab24835c18aeeace4b" + logic_hash = "18acd6224a0284d907688395a284887997a86c92f189b4ab24835c18aeeace4b" score = 75 quality = 75 tags = "FILE" @@ -138698,13 +138698,13 @@ rule MALPEDIA_Win_Atomsilo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4dd27a9-92b2-5bb4-9eeb-84182738842c" + id = "3435600a-ea5a-5a3a-a6f8-26d97e3c0136" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atomsilo_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_e09362cc7b2f3a6215eeee28b5549da2887bc59c3f8b5fb41ad869fd5e8818fd" + logic_hash = "e09362cc7b2f3a6215eeee28b5549da2887bc59c3f8b5fb41ad869fd5e8818fd" score = 75 quality = 75 tags = "FILE" 
@@ -138737,13 +138737,13 @@ rule MALPEDIA_Win_Blister_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2ac255cc-7d5a-5d1a-929c-2bf17f55a609" + id = "75a4d5c1-fad1-5de9-baeb-706545e990e7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blister_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_cf8a8615a4d489a259d535fb620f06fe5362163915633c0aacc9d77eb620d2b5" + logic_hash = "cf8a8615a4d489a259d535fb620f06fe5362163915633c0aacc9d77eb620d2b5" score = 60 quality = 25 tags = "FILE" @@ -138776,13 +138776,13 @@ rule MALPEDIA_Win_Taintedscribe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "06fe48c4-6a7b-5b77-8186-8b26d6256db5" + id = "f1cc2e00-4207-5694-9f4b-262fcd7729da" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taintedscribe" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.taintedscribe_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_5d981495a3922cbb61b73e09b9b5becae7637fb3153cbba90f67db62eec8bfc1" + logic_hash = "5d981495a3922cbb61b73e09b9b5becae7637fb3153cbba90f67db62eec8bfc1" score = 75 quality = 75 tags = "FILE" 
@@ -138815,13 +138815,13 @@ rule MALPEDIA_Win_Vapor_Rage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2030256f-03d6-5d21-933c-e503b719ef2f" + id = "557acb15-65a4-5ee1-85fd-aeddfe817272" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vapor_rage_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_f25f99fbbd5c20118e31285e56e8f0280cb5b6b08bdd8f0f37cb8cec6e554ab7" + logic_hash = "f25f99fbbd5c20118e31285e56e8f0280cb5b6b08bdd8f0f37cb8cec6e554ab7" score = 75 quality = 75 tags = "FILE" @@ -138854,13 +138854,13 @@ rule MALPEDIA_Win_Wndtest_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8ae54a31-8453-56e9-bd32-c3f514126976" + id = "4e765db5-5f4c-5512-83db-9314a470b113" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wndtest_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_6715ba88802d5ba703391f2c7044c94873e31517f5f99099b0c4158e2dd1a5c1" + logic_hash = "6715ba88802d5ba703391f2c7044c94873e31517f5f99099b0c4158e2dd1a5c1" score = 50 quality = 75 tags = "FILE" 
@@ -138893,13 +138893,13 @@ rule MALPEDIA_Win_Xpan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "af623a92-6f8d-5454-a525-45f171c93c7d" + id = "6b6d87b0-cd4f-5f1f-ad41-a91b081050bf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xpan_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_53afdb60ad3d527db39db546f8bfd19e69fe202e95aaa870b577cf5bc58b7794" + logic_hash = "53afdb60ad3d527db39db546f8bfd19e69fe202e95aaa870b577cf5bc58b7794" score = 75 quality = 75 tags = "FILE" @@ -138932,13 +138932,13 @@ rule MALPEDIA_Win_Oatboat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c3c6c3f-0eb6-5f22-8c96-53c41b0a0cf0" + id = "c48265c6-7a9b-56ea-94f6-25b8465cba6b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oatboat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.oatboat_auto.yar#L1-L109" license_url = "N/A" - logic_hash = "v1_sha256_56315385a1ed981e34ba70026cf854697ce902e66d4a4a661e8df69530ad3228" + logic_hash = "56315385a1ed981e34ba70026cf854697ce902e66d4a4a661e8df69530ad3228" score = 75 quality = 75 tags = "FILE" 
@@ -138969,13 +138969,13 @@ rule MALPEDIA_Win_Atlantida_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1de71b06-23cc-59da-8280-9749ba7dd46d" + id = "869bb208-99fc-58cc-b6f3-123be4e2dd14" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atlantida" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atlantida_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_de93365ad64d88523ed488fd5b5635b3ae5e4c0d8a34a9201e696d8414f63e31" + logic_hash = "de93365ad64d88523ed488fd5b5635b3ae5e4c0d8a34a9201e696d8414f63e31" score = 75 quality = 75 tags = "FILE" @@ -139008,13 +139008,13 @@ rule MALPEDIA_Win_Lockbit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a12ea9d-4d1f-5195-8b6e-fa72ce3d5421" + id = "6f3385a8-2122-56da-ae67-c32b266b8bf0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lockbit_auto.yar#L1-L209" license_url = "N/A" - logic_hash = "v1_sha256_f9cfb53a3d4bcd6fa0ccd32df2c087610c559fdf32ede817bcfaa297f48ef893" + logic_hash = "f9cfb53a3d4bcd6fa0ccd32df2c087610c559fdf32ede817bcfaa297f48ef893" score = 75 quality = 75 tags = "FILE" 
@@ -139057,13 +139057,13 @@ rule MALPEDIA_Win_Mim221_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "53aac4d3-a514-57ff-8000-644ecadae218"
+ id = "73f86bbf-82d0-5204-a2d1-b26dcb4711e9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mim221"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mim221_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_bd2938d5a81d44d76221abdf1ea92c7bf7be6210ea127474e453ccedb94f51d9"
+ logic_hash = "bd2938d5a81d44d76221abdf1ea92c7bf7be6210ea127474e453ccedb94f51d9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139096,13 +139096,13 @@ rule MALPEDIA_Win_Zumanek_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1093a058-bb69-54d8-a9a5-74aa119d09c7"
+ id = "87aee693-fd24-5045-ad68-bbf967fca577"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zumanek_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_692948458546aa7f1172f720f7a047815fbd39df276c694923c84a71f1135e40"
+ logic_hash = "692948458546aa7f1172f720f7a047815fbd39df276c694923c84a71f1135e40"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139135,13 +139135,13 @@ rule MALPEDIA_Win_Cmsbrute_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "33f1843a-dd10-5a5d-b57b-0fd78c796395"
+ id = "da0817c1-f424-5734-8385-f31d5907ea91"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cmsbrute_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_d6f710add367d46059e77fa037926a5f1978933090d5b5fe00daae5ae1015f3d"
+ logic_hash = "d6f710add367d46059e77fa037926a5f1978933090d5b5fe00daae5ae1015f3d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139174,13 +139174,13 @@ rule MALPEDIA_Win_M0Yv_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0ea203ee-f923-5212-becf-4b3406f562e7"
+ id = "8b6ddfd9-e72e-5c1f-8455-077da1ba000c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.m0yv_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_7fb594619e0043ac0fe0e642705f4afbb65953751fccf49008dc2c100af6a96a"
+ logic_hash = "7fb594619e0043ac0fe0e642705f4afbb65953751fccf49008dc2c100af6a96a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139213,13 +139213,13 @@ rule MALPEDIA_Win_Remcos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bd26bc44-82d4-5f4e-b989-fcdaf98a6d37"
+ id = "a82de676-3cc8-5fb4-a200-4d5a92641294"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.remcos_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_a7cd1a6ac531bf59ce4eeb2a4df184c30ea794355d77ce56d9d521351da0d837"
+ logic_hash = "a7cd1a6ac531bf59ce4eeb2a4df184c30ea794355d77ce56d9d521351da0d837"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139252,13 +139252,13 @@ rule MALPEDIA_Win_Moonwind_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5cf5cc1c-074e-57f2-a890-2cd366175da7"
+ id = "c3fad56f-d87f-5c82-8de0-ae938da1f3ea"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moonwind_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_e8ac75896a4e3b1235e6b43c3207bc2e4011dd5892e4b54601195386441510bf"
+ logic_hash = "e8ac75896a4e3b1235e6b43c3207bc2e4011dd5892e4b54601195386441510bf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139291,13 +139291,13 @@ rule MALPEDIA_Win_Beatdrop_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0dffa0eb-ec15-5cd4-930a-5ef9e22ca0fa"
+ id = "ff3c4e57-abd7-50b6-b4a8-35e3251008c1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.beatdrop_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_fb95caaadd3d9eb43e82310b2c0d02a31a3bc14c45800fa5e72d0081477812d0"
+ logic_hash = "fb95caaadd3d9eb43e82310b2c0d02a31a3bc14c45800fa5e72d0081477812d0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139330,13 +139330,13 @@ rule MALPEDIA_Win_Cradlecore_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9658cdf1-2399-5b0a-a082-04c961c98d69"
+ id = "c02dd3cc-a2fa-5db2-b15e-6536b0232a3b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cradlecore_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_e4b2ddac2d160e24e50f2cbbb671c4c77a767dbac5be4d1bf9ebefaf8002be13"
+ logic_hash = "e4b2ddac2d160e24e50f2cbbb671c4c77a767dbac5be4d1bf9ebefaf8002be13"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139369,13 +139369,13 @@ rule MALPEDIA_Win_Vendetta_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e3036780-bcab-5cb6-8ac8-9f1dac374de8"
+ id = "966ae160-05eb-53d3-b86d-ed42268f2f0c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vendetta"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vendetta_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_4fce9b15fe513b7322e530a7cc2cb9b1afb7d5162c1238338f15db6a45fbd5fd"
+ logic_hash = "4fce9b15fe513b7322e530a7cc2cb9b1afb7d5162c1238338f15db6a45fbd5fd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139408,13 +139408,13 @@ rule MALPEDIA_Win_Pipemon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1e74a93d-d489-5c95-9ed5-c1fc9e9f7e9f"
+ id = "4aaf45d7-d465-5241-bf1c-8e05e9105546"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pipemon_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_81e25c1dde542bb643a4ac77dae07f1869016dd02282de1f135701fd67f912a5"
+ logic_hash = "81e25c1dde542bb643a4ac77dae07f1869016dd02282de1f135701fd67f912a5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139447,13 +139447,13 @@ rule MALPEDIA_Win_Get2_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "44d7289f-e31f-582f-9b67-150267cc4809"
+ id = "3d0e8698-7ca7-5de8-bc9d-fbf1a289749b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.get2_auto.yar#L1-L167"
 license_url = "N/A"
- logic_hash = "v1_sha256_3e4ed8755efbe8103bdeb8a3d5374ebaab1badd22c715ede9aefa416798b3d3f"
+ logic_hash = "3e4ed8755efbe8103bdeb8a3d5374ebaab1badd22c715ede9aefa416798b3d3f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139492,13 +139492,13 @@ rule MALPEDIA_Win_Atmii_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5caf0692-69cb-5a87-930c-8fee3f96d453"
+ id = "07359bf0-199f-5425-bfa3-1b99e24213c7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atmii_auto.yar#L1-L162"
 license_url = "N/A"
- logic_hash = "v1_sha256_0000b9c68134784a20204e48d35d09ba08981bd4ad498b87f530c8bc9d180475"
+ logic_hash = "0000b9c68134784a20204e48d35d09ba08981bd4ad498b87f530c8bc9d180475"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139537,13 +139537,13 @@ rule MALPEDIA_Win_Medusalocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2b9b5304-5a09-55b9-8fac-82361fe774c7"
+ id = "c7b2a72f-78dd-502c-b029-e85b0ed2945e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.medusalocker_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_7df5844b357690737586e0cd4cc89af865edb4da022c679b11e7f73e8fc7409a"
+ logic_hash = "7df5844b357690737586e0cd4cc89af865edb4da022c679b11e7f73e8fc7409a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139576,13 +139576,13 @@ rule MALPEDIA_Win_Squidloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7d595190-9f06-59bd-b11c-b635ba932baf"
+ id = "e1ae0a2d-727c-526d-ba6d-df7206fb7292"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squidloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.squidloader_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_457a1f3d7d17509f684b88b8b92c880d3534d76469a8f93e7dd90a9494a02ca3"
+ logic_hash = "457a1f3d7d17509f684b88b8b92c880d3534d76469a8f93e7dd90a9494a02ca3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139617,13 +139617,13 @@ rule MALPEDIA_Win_Netsupportmanager_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c9307d02-3fd8-5d5d-a221-a8013979b300"
+ id = "65413a95-8602-50e7-8fc9-1bdaa9aea637"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.netsupportmanager_rat_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_0f21dd65c8f16f53e4a346f9dcfa8568aaa15104451879c8529729394d81f81d"
+ logic_hash = "0f21dd65c8f16f53e4a346f9dcfa8568aaa15104451879c8529729394d81f81d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139656,13 +139656,13 @@ rule MALPEDIA_Win_Grimplant_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cbcc1324-d1a3-51a6-8cc1-ff8f4505b58a"
+ id = "00b5fa06-fa9c-594f-a510-4c191fcf8f32"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grimplant_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_cbccd823b10050710a9d07b6e6e07157320e71de997cbe30ef0383cab26da835"
+ logic_hash = "cbccd823b10050710a9d07b6e6e07157320e71de997cbe30ef0383cab26da835"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139695,13 +139695,13 @@ rule MALPEDIA_Win_Artfulpie_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dc9c8954-db1c-5d3d-ac7d-a08f285a6a2e"
+ id = "196adf33-8b22-5c74-a62b-042eb2b3d59f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.artfulpie_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_bdd4f2999d6ecf7d7a96f23629ce24760f5dc31c13fa4dc261ca04838f018c57"
+ logic_hash = "bdd4f2999d6ecf7d7a96f23629ce24760f5dc31c13fa4dc261ca04838f018c57"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139734,13 +139734,13 @@ rule MALPEDIA_Win_Attor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "91c4903c-c243-5ef4-8e00-ff32ce68f87b"
+ id = "28ef2855-ea16-5908-a1e2-a1862e0a74d3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.attor_auto.yar#L1-L167"
 license_url = "N/A"
- logic_hash = "v1_sha256_de7f5a512e50826529d9df83eea4ee3f508c57e991d51c9dd6e574d86869905a"
+ logic_hash = "de7f5a512e50826529d9df83eea4ee3f508c57e991d51c9dd6e574d86869905a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139779,13 +139779,13 @@ rule MALPEDIA_Win_Kuaibu8_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2310a054-f702-5b75-b47f-dcea1fb33810"
+ id = "feff23df-fba9-50da-bdd6-d56c077ee020"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kuaibu8_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_1c5187ee4041920ae10034915fbc8c0e2946de36b7825290c30788ee24d4d482"
+ logic_hash = "1c5187ee4041920ae10034915fbc8c0e2946de36b7825290c30788ee24d4d482"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139818,13 +139818,13 @@ rule MALPEDIA_Win_Gh0Sttimes_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8d52836b-ad28-594a-aeac-d041fdad3fea"
+ id = "45c172b9-1490-520d-9674-c2fea272cf58"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gh0sttimes_auto.yar#L1-L164"
 license_url = "N/A"
- logic_hash = "v1_sha256_b365988442ea76655e7c2dc8b1db33d5df97fce16bdb0e3992e0bc9191760298"
+ logic_hash = "b365988442ea76655e7c2dc8b1db33d5df97fce16bdb0e3992e0bc9191760298"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139863,13 +139863,13 @@ rule MALPEDIA_Win_Cryptoshield_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b974459f-7dd7-5dbe-a529-b52117562980"
+ id = "d469a41b-f805-5bc0-8014-b5aff846fede"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptoshield_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_51b27f3518a9a59f8c494e0c229ea4ed8eee50ea1c264f413a97b5fd3e98710d"
+ logic_hash = "51b27f3518a9a59f8c494e0c229ea4ed8eee50ea1c264f413a97b5fd3e98710d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139902,13 +139902,13 @@ rule MALPEDIA_Win_Dorkbot_Ngrbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d9d0818b-bd0f-562b-aefa-5bbee0b7e81e"
+ id = "59e43108-0eea-5a85-94be-e4f2f553739a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dorkbot_ngrbot_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_e7e0ed048f71ac1a9fd0b9da304618de36953790efcba8c3991a4e9c9121ea29"
+ logic_hash = "e7e0ed048f71ac1a9fd0b9da304618de36953790efcba8c3991a4e9c9121ea29"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139941,13 +139941,13 @@ rule MALPEDIA_Win_Unidentified_116_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "25e0e046-d3fd-57ed-89e6-7bc281e76313"
+ id = "dcbb6fc8-8b09-5285-9468-49ab6b078756"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_116"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_116_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_cbb333fd9c34e1cf4f6b4bb87d2c0b2963e42381083d5b2c6bc817e5ca64d87b"
+ logic_hash = "cbb333fd9c34e1cf4f6b4bb87d2c0b2963e42381083d5b2c6bc817e5ca64d87b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -139980,13 +139980,13 @@ rule MALPEDIA_Win_Reactorbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "745913b4-11b3-5cb3-9137-2451c250eccb"
+ id = "a4f3c70a-5bf3-5f9e-9dd8-eacb62aa112d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.reactorbot_auto.yar#L1-L155"
 license_url = "N/A"
- logic_hash = "v1_sha256_577d7a26f158c3905b8b827065bc6c12a25adcae231dbaf0bdeb91e6773e1cc2"
+ logic_hash = "577d7a26f158c3905b8b827065bc6c12a25adcae231dbaf0bdeb91e6773e1cc2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140025,13 +140025,13 @@ rule MALPEDIA_Win_Diztakun_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3f86c50c-6846-5b55-a6dc-ac3684e55ed7"
+ id = "b37620d3-10d5-5e3b-870d-9fcc520704b1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diztakun"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.diztakun_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_a3712f3787a19a9586caeb79806d7a5b14b9c57af185546c9c7b23f90c084141"
+ logic_hash = "a3712f3787a19a9586caeb79806d7a5b14b9c57af185546c9c7b23f90c084141"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140064,13 +140064,13 @@ rule MALPEDIA_Win_Mofksys_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c0e7e9fe-e4c6-563c-84f4-6aff125e4b8d"
+ id = "5b460e3c-29c6-5db2-a32f-e1a99c684da5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mofksys_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_8c9a7d93274bbf5d514b6dd91aa6e0270b7fa1be2a34ea8caa7a062178ba1dc3"
+ logic_hash = "8c9a7d93274bbf5d514b6dd91aa6e0270b7fa1be2a34ea8caa7a062178ba1dc3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140103,13 +140103,13 @@ rule MALPEDIA_Win_Mailto_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "49766494-de36-5802-b008-5a4b1b5b0396"
+ id = "e0688f37-3d60-5119-a0ac-dc5f19aa3f15"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mailto_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_4dc12b92c2c7f2a09f935b0b6cb8c34c3ae7e4e45623def262729c72d8213e08"
+ logic_hash = "4dc12b92c2c7f2a09f935b0b6cb8c34c3ae7e4e45623def262729c72d8213e08"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140142,13 +140142,13 @@ rule MALPEDIA_Win_Exaramel_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ac538952-246d-5fa0-8c22-5afd691bfcaf"
+ id = "35622950-7b6c-5e19-8133-d0f2264aa9e8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.exaramel_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_18c202b1bcb977a24c7c95e5ee5eaa9ad9563136df2ac39652d73a4b9f53b5e1"
+ logic_hash = "18c202b1bcb977a24c7c95e5ee5eaa9ad9563136df2ac39652d73a4b9f53b5e1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140181,13 +140181,13 @@ rule MALPEDIA_Win_Xbot_Pos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2cd4c943-8352-5255-b7b9-c09d87b33b51"
+ id = "2a6bf949-203e-5838-9302-120351d13e42"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xbot_pos_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_64b7d710b96434b08fc5c38afe005807adccf502aa66b286ce03ea7fb875f890"
+ logic_hash = "64b7d710b96434b08fc5c38afe005807adccf502aa66b286ce03ea7fb875f890"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140220,13 +140220,13 @@ rule MALPEDIA_Win_9002_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "041a8568-9b03-5f7e-9ee1-ddf7eea1932c"
+ id = "9aa2661d-b448-5e86-992b-d0dd1273bcc5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.9002_auto.yar#L1-L343"
 license_url = "N/A"
- logic_hash = "v1_sha256_a9799983d6a402fa0d92d4f2eccaf317bd81e0e8019f92bfd3f7e50ba619a3a3"
+ logic_hash = "a9799983d6a402fa0d92d4f2eccaf317bd81e0e8019f92bfd3f7e50ba619a3a3"
 score = 75
 quality = 73
 tags = "FILE"
@@ -140287,13 +140287,13 @@ rule MALPEDIA_Win_Dlrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0b17e691-e2a7-5de6-8f0c-05c251ae3213"
+ id = "c5494bd6-4fc0-5b83-8b92-b9ca3f87216d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dlrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dlrat_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_fad702107ce086ed634b62a81fd30395fc9fa896e743ae2abff0224916d86383"
+ logic_hash = "fad702107ce086ed634b62a81fd30395fc9fa896e743ae2abff0224916d86383"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140326,13 +140326,13 @@ rule MALPEDIA_Win_Yty_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5d3aaf94-b207-5600-89b8-7117a2f924a2"
+ id = "9e49fc42-83f5-52d0-90c6-9df681f170fe"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yty_auto.yar#L1-L512"
 license_url = "N/A"
- logic_hash = "v1_sha256_24d2496487d3e8a74d1838cfbb75ce014466580ad0212ac1fc21d0ad856e5f75"
+ logic_hash = "24d2496487d3e8a74d1838cfbb75ce014466580ad0212ac1fc21d0ad856e5f75"
 score = 75
 quality = 50
 tags = "FILE"
@@ -140410,13 +140410,13 @@ rule MALPEDIA_Win_Rombertik_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ad2419fc-770c-5705-8657-278d8fdd6b61"
+ id = "0947e6c1-9998-521a-99a5-cdd6a4e22a09"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rombertik_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_353c590302f7523faeb3c60893558a9f0763683879e3f9985cd798caf9881314"
+ logic_hash = "353c590302f7523faeb3c60893558a9f0763683879e3f9985cd798caf9881314"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140449,13 +140449,13 @@ rule MALPEDIA_Win_Portdoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bc8b8bbb-a447-5378-b5a0-28de13e4d774"
+ id = "f90b2eef-c6a0-58b2-8785-46346ca37f1b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.portdoor_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_979d5d744cc74395bacd5f81861791359824c98484ee261c7c39edba432e34ef"
+ logic_hash = "979d5d744cc74395bacd5f81861791359824c98484ee261c7c39edba432e34ef"
 score = 75
 quality = 73
 tags = "FILE"
@@ -140488,13 +140488,13 @@ rule MALPEDIA_Win_Doppeldridex_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3c07b60c-2436-5c12-aae8-60ab7cc84321"
+ id = "7bc1de9c-56ca-5544-aabb-578c6d2a6765"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doppeldridex_auto.yar#L1-L162"
 license_url = "N/A"
- logic_hash = "v1_sha256_f94875582e8b5aa2ebc993fa0b95159a94408b6d25288caadf3c8433582dd0a1"
+ logic_hash = "f94875582e8b5aa2ebc993fa0b95159a94408b6d25288caadf3c8433582dd0a1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140533,13 +140533,13 @@ rule MALPEDIA_Win_Whiskerspy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "79e4518d-ffd8-50c8-8292-6b923d170327"
+ id = "1f71cc7d-dee3-58c1-b7e7-0db4f27f7b73"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiskerspy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.whiskerspy_auto.yar#L1-L152"
 license_url = "N/A"
- logic_hash = "v1_sha256_42f604644f01d6d1eab2ff27df4abe182b18b8311684ef0837061e88ea8bd127"
+ logic_hash = "42f604644f01d6d1eab2ff27df4abe182b18b8311684ef0837061e88ea8bd127"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140577,13 +140577,13 @@ rule MALPEDIA_Win_Webc2_Adspace_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4779271c-bc6a-551e-bd05-d59516dc6470"
+ id = "31690ec3-53d2-516a-a2ac-2daa7b554ffe"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_adspace_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_7852a8a7e96f78b645860237edf52acf830636cf13e5faeed5b1eb81bda4c09a"
+ logic_hash = "7852a8a7e96f78b645860237edf52acf830636cf13e5faeed5b1eb81bda4c09a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140616,13 +140616,13 @@ rule MALPEDIA_Win_Stealhook_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8914340f-9cfd-5464-8c0a-16ef5a21afb7"
+ id = "519c47bf-6262-59f6-ba96-b268e3554c31"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealhook"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stealhook_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_34472d9d45445d7f0701c527e6f0fa4bcdf4882e35f9c62ec30365acd8243253"
+ logic_hash = "34472d9d45445d7f0701c527e6f0fa4bcdf4882e35f9c62ec30365acd8243253"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140655,13 +140655,13 @@ rule MALPEDIA_Win_Sisfader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "346b3f07-25fe-5dda-a7a0-ca2008e53f1d"
+ id = "ac94263f-1708-5e52-9df6-f609af38fa64"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sisfader_auto.yar#L1-L276"
 license_url = "N/A"
- logic_hash = "v1_sha256_5ae29b623b53b54fbc47f6ef4a5785e5e7b4cfe669d9c31d6f6094ced51ab6b7"
+ logic_hash = "5ae29b623b53b54fbc47f6ef4a5785e5e7b4cfe669d9c31d6f6094ced51ab6b7"
 score = 75
 quality = 73
 tags = "FILE"
@@ -140714,13 +140714,13 @@ rule MALPEDIA_Win_Woolger_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "22368fe9-389d-53b1-9ecc-06256670ca8a"
+ id = "3c730e5d-f238-51dc-9ad2-e2cb34cd5f3e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.woolger_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_a6736c829d032e2c9f6601605bc9a8797d9883ec84504553869cd4b3046fa27f"
+ logic_hash = "a6736c829d032e2c9f6601605bc9a8797d9883ec84504553869cd4b3046fa27f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140753,13 +140753,13 @@ rule MALPEDIA_Win_Tellyouthepass_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "90d01636-97e5-57aa-9632-94fffe89e719"
+ id = "b0d976f4-0236-5ffd-9bc3-701324f1d00b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tellyouthepass_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_ecb0bbbbbf71d6e52cc61fe6d246b41bf4e7a6e9ebef1f549c3bac2b8ab00a58"
+ logic_hash = "ecb0bbbbbf71d6e52cc61fe6d246b41bf4e7a6e9ebef1f549c3bac2b8ab00a58"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140792,13 +140792,13 @@ rule MALPEDIA_Win_Thanatos_Ransom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "38718466-1870-5000-b370-ed426d9dd275"
+ id = "ab4a7e75-8b1e-5a05-9767-529b8f947adc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.thanatos_ransom_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_92f92876fe7a3f7974d946f7e2104d595ba94070884727a043f8a6a9bbc163b3"
+ logic_hash = "92f92876fe7a3f7974d946f7e2104d595ba94070884727a043f8a6a9bbc163b3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -140831,13 +140831,13 @@ rule MALPEDIA_Win_Suppobox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9334dcc1-5629-513d-9209-270cb5a9538c" + id = "177ef819-f180-537c-8a5b-50145cc2ea86" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.suppobox_auto.yar#L1-L191" license_url = "N/A" - logic_hash = "v1_sha256_a5e7699d7d2692f12be7c31662694dcf4bf84741bea11b2882b9a09666e09210" + logic_hash = "a5e7699d7d2692f12be7c31662694dcf4bf84741bea11b2882b9a09666e09210" score = 75 quality = 73 tags = "FILE" @@ -140882,13 +140882,13 @@ rule MALPEDIA_Win_Asprox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c777123e-59d0-5b5a-96a5-66cd34d63034" + id = "0520b3a3-9483-5d2a-9f24-050358cf9005" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.asprox_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_45002ecaaab3dadffe3aed1cfa4261799259027c0d201b2024f1681cd43bb771" + logic_hash = "45002ecaaab3dadffe3aed1cfa4261799259027c0d201b2024f1681cd43bb771" score = 75 quality = 75 tags = "FILE" 
@@ -140921,13 +140921,13 @@ rule MALPEDIA_Win_Satana_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6bb02351-1e08-5ef8-b53b-7a5fc366f645" + id = "ed6576e9-0bbc-54e1-95d8-b27f8b1348bf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.satana_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_b7981beec1674ab80a9c4719e1b8a6cb3eebb0c2a5e13afc377fa72d8a4a6216" + logic_hash = "b7981beec1674ab80a9c4719e1b8a6cb3eebb0c2a5e13afc377fa72d8a4a6216" score = 75 quality = 75 tags = "FILE" @@ -140960,13 +140960,13 @@ rule MALPEDIA_Win_Unidentified_107_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bd31913c-3d73-55d4-903a-9f34941a120e" + id = "81c12c66-8304-5991-b574-5a315c388de3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_107" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_107_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_c653c14e4c7ef56015dec3b1522bf0d3fe051f290ecd82f4142246fe6c534c52" + logic_hash = "c653c14e4c7ef56015dec3b1522bf0d3fe051f290ecd82f4142246fe6c534c52" score = 75 quality = 75 tags = "FILE" 
@@ -140999,13 +140999,13 @@ rule MALPEDIA_Win_Andromeda_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6b7be653-c44b-5212-bec2-eee1b1c6892a" + id = "1eaf3713-eaf3-56ba-93e1-406275c53353" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.andromeda_auto.yar#L1-L304" license_url = "N/A" - logic_hash = "v1_sha256_9e39961b4372e3bc922b40be7e1f53c18cfcecc85e79e89fe6975047795ee278" + logic_hash = "9e39961b4372e3bc922b40be7e1f53c18cfcecc85e79e89fe6975047795ee278" score = 75 quality = 73 tags = "FILE" @@ -141060,13 +141060,13 @@ rule MALPEDIA_Win_Koobface_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2148d451-4209-5fe0-8ef2-436a6d9e94d3" + id = "c6a2ece4-bdc3-570c-90b1-bf28a4d5b166" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.koobface_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_c65c2ad17a47311f43f81d1b6ae6bd5717f8484a20158d9b796e403e5d9ce6a0" + logic_hash = "c65c2ad17a47311f43f81d1b6ae6bd5717f8484a20158d9b796e403e5d9ce6a0" score = 75 quality = 75 tags = "FILE" 
@@ -141099,13 +141099,13 @@ rule MALPEDIA_Win_Nullmixer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1eef6597-4638-503e-bc1d-185384cce661" + id = "b38b3d85-051a-5533-80ac-2c20e10e6e40" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nullmixer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_bed10b9aa89a73eeb2144099fe0c5f1e459e50018915c4280b459d1a0374a95d" + logic_hash = "bed10b9aa89a73eeb2144099fe0c5f1e459e50018915c4280b459d1a0374a95d" score = 75 quality = 75 tags = "FILE" @@ -141138,13 +141138,13 @@ rule MALPEDIA_Win_Wscspl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3d3f03df-6cc4-5053-b4a7-59adb4fc8599" + id = "d7761c27-1c76-50ce-a49d-adbb7174eed5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wscspl_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_1b757c1efc9452507637d1df12d4e19d7f55d5ea9e93d3fda8eef85d6e83088d" + logic_hash = "1b757c1efc9452507637d1df12d4e19d7f55d5ea9e93d3fda8eef85d6e83088d" score = 75 quality = 75 tags = "FILE" 
@@ -141177,13 +141177,13 @@ rule MALPEDIA_Win_Unidentified_112_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a19c8eb-4db8-59e3-a7e5-65b25d2a5ebb" + id = "bca61e0b-9af5-5227-9c81-6d76a750fd95" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_112_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_bc9d9c0da4edb02fe1e586c7d9968e528daf3c2c022493f4878a3ccbbc90f116" + logic_hash = "bc9d9c0da4edb02fe1e586c7d9968e528daf3c2c022493f4878a3ccbbc90f116" score = 75 quality = 75 tags = "FILE" @@ -141216,13 +141216,13 @@ rule MALPEDIA_Win_Hoplight_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7e9c577d-b1a3-5285-8e45-8842120811e3" + id = "a2aa7245-0542-5f03-ac64-64c8e4dfd14a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hoplight_auto.yar#L1-L106" license_url = "N/A" - logic_hash = "v1_sha256_00943ab9210fcdddaf459f640db07e69da7180851bcc89590390e262f5274de2" + logic_hash = "00943ab9210fcdddaf459f640db07e69da7180851bcc89590390e262f5274de2" score = 75 quality = 75 tags = "FILE" 
@@ -141253,13 +141253,13 @@ rule MALPEDIA_Win_Nevada_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "85459fa7-7cbb-5f51-9a63-10df2635c9e2" + id = "0fb24068-87ce-54a0-ba82-bfdd95f811de" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nevada" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nevada_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_e8b202252b082c203b7b36b32325aea4ef97f49142f8ff76e8fa7afc9a175f74" + logic_hash = "e8b202252b082c203b7b36b32325aea4ef97f49142f8ff76e8fa7afc9a175f74" score = 75 quality = 75 tags = "FILE" @@ -141292,13 +141292,13 @@ rule MALPEDIA_Win_Iconic_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3981302b-cd82-58a0-99ee-ab4e4bd1925a" + id = "380edff9-b58c-56a7-886b-9f1f08a2730a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.iconic_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_79bfb58f74bc25ff74aa194b90c6f55ae1a1814931feba358207424fda4b9135" + logic_hash = "79bfb58f74bc25ff74aa194b90c6f55ae1a1814931feba358207424fda4b9135" score = 75 quality = 75 tags = "FILE" 
@@ -141331,13 +141331,13 @@ rule MALPEDIA_Win_Ccleaner_Backdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2bbec010-d115-54e8-a276-7f50d25354d7" + id = "d39b3ad8-e53b-51c7-9c43-1241d438c62d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ccleaner_backdoor_auto.yar#L1-L273" license_url = "N/A" - logic_hash = "v1_sha256_7e02daa93489db738904f39e35741a7860a222dd47acd23737d3bf7b398eab73" + logic_hash = "7e02daa93489db738904f39e35741a7860a222dd47acd23737d3bf7b398eab73" score = 75 quality = 73 tags = "FILE" @@ -141390,13 +141390,13 @@ rule MALPEDIA_Win_Nimrev_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7299dc70-d966-5faa-b705-ec15dfe82948" + id = "20b95ee4-71e8-5d91-8f08-c93eb8ecb6e9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimrev" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nimrev_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_c34627db4cecbf30356b0f5270911b9f9949d87d96e11dd97e4475658561ec16" + logic_hash = "c34627db4cecbf30356b0f5270911b9f9949d87d96e11dd97e4475658561ec16" score = 75 quality = 75 tags = "FILE" 
@@ -141429,13 +141429,13 @@ rule MALPEDIA_Win_Dinodas_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "78780122-9a1c-553a-847d-9b1d2225a2a1" + id = "3767f57e-77fd-50ff-a070-72ae08d30433" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dinodas_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dinodas_rat_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_d711c805d5ef765c5b6b2b0b58b4e9853b9a582e9b5d986c36d846c104a514b8" + logic_hash = "d711c805d5ef765c5b6b2b0b58b4e9853b9a582e9b5d986c36d846c104a514b8" score = 75 quality = 75 tags = "FILE" @@ -141468,13 +141468,13 @@ rule MALPEDIA_Win_Proto8_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e88dfe00-d828-5298-be94-a1b6ae944a17" + id = "083740c0-add4-5086-9bb3-129b00384856" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.proto8_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.proto8_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_f52122f494b07ec03552d51c6b0687cd994e16514778e5ef2160e099630dd732" + logic_hash = "f52122f494b07ec03552d51c6b0687cd994e16514778e5ef2160e099630dd732" score = 75 quality = 75 tags = "FILE" 
@@ -141507,13 +141507,13 @@ rule MALPEDIA_Win_Paladin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4cdeec2f-bbc5-5f32-a557-0ac7c6929f3a" + id = "13b994af-533a-5dbe-b8e1-24beb3442212" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.paladin_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_686a1e9450a5c31100baeb4f1e4232469278fd6c7cba4e878a1957caee81dcdc" + logic_hash = "686a1e9450a5c31100baeb4f1e4232469278fd6c7cba4e878a1957caee81dcdc" score = 75 quality = 75 tags = "FILE" @@ -141546,13 +141546,13 @@ rule MALPEDIA_Win_Contopee_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f978fc92-1dc9-5dcc-949a-541edeaec786" + id = "2c889060-56d8-5d54-aa2d-c629c52f97ce" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.contopee_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_5a1991aadc5915c8d606191fa7b0860d33c2887b1b0f8a8e7eb2cdfcb613029d" + logic_hash = "5a1991aadc5915c8d606191fa7b0860d33c2887b1b0f8a8e7eb2cdfcb613029d" score = 75 quality = 75 tags = "FILE" 
@@ -141585,13 +141585,13 @@ rule MALPEDIA_Win_Bleachgap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b5cf03f9-45a0-5717-a806-a301afc2c22c" + id = "0b3bd641-91e1-5a44-a4c8-6d070b78b23b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bleachgap" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bleachgap_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_3130a827d52ec3314a8f25fbc828dbf76548d8c3f7d1048f0043a6b2ade8d5de" + logic_hash = "3130a827d52ec3314a8f25fbc828dbf76548d8c3f7d1048f0043a6b2ade8d5de" score = 75 quality = 75 tags = "FILE" @@ -141624,13 +141624,13 @@ rule MALPEDIA_Win_Ice_Ix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a1a29da-9a77-552d-ab49-60e56fe55998" + id = "3971da01-8501-5ba0-8d5a-dc36a272dee6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ice_ix_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_297f8752913927ba432b9de91965d7e2bc2305cd2fc61a756292f8224e68d59e" + logic_hash = "297f8752913927ba432b9de91965d7e2bc2305cd2fc61a756292f8224e68d59e" score = 75 quality = 75 tags = "FILE" 
@@ -141663,13 +141663,13 @@ rule MALPEDIA_Win_Cinobi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "60dd9dbf-5a6a-5755-898e-4b9fcb354305" + id = "50908ef8-eb52-5007-8c2a-256211d7237f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cinobi_auto.yar#L1-L156" license_url = "N/A" - logic_hash = "v1_sha256_1ae8fc64307c077f4211ff04fa6a49a6ca1181e14e0c37993b50c43b3f285591" + logic_hash = "1ae8fc64307c077f4211ff04fa6a49a6ca1181e14e0c37993b50c43b3f285591" score = 75 quality = 75 tags = "FILE" @@ -141707,13 +141707,13 @@ rule MALPEDIA_Win_Mistcloak_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e73cfb01-d0f1-55b3-ac90-d55853c1abdc" + id = "bcb29aaa-c37e-5c55-be1e-5d06aa41cabd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistcloak" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mistcloak_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_6962ced189f702e03fc18d236cee46a2a0844476537e8c819ea6f1c43f9c0922" + logic_hash = "6962ced189f702e03fc18d236cee46a2a0844476537e8c819ea6f1c43f9c0922" score = 75 quality = 75 tags = "FILE" 
@@ -141746,13 +141746,13 @@ rule MALPEDIA_Win_Redshawl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "797d8e55-a82b-5e57-8de5-80f9f4633a60" + id = "d449834a-6ec8-5065-8b96-a5a49ffb3034" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.redshawl_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_b20acd5fb5af80ab78c14cd6c74a0396c69511a94b51759668c7b067e28aed11" + logic_hash = "b20acd5fb5af80ab78c14cd6c74a0396c69511a94b51759668c7b067e28aed11" score = 75 quality = 75 tags = "FILE" @@ -141785,13 +141785,13 @@ rule MALPEDIA_Win_Ghostemperor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "16713637-aec8-5602-8356-b8ef28e75e33" + id = "f7621211-4b28-566a-b3ea-8ff428be0537" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ghostemperor_auto.yar#L1-L213" license_url = "N/A" - logic_hash = "v1_sha256_52e1433fc52738b98f2cb3208f8e4210fe3ef53162cc193cfeb7b527c13f1b16" + logic_hash = "52e1433fc52738b98f2cb3208f8e4210fe3ef53162cc193cfeb7b527c13f1b16" score = 75 quality = 73 tags = "FILE" 
@@ -141837,13 +141837,13 @@ rule MALPEDIA_Win_Lockfile_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4a4174e5-717b-5e92-a93f-163eb015a449" + id = "06969e31-f5a2-5625-9b28-348da0894916" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lockfile_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_ccc239fdec0009df6e27636b6ceb3da4ca587bf03dbd6e51ebddd7a3a56ef524" + logic_hash = "ccc239fdec0009df6e27636b6ceb3da4ca587bf03dbd6e51ebddd7a3a56ef524" score = 75 quality = 75 tags = "FILE" @@ -141876,13 +141876,13 @@ rule MALPEDIA_Win_Pittytiger_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a9de98fb-b9c0-57da-913c-3bff6364e4ff" + id = "ff8da921-664f-5df1-a82d-04fd7f26f2bd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pittytiger_rat_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_8acc632550999ec997897892dc652dc9572154a1b019a4992ae2e09d0384f83b" + logic_hash = "8acc632550999ec997897892dc652dc9572154a1b019a4992ae2e09d0384f83b" score = 75 quality = 75 tags = "FILE" 
@@ -141915,13 +141915,13 @@ rule MALPEDIA_Win_Unidentified_053_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71e33504-63fd-5643-92db-7fd89acf8170" + id = "44778796-93f3-5879-994d-5e3e2324b3e0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_053_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_0ba9fcbf3221aa7fe9aa16ac81cd13a3c2e0b0b30a12bf9f5e09619187f5d921" + logic_hash = "0ba9fcbf3221aa7fe9aa16ac81cd13a3c2e0b0b30a12bf9f5e09619187f5d921" score = 75 quality = 75 tags = "FILE" @@ -141954,13 +141954,13 @@ rule MALPEDIA_Win_Leouncia_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0a3408d9-3c1c-51aa-b01a-99d4854f7776" + id = "32ec41a2-2da2-577f-8d90-05e26877f66a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.leouncia_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_f4b700de9db33424264876c9622563c2f372a2b66a216a2beabd8c8a0520c076" + logic_hash = "f4b700de9db33424264876c9622563c2f372a2b66a216a2beabd8c8a0520c076" score = 75 quality = 75 tags = "FILE" 
@@ -141993,13 +141993,13 @@ rule MALPEDIA_Win_Fast_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a5a85db4-e9a4-5b6a-b56d-ca00ed273aa6" + id = "5897ada5-fa61-53c9-92cd-a8ff361bb8f1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fast_pos_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_ad79c209e4e736c9fd75da8ae33e4c5c82b2aa09007c974afa8089a55c049530" + logic_hash = "ad79c209e4e736c9fd75da8ae33e4c5c82b2aa09007c974afa8089a55c049530" score = 75 quality = 75 tags = "FILE" @@ -142032,13 +142032,13 @@ rule MALPEDIA_Win_Azov_Wiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "871674c5-e22c-5325-9280-7d0355266cec" + id = "3b7f586d-ba57-5a04-8f68-255a064cb459" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.azov_wiper_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_011364438eb01e088c781e3c84797626beea4dfb11a3cc9222e67a61e76881e5" + logic_hash = "011364438eb01e088c781e3c84797626beea4dfb11a3cc9222e67a61e76881e5" score = 75 quality = 75 tags = "FILE" 
@@ -142071,13 +142071,13 @@ rule MALPEDIA_Win_Wormhole_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b73e0f79-3a43-5eeb-89a8-97c7596be875" + id = "e1610a26-8f6a-525e-a150-ab4ce6e346e4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wormhole_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_98b6efb48ef674cd1e4efeda549804876add0f8847a14dfa9ff2b839bd666e8b" + logic_hash = "98b6efb48ef674cd1e4efeda549804876add0f8847a14dfa9ff2b839bd666e8b" score = 75 quality = 75 tags = "FILE" @@ -142110,13 +142110,13 @@ rule MALPEDIA_Win_Zeus_Mailsniffer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "45a3877b-72a7-596c-b794-745f8c90203e" + id = "cfc6ae1c-00c8-513e-86f0-d4e28caf1338" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zeus_mailsniffer_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_fa3a7d3b021e61998435bd86dd4adccaaab84e20b590af9e4f54303f32d0d67f" + logic_hash = "fa3a7d3b021e61998435bd86dd4adccaaab84e20b590af9e4f54303f32d0d67f" score = 75 quality = 75 tags = "FILE" 
@@ -142149,13 +142149,13 @@ rule MALPEDIA_Win_Lowball_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bcdb31fe-627b-5bd2-ad66-8b9373ee17bb" + id = "94fba641-8dbf-5316-b4e6-0a547aece5a2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lowball_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_75931b935ec88e9d9d484d9216c8a6d089fe4ea50136062678650dec871b0d9d" + logic_hash = "75931b935ec88e9d9d484d9216c8a6d089fe4ea50136062678650dec871b0d9d" score = 75 quality = 75 tags = "FILE" @@ -142188,13 +142188,13 @@ rule MALPEDIA_Win_Stinger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b42eea05-2d91-51ec-a1b7-a7e3b5cbafba" + id = "03e2d1ca-b846-5787-b683-28feb74dae3e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stinger_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_64d2d0bb18e9f4889ac80d1e49c5ab473a950fa26645e6f561f71db4e8eb08f3" + logic_hash = "64d2d0bb18e9f4889ac80d1e49c5ab473a950fa26645e6f561f71db4e8eb08f3" score = 75 quality = 75 tags = "FILE" 
@@ -142227,13 +142227,13 @@ rule MALPEDIA_Win_Shakti_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "73cd602a-d787-5ad7-b0bd-3b2682c06bca" + id = "5b5fdc29-c870-550c-b3e7-47224f030c24" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shakti_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "v1_sha256_f9488b8a8445549b2d17849193cda20ba79220110ad09656a16f1b56d9644dea" + logic_hash = "f9488b8a8445549b2d17849193cda20ba79220110ad09656a16f1b56d9644dea" score = 75 quality = 75 tags = "FILE" @@ -142272,13 +142272,13 @@ rule MALPEDIA_Win_Maudi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9585da38-7bc7-522c-abc7-488f556dbca6" + id = "3e4205bc-621f-57ac-9783-0d7a80e63274" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.maudi_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_ae4372c99a5ab8731cfa27286c0755a13272fa053f753c6557e155320ea94c91" + logic_hash = "ae4372c99a5ab8731cfa27286c0755a13272fa053f753c6557e155320ea94c91" score = 75 quality = 75 tags = "FILE" 
@@ -142311,13 +142311,13 @@ rule MALPEDIA_Win_Poison_Ivy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e1e1230c-345c-5889-b8b6-b4d0feb3826c" + id = "ec8c2f98-412f-543c-9758-b1aacde91b4e" date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poison_ivy_auto.yar#L1-L91" license_url = "N/A" - logic_hash = "v1_sha256_431acfd8496c54390529508a28488eb12118d11f97e2de9a76cce0e819bacb59" + logic_hash = "431acfd8496c54390529508a28488eb12118d11f97e2de9a76cce0e819bacb59" score = 75 quality = 75 tags = "FILE" @@ -142347,13 +142347,13 @@ rule MALPEDIA_Win_Vsingle_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6a445c31-4561-5c68-886f-692f74ff5034" + id = "cc9fe25a-3024-59d5-8bbd-cc483f35b4a0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vsingle" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vsingle_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "v1_sha256_ea6b709a9def94eb8d7fd51d94ddf5ae4235a8cf02f9fd365b88bc3b6358449b" + logic_hash = "ea6b709a9def94eb8d7fd51d94ddf5ae4235a8cf02f9fd365b88bc3b6358449b" score = 75 quality = 75 tags = "FILE" 
@@ -142392,13 +142392,13 @@ rule MALPEDIA_Win_Sodamaster_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b8da3aff-d4bc-582c-ac23-ed04f0c90bc7" + id = "d1f7db4a-f731-535e-9ec7-0f94492b7206" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sodamaster_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_fa1144cbcb2ad99084cc1ee6d93d89428028e0238c89b4c179e1b18530e08c7f" + logic_hash = "fa1144cbcb2ad99084cc1ee6d93d89428028e0238c89b4c179e1b18530e08c7f" score = 75 quality = 75 tags = "FILE" @@ -142431,13 +142431,13 @@ rule MALPEDIA_Win_Mylobot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ec36786-e338-557a-9ca9-41c2f20515d8" + id = "10f8483b-f798-51f2-8a0d-4ad60f69bcdb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mylobot_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "v1_sha256_a859373208876596e4d4c654a67f12e66a950382de85503fc39b74c533ee7259" + logic_hash = "a859373208876596e4d4c654a67f12e66a950382de85503fc39b74c533ee7259" score = 75 quality = 75 tags = "FILE" 
@@ -142476,13 +142476,13 @@ rule MALPEDIA_Win_Backconfig_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "763c364a-5b83-5429-b30b-25fe38b5c650" + id = "18fd149c-ad9b-5433-8651-ac1dcd92de05" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backconfig" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.backconfig_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_dc29e43fa81d60d5f53e6f4d5e158937c417e8f12650929b20d71338a8cb5ead" + logic_hash = "dc29e43fa81d60d5f53e6f4d5e158937c417e8f12650929b20d71338a8cb5ead" score = 75 quality = 75 tags = "FILE" @@ -142515,13 +142515,13 @@ rule MALPEDIA_Win_Broomstick_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bd129123-fee8-53d9-89a1-3ea7c1a6acdf" + id = "ac676bf4-a9fb-5087-a5ff-f584bac2c26e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.broomstick_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_f03767b95c94bb52a9880746cdaa45b8005de1fc3a428f79c36aad1a9accc086" + logic_hash = "f03767b95c94bb52a9880746cdaa45b8005de1fc3a428f79c36aad1a9accc086" score = 75 quality = 75 tags = "FILE" 
@@ -142554,13 +142554,13 @@ rule MALPEDIA_Win_Akira_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ca8c2e0c-b8a1-5e98-9af3-19a44f3ca576" + id = "15bec9b6-593f-5024-bdc9-f9c22915c4b9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.akira_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_df165485c04575afe03a18bf0b6e5a6197bfd9f8e4bf586c974ab0f67dd9d7c7" + logic_hash = "df165485c04575afe03a18bf0b6e5a6197bfd9f8e4bf586c974ab0f67dd9d7c7" score = 75 quality = 75 tags = "FILE" @@ -142593,13 +142593,13 @@ rule MALPEDIA_Win_Flawedammyy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "37d06f4a-f334-5d02-9560-4b2dd2d2a5c6" + id = "869ded56-7b9a-5ec5-b348-fd92c863b7a6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flawedammyy_auto.yar#L1-L306" license_url = "N/A" - logic_hash = "v1_sha256_1cd6d61d60d4c415e6c8e37367c9ce0c64744bcdc60e8edfc1af0f4b4c964dec" + logic_hash = "1cd6d61d60d4c415e6c8e37367c9ce0c64744bcdc60e8edfc1af0f4b4c964dec" score = 75 quality = 33 tags = "FILE" 
@@ -142654,13 +142654,13 @@ rule MALPEDIA_Win_Vyveva_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "16abf643-74f3-5f62-8fbd-180ea44ef435" + id = "609ee890-2ca7-5a62-be35-cd1b7bd5751c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vyveva_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_0673ae4749420e7fc0134b23031a9015b50b7275847c92099461dcf3a81aa83d" + logic_hash = "0673ae4749420e7fc0134b23031a9015b50b7275847c92099461dcf3a81aa83d" score = 75 quality = 73 tags = "FILE" @@ -142693,13 +142693,13 @@ rule MALPEDIA_Win_Victorygate_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "419c6932-6089-5f4d-be3f-2c30bf9fb586" + id = "967fc783-d9bc-5b76-9b75-3a087d6a66b4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.victorygate_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_427b2d98b9c3c2aa99b815ff597c75e43d477300e8035fd3554b7df3486b4eb0" + logic_hash = "427b2d98b9c3c2aa99b815ff597c75e43d477300e8035fd3554b7df3486b4eb0" score = 75 quality = 75 tags = "FILE" 
@@ -142732,13 +142732,13 @@ rule MALPEDIA_Win_Lumar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "767e23d9-c345-5e7b-a99d-444c3884439a" + id = "7f6eed55-2de5-5fd1-92bb-28b323fbad6c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumar" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lumar_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_4c7ebe5b3b93aaa9cf6694e15922d9cba2c0b75a9c7cd0df2741c632bee6f36c" + logic_hash = "4c7ebe5b3b93aaa9cf6694e15922d9cba2c0b75a9c7cd0df2741c632bee6f36c" score = 75 quality = 75 tags = "FILE" @@ -142771,13 +142771,13 @@ rule MALPEDIA_Win_Blackbyte_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8434c6e4-6a34-5f0d-87c4-6508ac542b35" + id = "452fd00b-5b18-59a5-8a83-8658b17c13ef" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackbyte_auto.yar#L1-L156" license_url = "N/A" - logic_hash = "v1_sha256_3e97ee9c8cf8b212a848f172ac3c7f3f16e8569d16a1ada661dd50af9fb2d432" + logic_hash = "3e97ee9c8cf8b212a848f172ac3c7f3f16e8569d16a1ada661dd50af9fb2d432" score = 75 quality = 75 tags = "FILE" 
@@ -142816,13 +142816,13 @@ rule MALPEDIA_Win_Dispcashbr_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b58023e4-0972-5577-a1b2-8505a5639a1f" + id = "70fd1e85-83ca-549b-b752-3572dac97120" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dispcashbr_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_1d5a00b182201f928fd4d6b3f1036a475f5957d210fb4c8d3527862a6527bc4d" + logic_hash = "1d5a00b182201f928fd4d6b3f1036a475f5957d210fb4c8d3527862a6527bc4d" score = 75 quality = 75 tags = "FILE" @@ -142855,13 +142855,13 @@ rule MALPEDIA_Win_Mortalkombat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "07f2783e-4bcc-5cff-84ef-9f4268864f5f" + id = "5eb05f16-7725-598c-b79d-b9528e7759ee" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mortalkombat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mortalkombat_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_44f11e1302873d7b8732182da9f21833a01d02537c804d5a52bde5d4fbe797c8" + logic_hash = "44f11e1302873d7b8732182da9f21833a01d02537c804d5a52bde5d4fbe797c8" score = 75 quality = 75 tags = "FILE" 
@@ -142894,13 +142894,13 @@ rule MALPEDIA_Win_Salgorea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fe67924e-b4c1-5152-8fa6-9cc73b1b8dd9" + id = "e83328a9-575c-5760-8b43-23537ecb114c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.salgorea_auto.yar#L1-L157" license_url = "N/A" - logic_hash = "v1_sha256_84460b5404731160a6417d2e0703563ce9ec3d697d914eab182f90119819d293" + logic_hash = "84460b5404731160a6417d2e0703563ce9ec3d697d914eab182f90119819d293" score = 75 quality = 75 tags = "FILE" @@ -142939,13 +142939,13 @@ rule MALPEDIA_Win_Gameover_P2P_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5ba52587-7045-51d8-85f5-83abe71e1470" + id = "f5c0a78b-346b-519f-ad74-638351724851" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gameover_p2p_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_6bb48450821c79bc0f52b1eda3804ae910335d753ba80db1932c028cecce35a3" + logic_hash = "6bb48450821c79bc0f52b1eda3804ae910335d753ba80db1932c028cecce35a3" score = 75 quality = 75 tags = "FILE" 
@@ -142978,13 +142978,13 @@ rule MALPEDIA_Win_Gazer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fba94e00-6015-51fe-829f-d33596e00303" + id = "c74a4922-e38b-5cfc-86b0-8679816aca6f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gazer_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_168f0b268a65ddb10248870588fd54b58308fd12a6c3f9d75de33b31a206d1b2" + logic_hash = "168f0b268a65ddb10248870588fd54b58308fd12a6c3f9d75de33b31a206d1b2" score = 75 quality = 75 tags = "FILE" @@ -143017,13 +143017,13 @@ rule MALPEDIA_Win_Donex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c6b68e3e-b431-5ff8-8cb1-81e6cc8e30d3" + id = "8482aba2-5d7c-5acf-8ac0-6f701bcd4c3c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.donex" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.donex_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_791a2daeadd431298c15aca6e723243f3ba034df68a0c21a097c95582d44c9bb" + logic_hash = "791a2daeadd431298c15aca6e723243f3ba034df68a0c21a097c95582d44c9bb" score = 75 quality = 75 tags = "FILE" 
@@ -143056,13 +143056,13 @@ rule MALPEDIA_Win_Mewsei_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14645e7d-8651-5a36-a0a0-5b4fb8650482" + id = "584cb11c-0c0a-56b4-a94f-bac12775ad8c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mewsei_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_ee5e42e21ccf04345d72bb9f3d49fdb8dd733d6140538e230075cf58e7ebb4a5" + logic_hash = "ee5e42e21ccf04345d72bb9f3d49fdb8dd733d6140538e230075cf58e7ebb4a5" score = 75 quality = 75 tags = "FILE" @@ -143095,13 +143095,13 @@ rule MALPEDIA_Win_Unidentified_101_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2d7dad6f-4cc0-5e95-b48e-473d8e8353f4" + id = "1e5a977c-e7e9-5732-97b6-6aadc4f691fc" date = "2023-03-28" modified = "2023-04-07" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_101" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_101_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_71f0751fbd77a928634515b558d06922b4bf4a312042d6abbd6ba70171c64843" + logic_hash = "71f0751fbd77a928634515b558d06922b4bf4a312042d6abbd6ba70171c64843" score = 75 quality = 75 tags = "FILE" 
@@ -143134,13 +143134,13 @@ rule MALPEDIA_Win_Acehash_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2f798c01-99e3-54f8-9ec5-8142eecd1e16" + id = "c02dd1c8-b3e7-50ce-a7de-221cfd645c47" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.acehash_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_000cf5b63c50e8cdae527d807554d2033db615c3997c132b3125d4523298d8fb" + logic_hash = "000cf5b63c50e8cdae527d807554d2033db615c3997c132b3125d4523298d8fb" score = 75 quality = 75 tags = "FILE" @@ -143173,13 +143173,13 @@ rule MALPEDIA_Win_Underminer_Ek_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1e581e3a-4ce5-5e17-b147-fb1bd9e1c677" + id = "f11b78f3-676c-503e-af81-133bd7b27942" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.underminer_ek" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.underminer_ek_auto.yar#L1-L176" license_url = "N/A" - logic_hash = "v1_sha256_2f91a4d4f297062b3d3b07b58a9c1bfef73e9c0060b6e1680dc04cf736854cd4" + logic_hash = "2f91a4d4f297062b3d3b07b58a9c1bfef73e9c0060b6e1680dc04cf736854cd4" score = 75 quality = 75 tags = "FILE" 
@@ -143218,13 +143218,13 @@ rule MALPEDIA_Win_Nim_Blackout_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "08ccea82-53b6-5e1a-b132-9b350539c760" + id = "ff725f8e-78d8-573e-b72f-f808485072b3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nim_blackout" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nim_blackout_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_8bcac4d517a5c0195b2a1f86c54202d4da8e70268566b060cf8dd1e9526230c9" + logic_hash = "8bcac4d517a5c0195b2a1f86c54202d4da8e70268566b060cf8dd1e9526230c9" score = 75 quality = 75 tags = "FILE" @@ -143257,13 +143257,13 @@ rule MALPEDIA_Win_Xbtl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "306baa3e-4dd4-50ad-a748-be50f2e2c4e2" + id = "cc674cdb-617d-59f2-a495-aa1cae2d983f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xbtl_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_f0bc6d62656eb26327c6c65c34f325364618e94666f302ef6065ecc9e58e240b" + logic_hash = "f0bc6d62656eb26327c6c65c34f325364618e94666f302ef6065ecc9e58e240b" score = 75 quality = 75 tags = "FILE" 
@@ -143296,13 +143296,13 @@ rule MALPEDIA_Win_Phobos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "22bf527f-03f9-57e5-a4a9-73bac54fe75c" + id = "50012a05-a115-568a-af1b-c38bab4b83db" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.phobos_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_c0587de91f9b07bd28460653ab9d55aeeffabbc31465d7d7ac9b9413a4a57c0d" + logic_hash = "c0587de91f9b07bd28460653ab9d55aeeffabbc31465d7d7ac9b9413a4a57c0d" score = 75 quality = 75 tags = "FILE" @@ -143335,13 +143335,13 @@ rule MALPEDIA_Win_Gamotrol_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d31b4af3-7070-5392-9920-f34a603c4507" + id = "6d872926-0049-5e26-8ed8-52fa5b44bb44" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gamotrol_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_41c3f31b322da6e7305bb8343f876e03d328f1fa9fbb5d6f4dcd6733da8fcf8b" + logic_hash = "41c3f31b322da6e7305bb8343f876e03d328f1fa9fbb5d6f4dcd6733da8fcf8b" score = 75 quality = 75 tags = "FILE" 
@@ -143374,13 +143374,13 @@ rule MALPEDIA_Win_Unidentified_105_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a44dd9aa-1b70-5914-af4d-a775b0e02cfd" + id = "eddc8e7d-c7d8-56a8-9cd5-0e8cda2282d2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_105" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_105_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_4e03e917de401318ff8b0ae85a40744aaa875bb14cd2721a1a9fd7b49998e501" + logic_hash = "4e03e917de401318ff8b0ae85a40744aaa875bb14cd2721a1a9fd7b49998e501" score = 75 quality = 75 tags = "FILE" @@ -143413,13 +143413,13 @@ rule MALPEDIA_Win_Heloag_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ecc57929-11a6-500d-95dc-b2f7a7e93cde" + id = "b40ebeb0-65d9-5544-943f-e43dc7de3667" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.heloag_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "v1_sha256_3cbec035b3658dcc2108c96dd5a7b448e19c5bb5b801b5096a103c1055c563fa" + logic_hash = "3cbec035b3658dcc2108c96dd5a7b448e19c5bb5b801b5096a103c1055c563fa" score = 75 quality = 75 tags = "FILE" 
@@ -143458,13 +143458,13 @@ rule MALPEDIA_Win_Govrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c8d64311-791e-5c61-a29c-1121b35e5733" + id = "ff29bbeb-8470-59b6-8c8d-ff2db3e011bb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.govrat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_c76f210fc8b3b328515ee8d578bc776ba7dc3be5b77e3088a18f7d949286c3a2" + logic_hash = "c76f210fc8b3b328515ee8d578bc776ba7dc3be5b77e3088a18f7d949286c3a2" score = 75 quality = 75 tags = "FILE" @@ -143497,13 +143497,13 @@ rule MALPEDIA_Win_Gpcode_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cdadfd29-c5dc-5a82-a1eb-75e3eb83c669" + id = "e33e0b1f-76e7-5d87-9046-4de404cd3f75" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gpcode_auto.yar#L1-L198" license_url = "N/A" - logic_hash = "v1_sha256_8f09c23237c11f87162aa59c119a2d6f06242220cf4c97226be012f001eb9b62" + logic_hash = "8f09c23237c11f87162aa59c119a2d6f06242220cf4c97226be012f001eb9b62" score = 75 quality = 75 tags = "FILE" 
@@ -143546,13 +143546,13 @@ rule MALPEDIA_Win_Ketrican_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9cf7bcc1-4d94-5d56-ac68-712675cf3be7" + id = "439971d8-746c-55ae-9bfc-c8ec84b9bdc0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ketrican_auto.yar#L1-L232" license_url = "N/A" - logic_hash = "v1_sha256_bd65d425e881a2f25fb5439fad465d4c0696f8064b1ba4643c58eae4b61b8ee6" + logic_hash = "bd65d425e881a2f25fb5439fad465d4c0696f8064b1ba4643c58eae4b61b8ee6" score = 75 quality = 73 tags = "FILE" @@ -143598,13 +143598,13 @@ rule MALPEDIA_Win_Rtpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e21c5de7-106d-5f97-9004-21ddae8d8545" + id = "959dc55e-8b27-5e8d-9c83-fdb4eeace02c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rtpos_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_e4e59ac435d46c5a64df569379669b4dd97e2cfaff34fac6f768e0380b69204e" + logic_hash = "e4e59ac435d46c5a64df569379669b4dd97e2cfaff34fac6f768e0380b69204e" score = 75 quality = 75 tags = "FILE" 
@@ -143637,13 +143637,13 @@ rule MALPEDIA_Win_Poscardstealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e5c45d24-0f74-5252-a2b0-35be003a378c" + id = "5940fce6-5171-52a7-adbd-1bfc9feaf26a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poscardstealer_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_45ecc712be3203f41628cc2ab4db40cb265e98700000888fd4a766a5ab62d728" + logic_hash = "45ecc712be3203f41628cc2ab4db40cb265e98700000888fd4a766a5ab62d728" score = 75 quality = 75 tags = "FILE" @@ -143676,13 +143676,13 @@ rule MALPEDIA_Win_Grok_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e2c8d541-a019-50ec-a800-1ff880518519" + id = "ccf14bb2-6a3c-5675-9d8f-13b9833157ee" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grok_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_2243923e42742fbe3a7e4306a1c12f85ff68d294ee642e4a1bb4afaaacaacbf5" + logic_hash = "2243923e42742fbe3a7e4306a1c12f85ff68d294ee642e4a1bb4afaaacaacbf5" score = 75 quality = 75 tags = "FILE" 
@@ -143715,13 +143715,13 @@ rule MALPEDIA_Win_Abaddon_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e9d0ac3f-dfc3-52d8-a5ad-4b87cffdd770" + id = "be050b96-89fd-5c20-8efb-0926890fbf17" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.abaddon_pos_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "v1_sha256_1a83ebbcd5f12576760f9d6a9d7b6611b9e3fe508d3c27448de58b24db2266af" + logic_hash = "1a83ebbcd5f12576760f9d6a9d7b6611b9e3fe508d3c27448de58b24db2266af" score = 75 quality = 75 tags = "FILE" @@ -143759,13 +143759,13 @@ rule MALPEDIA_Win_Cutwail_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a42628b8-e458-512c-b6e7-981f4808dc5c" + id = "74edd1da-0a31-5dc7-9e3f-137bbcc67ffb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cutwail_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "v1_sha256_19ab3f1dd76c95a9fd39a987b454b861d51946958edf6894a04ce0a4e884e4fd" + logic_hash = "19ab3f1dd76c95a9fd39a987b454b861d51946958edf6894a04ce0a4e884e4fd" score = 75 quality = 75 tags = "FILE" 
@@ -143804,13 +143804,13 @@ rule MALPEDIA_Win_Smarteyes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "261d0ff2-5fd3-56b3-b8c3-b6289d7482a1" + id = "8c7fb874-a11f-5f55-9cef-395ee0219165" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smarteyes" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.smarteyes_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_c5287c273b80d8410483f16228152973a803d8ac51015792b4ca7695eb66f818" + logic_hash = "c5287c273b80d8410483f16228152973a803d8ac51015792b4ca7695eb66f818" score = 75 quality = 75 tags = "FILE" @@ -143843,13 +143843,13 @@ rule MALPEDIA_Win_Ruckguv_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1fba5b85-f3ec-537a-b32d-511ee0f4b217" + id = "8f499e75-91f2-52c8-a94a-c83686f92c36" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ruckguv_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_6d10b38eb1f1d62aeb4e76b727620952b9c0cf6c443b89f37ac94de3a6d9e6ee" + logic_hash = "6d10b38eb1f1d62aeb4e76b727620952b9c0cf6c443b89f37ac94de3a6d9e6ee" score = 75 quality = 75 tags = "FILE" 
@@ -143882,13 +143882,13 @@ rule MALPEDIA_Win_Hacksfase_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1e9d7c59-4c96-5cdc-a517-691673a18d8e" + id = "e8964081-a2ab-5f17-84d6-f60be8a25bb6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hacksfase_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_e471c3c94524d0ea367845eb4bddab6e1e071bddbe6451c868738ead26f24319" + logic_hash = "e471c3c94524d0ea367845eb4bddab6e1e071bddbe6451c868738ead26f24319" score = 75 quality = 75 tags = "FILE" @@ -143921,13 +143921,13 @@ rule MALPEDIA_Win_Stegoloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "edd62bdb-6f36-59e2-b96d-c1f4c3014611" + id = "9b5ddd81-f495-5df3-b903-3b034270cab3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stegoloader_auto.yar#L1-L175" license_url = "N/A" - logic_hash = "v1_sha256_94caf24cac0989b6c0d5f1d1f91d703a3bc60fcd01d5e92e33c9c96d7f83e047" + logic_hash = "94caf24cac0989b6c0d5f1d1f91d703a3bc60fcd01d5e92e33c9c96d7f83e047" score = 75 quality = 75 tags = "FILE" 
@@ -143966,13 +143966,13 @@ rule MALPEDIA_Win_Kapeka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "26967ccd-492c-5358-bf19-4b808875cc6a" + id = "e9faddcc-105b-5a04-b8c8-ec1325abdf07" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kapeka" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kapeka_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_f9f8a4abde4cdfc67b53dadf6bbb3bb8155ff6c1c3c5e817a852cd16859c5b00" + logic_hash = "f9f8a4abde4cdfc67b53dadf6bbb3bb8155ff6c1c3c5e817a852cd16859c5b00" score = 75 quality = 75 tags = "FILE" @@ -144005,13 +144005,13 @@ rule MALPEDIA_Win_Crutch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1b9bebca-6dfc-5346-9493-3e6ae8046e1d" + id = "36959a18-dba5-5b13-9b8a-5318a7ab018e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crutch_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_6e39432bedc9454e05a5557719c4ba13f7f6afdacb986523a0105dea7f4efdfa" + logic_hash = "6e39432bedc9454e05a5557719c4ba13f7f6afdacb986523a0105dea7f4efdfa" score = 75 quality = 75 tags = "FILE" 
@@ -144044,13 +144044,13 @@ rule MALPEDIA_Win_Valley_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4f9089f3-7fb8-57c7-873e-14ab00bc2dae" + id = "5dc86c73-fc1a-55cb-84b1-f3d8a7354032" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.valley_rat_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_cd2ba628443a3060bd3912a9438622a07d0947ed73efff5cb92a491d2061eff0" + logic_hash = "cd2ba628443a3060bd3912a9438622a07d0947ed73efff5cb92a491d2061eff0" score = 60 quality = 45 tags = "FILE" @@ -144083,13 +144083,13 @@ rule MALPEDIA_Win_Mount_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fecac4c2-aa8f-5e2e-8d6a-99ee4592b1ca" + id = "2ef861fc-00f6-570d-889b-9134868ef5a0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mount_locker_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "v1_sha256_7b77b6c0c433631050c62ceb54745fc365be8fc933570e0c4c919105bbc01b03" + logic_hash = "7b77b6c0c433631050c62ceb54745fc365be8fc933570e0c4c919105bbc01b03" score = 75 quality = 75 tags = "FILE" 
@@ -144128,13 +144128,13 @@ rule MALPEDIA_Win_Quickmute_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dab191d5-511b-5e96-ae69-220a734293ba" + id = "9346c7aa-034b-5306-98dc-f15f081cecb5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickmute" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.quickmute_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_d5f635b1bfde0d275999edc49a14531f110db04930e1d0cd71d09b7e6594ac87" + logic_hash = "d5f635b1bfde0d275999edc49a14531f110db04930e1d0cd71d09b7e6594ac87" score = 75 quality = 75 tags = "FILE" @@ -144167,13 +144167,13 @@ rule MALPEDIA_Win_Rerdom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2aebdde9-806d-55ff-91ea-ec1c0569ba09" + id = "fe806d9a-6a04-5e79-b88b-ee8b8a204978" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rerdom_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_a2ea86fac59908c343fcb877dddd42001d84b6d42ea05066c82f8a9e14242c06" + logic_hash = "a2ea86fac59908c343fcb877dddd42001d84b6d42ea05066c82f8a9e14242c06" score = 75 quality = 75 tags = "FILE" 
@@ -144206,13 +144206,13 @@ rule MALPEDIA_Win_Socelars_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "61ef1ab7-42e0-54a5-986c-e1311bd1cf35" + id = "392a881e-8204-5538-905a-79f8339a81a4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.socelars_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_b8094e8a90fbd4b228aeee4fe07a815ac53358ef07b587d100a6e2f0f5e01dbf" + logic_hash = "b8094e8a90fbd4b228aeee4fe07a815ac53358ef07b587d100a6e2f0f5e01dbf" score = 75 quality = 75 tags = "FILE" @@ -144245,13 +144245,13 @@ rule MALPEDIA_Win_Rokku_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e1d7627b-21f1-5681-bc91-eb95fd36d705" + id = "715ad7bc-d28a-5156-87eb-1255d9ce2084" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rokku_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_1d23d8f4257081bb086c98f92ac75f2d433e54c9fb6c0c1b7b21d511b54ccc0a" + logic_hash = "1d23d8f4257081bb086c98f92ac75f2d433e54c9fb6c0c1b7b21d511b54ccc0a" score = 75 quality = 75 tags = "FILE" 
@@ -144284,13 +144284,13 @@ rule MALPEDIA_Win_Feodo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f3900884-3f77-518e-915a-c925e3e96973" + id = "8c5efd3c-e45d-5795-9ce3-096920bca9de" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.feodo_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "v1_sha256_4783bf3b64d586d0a2a41312eeb5a0cc464046d24e2955ae05259fe1fa6e0781" + logic_hash = "4783bf3b64d586d0a2a41312eeb5a0cc464046d24e2955ae05259fe1fa6e0781" score = 75 quality = 75 tags = "FILE" @@ -144329,13 +144329,13 @@ rule MALPEDIA_Win_Bit_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b535955c-2a89-5b34-85bb-29d3699c1d05" + id = "e331727c-f0b9-570e-98b3-15c7435a6eef" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bit_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_7643b584b9c6d670261c45703563f4fa44b2a6b3543e3f79d5e148454f73feea" + logic_hash = "7643b584b9c6d670261c45703563f4fa44b2a6b3543e3f79d5e148454f73feea" score = 75 quality = 75 tags = "FILE" 
@@ -144368,13 +144368,13 @@ rule MALPEDIA_Win_Jimmy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bd14235f-798c-5d53-99b5-1c55d04a484e" + id = "e00c47ff-70b5-5db3-a3df-5549a310a9aa" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jimmy_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_1b3730a9d32503c4a70a6daa21a4c8b83fd1ef93162a202906ad5585e6f013b5" + logic_hash = "1b3730a9d32503c4a70a6daa21a4c8b83fd1ef93162a202906ad5585e6f013b5" score = 75 quality = 75 tags = "FILE" @@ -144407,13 +144407,13 @@ rule MALPEDIA_Win_Skipper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "58d022f3-1c49-5dc5-b6d4-58497d9610d6" + id = "64a2fa4c-6691-570a-b99c-c64694f81fbb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.skipper_auto.yar#L1-L436" license_url = "N/A" - logic_hash = "v1_sha256_a0d077545acb481645aa7b1b148ae369d0e9c4615de07cc8af0856e7c8c6f15a" + logic_hash = "a0d077545acb481645aa7b1b148ae369d0e9c4615de07cc8af0856e7c8c6f15a" score = 75 quality = 50 tags = "FILE" 
@@ -144482,13 +144482,13 @@ rule MALPEDIA_Win_Lightlesscan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e72cc578-4cf0-5743-aec3-e162c728f671" + id = "2e37f7e0-e58a-5e11-9705-46b3e404ff4c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightlesscan" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lightlesscan_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_065574078c0aa4243fb06e1821f47ea5dd0c55644c6efc29c5c042e930dc4c7f" + logic_hash = "065574078c0aa4243fb06e1821f47ea5dd0c55644c6efc29c5c042e930dc4c7f" score = 75 quality = 75 tags = "FILE" @@ -144521,13 +144521,13 @@ rule MALPEDIA_Win_Webc2_Greencat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "feaa9948-79d0-5b16-9375-f1d650f0f672" + id = "a0848a27-48e1-5e07-b0d1-bb056774f373" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_greencat_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_b537e733fea445e18ae7f3686bce35348807c75f49bc5b86c1bc51245964fe49" + logic_hash = "b537e733fea445e18ae7f3686bce35348807c75f49bc5b86c1bc51245964fe49" score = 75 quality = 75 tags = "FILE" 
@@ -144560,13 +144560,13 @@ rule MALPEDIA_Win_Dexter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cbc66d7e-ebe0-5776-a4f9-abc86323f52b" + id = "5d3d372c-0686-511d-bba6-815685b0b441" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dexter_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_537f3a05b932c01193b62b9eef1199d3fcfbbcfba0cd35a2f7ef69253c025c83" + logic_hash = "537f3a05b932c01193b62b9eef1199d3fcfbbcfba0cd35a2f7ef69253c025c83" score = 75 quality = 75 tags = "FILE" @@ -144599,13 +144599,13 @@ rule MALPEDIA_Win_Sakula_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "59979515-1a9f-52f0-8da9-b4de88e626e3" + id = "86323bfd-db14-578a-8cfe-f67cc00a757a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sakula_rat_auto.yar#L1-L230" license_url = "N/A" - logic_hash = "v1_sha256_19fb36915bb248bef0dadfadf28e10045720b8ee2d6f5e400ec2d27910f47a25" + logic_hash = "19fb36915bb248bef0dadfadf28e10045720b8ee2d6f5e400ec2d27910f47a25" score = 75 quality = 73 tags = "FILE" 
@@ -144651,13 +144651,13 @@ rule MALPEDIA_Win_Ddkong_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "169b4d19-19b7-54e7-a53f-b96512ffd7c6" + id = "b5952305-5353-5501-a1a7-08eb6dbe1f60" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ddkong_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_63fd2294d146377f9037ca4f08ce95fd06d019686efc226016c406199e6b874d" + logic_hash = "63fd2294d146377f9037ca4f08ce95fd06d019686efc226016c406199e6b874d" score = 75 quality = 75 tags = "FILE" @@ -144690,13 +144690,13 @@ rule MALPEDIA_Win_Finfisher_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "41870e8b-b9d9-557f-a025-cbc9b5680242" + id = "b4569af7-ca7f-5273-a891-62c4b9307c04" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.finfisher_auto.yar#L1-L148" license_url = "N/A" - logic_hash = "v1_sha256_d86e06755c4d193ae8f6772e0ecac909342d4c797dca10b9ca38c301b921ec55" + logic_hash = "d86e06755c4d193ae8f6772e0ecac909342d4c797dca10b9ca38c301b921ec55" score = 75 quality = 75 tags = "FILE" 
@@ -144733,13 +144733,13 @@ rule MALPEDIA_Win_Zeroaccess_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b2608ab9-d28e-5303-b318-2037ed3e7455" + id = "89374e4f-79aa-58be-a3f5-45921879c769" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zeroaccess_auto.yar#L1-L147" license_url = "N/A" - logic_hash = "v1_sha256_b8098d3dcd80de1c46676c7e1dd2cdf56db87599f68b360b87ffc70001011948" + logic_hash = "b8098d3dcd80de1c46676c7e1dd2cdf56db87599f68b360b87ffc70001011948" score = 75 quality = 75 tags = "FILE" @@ -144776,13 +144776,13 @@ rule MALPEDIA_Win_Kimjongrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3ce6af32-8a39-5c51-b3ad-dc1084c1959e" + id = "6fc69770-2665-5839-9d6a-97fd73d156df" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimjongrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kimjongrat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_edaec54e18eb1d3289f1a7f5442afe5f1403cb37fea612fda6550402130dfa44" + logic_hash = "edaec54e18eb1d3289f1a7f5442afe5f1403cb37fea612fda6550402130dfa44" score = 75 quality = 75 tags = "FILE" 
@@ -144815,13 +144815,13 @@ rule MALPEDIA_Win_Powerloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c56ab2fd-5c88-5ca9-938e-4d6cb3f80507" + id = "a8055861-0eb8-5c59-854d-6c838621a56f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.powerloader_auto.yar#L1-L106" license_url = "N/A" - logic_hash = "v1_sha256_49acbf4818653ec3c37c64918d36c8fbd597bf611facefb0fe7af9324dfdd104" + logic_hash = "49acbf4818653ec3c37c64918d36c8fbd597bf611facefb0fe7af9324dfdd104" score = 75 quality = 75 tags = "FILE" @@ -144854,13 +144854,13 @@ rule MALPEDIA_Win_Lightwork_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f8b11044-331f-5ccb-b67b-c35c0a949e59" + id = "5b31d092-dcc8-5a1c-ab90-287cfb331c0c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightwork" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lightwork_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_27c40b18d2800b0d83c68dd39a56494e6158b954f55a7dafaeb8933b3fe805f1" + logic_hash = "27c40b18d2800b0d83c68dd39a56494e6158b954f55a7dafaeb8933b3fe805f1" score = 75 quality = 75 tags = "FILE" 
@@ -144893,13 +144893,13 @@ rule MALPEDIA_Win_Compfun_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db36b487-02a3-5045-8add-828f0c56c24b" + id = "3d58a754-0068-5ddf-8df3-41773f9f7343" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.compfun_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "v1_sha256_f91830d32accaa1a970b31fd97ff26cbec286fc3877ecca166a49e3ceef0861e" + logic_hash = "f91830d32accaa1a970b31fd97ff26cbec286fc3877ecca166a49e3ceef0861e" score = 75 quality = 75 tags = "FILE" @@ -144938,13 +144938,13 @@ rule MALPEDIA_Win_Byeby_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "08d46b36-e57a-5f89-8828-8645c52a6729" + id = "9611b4e7-8337-551b-9691-e65f61744e7f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.byeby_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_50a28d5ba51c4cf2da918fb2e13d81e48eb5727c5e9589337c757040c753f599" + logic_hash = "50a28d5ba51c4cf2da918fb2e13d81e48eb5727c5e9589337c757040c753f599" score = 75 quality = 75 tags = "FILE" 
@@ -144977,13 +144977,13 @@ rule MALPEDIA_Win_Aveo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6fbffd98-68db-5ae0-9400-852fb7fdc7eb" + id = "2f9547a9-d06a-5a97-a838-f674793ec8c9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.aveo_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_b370a3150ecdba2fa7b9c1b3f8a88674c2ef9b3deea9a9096a8ec474751f8a90" + logic_hash = "b370a3150ecdba2fa7b9c1b3f8a88674c2ef9b3deea9a9096a8ec474751f8a90" score = 75 quality = 75 tags = "FILE" @@ -145016,13 +145016,13 @@ rule MALPEDIA_Win_Satan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ccb3da2e-5da5-5317-9db2-f14a3ea21275" + id = "30dbe56c-8c73-5146-b780-34e6bf716dbf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.satan_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_684fd8d03725a857adc2201582faa570633fcd21041d464e35a18c1f078d9ea5" + logic_hash = "684fd8d03725a857adc2201582faa570633fcd21041d464e35a18c1f078d9ea5" score = 75 quality = 75 tags = "FILE" 
@@ -145055,13 +145055,13 @@ rule MALPEDIA_Win_Cohhoc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c1527ca5-07f2-523d-aade-6ae246f7aa30" + id = "79f1d359-2e68-5ef2-92e4-7c353f021a83" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cohhoc_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_408be9b45dccb2589014666e6c29650297e9a497c2f3518d6cebc0080adee530" + logic_hash = "408be9b45dccb2589014666e6c29650297e9a497c2f3518d6cebc0080adee530" score = 75 quality = 75 tags = "FILE" @@ -145094,13 +145094,13 @@ rule MALPEDIA_Win_Screencap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f1642ae8-7b12-500c-adaa-5f5c91028963" + id = "c09ded30-7ed9-5627-bd4b-b5b9719d1b79" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.screencap" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.screencap_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_fe7ef238cffaf8f0702b709313aa3e525535b37ee9076ff1908a7fc171fcfe6f" + logic_hash = "fe7ef238cffaf8f0702b709313aa3e525535b37ee9076ff1908a7fc171fcfe6f" score = 75 quality = 75 tags = "FILE" 
@@ -145133,13 +145133,13 @@ rule MALPEDIA_Win_Jinxloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "31c5f8da-e0ad-55d5-b95a-76f6e5c745dd" + id = "cb454fe4-e9ad-5069-aba0-8fdb369e6db4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jinxloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jinxloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_c58b02af334fd67d7a0c2822fadcfa6594a39ce2fb1e10101df77761efab8668" + logic_hash = "c58b02af334fd67d7a0c2822fadcfa6594a39ce2fb1e10101df77761efab8668" score = 75 quality = 75 tags = "FILE" @@ -145172,13 +145172,13 @@ rule MALPEDIA_Win_Hellokitty_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fedc7078-2c8e-55ce-95ca-2e66efb7c17e" + id = "85d82fef-e1ef-5538-a8ca-f2e16ab22789" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hellokitty_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_fc4ce366fe91b18117b1ec99ae5affdf6560b9a7558856d80c31c8511e65fec9" + logic_hash = "fc4ce366fe91b18117b1ec99ae5affdf6560b9a7558856d80c31c8511e65fec9" score = 75 quality = 75 tags = "FILE" 
@@ -145211,13 +145211,13 @@ rule MALPEDIA_Win_Ransomlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "57e171f4-474e-5661-9cce-ab4c4df2d602" + id = "42563703-564f-5a14-8829-64d9a4cd308b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ransomlock_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_9226a9c11140386a0aeef708faad6314d93055d8b25dc4f728e9575057eabf60" + logic_hash = "9226a9c11140386a0aeef708faad6314d93055d8b25dc4f728e9575057eabf60" score = 75 quality = 75 tags = "FILE" @@ -145250,13 +145250,13 @@ rule MALPEDIA_Win_Cova_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2a8e7311-5979-5810-a13b-1bfb80679853" + id = "fa07deb6-c177-5206-9d19-f63251440ec2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cova" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cova_auto.yar#L1-L110" license_url = "N/A" - logic_hash = "v1_sha256_d5e67f28620dc0f740b402e9f8384fb0d05494020e9e1fdf2531ffdb1df92592" + logic_hash = "d5e67f28620dc0f740b402e9f8384fb0d05494020e9e1fdf2531ffdb1df92592" score = 75 quality = 75 tags = "FILE" 
@@ -145289,13 +145289,13 @@ rule MALPEDIA_Win_Malumpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a9a28d86-a2d6-5de6-9fbf-b075d5308600" + id = "8c530445-714c-5545-b19e-0b83bc49baf4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.malumpos_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_3114be15227a95c744ccca089995ccddd28287774a7cad476fe879d040c5b1ad" + logic_hash = "3114be15227a95c744ccca089995ccddd28287774a7cad476fe879d040c5b1ad" score = 75 quality = 75 tags = "FILE" @@ -145328,13 +145328,13 @@ rule MALPEDIA_Win_Whiteblackcrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fb0579e7-9a13-5207-9c7e-f92f2618d7b6" + id = "39243d42-8305-573c-a47b-e4b6dd139aef" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.whiteblackcrypt_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_660907780e4078f0416bec5591629e01f78308bd70eb5a7d32026bca72fd8322" + logic_hash = "660907780e4078f0416bec5591629e01f78308bd70eb5a7d32026bca72fd8322" score = 75 quality = 75 tags = "FILE" 
@@ -145367,13 +145367,13 @@ rule MALPEDIA_Win_Spybot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "835dee45-86f6-55eb-9b9e-358257903ce8" + id = "a4cba476-a2c7-50aa-a7bf-4af17da5b6df" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spybot_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_d537b785313261fc15df85466bf871fb981ce27e93c3d7cf670a5bb54b105b2b" + logic_hash = "d537b785313261fc15df85466bf871fb981ce27e93c3d7cf670a5bb54b105b2b" score = 75 quality = 75 tags = "FILE" @@ -145406,13 +145406,13 @@ rule MALPEDIA_Win_Tinytyphon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e5a63871-4352-5eed-b5ad-44bcc3178f2e" + id = "5b03e241-fb6f-559b-bde6-deb493402fa5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tinytyphon_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_f9788ed24c5ff9be6cbd5ec91e29693ea290ace26342cc375a5a9e76cbe49f63" + logic_hash = "f9788ed24c5ff9be6cbd5ec91e29693ea290ace26342cc375a5a9e76cbe49f63" score = 75 quality = 75 tags = "FILE" 
@@ -145445,13 +145445,13 @@ rule MALPEDIA_Win_Stresspaint_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b80d62fa-861d-550f-8ac5-b0ccce676422" + id = "1c5fe12e-e2db-536e-9708-f093f3acd070" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stresspaint_auto.yar#L1-L157" license_url = "N/A" - logic_hash = "v1_sha256_d6c444a9c27d97e7ed3d7b7007c87aa66e22a92b316794a07d87a908d3a44119" + logic_hash = "d6c444a9c27d97e7ed3d7b7007c87aa66e22a92b316794a07d87a908d3a44119" score = 75 quality = 75 tags = "FILE" @@ -145490,13 +145490,13 @@ rule MALPEDIA_Win_Loup_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "748719a6-4f58-5ced-a02b-b941281d3dba" + id = "2089eb01-8adc-5d71-ab0c-e9de7e386d03" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.loup" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.loup_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_ecdd5b2ea3515331e17a7116f826dcace78b7e88cf24fcea19298195170a6a4f" + logic_hash = "ecdd5b2ea3515331e17a7116f826dcace78b7e88cf24fcea19298195170a6a4f" score = 75 quality = 75 tags = "FILE" 
@@ -145529,13 +145529,13 @@ rule MALPEDIA_Win_Lightrail_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6eae4f56-4645-540b-85b8-fea993016166" + id = "a2a74e32-804b-5428-a5eb-18775f1f39d2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightrail" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lightrail_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_ac0b981cc1c6ed97eba28af6c8430a26e5eab1fbb0f4ef4ac4d4556d0f8dc830" + logic_hash = "ac0b981cc1c6ed97eba28af6c8430a26e5eab1fbb0f4ef4ac4d4556d0f8dc830" score = 75 quality = 75 tags = "FILE" @@ -145568,13 +145568,13 @@ rule MALPEDIA_Win_Heyoka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7a1f96f3-2cba-5d8c-b192-0248f550971d" + id = "f0f9fc3a-3361-5bee-bcdd-e0c602dd58ea" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.heyoka" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.heyoka_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_175329e4bd3a0dd34afbec31b74492ffb1225426c5eb776fbf2c975880999184" + logic_hash = "175329e4bd3a0dd34afbec31b74492ffb1225426c5eb776fbf2c975880999184" score = 75 quality = 75 tags = "FILE" 
@@ -145607,13 +145607,13 @@ rule MALPEDIA_Win_Powershellrunner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4fb10186-cca8-5cd5-b0bc-b80fc1a75fd5" + id = "46b69b90-7940-5db2-80f3-f8192ab438b0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.powershellrunner_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_b42437163f86140159e67a0a5b01330144313dc98950bc6641d4e09d38867635" + logic_hash = "b42437163f86140159e67a0a5b01330144313dc98950bc6641d4e09d38867635" score = 75 quality = 75 tags = "FILE" @@ -145646,13 +145646,13 @@ rule MALPEDIA_Win_Op_Blockbuster_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aefd8bd4-a81a-57af-b03f-01b86337074d" + id = "54037fb5-02e6-50fe-b72a-3b42b6ceaa52" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.op_blockbuster_auto.yar#L1-L326" license_url = "N/A" - logic_hash = "v1_sha256_4209e51c2985f19271abc0c98d2263ec2c893b90a69757edcf9738231e4cef57" + logic_hash = "4209e51c2985f19271abc0c98d2263ec2c893b90a69757edcf9738231e4cef57" score = 75 quality = 73 tags = "FILE" 
@@ -145709,13 +145709,13 @@ rule MALPEDIA_Win_Radrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "07d0ca48-f958-5448-a9fd-087738ff2201" + id = "94a4381e-af30-56d4-9d5d-0552148c1f7c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.radrat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_67ebe4ff9f98e9eca0e16834a563e516c10727efd1f7a1ab36f600d08a7aa26c" + logic_hash = "67ebe4ff9f98e9eca0e16834a563e516c10727efd1f7a1ab36f600d08a7aa26c" score = 75 quality = 75 tags = "FILE" @@ -145748,13 +145748,13 @@ rule MALPEDIA_Win_Flagpro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "59c5e63f-2c46-56c4-ac13-4c7a93f21197" + id = "de33fb8c-8ab6-5256-a88a-80e461ec2d83" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flagpro_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_654c55cf6ed0a2b532ad215de02e3b03b4d1dd22a33c5bbcc5cdd9807575a5d9" + logic_hash = "654c55cf6ed0a2b532ad215de02e3b03b4d1dd22a33c5bbcc5cdd9807575a5d9" score = 75 quality = 75 tags = "FILE" 
@@ -145787,13 +145787,13 @@ rule MALPEDIA_Win_Babyshark_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "03250fe3-bb44-5ef5-a807-0d913166bd45" + id = "bba62dea-b8fb-5177-af59-ee7484609223" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.babyshark_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_170a55c792dd841a430b5276e4b7ea8cd0c0e2d28c406b503a22728951bd6c1d" + logic_hash = "170a55c792dd841a430b5276e4b7ea8cd0c0e2d28c406b503a22728951bd6c1d" score = 75 quality = 75 tags = "FILE" @@ -145826,13 +145826,13 @@ rule MALPEDIA_Win_Sierras_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f3be1ddb-8bda-512e-abbc-a6a663289c1b" + id = "70c5a6f9-c2e5-57b1-90d8-8b9060fdf637" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sierras_auto.yar#L1-L167" license_url = "N/A" - logic_hash = "v1_sha256_c05b0e9c28fed253d00c96c986fab4dbaf0e644651c700ec0227f1b00097c981" + logic_hash = "c05b0e9c28fed253d00c96c986fab4dbaf0e644651c700ec0227f1b00097c981" score = 75 quality = 75 tags = "FILE" 
@@ -145871,13 +145871,13 @@ rule MALPEDIA_Win_Chrgetpdsi_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c599ccb6-5fce-5f70-a116-1fc4c32fc404" + id = "12254ac4-43e6-5705-9880-6efd82324f77" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chrgetpdsi_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chrgetpdsi_stealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_f510ed1d9dd9ee7e68c40131d1a59b2b1ef7a35fe613361e1f3e48c7e065108c" + logic_hash = "f510ed1d9dd9ee7e68c40131d1a59b2b1ef7a35fe613361e1f3e48c7e065108c" score = 75 quality = 75 tags = "FILE" @@ -145910,13 +145910,13 @@ rule MALPEDIA_Win_Tonedeaf_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a420ead1-113b-58d3-a680-f0c49495d775" + id = "15deba33-5fb4-592a-90c3-bca364871ec1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tonedeaf_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_7f00488f24cf89d345c0d8aa4f5fd46f86ca2b90c3b462b66a07f10b957268c4" + logic_hash = "7f00488f24cf89d345c0d8aa4f5fd46f86ca2b90c3b462b66a07f10b957268c4" score = 75 quality = 75 tags = "FILE" 
@@ -145949,13 +145949,13 @@ rule MALPEDIA_Win_Skinnyboy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "14b998a2-82da-5a12-a683-dd4d889380f1" + id = "fad10de8-1dee-57f5-9740-77610ecb50ba" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skinnyboy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.skinnyboy_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_c9afcf0da0b1a37ea370d6affaf9ae89cf13a4478cab0becac117427110aff91" + logic_hash = "c9afcf0da0b1a37ea370d6affaf9ae89cf13a4478cab0becac117427110aff91" score = 75 quality = 75 tags = "FILE" @@ -145988,13 +145988,13 @@ rule MALPEDIA_Win_Session_Manager_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50066e8e-a4ba-58ae-83e0-70f3c03b0acc" + id = "c7a55698-35d0-50fe-9be2-ce1d92ad4335" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.session_manager" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.session_manager_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_d5175a76f3322d7804a37437b75d91825889aed645aa1d99d4aedae744a409da" + logic_hash = "d5175a76f3322d7804a37437b75d91825889aed645aa1d99d4aedae744a409da" score = 75 quality = 75 tags = "FILE" 
@@ -146027,13 +146027,13 @@ rule MALPEDIA_Win_Sappycache_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a0d6914c-c9a6-54b7-b11e-d2b5f62527e2"
+ id = "5cde3466-1a40-5c62-84c0-18f8fb0eb5bd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sappycache_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_accd6826861cb14b3264b0a3eac9debd4934e0de6f313d816d6bcd533efab795"
+ logic_hash = "accd6826861cb14b3264b0a3eac9debd4934e0de6f313d816d6bcd533efab795"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146066,13 +146066,13 @@ rule MALPEDIA_Win_7Ev3N_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3720d7d9-e38c-5e3d-9522-9f232f468e0e"
+ id = "a2a11178-3257-5261-9f41-b916299315d7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.7ev3n_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_df56762186f095df1883a52e337f3ee36e53ef81834d91aa6fccabc217e84eca"
+ logic_hash = "df56762186f095df1883a52e337f3ee36e53ef81834d91aa6fccabc217e84eca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146105,13 +146105,13 @@ rule MALPEDIA_Win_Hemigate_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "59fb8ad5-c980-5464-adf2-7b11e9830547"
+ id = "0161e2c6-92a2-598c-bebd-ec068752da7a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hemigate"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hemigate_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_e109cb20ab0eaf9ed1c42d9088faaba592aaa23fc85ca45654d9c255b46038b9"
+ logic_hash = "e109cb20ab0eaf9ed1c42d9088faaba592aaa23fc85ca45654d9c255b46038b9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146144,13 +146144,13 @@ rule MALPEDIA_Win_Bitsran_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d42773dd-2647-56d1-a3e5-91bfac287d92"
+ id = "704b65b3-af59-52e9-9dfb-e042a4dda0d0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bitsran_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_e79bcb054b07fb9e07c55e5ca091a76d8b3025c95f8242bfc1e649f657a93d3b"
+ logic_hash = "e79bcb054b07fb9e07c55e5ca091a76d8b3025c95f8242bfc1e649f657a93d3b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146183,13 +146183,13 @@ rule MALPEDIA_Win_Abcsync_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "43fbb86c-a69f-5c63-b400-d3924c915363"
+ id = "d5810457-8b12-50ce-8030-bdbd5a136267"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.abcsync"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.abcsync_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_02ae937251ee063be53e02e33e98dc9b276f9fd2074f9431e5bc0ede2973fadf"
+ logic_hash = "02ae937251ee063be53e02e33e98dc9b276f9fd2074f9431e5bc0ede2973fadf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146222,13 +146222,13 @@ rule MALPEDIA_Win_Ismdoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4036ec6b-f5fe-529f-b9b7-d616bb567975"
+ id = "83a6746f-b3b5-5b57-a445-904bcf5ea3d8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ismdoor_auto.yar#L1-L152"
 license_url = "N/A"
- logic_hash = "v1_sha256_b2a8beb2bbf9a7e436997cbc54636f7d3af94cae5a6618f143e6a6f5f28950e2"
+ logic_hash = "b2a8beb2bbf9a7e436997cbc54636f7d3af94cae5a6618f143e6a6f5f28950e2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146266,13 +146266,13 @@ rule MALPEDIA_Win_Globeimposter_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "80bf31e9-67f0-5eb5-b9e0-4dfcf990ea3a"
+ id = "9dd6e8ba-63ad-5aaa-964a-871b7e1e06e1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.globeimposter_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_f943f3ca79204de3fa7ffd520d4eead395fff4b80988c5a103deba289f7c4696"
+ logic_hash = "f943f3ca79204de3fa7ffd520d4eead395fff4b80988c5a103deba289f7c4696"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146305,13 +146305,13 @@ rule MALPEDIA_Win_Alphanc_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2012a665-33f2-5667-82f6-b7338b17d78c"
+ id = "ebf0ef1c-787d-588a-9f36-5c61e5121c6c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.alphanc_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_c1872178a4528cd6c6c1bbe8c32caefd5306a7f5c047a004c099269a20f7813d"
+ logic_hash = "c1872178a4528cd6c6c1bbe8c32caefd5306a7f5c047a004c099269a20f7813d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146344,13 +146344,13 @@ rule MALPEDIA_Win_Joao_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "18a5b088-839d-5300-88d9-abcd57de6914"
+ id = "0c5eae5c-6b71-5c2d-8653-d15d55163143"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.joao_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_a16bd14cef032c190157889a218a60983ef70bb2ccc40760ffd00615dd49093e"
+ logic_hash = "a16bd14cef032c190157889a218a60983ef70bb2ccc40760ffd00615dd49093e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146383,13 +146383,13 @@ rule MALPEDIA_Win_Remsec_Strider_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bee82a3e-1820-57f1-873c-7d01d6ecbf2c"
+ id = "8ffafd3c-1118-56d9-b912-84b2d6b6409b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.remsec_strider_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_5867115fb4def3b071a615d256fa1eed563d65b07c2fc4fbbe85633ada999202"
+ logic_hash = "5867115fb4def3b071a615d256fa1eed563d65b07c2fc4fbbe85633ada999202"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146422,13 +146422,13 @@ rule MALPEDIA_Elf_Satori_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dc86f72f-bc31-54f6-b2cd-26892a51a8d7"
+ id = "7bafa756-820c-5aa5-a514-aecea3797f7c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.satori_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_971903fb2922c6e0d29023431fedc1f613a69ac9544f2c3e1cb57d7bab55e6a5"
+ logic_hash = "971903fb2922c6e0d29023431fedc1f613a69ac9544f2c3e1cb57d7bab55e6a5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146461,13 +146461,13 @@ rule MALPEDIA_Win_Anchor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d298409b-33db-584d-8259-a19153aedd74"
+ id = "3aabb030-7441-5b84-a113-08295754555e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.anchor_auto.yar#L1-L208"
 license_url = "N/A"
- logic_hash = "v1_sha256_3a0df58657b834f57e58b8e626451593809f6f92127cc7c303935ce966927900"
+ logic_hash = "3a0df58657b834f57e58b8e626451593809f6f92127cc7c303935ce966927900"
 score = 75
 quality = 73
 tags = "FILE"
@@ -146512,13 +146512,13 @@ rule MALPEDIA_Win_Daolpu_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d2a06a7e-0823-599c-a1ad-a477f93debf3"
+ id = "3b934422-e9dc-512e-b748-acfa3a6df0b8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daolpu"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.daolpu_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_75ecbdb2c7e8916d3ac65192115d743be9db42508dfb2c41a685a14b393ff7b1"
+ logic_hash = "75ecbdb2c7e8916d3ac65192115d743be9db42508dfb2c41a685a14b393ff7b1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146551,13 +146551,13 @@ rule MALPEDIA_Win_Taurus_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b24c6ef7-06d0-52a0-9f9b-989d8bf49b04"
+ id = "5276d323-6b6a-5024-a34e-199bec8325fa"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.taurus_stealer_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_97e3f8c58ab1394f8abf2308bd9b8032a5e1fd7c003ba327319dfca1b156cb9c"
+ logic_hash = "97e3f8c58ab1394f8abf2308bd9b8032a5e1fd7c003ba327319dfca1b156cb9c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146590,13 +146590,13 @@ rule MALPEDIA_Win_Tempedreve_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "949fdf36-689f-5f9e-9a59-bef8d67f42b6"
+ id = "9e025c63-22da-56b2-8f0f-12b35d9ea5db"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tempedreve_auto.yar#L1-L156"
 license_url = "N/A"
- logic_hash = "v1_sha256_ff28ad4e45522fd6ad775c186581b049a8c3b1257f6ade7f519c8365bdcce952"
+ logic_hash = "ff28ad4e45522fd6ad775c186581b049a8c3b1257f6ade7f519c8365bdcce952"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146635,13 +146635,13 @@ rule MALPEDIA_Win_Typeframe_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a8b9d33e-2e86-5732-ba20-f54dd191e7e4"
+ id = "54b5c61d-baac-5ee7-bf22-feb7211e94de"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.typeframe"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.typeframe_auto.yar#L1-L148"
 license_url = "N/A"
- logic_hash = "v1_sha256_80d5f324e45f06373a108fe4a18abca87604cdaaeb894c2ac4120a591e037164"
+ logic_hash = "80d5f324e45f06373a108fe4a18abca87604cdaaeb894c2ac4120a591e037164"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146680,13 +146680,13 @@ rule MALPEDIA_Win_Mokes_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a79d430e-beab-5fce-9328-3383f93c3b5e"
+ id = "c2ac2973-931f-5609-90a2-11e20fcc17b8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mokes_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_4e4c9d74cc0d3144676404e81ee560de6bc14d4b048ed928b0226c3699c7f157"
+ logic_hash = "4e4c9d74cc0d3144676404e81ee560de6bc14d4b048ed928b0226c3699c7f157"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146719,13 +146719,13 @@ rule MALPEDIA_Win_Tidepool_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "41c81638-da0a-5423-b60e-033d305b4f06"
+ id = "c47d0b4d-1c2a-583a-a083-2239d9e6be2a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tidepool_auto.yar#L1-L265"
 license_url = "N/A"
- logic_hash = "v1_sha256_81ef950afde11d443ee135cd0277277468eb293508aa726a79916bd48024f136"
+ logic_hash = "81ef950afde11d443ee135cd0277277468eb293508aa726a79916bd48024f136"
 score = 75
 quality = 73
 tags = "FILE"
@@ -146776,13 +146776,13 @@ rule MALPEDIA_Win_Socksbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3aaf471b-86a9-5b73-9759-377e9196214c"
+ id = "b5f93aff-75da-58af-bf18-de683a7c9eb8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.socksbot_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_be6f7343dfb40a0e2f1dec96db93036928644c868cacce36ad5e92217ff2c80d"
+ logic_hash = "be6f7343dfb40a0e2f1dec96db93036928644c868cacce36ad5e92217ff2c80d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146815,13 +146815,13 @@ rule MALPEDIA_Win_Miuref_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "498b85e4-54b1-5e1c-905a-32296824e668"
+ id = "4c12abfd-56eb-5794-a878-e360bcdd710f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.miuref_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_5ba2d5449e6730857e7b4a98904adc38cf054939f52a1a5bc78d4b800b88b99f"
+ logic_hash = "5ba2d5449e6730857e7b4a98904adc38cf054939f52a1a5bc78d4b800b88b99f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146854,13 +146854,13 @@ rule MALPEDIA_Win_Teleport_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "70b7281f-78ff-575c-a4ef-76f09ebbc848"
+ id = "27108ab3-6cb2-5111-9364-d7f24d03816a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.teleport"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.teleport_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_833087ce8b406b0ed8db8d58a090084d0531be2127d4429df6d3e776d65bddb6"
+ logic_hash = "833087ce8b406b0ed8db8d58a090084d0531be2127d4429df6d3e776d65bddb6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146893,13 +146893,13 @@ rule MALPEDIA_Win_Glooxmail_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4277b9d1-06a3-5149-9f7f-f7159ed5789d"
+ id = "c8b40bc0-2701-5e85-b527-dfec9c8227da"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.glooxmail_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_0702baea6e45ee40dbbd470cae1ae641eba3358089995e7fe66a20e43c2df933"
+ logic_hash = "0702baea6e45ee40dbbd470cae1ae641eba3358089995e7fe66a20e43c2df933"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146932,13 +146932,13 @@ rule MALPEDIA_Win_Azorult_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "47bb3a07-3300-5c3a-be9f-7eb231dc2b81"
+ id = "78ceafa4-342d-5f15-9b14-b1abd4927873"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.azorult_auto.yar#L1-L163"
 license_url = "N/A"
- logic_hash = "v1_sha256_41a9a9a645aa649d01575fa1735f856598b52bd5cebd3453810c05cbd7a89f47"
+ logic_hash = "41a9a9a645aa649d01575fa1735f856598b52bd5cebd3453810c05cbd7a89f47"
 score = 75
 quality = 75
 tags = "FILE"
@@ -146977,13 +146977,13 @@ rule MALPEDIA_Win_Gsecdump_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d411f208-fe8c-5bba-b9ca-aed5a818ebac"
+ id = "ce480a68-e8bd-5d8c-86f5-be48ddeea1ee"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gsecdump_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_a72a04a740244a6cb1848f1152ab924ea33c81fae0f1332c81f641d1b7e5f823"
+ logic_hash = "a72a04a740244a6cb1848f1152ab924ea33c81fae0f1332c81f641d1b7e5f823"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147016,13 +147016,13 @@ rule MALPEDIA_Win_Navrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dab4fe33-4958-57c2-bce9-1afc87689ca4"
+ id = "c873f75a-bac6-59c1-887a-5d663acd72dd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.navrat_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_c07b699c6f0dfc54b32e135d358bdfb08bd5b26e1aa027b1f4dd7fec4dc44720"
+ logic_hash = "c07b699c6f0dfc54b32e135d358bdfb08bd5b26e1aa027b1f4dd7fec4dc44720"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147055,13 +147055,13 @@ rule MALPEDIA_Win_Emdivi_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2d380665-2301-5770-a240-0525d22cf6a4"
+ id = "04ac374c-dabe-58e4-92b7-b141ee96d84c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.emdivi_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_17250ab484761cd3c4abb0e5e481a1578bae8e41059cc5bbab60b36acc5f6199"
+ logic_hash = "17250ab484761cd3c4abb0e5e481a1578bae8e41059cc5bbab60b36acc5f6199"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147094,13 +147094,13 @@ rule MALPEDIA_Win_Vflooder_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "43fdb812-f49d-5121-9492-69743bff8e58"
+ id = "76477b84-f3c3-5da1-86fd-c61daea161aa"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vflooder_auto.yar#L1-L106"
 license_url = "N/A"
- logic_hash = "v1_sha256_d33638034753d47f1d3c882a126dc14f7048d70033f800573b6ecd2c27103b12"
+ logic_hash = "d33638034753d47f1d3c882a126dc14f7048d70033f800573b6ecd2c27103b12"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147133,13 +147133,13 @@ rule MALPEDIA_Win_Atmosphere_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c519d676-e755-5e4c-a9fb-aaade788dfcd"
+ id = "b490d7b3-3c9f-56a0-8e37-e6b8aeb02255"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atmosphere_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_09ff5db5949a2315ec4eb307f77f435859e4dd2533efb70945aee06235bab5f1"
+ logic_hash = "09ff5db5949a2315ec4eb307f77f435859e4dd2533efb70945aee06235bab5f1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147172,13 +147172,13 @@ rule MALPEDIA_Win_Photoloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3c6b83cb-1b9a-504a-99e7-9b0fc2b9e3d8"
+ id = "a08024a5-b726-5fe7-bae6-d20cf144169e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.photoloader_auto.yar#L1-L167"
 license_url = "N/A"
- logic_hash = "v1_sha256_23120e8333171e7b242a43c78525c83b36a92ed0c9ad8db34350941d5629fd06"
+ logic_hash = "23120e8333171e7b242a43c78525c83b36a92ed0c9ad8db34350941d5629fd06"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147217,13 +147217,13 @@ rule MALPEDIA_Win_Atmitch_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d48b8ecf-0351-5ee8-a914-74ddb5f23d23"
+ id = "72b8ffe7-fc9a-5d92-9de1-9193b095fc04"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atmitch_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_e051c844a76319030fd5ab69ee7c6a522b22df21eb94d4b042bb698655f157ac"
+ logic_hash = "e051c844a76319030fd5ab69ee7c6a522b22df21eb94d4b042bb698655f157ac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147256,13 +147256,13 @@ rule MALPEDIA_Win_Htran_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f9718339-bb60-5788-b05c-b833f02af94b"
+ id = "791ab88f-729e-59ed-af49-9775d8f95bf2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.htran_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_644467af100df6d78907af875b29f835634dff017ff5ecb28fa828ec75819c6e"
+ logic_hash = "644467af100df6d78907af875b29f835634dff017ff5ecb28fa828ec75819c6e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147295,13 +147295,13 @@ rule MALPEDIA_Win_Spora_Ransom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "77d97716-69e7-59b6-b779-3a62bb5cbb90"
+ id = "5d94c115-8898-5fd2-9400-bd1b65702971"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spora_ransom_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_8cb28aa2ca756a794bdd2f8c19a9ebbdf2da0e5ca39f0f44ec247ce30af41008"
+ logic_hash = "8cb28aa2ca756a794bdd2f8c19a9ebbdf2da0e5ca39f0f44ec247ce30af41008"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147334,13 +147334,13 @@ rule MALPEDIA_Win_Yarat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "59a1d27e-be3a-5c95-a973-ab970b6db6d9"
+ id = "26d63431-4d21-54e8-9725-9df9b9ea5db9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yarat_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_48d9368820ba368c523115d54deddffc1bdeeafa57938343dae7eabda399b87d"
+ logic_hash = "48d9368820ba368c523115d54deddffc1bdeeafa57938343dae7eabda399b87d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147373,13 +147373,13 @@ rule MALPEDIA_Win_5T_Downloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0c4b3776-51ea-58ea-919a-36d4e5c3b1c7"
+ id = "5362fc02-7c1d-5a3b-a300-446438d04597"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.5t_downloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.5t_downloader_auto.yar#L1-L111"
 license_url = "N/A"
- logic_hash = "v1_sha256_89d6b68b4695f52c4102e727ccfceba9dea8c1d372d4dac3b5353663c79c51c0"
+ logic_hash = "89d6b68b4695f52c4102e727ccfceba9dea8c1d372d4dac3b5353663c79c51c0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147412,13 +147412,13 @@ rule MALPEDIA_Win_Httpbrowser_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "389c63c8-c428-503c-9081-f3df3016471d"
+ id = "adff80ab-eb6c-5a3c-b157-43b2baed9ae7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.httpbrowser_auto.yar#L1-L173"
 license_url = "N/A"
- logic_hash = "v1_sha256_00c38478a4fbc51d8b9ca5fb24e8846e76e8f61512ecf76046dde9dd700684fd"
+ logic_hash = "00c38478a4fbc51d8b9ca5fb24e8846e76e8f61512ecf76046dde9dd700684fd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147457,13 +147457,13 @@ rule MALPEDIA_Win_Regretlocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7ff95a38-d8aa-553c-b49a-099a488d3ca1"
+ id = "a9ec355a-0ebd-5eae-9855-3c394e286080"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.regretlocker_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_f3fb26e7f48e7fc6e56408b23120104bca26438c533527ef9b1632b5882b6ef9"
+ logic_hash = "f3fb26e7f48e7fc6e56408b23120104bca26438c533527ef9b1632b5882b6ef9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147496,13 +147496,13 @@ rule MALPEDIA_Win_Tclient_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7d5205af-befc-5ffa-ad18-6cd0c32427e2"
+ id = "3639f84f-4aec-569c-9a4b-faa8f23f8b5c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tclient_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_27c191c2603bf7d7ea682fd55fb7f07be28d5958dc675e32b4f634f07d524410"
+ logic_hash = "27c191c2603bf7d7ea682fd55fb7f07be28d5958dc675e32b4f634f07d524410"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147535,13 +147535,13 @@ rule MALPEDIA_Win_Phorpiex_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "96630fec-df6b-5713-817d-5748e735db55"
+ id = "93126ddf-7d23-57a9-b11d-b555411adf12"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.phorpiex_auto.yar#L1-L281"
 license_url = "N/A"
- logic_hash = "v1_sha256_ecdba64c76b9c6ee0e76612106be4a9e4db8b2914c6804e0ef9feb32643b1afb"
+ logic_hash = "ecdba64c76b9c6ee0e76612106be4a9e4db8b2914c6804e0ef9feb32643b1afb"
 score = 75
 quality = 73
 tags = "FILE"
@@ -147594,13 +147594,13 @@ rule MALPEDIA_Win_Neutrino_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "746d0447-6d3c-5ee0-8906-e1871b461e16"
+ id = "9a95af10-a741-56c4-8bb8-54cc2e65dd52"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.neutrino_auto.yar#L1-L330"
 license_url = "N/A"
- logic_hash = "v1_sha256_326fe9ea9352871202c596bbb0d54c8449971285bd5a9b495a305700faaa6e71"
+ logic_hash = "326fe9ea9352871202c596bbb0d54c8449971285bd5a9b495a305700faaa6e71"
 score = 60
 quality = 43
 tags = "FILE"
@@ -147657,13 +147657,13 @@ rule MALPEDIA_Win_Korlia_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7b00fcdb-1c05-5e04-b35d-00fa11611f59"
+ id = "f4183d87-ea91-5bb4-a600-f9953387c71f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.korlia_auto.yar#L1-L479"
 license_url = "N/A"
- logic_hash = "v1_sha256_05ee31919c5d4bc6056f376629b9d7ad98c63e5082d49653926cef5a9130bcaf"
+ logic_hash = "05ee31919c5d4bc6056f376629b9d7ad98c63e5082d49653926cef5a9130bcaf"
 score = 75
 quality = 50
 tags = "FILE"
@@ -147738,13 +147738,13 @@ rule MALPEDIA_Win_Kutaki_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c695176c-0715-528c-a08a-6aa7590e2362"
+ id = "3c87fe1d-05a9-5edb-bd70-90267ed2d35f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kutaki_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_f474749c1cd094eae743101c28ca84cb1920c476698848136df3aa022b49d368"
+ logic_hash = "f474749c1cd094eae743101c28ca84cb1920c476698848136df3aa022b49d368"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147777,13 +147777,13 @@ rule MALPEDIA_Win_Snojan_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6de97aba-1369-529d-ad06-40ab7993fb55"
+ id = "9f201807-eca2-5671-8fb1-4c54ce96e5b1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.snojan_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_1d25311cfd419aa863c883b495c4bbb0986a7541ebe6286749992456a12c9723"
+ logic_hash = "1d25311cfd419aa863c883b495c4bbb0986a7541ebe6286749992456a12c9723"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147816,13 +147816,13 @@ rule MALPEDIA_Win_Makop_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9c56efb6-5379-553d-a390-75b3b16a7501"
+ id = "55bb2009-0773-50d3-bf67-d639c1dcecf4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.makop_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_15bd73a7e0423413ca2025ecc2d41d366425fcba5c6c678e6bdd7d61fffbeff6"
+ logic_hash = "15bd73a7e0423413ca2025ecc2d41d366425fcba5c6c678e6bdd7d61fffbeff6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147855,13 +147855,13 @@ rule MALPEDIA_Win_Reaver_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "86c6dd24-ac1b-542b-9c5c-f9b080e5f2d1"
+ id = "3d8bacff-8149-5ea1-b108-9a71e294cb35"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.reaver_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_48c5b411e85068c0dc8fd141ff59dabcc3c0e5a62fed45c81149c84c9623f348"
+ logic_hash = "48c5b411e85068c0dc8fd141ff59dabcc3c0e5a62fed45c81149c84c9623f348"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147894,13 +147894,13 @@ rule MALPEDIA_Win_Spyder_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3ccb3e2e-e879-5e46-bc2b-10825dd2c91f"
+ id = "5e1aebf0-6155-5533-b005-6b02cbbc8082"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spyder_auto.yar#L1-L173"
 license_url = "N/A"
- logic_hash = "v1_sha256_0a4823dcbe7cde22c22d2c4c8ece9fed1a6046b4847d90f2e0d8e717ed405fab"
+ logic_hash = "0a4823dcbe7cde22c22d2c4c8ece9fed1a6046b4847d90f2e0d8e717ed405fab"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147939,13 +147939,13 @@ rule MALPEDIA_Win_Lightneuron_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d15a0f84-cdc2-5a4f-be26-fbaa6fc8a842"
+ id = "4c2cf7c9-a6e0-519d-9025-fdcf709d68d0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lightneuron_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_5722f811a0c9c408e5a8640f3b100c752da3b058e0e2eee886d08d397042326e"
+ logic_hash = "5722f811a0c9c408e5a8640f3b100c752da3b058e0e2eee886d08d397042326e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -147978,13 +147978,13 @@ rule MALPEDIA_Win_Soul_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b40796a0-c091-5ac4-a3c1-a61762694868"
+ id = "e9dd6236-3340-50b4-b5d0-39eff17887cc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soul"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.soul_auto.yar#L1-L235"
 license_url = "N/A"
- logic_hash = "v1_sha256_006ca2db66b727a223c7e1c69f1643e1ec1c7be66a86b7b95f1d15a0130986f8"
+ logic_hash = "006ca2db66b727a223c7e1c69f1643e1ec1c7be66a86b7b95f1d15a0130986f8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -148030,13 +148030,13 @@ rule MALPEDIA_Win_Webc2_Kt3_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "70f5cf9f-8081-5bbd-9801-53020f901207"
+ id = "93781915-1cb2-5abd-9774-3e668f8666c9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_kt3_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_44b6f2b326248f3f927f1e4016d6365a022a7c825a43b779fc8768d5c422e7ad"
+ logic_hash = "44b6f2b326248f3f927f1e4016d6365a022a7c825a43b779fc8768d5c422e7ad"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148069,13 +148069,13 @@ rule MALPEDIA_Win_Webc2_Bolid_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3314ae20-692b-5078-b98e-94b105d135a7"
+ id = "dd418f60-6f65-5186-bdc9-d3ec62c1747f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_bolid_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_d5bb74d5c966a3742a98e85309bd13720d314db10e6aa05f8d544024f31adb6b"
+ logic_hash = "d5bb74d5c966a3742a98e85309bd13720d314db10e6aa05f8d544024f31adb6b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148108,13 +148108,13 @@ rule MALPEDIA_Win_Nexster_Bot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "666b4883-a7ba-5fa1-90f5-47983a441b20"
+ id = "f3849f7f-92fa-5a27-8fce-5cf70a6092f1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nexster_bot_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_68d99297d7676950ef20645c2f54f180e697aada925cf75041287d48b2b4b344"
+ logic_hash = "68d99297d7676950ef20645c2f54f180e697aada925cf75041287d48b2b4b344"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148147,13 +148147,13 @@ rule MALPEDIA_Win_Bagle_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b3ce2038-7c96-5cae-ad9f-9739e07898eb"
+ id = "a1b117c6-ef70-5a17-abcf-06072ab81225"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bagle_auto.yar#L1-L102"
 license_url = "N/A"
- logic_hash = "v1_sha256_78371b093ac9a1cbad80f2768798d5c43910e03f8eb339710028eb9343ade350"
+ logic_hash = "78371b093ac9a1cbad80f2768798d5c43910e03f8eb339710028eb9343ade350"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148184,13 +148184,13 @@ rule MALPEDIA_Win_Threebyte_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6bc2b4e0-c8b3-578b-84c5-d3b4a8cc8af9"
+ id = "db751837-d9fe-5bbc-8e37-81fa1047a177"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.threebyte_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_b532d976fb568c958de01f6c83348e2db5990a266537c8833f6f4b97f2236efc"
+ logic_hash = "b532d976fb568c958de01f6c83348e2db5990a266537c8833f6f4b97f2236efc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148223,13 +148223,13 @@ rule MALPEDIA_Win_Chinotto_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0169454b-d842-5e4c-b1f0-81822c57a20d"
+ id = "0573d972-e907-5e4b-a894-f42d60689ebb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chinotto_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_7b0ad7ae03649166d50ba1fc6b2d39b3f99f903efd2a6958d5ba06fcea9fb997"
+ logic_hash = "7b0ad7ae03649166d50ba1fc6b2d39b3f99f903efd2a6958d5ba06fcea9fb997"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148262,13 +148262,13 @@ rule MALPEDIA_Win_Grabbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6e9cd0d9-adb9-558a-85e6-e393bbb88cba"
+ id = "6b177866-b328-5532-b1df-c68c15ec705b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grabbot_auto.yar#L1-L163"
 license_url = "N/A"
- logic_hash = "v1_sha256_c94d3ff4eb131743923dc6cd096207359254fdb038801b45a5051cbbd0d7bf96"
+ logic_hash = "c94d3ff4eb131743923dc6cd096207359254fdb038801b45a5051cbbd0d7bf96"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148307,13 +148307,13 @@ rule MALPEDIA_Win_Jupiter_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7ac98490-953b-5a75-9cc2-084e4548f7f2"
+ id = "d73fbb35-6ded-5d84-b301-32a821a6ff22"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupiter"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jupiter_auto.yar#L1-L110"
 license_url = "N/A"
- logic_hash = "v1_sha256_1e4ba4252b0bc544e9c72fa0e946f1d0b7c34c44b8125a03ca9d26d89c2795b2"
+ logic_hash = "1e4ba4252b0bc544e9c72fa0e946f1d0b7c34c44b8125a03ca9d26d89c2795b2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148346,13 +148346,13 @@ rule MALPEDIA_Win_Taidoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b1e40cb7-e7f3-5eef-94d8-38b31642282e"
+ id = "ba437ab9-6c90-576a-83d2-5801ebb87e42"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.taidoor_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_7b8ed6f15654e580fefed39d2d4fea0473e69a1fd6a98339a075f2fbcf4be749"
+ logic_hash = "7b8ed6f15654e580fefed39d2d4fea0473e69a1fd6a98339a075f2fbcf4be749"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148385,13 +148385,13 @@ rule MALPEDIA_Win_Polyglot_Ransom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f633df67-0284-5c2f-83b9-ce3651dd32f0"
+ id = "0ac13ffc-60b5-57b4-bdac-0ba216f69178"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.polyglot_ransom_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_207fa5f26622dfd1aef2c3f100c53d4dd46542c0aab03454309445c1893ebb78"
+ logic_hash = "207fa5f26622dfd1aef2c3f100c53d4dd46542c0aab03454309445c1893ebb78"
 score = 75
 quality = 73
 tags = "FILE"
@@ -148424,13 +148424,13 @@ rule MALPEDIA_Win_Gooseegg_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "85f84ff3-a343-5bfc-8c0a-fc91ca53edda"
+ id = "2b01e34b-c4f4-52eb-8cca-5f132c510659"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gooseegg"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gooseegg_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_40532f14598b07ba3f10571e0b95a9ef51b8ec16ffc21df237328572ddb56a5f"
+ logic_hash = "40532f14598b07ba3f10571e0b95a9ef51b8ec16ffc21df237328572ddb56a5f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148463,13 +148463,13 @@ rule MALPEDIA_Win_Manjusaka_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7a6480f0-057a-59ae-b632-224d7f21dd50"
+ id = "e3ef2c8a-601e-5fad-bcaf-45a15d46a182"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.manjusaka"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.manjusaka_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_b609fc5a0f646080989595e70a17261ca84aa420275082a0a377fc146648363a"
+ logic_hash = "b609fc5a0f646080989595e70a17261ca84aa420275082a0a377fc146648363a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148502,13 +148502,13 @@ rule MALPEDIA_Win_Tinba_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "af546549-7dc5-59d8-9e36-f1d5d46af16d"
+ id = "8dfb27e2-54cb-58f0-8a40-15de14b5671d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tinba_auto.yar#L1-L138"
 license_url = "N/A"
- logic_hash = "v1_sha256_12776db9a2ca5e4e1bee242492b810213115a7f9fd4fce223ca3d2d59532f5e7"
+ logic_hash = "12776db9a2ca5e4e1bee242492b810213115a7f9fd4fce223ca3d2d59532f5e7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148544,13 +148544,13 @@ rule MALPEDIA_Win_Hive_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9b522ceb-8b28-533d-83e1-7f384e6d6f02"
+ id = "648fda14-26aa-5cb6-b0b0-33ac82fa76a4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hive_auto.yar#L1-L193"
 license_url = "N/A"
- logic_hash = "v1_sha256_b786ded85189e10c8f992d72b9f33dda53290c7d2488c59423c5787b80ba3c77"
+ logic_hash = "b786ded85189e10c8f992d72b9f33dda53290c7d2488c59423c5787b80ba3c77"
 score = 75
 quality = 73
 tags = "FILE"
@@ -148594,13 +148594,13 @@ rule MALPEDIA_Win_Darkbit_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fea2e91e-7962-57c8-9a2f-0a9a437feeca"
+ id = "17d9f575-1833-580e-9f9a-26ac57d772c0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkbit"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkbit_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_a8284822bcb0339f6639d77d907a6e073020f408fd2caaa614e40aa5d0446833"
+ logic_hash = "a8284822bcb0339f6639d77d907a6e073020f408fd2caaa614e40aa5d0446833"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148633,13 +148633,13 @@ rule MALPEDIA_Win_Megumin_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "93179f80-435d-5232-9dc3-d373e03b14ae"
+ id = "37ab0bcc-cdac-5d31-a456-2de10ec33215"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.megumin_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_a365528e95f0493decec29de859395bb6581a0dddcbbf2af0b80b92938590fb4"
+ logic_hash = "a365528e95f0493decec29de859395bb6581a0dddcbbf2af0b80b92938590fb4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148672,13 +148672,13 @@ rule MALPEDIA_Win_Matsnu_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2e7543f7-a3c3-50f1-bc86-910a59e983ab"
+ id = "0f71c5ab-0c82-5153-bcd8-045c162f2f63"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.matsnu_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_95216433634cb314b9cc2cf8428b6a5d974607cd960d3ec0665086600fff0829"
+ logic_hash = "95216433634cb314b9cc2cf8428b6a5d974607cd960d3ec0665086600fff0829"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148711,13 +148711,13 @@ rule MALPEDIA_Win_Slub_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7187e274-d9ca-51e9-ad7b-390e7a93f115"
+ id = "94a02bf2-7103-5d7e-aa8d-633d7fba4826"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.slub_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_aee363d67e6a37d8547028a75375273379b56a2505a09b01f68a1ed9e200ef20"
+ logic_hash = "aee363d67e6a37d8547028a75375273379b56a2505a09b01f68a1ed9e200ef20"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148750,13 +148750,13 @@ rule MALPEDIA_Win_Brutpos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "afec37c8-1f13-5db9-a13e-d0840174d51a"
+ id = "bb6abccd-59b3-5a30-9e67-ccbe498737a5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.brutpos_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_89d0bc6a7e52ba9f63dface96ebbf483b03be0cbf8144ed32f3b88bf360b4eda"
+ logic_hash = "89d0bc6a7e52ba9f63dface96ebbf483b03be0cbf8144ed32f3b88bf360b4eda"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148789,13 +148789,13 @@ rule MALPEDIA_Win_Warhawk_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0ebb0da9-c667-54f4-b2c8-3db66f24538c"
+ id = "d92d335d-f362-53f6-93fa-a01200e00bae"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warhawk"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.warhawk_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_d9e9a0b8b1caa43bf9cbeab42b90b2f052f6c3a1e02d41041e6ffa8282518c4f"
+ logic_hash = "d9e9a0b8b1caa43bf9cbeab42b90b2f052f6c3a1e02d41041e6ffa8282518c4f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148828,13 +148828,13 @@ rule MALPEDIA_Win_Nightsky_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7b7f44d7-d36d-5641-9a52-615f60737c19"
+ id = "4a533df6-d2c4-5b9b-962a-f564ffc19b28"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nightsky_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_8ca19ad5375675bc771b33a25611cc75796ee0768ba76a94df6cf267eb73de25"
+ logic_hash = "8ca19ad5375675bc771b33a25611cc75796ee0768ba76a94df6cf267eb73de25"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148867,13 +148867,13 @@ rule MALPEDIA_Win_Unidentified_087_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "61f2a49b-fb0c-5ace-abf0-db6f11b92f9f"
+ id = "bb2770ef-ba3c-5373-be21-3fb31c73a40c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_087"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_087_auto.yar#L1-L173"
 license_url = "N/A"
- logic_hash = "v1_sha256_10f141206749e7e53bb829c93df64c19732ef1dad0c95b847ac5042b772c3c95"
+ logic_hash = "10f141206749e7e53bb829c93df64c19732ef1dad0c95b847ac5042b772c3c95"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148912,13 +148912,13 @@ rule MALPEDIA_Win_Silon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f7b7af5d-47db-5e40-a65a-e4e1d2b64721"
+ id = "79ca4e66-80c4-54d1-ad2d-bb8c124436f4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.silon_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_874421a098d05c259305f60b2d95c6c3b7ec16195697a960df4680d8169470c0"
+ logic_hash = "874421a098d05c259305f60b2d95c6c3b7ec16195697a960df4680d8169470c0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148951,13 +148951,13 @@ rule MALPEDIA_Win_Aytoke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c76f72f2-92af-5530-9087-b7c78cf6d19e"
+ id = "b5ab25e2-4341-5ae9-b651-f00d8ee54d3c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.aytoke_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_fd830f88f9db36bca6c8ff77c03edf20db894b0cd51609c00e9abcdd21defeac"
+ logic_hash = "fd830f88f9db36bca6c8ff77c03edf20db894b0cd51609c00e9abcdd21defeac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -148990,13 +148990,13 @@ rule MALPEDIA_Win_Cobint_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6458d531-aa75-5422-b324-1c12226f26c0"
+ id = "dd3cfa53-3afd-5f13-9cc9-77e829d3a136"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cobint_auto.yar#L1-L242"
 license_url = "N/A"
- logic_hash = "v1_sha256_20f11bf7d864567f810adcdb08276a34acb4cfe1ecb4d7216907f33469c0f11b"
+ logic_hash = "20f11bf7d864567f810adcdb08276a34acb4cfe1ecb4d7216907f33469c0f11b"
 score = 75
 quality = 73
 tags = "FILE"
@@ -149043,13 +149043,13 @@ rule MALPEDIA_Win_Netwire_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "57957c09-a49a-56ce-ac61-f4310bba33a6"
+ id = "2c3233b5-61d2-5539-be18-0c5c0b8c6392"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.netwire_auto.yar#L1-L110"
 license_url = "N/A"
- logic_hash = "v1_sha256_0b138a1b5ce5fce5b2fe27d94e6291c8b6ec4ddfb907147d54fe206b7b73d328"
+ logic_hash = "0b138a1b5ce5fce5b2fe27d94e6291c8b6ec4ddfb907147d54fe206b7b73d328"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149082,13 +149082,13 @@ rule MALPEDIA_Win_Highnote_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "32e61eeb-a6b9-5d0d-b2a1-1023ecead382"
+ id = "42430ae0-711a-5af0-8cf0-021ee7268750"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.highnote_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_9c56af2f565860a63358a81454cb924c53c1536bda24fa1a3a598c536c013797"
+ logic_hash = "9c56af2f565860a63358a81454cb924c53c1536bda24fa1a3a598c536c013797"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149121,13 +149121,13 @@ rule MALPEDIA_Win_Cerber_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "86800e0d-80e9-5d62-823b-23a665fb3da5"
+ id = "8ad318b2-fd4e-5d92-a12e-9e1971af4667"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cerber_auto.yar#L1-L103"
 license_url = "N/A"
- logic_hash = "v1_sha256_ae8e4dedfae2653bfc99d378ae78948f80a8248c771063fd5aaf09788296968e"
+ logic_hash = "ae8e4dedfae2653bfc99d378ae78948f80a8248c771063fd5aaf09788296968e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149158,13 +149158,13 @@ rule MALPEDIA_Win_Zeus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "60ee791a-83bf-5453-a098-f33879806498"
+ id = "4fe3f9dd-2485-552f-9a89-ff72673ef49c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zeus_auto.yar#L1-L222"
 license_url = "N/A"
- logic_hash = "v1_sha256_5c96f3aec91f480609a26c2c5106b944c5143184de972e1c667aa8b1ec8b4815"
+ logic_hash = "5c96f3aec91f480609a26c2c5106b944c5143184de972e1c667aa8b1ec8b4815"
 score = 75
 quality = 73
 tags = "FILE"
@@ -149210,13 +149210,13 @@ rule MALPEDIA_Win_Megacortex_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bc2d4c61-efe6-547c-84bb-99a81fc19a0d"
+ id = "ada38623-7613-5dfe-bdcd-0251e4cadd44"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.megacortex_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_708d38e954539c490225999d6efcff9513f99a24765329194cd39e598c2360c1"
+ logic_hash = "708d38e954539c490225999d6efcff9513f99a24765329194cd39e598c2360c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149249,13 +149249,13 @@ rule MALPEDIA_Win_Oddjob_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3d7aba48-e344-588c-8be1-07f3a125e99e"
+ id = "32aa97fe-459e-54bb-b312-8c16abdd023e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.oddjob_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_c90a8570c9226524a00ad8a64dc22040d6bcfc4b7b8994bff5525418a1842496"
+ logic_hash = "c90a8570c9226524a00ad8a64dc22040d6bcfc4b7b8994bff5525418a1842496"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149288,13 +149288,13 @@ rule MALPEDIA_Win_Classfon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "69a2fdb6-528d-5155-a586-b6aa5d8d8f9a"
+ id = "a25f42c4-4355-51f7-b6ab-00b467c76376"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.classfon_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_66ac3b2c234be6c5adfcd77cebd772d5254febc41066bba0a145357a351f1537"
+ logic_hash = "66ac3b2c234be6c5adfcd77cebd772d5254febc41066bba0a145357a351f1537"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149327,13 +149327,13 @@ rule MALPEDIA_Win_Newcore_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "59013bac-5647-55c7-aa35-6bbf37a758e8"
+ id = "1da70a7f-a318-54ce-916c-cf7245c92f4f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.newcore_rat_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_4e9038b9cb3dfc5a1f725a1c7c7f2099a8bbce01f729092f2f2495b7d4912fe0"
+ logic_hash = "4e9038b9cb3dfc5a1f725a1c7c7f2099a8bbce01f729092f2f2495b7d4912fe0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149366,13 +149366,13 @@ rule MALPEDIA_Win_Maggie_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c9881719-23b8-5ad3-8e01-0833c99e7def"
+ id = "0ba792f1-dd78-5b98-8593-543560b6dc1a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maggie"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.maggie_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_f79cbc6ae2d70c9e6484e5066353afb6506cea51f8ea75e10ee4458493abfd34"
+ logic_hash = "f79cbc6ae2d70c9e6484e5066353afb6506cea51f8ea75e10ee4458493abfd34"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149405,13 +149405,13 @@ rule MALPEDIA_Win_Godzilla_Loader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "41da1397-135b-5a47-a2ce-811200f05191"
+ id = "9353009a-9ab6-50d2-b27c-912bbfae24ce"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.godzilla_loader_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_15db96ce18a2f3fdeaf72974bdf0f4fdfaa545b5ea238cf268df493277052de4"
+ logic_hash = "15db96ce18a2f3fdeaf72974bdf0f4fdfaa545b5ea238cf268df493277052de4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149444,13 +149444,13 @@ rule MALPEDIA_Win_Blackcat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dd12af1b-62b9-57dd-97cf-b509aff96cf3"
+ id = "96a105c9-de9b-58fc-9332-46741d0ee4b6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackcat_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_ca17c8ec53cce7ae9541a2b17fcd5b20eeda404acb33b9d6489549a59a5a4868"
+ logic_hash = "ca17c8ec53cce7ae9541a2b17fcd5b20eeda404acb33b9d6489549a59a5a4868"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149483,13 +149483,13 @@ rule MALPEDIA_Win_Httpsuploader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cb1020cc-79ed-521b-bda1-bce5aab10d78"
+ id = "be17d448-1d90-5f75-8f13-d63b39944dc3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.httpsuploader_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_5be7e6e5938fcb4fa9787510fb0867a1f442345e4d8453db75c177a24413afa4"
+ logic_hash = "5be7e6e5938fcb4fa9787510fb0867a1f442345e4d8453db75c177a24413afa4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -149522,13 +149522,13 @@ rule MALPEDIA_Win_Corebot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5227a3de-c7f7-5dd6-8576-1aa6a2e3e765" + id = "3997db80-c772-5b73-a963-36ab17758ace" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.corebot_auto.yar#L1-L174" license_url = "N/A" - logic_hash = "v1_sha256_39cc93a6c914fbc005d1108deabcbfdb71a7ef825d8251a576b5ab326c580118" + logic_hash = "39cc93a6c914fbc005d1108deabcbfdb71a7ef825d8251a576b5ab326c580118" score = 75 quality = 75 tags = "FILE" @@ -149567,13 +149567,13 @@ rule MALPEDIA_Win_Stop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e712ff8-9881-5ab0-bd2e-92b36a2402f1" + id = "de89cbb5-1ad4-59ee-8eda-db1d3b1226e9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stop_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_1680007e54c6e417cda892af6931e2e17f934d49d2fb7326d537897be6e026a2" + logic_hash = "1680007e54c6e417cda892af6931e2e17f934d49d2fb7326d537897be6e026a2" score = 75 quality = 75 tags = "FILE" 
@@ -149606,13 +149606,13 @@ rule MALPEDIA_Win_Ntospy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71b76504-eafe-50cf-8f52-21b6495d196f" + id = "b4a63087-adf5-553a-badd-9c3b2b74fa54" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ntospy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ntospy_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_cce1d343f3ff134391791227274b4a5b285b13f3052430b7eb6796387898d86b" + logic_hash = "cce1d343f3ff134391791227274b4a5b285b13f3052430b7eb6796387898d86b" score = 75 quality = 75 tags = "FILE" @@ -149645,13 +149645,13 @@ rule MALPEDIA_Win_Innaput_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "751ac78f-e4a8-51b8-ac5e-190c36a0784d" + id = "8696fe6d-5c5e-50d1-8126-e510e7272553" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.innaput_rat_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_9fc4a0f22b0936282c888c32e9151fce9421447e6433604a7df7c0949331d6ed" + logic_hash = "9fc4a0f22b0936282c888c32e9151fce9421447e6433604a7df7c0949331d6ed" score = 75 quality = 75 tags = "FILE" 
@@ -149684,13 +149684,13 @@ rule MALPEDIA_Win_Hunter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2aac78f8-645c-5712-a8b3-30997e5e96ea" + id = "114c619e-d3db-54d7-bef7-7645d901bc94" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hunter_auto.yar#L1-L90" license_url = "N/A" - logic_hash = "v1_sha256_776a5d8eb049aeb15b1138e40f903b0e7294cf0475240df008d707aa37c36610" + logic_hash = "776a5d8eb049aeb15b1138e40f903b0e7294cf0475240df008d707aa37c36610" score = 75 quality = 75 tags = "FILE" @@ -149721,13 +149721,13 @@ rule MALPEDIA_Win_Gophe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d41d4706-0fd5-5f02-8360-c600b11108df" + id = "ec866cdd-740c-530f-890b-7218c8279731" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gophe_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "v1_sha256_040add08167375d6afc19889da745c342bfdae4cd932188be1ff896b4e36f3aa" + logic_hash = "040add08167375d6afc19889da745c342bfdae4cd932188be1ff896b4e36f3aa" score = 75 quality = 75 tags = "FILE" 
@@ -149766,13 +149766,13 @@ rule MALPEDIA_Win_Caddywiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "74642776-d252-5710-bdd3-1b19b140a83d" + id = "a5109c69-dce6-5bdc-a837-95fd9e608c27" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.caddywiper_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_e3d56965e8598d86c97b50c37aebd90c5841d385e5b67b4fcd4ffac110956cd1" + logic_hash = "e3d56965e8598d86c97b50c37aebd90c5841d385e5b67b4fcd4ffac110956cd1" score = 75 quality = 75 tags = "FILE" @@ -149805,13 +149805,13 @@ rule MALPEDIA_Win_Spaceship_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e5f9c3e6-d34a-549a-815c-65d822e8f30f" + id = "cf82a1e6-2655-5412-8f93-024883bc5cc4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spaceship_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_c325451a252fdb438f6f512d14d550b1461b33c1e3170612d6dfec64ac9a2b26" + logic_hash = "c325451a252fdb438f6f512d14d550b1461b33c1e3170612d6dfec64ac9a2b26" score = 75 quality = 75 tags = "FILE" 
@@ -149844,13 +149844,13 @@ rule MALPEDIA_Win_Backbend_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e4ee50b8-62ce-58b4-9ba0-5fd0ca77fbb9" + id = "a22a893e-f0d0-5f47-b17e-12aba9db7e5e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.backbend_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_917ffc9b273790f466925eaea42d05e106cbb5d93ffca6efcba917e5ff6beb38" + logic_hash = "917ffc9b273790f466925eaea42d05e106cbb5d93ffca6efcba917e5ff6beb38" score = 75 quality = 75 tags = "FILE" @@ -149883,13 +149883,13 @@ rule MALPEDIA_Win_Shifu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4e2848b2-64a0-522b-bddf-400f5c4637f2" + id = "48f59764-98d3-5e1f-a9c7-a0c8becc007a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shifu_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_6ab041a16a39f77276573be25c06c5ab679b44b2bef49091360ddb3582fc5f89" + logic_hash = "6ab041a16a39f77276573be25c06c5ab679b44b2bef49091360ddb3582fc5f89" score = 75 quality = 75 tags = "FILE" 
@@ -149922,13 +149922,13 @@ rule MALPEDIA_Win_Alpc_Lpe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "60cd2da1-59d0-520e-a38e-76f948e75225" + id = "2d2adcb6-f098-569a-bf85-49ff70d8e48c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.alpc_lpe_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_f41b95cac61aef76c7f2f31b4e9f327d93351cd15a34ca1f25e406b880001510" + logic_hash = "f41b95cac61aef76c7f2f31b4e9f327d93351cd15a34ca1f25e406b880001510" score = 75 quality = 75 tags = "FILE" @@ -149961,13 +149961,13 @@ rule MALPEDIA_Win_Pgift_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "331425ac-3ef4-54a9-ad92-e2de966c6eb9" + id = "5134e180-c701-504d-b27b-1f2a37782304" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pgift_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_86543d2a9c2965bb35bf9078bd182bce16bae717918e12d47f187ce1755d9b8f" + logic_hash = "86543d2a9c2965bb35bf9078bd182bce16bae717918e12d47f187ce1755d9b8f" score = 75 quality = 75 tags = "FILE" 
@@ -150000,13 +150000,13 @@ rule MALPEDIA_Win_Fk_Undead_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "63b7b953-7efc-57e4-aa47-1f579e883217" + id = "09ebce3e-04fb-58d5-b09d-0377a5f5743c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fk_undead" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fk_undead_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_abdf12f66e02014f48d8c0536c0de5b8efd3d3aad1408262170db0f8bbb09349" + logic_hash = "abdf12f66e02014f48d8c0536c0de5b8efd3d3aad1408262170db0f8bbb09349" score = 75 quality = 75 tags = "FILE" @@ -150039,13 +150039,13 @@ rule MALPEDIA_Win_Ninerat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8d0c1425-f81c-55ad-b5ef-c23bb1f341da" + id = "56fcbf79-427d-50d3-bca3-31de15eac399" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ninerat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ninerat_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "v1_sha256_7c80943a7e234598d055453bf04aeb26119fa41707d1bc3f20d9f334282eb72d" + logic_hash = "7c80943a7e234598d055453bf04aeb26119fa41707d1bc3f20d9f334282eb72d" score = 75 quality = 75 tags = "FILE" 
@@ -150084,13 +150084,13 @@ rule MALPEDIA_Win_Portstarter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1ddfbb80-0e58-59f3-a2ac-4adf84c56f9b" + id = "87b6322a-7ef6-5bd0-bab4-2d7f3526e302" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.portstarter" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.portstarter_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_370c6c0b9e8b4d5e29811c239d93b7467412e95f00ce8f657934e0617f7c9264" + logic_hash = "370c6c0b9e8b4d5e29811c239d93b7467412e95f00ce8f657934e0617f7c9264" score = 75 quality = 75 tags = "FILE" @@ -150123,13 +150123,13 @@ rule MALPEDIA_Win_Aperetif_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "838286a7-89f9-59c1-b04e-2fbaa1c6b646" + id = "795b83b3-4cb3-590f-beec-45294ced14b3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aperetif" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.aperetif_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_9b2b21b13b2a3f0effe3ce03cc46e7cfe39d710a1bc6f103bbb173ad06ff9edf" + logic_hash = "9b2b21b13b2a3f0effe3ce03cc46e7cfe39d710a1bc6f103bbb173ad06ff9edf" score = 75 quality = 75 tags = "FILE" 
@@ -150162,13 +150162,13 @@ rule MALPEDIA_Win_Outlook_Backdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cf68a4e7-3dfe-5664-a150-9f8d4c382ad2" + id = "02559762-15b6-5207-804c-a16ddeee8406" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.outlook_backdoor_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_3a281d78de1c71eb339e38944e06a51b382bc71a750ef84181f02e7a83ac1311" + logic_hash = "3a281d78de1c71eb339e38944e06a51b382bc71a750ef84181f02e7a83ac1311" score = 75 quality = 75 tags = "FILE" @@ -150201,13 +150201,13 @@ rule MALPEDIA_Win_Invisimole_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "67a0d721-1b35-5937-8292-464488152692" + id = "55a375db-e677-582e-bce8-b3a68908eaf5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.invisimole_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_8f39140cf09da2962c64c906a5e356fe5a001c88884a167cc322923fa7d9bdf4" + logic_hash = "8f39140cf09da2962c64c906a5e356fe5a001c88884a167cc322923fa7d9bdf4" score = 75 quality = 75 tags = "FILE" 
@@ -150240,13 +150240,13 @@ rule MALPEDIA_Win_Rumish_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "060bb356-a9fc-54be-887f-b4b56f40d269" + id = "39ff2947-af25-5616-8af4-3255d7aff8f4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rumish_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_a573540e20ab8e039d32cb674dc87b90cf57e8c3eeb462c1c864991bf4880267" + logic_hash = "a573540e20ab8e039d32cb674dc87b90cf57e8c3eeb462c1c864991bf4880267" score = 75 quality = 75 tags = "FILE" @@ -150279,13 +150279,13 @@ rule MALPEDIA_Win_Grateful_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0be6344b-1f63-5544-a45c-1cd89d6ba2a3" + id = "9ee923d9-386a-5d32-9440-a8b85e81712d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grateful_pos_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "v1_sha256_ee462fd47d72681e88085a94b5322cb383fccf63de7910d0f50a42105a7d61e3" + logic_hash = "ee462fd47d72681e88085a94b5322cb383fccf63de7910d0f50a42105a7d61e3" score = 75 quality = 75 tags = "FILE" 
@@ -150324,13 +150324,13 @@ rule MALPEDIA_Win_Kwampirs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d70d2ab2-210f-5a0d-aea8-f77c96b878de" + id = "0c831c38-f3af-5c4b-940a-effdace44ac1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kwampirs_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_05da0209b4ac4234af04c94a25b568ea854e2af3b982527383637ef20b197483" + logic_hash = "05da0209b4ac4234af04c94a25b568ea854e2af3b982527383637ef20b197483" score = 75 quality = 75 tags = "FILE" @@ -150363,13 +150363,13 @@ rule MALPEDIA_Win_Purplefox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aaae760e-0e97-5c3d-8bdf-4e41de524280" + id = "e0153672-5fee-5a98-93dd-cdb37613f00c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.purplefox_auto.yar#L1-L389" license_url = "N/A" - logic_hash = "v1_sha256_bc347e2a2c2675d6f613a457b6f24810b2ee549a3110e9ad4ab849ea2adb4170" + logic_hash = "bc347e2a2c2675d6f613a457b6f24810b2ee549a3110e9ad4ab849ea2adb4170" score = 75 quality = 73 tags = "FILE" 
@@ -150432,13 +150432,13 @@ rule MALPEDIA_Win_Explosive_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9bf65318-914b-5762-b7d7-0e9a514c476c" + id = "7b0d5ce8-6828-5e32-af59-28d083ff4edd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.explosive_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.explosive_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_40a44221da76d27c5ed05de925a337ead09b51104536f440f38ebfb4960fa91d" + logic_hash = "40a44221da76d27c5ed05de925a337ead09b51104536f440f38ebfb4960fa91d" score = 75 quality = 75 tags = "FILE" @@ -150471,13 +150471,13 @@ rule MALPEDIA_Win_Roopy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c94f76d0-8c84-5e1b-bee4-b0bee9e665f2" + id = "9d1cd38d-a1c4-5021-82c4-ab42553b0148" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.roopy_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_635b23691aea648c5b01623163933331eba5c241a10085695aa02ee95522aae1" + logic_hash = "635b23691aea648c5b01623163933331eba5c241a10085695aa02ee95522aae1" score = 75 quality = 75 tags = "FILE" 
@@ -150510,13 +150510,13 @@ rule MALPEDIA_Win_Buhtrap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5b4b10ee-def2-5989-b13d-0f364333b76d" + id = "05dfe1b7-7658-5a73-95c7-d9332b18397d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.buhtrap_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "v1_sha256_93883b1f6de8bbb29347fc147d93effe74e75beef64981374094d11349e65af7" + logic_hash = "93883b1f6de8bbb29347fc147d93effe74e75beef64981374094d11349e65af7" score = 75 quality = 75 tags = "FILE" @@ -150554,13 +150554,13 @@ rule MALPEDIA_Win_Stabuniq_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "490297b0-e3ca-5b8e-b0fd-c03252e9f514" + id = "aceb592e-d7b5-5f4a-8a9e-1d7eba65be7f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stabuniq_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_8abe8b1e5433d79ecca06d79534ec6148ee9460e9d28a8041508dc1cd6d954c1" + logic_hash = "8abe8b1e5433d79ecca06d79534ec6148ee9460e9d28a8041508dc1cd6d954c1" score = 75 quality = 75 tags = "FILE" 
@@ -150593,13 +150593,13 @@ rule MALPEDIA_Win_Powerpool_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6b03195a-f2c0-54c1-a01d-d020e615fb7d" + id = "4c6bacc6-3c31-5308-8644-c77bb5f04b3b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.powerpool_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "v1_sha256_fc225d3ab668ac0553c91764abb5591ff765822f57f79bb166f528bf2dc805b8" + logic_hash = "fc225d3ab668ac0553c91764abb5591ff765822f57f79bb166f528bf2dc805b8" score = 75 quality = 75 tags = "FILE" @@ -150638,13 +150638,13 @@ rule MALPEDIA_Win_Waterspout_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e9dd747-7499-596a-84d9-0616cf5d92d1" + id = "312b289d-c89a-504c-8e5c-23fd2356f776" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.waterspout_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_ca34650795bef65f517e7b6e56e86508cb7b6332fa50178472230b7d745dfa16" + logic_hash = "ca34650795bef65f517e7b6e56e86508cb7b6332fa50178472230b7d745dfa16" score = 75 quality = 75 tags = "FILE" 
@@ -150677,13 +150677,13 @@ rule MALPEDIA_Win_Roll_Sling_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4c3bae15-ac91-528d-8337-6d63f83ab01e" + id = "b7e33442-8180-54e6-9eaf-af122cb4c9a7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roll_sling" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.roll_sling_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_9fbb0c1a994cbf47daa8ad072c8bc3b15bcfbdc43d87e63c5668a5130ba7c10c" + logic_hash = "9fbb0c1a994cbf47daa8ad072c8bc3b15bcfbdc43d87e63c5668a5130ba7c10c" score = 75 quality = 75 tags = "FILE" @@ -150716,13 +150716,13 @@ rule MALPEDIA_Win_Upas_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "60d61bbc-751e-57de-be13-c7613d0d7314" + id = "ff6fa077-a4cc-5245-b43e-d462dbb909cf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.upas_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_2dbc02d44bc44069a95867e1264648df697162b7220114880dd132223d4a0c26" + logic_hash = "2dbc02d44bc44069a95867e1264648df697162b7220114880dd132223d4a0c26" score = 75 quality = 75 tags = "FILE" 
@@ -150755,13 +150755,13 @@ rule MALPEDIA_Win_Cameleon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0d8cec30-8baa-5b96-9dff-f09e5e732875" + id = "806efc2e-ee4f-5af0-8004-774edaa0c90c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cameleon_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_98c6fbda2b8586d2f1ae140ba5c66b5e26a402ce2bed7b89a93ce40a7f3c9c1d" + logic_hash = "98c6fbda2b8586d2f1ae140ba5c66b5e26a402ce2bed7b89a93ce40a7f3c9c1d" score = 75 quality = 75 tags = "FILE" @@ -150794,13 +150794,13 @@ rule MALPEDIA_Win_Unidentified_069_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c74a5bfb-c56e-58d1-b442-eda87175edce" + id = "e6d12ecf-2105-5a78-ac5d-ef3697e64524" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_069_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_ca9594399e09dcc31b85088d5c725560cc890838ff6242191d21562960d61f9b" + logic_hash = "ca9594399e09dcc31b85088d5c725560cc890838ff6242191d21562960d61f9b" score = 75 quality = 75 tags = "FILE" 
@@ -150833,13 +150833,13 @@ rule MALPEDIA_Win_Saint_Bot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef27ab33-fc34-54b5-9452-abef87b90a60" + id = "92ea573f-6995-5968-986f-4f6e838a873b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.saint_bot_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_8fc12017b3bbd916bf7702bbd87ca92c11f29e697b9a76fb35dc7516e7e5512c" + logic_hash = "8fc12017b3bbd916bf7702bbd87ca92c11f29e697b9a76fb35dc7516e7e5512c" score = 75 quality = 75 tags = "FILE" @@ -150872,13 +150872,13 @@ rule MALPEDIA_Win_Shadowhammer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "43be02f3-4284-54bc-b509-d36f6f2574f6" + id = "b57d4c23-f9b4-522a-89ba-c4ac79dc31ec" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shadowhammer_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_9c0187702056fafb079efbd5dab5b93b10eb6c78f6f641de1a14fc5c3fa972f5" + logic_hash = "9c0187702056fafb079efbd5dab5b93b10eb6c78f6f641de1a14fc5c3fa972f5" score = 75 quality = 75 tags = "FILE" 
@@ -150911,13 +150911,13 @@ rule MALPEDIA_Win_Computrace_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3ab10cbc-15c9-5fe4-aca4-7c8225add349" + id = "7d3f36b5-1638-54d3-9aa2-d37f8e7401b6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.computrace_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_b73f0b7c109f121cef0d44673877d18ab031d29ad8713526e9f7233d01c0d2e0" + logic_hash = "b73f0b7c109f121cef0d44673877d18ab031d29ad8713526e9f7233d01c0d2e0" score = 75 quality = 75 tags = "FILE" @@ -150950,13 +150950,13 @@ rule MALPEDIA_Win_Wannacryptor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bb3b423e-7eb9-5942-b518-b3fadcc0f53a" + id = "64c0c24a-16a6-55da-a692-97069f01b9dc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wannacryptor_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_afdf6a6730d9f47a6baac4eceac9faa53fb74580c5a732dc9532925b43ed27e8" + logic_hash = "afdf6a6730d9f47a6baac4eceac9faa53fb74580c5a732dc9532925b43ed27e8" score = 75 quality = 75 tags = "FILE" 
@@ -150989,13 +150989,13 @@ rule MALPEDIA_Win_Thanatos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4fd57bca-e9ee-55ff-912d-d777ceb28ac1" + id = "a5721dfd-b447-5b95-8938-1157e68dfcc1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.thanatos_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_53b5f2fa82e8c7501726e7b2943f1eca40b261bf73b7a493f709f61c94b8f1bb" + logic_hash = "53b5f2fa82e8c7501726e7b2943f1eca40b261bf73b7a493f709f61c94b8f1bb" score = 75 quality = 75 tags = "FILE" @@ -151028,13 +151028,13 @@ rule MALPEDIA_Win_Keyboy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e2f085d2-ee09-5b23-9e05-230c50dbc159" + id = "e3c6834d-0c67-5748-994c-227d3722e6aa" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.keyboy_auto.yar#L1-L236" license_url = "N/A" - logic_hash = "v1_sha256_b020d013796e2ff9bcbc5f453861ded4cb6f63e612a44995496ca47a3bf65fc0" + logic_hash = "b020d013796e2ff9bcbc5f453861ded4cb6f63e612a44995496ca47a3bf65fc0" score = 75 quality = 73 tags = "FILE" 
@@ -151082,13 +151082,13 @@ rule MALPEDIA_Win_H1N1_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f5acab44-b273-5068-80b7-813fee699829" + id = "4f9432ad-24eb-5be0-8c5c-f54b004537b1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.h1n1_auto.yar#L1-L177" license_url = "N/A" - logic_hash = "v1_sha256_e395b19b788b5872e8b41a06c72576193d2b704eacffdfa539ea6dd0de9a681c" + logic_hash = "e395b19b788b5872e8b41a06c72576193d2b704eacffdfa539ea6dd0de9a681c" score = 75 quality = 75 tags = "FILE" @@ -151127,13 +151127,13 @@ rule MALPEDIA_Win_Remcom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71b609fc-a9a4-5ea4-9b67-569874f4adfb" + id = "ef2d4f9d-a666-5fde-8a7c-ad9caf209507" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.remcom_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_da940079f0fa67fd9b07a963cb1c1d587eae7e882a70fa0b1512503623264f37" + logic_hash = "da940079f0fa67fd9b07a963cb1c1d587eae7e882a70fa0b1512503623264f37" score = 75 quality = 75 tags = "FILE" 
@@ -151166,13 +151166,13 @@ rule MALPEDIA_Win_Pseudo_Manuscrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c09f21a5-d50f-55b6-984c-71afa2e51e22" + id = "42bd2b8b-9456-5653-89f8-7f91defd35ef" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pseudo_manuscrypt_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_cbfecfd1106bc0d6ac7282a9292b2494a3e1d213712be19f881b75451b2a5e68" + logic_hash = "cbfecfd1106bc0d6ac7282a9292b2494a3e1d213712be19f881b75451b2a5e68" score = 75 quality = 75 tags = "FILE" @@ -151205,13 +151205,13 @@ rule MALPEDIA_Win_Cadelspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6f45cd6e-2c7b-596f-8316-07ff8f4e87f3" + id = "860c18ff-53ed-5d9c-b2bc-98b95f4d188d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cadelspy_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_b3c44a014ad2fbee54fda667170619e7a6ae94d19236eba6a66ccc77fd775cd1" + logic_hash = "b3c44a014ad2fbee54fda667170619e7a6ae94d19236eba6a66ccc77fd775cd1" score = 75 quality = 75 tags = "FILE" 
@@ -151244,13 +151244,13 @@ rule MALPEDIA_Win_Rorschach_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c7f86b72-1f3e-5d2a-88ed-def8713577a5"
+ id = "11b24b2d-bfea-5a8c-988f-bea7ea32170c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rorschach"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rorschach_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_3819d2826273a95ad95ce552fb76b197f4eb30ddd0b4d089208f0442591f4b17"
+ logic_hash = "3819d2826273a95ad95ce552fb76b197f4eb30ddd0b4d089208f0442591f4b17"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151283,13 +151283,13 @@ rule MALPEDIA_Win_Daserf_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "330cdca3-8a2a-5522-b7a5-32b48eb0dc54"
+ id = "a6f15599-4f13-54ba-bcec-a3b5030d8753"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.daserf_auto.yar#L1-L169"
 license_url = "N/A"
- logic_hash = "v1_sha256_1bad6c4b5752fd8c6fe15d5fabea81e1efa1678a4e2b8ef0d9b688e6637ca84b"
+ logic_hash = "1bad6c4b5752fd8c6fe15d5fabea81e1efa1678a4e2b8ef0d9b688e6637ca84b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151328,13 +151328,13 @@ rule MALPEDIA_Win_Rhysida_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6677c27d-f1dd-561e-a49b-94709f2613b4"
+ id = "b37d7cef-6bec-51b1-8798-0b8311f7db61"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rhysida_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_25239cc1b2d1119e4ce01e339bf005e03f9d77aa5443040b6232d8bc07fad544"
+ logic_hash = "25239cc1b2d1119e4ce01e339bf005e03f9d77aa5443040b6232d8bc07fad544"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151367,13 +151367,13 @@ rule MALPEDIA_Win_Donot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "20729286-78a5-5fc0-83b9-bc39d4e7fc50"
+ id = "0d8c8de4-b5bc-5e41-9f0a-3ce84556a33b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.donot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.donot_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_c988e567c68890dfe0605ba69d12ded06e141c854ed633d34ee6899ee2b466e8"
+ logic_hash = "c988e567c68890dfe0605ba69d12ded06e141c854ed633d34ee6899ee2b466e8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151406,13 +151406,13 @@ rule MALPEDIA_Win_Ratankba_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "84cb08e1-023d-54d5-a8ae-db0e4f32bcb9"
+ id = "5b767439-8a52-5082-a849-b72a22dc7deb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ratankba_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_28a3493a9c6143ba99ec99eb8912043c44e1319e93a131fe32deda9f1f93952d"
+ logic_hash = "28a3493a9c6143ba99ec99eb8912043c44e1319e93a131fe32deda9f1f93952d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151445,13 +151445,13 @@ rule MALPEDIA_Win_Unidentified_103_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "641ae62a-d72b-5dd5-bf2f-4574b656ad16"
+ id = "887a2a34-16c4-5940-84aa-60b8d12f0d1d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_103_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_e05c648365bd2898e5f79fec6ee4b7da15c9961641307154c17359b01f91ade3"
+ logic_hash = "e05c648365bd2898e5f79fec6ee4b7da15c9961641307154c17359b01f91ade3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151484,13 +151484,13 @@ rule MALPEDIA_Win_Dridex_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "785ce937-2de0-58b0-9e32-3a2328977cf3"
+ id = "82474897-84ac-57c0-bc01-9735ab6cae7c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dridex_auto.yar#L1-L1014"
 license_url = "N/A"
- logic_hash = "v1_sha256_1b034dcf6182675bbb8a5eb0a34d263edee95de935cc41e9152b6cc845885549"
+ logic_hash = "1b034dcf6182675bbb8a5eb0a34d263edee95de935cc41e9152b6cc845885549"
 score = 75
 quality = 50
 tags = "FILE"
@@ -151638,13 +151638,13 @@ rule MALPEDIA_Win_Cotx_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "249eac10-6f5c-5279-ada0-837791cbeec0"
+ id = "618247d4-de94-5a5b-8702-f02eb35ee904"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cotx_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_3b8fe5510fd419b8c1ff3124a08904512765ac561abd89e88faa984449f17fc2"
+ logic_hash = "3b8fe5510fd419b8c1ff3124a08904512765ac561abd89e88faa984449f17fc2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151677,13 +151677,13 @@ rule MALPEDIA_Win_Bluenoroff_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9827c15a-1428-57e7-891d-e6fa67df00b6"
+ id = "87ca0fae-dc2d-5a54-9ef5-56b7a04644cb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluenoroff"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bluenoroff_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_02d8b21ae6c3a55707ae999f347bdd0e2eb71f8cb543624eb25090baef53d3be"
+ logic_hash = "02d8b21ae6c3a55707ae999f347bdd0e2eb71f8cb543624eb25090baef53d3be"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151716,13 +151716,13 @@ rule MALPEDIA_Win_Sinowal_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4a001a4e-e1a1-526c-9f6d-02addcefc995"
+ id = "00c85bb6-b85e-5ec4-8327-f739c9d5f422"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sinowal_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_ad21744a631baee0751cfa9148a29030265ec00175eb1018f5bd88e3be28754b"
+ logic_hash = "ad21744a631baee0751cfa9148a29030265ec00175eb1018f5bd88e3be28754b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151755,13 +151755,13 @@ rule MALPEDIA_Win_Arik_Keylogger_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0323a15b-7005-5558-a8c3-1a63b41462b3"
+ id = "7cfe77b9-498e-52b0-a1e5-e481078fb2b8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.arik_keylogger_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_efa31a5efe80de4c661e6c1fa566389f67f3059a66f1ad3d5cfcbb40b493c756"
+ logic_hash = "efa31a5efe80de4c661e6c1fa566389f67f3059a66f1ad3d5cfcbb40b493c756"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151794,13 +151794,13 @@ rule MALPEDIA_Win_Dnespy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5c371d46-d668-57dc-b314-2f4528c6959f"
+ id = "dd2f9ed7-2d6f-5933-9493-a41c942bf03f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dnespy_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_eee42a6a521e66ad81f34fb24c5fab011a7b4af2844dffcdf7998746a9a87ff5"
+ logic_hash = "eee42a6a521e66ad81f34fb24c5fab011a7b4af2844dffcdf7998746a9a87ff5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151833,13 +151833,13 @@ rule MALPEDIA_Win_Badflick_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d350566f-7970-56bc-a420-0099831c8cd4"
+ id = "d5d1b93f-b8ef-5919-881c-41cd371c0e33"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.badflick_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_254e8105548798f084c01ec737c733ae7316a19998160441541107c24531856e"
+ logic_hash = "254e8105548798f084c01ec737c733ae7316a19998160441541107c24531856e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151872,13 +151872,13 @@ rule MALPEDIA_Win_Cmstar_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dde9f655-3c07-5f18-9ad9-d1fce5113c4e"
+ id = "573d55cd-4176-58c6-b881-46544636e3cc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cmstar_auto.yar#L1-L170"
 license_url = "N/A"
- logic_hash = "v1_sha256_a019849b15c13075d7ee37f6ab493df0eaba09a0dd6bc46a1e79b4c730b7a0f1"
+ logic_hash = "a019849b15c13075d7ee37f6ab493df0eaba09a0dd6bc46a1e79b4c730b7a0f1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151917,13 +151917,13 @@ rule MALPEDIA_Win_Domino_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "671ecd56-ff8e-5805-905d-4e2ed6134392"
+ id = "5d360219-88f3-51b6-b0a7-8c0e8e115450"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.domino"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.domino_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_0494b0021734ccd5b5bbf5e2e5a90aaa191fbeb0b0a8f17de8e34620de4c33b7"
+ logic_hash = "0494b0021734ccd5b5bbf5e2e5a90aaa191fbeb0b0a8f17de8e34620de4c33b7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151956,13 +151956,13 @@ rule MALPEDIA_Win_Unidentified_031_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e7a5e430-774e-521d-be84-8683951f52ef"
+ id = "a72a563f-a4f8-5666-a877-ef8f429f5482"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_031_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_433c3a1b1a13dcc2934f251d10014182069dee4462cd06fa5b97124ebfc25ecc"
+ logic_hash = "433c3a1b1a13dcc2934f251d10014182069dee4462cd06fa5b97124ebfc25ecc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -151995,13 +151995,13 @@ rule MALPEDIA_Win_Badcall_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c0af4c21-6129-5b8a-97ea-314889c51d00"
+ id = "6dc89352-23be-508c-aee9-54c70773ba33"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.badcall_auto.yar#L1-L232"
 license_url = "N/A"
- logic_hash = "v1_sha256_f469c22ea661fc33aaf4e709b2c352b5b8bb3d75d2b5706e6fcd20955f630b93"
+ logic_hash = "f469c22ea661fc33aaf4e709b2c352b5b8bb3d75d2b5706e6fcd20955f630b93"
 score = 75
 quality = 73
 tags = "FILE"
@@ -152048,13 +152048,13 @@ rule MALPEDIA_Win_Webc2_Ugx_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8a4f0126-f18b-5943-91bb-7a957129e438"
+ id = "1c23cedb-b71d-5193-aa31-e8153ab4c4b4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_ugx_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_7d4c482dc506453890fdde88d716a3ceb2e3f8b35a1cb1eec11dbba57393fe56"
+ logic_hash = "7d4c482dc506453890fdde88d716a3ceb2e3f8b35a1cb1eec11dbba57393fe56"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152087,13 +152087,13 @@ rule MALPEDIA_Win_Findpos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c3bd0109-5fcf-5c98-9a30-9313f7a8efbc"
+ id = "0a568c8d-936e-5180-b48c-3459a7de3f2c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.findpos_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_16968f111dc679e93555d1d3b7ae27dea3f4769dc763c7bf583a162ef6a1f34f"
+ logic_hash = "16968f111dc679e93555d1d3b7ae27dea3f4769dc763c7bf583a162ef6a1f34f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152126,13 +152126,13 @@ rule MALPEDIA_Win_Lolsnif_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "672cbbd8-c358-5c31-8e92-e8026af45b3b"
+ id = "0289e06c-9994-5dbb-86c9-fe5c529484d1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lolsnif_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_722f048f7ac9bac7fbc30da76accd223a5f740835920efce86d99d762f17104c"
+ logic_hash = "722f048f7ac9bac7fbc30da76accd223a5f740835920efce86d99d762f17104c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152165,13 +152165,13 @@ rule MALPEDIA_Win_Rad_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec71653f-5373-518c-b9ce-f9314e6322f8"
+ id = "cf7df94d-6d22-5657-82bf-7d35a5482def"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rad"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rad_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_1eec20ddabb813a5b7c10180af0c0f122f744f026c6b5d60bcc21414af7a0dac"
+ logic_hash = "1eec20ddabb813a5b7c10180af0c0f122f744f026c6b5d60bcc21414af7a0dac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152204,13 +152204,13 @@ rule MALPEDIA_Win_Decaf_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "443699c8-ac99-50e2-a581-2f2c1ce79a88"
+ id = "67190af4-1ce0-57cf-b346-2c883278a90f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.decaf"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.decaf_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_7a70ed6fa2a0ce3cf4802d2d0ae4afe2a54da0a94bb0916dbc97593071b29978"
+ logic_hash = "7a70ed6fa2a0ce3cf4802d2d0ae4afe2a54da0a94bb0916dbc97593071b29978"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152243,13 +152243,13 @@ rule MALPEDIA_Win_Metadatabin_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "14502636-a1a7-5eaf-80bd-9a4cfc6f1c4f"
+ id = "d06dd743-35cf-5bb7-aeb8-d54914ce18a9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.metadatabin_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_6937a202ef9f0a455ba922507557ae6df15b8a9ec19545fd7cb48a075af80798"
+ logic_hash = "6937a202ef9f0a455ba922507557ae6df15b8a9ec19545fd7cb48a075af80798"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152282,13 +152282,13 @@ rule MALPEDIA_Win_Warezov_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec4ef575-df18-595a-9f3a-855f46e92644"
+ id = "daf7c87f-56d6-5ca2-a05f-f2106f7af4ec"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warezov"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.warezov_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_76ba225e2c2800078c3a09fe679ba4718fd1f03fa3d573bef216fead7a711c12"
+ logic_hash = "76ba225e2c2800078c3a09fe679ba4718fd1f03fa3d573bef216fead7a711c12"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152321,13 +152321,13 @@ rule MALPEDIA_Win_Atmspitter_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "041b44ee-0e32-5ca5-9fb9-9f5bf4b65baf"
+ id = "a7fa682f-eefe-55e1-939b-4455645ebe46"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atmspitter_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_0ed0ab3302f4e8054faec9b20c1025a14f4da75cd75a5c59684b771cac871b40"
+ logic_hash = "0ed0ab3302f4e8054faec9b20c1025a14f4da75cd75a5c59684b771cac871b40"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152360,13 +152360,13 @@ rule MALPEDIA_Win_Colony_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "79f37368-7aae-5f9a-8d81-93221db62781"
+ id = "742a0cb8-c4dd-5eda-a40e-a63b7bd8505f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.colony_auto.yar#L1-L235"
 license_url = "N/A"
- logic_hash = "v1_sha256_3b9749137439fa6695b6427d299f35f295a8c9c596ab6c8986a3096d5875940b"
+ logic_hash = "3b9749137439fa6695b6427d299f35f295a8c9c596ab6c8986a3096d5875940b"
 score = 75
 quality = 73
 tags = "FILE"
@@ -152413,13 +152413,13 @@ rule MALPEDIA_Win_Forest_Tiger_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "23f62365-cc91-570b-bd97-10fa1fe64ab9"
+ id = "c5055f82-5e25-5cec-b6f9-75913bef33b5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.forest_tiger"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.forest_tiger_auto.yar#L1-L149"
 license_url = "N/A"
- logic_hash = "v1_sha256_398de9d2907c8260eaacbe3112d8affc7b628942665baa833cce575671a0ed06"
+ logic_hash = "398de9d2907c8260eaacbe3112d8affc7b628942665baa833cce575671a0ed06"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152457,13 +152457,13 @@ rule MALPEDIA_Win_Ghostsocks_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7bc7fb62-e5b8-5761-91aa-1c8a4b99f8a3"
+ id = "a81e901b-dc82-5aba-9b0a-b793b5feee2d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostsocks"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ghostsocks_auto.yar#L1-L148"
 license_url = "N/A"
- logic_hash = "v1_sha256_bfb13a4898f7d810671a9ba5dbd8796a5c6a94275321bb29cfaca043cafc81f2"
+ logic_hash = "bfb13a4898f7d810671a9ba5dbd8796a5c6a94275321bb29cfaca043cafc81f2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152502,13 +152502,13 @@ rule MALPEDIA_Win_Cloudeye_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5ac49c68-1cb2-59ea-a5df-be4ba04598ca"
+ id = "44608db0-2b3b-55a4-82c4-1c5317afcfea"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cloudeye_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_54d2e3ccac7509c285f63d14127016b59266a9af9b4d7112de2a7058fc6a0ca1"
+ logic_hash = "54d2e3ccac7509c285f63d14127016b59266a9af9b4d7112de2a7058fc6a0ca1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152541,13 +152541,13 @@ rule MALPEDIA_Win_Scranos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "34bc89f1-0df4-5c42-b990-c9ad30fb4dd6"
+ id = "3bc50a28-b6e6-5463-a597-05290715703b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.scranos_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_55c9e24c122b178b35286bb9d84ccadcfb35aee7a1a2177725fac28566a869c1"
+ logic_hash = "55c9e24c122b178b35286bb9d84ccadcfb35aee7a1a2177725fac28566a869c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152580,13 +152580,13 @@ rule MALPEDIA_Win_Tiger_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9c207ce9-9738-5e40-b34b-fe092bd0a77c"
+ id = "67f423d7-2fad-5807-a6c5-0c99b540e781"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tiger_rat_auto.yar#L1-L169"
 license_url = "N/A"
- logic_hash = "v1_sha256_6751f9ead0a49726ec5dc792ec4931ab1c6ffa2fe50674026329e51b931ea082"
+ logic_hash = "6751f9ead0a49726ec5dc792ec4931ab1c6ffa2fe50674026329e51b931ea082"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152625,13 +152625,13 @@ rule MALPEDIA_Win_Hzrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f700530a-7b62-530a-aec4-b24952bea630"
+ id = "a3d57e55-1483-5768-a078-1e6af35b2fc8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hzrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hzrat_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_caebe3b063bb24ee2db19144295d7a39f41baf69a2ce331f663ee48cf20d8acf"
+ logic_hash = "caebe3b063bb24ee2db19144295d7a39f41baf69a2ce331f663ee48cf20d8acf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152664,13 +152664,13 @@ rule MALPEDIA_Win_Nautilus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b7981457-9f20-5572-93ae-ed4c2a0504b0"
+ id = "5820a14f-f3d2-5304-9417-3caef70672d9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nautilus_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_3519ef9bb4f52e1cd4586752506ba79e61c0e796a4c0e30324274e519044d1d2"
+ logic_hash = "3519ef9bb4f52e1cd4586752506ba79e61c0e796a4c0e30324274e519044d1d2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152703,13 +152703,13 @@ rule MALPEDIA_Win_Mykings_Spreader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "428ad789-5d7e-56b8-bd6d-516794a9d4c1"
+ id = "96a12e80-b15f-580e-920d-d6c0d35464b0"
 date = "2023-12-06"
 modified = "2023-12-08"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mykings_spreader_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_1bcd674173fea4b83a2f4219e8f61306a972490f94a89cfaf5e1f466fdec8eff"
+ logic_hash = "1bcd674173fea4b83a2f4219e8f61306a972490f94a89cfaf5e1f466fdec8eff"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152742,13 +152742,13 @@ rule MALPEDIA_Win_Ghole_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1b445ad4-8796-5a52-9ac6-529cee130be9"
+ id = "6e862057-2c23-515e-8722-3cd2a9153bb9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ghole_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_7b940f8a5e148214fddbb5db105fb5b0301dfcf2c7e2cf8b7ad48df7aac652b0"
+ logic_hash = "7b940f8a5e148214fddbb5db105fb5b0301dfcf2c7e2cf8b7ad48df7aac652b0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152781,13 +152781,13 @@ rule MALPEDIA_Win_Gcman_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3e5a7f0d-1406-577c-aea2-263ba4812547"
+ id = "e71f2c5a-eff6-5ad7-8a03-8a2026572314"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gcman_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_0044f6cfe83ca73eacc555f31b65cfd944699d03aa8981a24b8fc516dccbcc72"
+ logic_hash = "0044f6cfe83ca73eacc555f31b65cfd944699d03aa8981a24b8fc516dccbcc72"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152820,13 +152820,13 @@ rule MALPEDIA_Win_Pushdo_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "17d9acf1-c817-57a7-96f2-7d39ac1d3409"
+ id = "b6d886fe-4960-5326-a389-c445ba8e11b5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pushdo_auto.yar#L1-L204"
 license_url = "N/A"
- logic_hash = "v1_sha256_31b4c4806bd17184721cedae96bf0c20e18e459a29e411d56b72098b9cc5e475"
+ logic_hash = "31b4c4806bd17184721cedae96bf0c20e18e459a29e411d56b72098b9cc5e475"
 score = 75
 quality = 73
 tags = "FILE"
@@ -152870,13 +152870,13 @@ rule MALPEDIA_Win_Silence_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d50126df-47c0-5221-877e-2f2b7d71bea8"
+ id = "1d33ad52-7f8b-5849-8776-4b47a03b0b3b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.silence_auto.yar#L1-L413"
 license_url = "N/A"
- logic_hash = "v1_sha256_20bb026c801a434e63744ede6d8b88ca9db1780c69681a4497ad49040c78c67b"
+ logic_hash = "20bb026c801a434e63744ede6d8b88ca9db1780c69681a4497ad49040c78c67b"
 score = 75
 quality = 50
 tags = "FILE"
@@ -152946,13 +152946,13 @@ rule MALPEDIA_Win_Electricfish_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6aeb7441-25c8-5c13-8801-7c73cfd04c30"
+ id = "54f0ee66-bee9-5fd6-90c5-67fcbb00bae7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.electricfish_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_570c92a12a35054e6d1b5030b781194881d1880fcbe3006781ca116a918ce32a"
+ logic_hash = "570c92a12a35054e6d1b5030b781194881d1880fcbe3006781ca116a918ce32a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -152985,13 +152985,13 @@ rule MALPEDIA_Win_Scarecrow_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "627b1aea-4d5c-5b23-869f-f6c0037c9e92"
+ id = "7b0ea4aa-06b5-57ee-9a11-48d883c1ac9c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarecrow"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.scarecrow_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_e0a208d3de2959898d45be13d981ab096036ca0d633a326493a23160fdc8d314"
+ logic_hash = "e0a208d3de2959898d45be13d981ab096036ca0d633a326493a23160fdc8d314"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153024,13 +153024,13 @@ rule MALPEDIA_Elf_Persirai_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5e05f6b8-5238-5355-977c-6fe779f0e659"
+ id = "996dcf89-95a6-5052-ad1f-80d616d26c39"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.persirai_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_c89a0c1c6fb24b2cd2b602725441f1c71ea63a845e8a02036d6cfd2667993400"
+ logic_hash = "c89a0c1c6fb24b2cd2b602725441f1c71ea63a845e8a02036d6cfd2667993400"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153063,13 +153063,13 @@ rule MALPEDIA_Win_Purelocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "681535d3-2585-589a-b0c1-cd49838676e6"
+ id = "53ddd96f-5e42-581c-bfdc-76e557b9eeb0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.purelocker_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_cefb5bbad76b31deb583172c70f982572bba50fe45f5283eaffece3891fb88ee"
+ logic_hash = "cefb5bbad76b31deb583172c70f982572bba50fe45f5283eaffece3891fb88ee"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153102,13 +153102,13 @@ rule MALPEDIA_Win_Cryptowall_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "49afbf27-c16f-5afa-8e03-7a37d5f58857"
+ id = "0b206dc1-5d58-50e7-8b0b-4a1659e8c327"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptowall_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_ce5a2f67f32819e2223821b9858e69dbea24618850279ae1bc1fe9c840f1999e"
+ logic_hash = "ce5a2f67f32819e2223821b9858e69dbea24618850279ae1bc1fe9c840f1999e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153141,13 +153141,13 @@ rule MALPEDIA_Win_Lunchmoney_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2d48e97c-2a52-5cc3-be2d-ea0b9a7a134c"
+ id = "a8ab5f04-a830-5276-852a-dc32304e8dce"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lunchmoney_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_6507a60182b28ed10fdd4ed1c7e21ccd1e2f0dc103e23e1d246a1843603fe4d9"
+ logic_hash = "6507a60182b28ed10fdd4ed1c7e21ccd1e2f0dc103e23e1d246a1843603fe4d9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153180,13 +153180,13 @@ rule MALPEDIA_Win_Webc2_Div_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "99e07ab9-7c38-5486-8d69-e88bd86930af"
+ id = "c6b6bbf1-febf-5755-a6ac-7cf5cb612b94"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_div_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_45af776ac19cdd47801cee033d12281de26b6a70cf2be832cbeda5a468ce01ab"
+ logic_hash = "45af776ac19cdd47801cee033d12281de26b6a70cf2be832cbeda5a468ce01ab"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153219,13 +153219,13 @@ rule MALPEDIA_Win_Dyre_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "98dc9ece-d4cf-5408-b98a-4675703464bd"
+ id = "dfd82ad1-18fa-5929-a163-6bbf986e9f0e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dyre_auto.yar#L1-L226"
 license_url = "N/A"
- logic_hash = "v1_sha256_0632ac932a1fda05bb4d709a552a76b91b864a446705dbf518e55fdb6e3d3885"
+ logic_hash = "0632ac932a1fda05bb4d709a552a76b91b864a446705dbf518e55fdb6e3d3885"
 score = 75
 quality = 73
 tags = "FILE"
@@ -153271,13 +153271,13 @@ rule MALPEDIA_Win_Sharpknot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "88e74d41-35da-597f-b814-20e54cee12c7"
+ id = "e73f10d7-589d-5303-bfd9-088b7ddd5e13"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sharpknot_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_56a2b51a444e0193080b0e96d12a6b29053b987612719c6a66e8111156406cdd"
+ logic_hash = "56a2b51a444e0193080b0e96d12a6b29053b987612719c6a66e8111156406cdd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153310,13 +153310,13 @@ rule MALPEDIA_Win_Darkrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b86605e7-b4a9-5d86-ab18-20dac2210800"
+ id = "d801447e-13d8-558d-ac93-3bc625f7fc26"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkrat_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_e8461586b168e71b04b888d3fef9b643bcbbe5ebaeef3515951b1dcd9d78d8ef"
+ logic_hash = "e8461586b168e71b04b888d3fef9b643bcbbe5ebaeef3515951b1dcd9d78d8ef"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153349,13 +153349,13 @@ rule MALPEDIA_Win_Woodyrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "53793c11-887d-57a1-9da7-ab8fc4311dc7"
+ id = "55420983-c976-5f63-817e-19c52006bc78"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woodyrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.woodyrat_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_6c11e1a243653fb86d63eb1e0cef34e9f23e5fe6ae8acbf4e40cedaa8f4a73ea"
+ logic_hash = "6c11e1a243653fb86d63eb1e0cef34e9f23e5fe6ae8acbf4e40cedaa8f4a73ea"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153388,13 +153388,13 @@ rule MALPEDIA_Win_T34Loader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "09410b31-5c52-5c7c-a8ca-d3d21fa56757"
+ id = "284a2fef-7ae8-56b0-9c93-6269ff81a414"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.t34loader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.t34loader_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_f0b1763253e4022aabc3df13d81fa3a04dd6aace513ad41ab61bf012fd6fd102"
+ logic_hash = "f0b1763253e4022aabc3df13d81fa3a04dd6aace513ad41ab61bf012fd6fd102"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153427,13 +153427,13 @@ rule MALPEDIA_Win_Amadey_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5bf2298d-4d18-5fb7-86f6-f51d946500a9"
+ id = "b3fa836d-4682-51f6-8e5a-a32138bd7f60"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.amadey_auto.yar#L1-L207"
 license_url = "N/A"
- logic_hash = "v1_sha256_47b9b6106a12c197931c79a9b3b33bf3efcee93c9479f6b1617cd096d3785a21"
+ logic_hash = "47b9b6106a12c197931c79a9b3b33bf3efcee93c9479f6b1617cd096d3785a21"
 score = 75
 quality = 73
 tags = "FILE"
@@ -153477,13 +153477,13 @@ rule MALPEDIA_Win_Arkei_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "65ffafe7-46bb-563a-8c75-640941f43bdc"
+ id = "1a0abd06-565e-5d05-9c7f-92841d5839a1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.arkei_stealer_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_fe6b8a6d2dda0769d1bf75ba6fd29670ffe1d15e24be98e7feb6639e87efec8a"
+ logic_hash = "fe6b8a6d2dda0769d1bf75ba6fd29670ffe1d15e24be98e7feb6639e87efec8a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153516,13 +153516,13 @@ rule MALPEDIA_Win_Stealbit_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "199f57bb-017b-5d5a-9504-212348a77af6"
+ id = "64063c47-cdf5-5614-a83c-80647057336b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stealbit_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_744b036a3f78a167f444b112707f7176ea1e1a362d653a3e610f6fa57bd7d98b"
+ logic_hash = "744b036a3f78a167f444b112707f7176ea1e1a362d653a3e610f6fa57bd7d98b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153555,13 +153555,13 @@ rule MALPEDIA_Win_Mimic_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d45027db-9941-502f-8d7e-022537c2ecaf"
+ id = "b7917b34-b106-57a3-b31d-217974d73754"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimic"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mimic_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_ea5e4099bfde229f604346a64d8a2d013028ba263c49de05a138be9fade4fcfb"
+ logic_hash = "ea5e4099bfde229f604346a64d8a2d013028ba263c49de05a138be9fade4fcfb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153594,13 +153594,13 @@ rule MALPEDIA_Win_Radamant_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0d606c00-d792-5c88-b887-544513f50edf"
+ id = "095ef047-a04b-56b2-b6e4-91844a8ad08b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.radamant_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_13bfcc591423cf31741a962660c228f2fa259842a594b9b818753a98c248ff00"
+ logic_hash = "13bfcc591423cf31741a962660c228f2fa259842a594b9b818753a98c248ff00"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153633,13 +153633,13 @@ rule MALPEDIA_Win_Misfox_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fac0bf18-7c70-5086-bc7e-92b0681ee10f"
+ id = "4f561487-7df3-5819-8af4-11354d9ab382"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.misfox_auto.yar#L1-L178"
 license_url = "N/A"
- logic_hash = "v1_sha256_edbf452d1e5320fd7ba0f107fb137baa64797e4d5896d9322787053f0ee80ff3"
+ logic_hash = "edbf452d1e5320fd7ba0f107fb137baa64797e4d5896d9322787053f0ee80ff3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153678,13 +153678,13 @@ rule MALPEDIA_Win_Unidentified_068_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "425f1c59-cf82-5d0b-bf2e-542efda59688"
+ id = "1ce41a1d-9111-5664-971b-18b33f290c67"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_068_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_cf7d5521a90e4f10a4d7ed99e1e2829b2e957d2aba56d598bf0190ab6bc75eb5"
+ logic_hash = "cf7d5521a90e4f10a4d7ed99e1e2829b2e957d2aba56d598bf0190ab6bc75eb5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153717,13 +153717,13 @@ rule MALPEDIA_Elf_Nosedive_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7820db23-0530-5ad5-a976-7b30f47e3a86"
+ id = "455c512f-a4d2-5592-873b-6a0f8d7aa60b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nosedive"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.nosedive_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_437edcb731a71f57346014b7f168c5a7e19b62836d7ab5266e2b058730d6e731"
+ logic_hash = "437edcb731a71f57346014b7f168c5a7e19b62836d7ab5266e2b058730d6e731"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153756,13 +153756,13 @@ rule MALPEDIA_Win_Orcarat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "12107530-be05-5aeb-844e-f22bfe47c29d"
+ id = "66428b7d-391a-549a-8224-a32cd382ad2d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.orcarat_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_5f94f67164edef88389c383016b172885e074830b2ead0db2794d29f7191cd25"
+ logic_hash = "5f94f67164edef88389c383016b172885e074830b2ead0db2794d29f7191cd25"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153795,13 +153795,13 @@ rule MALPEDIA_Win_Mindware_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "15842d1c-3431-5676-8587-0500114a22ff"
+ id = "47e4869b-800b-5557-a4d9-867ae32fc71e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mindware"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mindware_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_cdf7a7da50c91df9825bab58a751a2b3b443f392a26a7c4ddad4a0902a0837ae"
+ logic_hash = "cdf7a7da50c91df9825bab58a751a2b3b443f392a26a7c4ddad4a0902a0837ae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153834,13 +153834,13 @@ rule MALPEDIA_Win_Ssload_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9f3eff03-375e-55fb-85c7-3709b25fddf9"
+ id = "f6ceb229-a7e1-5841-bcaa-d6789358d285"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ssload_auto.yar#L1-L168"
 license_url = "N/A"
- logic_hash = "v1_sha256_816793f1c924d2fa45e62fdcb0930a6aeafd4fdc18acca20a05a5227b74cb23d"
+ logic_hash = "816793f1c924d2fa45e62fdcb0930a6aeafd4fdc18acca20a05a5227b74cb23d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153879,13 +153879,13 @@ rule MALPEDIA_Win_Unidentified_077_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "38bb5c26-1944-5c86-aca3-8b15cab69259"
+ id = "c7f9be79-20b6-5aa4-9bbd-94e7c4c6bef7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_077_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_90028d042242a66c9237db24c75f8aa2228010ebd44b2069db8290680e688e20"
+ logic_hash = "90028d042242a66c9237db24c75f8aa2228010ebd44b2069db8290680e688e20"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153918,13 +153918,13 @@ rule MALPEDIA_Win_Bandook_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "18b8ca95-c93e-549c-94d2-d78db6ef9e35"
+ id = "e41ee65d-d778-576e-8219-d5b7551a8280"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bandook_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_3158dd6369626bf2143d645ab9a0e41f6f517c0e8f9383586a9041884da647b4"
+ logic_hash = "3158dd6369626bf2143d645ab9a0e41f6f517c0e8f9383586a9041884da647b4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153957,13 +153957,13 @@ rule MALPEDIA_Win_Ironwind_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "167573c1-1f4b-5f81-89c5-0a6f86bf904e"
+ id = "b7b3278a-33a9-59fb-98d9-d012cae38570"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironwind"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ironwind_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_df52b853e06a9bac2fed032f09d4a195b27f234efb72e316b71f02accfc6c4ed"
+ logic_hash = "df52b853e06a9bac2fed032f09d4a195b27f234efb72e316b71f02accfc6c4ed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -153996,13 +153996,13 @@ rule MALPEDIA_Win_Artra_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "591aa1f8-19f1-57d1-82ea-83a04118de0b"
+ id = "ff75386e-794e-5ca3-b572-9b037a957102"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.artra_auto.yar#L1-L262"
 license_url = "N/A"
- logic_hash = "v1_sha256_0d6b75a232d52a887969f43b5d876701bc36067b1aa62db809423e4fc76fc56c"
+ logic_hash = "0d6b75a232d52a887969f43b5d876701bc36067b1aa62db809423e4fc76fc56c"
 score = 75
 quality = 73
 tags = "FILE"
@@ -154051,13 +154051,13 @@ rule MALPEDIA_Win_Downeks_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1ac8a3f9-286e-5134-b276-d2e998bff98d"
+ id = "30c812bc-f8ec-5caf-b497-f38e34394a41"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.downeks_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_d7bf58e8bb3246f569b98be2a709ed5695e812ca867b1dab085a6c76aff4235d"
+ logic_hash = "d7bf58e8bb3246f569b98be2a709ed5695e812ca867b1dab085a6c76aff4235d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154090,13 +154090,13 @@ rule MALPEDIA_Win_Cuegoe_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "81fc0173-e89a-5fb7-a8fd-a3421bc4c478"
+ id = "f801c54c-d3a8-51b1-91c4-e3ef8af3f7f9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cuegoe_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_d0e6e6925a0e42ac5470513773688ead9a134439bb7102ccc5d0a7edc70c0169"
+ logic_hash = "d0e6e6925a0e42ac5470513773688ead9a134439bb7102ccc5d0a7edc70c0169"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154129,13 +154129,13 @@ rule MALPEDIA_Win_Unidentified_092_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "618087a8-2d44-5307-9aa3-0ccc66f294a0"
+ id = "a832d924-1526-5b98-85cb-a6a677c2763a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_092"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_092_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_652402e87963cd0c6ff5366fe9ef518c3ad3cc147775da4e4b2ee294d04144ab"
+ logic_hash = "652402e87963cd0c6ff5366fe9ef518c3ad3cc147775da4e4b2ee294d04144ab"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154168,13 +154168,13 @@ rule MALPEDIA_Win_Dorshel_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7bc63644-9263-5cef-870a-6ecdd6fecb6f"
+ id = "550d8628-f52a-56de-91a7-ece0c38b96fb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dorshel_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_364203df24c6a83e17731caab6caa244bb9a531055fdc65fef6d763de8c4fb40"
+ logic_hash = "364203df24c6a83e17731caab6caa244bb9a531055fdc65fef6d763de8c4fb40"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154207,13 +154207,13 @@ rule MALPEDIA_Win_Unidentified_001_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c959ad45-f3b8-55a4-93c4-ba74f31b98d9"
+ id = "2b4764d2-9d12-5e82-8bd8-6d5008485440"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_001_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_81eac2ebab9009f83937098bc70d4667382c46b0593ed411973170676729479d"
+ logic_hash = "81eac2ebab9009f83937098bc70d4667382c46b0593ed411973170676729479d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154246,13 +154246,13 @@ rule MALPEDIA_Win_Minibus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e6f0e6d1-3da7-5366-b89f-4cff334a42f7"
+ id = "1ad5e3c7-76e6-5ca8-ae27-272222a9f62c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.minibus_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_f2e35e1c340980cefeddf2362242a94c8425d63f412b36fb6c1988b6b9f9c6f1"
+ logic_hash = "f2e35e1c340980cefeddf2362242a94c8425d63f412b36fb6c1988b6b9f9c6f1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154285,13 +154285,13 @@ rule MALPEDIA_Win_Snifula_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8c5cef86-fd96-514d-898a-c7e74fdfae7c"
+ id = "7eb0b095-555b-5c46-a556-09b78e129a51"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.snifula_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_8cd858ad508ccf0d5980ca44f29c7ac0d1ef182e09e60747d07a1ef2744ff82a"
+ logic_hash = "8cd858ad508ccf0d5980ca44f29c7ac0d1ef182e09e60747d07a1ef2744ff82a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154324,13 +154324,13 @@ rule MALPEDIA_Win_Syscon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c39a2603-e856-5e78-bdc3-81020fbbd264"
+ id = "62914e2c-226d-5cbb-90b0-89a5b7c1ce63"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.syscon_auto.yar#L1-L179"
 license_url = "N/A"
- logic_hash = "v1_sha256_302ef373551197e8ed957c8603c0bcf0757f29f0db7a8e8349d7ddb01c77aa30"
+ logic_hash = "302ef373551197e8ed957c8603c0bcf0757f29f0db7a8e8349d7ddb01c77aa30"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154369,13 +154369,13 @@ rule MALPEDIA_Win_Beepservice_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b2069396-d965-57ca-8256-1b1f59c4fc62"
+ id = "600fce17-5c83-5bc3-9824-37a0fdef0a67"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.beepservice_auto.yar#L1-L268"
 license_url = "N/A"
- logic_hash = "v1_sha256_e9b2216bc0e3755a16cf68b15ef3152aac9ea65a9d59c9db364017acc5ba848e"
+ logic_hash = "e9b2216bc0e3755a16cf68b15ef3152aac9ea65a9d59c9db364017acc5ba848e"
 score = 75
 quality = 73
 tags = "FILE"
@@ -154425,13 +154425,13 @@ rule MALPEDIA_Win_Unidentified_115_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f5becd2c-0d19-5574-b46d-2b6d47f60521"
+ id = "be30f947-2ea3-5dbe-8a22-d2eff226f388"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_115"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_115_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_0dce5979f7403c0c98c10384045967ec938948f605faa1b9ed353ecbedbd1370"
+ logic_hash = "0dce5979f7403c0c98c10384045967ec938948f605faa1b9ed353ecbedbd1370"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154464,13 +154464,13 @@ rule MALPEDIA_Win_Orchard_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b202d060-af79-5a4a-b5f8-97050be85991"
+ id = "17f17024-3843-5eab-9d60-b1508d38046a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.orchard_auto.yar#L1-L153"
 license_url = "N/A"
- logic_hash = "v1_sha256_138080fd95f8adafa6f2759bdbd81f59c5234a21d6fcbf8907de2c121b106fe9"
+ logic_hash = "138080fd95f8adafa6f2759bdbd81f59c5234a21d6fcbf8907de2c121b106fe9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154509,13 +154509,13 @@ rule MALPEDIA_Win_Glasses_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e579822d-2b95-511e-91a7-3526070be5b5"
+ id = "f78200de-17f0-543a-b1bc-b07d12f718a7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.glasses_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_f33966ab45324eba7508399d9cadcd3a853fcf3a139e1b51ccdad3cd57192d5a"
+ logic_hash = "f33966ab45324eba7508399d9cadcd3a853fcf3a139e1b51ccdad3cd57192d5a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154548,13 +154548,13 @@ rule MALPEDIA_Win_Torrentlocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4256340d-76b1-5bd8-b911-dea709feb21f"
+ id = "78a2f41d-b3cc-50c3-94fa-009892ee7a43"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.torrentlocker_auto.yar#L1-L169"
 license_url = "N/A"
- logic_hash = "v1_sha256_3dd062623227a3c969fbf6874bc33a690192fa1b5ef820c50984975d7d603139"
+ logic_hash = "3dd062623227a3c969fbf6874bc33a690192fa1b5ef820c50984975d7d603139"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154593,13 +154593,13 @@ rule MALPEDIA_Win_Dreambot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fdc946e9-c514-55bf-948a-b42411e40712"
+ id = "ca125658-e0a0-53ce-a980-872204f0b2dd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dreambot_auto.yar#L1-L1010"
 license_url = "N/A"
- logic_hash = "v1_sha256_376288f0c1af3049ba5a8f21b0bc3eb4e04085f83d0b86e461c7b5d308181cec"
+ logic_hash = "376288f0c1af3049ba5a8f21b0bc3eb4e04085f83d0b86e461c7b5d308181cec"
 score = 75
 quality = 50
 tags = "FILE"
@@ -154741,13 +154741,13 @@ rule MALPEDIA_Win_Unidentified_074_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ada9f9d3-0429-5b23-82e0-3c84e2ccdba7"
+ id = "18d2173e-134a-5069-ab8f-b9abd19f1bd3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_074_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_6dab9e5ae43cc86eae4e300f173218fa8732c7df5d913a5bb2fedc84e5de19c3"
+ logic_hash = "6dab9e5ae43cc86eae4e300f173218fa8732c7df5d913a5bb2fedc84e5de19c3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154780,13 +154780,13 @@ rule MALPEDIA_Win_Smominru_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "491e11c1-7290-510a-9080-b4d2882ba05d"
+ id = "c1a10c0a-1a81-5633-ba39-5fbcedc45f65"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.smominru_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_e46f6fcc506b8533ee7578778771fd23a12eff0b58e9a48260ec14f4febd7c2f"
+ logic_hash = "e46f6fcc506b8533ee7578778771fd23a12eff0b58e9a48260ec14f4febd7c2f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154819,13 +154819,13 @@ rule MALPEDIA_Win_Yayih_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1c1201ed-f54e-5604-8884-509fdc809780"
+ id = "6b0b123b-a2d0-5239-b990-6d6c98b897d2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yayih_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_2fc47407627eaa9d0405e17fbf6ef6d14584c29b56705d065c0a11f1cb55f981"
+ logic_hash = "2fc47407627eaa9d0405e17fbf6ef6d14584c29b56705d065c0a11f1cb55f981"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154858,13 +154858,13 @@ rule MALPEDIA_Win_Mapiget_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "563da301-9906-518c-bdaf-2f5d65fd03b4"
+ id = "b7a42e52-aa49-5fa2-9228-6b144ce76bdc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mapiget_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a5d011e54dd8be32162fd28789dfb313e466b4c449ca547e52393f68f4438eb"
+ logic_hash = "9a5d011e54dd8be32162fd28789dfb313e466b4c449ca547e52393f68f4438eb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154897,13 +154897,13 @@ rule MALPEDIA_Win_Molerat_Loader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dfc808ff-c4b6-5977-8bd3-a9b09015159c"
+ id = "bbb2773d-16c5-5ea1-96c6-2ff80ea4ab38"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.molerat_loader_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_f7f702f0dc9bfb0fb7a2fb852c5b313a67822e64049d201a13fd2318ed509e52"
+ logic_hash = "f7f702f0dc9bfb0fb7a2fb852c5b313a67822e64049d201a13fd2318ed509e52"
 score = 75
 quality = 75
 tags = "FILE"
@@ -154936,13 +154936,13 @@ rule MALPEDIA_Win_New_Ct_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4f5e91a2-58c1-5215-bcbc-3fb78fe4139b" + id = "f53de876-cc73-580f-b656-21e621d4769e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.new_ct_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_a95efc922552cce6ba568c288715d7230a5249b577e6fe1c26585a82d20cee63" + logic_hash = "a95efc922552cce6ba568c288715d7230a5249b577e6fe1c26585a82d20cee63" score = 75 quality = 75 tags = "FILE" @@ -154975,13 +154975,13 @@ rule MALPEDIA_Win_Getmail_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "41c0883f-6235-59e1-93ce-6be58ea5f374" + id = "4780e834-4739-57cb-8526-1265945d26d9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.getmail_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_f392c7d302de7668ac9b3700c0372997d2f7bd630f275b38a7b8618bbfecba8b" + logic_hash = "f392c7d302de7668ac9b3700c0372997d2f7bd630f275b38a7b8618bbfecba8b" score = 75 quality = 75 tags = "FILE" 
@@ -155014,13 +155014,13 @@ rule MALPEDIA_Win_Comebacker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "06e47e48-7174-5e4c-bf77-2d389855c1d0" + id = "19b11e1a-a1ff-5098-8869-502d6ab34aa7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.comebacker_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "v1_sha256_e448a9fe85529eabd811145723dc68a4c09b7b0e6109ed9890120aa2245173a6" + logic_hash = "e448a9fe85529eabd811145723dc68a4c09b7b0e6109ed9890120aa2245173a6" score = 75 quality = 75 tags = "FILE" @@ -155058,13 +155058,13 @@ rule MALPEDIA_Win_Lambload_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "06af1674-69ea-53d3-92d6-29f089b02b18" + id = "8b136788-015d-54fc-bdcb-34985ee91d28" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambload" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lambload_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_360d04776b8fecec7b17892571b2e470304fba03fb5a7a2f8f66e392936ecb21" + logic_hash = "360d04776b8fecec7b17892571b2e470304fba03fb5a7a2f8f66e392936ecb21" score = 75 quality = 75 tags = "FILE" 
@@ -155097,13 +155097,13 @@ rule MALPEDIA_Win_Lookback_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6609e2c0-f23b-54b4-8d79-f0a645ffbb1d" + id = "7580e9e2-80f6-511a-b25c-1dcedd746da6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lookback_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_23f3d5d64aa0691d5c11d11eeaa6c946ceb564753a29d81b27fd2ba0df02b692" + logic_hash = "23f3d5d64aa0691d5c11d11eeaa6c946ceb564753a29d81b27fd2ba0df02b692" score = 75 quality = 75 tags = "FILE" @@ -155136,13 +155136,13 @@ rule MALPEDIA_Win_Etumbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f2deb39a-f623-532e-8deb-a6fd8054fe3a" + id = "7578b31c-0ed7-55b3-8074-02b9b6496821" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.etumbot_auto.yar#L1-L321" license_url = "N/A" - logic_hash = "v1_sha256_619819745936f9a40c560bb9c0dbcb5d200dd2306f9f732e72d34a6b9dc82070" + logic_hash = "619819745936f9a40c560bb9c0dbcb5d200dd2306f9f732e72d34a6b9dc82070" score = 75 quality = 73 tags = "FILE" 
@@ -155202,13 +155202,13 @@ rule MALPEDIA_Win_Cryptbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fde3a9fe-e1c5-5c34-a250-fe42f67d01e7" + id = "a8c726cc-365c-50aa-acf5-f55e8b642760" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptbot_auto.yar#L1-L208" license_url = "N/A" - logic_hash = "v1_sha256_47b1a044cb1a45373d0f5744b4acc6b2f29c9cc05af6ad96b3c4efc10032c638" + logic_hash = "47b1a044cb1a45373d0f5744b4acc6b2f29c9cc05af6ad96b3c4efc10032c638" score = 75 quality = 73 tags = "FILE" @@ -155254,13 +155254,13 @@ rule MALPEDIA_Win_Vohuk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2330c8b4-f795-567d-89e5-d568d1cf860f" + id = "3b59df29-d94c-5e14-b293-d94b874e6f12" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vohuk" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vohuk_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_a782dfb427f32a7fe3f5e7a12676df6b8f0aca1f4f78c54f0e9a25741f4d58aa" + logic_hash = "a782dfb427f32a7fe3f5e7a12676df6b8f0aca1f4f78c54f0e9a25741f4d58aa" score = 75 quality = 75 tags = "FILE" 
@@ -155293,13 +155293,13 @@ rule MALPEDIA_Win_Dyepack_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9d0e566e-5899-5b38-9fa1-94e0c198e4fa" + id = "3c6c274a-3d73-5c98-98aa-7fd5f4c3842b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dyepack_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_b32504dab3948f7d9f4359ced9850f6b13ecbdf66af15ac79005f7fe62b0a577" + logic_hash = "b32504dab3948f7d9f4359ced9850f6b13ecbdf66af15ac79005f7fe62b0a577" score = 75 quality = 75 tags = "FILE" @@ -155332,13 +155332,13 @@ rule MALPEDIA_Win_Karma_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9afbadeb-c6e3-54f1-a046-32813fb04adf" + id = "dbba8d60-5e3c-5b62-b524-df57562af200" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.karma_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_3819fc1d726604395f257c41732abcfd39c86d6c5f38e2d6dd6e88cb0f6eea5a" + logic_hash = "3819fc1d726604395f257c41732abcfd39c86d6c5f38e2d6dd6e88cb0f6eea5a" score = 75 quality = 75 tags = "FILE" 
@@ -155371,13 +155371,13 @@ rule MALPEDIA_Win_Webc2_Yahoo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "06d555ef-2c39-55a5-8ac2-48c3896741aa" + id = "4eedce59-ab20-52b2-90a4-b849754d3956" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_yahoo_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_3d2dd09691f298cf3eef54b62db7cef2339bebabc7bbad3cbeaa6cf7557fae03" + logic_hash = "3d2dd09691f298cf3eef54b62db7cef2339bebabc7bbad3cbeaa6cf7557fae03" score = 75 quality = 75 tags = "FILE" @@ -155410,13 +155410,13 @@ rule MALPEDIA_Win_Bachosens_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bb4532a2-7b2f-50a0-9fa1-d1dedba3fd6b" + id = "fad5470b-a756-574b-813e-1cdf42efa6b2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bachosens" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bachosens_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_0a45763c922e1378fcd981d3ff76c84b7a49bb1ac5b3430f86089ebe86f29abf" + logic_hash = "0a45763c922e1378fcd981d3ff76c84b7a49bb1ac5b3430f86089ebe86f29abf" score = 75 quality = 75 tags = "FILE" 
@@ -155449,13 +155449,13 @@ rule MALPEDIA_Win_Bangat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3c9e6590-cd21-5d9f-9334-4e159636e66d" + id = "e21234e1-ab1b-5ed7-845e-28d0f46bef68" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bangat_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_527e6766d19f3aa2fef4247d1ea1a8fda60b88b70c01d8ada16ce4d5757a0e35" + logic_hash = "527e6766d19f3aa2fef4247d1ea1a8fda60b88b70c01d8ada16ce4d5757a0e35" score = 75 quality = 75 tags = "FILE" @@ -155488,13 +155488,13 @@ rule MALPEDIA_Win_Hermes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2b2602de-8aea-500c-af8a-3951c8e66df9" + id = "5ac17fa7-a096-5e04-8e0d-a201ab441e04" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hermes_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "v1_sha256_43e558aafd9a673bf17e8773d823614dc4de0d10e8aa93baebe8c03b07e12d71" + logic_hash = "43e558aafd9a673bf17e8773d823614dc4de0d10e8aa93baebe8c03b07e12d71" score = 75 quality = 75 tags = "FILE" 
@@ -155527,13 +155527,13 @@ rule MALPEDIA_Elf_Mirai_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "038ba5f0-6787-5fdf-a844-5a1f7d0b8ffe" + id = "49bbb193-8df3-5413-98b4-2dd8215ff30b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.mirai_auto.yar#L1-L108" license_url = "N/A" - logic_hash = "v1_sha256_73e144a4e19cc6b3055073cf3ad82cd5b793db0175f18a71bb7c0cd3632a6c7c" + logic_hash = "73e144a4e19cc6b3055073cf3ad82cd5b793db0175f18a71bb7c0cd3632a6c7c" score = 75 quality = 75 tags = "FILE" @@ -155566,13 +155566,13 @@ rule MALPEDIA_Win_Nimplant_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4cfd3fd5-9909-5b4a-9c38-b12ab937da5d" + id = "ab9ad292-a36d-5023-b871-7d5dcf59a376" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimplant" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nimplant_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_78100de3c1ed8ac731d4871e0295c4754b22f71e68f7be54c12e992f0adcf829" + logic_hash = "78100de3c1ed8ac731d4871e0295c4754b22f71e68f7be54c12e992f0adcf829" score = 75 quality = 75 tags = "FILE" 
@@ -155605,13 +155605,13 @@ rule MALPEDIA_Win_Torisma_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9896cf1a-a0b3-5748-a878-30d5e847d631" + id = "0c8b0e1d-5ff0-52a0-901d-e5a98754d385" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.torisma_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_5f2db125f988ab78c395c9bd2de9be120817934423d4d9849c1bfeec7d230b1e" + logic_hash = "5f2db125f988ab78c395c9bd2de9be120817934423d4d9849c1bfeec7d230b1e" score = 75 quality = 75 tags = "FILE" @@ -155647,13 +155647,13 @@ rule MALPEDIA_Elf_Gobrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eb6bec73-5256-53a4-bece-21473236e5cc" + id = "9cb05d8e-88df-5069-9152-096fc77aac24" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gobrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.gobrat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_29d6047280b8adce38a5f6a7e3d8112ab4747228198bdfc531ab746feecbff32" + logic_hash = "29d6047280b8adce38a5f6a7e3d8112ab4747228198bdfc531ab746feecbff32" score = 60 quality = 35 tags = "FILE" 
@@ -155686,13 +155686,13 @@ rule MALPEDIA_Win_Netspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "98b825f0-315b-514d-8860-505064c356fb" + id = "d080908e-0a12-5fdc-839c-5d0458a92f12" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netspy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.netspy_auto.yar#L1-L100" license_url = "N/A" - logic_hash = "v1_sha256_66a516dd000926156bcdfd45ff83678e3971de0f2826970552469344651d0e0a" + logic_hash = "66a516dd000926156bcdfd45ff83678e3971de0f2826970552469344651d0e0a" score = 75 quality = 75 tags = "FILE" @@ -155723,13 +155723,13 @@ rule MALPEDIA_Win_Makop_Ransomware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "631cc0ef-be14-583c-bc7f-f76054f5dc84" + id = "cd34e745-9497-5ffc-bd73-ecb5996e2067" date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.makop_ransomware_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_3c7cc3419f322a8e9eb8473ecaf54fc5da0725e8a0f35ff3f90245e28389848b" + logic_hash = "3c7cc3419f322a8e9eb8473ecaf54fc5da0725e8a0f35ff3f90245e28389848b" score = 75 quality = 75 tags = "FILE" 
@@ -155762,13 +155762,13 @@ rule MALPEDIA_Win_Hyperbro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "29be42e5-d27b-5ae6-bfa8-40b725f3597e" + id = "928fd5bd-5df8-568b-aeb6-54067fcb6b3c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hyperbro_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_8b88d94d4bfcc0d3fb17142bb489e5f64650c522e571881733fdf16c084eb88b" + logic_hash = "8b88d94d4bfcc0d3fb17142bb489e5f64650c522e571881733fdf16c084eb88b" score = 75 quality = 75 tags = "FILE" @@ -155801,13 +155801,13 @@ rule MALPEDIA_Win_Ironhalo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91c88c4b-8048-54a2-81b2-c4204ef5a9f3" + id = "b2edd4d8-243a-5455-b301-d36fe2c3ed3d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ironhalo_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_3a1ed5f7cc69a5a02f4dcd285f3d5642f43e5c8d6d88cc34ecaa1d07c458876f" + logic_hash = "3a1ed5f7cc69a5a02f4dcd285f3d5642f43e5c8d6d88cc34ecaa1d07c458876f" score = 75 quality = 75 tags = "FILE" 
@@ -155840,13 +155840,13 @@ rule MALPEDIA_Win_Blackshades_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e4f60ab6-31a0-5e48-9596-08c0c8696a4d" + id = "be0044cc-ffdd-5ce8-9261-6f20deb49ec5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackshades_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_5be1fd8de19e4a88da957f4843427153e72a697b528878c27f4d0e3032429536" + logic_hash = "5be1fd8de19e4a88da957f4843427153e72a697b528878c27f4d0e3032429536" score = 75 quality = 75 tags = "FILE" @@ -155879,13 +155879,13 @@ rule MALPEDIA_Win_Bluelight_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "90aa3877-a95b-52d7-bc86-d1983c051ddd" + id = "9ab2727d-5272-5ca8-92a4-f15ef9dc3660" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluelight" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bluelight_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_807d4d695fef666ac0d7be4d86c77f03bfb065bf15881d360fd3af2db66d4f22" + logic_hash = "807d4d695fef666ac0d7be4d86c77f03bfb065bf15881d360fd3af2db66d4f22" score = 75 quality = 75 tags = "FILE" 
@@ -155918,13 +155918,13 @@ rule MALPEDIA_Win_Moriya_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c459566-c39b-5491-8a40-26f1ee14a154" + id = "45383b38-ad7d-58f1-bbb1-9d0f7680c4d8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moriya_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_1ab9803873e98ee1cb5c5f8b1cc931b7d333aed621e9979986cfb9846e4dee1c" + logic_hash = "1ab9803873e98ee1cb5c5f8b1cc931b7d333aed621e9979986cfb9846e4dee1c" score = 75 quality = 75 tags = "FILE" @@ -155957,13 +155957,13 @@ rule MALPEDIA_Win_Quarterrig_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4352b939-cb90-567a-a53b-06d3539406d2" + id = "768adc6e-04ee-5553-a73f-cf738ca33079" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.quarterrig_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_b7e9c1f7a0f9288f7f968855b7e176a67e0d0fef09a3da04bc264465377e4dae" + logic_hash = "b7e9c1f7a0f9288f7f968855b7e176a67e0d0fef09a3da04bc264465377e4dae" score = 75 quality = 75 tags = "FILE" 
@@ -155996,13 +155996,13 @@ rule MALPEDIA_Win_Netkey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "149640d5-fb5a-5d2a-9395-f4f21d9a6b1a" + id = "a13a2f78-42fb-5eb6-88d7-3a64826b180e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.netkey_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_11cc566a64ecf8a198c36c98aeaff38f948208170139e520619905a90909c22c" + logic_hash = "11cc566a64ecf8a198c36c98aeaff38f948208170139e520619905a90909c22c" score = 75 quality = 75 tags = "FILE" @@ -156035,13 +156035,13 @@ rule MALPEDIA_Win_Miancha_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e61236da-6989-5e55-aa0d-972a25ac29ba" + id = "0fca04e0-92f2-5b94-88d0-1960dbccd943" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.miancha_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_265db074bcd13da1887f66f32f80a00bfe9fccbd1f685bc2e9a0d53a7fe9cd80" + logic_hash = "265db074bcd13da1887f66f32f80a00bfe9fccbd1f685bc2e9a0d53a7fe9cd80" score = 75 quality = 75 tags = "FILE" 
@@ -156074,13 +156074,13 @@ rule MALPEDIA_Win_Dented_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1f004cb1-ea85-5c8f-800e-217b31d3da62" + id = "3499a500-5e01-578b-aa3c-ab625e855061" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dented_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_2522b2401dbe103d35106dff38664664351f596847e13ae16367587c7b9e72e4" + logic_hash = "2522b2401dbe103d35106dff38664664351f596847e13ae16367587c7b9e72e4" score = 75 quality = 75 tags = "FILE" @@ -156113,13 +156113,13 @@ rule MALPEDIA_Win_Eyservice_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ada94cec-b0d7-53b1-bf19-f66cc7283897" + id = "589ff6f4-47d8-50d3-88a8-cdfa19ccb778" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.eyservice_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_9d569b1b4aa245beb2c0397a0750c9c20deb66d33a0ec235ace59e3da184607d" + logic_hash = "9d569b1b4aa245beb2c0397a0750c9c20deb66d33a0ec235ace59e3da184607d" score = 75 quality = 75 tags = "FILE" 
@@ -156152,13 +156152,13 @@ rule MALPEDIA_Win_Murofet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "13b4e2ad-bb0b-5f4d-80d4-c72f68507e34" + id = "2ee51841-1931-5e92-8698-30f3c51730b7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.murofet_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_9298e47cf759c52371e794c7e892c3c0542296ba15da499ce2f22bd9f2d8e48e" + logic_hash = "9298e47cf759c52371e794c7e892c3c0542296ba15da499ce2f22bd9f2d8e48e" score = 75 quality = 75 tags = "FILE" @@ -156191,13 +156191,13 @@ rule MALPEDIA_Win_Pirpi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7af51a56-8856-58a9-8626-fd53a7930ff0" + id = "87b6b6f2-e4ed-52ab-9d18-a97a5c488a2f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pirpi_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_ac2a9b729be997048deec428ae0fd8035f83f34266d3bcf665ee32e11696cc21" + logic_hash = "ac2a9b729be997048deec428ae0fd8035f83f34266d3bcf665ee32e11696cc21" score = 75 quality = 75 tags = "FILE" 
@@ -156230,13 +156230,13 @@ rule MALPEDIA_Win_Recordbreaker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bd131d19-f7c9-58e8-9cd2-2fb41ea4cbe4" + id = "9dc0ca6e-db62-51b1-9019-1c46d30aeec8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.recordbreaker_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_a0221e50197a38d94db3feaa17095d8a8348850bd5ac357aa5c929b1c8bf609a" + logic_hash = "a0221e50197a38d94db3feaa17095d8a8348850bd5ac357aa5c929b1c8bf609a" score = 75 quality = 75 tags = "FILE" @@ -156269,13 +156269,13 @@ rule MALPEDIA_Win_Fudmodule_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "012c0e90-ad75-5a40-87a7-7fa2ccebdd96" + id = "bbb969f6-fc21-5df2-98a0-24465f1a52fb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fudmodule_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "v1_sha256_3c836db347337427da5b8480cbffb4c9a34ff35d9d7cf56625d940236b49e08c" + logic_hash = "3c836db347337427da5b8480cbffb4c9a34ff35d9d7cf56625d940236b49e08c" score = 75 quality = 75 tags = "FILE" 
@@ -156314,13 +156314,13 @@ rule MALPEDIA_Win_Client_Maximus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a2b0cb8a-5f2c-5ac4-9103-a52b29d63c77" + id = "7644986b-8879-5e3c-bd1e-48cdc3ff2e40" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.client_maximus_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_2b5d2ecf5b1f20897666cf19bda4b06d4863b096982d3499177f71ebee7c8979" + logic_hash = "2b5d2ecf5b1f20897666cf19bda4b06d4863b096982d3499177f71ebee7c8979" score = 75 quality = 75 tags = "FILE" @@ -156353,13 +156353,13 @@ rule MALPEDIA_Win_Jaff_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8f900f3d-624c-5752-a34e-76a3e132e300" + id = "dbcef186-9c65-5f08-b104-968bef8d25a5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jaff_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_9a989bf52696173e65a2ed9949d803cbd331438ebfe4f480f702f5669476fb7a" + logic_hash = "9a989bf52696173e65a2ed9949d803cbd331438ebfe4f480f702f5669476fb7a" score = 75 quality = 75 tags = "FILE" 
@@ -156392,13 +156392,13 @@ rule MALPEDIA_Win_Apocalypse_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1d351fa6-bae9-5952-a3f6-44d8d5d41c8f" + id = "b5ccf1f6-f470-5408-b195-08329344ed8e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.apocalypse_ransom_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_18df20f7eebe1c78a082ce30f5a4491f9ac67772b997a33222fc4d85121626f7" + logic_hash = "18df20f7eebe1c78a082ce30f5a4491f9ac67772b997a33222fc4d85121626f7" score = 75 quality = 75 tags = "FILE" @@ -156431,13 +156431,13 @@ rule MALPEDIA_Win_Ramsay_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84514f24-fd77-5c3b-a098-71f64c8d29f5" + id = "ca34f65f-e875-5b7a-bc28-21fb62ed4b88" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ramsay_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "v1_sha256_9a41eaab55357b928cd2c1b68d94938a51a46b8558bc541d5b896032a4300700" + logic_hash = "9a41eaab55357b928cd2c1b68d94938a51a46b8558bc541d5b896032a4300700" score = 75 quality = 75 tags = "FILE" 
@@ -156476,13 +156476,13 @@ rule MALPEDIA_Win_Crylocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "adaf89d9-4938-5a60-a816-f8e038f10748" + id = "2b5ef66c-1ec0-5c10-8396-507384c0e395" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crylocker_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_d90969734d25e11d990569603034674764175d320f05923dcd1a4fc7e127f4a1" + logic_hash = "d90969734d25e11d990569603034674764175d320f05923dcd1a4fc7e127f4a1" score = 75 quality = 75 tags = "FILE" @@ -156515,13 +156515,13 @@ rule MALPEDIA_Win_Elirks_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "282ef60d-7d1d-562d-82ea-eaeabd29d78e" + id = "2f83629f-d917-5544-9557-f1c734a140a5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.elirks_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_23afc2f901e3fd2aa39a45f20d3907f7b1b87b547d67ae2e0da6482231d3ff66" + logic_hash = "23afc2f901e3fd2aa39a45f20d3907f7b1b87b547d67ae2e0da6482231d3ff66" score = 75 quality = 75 tags = "FILE" 
@@ -156554,13 +156554,13 @@ rule MALPEDIA_Win_Milkmaid_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4ffd42f4-958e-526f-806b-4327e9ba064f" + id = "5948a1f6-8eaf-5535-ac9f-e8e1c89ea107" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.milkmaid_auto.yar#L1-L98" license_url = "N/A" - logic_hash = "v1_sha256_b839dfa6db2fa7bf81ab8ee61b0a1d4a011d7a0ef5b792c9852059c0fc803283" + logic_hash = "b839dfa6db2fa7bf81ab8ee61b0a1d4a011d7a0ef5b792c9852059c0fc803283" score = 75 quality = 75 tags = "FILE" @@ -156591,13 +156591,13 @@ rule MALPEDIA_Win_Thunker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "748dec3d-0cc4-58b4-8555-00158b54f582" + id = "6a7578c2-9954-5c27-9789-75ce33a8978d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.thunker_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_324dbb01ab87806e82adbcf168652688ad932f1c3e2806c75596e6aeba36cca3" + logic_hash = "324dbb01ab87806e82adbcf168652688ad932f1c3e2806c75596e6aeba36cca3" score = 75 quality = 75 tags = "FILE" 
@@ -156630,13 +156630,13 @@ rule MALPEDIA_Win_Htprat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2ea3cfad-7b4f-54cb-9159-13e3337ec376" + id = "6c918b98-1bd6-5c2a-a08e-afe038715c4f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.htprat_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_3d036a590536bfddf1556e3ceddf3bf5bcdba928f7034561835a6a007a09cb31" + logic_hash = "3d036a590536bfddf1556e3ceddf3bf5bcdba928f7034561835a6a007a09cb31" score = 75 quality = 75 tags = "FILE" @@ -156669,13 +156669,13 @@ rule MALPEDIA_Win_Scanpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ee53f97e-2075-5800-a5b7-94c046722429" + id = "68b120db-1dba-5584-bc59-126fea6e111e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.scanpos_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_a62211e1eb96c58c9bf699a15d117ca283e56d459f8aea50975f3891740e6968" + logic_hash = "a62211e1eb96c58c9bf699a15d117ca283e56d459f8aea50975f3891740e6968" score = 75 quality = 75 tags = "FILE" 
@@ -156708,13 +156708,13 @@ rule MALPEDIA_Win_Deltas_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "444bd17c-f51e-5797-bdfc-594bf0f154e8" + id = "25a7191c-2842-5745-a11d-ea324cb5fa9f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.deltas_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_c404323fb1d2a8c3fdb1b29caf32d56e1cbc5b9f3900009b6282344552f18e72" + logic_hash = "c404323fb1d2a8c3fdb1b29caf32d56e1cbc5b9f3900009b6282344552f18e72" score = 75 quality = 75 tags = "FILE" @@ -156747,13 +156747,13 @@ rule MALPEDIA_Win_Diceloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "505eb238-d8a5-53d1-81c7-57cffabe8b76" + id = "593cd06d-f8dd-5a0b-859e-ad7b04c5325f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diceloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.diceloader_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_e070fb94fcf5f24a6795b4dab69a3a87130002e18415d4a25f346061fa315110" + logic_hash = "e070fb94fcf5f24a6795b4dab69a3a87130002e18415d4a25f346061fa315110" score = 75 quality = 75 tags = "FILE" 
@@ -156786,13 +156786,13 @@ rule MALPEDIA_Win_Stowaway_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "daf5703b-c62f-5ac3-beaa-486132784e5f" + id = "6f8ce329-6af5-534d-8e65-b76b0e9206b8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stowaway_auto.yar#L1-L182" license_url = "N/A" - logic_hash = "v1_sha256_3f7831026b9a760683489b7cb3923fc1a6ee7aeca5e5576ea427cb584360b368" + logic_hash = "3f7831026b9a760683489b7cb3923fc1a6ee7aeca5e5576ea427cb584360b368" score = 75 quality = 75 tags = "FILE" @@ -156834,13 +156834,13 @@ rule MALPEDIA_Win_Crat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6acd2928-fb11-5292-98a6-da75591e7cc2" + id = "02c75bda-cef6-5d61-9783-dd39d3c8cee4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crat_auto.yar#L1-L181" license_url = "N/A" - logic_hash = "v1_sha256_723ada0a4601efb2490dd7b222473b1f376d5e93aa2040691bdff635e0b77048" + logic_hash = "723ada0a4601efb2490dd7b222473b1f376d5e93aa2040691bdff635e0b77048" score = 75 quality = 75 tags = "FILE" 
@@ -156881,13 +156881,13 @@ rule MALPEDIA_Win_Sunorcal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "37b763eb-e42a-5850-a825-6b4c719e44fe" + id = "a8968f16-8557-51ad-9926-5303f4012f89" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sunorcal_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_7356cfcbffaef559e7c55d9c230d0091548077f346f07c94d1eede7494054ef4" + logic_hash = "7356cfcbffaef559e7c55d9c230d0091548077f346f07c94d1eede7494054ef4" score = 75 quality = 75 tags = "FILE" @@ -156920,13 +156920,13 @@ rule MALPEDIA_Win_Zerocleare_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "31edd6d2-d158-5351-8d68-2c34a14fdde9" + id = "433422a9-8155-5253-967a-d468274de85b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zerocleare_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_27ba0960de329e73790bd0fb19cb3129bd1f124ee5eb512b9aca888dc53e16b5" + logic_hash = "27ba0960de329e73790bd0fb19cb3129bd1f124ee5eb512b9aca888dc53e16b5" score = 75 quality = 75 tags = "FILE" 
@@ -156959,13 +156959,13 @@ rule MALPEDIA_Win_Minibike_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b1c7582-32fb-5bb1-8484-2c0d94b019d0" + id = "64fb33a7-6775-549a-bd66-e303dd414aa4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibike" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.minibike_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_bd38364b90ab98904e008cf661267157cc33bb2a7b72870b77767ef9d697acf9" + logic_hash = "bd38364b90ab98904e008cf661267157cc33bb2a7b72870b77767ef9d697acf9" score = 75 quality = 75 tags = "FILE" @@ -156998,13 +156998,13 @@ rule MALPEDIA_Win_Tandfuy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0926a8e9-376e-530e-8c2c-e92ec11a82ba" + id = "98faff68-6444-5057-abe1-4d454646340b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tandfuy_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_0d29f36f5ce30fba44a6664f50cc897adc5bd707aa4ee8b0311232ce455481f7" + logic_hash = "0d29f36f5ce30fba44a6664f50cc897adc5bd707aa4ee8b0311232ce455481f7" score = 75 quality = 75 tags = "FILE" 
@@ -157037,13 +157037,13 @@ rule MALPEDIA_Win_Zitmo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "48662fa9-abd1-5b53-894e-d4b5a4b1fb5a" + id = "d2638537-3a4e-5c8e-ade0-4e7713d00050" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zitmo_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_0686a29e962228ecc50738c63dd8a09a1caddb201f651468d74323cba829436b" + logic_hash = "0686a29e962228ecc50738c63dd8a09a1caddb201f651468d74323cba829436b" score = 75 quality = 75 tags = "FILE" @@ -157076,13 +157076,13 @@ rule MALPEDIA_Win_Fakeword_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f45499ff-df39-512f-bcd8-9574bf1070ef" + id = "7169860f-e999-5507-9589-e70286203456" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fakeword_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_76d399ff443db77ecdb848e572804a47dc4d5691a8ae699933905dad0bc0467f" + logic_hash = "76d399ff443db77ecdb848e572804a47dc4d5691a8ae699933905dad0bc0467f" score = 75 quality = 75 tags = "FILE" 
@@ -157115,13 +157115,13 @@ rule MALPEDIA_Win_Bernhardpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dbb86fb6-1c3c-50bd-8716-d819d9427823" + id = "e53bca0c-e390-5052-8af3-50fac1bc5855" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bernhardpos_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_1e1ede6b562cb821e225ab092cfdf0abf71f1c6115a9127ed5d67b3e3afac78f" + logic_hash = "1e1ede6b562cb821e225ab092cfdf0abf71f1c6115a9127ed5d67b3e3afac78f" score = 75 quality = 75 tags = "FILE" @@ -157154,13 +157154,13 @@ rule MALPEDIA_Win_Rdat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "65f19b38-5794-5985-99d1-b86b08e58bb9" + id = "c05f84d4-de9e-5fb2-ae60-330892f73174" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rdat_auto.yar#L1-L159" license_url = "N/A" - logic_hash = "v1_sha256_2e9377d4369bfead5bccbe7fe48c6c763a624a3a6df0438cb4949c8e1a10afb4" + logic_hash = "2e9377d4369bfead5bccbe7fe48c6c763a624a3a6df0438cb4949c8e1a10afb4" score = 60 quality = 45 tags = "FILE" 
@@ -157199,13 +157199,13 @@ rule MALPEDIA_Win_Unidentified_094_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ee055037-656b-5257-a169-88743ad9f2dd" + id = "f5bdd8f3-d974-5222-9555-3631072a29c0" date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_094" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_094_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_f3d0ed91e99c9ab03a6ddd24a2a28007a40b7e677077c8b725a5a67f32cc52a7" + logic_hash = "f3d0ed91e99c9ab03a6ddd24a2a28007a40b7e677077c8b725a5a67f32cc52a7" score = 75 quality = 75 tags = "FILE" @@ -157238,13 +157238,13 @@ rule MALPEDIA_Win_Silentgh0St_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "908889b6-ce71-5631-89ac-1f81f975e382" + id = "4a960624-dc10-5985-85b4-1cf5514d3775" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.silentgh0st" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.silentgh0st_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_a3ef882d6032b75964ce0bbd68389a460d9ac4c6db1e56db70620c83eabc0109" + logic_hash = "a3ef882d6032b75964ce0bbd68389a460d9ac4c6db1e56db70620c83eabc0109" score = 75 quality = 75 tags = "FILE" 
@@ -157277,13 +157277,13 @@ rule MALPEDIA_Win_Ghost_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9b5ee7f-f861-5b03-81a9-9aee37152852" + id = "e442a566-13fc-5122-ba83-74fd22421a05" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ghost_rat_auto.yar#L1-L316" license_url = "N/A" - logic_hash = "v1_sha256_ec6224b8ae12982eada904cedab10d4c1635a00f1f82b5bceec6389113a6ffb4" + logic_hash = "ec6224b8ae12982eada904cedab10d4c1635a00f1f82b5bceec6389113a6ffb4" score = 75 quality = 73 tags = "FILE" @@ -157339,13 +157339,13 @@ rule MALPEDIA_Win_Bruh_Wiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3dfb3381-f584-5019-8d30-457301dcd554" + id = "8004678f-c7f1-56db-b368-30e9334ba4b0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bruh_wiper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bruh_wiper_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_26b32a2c0d923fc99fb91e4beb18e36e72d9c523fef8bdb0bb63ddd5fd11ff5a" + logic_hash = "26b32a2c0d923fc99fb91e4beb18e36e72d9c523fef8bdb0bb63ddd5fd11ff5a" score = 75 quality = 75 tags = "FILE" 
@@ -157378,13 +157378,13 @@ rule MALPEDIA_Win_Retro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "065cd0cd-b996-5b14-b0fd-286d7af35d12" + id = "137253c4-c80f-5441-8b2d-57b863c1f908" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.retro_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_603d0a826a833e930e158367f2340675f42fda3d145846edecb7422d26e8a466" + logic_hash = "603d0a826a833e930e158367f2340675f42fda3d145846edecb7422d26e8a466" score = 75 quality = 75 tags = "FILE" @@ -157417,13 +157417,13 @@ rule MALPEDIA_Win_Atharvan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "17036e60-4897-50ff-87ec-d1da3a1ce294" + id = "3c02a0c3-381c-58dd-b6d4-bea79ed0706c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atharvan" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atharvan_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_0acd4bed1957d388586b468893d24540b89fb41ef5b3efe72287a455a5c18d66" + logic_hash = "0acd4bed1957d388586b468893d24540b89fb41ef5b3efe72287a455a5c18d66" score = 75 quality = 75 tags = "FILE" 
@@ -157456,13 +157456,13 @@ rule MALPEDIA_Win_Dircrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ecff248-877d-5e8c-b84d-c78d67df2154" + id = "6dfaa124-348a-5731-9f6e-b3677fe125b4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dircrypt_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_62b8e91a741487003e5f68773b4563818c6ceb487f0acf4f30c08c003042c088" + logic_hash = "62b8e91a741487003e5f68773b4563818c6ceb487f0acf4f30c08c003042c088" score = 75 quality = 75 tags = "FILE" @@ -157495,13 +157495,13 @@ rule MALPEDIA_Elf_Blackcat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "409c3abf-2440-55a7-b1bd-946b2ec9d48d" + id = "a1fea123-6f91-5435-8619-28347a7f06ff" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.blackcat_auto.yar#L1-L111" license_url = "N/A" - logic_hash = "v1_sha256_630d3dc7c9122b8f92125090dcb7617ef29586df7b1f7e85bb11a06ca666eb4d" + logic_hash = "630d3dc7c9122b8f92125090dcb7617ef29586df7b1f7e85bb11a06ca666eb4d" score = 60 quality = 45 tags = "FILE" 
@@ -157534,13 +157534,13 @@ rule MALPEDIA_Win_Greetingghoul_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "36a0925e-eb3d-55e7-bb34-808ef1445086" + id = "881721a5-e164-51b8-a287-1242b24b8d86" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.greetingghoul" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.greetingghoul_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_21010fe53cfb0bf5a0ef36b612c93204fe24237a4c71d13df9cbc88f88795750" + logic_hash = "21010fe53cfb0bf5a0ef36b612c93204fe24237a4c71d13df9cbc88f88795750" score = 75 quality = 75 tags = "FILE" @@ -157573,13 +157573,13 @@ rule MALPEDIA_Win_Vermilion_Strike_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a5d7e547-7144-5fe6-a301-9699ffe89d28" + id = "0cca6268-ed67-5b5d-8d1e-c4b1c4763f8b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermilion_strike" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vermilion_strike_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_ffc8a6cd25f24a5bbb4ecf81a74aa2be97f9696d5656c7bc8cb3391d29c69c5d" + logic_hash = "ffc8a6cd25f24a5bbb4ecf81a74aa2be97f9696d5656c7bc8cb3391d29c69c5d" score = 75 quality = 75 tags = "FILE" 
@@ -157612,13 +157612,13 @@ rule MALPEDIA_Win_Shady_Hammock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0ef81bd7-bed2-5fc7-aa7d-8a5e30c4d797" + id = "36740afa-cc52-5013-823b-4d67eb5edc24" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shady_hammock" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shady_hammock_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_fa878708757191f1b63841f4404f6fa30ea9e29c95ad0fe726f8dc83ae6686cd" + logic_hash = "fa878708757191f1b63841f4404f6fa30ea9e29c95ad0fe726f8dc83ae6686cd" score = 75 quality = 75 tags = "FILE" @@ -157651,13 +157651,13 @@ rule MALPEDIA_Win_Photolite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5b63f155-b41f-5869-ae36-204f39a48989" + id = "b838fe06-7cef-5999-9706-bfe3b9dcfde8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photolite" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.photolite_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "v1_sha256_5ed47a87d33839515eff080f5efa80e00a8db9b392140f3655d5bd0ad6753f13" + logic_hash = "5ed47a87d33839515eff080f5efa80e00a8db9b392140f3655d5bd0ad6753f13" score = 75 quality = 75 tags = "FILE" 
@@ -157696,13 +157696,13 @@ rule MALPEDIA_Win_Glassrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "12150720-7431-5841-99c7-8c1b3fc2b9d0" + id = "42f75008-33b0-5628-aa20-35cf904b2cc2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.glassrat_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_4ee9c1e6fb6f5290f1ce6d0e335f981f784c2b61e1aa9e3c4c33ebb2644983ee" + logic_hash = "4ee9c1e6fb6f5290f1ce6d0e335f981f784c2b61e1aa9e3c4c33ebb2644983ee" score = 75 quality = 75 tags = "FILE" @@ -157735,13 +157735,13 @@ rule MALPEDIA_Win_Bunnyloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ef1725a-7574-5390-9d8f-5468a6213572" + id = "ece611ac-2894-5ce7-8657-b8f35c78c42b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunnyloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bunnyloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_129a4ff66c7e006295a1adc8f4f2d85689837626bb7a785d4d174a96334a4fa5" + logic_hash = "129a4ff66c7e006295a1adc8f4f2d85689837626bb7a785d4d174a96334a4fa5" score = 75 quality = 75 tags = "FILE" 
@@ -157774,13 +157774,13 @@ rule MALPEDIA_Win_Expiro_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fe986843-314b-59a9-a933-b857b5ee2f9e" + id = "537fff19-bacc-5fad-8e62-d15e873151bb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.expiro_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_9d4a4b6071f8efe24f30549b3b2d217f52995878f6039fe924a8169a6f93625b" + logic_hash = "9d4a4b6071f8efe24f30549b3b2d217f52995878f6039fe924a8169a6f93625b" score = 75 quality = 75 tags = "FILE" @@ -157813,13 +157813,13 @@ rule MALPEDIA_Win_Tonerjam_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c5b5112b-71de-5313-88bb-929e375547a1" + id = "82fd263f-2277-5710-bde1-c5f381e7b3bb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonerjam" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tonerjam_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_099b04145c5c37971e7ea839a0239f9aa67c9ef01dc57a28edbabde3d3d1e624" + logic_hash = "099b04145c5c37971e7ea839a0239f9aa67c9ef01dc57a28edbabde3d3d1e624" score = 75 quality = 75 tags = "FILE" 
@@ -157852,13 +157852,13 @@ rule MALPEDIA_Win_Trickbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "16262160-f49b-52a1-beaa-88cab82c5e8b" + id = "b628fd83-f3fd-51c9-94aa-b13e26229dea" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.trickbot_auto.yar#L1-L652" license_url = "N/A" - logic_hash = "v1_sha256_c6087fe2aa4e485109cf9851f9f0a342724e7430c1979121c1548b3fca1551c6" + logic_hash = "c6087fe2aa4e485109cf9851f9f0a342724e7430c1979121c1548b3fca1551c6" score = 75 quality = 48 tags = "FILE" @@ -157960,13 +157960,13 @@ rule MALPEDIA_Win_Phandoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d09b0e82-8e5f-5db2-8b05-4af196364870" + id = "0e2d27b4-00ed-575d-8906-80ec3438892e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.phandoor_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "v1_sha256_672e69f8a19e82fd9345f6016aa6bea0d13d3c04e81e3fb7b10e21c796057271" + logic_hash = "672e69f8a19e82fd9345f6016aa6bea0d13d3c04e81e3fb7b10e21c796057271" score = 75 quality = 75 tags = "FILE" 
@@ -158005,13 +158005,13 @@ rule MALPEDIA_Win_Nighthawk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "58d08abf-c440-5ee3-875c-90fc1b4d34b1" + id = "031218c2-08fe-51c2-a9be-67ba73d1aae5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nighthawk_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_477ee6b7607005d8498fab8a4f21f58e1d0451668a3652d5802801764720896d" + logic_hash = "477ee6b7607005d8498fab8a4f21f58e1d0451668a3652d5802801764720896d" score = 75 quality = 75 tags = "FILE" @@ -158044,13 +158044,13 @@ rule MALPEDIA_Win_Excalibur_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2dbd052a-04f4-5dbd-8ea6-13cd84cfdea5" + id = "2243999a-f912-5283-8db6-7a7e597c07e9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.excalibur_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_58bc3d918cc2c57a1f8a313886d8855731ce5abe92983e974335457efdd3438d" + logic_hash = "58bc3d918cc2c57a1f8a313886d8855731ce5abe92983e974335457efdd3438d" score = 75 quality = 75 tags = "FILE" 
@@ -158083,13 +158083,13 @@ rule MALPEDIA_Win_Hermeticwizard_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b250eb67-ca43-5e90-bfb3-dabc14e566e8" + id = "d95bc7c2-314b-5852-896f-2ab463620583" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hermeticwizard_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_a04b957d824c192d4445e19ff2c64beb34502a356441d2497a3f568d12cc4736" + logic_hash = "a04b957d824c192d4445e19ff2c64beb34502a356441d2497a3f568d12cc4736" score = 75 quality = 75 tags = "FILE" @@ -158122,13 +158122,13 @@ rule MALPEDIA_Win_Nitrogen_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d8a09283-e69a-54c7-a36b-969877b2407b" + id = "3b860399-f17f-5be6-a7fa-0d462134408c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitrogen" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nitrogen_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_7fc10887629eb8cbe7591a0bc8e19e89881d6b530c9068ab47e88598472a7314" + logic_hash = "7fc10887629eb8cbe7591a0bc8e19e89881d6b530c9068ab47e88598472a7314" score = 75 quality = 75 tags = "FILE" 
@@ -158161,13 +158161,13 @@ rule MALPEDIA_Win_Urlzone_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c54a2943-2739-5726-91ee-b6260dcf5787" + id = "66cd5cda-0cf5-5934-9baf-6b5f820d2f06" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.urlzone_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_7c1a2ac73460b5e428df7b91964316f5979631407a0a74f2db057df15dd1651b" + logic_hash = "7c1a2ac73460b5e428df7b91964316f5979631407a0a74f2db057df15dd1651b" score = 75 quality = 75 tags = "FILE" @@ -158200,13 +158200,13 @@ rule MALPEDIA_Win_Mangzamel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "03d21ea2-a38c-5936-9b9b-b83c0b0f2bc2" + id = "b83ef951-bd5b-5678-b2df-639cf3b41b3c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mangzamel_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_f6c1e5305bfe68c66a3ef4b49c38bfc3eb7f92ef914438435cd55d230265d8d5" + logic_hash = "f6c1e5305bfe68c66a3ef4b49c38bfc3eb7f92ef914438435cd55d230265d8d5" score = 75 quality = 75 tags = "FILE" 
@@ -158239,13 +158239,13 @@ rule MALPEDIA_Win_Tabmsgsql_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ccf25bc9-85af-5cad-9bb8-f81b491f4115" + id = "46efd2fa-703e-5a59-aba6-3e76ded2c28a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tabmsgsql_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_b7af53703ea2c2d22f99bfde61f6f08676ed98de77314180af9bbcb3621e1f8d" + logic_hash = "b7af53703ea2c2d22f99bfde61f6f08676ed98de77314180af9bbcb3621e1f8d" score = 75 quality = 75 tags = "FILE" @@ -158278,13 +158278,13 @@ rule MALPEDIA_Win_Industroyer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7e10bfba-e95c-5232-a609-7cabac7abc64" + id = "4666d9b8-e696-5bb0-aac9-aa0f0ad9f1b7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.industroyer_auto.yar#L1-L376" license_url = "N/A" - logic_hash = "v1_sha256_6dea509664f187f90fcd96f2db4ab697e4dc6a135630fab4d4323ee78e00c0a5" + logic_hash = "6dea509664f187f90fcd96f2db4ab697e4dc6a135630fab4d4323ee78e00c0a5" score = 75 quality = 73 tags = "FILE" 
@@ -158347,13 +158347,13 @@ rule MALPEDIA_Win_Unidentified_110_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e383d071-3d7f-5d17-b729-08cdc57acdaa" + id = "de50c299-8c19-5206-82ae-12d89e1364a2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_110_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_7703e37b095cb10c8692d1e0e6db116fd89428e35c2b0f841b802fc9c40d7edf" + logic_hash = "7703e37b095cb10c8692d1e0e6db116fd89428e35c2b0f841b802fc9c40d7edf" score = 75 quality = 75 tags = "FILE" @@ -158386,13 +158386,13 @@ rule MALPEDIA_Win_Observer_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "03646501-baeb-5686-b93d-368b3cd4a584" + id = "24de6ab1-f92f-5eeb-9448-e6d3e6bd0612" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.observer_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.observer_stealer_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_408c29e400138ccd9118763d2259592c2d4bc7c8429c89ee21feadbbd649bc7c" + logic_hash = "408c29e400138ccd9118763d2259592c2d4bc7c8429c89ee21feadbbd649bc7c" score = 75 quality = 75 tags = "FILE" 
@@ -158425,13 +158425,13 @@ rule MALPEDIA_Win_Voidoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a274838c-9bb5-5c9b-9bd6-410d4d83e5a7" + id = "92ea84a1-8606-53ec-b061-29e92893f1a1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.voidoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.voidoor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_c7810f3b0438aab57f906bea825e4f8545638ef9f814f76d8e4defd0ecb553e3" + logic_hash = "c7810f3b0438aab57f906bea825e4f8545638ef9f814f76d8e4defd0ecb553e3" score = 75 quality = 75 tags = "FILE" @@ -158464,13 +158464,13 @@ rule MALPEDIA_Win_Wslink_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1bb9bfd9-05f7-56f5-b41c-4992c9bcfbdf" + id = "fab4adfe-31ab-528e-91bb-69ff368202dc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wslink_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_043911efcdbe30576afee29cea013b6adde98869fbb9875f474aa30d6ea1369e" + logic_hash = "043911efcdbe30576afee29cea013b6adde98869fbb9875f474aa30d6ea1369e" score = 75 quality = 75 tags = "FILE" 
@@ -158503,13 +158503,13 @@ rule MALPEDIA_Win_Raccoon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "eed3aab4-aa50-5fdf-a7d7-edf60fe41be2" + id = "a1c26303-9125-5fd7-aa51-ad1eac6fcf97" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.raccoon_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_490a547d291c29560eb0a750de21265ccd9b82463cd0d04b08babd8cc5f3ca9a" + logic_hash = "490a547d291c29560eb0a750de21265ccd9b82463cd0d04b08babd8cc5f3ca9a" score = 75 quality = 75 tags = "FILE" @@ -158542,13 +158542,13 @@ rule MALPEDIA_Win_Wmighost_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "150f42df-d28c-5edd-8a19-218c510e14e5" + id = "4ae59171-3faf-5182-8f52-dee99c964f8d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wmighost_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_e0508af85bc342ca28af7aa1d71f7f0ca199aee7b1652eae79524bd3a3802f63" + logic_hash = "e0508af85bc342ca28af7aa1d71f7f0ca199aee7b1652eae79524bd3a3802f63" score = 75 quality = 75 tags = "FILE" 
@@ -158581,13 +158581,13 @@ rule MALPEDIA_Win_Miragefox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea851d9c-b896-5424-a254-13a94022839e" + id = "8bf05d8f-c582-5717-9f26-33fdbc027523" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.miragefox_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_fae00ba596fafa75e5c73049938b7e9042d943cf7a2a8e03f73ab30fb5fff604" + logic_hash = "fae00ba596fafa75e5c73049938b7e9042d943cf7a2a8e03f73ab30fb5fff604" score = 75 quality = 75 tags = "FILE" @@ -158620,13 +158620,13 @@ rule MALPEDIA_Win_Nosu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1adb740e-c3e2-5297-98ca-d3b0aaf7a3c6" + id = "fdc65506-7690-528c-80ea-bfae31870e43" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nosu" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nosu_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_63b3125b2fa7b440ce66614e4988544ad3a96e52c6fcd77e2718549a9b26e496" + logic_hash = "63b3125b2fa7b440ce66614e4988544ad3a96e52c6fcd77e2718549a9b26e496" score = 75 quality = 75 tags = "FILE" 
@@ -158659,13 +158659,13 @@ rule MALPEDIA_Win_Termite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "30258368-19cb-5e46-88cc-6c59ab391b7e" + id = "ee31374f-70c6-5ab3-95b3-0fe1e417c08c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.termite_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_f0f791f686acda15650442706f1dd42f13979090335dd24cb4b6c5332386c748" + logic_hash = "f0f791f686acda15650442706f1dd42f13979090335dd24cb4b6c5332386c748" score = 75 quality = 75 tags = "FILE" @@ -158698,13 +158698,13 @@ rule MALPEDIA_Win_Madmax_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e517bcc4-e3b3-5d69-a734-6d121989d027" + id = "9d1cbce1-ade8-5d76-a04c-20b098c8480b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.madmax_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_ad33eff006b5d6cb56b22d8686bde1b21a59becc38b8876b1c999d0a4976f07a" + logic_hash = "ad33eff006b5d6cb56b22d8686bde1b21a59becc38b8876b1c999d0a4976f07a" score = 75 quality = 75 tags = "FILE" 
@@ -158737,13 +158737,13 @@ rule MALPEDIA_Win_Sys10_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e58fc9eb-1f13-5170-b0b6-1ab1ab282203" + id = "8102506f-afd2-556d-bce7-166bae2224bf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sys10_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_55e8ffe5ea66b378dbdb046d53bca4c06889e1977a823bfc6a76defa2eb61357" + logic_hash = "55e8ffe5ea66b378dbdb046d53bca4c06889e1977a823bfc6a76defa2eb61357" score = 75 quality = 75 tags = "FILE" @@ -158776,13 +158776,13 @@ rule MALPEDIA_Win_Deltastealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91b58700-659b-5b32-b63b-232ef11dcb11" + id = "ae1ce1b2-5800-51da-891a-7d0ee714cc8c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.deltastealer_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_7a995bc7de4a09d620f7c56a219adce0b4fee73dcf5dde633c44a4fcc3f98e63" + logic_hash = "7a995bc7de4a09d620f7c56a219adce0b4fee73dcf5dde633c44a4fcc3f98e63" score = 75 quality = 75 tags = "FILE" 
@@ -158815,13 +158815,13 @@ rule MALPEDIA_Win_Unidentified_108_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ccb690f-0a4f-5016-b1a6-2add293ce2f9" + id = "91d0ee32-15d3-5f4b-b0c7-e219a3fb056f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_108" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_108_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_bc8d7e8276cd214c62a44b786052de8d0d6c82c70c52e7e29cb797627cab2825" + logic_hash = "bc8d7e8276cd214c62a44b786052de8d0d6c82c70c52e7e29cb797627cab2825" score = 75 quality = 75 tags = "FILE" @@ -158854,13 +158854,13 @@ rule MALPEDIA_Win_Locky_Decryptor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "860b1823-05e4-5b32-9d07-562b644a1808" + id = "efee58a7-3550-5808-a11a-aa56167214d6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.locky_decryptor_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_b6828e87e6bd376fe16778fc8bf9496b415a17dfa2572d88c3351b8ea18cb0b2" + logic_hash = "b6828e87e6bd376fe16778fc8bf9496b415a17dfa2572d88c3351b8ea18cb0b2" score = 75 quality = 73 tags = "FILE" 
@@ -158893,13 +158893,13 @@ rule MALPEDIA_Win_Kardonloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ce07fa68-3e88-5159-a57d-a960021ea375" + id = "1fc9d8e7-57f1-59f6-8755-7f22512ea4b8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kardonloader_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_af6ba3e21c382f2fd654060dcfde8b3eb16b50330472c81358760501218ffed8" + logic_hash = "af6ba3e21c382f2fd654060dcfde8b3eb16b50330472c81358760501218ffed8" score = 75 quality = 75 tags = "FILE" @@ -158932,13 +158932,13 @@ rule MALPEDIA_Win_Play_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ece5df03-47d2-5686-830a-40d4d02e3312" + id = "4738940b-7da5-50c4-88b2-14247a6e9490" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.play" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.play_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_5818fd91a2bec1f70682fe35fe8b96ef11658990dd8b01971531f81d25cdc716" + logic_hash = "5818fd91a2bec1f70682fe35fe8b96ef11658990dd8b01971531f81d25cdc716" score = 75 quality = 75 tags = "FILE" 
@@ -158971,13 +158971,13 @@ rule MALPEDIA_Win_Gameover_Dga_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "72f31668-51c8-5a8f-9321-bd2ccb2eb19d" + id = "bc53f1bb-3d03-5486-b6a3-f98ff0c8f6cd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gameover_dga_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_a8d5697f9821aacef2a257fe69d3238c984983b11a8fa8e5567f601d47382d80" + logic_hash = "a8d5697f9821aacef2a257fe69d3238c984983b11a8fa8e5567f601d47382d80" score = 75 quality = 75 tags = "FILE" @@ -159010,13 +159010,13 @@ rule MALPEDIA_Win_Floxif_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "82426cdc-81df-52ed-8e0f-64fb16a3f8fd" + id = "41f034c6-3e3f-5292-917b-f675df5b6d2a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.floxif_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_f5031af55712b6d9a11fdedff6451f65aebc55a1ba940596ca5431dc225391dd" + logic_hash = "f5031af55712b6d9a11fdedff6451f65aebc55a1ba940596ca5431dc225391dd" score = 75 quality = 75 tags = "FILE" 
@@ -159049,13 +159049,13 @@ rule MALPEDIA_Win_Tapaoux_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "adc6039d-41d5-5b12-9928-9b8b413a8855" + id = "bce56a96-656f-5b7c-a7ef-d9facfa97150" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tapaoux_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_6c80ff6e5416b0acf89a64b88900eb504acb14643be57ceb13e02da18a2fedde" + logic_hash = "6c80ff6e5416b0acf89a64b88900eb504acb14643be57ceb13e02da18a2fedde" score = 75 quality = 75 tags = "FILE" @@ -159088,13 +159088,13 @@ rule MALPEDIA_Win_Metastealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "af795cbe-b27f-576b-8b6c-69c3385c8a0e" + id = "03175067-a9b5-54bf-936c-98a9cdf892a4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.metastealer_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_88c2cf894d34c5f1940f86cdfe567315a89acface2e055dfbbf9e01110d9ea97" + logic_hash = "88c2cf894d34c5f1940f86cdfe567315a89acface2e055dfbbf9e01110d9ea97" score = 75 quality = 75 tags = "FILE" 
@@ -159127,13 +159127,13 @@ rule MALPEDIA_Win_Ryuk_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5ca825c3-ea46-5d76-8a75-afdbccab5cf1" + id = "28c4a97d-0c23-5f05-a50b-7fc331a8ef51" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ryuk_stealer_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "v1_sha256_f104c51f76af6a34fecb95d90a97bc0fef4b38e853341fac8b68ac59b1274295" + logic_hash = "f104c51f76af6a34fecb95d90a97bc0fef4b38e853341fac8b68ac59b1274295" score = 75 quality = 75 tags = "FILE" @@ -159166,13 +159166,13 @@ rule MALPEDIA_Win_Lodeinfo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "289474f2-43a6-5339-9b3e-bf1a24673520" + id = "fef4135b-c37b-592e-9b9c-4313e3ff89af" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lodeinfo_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_e42d005c217ef3b217f52a6115c139a42c70e499d47cac23508862c48ef328f6" + logic_hash = "e42d005c217ef3b217f52a6115c139a42c70e499d47cac23508862c48ef328f6" score = 75 quality = 75 tags = "FILE" 
@@ -159205,13 +159205,13 @@ rule MALPEDIA_Win_Icexloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8320fc6a-994c-5710-a231-0274ac5ab1ed" + id = "f39d0ab5-8213-59e6-b937-084e69d35431" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icexloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.icexloader_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_ebc5d7149c8501657e5a8c66abb5a20df9b61fa7b96a5f5c2d43922a15f6b368" + logic_hash = "ebc5d7149c8501657e5a8c66abb5a20df9b61fa7b96a5f5c2d43922a15f6b368" score = 75 quality = 75 tags = "FILE" @@ -159244,13 +159244,13 @@ rule MALPEDIA_Win_Avcrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "aa6de4e3-58b0-5528-ba50-45c2564cab2c" + id = "00cf27fe-b3f2-52f3-b9ce-ac448ef85802" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.avcrypt_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_ff0922ac16f60a78ce69b391d1f6f13ac39e840f62a7ba24855ffe003dee4073" + logic_hash = "ff0922ac16f60a78ce69b391d1f6f13ac39e840f62a7ba24855ffe003dee4073" score = 75 quality = 75 tags = "FILE" 
@@ -159283,13 +159283,13 @@ rule MALPEDIA_Win_Soraya_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "38dac795-51e9-54dc-a510-940f48b3a8b8" + id = "c1b5e4fb-ecf1-56e9-b7ee-f112f17e5f08" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.soraya_auto.yar#L1-L234" license_url = "N/A" - logic_hash = "v1_sha256_9c021471b4a00823554f7973fdcdc5043a2447611e50ed019058643f5ab74f68" + logic_hash = "9c021471b4a00823554f7973fdcdc5043a2447611e50ed019058643f5ab74f68" score = 75 quality = 73 tags = "FILE" @@ -159335,13 +159335,13 @@ rule MALPEDIA_Win_Pandora_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "548192a9-97d6-5e2c-8741-8b68aef14350" + id = "29457312-58e8-5036-91e5-0a52a49209e8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pandora_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_22cda535b77940d9842b4e203432bc4f86a63cc5bae293ffa14fa51707bd5eff" + logic_hash = "22cda535b77940d9842b4e203432bc4f86a63cc5bae293ffa14fa51707bd5eff" score = 75 quality = 75 tags = "FILE" 
@@ -159374,13 +159374,13 @@ rule MALPEDIA_Win_Playwork_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91fefd00-b1a4-554d-856a-de83bd3b1599" + id = "04893cf6-e630-529b-badc-29b196733e23" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.playwork_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_7105c3ff4bb7347e4c96600c56543cdd3a8eee25d86105d64120af9ee3e9d2c3" + logic_hash = "7105c3ff4bb7347e4c96600c56543cdd3a8eee25d86105d64120af9ee3e9d2c3" score = 75 quality = 75 tags = "FILE" @@ -159413,13 +159413,13 @@ rule MALPEDIA_Win_Sepsys_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "779e3da6-2d90-5a0b-9e59-afac54253330" + id = "ae60c103-173f-5306-92ac-d702be74a065" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sepsys_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_652d59df346d9da22c7542823cefcfc7111985f5ad38199ac4913217f1dfac22" + logic_hash = "652d59df346d9da22c7542823cefcfc7111985f5ad38199ac4913217f1dfac22" score = 75 quality = 75 tags = "FILE" 
@@ -159452,13 +159452,13 @@ rule MALPEDIA_Win_Meterpreter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a22bd661-90d6-5733-9e49-0b695c40f1a4" + id = "33d2907b-ab63-5a72-98c0-3e3546cda7ba" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.meterpreter_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_1631dc247baef420a5deaf156c823d0d4f3e3c68f2c5cd0e3fcbf8155c8e3d6f" + logic_hash = "1631dc247baef420a5deaf156c823d0d4f3e3c68f2c5cd0e3fcbf8155c8e3d6f" score = 75 quality = 75 tags = "FILE" @@ -159491,13 +159491,13 @@ rule MALPEDIA_Win_Noxplayer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "502c063b-386c-53c5-be0d-38574c754131" + id = "fab5d56f-e9c6-515a-ae0f-470960c542fb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.noxplayer_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_77744292ebf109ed57f41d00cb6e30b7a306c1c6c824a437b236cefc116466ee" + logic_hash = "77744292ebf109ed57f41d00cb6e30b7a306c1c6c824a437b236cefc116466ee" score = 75 quality = 75 tags = "FILE" 
@@ -159530,13 +159530,13 @@ rule MALPEDIA_Win_Onionduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ccc73ba5-cd16-562a-8d73-65f4fa1f2253" + id = "938d9d3c-e9aa-58a2-a276-ad33d72e5ddf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.onionduke_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_68b93f2d8ab375a631a7b5d240fe20b360c3a52f2b84ec1bedaa31bed5aee8b0" + logic_hash = "68b93f2d8ab375a631a7b5d240fe20b360c3a52f2b84ec1bedaa31bed5aee8b0" score = 75 quality = 75 tags = "FILE" @@ -159569,13 +159569,13 @@ rule MALPEDIA_Win_Lcpdot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f80a98b4-16da-5b9f-bbae-b99cfd4d29d3" + id = "722ca0df-2e50-52e0-943d-1427766ffd0e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lcpdot_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "v1_sha256_4f9e99ce8bcf6813bbe31f126896fdedd8b3b4250e6a5e72eec4968c5a5d08a6" + logic_hash = "4f9e99ce8bcf6813bbe31f126896fdedd8b3b4250e6a5e72eec4968c5a5d08a6" score = 75 quality = 75 tags = "FILE" 
@@ -159613,13 +159613,13 @@ rule MALPEDIA_Win_Vmzeus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7bf1c14e-fc48-5cf0-adb7-36a4caacf6fd" + id = "66c6a017-6d01-5f54-977c-810778bd36c9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vmzeus_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_21af12598bbe8c129f701b1173aa31044d5a02d195bccea2272138762380a86c" + logic_hash = "21af12598bbe8c129f701b1173aa31044d5a02d195bccea2272138762380a86c" score = 75 quality = 75 tags = "FILE" @@ -159652,13 +159652,13 @@ rule MALPEDIA_Win_Appleseed_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "66385188-1f6c-58d4-8bb7-d1e314a52615" + id = "2cab059a-3093-5ea8-b4c6-461dc05f5c9c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.appleseed_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_7ca6e2559d781302d777182a28464c5fa026ffa48945f1841212525a74a1af82" + logic_hash = "7ca6e2559d781302d777182a28464c5fa026ffa48945f1841212525a74a1af82" score = 75 quality = 75 tags = "FILE" 
@@ -159691,13 +159691,13 @@ rule MALPEDIA_Win_Jaku_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f38e7c1f-6c85-5731-be20-f17b5e523e35" + id = "0112e8e2-bdef-5365-8ac6-db0d7a5331a7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jaku_auto.yar#L1-L267" license_url = "N/A" - logic_hash = "v1_sha256_48ece9688342db3652fd3070c7f85ee33a0b73ea4b91e59fc03cc271dad9fdd8" + logic_hash = "48ece9688342db3652fd3070c7f85ee33a0b73ea4b91e59fc03cc271dad9fdd8" score = 75 quality = 73 tags = "FILE" @@ -159749,13 +159749,13 @@ rule MALPEDIA_Win_Icedid_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0faf794c-70e2-5d2a-8d5a-8d8122f80197" + id = "68e0204c-83cb-5a2b-b638-0e50311a0431" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.icedid_auto.yar#L1-L292" license_url = "N/A" - logic_hash = "v1_sha256_e8c9e17a917aa63cbf96d9c82905a16b279179aa1e4dde7e0caa78f60904db7b" + logic_hash = "e8c9e17a917aa63cbf96d9c82905a16b279179aa1e4dde7e0caa78f60904db7b" score = 75 quality = 73 tags = "FILE" 
@@ -159810,13 +159810,13 @@ rule MALPEDIA_Win_Coreshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e562c28a-d37f-55c3-952f-c38c65ce72a2" + id = "27d46fdb-7250-5f28-b02a-5095dbf27fe3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.coreshell_auto.yar#L1-L449" license_url = "N/A" - logic_hash = "v1_sha256_038145c7338b3ef0cec3ae46e0288d3925695dd56d293f3ab89cfa76d758deaa" + logic_hash = "038145c7338b3ef0cec3ae46e0288d3925695dd56d293f3ab89cfa76d758deaa" score = 75 quality = 50 tags = "FILE" @@ -159891,13 +159891,13 @@ rule MALPEDIA_Win_Zeus_Openssl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6b3b4b51-2e0f-595b-b697-7065e0dc605a" + id = "550619dc-6f15-5f3b-ac49-6d6bb9526626" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zeus_openssl_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_ad90787c109d806e4177874e3ce46219d993226aadc9cde55e3f2e9866998d97" + logic_hash = "ad90787c109d806e4177874e3ce46219d993226aadc9cde55e3f2e9866998d97" score = 75 quality = 75 tags = "FILE" 
@@ -159930,13 +159930,13 @@ rule MALPEDIA_Win_Mrac_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2c2fc927-e794-52e8-997d-bda14a34c25a" + id = "6bcb64df-21fc-5709-b420-056c81f6920b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrac" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mrac_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_ba522542908668fac0a08420f8f0d725096dd1b2d5fd44a72d657a9aa822b86c" + logic_hash = "ba522542908668fac0a08420f8f0d725096dd1b2d5fd44a72d657a9aa822b86c" score = 75 quality = 75 tags = "FILE" @@ -159969,13 +159969,13 @@ rule MALPEDIA_Win_Mozart_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6ec740b8-e9e8-561a-96ac-3f6a33d14e1f" + id = "658c5c82-39a0-5f12-babc-c6dbc8b0b70f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mozart_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_ebee3e9c74f8823fb3c803b1df028db4b37d86893944724b3d21b6503c5bed66" + logic_hash = "ebee3e9c74f8823fb3c803b1df028db4b37d86893944724b3d21b6503c5bed66" score = 75 quality = 75 tags = "FILE" 
@@ -160008,13 +160008,13 @@ rule MALPEDIA_Win_Bamital_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6d4733b0-6321-58fc-b5f2-89e10dfdf939" + id = "9e41d3b4-c83b-5900-9fce-309a5ed93679" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bamital_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_5e66490a96474a739f708c54bb1198a62bba1cb62437d954f80417ba9cecdcf4" + logic_hash = "5e66490a96474a739f708c54bb1198a62bba1cb62437d954f80417ba9cecdcf4" score = 75 quality = 75 tags = "FILE" @@ -160047,13 +160047,13 @@ rule MALPEDIA_Win_Magala_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b34a5a8a-977f-5d1e-ac98-a1bd5b23724e" + id = "dd5a4c9f-df80-534d-9f59-9c3cdf877b1e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magala" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.magala_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_e8f124f03a02dce9fd7ad1355c64c37bef0ae56bc832afec7217c51b4b91da06" + logic_hash = "e8f124f03a02dce9fd7ad1355c64c37bef0ae56bc832afec7217c51b4b91da06" score = 75 quality = 75 tags = "FILE" 
@@ -160086,13 +160086,13 @@ rule MALPEDIA_Win_Mediapi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c6e6a739-91ed-53ee-b1c9-34cd79bad2e9" + id = "aef2b227-dc8a-5a2e-a50c-294091b1c8ca" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mediapi" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mediapi_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_05b9f202f6ca93b9b901cbe156248c6d5653f1e57951835cd81ee0a4bf1d3fbf" + logic_hash = "05b9f202f6ca93b9b901cbe156248c6d5653f1e57951835cd81ee0a4bf1d3fbf" score = 75 quality = 75 tags = "FILE" @@ -160125,13 +160125,13 @@ rule MALPEDIA_Win_Fengine_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "97897bb2-ed08-565b-be38-3a59978f984a" + id = "86d29f99-f72a-503a-9d9e-5f6528fd35ad" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fengine" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fengine_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_478947e69dab969c41feba1f394b054f84256d37e12b1c78c512e724084a67ab" + logic_hash = "478947e69dab969c41feba1f394b054f84256d37e12b1c78c512e724084a67ab" score = 75 quality = 75 tags = "FILE" 
@@ -160164,13 +160164,13 @@ rule MALPEDIA_Win_Deathransom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2f7a8c4a-5bf2-5065-965d-b978d39b54cb"
+ id = "a114591a-b780-5a40-a9ea-b0c6b9cb905d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.deathransom_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_51420be8374b7a80642a50bf14b9acdb6936ed5b62767040db7c66a1d7ee7900"
+ logic_hash = "51420be8374b7a80642a50bf14b9acdb6936ed5b62767040db7c66a1d7ee7900"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160203,13 +160203,13 @@ rule MALPEDIA_Win_Equationdrug_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e4234c11-3e7d-5375-a9df-39a7630d38de"
+ id = "3c043b62-e6cf-528c-b34b-4fab7307ccc3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.equationdrug_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_bfe71e1dede0b483002d6bdc1803bedc3b70169ecaeef47717be14607c4ca6a2"
+ logic_hash = "bfe71e1dede0b483002d6bdc1803bedc3b70169ecaeef47717be14607c4ca6a2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160242,13 +160242,13 @@ rule MALPEDIA_Win_Glupteba_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "eb21d676-302f-532b-8d46-e553391c54da"
+ id = "d40588ac-e7a2-58c9-9ca8-ed52b13d9b71"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.glupteba_auto.yar#L1-L160"
 license_url = "N/A"
- logic_hash = "v1_sha256_aabdfe0b9a7f1b7f6f6d9d5fd0bc40fb64823f7ef8d103971b20ab4de2b081ab"
+ logic_hash = "aabdfe0b9a7f1b7f6f6d9d5fd0bc40fb64823f7ef8d103971b20ab4de2b081ab"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160287,13 +160287,13 @@ rule MALPEDIA_Win_Ayegent_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2dcb4e0a-21ec-54fb-9a59-dfee9d6444e3"
+ id = "86255cdd-1f1d-55c6-b402-dbeb5a16b330"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ayegent_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_3b986bb07fdbef1927d912b3187f0b83148fd82afd809d6a4ef770e3327faaed"
+ logic_hash = "3b986bb07fdbef1927d912b3187f0b83148fd82afd809d6a4ef770e3327faaed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160326,13 +160326,13 @@ rule MALPEDIA_Win_Rustock_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "09ad8688-b69a-5e12-a0af-7ad03a803eec"
+ id = "2ee0956c-f0f1-5810-b10e-703861aef3b0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rustock_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_3641dcae675b230edb174a50f5ec564e4adb4fc1e74afa68371b58ccaf9cdb5a"
+ logic_hash = "3641dcae675b230edb174a50f5ec564e4adb4fc1e74afa68371b58ccaf9cdb5a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160365,13 +160365,13 @@ rule MALPEDIA_Win_Plugx_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a1aacd93-52f1-5ab9-977d-111071ad24e9"
+ id = "3f86c5a3-fd23-59bc-bcb0-3d1decf01c2c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.plugx_auto.yar#L1-L291"
 license_url = "N/A"
- logic_hash = "v1_sha256_15190bb8aae3c81242a3f62c3118fe86de191513b0096b3d3022dcd142f4bd88"
+ logic_hash = "15190bb8aae3c81242a3f62c3118fe86de191513b0096b3d3022dcd142f4bd88"
 score = 75
 quality = 73
 tags = "FILE"
@@ -160427,13 +160427,13 @@ rule MALPEDIA_Win_Hamweq_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "69cf0294-cc3a-585c-91fa-49fc3ea90084"
+ id = "472b9f91-ae73-5b23-84d5-48c0a12f0ce8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hamweq_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_97fb94f14abe15a4280f753f2ae96a2750195cd748cddbf78c3df32e07994a82"
+ logic_hash = "97fb94f14abe15a4280f753f2ae96a2750195cd748cddbf78c3df32e07994a82"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160466,13 +160466,13 @@ rule MALPEDIA_Win_Cobra_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8fbe42a2-da2b-5f55-8f9d-650521dabd6c"
+ id = "b7889e85-8a86-5887-854a-7a6437d9a16b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cobra_auto.yar#L1-L476"
 license_url = "N/A"
- logic_hash = "v1_sha256_652efe51bbd71c6c383988a4a5e7893f0deae6bcb5db842e07957bb56af5eae8"
+ logic_hash = "652efe51bbd71c6c383988a4a5e7893f0deae6bcb5db842e07957bb56af5eae8"
 score = 75
 quality = 50
 tags = "FILE"
@@ -160551,13 +160551,13 @@ rule MALPEDIA_Win_Kegotip_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b1141879-3d3d-542a-be12-905442037661"
+ id = "600762c6-ac4d-5eb5-bbbf-0bef37409a30"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kegotip_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_6330aef57e16076515b4a4781ca5f76d2c7b12c38d9df7aca1927a38f8ab1a7a"
+ logic_hash = "6330aef57e16076515b4a4781ca5f76d2c7b12c38d9df7aca1927a38f8ab1a7a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160590,13 +160590,13 @@ rule MALPEDIA_Win_Spider_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e7dff4ac-07c7-582d-8798-5eb51f6ade4f"
+ id = "a31996a5-e3ca-592f-95bc-8fa380f84c48"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spider_rat_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_a5e11d471849c9a1ee46ff091a234f4718c14598ff1efe77b39f8fba97b05619"
+ logic_hash = "a5e11d471849c9a1ee46ff091a234f4718c14598ff1efe77b39f8fba97b05619"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160629,13 +160629,13 @@ rule MALPEDIA_Win_Roadsweep_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b67775e3-5213-5c6e-a003-9ece02a40651"
+ id = "02905efb-d1f3-5f29-9698-5892918b9e96"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roadsweep"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.roadsweep_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_10ecfffb9395be461cfda7fab93323fb263ae9a44a4ace806928ac7c12ed7628"
+ logic_hash = "10ecfffb9395be461cfda7fab93323fb263ae9a44a4ace806928ac7c12ed7628"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160668,13 +160668,13 @@ rule MALPEDIA_Win_Spedear_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "01006849-6746-5161-ae71-06d1bb95b43f"
+ id = "2a2db92d-f6f5-5c96-a401-91440ad20972"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spedear_auto.yar#L1-L261"
 license_url = "N/A"
- logic_hash = "v1_sha256_124ef5d3fdd777d79cde8845a98f346f93848e564de2656d201aff5229611681"
+ logic_hash = "124ef5d3fdd777d79cde8845a98f346f93848e564de2656d201aff5229611681"
 score = 75
 quality = 71
 tags = "FILE"
@@ -160724,13 +160724,13 @@ rule MALPEDIA_Win_Koiloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4602880b-e77b-5b80-bf1d-b7bc754c9e65"
+ id = "ee5d9fec-2843-5af7-aeb3-cee6becb76b4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koiloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.koiloader_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_4094e110b8bc0bb992d288f6dc9a43aa3cc0b1cd494d242faeb097d68b45bf0d"
+ logic_hash = "4094e110b8bc0bb992d288f6dc9a43aa3cc0b1cd494d242faeb097d68b45bf0d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160763,13 +160763,13 @@ rule MALPEDIA_Win_Catb_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "af30f5c9-c5e5-5476-b3be-839fc150713c"
+ id = "7782ecd0-01e3-5ca1-93ff-bd4a61ae70c3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.catb"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.catb_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_49ea54be47b78595def43aa15eb04fc0e876132d1319a21babeae83d5fcf1c52"
+ logic_hash = "49ea54be47b78595def43aa15eb04fc0e876132d1319a21babeae83d5fcf1c52"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160802,13 +160802,13 @@ rule MALPEDIA_Win_Moonwalk_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ffcfaacf-f2c6-555e-8256-dc0b880905be"
+ id = "fd39fa26-9d1a-515b-b730-f6f9e30e5941"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwalk"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moonwalk_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_1c19a679d272620c40c7a55b8a8c2eabaee5ff1d6dffe1b79863d345d92546d6"
+ logic_hash = "1c19a679d272620c40c7a55b8a8c2eabaee5ff1d6dffe1b79863d345d92546d6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160841,13 +160841,13 @@ rule MALPEDIA_Win_Acronym_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d4c0b1b3-6320-5c33-8bdc-1a9f03f5cfb4"
+ id = "c38cb44e-5275-529c-849b-aac482405c26"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.acronym_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_62c9feab89deca514303e2d96ba97df762d7107dad9f170f73597a4727ca0781"
+ logic_hash = "62c9feab89deca514303e2d96ba97df762d7107dad9f170f73597a4727ca0781"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160880,13 +160880,13 @@ rule MALPEDIA_Win_Latentbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5791dec0-ae4b-562d-a2c8-b70720affdb3"
+ id = "6a00a894-4935-5534-b5e9-c8d6ecaeaacd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.latentbot_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_0b0eb24e4417089c175072116bffcac1a7119a8a9d763a31cda53b89f6d3beef"
+ logic_hash = "0b0eb24e4417089c175072116bffcac1a7119a8a9d763a31cda53b89f6d3beef"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160919,13 +160919,13 @@ rule MALPEDIA_Win_Gaudox_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "20c8bd94-2344-545e-85f8-38a881f191fc"
+ id = "15dc0059-f613-5f22-9f93-85ef1cdd6f7e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gaudox_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_cb1127199cac9fdec74f4f176c228a4ea35dac692422428d5b8a3d96735f1430"
+ logic_hash = "cb1127199cac9fdec74f4f176c228a4ea35dac692422428d5b8a3d96735f1430"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160958,13 +160958,13 @@ rule MALPEDIA_Win_Nitol_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "32abd733-c5ca-5811-b12b-7bc0d55f2ccc"
+ id = "564f8c6d-172d-53bc-8a35-617f93dc2b3b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nitol_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_f965a0fe296415280cef677cfeda82c56822d9b36e24511179288d488384a005"
+ logic_hash = "f965a0fe296415280cef677cfeda82c56822d9b36e24511179288d488384a005"
 score = 75
 quality = 75
 tags = "FILE"
@@ -160997,13 +160997,13 @@ rule MALPEDIA_Win_Catchamas_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4100a4db-fe01-520f-844c-f3919032a8a3"
+ id = "169e4746-2f72-5821-b507-b8a47f5cbc09"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.catchamas_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_23c971887be94861d8baba1aeb0cd2edf205b86ca05876ee11e3ee91d8d84d51"
+ logic_hash = "23c971887be94861d8baba1aeb0cd2edf205b86ca05876ee11e3ee91d8d84d51"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161036,13 +161036,13 @@ rule MALPEDIA_Win_Gacrux_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "58a69f4e-5b8f-5444-b136-8c50ec46fcf5"
+ id = "74bca4e5-6c17-575a-bd9e-7779af62a65b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gacrux_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_4b479a315235bf10794aaaf7db4a148e9833fd69e020e24b4a290812be385016"
+ logic_hash = "4b479a315235bf10794aaaf7db4a148e9833fd69e020e24b4a290812be385016"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161075,13 +161075,13 @@ rule MALPEDIA_Win_Cobalt_Strike_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0230f861-fa9c-59c7-aff4-646e791b4b90"
+ id = "1adbbac8-6bfc-5d06-9cad-1cba809f72a0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cobalt_strike_auto.yar#L1-L236"
 license_url = "N/A"
- logic_hash = "v1_sha256_516cb9bee5b249c5388cc4f59266e6454e546903dcdda98af8bfbaa75e737812"
+ logic_hash = "516cb9bee5b249c5388cc4f59266e6454e546903dcdda98af8bfbaa75e737812"
 score = 75
 quality = 73
 tags = "FILE"
@@ -161128,13 +161128,13 @@ rule MALPEDIA_Win_Ati_Agent_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b34d8d72-ff5b-5245-b73b-75c490ae0b5b"
+ id = "63f89f4a-1d36-5323-b29e-727f0aaf8a03"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ati_agent_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_7c411e9ca433461f4c960c7a6933d449b1b0c508c2b59dbdab9cb50ad78bd018"
+ logic_hash = "7c411e9ca433461f4c960c7a6933d449b1b0c508c2b59dbdab9cb50ad78bd018"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161167,13 +161167,13 @@ rule MALPEDIA_Win_Klrd_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ba96c6ce-9747-58c6-984d-bf9ed1d60d07"
+ id = "f2ac53cd-82a8-55ea-badd-f6f1aae58f93"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.klrd_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_0fc6f030ea4bb49d87359f96c6eceeeaeffbdd94bdee42030f76f2d7ec66a19a"
+ logic_hash = "0fc6f030ea4bb49d87359f96c6eceeeaeffbdd94bdee42030f76f2d7ec66a19a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161206,13 +161206,13 @@ rule MALPEDIA_Win_Boaxxe_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4b9548a9-2942-5eba-8384-969de0bd10e5"
+ id = "1250eef8-010c-5e96-be9a-abfd5ef5d010"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.boaxxe_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_8a3a4e3c549e35ded84e2465f19cea84a5ad121ff4106ae44ae1865048bfef1a"
+ logic_hash = "8a3a4e3c549e35ded84e2465f19cea84a5ad121ff4106ae44ae1865048bfef1a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161245,13 +161245,13 @@ rule MALPEDIA_Win_Royal_Ransom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8b4fc490-a1ae-5b9e-bc01-0483e2a68a93"
+ id = "a9b95381-6997-59af-bb2e-993bae34608b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.royal_ransom_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_05ad7a29faf1ca692a5b6df2d422be2fdcf12c3fc6c9f7021ff0ef0bb4b8bcb3"
+ logic_hash = "05ad7a29faf1ca692a5b6df2d422be2fdcf12c3fc6c9f7021ff0ef0bb4b8bcb3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161284,13 +161284,13 @@ rule MALPEDIA_Win_Cookiebag_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3b672328-9300-57a2-9671-01e310134d63"
+ id = "ac3bf6d4-71cf-5c5b-be8e-0bd3c3ef57c9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cookiebag_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_679ac50c0d3fc2601e0f2f772686754e8efa393c4c8cfd8d8fb7af71ce9952bb"
+ logic_hash = "679ac50c0d3fc2601e0f2f772686754e8efa393c4c8cfd8d8fb7af71ce9952bb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161323,13 +161323,13 @@ rule MALPEDIA_Win_Deputydog_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cd25dd4b-3cc0-55a6-a832-41812d710d3d"
+ id = "3df82804-d079-5fb4-95b9-354c74dddd14"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.deputydog_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_d4b2e1db63035282e2b2efcdd04dae6225d4a7dc6ab7fb9164349c69dbcffada"
+ logic_hash = "d4b2e1db63035282e2b2efcdd04dae6225d4a7dc6ab7fb9164349c69dbcffada"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161362,13 +161362,13 @@ rule MALPEDIA_Win_Lpeclient_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5d1b6e45-5bb1-5212-ad10-23d043c1691b"
+ id = "6292aca0-d7ac-5cd7-a6d4-3438fdd1076c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lpeclient_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_fa5662e58821dbe4e01d6876bcd73f389c9fb3b6d70b4d7afea75bf844e373c6"
+ logic_hash = "fa5662e58821dbe4e01d6876bcd73f389c9fb3b6d70b4d7afea75bf844e373c6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161401,13 +161401,13 @@ rule MALPEDIA_Win_Diavol_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8ab1eda6-e7a2-57c2-9498-8fe51d4187f1"
+ id = "ced056a0-d7eb-5608-bc7f-4327dfcdc8b3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.diavol_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_3e39473296ffc516b0ed9d4653cc00f465f30bb27ef43ae2429115fd3af11eb5"
+ logic_hash = "3e39473296ffc516b0ed9d4653cc00f465f30bb27ef43ae2429115fd3af11eb5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161440,13 +161440,13 @@ rule MALPEDIA_Win_Sparrow_Door_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "279757cd-9302-534f-b947-e5f5a801364d"
+ id = "2a622c79-b97a-50d2-8520-df68de9886c5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sparrow_door_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_9af3d65106033b3806f02bea374bf6db582af3aecda2d52e70b68fd5a5b6e2c8"
+ logic_hash = "9af3d65106033b3806f02bea374bf6db582af3aecda2d52e70b68fd5a5b6e2c8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161479,13 +161479,13 @@ rule MALPEDIA_Win_Warmcookie_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "92fdc956-3faa-577f-a590-38bdf0d32664"
+ id = "c556795a-a9b2-5224-af08-851a57d361f5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.warmcookie"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.warmcookie_auto.yar#L1-L195"
 license_url = "N/A"
- logic_hash = "v1_sha256_205c15eced2ed79efcc622047f0495a7c9e5251bb4fd9a4d1e0ae8a704e7e82e"
+ logic_hash = "205c15eced2ed79efcc622047f0495a7c9e5251bb4fd9a4d1e0ae8a704e7e82e"
 score = 75
 quality = 73
 tags = "FILE"
@@ -161529,13 +161529,13 @@ rule MALPEDIA_Win_Isaacwiper_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "963e0428-30cd-585a-bef4-56ba4d662071"
+ id = "49055172-29cc-5c36-b567-edf9c776fb50"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.isaacwiper_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_9dc7297f4b8c766d788d99fcb182487835c35f1c6c8fa9d0d296f8378105b942"
+ logic_hash = "9dc7297f4b8c766d788d99fcb182487835c35f1c6c8fa9d0d296f8378105b942"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161568,13 +161568,13 @@ rule MALPEDIA_Win_Bubblewrap_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f2487da3-9ad9-5b23-aa21-f1aa7fb8a76b"
+ id = "0adb22b2-c291-5da7-a49f-6252c3b1a007"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bubblewrap_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_0ab9a85f4803bb9809d1835ce4819efcd3e97bce18ea2653e803520f80f6784f"
+ logic_hash = "0ab9a85f4803bb9809d1835ce4819efcd3e97bce18ea2653e803520f80f6784f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161607,13 +161607,13 @@ rule MALPEDIA_Win_Teslacrypt_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6065cbf8-486e-503e-8097-21a3ad6c8417"
+ id = "b4c671eb-91dc-5665-a0e1-4c4ec53aea8a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.teslacrypt_auto.yar#L1-L164"
 license_url = "N/A"
- logic_hash = "v1_sha256_028a2cbfed6bdff0ce2536414ae610c52e3d43ebb868ac2645461114e681877e"
+ logic_hash = "028a2cbfed6bdff0ce2536414ae610c52e3d43ebb868ac2645461114e681877e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161652,13 +161652,13 @@ rule MALPEDIA_Win_Unidentified_109_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "95449ebc-044a-5682-94c5-8bf4709c8425"
+ id = "d4a6c411-a7e9-5954-916e-935ded59522f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_109"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_109_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_758f313f75d70626faf4a10de9d767fa1ab2c47be3c297f5f181d9298dc68601"
+ logic_hash = "758f313f75d70626faf4a10de9d767fa1ab2c47be3c297f5f181d9298dc68601"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161691,13 +161691,13 @@ rule MALPEDIA_Win_Qadars_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d6de220c-8540-56de-bf45-8e916ad88aca"
+ id = "0a2bf787-2e79-532d-b549-325462dde16c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.qadars_auto.yar#L1-L168"
 license_url = "N/A"
- logic_hash = "v1_sha256_1b2a593b94764cfdb9793ab67d53c7287007841a19e7fe336bf33e3d401fbe52"
+ logic_hash = "1b2a593b94764cfdb9793ab67d53c7287007841a19e7fe336bf33e3d401fbe52"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161736,13 +161736,13 @@ rule MALPEDIA_Win_Cloudburst_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "57c4947a-7f76-50d7-9034-45e370b4bcd6"
+ id = "b338a4c1-8ad1-5066-b3d2-7c247a054c09"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cloudburst_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_68d67b600a1326ab834c6a6b6204bba9f511b6494e369c94d17eaf52125b8157"
+ logic_hash = "68d67b600a1326ab834c6a6b6204bba9f511b6494e369c94d17eaf52125b8157"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161775,13 +161775,13 @@ rule MALPEDIA_Win_Gold_Dragon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ffca35a3-68f9-5506-95c2-84de569edb40"
+ id = "991ba939-2d9f-52cd-813d-6925dfb8d9c9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gold_dragon_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_1d3ddf008eb509566d50c074a1778063d25aa540d5f914350cb60f472b9c159b"
+ logic_hash = "1d3ddf008eb509566d50c074a1778063d25aa540d5f914350cb60f472b9c159b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161814,13 +161814,13 @@ rule MALPEDIA_Win_Lazarloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "99b8324b-aa7d-5442-9a84-7ea265a339f2"
+ id = "4eef2499-48c5-5b94-8dd0-29267a0265f8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lazarloader_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_176d7f7f65178334e7677ff59a660edd6b016ed103feffa239e5ccc53e031e90"
+ logic_hash = "176d7f7f65178334e7677ff59a660edd6b016ed103feffa239e5ccc53e031e90"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161853,13 +161853,13 @@ rule MALPEDIA_Win_Orpcbackdoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ab5ac9a3-9608-575d-8bc9-a8bb91049f60"
+ id = "315509a3-d1f8-5dc1-9f12-edd6db041fca"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orpcbackdoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.orpcbackdoor_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_89d46489afd17625d89dcf271ed3d1e11fa0fe1e28ec9d95da8becb11eb31f60"
+ logic_hash = "89d46489afd17625d89dcf271ed3d1e11fa0fe1e28ec9d95da8becb11eb31f60"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161892,13 +161892,13 @@ rule MALPEDIA_Win_Starcruft_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f6cd34e8-696c-51c0-b7b4-1a543222502d"
+ id = "44a05616-8be0-5d16-896e-a5310b288a10"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.starcruft_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_8a7d60fd25a814377ba2a7789857a75b6ee211239e9e01336654dc519259df0c"
+ logic_hash = "8a7d60fd25a814377ba2a7789857a75b6ee211239e9e01336654dc519259df0c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161931,13 +161931,13 @@ rule MALPEDIA_Win_Furtim_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7266a9bc-6574-5373-b93b-9f73fc4d5177"
+ id = "13c151d6-8fd6-5f90-84f5-0ee50200b32d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.furtim_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_fe578793812b3cd44b1ebd86df72331630f9c46ef93b0c93a291bf5ca64790a1"
+ logic_hash = "fe578793812b3cd44b1ebd86df72331630f9c46ef93b0c93a291bf5ca64790a1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -161970,13 +161970,13 @@ rule MALPEDIA_Win_Powerduke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "243484cb-a44b-5815-966b-05d00d528264"
+ id = "658a1cda-5f77-56de-9f18-f831b8e1b259"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.powerduke_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_d2182db867ff6a53a7d17e85e856d89d6c3d1d584f315f5e805e29753b64695e"
+ logic_hash = "d2182db867ff6a53a7d17e85e856d89d6c3d1d584f315f5e805e29753b64695e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162009,13 +162009,13 @@ rule MALPEDIA_Win_Anatova_Ransom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7ef6758f-4def-561b-ad40-64733431ed34"
+ id = "e12c2517-7ef6-5ecc-b756-da754e1b9232"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.anatova_ransom_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_48354275540a19e149a3ec749fb4eeaa508568399fc971259b74ddc21d53a5fe"
+ logic_hash = "48354275540a19e149a3ec749fb4eeaa508568399fc971259b74ddc21d53a5fe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162048,13 +162048,13 @@ rule MALPEDIA_Win_Sphijacker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1d9fa1de-fae8-5629-914f-5f847d79f437"
+ id = "209b4753-8fba-5f0f-8267-5050665ba5bc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sphijacker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sphijacker_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_a99b1a8ce4f2ca018676a9e46f28df0afb5f7a80b3caa10c6423eb9f11e6c670"
+ logic_hash = "a99b1a8ce4f2ca018676a9e46f28df0afb5f7a80b3caa10c6423eb9f11e6c670"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162087,13 +162087,13 @@ rule MALPEDIA_Win_Hdmr_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "307a1086-3781-58d7-baa5-6caab9731e40"
+ id = "85c97022-d8c5-5e21-a936-553f640fe4f6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hdmr_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a001b5acc5aa25620fae4ae86be71364f80188dbdc0b08b5c1ad9fa793fd746"
+ logic_hash = "9a001b5acc5aa25620fae4ae86be71364f80188dbdc0b08b5c1ad9fa793fd746"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162126,13 +162126,13 @@ rule MALPEDIA_Win_Tor_Loader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b8b8c482-241b-5af7-99d2-b1614f65fd0c"
+ id = "97401572-684c-58d7-8ba8-1e13d7e2a1eb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tor_loader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tor_loader_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_67a7f7312503fc884654411fbd541d429d107c00f30e61663f00f8de9ff4e54f"
+ logic_hash = "67a7f7312503fc884654411fbd541d429d107c00f30e61663f00f8de9ff4e54f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162165,13 +162165,13 @@ rule MALPEDIA_Win_Usbferry_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3f8a361c-e691-5e51-9749-00ec97a6db10"
+ id = "7bb46c52-bfd6-5303-a607-4235821612d8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.usbferry_auto.yar#L1-L168"
 license_url = "N/A"
- logic_hash = "v1_sha256_246be59259afe1548e2a4d266237ef3554d233c2ef89881c3d19b399601a13ef"
+ logic_hash = "246be59259afe1548e2a4d266237ef3554d233c2ef89881c3d19b399601a13ef"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162210,13 +162210,13 @@ rule MALPEDIA_Win_Locky_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3a58672d-08bd-5585-85be-2c9e9fa0e291"
+ id = "9434ac8a-f19d-5097-9718-4e0bcd7c3bb7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.locky_auto.yar#L1-L181"
 license_url = "N/A"
- logic_hash = "v1_sha256_cfd0780ce81a27b30c6ff7ba29e871c926663b6bd8e9b266836319c43aec3bb1"
+ logic_hash = "cfd0780ce81a27b30c6ff7ba29e871c926663b6bd8e9b266836319c43aec3bb1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162256,13 +162256,13 @@ rule MALPEDIA_Win_Lurk_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b72c3e40-9917-57f0-8c87-5ac5fc4f6f20"
+ id = "d33e5d41-4c33-52cb-9d86-097c6e297a69"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lurk_auto.yar#L1-L176"
 license_url = "N/A"
- logic_hash = "v1_sha256_49386f4cf56b83db74fc2cce7fdb3bbe57cfb7600cc336d7243ab2a9983dbda5"
+ logic_hash = "49386f4cf56b83db74fc2cce7fdb3bbe57cfb7600cc336d7243ab2a9983dbda5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162301,13 +162301,13 @@ rule MALPEDIA_Win_Harnig_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4f728fac-f478-5cea-84ae-29e0f1cdbba9"
+ id = "2adef0b1-84b8-5d38-81de-8e96334fdf2c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.harnig_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_6b0da0575293c2afced8a49894e42bab87f6771cbe3d56035db53ed07d7267fe"
+ logic_hash = "6b0da0575293c2afced8a49894e42bab87f6771cbe3d56035db53ed07d7267fe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162340,13 +162340,13 @@ rule MALPEDIA_Win_Hardrain_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "826f0057-2189-5e30-b5f1-3542bee48fb9"
+ id = "1a6618b8-7c70-57f8-b6a6-f8de7a4fa76c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hardrain_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_04e06a92a16a529e591abeaa4beba2487be2e1ac947f5b4db02fe0ee80e8f06b"
+ logic_hash = "04e06a92a16a529e591abeaa4beba2487be2e1ac947f5b4db02fe0ee80e8f06b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162379,13 +162379,13 @@ rule MALPEDIA_Win_Jripbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cf43bbf6-fe3f-5705-b4f4-deca9dafd61a"
+ id = "d8a957a2-00cf-53c5-96bc-d79d0345ba47"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jripbot_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_fc945105d57ad1b4469be79b8a34ff87923dbb08f76d1d337925be7cac82b3ca"
+ logic_hash = "fc945105d57ad1b4469be79b8a34ff87923dbb08f76d1d337925be7cac82b3ca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162418,13 +162418,13 @@ rule MALPEDIA_Win_Ksl0T_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "86099738-560c-59c5-9450-4d5c588d28d1"
+ id = "a3ab9e8a-b9b1-5fdf-a960-56956519148f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ksl0t_auto.yar#L1-L171"
 license_url = "N/A"
- logic_hash = "v1_sha256_e91b3156f2e9e5f9c8a906372d50f3aa236f543969f133a16425c0f118830109"
+ logic_hash = "e91b3156f2e9e5f9c8a906372d50f3aa236f543969f133a16425c0f118830109"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162463,13 +162463,13 @@ rule MALPEDIA_Win_Safenet_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8c5a4f20-8fc4-5787-a83d-e82a15bd01ba"
+ id = "44c128f1-e37d-585a-b061-6d17f8062460"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.safenet"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.safenet_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_6d1c99e82abc5d35c1a893047f41638ddfbde9bad49f347bcf5718bfe865543c"
+ logic_hash = "6d1c99e82abc5d35c1a893047f41638ddfbde9bad49f347bcf5718bfe865543c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162502,13 +162502,13 @@ rule MALPEDIA_Win_Dexbia_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "17d43ab5-3946-5528-a8e9-9430c1f9cdf7"
+ id = "d4032cc9-0c2b-5612-9b25-c1c6f50e458e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dexbia_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_1dcaac0ec64ac5a8c76c0fa411e7e39bdabd41113089ec01c21fddb197f9dd6c"
+ logic_hash = "1dcaac0ec64ac5a8c76c0fa411e7e39bdabd41113089ec01c21fddb197f9dd6c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162541,13 +162541,13 @@ rule MALPEDIA_Win_Croxloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0f56bd95-5f73-5a15-8785-ae87c7d35420"
+ id = "5f8b8916-f9ec-55d4-b465-31935c48c0ee"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.croxloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.croxloader_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_040078157977ad881b28f3c9384cda36c377a63a849b31c6b1d6ac06966284a5"
+ logic_hash = "040078157977ad881b28f3c9384cda36c377a63a849b31c6b1d6ac06966284a5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162580,13 +162580,13 @@ rule MALPEDIA_Win_Auriga_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "19fb43d1-d990-51e8-ad9f-78d48389a59b"
+ id = "b04a7a23-d5dd-51a9-9bcd-b8623a771f3d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.auriga_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_ba5e317ff80a4f54d11462b8caf5c19d9418687fbcd32874c6803873b6103354"
+ logic_hash = "ba5e317ff80a4f54d11462b8caf5c19d9418687fbcd32874c6803873b6103354"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162619,13 +162619,13 @@ rule MALPEDIA_Win_Parallax_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "933906c9-772b-5750-83c8-62efccf41a3d"
+ id = "f999aded-327c-50dd-9dd2-6822fe568c2e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.parallax_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_598728667b89c1a79c35abfecdd8c0a41fda3612c3bf2021240a756e9bc3373e"
+ logic_hash = "598728667b89c1a79c35abfecdd8c0a41fda3612c3bf2021240a756e9bc3373e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162658,13 +162658,13 @@ rule MALPEDIA_Win_Felismus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2b664708-a6fc-5180-bfa8-df389195d7bb"
+ id = "82db284d-423c-5d27-9839-6fb28439fb0e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.felismus_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_4546b8db4538dafe5bc8d041a61c766239a1afc6f98e209750b1eab9012fff52"
+ logic_hash = "4546b8db4538dafe5bc8d041a61c766239a1afc6f98e209750b1eab9012fff52"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162697,13 +162697,13 @@ rule MALPEDIA_Win_Moure_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "461082aa-343b-57eb-b7b1-06d9634ba1a8"
+ id = "d5ea53f7-d6a1-5284-9152-98034607f388"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moure_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_e394b210e6ac1eaa6569608ddb349d4dd1ae50231f20d0924074c460f1fa6782"
+ logic_hash = "e394b210e6ac1eaa6569608ddb349d4dd1ae50231f20d0924074c460f1fa6782"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162736,13 +162736,13 @@ rule MALPEDIA_Win_Systembc_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "102ffd94-56e8-5644-ab1c-200f202e0551"
+ id = "78762f50-0312-5144-8487-9132a843d75d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.systembc_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_0c55a2c050a3bb97541957e7a554780d9460670263a6f5688965634c91b9bb06"
+ logic_hash = "0c55a2c050a3bb97541957e7a554780d9460670263a6f5688965634c91b9bb06"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162775,13 +162775,13 @@ rule MALPEDIA_Win_Nemim_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fba2f6ee-3c72-5cab-b7e9-3b7b5fff6ce6"
+ id = "23401018-c6d9-5370-9496-23a34b1b2310"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nemim_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_a74c5cc417011139586470805b653eee06eb07d9c80d556280876db9d2f1564f"
+ logic_hash = "a74c5cc417011139586470805b653eee06eb07d9c80d556280876db9d2f1564f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162814,13 +162814,13 @@ rule MALPEDIA_Win_Sysget_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8593e890-bd08-5900-91f0-2f37a1263b28"
+ id = "6dbd418c-6815-50a8-abcf-151d7391ffca"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sysget_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_902f9069de33837221babbb397abede3730b90e4c77213918173008758853f78"
+ logic_hash = "902f9069de33837221babbb397abede3730b90e4c77213918173008758853f78"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162853,13 +162853,13 @@ rule MALPEDIA_Win_Zardoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "77d8be3e-6721-5f79-92b8-ee79dc5cef7c"
+ id = "0edcabb6-39f3-5cd6-ada5-74eb513ae7ba"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zardoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zardoor_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_dcbde80565a6988222a931ad27e9d322a3f8d97571d82cdb176504031bc2daa5"
+ logic_hash = "dcbde80565a6988222a931ad27e9d322a3f8d97571d82cdb176504031bc2daa5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162892,13 +162892,13 @@ rule MALPEDIA_Win_Maoloa_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e6c9a16d-9a9c-51fd-b341-bb35d62ce163"
+ id = "7a2b1982-b20a-5388-b0ef-52864066a031"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.maoloa_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_db1d30099f88e9731a955a855e8ff6fe8bdddafcf359d763b17d4e94ad2fc492"
+ logic_hash = "db1d30099f88e9731a955a855e8ff6fe8bdddafcf359d763b17d4e94ad2fc492"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162931,13 +162931,13 @@ rule MALPEDIA_Win_Allaple_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3db268c8-a0e1-5485-9b5d-a6ec43caf75b"
+ id = "c8febfcb-b725-537f-8f54-423e8f8493e3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.allaple_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_f37966362a7b1531336f0a212f7c22ad8f69248a7c762c12dc2134fd4316ec00"
+ logic_hash = "f37966362a7b1531336f0a212f7c22ad8f69248a7c762c12dc2134fd4316ec00"
 score = 75
 quality = 75
 tags = "FILE"
@@ -162970,13 +162970,13 @@ rule MALPEDIA_Win_Emotet_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c8fee857-3561-5b76-b297-7d288611243c"
+ id = "85da1a2d-a5c5-5b7b-9770-0decc7a1a09c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.emotet_auto.yar#L1-L629"
 license_url = "N/A"
- logic_hash = "v1_sha256_833ebe5d59874650225701086c74088b08c5f926b449dc8bc3e0d02e1708d1c4"
+ logic_hash = "833ebe5d59874650225701086c74088b08c5f926b449dc8bc3e0d02e1708d1c4"
 score = 75
 quality = 50
 tags = "FILE"
@@ -163075,13 +163075,13 @@ rule MALPEDIA_Win_Konni_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "23763a87-5654-5bc2-ab14-7d12686d3c11"
+ id = "b496c86d-77c9-50ca-bd29-c6ba6090731f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.konni_auto.yar#L1-L487"
 license_url = "N/A"
- logic_hash = "v1_sha256_4a537b4460e51cec9389cef999baf5dfc7c64c03085bd38519060ea921833d74"
+ logic_hash = "4a537b4460e51cec9389cef999baf5dfc7c64c03085bd38519060ea921833d74"
 score = 75
 quality = 50
 tags = "FILE"
@@ -163157,13 +163157,13 @@ rule MALPEDIA_Win_Meow_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "43bdc1a7-1948-514a-9f35-efe5b15eed37"
+ id = "7bfddd3d-be4f-534c-b012-013271dcd1ec"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meow"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.meow_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_3492cd8205784aeb9b05674679a1cd09e5a722fe3928b65cba6a5afbb0a0fecc"
+ logic_hash = "3492cd8205784aeb9b05674679a1cd09e5a722fe3928b65cba6a5afbb0a0fecc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163196,13 +163196,13 @@ rule MALPEDIA_Win_Lilith_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "108de4b7-72ff-5b98-9821-c916919c37c6"
+ id = "82364ac2-deb7-51b6-ba0e-2be91de6e553"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lilith_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_e60f46a761d89df2badd5fa4f4597b68f40a30e0a662e1d347c30e5849d899e2"
+ logic_hash = "e60f46a761d89df2badd5fa4f4597b68f40a30e0a662e1d347c30e5849d899e2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163235,13 +163235,13 @@ rule MALPEDIA_Win_Nimbo_C2_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b5a21f90-5664-5b03-a4c5-45d79b5ab827"
+ id = "3fbf9b9f-3200-52f3-a15f-1eaff92b5ed0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nimbo_c2_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_8589aa9b6f63efad7fde0dd033ffc7aedc0446802bcc3cc8f7fcdbf116768199"
+ logic_hash = "8589aa9b6f63efad7fde0dd033ffc7aedc0446802bcc3cc8f7fcdbf116768199"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163274,13 +163274,13 @@ rule MALPEDIA_Win_Ismagent_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "775a30eb-9694-503e-b962-b31a47507d84"
+ id = "24afa0f1-f712-53a2-912d-b18acc3ca8ea"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ismagent_auto.yar#L1-L100"
 license_url = "N/A"
- logic_hash = "v1_sha256_9ef409a40f890c9792a656e6f1a7b3222e5613b22517076da29bfdc0316f39e4"
+ logic_hash = "9ef409a40f890c9792a656e6f1a7b3222e5613b22517076da29bfdc0316f39e4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163311,13 +163311,13 @@ rule MALPEDIA_Win_Yanluowang_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f23a6412-14a3-5202-881e-967d9eefa634"
+ id = "80b6830b-5b54-5c8d-ad9b-1e91ef44f5d3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yanluowang_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_6212a7300d814763a89ad52de44e628c3e76a732777f6c6e8d98550e60e1baf9"
+ logic_hash = "6212a7300d814763a89ad52de44e628c3e76a732777f6c6e8d98550e60e1baf9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163350,13 +163350,13 @@ rule MALPEDIA_Win_Buzus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c6d0c027-cf40-5628-a424-35e9d29c4948"
+ id = "f2c6c20b-b508-5a77-9b4a-9c4e0b2d073d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.buzus_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_8e43adb8c81d9beeeff3e46894b189cae5a523720c80cbd55f0f1970ef5f7600"
+ logic_hash = "8e43adb8c81d9beeeff3e46894b189cae5a523720c80cbd55f0f1970ef5f7600"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163389,13 +163389,13 @@ rule MALPEDIA_Win_Ddkeylogger_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5c0e58b1-127f-571e-98b1-ebde366bf43b"
+ id = "3fb8455b-5bc3-5fd3-8427-a0f169965730"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ddkeylogger_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_fadbff39943f10b1213064afba0274f50487808fd2b1956572db1fecae4dc6f6"
+ logic_hash = "fadbff39943f10b1213064afba0274f50487808fd2b1956572db1fecae4dc6f6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163428,13 +163428,13 @@ rule MALPEDIA_Win_Grillmark_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a6eb7de8-f6e8-5bbf-bb79-7dff28122bee"
+ id = "f964c2f0-0000-5336-8c75-c1988fed5207"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grillmark_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_3b34499d4c29c52da57dd97a7dde84f3954319d72fae7b0456cb1c1378f5429f"
+ logic_hash = "3b34499d4c29c52da57dd97a7dde84f3954319d72fae7b0456cb1c1378f5429f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163467,13 +163467,13 @@ rule MALPEDIA_Win_Goldenspy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "389cd896-9df6-5cf6-80b8-4b8fd038e886"
+ id = "5e7dd5e3-178b-5910-8098-c42b951969b2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.goldenspy_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_b60928ded54ec1e6882e1e84d68fbc49ae085baf6e4863bae7fd0036613f3bf4"
+ logic_hash = "b60928ded54ec1e6882e1e84d68fbc49ae085baf6e4863bae7fd0036613f3bf4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163506,13 +163506,13 @@ rule MALPEDIA_Win_Eagerbee_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c62283d0-7a01-58c9-9581-1c338170a92d"
+ id = "2914e030-5e45-5c35-a3c7-d9acb5cc0ce1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eagerbee"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.eagerbee_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_3bba3fefff572c4fd61435a0b0fa92dfc257235bdf724d5d11ca53b01740914f"
+ logic_hash = "3bba3fefff572c4fd61435a0b0fa92dfc257235bdf724d5d11ca53b01740914f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163545,13 +163545,13 @@ rule MALPEDIA_Win_Rhino_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3e106be9-dec1-5445-8ebf-5071398172c2"
+ id = "d85fe477-4e99-588f-91e6-0f1b3f138c82"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rhino_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_00639a2283c7cb43c3dac639e40d4b9a0594ea339862d60e983925c4aeea1ea1"
+ logic_hash = "00639a2283c7cb43c3dac639e40d4b9a0594ea339862d60e983925c4aeea1ea1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163584,13 +163584,13 @@ rule MALPEDIA_Win_Doppelpaymer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7ce154ab-a0d9-59d3-887c-51799d1f2635"
+ id = "fb3d1d6a-8d0f-5691-b315-4261f48416f9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doppelpaymer_auto.yar#L1-L187"
 license_url = "N/A"
- logic_hash = "v1_sha256_5a0db62aabb073b4fe7086dc27996528fad3daef4ecf82aaa9e666c8187cc6f8"
+ logic_hash = "5a0db62aabb073b4fe7086dc27996528fad3daef4ecf82aaa9e666c8187cc6f8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163631,13 +163631,13 @@ rule MALPEDIA_Win_Nachocheese_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "075bca15-eca8-5165-b2c5-8966598a1271"
+ id = "119ab577-2997-5077-8fbd-28bff11c20d6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nachocheese_auto.yar#L1-L161"
 license_url = "N/A"
- logic_hash = "v1_sha256_cadb77319f92fe40994b6aeeeca327d5d465905297aa3f5228d474dfd2f50f6d"
+ logic_hash = "cadb77319f92fe40994b6aeeeca327d5d465905297aa3f5228d474dfd2f50f6d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163676,13 +163676,13 @@ rule MALPEDIA_Win_Collectorgoomba_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "473d036f-8770-56bc-ae8e-5762604ba0be"
+ id = "5bb538af-60a7-5a3c-af65-3701cf208563"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.collectorgoomba_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_ad69a85577b2886d7cccd50f51e68db7322b59aae6c81464fad54090e92dc915"
+ logic_hash = "ad69a85577b2886d7cccd50f51e68db7322b59aae6c81464fad54090e92dc915"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163715,13 +163715,13 @@ rule MALPEDIA_Win_Lumma_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e5b199ea-61b6-5de1-9c98-594e4ee3c2da"
+ id = "1dee4d5d-9b7b-5ecd-98af-fd03e9ff26e5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lumma_auto.yar#L1-L169"
 license_url = "N/A"
- logic_hash = "v1_sha256_3a8b83c4e573eb9f46c2ea015108cf5619d754c9ccdb93831085f7f3bab02530"
+ logic_hash = "3a8b83c4e573eb9f46c2ea015108cf5619d754c9ccdb93831085f7f3bab02530"
 score = 75
 quality = 73
 tags = "FILE"
@@ -163762,13 +163762,13 @@ rule MALPEDIA_Win_Fobber_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "73bc7618-be72-5cd4-a8c2-dd1e26715899"
+ id = "1c71dc66-f917-5ba2-9fb8-1fb21c7a75f0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fobber_auto.yar#L1-L172"
 license_url = "N/A"
- logic_hash = "v1_sha256_61538df65ce7e18f8d160f3c894437f915290dca7e112a40d32b84ca774989b9"
+ logic_hash = "61538df65ce7e18f8d160f3c894437f915290dca7e112a40d32b84ca774989b9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163807,13 +163807,13 @@ rule MALPEDIA_Win_Miniblindingcan_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "84563a1d-37e7-50a1-800b-850f3d6a2d17"
+ id = "7798fac4-4e5d-566f-a335-bf730671b981"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniblindingcan"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.miniblindingcan_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_58b505c72082d28e67c192bf52fda135efb347b75fec700d41c24b4ca9aa0285"
+ logic_hash = "58b505c72082d28e67c192bf52fda135efb347b75fec700d41c24b4ca9aa0285"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163846,13 +163846,13 @@ rule MALPEDIA_Win_Avos_Locker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9d03ba9d-4af2-5922-981d-b8bc9f61602a"
+ id = "9aee42e1-3c32-52f2-9afa-ee2f50391d41"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.avos_locker_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_a821f2b32080b52bc69d3070def6e8f696a536519430ac8aacf9142d4b2280c1"
+ logic_hash = "a821f2b32080b52bc69d3070def6e8f696a536519430ac8aacf9142d4b2280c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163885,13 +163885,13 @@ rule MALPEDIA_Win_Krdownloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "53080e69-d6de-59fa-ac5f-b383c536345e"
+ id = "10ef2ce3-6275-5734-8773-8e4b907d8dbf"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.krdownloader_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_5c0e3ed0b3f2de4235868995565358a807a3f9a7ed056ed4108e22469b818ef9"
+ logic_hash = "5c0e3ed0b3f2de4235868995565358a807a3f9a7ed056ed4108e22469b818ef9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163924,13 +163924,13 @@ rule MALPEDIA_Win_Flame_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9b122e43-3e5c-560a-82c6-2c503ddca7bc"
+ id = "b53c0a2c-8618-5e74-aa3e-ccb8cf016906"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flame_auto.yar#L1-L159"
 license_url = "N/A"
- logic_hash = "v1_sha256_0f55b9dade05164e67ff141163e2392fbdf01e6db384f40da8132a7d5263b81a"
+ logic_hash = "0f55b9dade05164e67ff141163e2392fbdf01e6db384f40da8132a7d5263b81a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -163968,13 +163968,13 @@ rule MALPEDIA_Win_Chewbacca_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "165a59b9-fadd-5c0c-ba01-43d37d8353e1"
+ id = "390231b1-3e2b-54db-9803-32024f965f10"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chewbacca_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_e7a38996a98134785fc7654ab24d9b2f764c6a77f5e2b53f68cf035bd47e7345"
+ logic_hash = "e7a38996a98134785fc7654ab24d9b2f764c6a77f5e2b53f68cf035bd47e7345"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164007,13 +164007,13 @@ rule MALPEDIA_Win_Pss_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e10cce7b-1591-549d-b232-8d0976d555f3"
+ id = "5d7a2f66-332a-5d9c-b5c1-576c5e994461"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pss_auto.yar#L1-L139"
 license_url = "N/A"
- logic_hash = "v1_sha256_51611bab605bb2ace0ab1fa2af33625cc29dd81f64a8b665b3e9018994b265fd"
+ logic_hash = "51611bab605bb2ace0ab1fa2af33625cc29dd81f64a8b665b3e9018994b265fd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164049,13 +164049,13 @@ rule MALPEDIA_Win_Badhatch_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1cdd5620-62a5-57d6-9a39-a4e158499da1"
+ id = "129c68ce-5b2e-52de-a1c8-87ec196923a8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.badhatch_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_d1799db66ba63d047ab24cbcf38644792982827a0f2e3a856828a5d589d13430"
+ logic_hash = "d1799db66ba63d047ab24cbcf38644792982827a0f2e3a856828a5d589d13430"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164088,13 +164088,13 @@ rule MALPEDIA_Win_Defray_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "eddd5742-e4d2-5454-9d5c-d1807b3c3b9f"
+ id = "23c37ae2-467d-5f29-b754-9bdc94cdef46"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.defray_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_d9d1b63e76728813771527a0e75abb334c604ad0cc64db1ac03a90b90d9454be"
+ logic_hash = "d9d1b63e76728813771527a0e75abb334c604ad0cc64db1ac03a90b90d9454be"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164127,13 +164127,13 @@ rule MALPEDIA_Win_Fatduke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f499c16c-09cd-5c36-9a65-b65ff66c55c7"
+ id = "62118afa-94f3-55fc-9df2-3b95dac75d0a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fatduke_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_2b9fcfe8a4ef7a6057f27cf4a92527f05cca75754ce0db88d74fae66934b4810"
+ logic_hash = "2b9fcfe8a4ef7a6057f27cf4a92527f05cca75754ce0db88d74fae66934b4810"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164166,13 +164166,13 @@ rule MALPEDIA_Win_R77_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "980cabfe-5418-5025-9b5e-aad0da931ac7"
+ id = "82a35666-90fe-5251-926e-d8ec55b813d1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.r77"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.r77_auto.yar#L1-L155"
 license_url = "N/A"
- logic_hash = "v1_sha256_a6240af5ccc4c53bc37ef2e7a551ebc739733179f6b77ecd5d71bb872b7b54ae"
+ logic_hash = "a6240af5ccc4c53bc37ef2e7a551ebc739733179f6b77ecd5d71bb872b7b54ae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164209,13 +164209,13 @@ rule MALPEDIA_Win_Quickheal_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f221228b-f593-5ca4-b566-4d6459f09c2d"
+ id = "7d4dca96-7d89-573a-86d8-cd5cf725e16a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.quickheal_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_a577fc33ace43aa6e0de60cf56eae847992f0d2ae90d4e16ade87fbe86c88038"
+ logic_hash = "a577fc33ace43aa6e0de60cf56eae847992f0d2ae90d4e16ade87fbe86c88038"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164248,13 +164248,13 @@ rule MALPEDIA_Win_Bumblebee_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b0c8c8f1-d2cb-5eb3-80ca-7c6a8a8fa6ea"
+ id = "bb13bacf-dfd1-5f67-a954-b108745cbd18"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bumblebee_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_1740917da778479acf746acdc75f2beb6821c321be8f136bbd653a625bc1c0f8"
+ logic_hash = "1740917da778479acf746acdc75f2beb6821c321be8f136bbd653a625bc1c0f8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164287,13 +164287,13 @@ rule MALPEDIA_Win_Crypt0L0Cker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6e3427e9-9d33-5037-b41d-d4230f3a9bca"
+ id = "e6b39d07-e23b-5484-8b7e-294315d68726"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crypt0l0cker_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_11804f6d364478c710393f9e456002818242d521693fa2a4f73173b108217067"
+ logic_hash = "11804f6d364478c710393f9e456002818242d521693fa2a4f73173b108217067"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164326,13 +164326,13 @@ rule MALPEDIA_Win_Parasite_Http_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2cbcc8ac-76c6-5517-b01f-422448bf18a9"
+ id = "b5a52ac1-7407-5488-8891-0827582e53ff"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.parasite_http_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_b1b7675b20fef7b5b4abd1833972b96c480194b45d3d066a629b96c3dbbd6baa"
+ logic_hash = "b1b7675b20fef7b5b4abd1833972b96c480194b45d3d066a629b96c3dbbd6baa"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164365,13 +164365,13 @@ rule MALPEDIA_Win_Zerot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f30bb7fd-eb03-583e-993e-be5ccc198bba"
+ id = "ca921115-39c5-5d82-8694-1a7256cdc82c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zerot_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_85e45f7b3fe13ccc106bda70bf9add1f5b39cb8a82aaafbc3111d2a319c8d43b"
+ logic_hash = "85e45f7b3fe13ccc106bda70bf9add1f5b39cb8a82aaafbc3111d2a319c8d43b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164404,13 +164404,13 @@ rule MALPEDIA_Win_Roopirs_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "28936f79-684c-5670-af33-515afae53ecb"
+ id = "57676d4c-d0d7-5b4f-80a4-819b4d474425"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.roopirs_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_d4e144778ab9b98b475c3cbfeb400528a9373556893774f62bba1f2eb8f36265"
+ logic_hash = "d4e144778ab9b98b475c3cbfeb400528a9373556893774f62bba1f2eb8f36265"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164443,13 +164443,13 @@ rule MALPEDIA_Win_Sidewinder_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "88271a0b-3c8a-5e3a-9c94-3dd9aba4bb4b"
+ id = "392688fd-d092-5405-9184-eda077762341"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sidewinder_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_ed076ae71f5673b9d5b7573a79292b3a5ca9ffc23926551c4a3dd71dd3fac1f3"
+ logic_hash = "ed076ae71f5673b9d5b7573a79292b3a5ca9ffc23926551c4a3dd71dd3fac1f3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164482,13 +164482,13 @@ rule MALPEDIA_Win_Ragnarok_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "98747133-577b-5e5e-afd2-f5dda6d3991f"
+ id = "e51b7730-611b-519c-90af-8c932bd35b31"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ragnarok_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_ed2a7ae77b63d671045bd4aedbd475a1c70e0fa7ad07494ab8d71c8f930faf2f"
+ logic_hash = "ed2a7ae77b63d671045bd4aedbd475a1c70e0fa7ad07494ab8d71c8f930faf2f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164521,13 +164521,13 @@ rule MALPEDIA_Win_Ceeloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "84aab88e-f4e7-5b66-bf15-3afe5492549b"
+ id = "c4d991a8-4075-5bcb-8916-cb7ba3e3bc9e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ceeloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ceeloader_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_a2c60d828b1d749bfbc654154ea7639eec54d50fcdb5e7a81ec6415d729400d3"
+ logic_hash = "a2c60d828b1d749bfbc654154ea7639eec54d50fcdb5e7a81ec6415d729400d3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164560,13 +164560,13 @@ rule MALPEDIA_Win_Aukill_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d772bfb2-006d-5089-a953-2abca0293f15"
+ id = "db9d4a1a-ed53-5fea-bff5-185747bfbb51"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aukill"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.aukill_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_cf5c7585c61eda7d5c6a56885b3d8ed6928646fd3abef78ed34135b918e268f8"
+ logic_hash = "cf5c7585c61eda7d5c6a56885b3d8ed6928646fd3abef78ed34135b918e268f8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164599,13 +164599,13 @@ rule MALPEDIA_Win_Gtpdoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "95ce0f83-f9ba-5a70-9b0d-e1b7959c6388"
+ id = "4153c400-4ed4-5abe-992b-68d9e6f8d150"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gtpdoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gtpdoor_auto.yar#L1-L153"
 license_url = "N/A"
- logic_hash = "v1_sha256_423cce46146e2125cb44be14d40c52df5a3a2bf5fc0d9812eac79f63ac677cea"
+ logic_hash = "423cce46146e2125cb44be14d40c52df5a3a2bf5fc0d9812eac79f63ac677cea"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164642,13 +164642,13 @@ rule MALPEDIA_Win_Darktequila_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2747d283-23e3-5d24-9077-55bedbebfcbc"
+ id = "269a3731-3e60-523d-8f8e-b11db5f03d72"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darktequila_auto.yar#L1-L113"
 license_url = "N/A"
- logic_hash = "v1_sha256_7a615b9f83311311d3befdcf3fa9a13c4c4dc7e52e3af67816a4aeaa810facc1"
+ logic_hash = "7a615b9f83311311d3befdcf3fa9a13c4c4dc7e52e3af67816a4aeaa810facc1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164681,13 +164681,13 @@ rule MALPEDIA_Win_Transbox_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0c907ad6-f54b-5297-ac2a-d95797398be3"
+ id = "974af1a4-da2b-5193-ac3c-32d4a6cfff60"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.transbox"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.transbox_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_e0417344b856e4de18adbd11a563963b1ed47459f0027440ad36de04e1848468"
+ logic_hash = "e0417344b856e4de18adbd11a563963b1ed47459f0027440ad36de04e1848468"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164720,13 +164720,13 @@ rule MALPEDIA_Win_Mongall_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5810d81c-06f0-55ea-bac2-27012e93857b"
+ id = "1879a42c-8126-5974-b63b-7f69fc5f6e38"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mongall"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mongall_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_36dcbe2d37d6f65dbb3669c0b2ac6fd765ed6dc11c02d84fddc280c31d04ea56"
+ logic_hash = "36dcbe2d37d6f65dbb3669c0b2ac6fd765ed6dc11c02d84fddc280c31d04ea56"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164759,13 +164759,13 @@ rule MALPEDIA_Win_Solarbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5586d1b0-5cb8-5011-bd5d-8ab245062510"
+ id = "49174231-2a30-5980-bda7-c8f930d0210d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.solarbot_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_78704c2bda81ce32f769ec7e509f90cf94c947eb12d602603a0979d813473a0e"
+ logic_hash = "78704c2bda81ce32f769ec7e509f90cf94c947eb12d602603a0979d813473a0e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164798,13 +164798,13 @@ rule MALPEDIA_Win_Ragnarlocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "92d73416-b931-5032-9cfa-8d28ae8c0aec"
+ id = "2ac8a2eb-b248-5587-8704-788c5b75f23d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ragnarlocker_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_a0b16ae3dec166e9354e89e87f8c27a6b4e207c9c50c554aa69c08f1891c036a"
+ logic_hash = "a0b16ae3dec166e9354e89e87f8c27a6b4e207c9c50c554aa69c08f1891c036a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164837,13 +164837,13 @@ rule MALPEDIA_Win_Typehash_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f93d4b23-1594-53d2-9f9d-3e79f2ab52f1"
+ id = "edf296ed-fbc4-5bd8-b180-ef55e989c944"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.typehash_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_9451e6a97a0b537ea280e22049617c90fd5aa93257a4b129bfda6427a2eb4eeb"
+ logic_hash = "9451e6a97a0b537ea280e22049617c90fd5aa93257a4b129bfda6427a2eb4eeb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164876,13 +164876,13 @@ rule MALPEDIA_Win_Nymaim2_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fc3bef13-2a2e-5f15-a457-47fa27e067c3"
+ id = "b34e9293-8593-5a44-9c75-a60856a38adc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nymaim2_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_1e69e778cd0db9f8366da07218fbdcf365b60086ad2357e3134734801ed5db37"
+ logic_hash = "1e69e778cd0db9f8366da07218fbdcf365b60086ad2357e3134734801ed5db37"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164915,13 +164915,13 @@ rule MALPEDIA_Win_Ratankbapos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec81c17b-414f-5b76-aa6b-a7a4756dabe1"
+ id = "d1e7d1d4-363b-5b45-848f-d4cc89843f97"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ratankbapos_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_17591f183be92d031983360942e373f37d5a48aae82c019ca5afd1168616aff1"
+ logic_hash = "17591f183be92d031983360942e373f37d5a48aae82c019ca5afd1168616aff1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164954,13 +164954,13 @@ rule MALPEDIA_Win_Koadic_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8793f8e1-af7c-5829-834e-eaefd3994090"
+ id = "cf49fa85-eb15-5b40-90ec-91247303052e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.koadic_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_045758b315b8841fdc586ed89736311e4ca424527e393ec057e76ad188d18c25"
+ logic_hash = "045758b315b8841fdc586ed89736311e4ca424527e393ec057e76ad188d18c25"
 score = 75
 quality = 75
 tags = "FILE"
@@ -164993,13 +164993,13 @@ rule MALPEDIA_Win_Webc2_Rave_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a5c94be8-c420-5089-bc3b-142963811866"
+ id = "df6c143a-04c8-53dd-b585-7785e6f7c9b7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_rave_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_d35d8eb6aefe7cc5c299f90e5678dfb9d7a049e0361b4bce0487fde286aa34fe"
+ logic_hash = "d35d8eb6aefe7cc5c299f90e5678dfb9d7a049e0361b4bce0487fde286aa34fe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165032,13 +165032,13 @@ rule MALPEDIA_Win_Mail_O_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1c2d276e-974b-509b-90e1-4d436a565de3"
+ id = "22d6b28e-4151-5e9b-9587-80b5734c06d0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mail_o_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_dcb8e5253869e623d55ce118499ad5275559d95782fd4c320c46ce5ddc9c4fdf"
+ logic_hash = "dcb8e5253869e623d55ce118499ad5275559d95782fd4c320c46ce5ddc9c4fdf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165071,13 +165071,13 @@ rule MALPEDIA_Win_Pwnpos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0ae6c29b-bade-5759-8973-b2a45107aaac"
+ id = "89590cbe-393e-53e8-874f-1579725c5e19"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pwnpos_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_99cca90c63c7d894b30f59c47917d71bb5281e2d807f6e3da388b67f1d509c2d"
+ logic_hash = "99cca90c63c7d894b30f59c47917d71bb5281e2d807f6e3da388b67f1d509c2d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165110,13 +165110,13 @@ rule MALPEDIA_Win_Mikoponi_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "88a99a2b-a639-593b-b89b-2cf5dbff209d"
+ id = "4800c6d3-16db-53d7-bb1f-1cb0040fb556"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mikoponi_auto.yar#L1-L109"
 license_url = "N/A"
- logic_hash = "v1_sha256_6fec244d34dfdfffb8f190bd531090181ff56cb0a8f461ac3c66e10426835858"
+ logic_hash = "6fec244d34dfdfffb8f190bd531090181ff56cb0a8f461ac3c66e10426835858"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165147,13 +165147,13 @@ rule MALPEDIA_Win_Zeus_Sphinx_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e6931352-d33e-575b-9a91-af2dcf7b9db1"
+ id = "2404684e-f88f-5795-bbdc-963d4ddd15f4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zeus_sphinx_auto.yar#L1-L158"
 license_url = "N/A"
- logic_hash = "v1_sha256_f8ae31764c1b32c59de8e620b679e44d219bf08111b95222bfeb2c4359a4f338"
+ logic_hash = "f8ae31764c1b32c59de8e620b679e44d219bf08111b95222bfeb2c4359a4f338"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165192,13 +165192,13 @@ rule MALPEDIA_Win_Evilbunny_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "256122b5-52ea-5b16-a502-c2c0bca82652"
+ id = "3746f242-5ef7-565f-99d0-aeeb4c27d515"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.evilbunny_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_1534b24ff80468ad553b2eed5ffad4b00ea68305fd3769acbc60a82e33460626"
+ logic_hash = "1534b24ff80468ad553b2eed5ffad4b00ea68305fd3769acbc60a82e33460626"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165231,13 +165231,13 @@ rule MALPEDIA_Win_Rhttpctrl_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3ce458ed-e798-526d-b103-9a0a196105e1"
+ id = "bb8327a4-6882-545f-b20a-98b7f136eb51"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rhttpctrl_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_a8b0cf895e0bd3f2af68f83e9a4ca3cd7018abded67cb45f683d7384d581104e"
+ logic_hash = "a8b0cf895e0bd3f2af68f83e9a4ca3cd7018abded67cb45f683d7384d581104e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165270,13 +165270,13 @@ rule MALPEDIA_Win_Biscuit_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "49f0e4a8-c5ce-592b-bda3-6a3ea3181d66"
+ id = "66751c6c-b859-5182-9d1d-e9646223d6c4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.biscuit_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_84aba44ada1e956d4a74e202350a88ae7df3ab1612a23de6af2ad0ed5a1e2805"
+ logic_hash = "84aba44ada1e956d4a74e202350a88ae7df3ab1612a23de6af2ad0ed5a1e2805"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165309,13 +165309,13 @@ rule MALPEDIA_Win_Duuzer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cfac1768-d14c-5ee5-9978-38623a5c364c"
+ id = "b9aa8686-ae5c-522f-84d5-1ffe739b66d7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.duuzer_auto.yar#L1-L148"
 license_url = "N/A"
- logic_hash = "v1_sha256_0a972badbc054d0ce47d3497dce1a043373ba372ad2c5fee4eff7c656c3de915"
+ logic_hash = "0a972badbc054d0ce47d3497dce1a043373ba372ad2c5fee4eff7c656c3de915"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165353,13 +165353,13 @@ rule MALPEDIA_Win_Bitsloth_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4a723916-6101-52d6-a4d4-d1ec3b5f010d"
+ id = "a3d0de3b-9639-54f3-9dde-5c53759da2ed"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsloth"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bitsloth_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_c4f0991c5eb2b348c1fcbe6db2b4d14bd7d82664775a39a42f7ea0ad4a8658a0"
+ logic_hash = "c4f0991c5eb2b348c1fcbe6db2b4d14bd7d82664775a39a42f7ea0ad4a8658a0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -165392,13 +165392,13 @@ rule MALPEDIA_Win_Slickshoes_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8fead080-bb6b-5ddd-867b-e006c200718a" + id = "d2f3560b-3237-526b-973c-5a49467a861c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.slickshoes_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_97b262a4dee8ee1b76d2a0a337ee7fc4558fd80e3330d7f7994e897a96aa6369" + logic_hash = "97b262a4dee8ee1b76d2a0a337ee7fc4558fd80e3330d7f7994e897a96aa6369" score = 75 quality = 75 tags = "FILE" @@ -165431,13 +165431,13 @@ rule MALPEDIA_Win_Varenyky_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7ff4a8e6-0344-58b8-aee7-b8b2e3029153" + id = "ab8f8dd3-9c68-536a-86ec-5c7d9a6bae52" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.varenyky_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_c5bb03c58d8d0a3e4056574270047301338558839b61ccfc4ab3bac90d9c50ac" + logic_hash = "c5bb03c58d8d0a3e4056574270047301338558839b61ccfc4ab3bac90d9c50ac" score = 75 quality = 75 tags = "FILE" 
@@ -165470,13 +165470,13 @@ rule MALPEDIA_Win_Hancitor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9c3fc1a8-194d-56e2-8f2f-ca62a3eb543f" + id = "1eb6df2e-159b-5f28-b4bd-8814d0819600" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hancitor_auto.yar#L1-L262" license_url = "N/A" - logic_hash = "v1_sha256_065eca202c5de0c3aac505b9a1e3b15150d867b922d1e944cb9db0f3b78d775f" + logic_hash = "065eca202c5de0c3aac505b9a1e3b15150d867b922d1e944cb9db0f3b78d775f" score = 75 quality = 73 tags = "FILE" @@ -165526,13 +165526,13 @@ rule MALPEDIA_Win_Avzhan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84489015-fbc4-58bb-a556-d9fc5aea9f79" + id = "c13a7c9b-4cee-5226-bade-6ae0e888daa7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.avzhan_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_71cd3a78708c6b20dbe933c0b73634c73ab7a935896c5127cd1ee325ea10e744" + logic_hash = "71cd3a78708c6b20dbe933c0b73634c73ab7a935896c5127cd1ee325ea10e744" score = 75 quality = 75 tags = "FILE" 
@@ -165565,13 +165565,13 @@ rule MALPEDIA_Win_Redalpha_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "644d6bb2-04f2-5d09-8213-865b208aaed9" + id = "6a45e264-f0cb-55d8-8d41-9c16d8d716f7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.redalpha_auto.yar#L1-L230" license_url = "N/A" - logic_hash = "v1_sha256_cbf7a84b857c49ee3d81dd7f006e794089e9ad6271126e24c962dedf553b5fc2" + logic_hash = "cbf7a84b857c49ee3d81dd7f006e794089e9ad6271126e24c962dedf553b5fc2" score = 75 quality = 73 tags = "FILE" @@ -165618,13 +165618,13 @@ rule MALPEDIA_Win_Woody_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bf7b5d0b-dc9f-5ddf-aca5-3447cf94d622" + id = "a1d402bd-2e1b-5cc3-9efe-bee43a3f6f70" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.woody_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_9fa53ff2aea1026050fd9bf490e4459858b6e425e2d1081bd2beeba1427b1834" + logic_hash = "9fa53ff2aea1026050fd9bf490e4459858b6e425e2d1081bd2beeba1427b1834" score = 75 quality = 75 tags = "FILE" 
@@ -165657,13 +165657,13 @@ rule MALPEDIA_Win_Kerrdown_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a21eea1c-c792-5b51-b2d8-b094aa1c6429" + id = "68770a3e-6717-5ac7-9970-7a5d2e8be7ee" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kerrdown_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_5c1e70ce1c83c058010acdca1cced0163370ed7a63b1ae0a7c0e9df6e4e225f4" + logic_hash = "5c1e70ce1c83c058010acdca1cced0163370ed7a63b1ae0a7c0e9df6e4e225f4" score = 75 quality = 75 tags = "FILE" @@ -165696,13 +165696,13 @@ rule MALPEDIA_Win_Virlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a8acf84d-4876-5e96-b399-7f2cc4dda0fb" + id = "9f47c27a-c9f5-5a88-9d0b-7ae966c8318a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.virlock_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_57885374cad55b220d8ca1f9432224bf7f5758a9b4619824c3d2cad7d03a8a3d" + logic_hash = "57885374cad55b220d8ca1f9432224bf7f5758a9b4619824c3d2cad7d03a8a3d" score = 75 quality = 71 tags = "FILE" 
@@ -165735,13 +165735,13 @@ rule MALPEDIA_Win_Splitloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cbd65e56-a211-5424-8c79-2ee55a9366e8" + id = "134d8226-eb7c-5031-8a1c-a24d18923a11" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.splitloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.splitloader_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_61ea1a460bed6edfbafde374a204cb805d347ddcc6924015d5eb07560b9fca84" + logic_hash = "61ea1a460bed6edfbafde374a204cb805d347ddcc6924015d5eb07560b9fca84" score = 75 quality = 75 tags = "FILE" @@ -165774,13 +165774,13 @@ rule MALPEDIA_Win_Nefilim_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7bb9e139-d617-5431-8c93-bd7ba1e2f9cd" + id = "1a64ad05-cdf4-50b0-b5d5-12b823b566f1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nefilim_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_437ef32e0bcb845260c527798fe2225eeb3cd5a3921b5194205f4e5468ee3dde" + logic_hash = "437ef32e0bcb845260c527798fe2225eeb3cd5a3921b5194205f4e5468ee3dde" score = 75 quality = 75 tags = "FILE" 
@@ -165813,13 +165813,13 @@ rule MALPEDIA_Win_Mars_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4e7c9896-5277-59bc-923d-9c685d346945" + id = "89d493f9-e4b1-533f-82c2-eb346efb826d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mars_stealer_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_fa77ecd9a121fc69a9c627c8a10e5db8b46b11ecb902d48795d692c6a136b780" + logic_hash = "fa77ecd9a121fc69a9c627c8a10e5db8b46b11ecb902d48795d692c6a136b780" score = 75 quality = 75 tags = "FILE" @@ -165852,13 +165852,13 @@ rule MALPEDIA_Win_Keylogger_Apt3_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8a443fc6-c3e2-5364-980b-976382c128f8" + id = "871f2218-1f0d-5644-a123-b9ca7ac01c6c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.keylogger_apt3_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "v1_sha256_23fd7cba40859fc906b768d58d83d5a417832be7f192d8e12b9ebc03b321149b" + logic_hash = "23fd7cba40859fc906b768d58d83d5a417832be7f192d8e12b9ebc03b321149b" score = 75 quality = 75 tags = "FILE" 
@@ -165891,13 +165891,13 @@ rule MALPEDIA_Win_Whispergate_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9d960675-85a0-5e3a-a3c1-e0325f1729b2" + id = "268f4f00-7468-54d8-b348-346d201993cc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.whispergate_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_a494914334df13264ae7aa19a2f5e165c28339f35ad7afc6f2c9baf4d999ad12" + logic_hash = "a494914334df13264ae7aa19a2f5e165c28339f35ad7afc6f2c9baf4d999ad12" score = 75 quality = 75 tags = "FILE" @@ -165930,13 +165930,13 @@ rule MALPEDIA_Win_Anel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "69dac6e9-6dfb-5fc8-812f-53c6203b5c30" + id = "953c8e23-a017-5b2f-ada2-2a862edfbe44" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.anel_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_3d1ba89860b52bc0dc01f6c2b2044c292ec3a194dda9499e849b870d6aa20608" + logic_hash = "3d1ba89860b52bc0dc01f6c2b2044c292ec3a194dda9499e849b870d6aa20608" score = 75 quality = 75 tags = "FILE" 
@@ -165969,13 +165969,13 @@ rule MALPEDIA_Win_Coredn_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d19286a0-3699-5652-bb32-474ac3d71b00" + id = "56ae3d0f-275e-5068-a1a8-add140ea339b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.coredn_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "v1_sha256_3e99d32cb9f6585a539057b215782ae24308a0cdeed56e6718c13cdaa1226877" + logic_hash = "3e99d32cb9f6585a539057b215782ae24308a0cdeed56e6718c13cdaa1226877" score = 75 quality = 75 tags = "FILE" @@ -166013,13 +166013,13 @@ rule MALPEDIA_Win_Dnschanger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "96ae906b-38ff-57ff-b6eb-4042d6071644" + id = "375505d5-891d-554a-a42f-9e6f0fae0b87" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dnschanger_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_f68b87e486e08337bbca4e5fa0e18e836c7279b07c38cbb25db798c12b62c8c3" + logic_hash = "f68b87e486e08337bbca4e5fa0e18e836c7279b07c38cbb25db798c12b62c8c3" score = 75 quality = 75 tags = "FILE" 
@@ -166052,13 +166052,13 @@ rule MALPEDIA_Win_Stuxnet_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c77f2598-d33a-5146-bad4-31f7457b08d6" + id = "9c448caf-a5e3-53e6-be9a-4aa45334f7d3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stuxnet_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_2029a68bba02441740da4f3ef9a391375e59b29e674666cb41a7f24fda7b29c9" + logic_hash = "2029a68bba02441740da4f3ef9a391375e59b29e674666cb41a7f24fda7b29c9" score = 75 quality = 75 tags = "FILE" @@ -166091,13 +166091,13 @@ rule MALPEDIA_Win_Zloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3ac4b1a4-b79d-5f30-84ae-5b8375fd9744" + id = "178c70de-c326-5e7a-939c-09ed0c73d1dc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zloader_auto.yar#L1-L424" license_url = "N/A" - logic_hash = "v1_sha256_f3602cbba95531e02ba22e89ac5b5e6174a07dbda34c6d28cb18aded5d257e41" + logic_hash = "f3602cbba95531e02ba22e89ac5b5e6174a07dbda34c6d28cb18aded5d257e41" score = 75 quality = 50 tags = "FILE" 
@@ -166167,13 +166167,13 @@ rule MALPEDIA_Win_Kuluoz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d34a168e-393c-56fd-84a2-ef3057cdc843" + id = "23b3e89b-1b7f-51fe-9c49-dededa4af110" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kuluoz_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_e3270208208f4df1bb5bfe1d5ec8560fd50de417e7279c3823b68456c3f49c76" + logic_hash = "e3270208208f4df1bb5bfe1d5ec8560fd50de417e7279c3823b68456c3f49c76" score = 75 quality = 75 tags = "FILE" @@ -166206,13 +166206,13 @@ rule MALPEDIA_Win_Kikothac_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "db4d3550-06ce-576a-91d1-a750bbf20451" + id = "d385826e-58d3-5814-919d-ec257a5aa756" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kikothac_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_44c91c13eb1dd4a6656263ce0b69b86cf3ff2448fb7726df446bdef3b4382332" + logic_hash = "44c91c13eb1dd4a6656263ce0b69b86cf3ff2448fb7726df446bdef3b4382332" score = 75 quality = 75 tags = "FILE" 
@@ -166245,13 +166245,13 @@ rule MALPEDIA_Win_Zxxz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f4e9ec73-62e5-5488-a023-06f7da45b3d3" + id = "7dd263db-5dc9-5446-993f-e84614693a03" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxxz" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zxxz_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_7a7e7dba53ef8e0486a9f712bcc36135ae7e5d2a4697169aaecab71dcaa9f879" + logic_hash = "7a7e7dba53ef8e0486a9f712bcc36135ae7e5d2a4697169aaecab71dcaa9f879" score = 75 quality = 75 tags = "FILE" @@ -166284,13 +166284,13 @@ rule MALPEDIA_Win_Darkshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "03b2fd8b-4a54-5ca3-bb84-260f540e759b" + id = "d4fc21ee-58fa-538c-be7f-a8cab0c5cdbd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkshell_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_3ad6f3f944b2f63e5ca49ebc403baac1fe005ab1933d4836c8ac4d2304e8086f" + logic_hash = "3ad6f3f944b2f63e5ca49ebc403baac1fe005ab1933d4836c8ac4d2304e8086f" score = 75 quality = 75 tags = "FILE" 
@@ -166323,13 +166323,13 @@ rule MALPEDIA_Win_Unidentified_020_Cia_Vault7_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5ab86142-9c4f-5589-814f-4f3eba7216bc" + id = "29c37aae-f59e-5de0-b472-49827a85b93b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_020_cia_vault7_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_e7a70ab9b6a509f80d931123c1a82d7625f8b02d536427c2ae108e65b04e2ebe" + logic_hash = "e7a70ab9b6a509f80d931123c1a82d7625f8b02d536427c2ae108e65b04e2ebe" score = 75 quality = 75 tags = "FILE" @@ -166362,13 +166362,13 @@ rule MALPEDIA_Win_Ranbyus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a0266767-b59b-5850-8ae9-17719fc64eaf" + id = "4a2a0ab8-1d46-5117-bb36-6bc4aa1f9933" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ranbyus_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_330e6be70ed45bf6b2dbed5046fb65bb22576b8352f6395b54bf453a6f591094" + logic_hash = "330e6be70ed45bf6b2dbed5046fb65bb22576b8352f6395b54bf453a6f591094" score = 75 quality = 75 tags = "FILE" 
@@ -166401,13 +166401,13 @@ rule MALPEDIA_Win_Netrepser_Keylogger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "03fbf060-907b-57fd-ab7e-6af145b8ccd8" + id = "7f57cd5d-92d6-5b8d-9329-1faf79bf30fb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.netrepser_keylogger_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "v1_sha256_301814f110ed56d36474cf3f699ac02f8540c1721eebd9fd906c701050fc9a5d" + logic_hash = "301814f110ed56d36474cf3f699ac02f8540c1721eebd9fd906c701050fc9a5d" score = 75 quality = 75 tags = "FILE" @@ -166446,13 +166446,13 @@ rule MALPEDIA_Win_Yoddos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d945bd83-4bd0-53b8-add6-edb020bdfdc2" + id = "773dcd86-3687-5c26-8a61-390a3a45554b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yoddos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yoddos_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_8286010b7da9f1df882192411526cd0a211d255dea4daeff1ec9797cedceaf98" + logic_hash = "8286010b7da9f1df882192411526cd0a211d255dea4daeff1ec9797cedceaf98" score = 75 quality = 75 tags = "FILE" 
@@ -166485,13 +166485,13 @@ rule MALPEDIA_Win_Covid22_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fa24344f-ad0f-50dd-8844-1297e21e189a" + id = "99a02a74-d0a3-533c-b448-35480cff51fc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.covid22" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.covid22_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_968cf98e2e8c36cdb3ce45b1a5e5186c5425f3f25bc15cd333cdcc77eeba73ef" + logic_hash = "968cf98e2e8c36cdb3ce45b1a5e5186c5425f3f25bc15cd333cdcc77eeba73ef" score = 75 quality = 75 tags = "FILE" @@ -166524,13 +166524,13 @@ rule MALPEDIA_Win_Graphdrop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4b37d826-7c91-5953-b98a-aa4052a2b24c" + id = "24fb95a1-20eb-59d2-a21c-2ae5bcca80f7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.graphdrop_auto.yar#L1-L108" license_url = "N/A" - logic_hash = "v1_sha256_7950fd3d879183156c1cd9194f7d7f790283d1f02a5c57bd2f302dbba8044501" + logic_hash = "7950fd3d879183156c1cd9194f7d7f790283d1f02a5c57bd2f302dbba8044501" score = 75 quality = 73 tags = "FILE" 
@@ -166563,13 +166563,13 @@ rule MALPEDIA_Win_Taleret_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6fcad306-6257-554e-9055-0aa86ae2dc78" + id = "6be6a0df-09b4-53be-b501-12f03fd91cf1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.taleret_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_544f42faf26ff7a7e8e3048971242e57a62e785dd2bacb3cb794d982726af564" + logic_hash = "544f42faf26ff7a7e8e3048971242e57a62e785dd2bacb3cb794d982726af564" score = 75 quality = 75 tags = "FILE" @@ -166602,13 +166602,13 @@ rule MALPEDIA_Win_Newbounce_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25bfe856-3a37-5b30-a0ab-94b3cd2ec1f7" + id = "bdf56a77-5d9e-573d-af2b-c0319e364db4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newbounce" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.newbounce_auto.yar#L1-L145" license_url = "N/A" - logic_hash = "v1_sha256_1757d742189e1562595d26ebbaf5e74bc5236d74e3305389104993dc5b138ecf" + logic_hash = "1757d742189e1562595d26ebbaf5e74bc5236d74e3305389104993dc5b138ecf" score = 75 quality = 75 tags = "FILE" 
@@ -166646,13 +166646,13 @@ rule MALPEDIA_Win_Zenar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "39afc087-e827-5131-b85f-e2adabc83949" + id = "911998a5-168a-5bc2-9a82-e2c3fffdd44c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zenar" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zenar_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_e884fb88ff5222c3dce5f2029617037692e70cee36f52d500814f26a83ec50e0" + logic_hash = "e884fb88ff5222c3dce5f2029617037692e70cee36f52d500814f26a83ec50e0" score = 75 quality = 75 tags = "FILE" @@ -166685,13 +166685,13 @@ rule MALPEDIA_Win_Havex_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "47afbd1e-2781-5c3b-a5ac-2b04c322071b" + id = "62ba2091-3094-511c-928f-d8587303cab0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.havex_rat_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_051d7a160bda27ce92537b0acc638ab1e006b209a8b64890cf910d9cca719a54" + logic_hash = "051d7a160bda27ce92537b0acc638ab1e006b209a8b64890cf910d9cca719a54" score = 75 quality = 75 tags = "FILE" 
@@ -166724,13 +166724,13 @@ rule MALPEDIA_Win_Gearshift_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d97dde53-3a80-55ff-9b12-b67fd1dfc9aa" + id = "00cf566b-9374-5def-8d2f-a72e86672548" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gearshift_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_917aa162d8155114b467928aa78b546e741372aa2ec73d46169e5f3309d74a6b" + logic_hash = "917aa162d8155114b467928aa78b546e741372aa2ec73d46169e5f3309d74a6b" score = 75 quality = 75 tags = "FILE" @@ -166763,13 +166763,13 @@ rule MALPEDIA_Win_Acbackdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7e5b331c-0e65-52e3-b933-23da6d1defd0" + id = "4a823252-73f2-58f2-b3ba-b547632b74fc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.acbackdoor_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_0d2e2199924ba6f861c1f4e0ce544d152ae66498c3d6f8abd97960e9524ddf95" + logic_hash = "0d2e2199924ba6f861c1f4e0ce544d152ae66498c3d6f8abd97960e9524ddf95" score = 75 quality = 75 tags = "FILE" 
@@ -166802,13 +166802,13 @@ rule MALPEDIA_Win_Plurox_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e980593d-7264-5be3-8487-d96780f1a174" + id = "00819bcc-51e2-53a8-9308-9b7887ed6069" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.plurox_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "v1_sha256_fa579257df25509063a4df447932e0b25e6ea4c45a2af23b4dfc95998427a19a" + logic_hash = "fa579257df25509063a4df447932e0b25e6ea4c45a2af23b4dfc95998427a19a" score = 75 quality = 75 tags = "FILE" @@ -166841,13 +166841,13 @@ rule MALPEDIA_Win_Calmthorn_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "23968e26-c75a-5807-9471-7b8905d79be4" + id = "bcd75189-0c11-5940-85d3-d76aaafb784a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.calmthorn_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_b3539324ecfb8790060aa38a018df9861445823951558eb7601785d0fde93a58" + logic_hash = "b3539324ecfb8790060aa38a018df9861445823951558eb7601785d0fde93a58" score = 75 quality = 75 tags = "FILE" 
@@ -166880,13 +166880,13 @@ rule MALPEDIA_Win_Telb_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d37ca4c-05c9-5844-b244-99cbf47c3074" + id = "2c2db826-44da-51b3-a002-12e7b8aba209" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.telb" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.telb_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_0475afe77557694f44f95a279ca9003eacdaca59e84d15417e917ac04b83cab7" + logic_hash = "0475afe77557694f44f95a279ca9003eacdaca59e84d15417e917ac04b83cab7" score = 75 quality = 75 tags = "FILE" @@ -166919,13 +166919,13 @@ rule MALPEDIA_Win_Narilam_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e43cd3da-a59a-58d8-bdf9-ee8c9804449e" + id = "da9d4048-8edf-5bad-820f-4e60bf8a1167" date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.narilam_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_9c97c97f1983ca4888bd0ceffb3db6cc9301c52fb6e7adafbcc7af03cf7073fe" + logic_hash = "9c97c97f1983ca4888bd0ceffb3db6cc9301c52fb6e7adafbcc7af03cf7073fe" score = 75 quality = 75 tags = "FILE" 
@@ -166958,13 +166958,13 @@ rule MALPEDIA_Win_Windealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "83dbfd34-eb5f-53b6-bc2c-5f42da41166f" + id = "87b31818-e67b-5c82-9927-08d581ce1fca" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.windealer_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "v1_sha256_cda4114916f5f955b9ea27c4701626023386bb93ae37a566cf799b5d0e98aca8" + logic_hash = "cda4114916f5f955b9ea27c4701626023386bb93ae37a566cf799b5d0e98aca8" score = 75 quality = 75 tags = "FILE" @@ -166997,13 +166997,13 @@ rule MALPEDIA_Win_Qakbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d10ce517-1bd3-59a0-9ea9-555d4f127332" + id = "420c4e6b-5192-5ecb-8603-21219ca27f7b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.qakbot_auto.yar#L1-L545" license_url = "N/A" - logic_hash = "v1_sha256_3dc61bc81008dc8bd15332e5573d386c22408e9f81e4f285b87a6fbf5a5bafcc" + logic_hash = "3dc61bc81008dc8bd15332e5573d386c22408e9f81e4f285b87a6fbf5a5bafcc" score = 75 quality = 50 tags = "FILE" 
@@ -167090,13 +167090,13 @@ rule MALPEDIA_Win_Hopscotch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9bd1188e-49ea-507b-972a-17ec5591bae7" + id = "4ccf5f3f-fc4d-50c4-9d15-78cb98c3a462" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hopscotch_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_87c8060052c7a27df707d3c608dced07179361cdfbcc1ac24fe99b2c3ce14a55" + logic_hash = "87c8060052c7a27df707d3c608dced07179361cdfbcc1ac24fe99b2c3ce14a55" score = 75 quality = 75 tags = "FILE" @@ -167129,13 +167129,13 @@ rule MALPEDIA_Win_Devopt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "072691b1-8a25-5650-8fcc-ce76eb881e94" + id = "bb55bee8-7a67-5968-98f9-09a9025ff6ad" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.devopt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.devopt_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_9b91ff04212580b4783bd5bcbd1899160fd4dd5cabce6d4170850a448d54a587" + logic_hash = "9b91ff04212580b4783bd5bcbd1899160fd4dd5cabce6d4170850a448d54a587" score = 75 quality = 75 tags = "FILE" 
@@ -167168,13 +167168,13 @@ rule MALPEDIA_Win_Boxcaon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cd3879a3-9a1d-53a1-a7ca-45d56b0aa555"
+ id = "a730ae2b-b623-5088-86a7-4d1a4eb89ea5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boxcaon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.boxcaon_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_5b71da83cc61472fd3b6239fea0178674ab4b3cf9a9678dbeeda07cdd88e683a"
+ logic_hash = "5b71da83cc61472fd3b6239fea0178674ab4b3cf9a9678dbeeda07cdd88e683a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167207,13 +167207,13 @@ rule MALPEDIA_Win_Komprogo_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "722a3bdf-492a-5721-a315-665d0c6a35be"
+ id = "c9a48c86-1d10-5914-97e5-45787475f04f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.komprogo_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_a0932a9f38d23a8c7cc40d2bb7fb17066e556ed1703c6642f0b68427cdf44c0d"
+ logic_hash = "a0932a9f38d23a8c7cc40d2bb7fb17066e556ed1703c6642f0b68427cdf44c0d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167246,13 +167246,13 @@ rule MALPEDIA_Win_Himera_Loader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "acfa54b6-1df8-523b-92c1-e0f7e9b24939"
+ id = "115dcecd-6236-578c-9832-50f71f100115"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.himera_loader_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_4b810ce6519155c850bedb77ed28ec3affe4b473b14342db1fd6830f8663ee07"
+ logic_hash = "4b810ce6519155c850bedb77ed28ec3affe4b473b14342db1fd6830f8663ee07"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167285,13 +167285,13 @@ rule MALPEDIA_Win_Bandit_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "df99e6f5-725b-5334-9522-eee8dd37f5a8"
+ id = "381568fe-b706-59c8-a395-3dcbe088e7b0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandit"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bandit_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_d56d1fb9d0bb1a835a79b856616244ad303b75dee12b9e7ce8956718588a906b"
+ logic_hash = "d56d1fb9d0bb1a835a79b856616244ad303b75dee12b9e7ce8956718588a906b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167324,13 +167324,13 @@ rule MALPEDIA_Win_Pcshare_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ca682f75-ad60-5305-a8f5-7f7bbeb6c3da"
+ id = "41819f37-8279-594b-8188-e1afa20f2f95"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pcshare_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_b635afb96c2581863fb56aba8aaab8da9fbce00f8a052e881f8a8f014820c9d4"
+ logic_hash = "b635afb96c2581863fb56aba8aaab8da9fbce00f8a052e881f8a8f014820c9d4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167363,13 +167363,13 @@ rule MALPEDIA_Win_Fancyfilter_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2a1c0ccd-c549-5273-8978-c0a04c1764ee"
+ id = "0361fd07-d305-5b73-bb16-8f25d1edd877"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fancyfilter_auto.yar#L1-L112"
 license_url = "N/A"
- logic_hash = "v1_sha256_476e24d851dbd343335f49ac83fe24b993db2eb5e282eab0e77caa734f27e50a"
+ logic_hash = "476e24d851dbd343335f49ac83fe24b993db2eb5e282eab0e77caa734f27e50a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167402,13 +167402,13 @@ rule MALPEDIA_Win_Chinoxy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "09706ebd-a2df-5630-b2ca-b10996ce989d"
+ id = "42e4e8ac-898e-5ba1-b0d0-68925d7ec424"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chinoxy_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_1545d921096fb73521705c66429b51a5fc0ae5b2cfe48972524e78dbe1d3ae8e"
+ logic_hash = "1545d921096fb73521705c66429b51a5fc0ae5b2cfe48972524e78dbe1d3ae8e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167441,13 +167441,13 @@ rule MALPEDIA_Win_Rover_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a12371ff-d6c0-5fa3-afaa-bbd7cf17f6f9"
+ id = "eae2ea54-1e52-5b6a-97b9-e0561a756b46"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rover_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_57f684b21a109064243739f52fd53044ef32fd5681c182556fe356fe4b7b3140"
+ logic_hash = "57f684b21a109064243739f52fd53044ef32fd5681c182556fe356fe4b7b3140"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167480,13 +167480,13 @@ rule MALPEDIA_Win_Jolob_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "52e33119-b581-5265-b353-b4ce13f3d1d9"
+ id = "ef72678c-e4af-5ecd-a17f-38938f34b802"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jolob_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_6d14d1852edd7575113d6514e73e7231e52f26da3a40217ee521425b76e2e32f"
+ logic_hash = "6d14d1852edd7575113d6514e73e7231e52f26da3a40217ee521425b76e2e32f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167519,13 +167519,13 @@ rule MALPEDIA_Win_Winnti_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "46f964f4-8d6d-5b66-bc45-ce61b9ac12bc"
+ id = "8877d2db-c061-5f0c-9030-9148176d6e19"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.winnti_auto.yar#L1-L239"
 license_url = "N/A"
- logic_hash = "v1_sha256_17da510395f95f1363bc518ade4bb0caf94e359f90bb002c059a140da569d4ec"
+ logic_hash = "17da510395f95f1363bc518ade4bb0caf94e359f90bb002c059a140da569d4ec"
 score = 75
 quality = 73
 tags = "FILE"
@@ -167572,13 +167572,13 @@ rule MALPEDIA_Win_Isfb_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0eb9d329-d93e-5e5a-8803-881827f2e40c"
+ id = "ad10a285-c85e-5394-87a5-a8221885f0c5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.isfb_auto.yar#L1-L1627"
 license_url = "N/A"
- logic_hash = "v1_sha256_98d556ee27067e40eff884830538b87541d671166c2ebdd8799d4e04e5a64591"
+ logic_hash = "98d556ee27067e40eff884830538b87541d671166c2ebdd8799d4e04e5a64591"
 score = 75
 quality = 50
 tags = "FILE"
@@ -167792,13 +167792,13 @@ rule MALPEDIA_Win_Blackbasta_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "61e5703f-793d-5ce1-8be1-58f35beb83a6"
+ id = "056c2725-7fc6-5492-9e95-8858f5743ba4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackbasta_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_5917351a58e2c45d71cb940556c45aaf794c00ea6a4cfbb1a7458b7fa470cb76"
+ logic_hash = "5917351a58e2c45d71cb940556c45aaf794c00ea6a4cfbb1a7458b7fa470cb76"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167831,13 +167831,13 @@ rule MALPEDIA_Win_Newposthings_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "10e3aec2-e9f1-5710-a67c-82b6d6361ae2"
+ id = "38b154f6-846a-5678-b350-8d87b17b6222"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.newposthings_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_fee15bf490538f6a36053584f37721547efa8e7cc1e683e754b3484ec8de6c80"
+ logic_hash = "fee15bf490538f6a36053584f37721547efa8e7cc1e683e754b3484ec8de6c80"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167870,13 +167870,13 @@ rule MALPEDIA_Win_Doubleback_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e311fbbf-4341-5d1e-b691-70568a06c372"
+ id = "c1c6eec3-17ca-5077-8f4d-8926ef885c3f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doubleback_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_a12a729d1e3eac6cc5269daa7ad2d63c829a0d3d51d586ba012dff78e07be60d"
+ logic_hash = "a12a729d1e3eac6cc5269daa7ad2d63c829a0d3d51d586ba012dff78e07be60d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -167909,13 +167909,13 @@ rule MALPEDIA_Win_Xagent_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cb2434b7-aa0d-56ce-a0d0-6ffb8894def9"
+ id = "3dbdacb7-861e-58ce-911f-f56ad1729d00"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xagent_auto.yar#L1-L239"
 license_url = "N/A"
- logic_hash = "v1_sha256_9db965af9a413dbcee60d3c1d7c4b3b1216a3333272ef760fe1fa17d4a9ca01b"
+ logic_hash = "9db965af9a413dbcee60d3c1d7c4b3b1216a3333272ef760fe1fa17d4a9ca01b"
 score = 75
 quality = 73
 tags = "FILE"
@@ -167964,13 +167964,13 @@ rule MALPEDIA_Win_Scarabey_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "23662b08-f642-5ed0-b2d7-35f04fc2f943"
+ id = "6e60c4db-c5cb-54f4-b442-438a01df9af6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.scarabey_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_5ddb90a30fda6ca95ac7c6c807a159ecb2fde4cde650e7522ca27b96c3f88797"
+ logic_hash = "5ddb90a30fda6ca95ac7c6c807a159ecb2fde4cde650e7522ca27b96c3f88797"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168003,13 +168003,13 @@ rule MALPEDIA_Win_Webc2_Qbp_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5ae0a964-e21f-5192-82b3-67e7f32bfff3"
+ id = "fee8b4c8-beb4-5f15-8081-5f10952e51d6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_qbp_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_257413d68538251f3adda377abdcb2ea5b8000f62907fcc22ea1c060ea83ae47"
+ logic_hash = "257413d68538251f3adda377abdcb2ea5b8000f62907fcc22ea1c060ea83ae47"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168042,13 +168042,13 @@ rule MALPEDIA_Win_Open_Carrot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9c45c20d-1b18-5ef9-b8aa-c998629b2460"
+ id = "f072a642-4447-5973-9ead-dc9232cd5b85"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.open_carrot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.open_carrot_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_28ad822413b17834bf69734ab09ffa4d02ddba5c7af7590650f7bb3e1133ed6c"
+ logic_hash = "28ad822413b17834bf69734ab09ffa4d02ddba5c7af7590650f7bb3e1133ed6c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168081,13 +168081,13 @@ rule MALPEDIA_Win_Skyplex_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ded9cfb6-bbdf-5451-88eb-77a737c4d58e"
+ id = "7314bd82-1aa5-5733-8a6b-d66b1f4ce931"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.skyplex_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_192b51867743844243ec787078ffba7934aed43d773432d484ad42af9f8ba5ed"
+ logic_hash = "192b51867743844243ec787078ffba7934aed43d773432d484ad42af9f8ba5ed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168120,13 +168120,13 @@ rule MALPEDIA_Win_Flusihoc_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dd366d70-baad-5b2e-bbd4-d782fa0b2950"
+ id = "8d409317-c933-58d0-aa63-14cb54e47b7c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flusihoc_auto.yar#L1-L168"
 license_url = "N/A"
- logic_hash = "v1_sha256_410a07cce1b358109f5858d6a241fb0d56be6d17f2ab80d7283dacba4edb86ad"
+ logic_hash = "410a07cce1b358109f5858d6a241fb0d56be6d17f2ab80d7283dacba4edb86ad"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168165,13 +168165,13 @@ rule MALPEDIA_Win_Alice_Atm_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "467c1160-3a44-5ad5-9362-638646b0dbe3"
+ id = "501a026b-dba7-501a-810b-0b737ec59325"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.alice_atm_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_d552c74f415e09d46d22c314024829e6b9aa2356b6f2a8ec27602ddc27a1083f"
+ logic_hash = "d552c74f415e09d46d22c314024829e6b9aa2356b6f2a8ec27602ddc27a1083f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168204,13 +168204,13 @@ rule MALPEDIA_Win_Infy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "50b05a22-9b35-53df-840d-824719b55bdf"
+ id = "1542bed5-33fb-5d90-921f-7b98aeb36304"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.infy_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_351bd4b7525a7ff94f0f3657e8ee347d6c2c31664e11c42093ff09157f2eb43d"
+ logic_hash = "351bd4b7525a7ff94f0f3657e8ee347d6c2c31664e11c42093ff09157f2eb43d"
 score = 60
 quality = 45
 tags = "FILE"
@@ -168243,13 +168243,13 @@ rule MALPEDIA_Win_Buer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d613d705-640e-522d-9e3a-d9bc4946a6ef"
+ id = "5a04d6e0-cd7f-5093-9f8c-3d9d8b9d18a4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.buer_auto.yar#L1-L166"
 license_url = "N/A"
- logic_hash = "v1_sha256_deb76d78e5600ee9ef4e7b63e09f28c10c8fc78def9e4354c583490d6447dafb"
+ logic_hash = "deb76d78e5600ee9ef4e7b63e09f28c10c8fc78def9e4354c583490d6447dafb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168288,13 +168288,13 @@ rule MALPEDIA_Win_Mespinoza_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "34041723-3274-5c60-8034-266c2a0e8abb"
+ id = "33c5af28-80c3-5a94-a560-73cae0098842"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mespinoza_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_f5999e99c1ade61277d31280c07cf2a046437f8e201d1bf42efd1294376814d0"
+ logic_hash = "f5999e99c1ade61277d31280c07cf2a046437f8e201d1bf42efd1294376814d0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168327,13 +168327,13 @@ rule MALPEDIA_Win_Pickpocket_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "22c29901-2649-556d-816c-0aa496bce93f"
+ id = "7a83df77-97f7-5782-8335-b4e0f4f4d0cb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pickpocket_auto.yar#L1-L110"
 license_url = "N/A"
- logic_hash = "v1_sha256_b44df7bc5acbc6d7badbaaac3695700d24536089857d9464cd11f3048d47faf5"
+ logic_hash = "b44df7bc5acbc6d7badbaaac3695700d24536089857d9464cd11f3048d47faf5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168366,13 +168366,13 @@ rule MALPEDIA_Win_Troldesh_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "428ff88e-7696-5f5b-b7fd-eb3da31b1807"
+ id = "dfc58f44-005d-550d-86a0-6e27d1dbdd91"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.troldesh_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_6931e846879cddb9876cefe6a37d24256d508a47e814ed459478812a95ed70dc"
+ logic_hash = "6931e846879cddb9876cefe6a37d24256d508a47e814ed459478812a95ed70dc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168405,13 +168405,13 @@ rule MALPEDIA_Win_Funny_Dream_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d9cd674b-0c35-5437-aa4e-0f64a963aabd"
+ id = "5f51b37f-d046-5620-bc19-e2253f913b87"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.funny_dream_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_cb215be87db33b154ffd783569bce8db609ba8b5cdc9d518db32c5fd6b7cb19c"
+ logic_hash = "cb215be87db33b154ffd783569bce8db609ba8b5cdc9d518db32c5fd6b7cb19c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168444,13 +168444,13 @@ rule MALPEDIA_Win_Sality_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bf6dfbe9-7780-51e7-857e-ddaf15f78ea3"
+ id = "3651e4ed-4a90-502c-84b3-3270a294a585"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sality_auto.yar#L1-L222"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a7f5bbeaaf4328c45f3811719f9d62671822ec18ed1403a4d8c0d44848d8fbb"
+ logic_hash = "9a7f5bbeaaf4328c45f3811719f9d62671822ec18ed1403a4d8c0d44848d8fbb"
 score = 75
 quality = 73
 tags = "FILE"
@@ -168497,13 +168497,13 @@ rule MALPEDIA_Win_Cactus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7a2a740a-ebc7-57cc-90b5-e2901ff4ea76"
+ id = "7aadb4fa-1562-5d38-a064-9b891a040980"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cactus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cactus_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_4cf0fe68934e99fc9c68b61a4ebb1a3c34839913d17fce2a657defa1e18dd776"
+ logic_hash = "4cf0fe68934e99fc9c68b61a4ebb1a3c34839913d17fce2a657defa1e18dd776"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168536,13 +168536,13 @@ rule MALPEDIA_Win_Colibri_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f9905635-8b8a-5518-93a7-cbb2c850de60"
+ id = "8da162c4-201b-5524-b753-fac10e260355"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.colibri_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_4b78974320f8236aa3537bed6c446de746d50c1762246c89daad71b2e8c53347"
+ logic_hash = "4b78974320f8236aa3537bed6c446de746d50c1762246c89daad71b2e8c53347"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168575,13 +168575,13 @@ rule MALPEDIA_Win_Cabart_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5c827306-1c7b-5b2e-9cc4-98820e0598a7"
+ id = "18a4d4f1-27f1-5b62-ac02-f2e216d2cf4e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cabart_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_4c41cdb81a5db228073171586c9e5e6d6ecfd715a748c36291a1859ea7ac8fe5"
+ logic_hash = "4c41cdb81a5db228073171586c9e5e6d6ecfd715a748c36291a1859ea7ac8fe5"
 score = 75
 quality = 73
 tags = "FILE"
@@ -168614,13 +168614,13 @@ rule MALPEDIA_Win_Whitebird_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f192ecdb-ee59-5abe-be0c-4673d85ca279"
+ id = "e4f95047-ddcd-5a63-a3ce-8b63fa9928fc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.whitebird_auto.yar#L1-L162"
 license_url = "N/A"
- logic_hash = "v1_sha256_f6f1864635810fc12da43aba0178bc81fe845d55a2fe60f4512e4d032da48db4"
+ logic_hash = "f6f1864635810fc12da43aba0178bc81fe845d55a2fe60f4512e4d032da48db4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168658,13 +168658,13 @@ rule MALPEDIA_Win_Tigerlite_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b1ba0bda-812e-56bf-8a09-8ac5f9e4b00c"
+ id = "2f8f693e-a8e1-5528-af21-1e49257d2d13"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tigerlite"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tigerlite_auto.yar#L1-L174"
 license_url = "N/A"
- logic_hash = "v1_sha256_97a4326cdfea07521b42c0aaec8304cc4bf3187afbba14d3d8ecb63bd75d0ec6"
+ logic_hash = "97a4326cdfea07521b42c0aaec8304cc4bf3187afbba14d3d8ecb63bd75d0ec6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168703,13 +168703,13 @@ rule MALPEDIA_Win_Icefog_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c1b339c2-f2f9-57f8-9079-1593d5aaf54c"
+ id = "0a48d625-5699-565a-9775-5f80c9e1ec87"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.icefog_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_487424ea94183e95a7a3963011eba4b3e92a928a4a25ab7f953a01dda9030416"
+ logic_hash = "487424ea94183e95a7a3963011eba4b3e92a928a4a25ab7f953a01dda9030416"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168742,13 +168742,13 @@ rule MALPEDIA_Win_Puzzlemaker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "148b12d9-dc6e-5a79-a0cf-c1ece67f5aee"
+ id = "cb0c66df-41c4-52ac-ac22-d6d2f5a2308d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.puzzlemaker_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_59c32899b883bfb9bd7e74e09947139de6a13e19aa30e115675dc0025c3e011c"
+ logic_hash = "59c32899b883bfb9bd7e74e09947139de6a13e19aa30e115675dc0025c3e011c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168781,13 +168781,13 @@ rule MALPEDIA_Win_Sysraw_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "876e800d-3ecb-5699-8850-d3902af22ac4"
+ id = "a136ac6f-472d-54c5-b881-5ee87f9b3845"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sysraw_stealer_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_a39e6a22fe8b2e74d45c7a3cdbaed2c5766660fde9e3c6d0bcfa65b1acb00f24"
+ logic_hash = "a39e6a22fe8b2e74d45c7a3cdbaed2c5766660fde9e3c6d0bcfa65b1acb00f24"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168820,13 +168820,13 @@ rule MALPEDIA_Win_Pteranodon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a11e776c-fe1b-57bd-a6c1-7e14dc220850"
+ id = "80ff2986-5474-5ad7-b810-831fbf1d4342"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pteranodon_auto.yar#L1-L174"
 license_url = "N/A"
- logic_hash = "v1_sha256_cb9eee2c2b40d73ca9d2882bf4c44ed595c9eb29005a317bb6423459f15ea4d1"
+ logic_hash = "cb9eee2c2b40d73ca9d2882bf4c44ed595c9eb29005a317bb6423459f15ea4d1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168865,13 +168865,13 @@ rule MALPEDIA_Win_Grease_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "237135a9-feaa-5cdb-99c9-f66939d4ae1b"
+ id = "afd291db-bac5-5fe7-9f54-1a39c18ec08a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grease_auto.yar#L1-L226"
 license_url = "N/A"
- logic_hash = "v1_sha256_a7bbee8fe2b545d42dcf93b28bc05e2b116dcf88de40c793a23d0b5cc4cea918"
+ logic_hash = "a7bbee8fe2b545d42dcf93b28bc05e2b116dcf88de40c793a23d0b5cc4cea918"
 score = 75
 quality = 73
 tags = "FILE"
@@ -168917,13 +168917,13 @@ rule MALPEDIA_Win_Synflooder_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8b982366-cc99-5f3e-8483-164ac0693789"
+ id = "a5f633b9-dcb2-5076-bf0d-bd81d1f23849"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.synflooder_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_f7c8ec3c0f9f10642bd0b77ad1f3921e90b05a4859f114057bd9d1a11d0bddfc"
+ logic_hash = "f7c8ec3c0f9f10642bd0b77ad1f3921e90b05a4859f114057bd9d1a11d0bddfc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168956,13 +168956,13 @@ rule MALPEDIA_Win_Goopic_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "70cb8392-0246-5ec2-9e6a-013a0fa0816c"
+ id = "46e7b93a-a824-528f-bd94-0b2f369fa2ff"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.goopic_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_84ac631e9a300a568150cf088c579ef5611f1aa361740898f3a2d1d9e24582a8"
+ logic_hash = "84ac631e9a300a568150cf088c579ef5611f1aa361740898f3a2d1d9e24582a8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -168995,13 +168995,13 @@ rule MALPEDIA_Win_Derusbi_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9f1e81f1-6ba7-521f-ac51-2a88c1d69960"
+ id = "c096fedf-ff02-5515-aa84-dda61fd1b242"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.derusbi_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_caf9d1cd989612f714b35d25a26a8b4ab8e67beec50b5a767b0d4e5f975c75e0"
+ logic_hash = "caf9d1cd989612f714b35d25a26a8b4ab8e67beec50b5a767b0d4e5f975c75e0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169034,13 +169034,13 @@ rule MALPEDIA_Win_Dma_Locker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "41b6b4c7-3a86-5d20-9df0-b1a9f226f254"
+ id = "5e2af925-42e5-5846-8ffd-3d54f6df360b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dma_locker_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_3ae5bccd6371af15118f93027d88904afa2d354f640add9013354700a19edfc8"
+ logic_hash = "3ae5bccd6371af15118f93027d88904afa2d354f640add9013354700a19edfc8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169073,13 +169073,13 @@ rule MALPEDIA_Win_Dmsniff_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "94e0b16c-e7fb-5f5c-ac58-11ab008439ce"
+ id = "3835a0ad-5401-5196-a04a-4e4d20ae32c6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dmsniff_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_9e4ba2c64d589b228eae63b3a713959af97846eab54c3823ca80a7bfedbc8089"
+ logic_hash = "9e4ba2c64d589b228eae63b3a713959af97846eab54c3823ca80a7bfedbc8089"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169112,13 +169112,13 @@ rule MALPEDIA_Win_Lethic_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6363ec33-1771-5e5f-a4f8-4749c7e0e6ad"
+ id = "ecf699d4-037c-58b3-a572-a126b8291661"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lethic_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_0a37e4703a880069257b89a7948a47634d1bc51105338bac97b952539891efa4"
+ logic_hash = "0a37e4703a880069257b89a7948a47634d1bc51105338bac97b952539891efa4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169151,13 +169151,13 @@ rule MALPEDIA_Win_Moker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8ea30900-fc4e-5340-a7a6-4ca2deb71250"
+ id = "ec63b288-3da6-5af3-8f29-c765a5000a5d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moker_auto.yar#L1-L161"
 license_url = "N/A"
- logic_hash = "v1_sha256_556dd24334d18ecb022efe59f4ae9c093932948c0fb590b7b2557d6f9fb4e7d8"
+ logic_hash = "556dd24334d18ecb022efe59f4ae9c093932948c0fb590b7b2557d6f9fb4e7d8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169196,13 +169196,13 @@ rule MALPEDIA_Win_Dustman_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f0e024d3-027b-5cf6-b7c0-c39fe79b7bbc"
+ id = "f9958a70-82e7-51bb-b66a-8dad70813bed"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dustman_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_56d31c5fdf78a9c7870d8fbabe0b3ca7863397ea82e2f5ab171dff121b78c1f1"
+ logic_hash = "56d31c5fdf78a9c7870d8fbabe0b3ca7863397ea82e2f5ab171dff121b78c1f1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169235,13 +169235,13 @@ rule MALPEDIA_Win_Royal_Dns_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8dcbd982-3f6d-5a65-a215-285637d0462f"
+ id = "5169d1d0-659d-5d51-8aba-541d3872a32b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.royal_dns_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_4810e30179da8cf300ac6b9d2a5829b8b65ed7f8312156b3af4aea162299d11c"
+ logic_hash = "4810e30179da8cf300ac6b9d2a5829b8b65ed7f8312156b3af4aea162299d11c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169274,13 +169274,13 @@ rule MALPEDIA_Win_Ransomexx_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "61c48670-9d35-5b2f-ae81-c025aee5494d"
+ id = "2fe059c2-8452-5b3e-8480-0e870f1f94ef"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ransomexx_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_f81d34b7c74a7d97ad1f03442803ea61bc2884bb95c0d382a5757d938c26aeda"
+ logic_hash = "f81d34b7c74a7d97ad1f03442803ea61bc2884bb95c0d382a5757d938c26aeda"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169313,13 +169313,13 @@ rule MALPEDIA_Win_Lambert_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "88805d3b-6ee9-5159-b38d-10d9935a2180"
+ id = "810c5e09-e6d0-5a3a-ba2c-2c930c946f07"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lambert_auto.yar#L1-L164"
 license_url = "N/A"
- logic_hash = "v1_sha256_a8d478aa8e5424a909999540bcd026478246ccf020747d754ccdbccaf24eff93"
+ logic_hash = "a8d478aa8e5424a909999540bcd026478246ccf020747d754ccdbccaf24eff93"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169358,13 +169358,13 @@ rule MALPEDIA_Win_Turian_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "660c300e-8624-5c6a-b08b-79682e96d701"
+ id = "762c542d-5fa6-5b48-a3af-f444b4ed2d2f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turian"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.turian_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_64a5758bdf29fcbe94dd0cd69166b022a26376fc8e3a37014e6d93a76d08b3ce"
+ logic_hash = "64a5758bdf29fcbe94dd0cd69166b022a26376fc8e3a37014e6d93a76d08b3ce"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169397,13 +169397,13 @@ rule MALPEDIA_Win_Kagent_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3e402ead-f0d3-54f4-bc68-12a69944ee28"
+ id = "5f4150a2-2cfd-5b67-9d04-7b313480e620"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kagent_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_c73f32fc029a7be975356173769505731b12b0db3312b7f6e0626dcf79b9cedc"
+ logic_hash = "c73f32fc029a7be975356173769505731b12b0db3312b7f6e0626dcf79b9cedc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169436,13 +169436,13 @@ rule MALPEDIA_Win_Isr_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8162f485-5b1f-5e6b-a399-669e96316c6f"
+ id = "f92134ff-d8ee-58cb-8cb8-468d7205306f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.isr_stealer_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_75691989209029cb7a637cf5df87a857ef3ef18b6fe3194f56cba1ecab86658c"
+ logic_hash = "75691989209029cb7a637cf5df87a857ef3ef18b6fe3194f56cba1ecab86658c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169475,13 +169475,13 @@ rule MALPEDIA_Win_Rokrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "26e3c155-b4f0-5d58-9a26-bb1725790827"
+ id = "a9d530d2-3818-5ce9-961b-9b84701cc153"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rokrat_auto.yar#L1-L156"
 license_url = "N/A"
- logic_hash = "v1_sha256_34b666dd9c341c0b6a658755dae5641a6ccdd1f0414b3f92f59cfa0e0e0a459a"
+ logic_hash = "34b666dd9c341c0b6a658755dae5641a6ccdd1f0414b3f92f59cfa0e0e0a459a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169520,13 +169520,13 @@ rule MALPEDIA_Win_Huskloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2eee9dbf-867d-5c1d-8f0f-bfbdaefdb107"
+ id = "2b71c66f-6603-595c-99bb-89c942583260"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.huskloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.huskloader_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_0b5c5ed5027920c73090f364afb1f0be41c97145cf9de72e357bac2712d50fca"
+ logic_hash = "0b5c5ed5027920c73090f364afb1f0be41c97145cf9de72e357bac2712d50fca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169559,13 +169559,13 @@ rule MALPEDIA_Win_Pubload_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c1905681-a35e-50ac-8b73-88bda980c49f"
+ id = "741d7af0-0900-5fc5-83bc-80e761b9b4ce"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubload"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pubload_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_5f25f978a9edba85952ac66b5108bbd65875055e22860f7df1e90762255be210"
+ logic_hash = "5f25f978a9edba85952ac66b5108bbd65875055e22860f7df1e90762255be210"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169598,13 +169598,13 @@ rule MALPEDIA_Win_Poldat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "68452a99-5d3c-57c4-a43c-e57a6d4a43fe"
+ id = "a4b71e9b-caa3-5e09-abcb-8fc111c1e88a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poldat_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_eec21397be824c40480269ad179cee66cff4f29ddc631fb679aa6de7be434481"
+ logic_hash = "eec21397be824c40480269ad179cee66cff4f29ddc631fb679aa6de7be434481"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169637,13 +169637,13 @@ rule MALPEDIA_Win_Sedreco_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ac073064-0253-5023-b2a2-3b9ebfc42266"
+ id = "79578107-84f9-5f01-8bf1-070f071e75ff"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sedreco_auto.yar#L1-L450"
 license_url = "N/A"
- logic_hash = "v1_sha256_79e378080daf9957ad7b702ae6910bfba39dd77a995aedb850c5514668bb56cb"
+ logic_hash = "79e378080daf9957ad7b702ae6910bfba39dd77a995aedb850c5514668bb56cb"
 score = 75
 quality = 50
 tags = "FILE"
@@ -169717,13 +169717,13 @@ rule MALPEDIA_Win_Virut_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b59ddaba-446a-55ac-92fd-2b9d358fb8e3"
+ id = "c8349287-bd2e-52b4-9752-e7bc4edd95a7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.virut_auto.yar#L1-L172"
 license_url = "N/A"
- logic_hash = "v1_sha256_a48ac1b971086542095b7fb3caa9f795a6530b3c7c59d9de9bb3d487eade9d56"
+ logic_hash = "a48ac1b971086542095b7fb3caa9f795a6530b3c7c59d9de9bb3d487eade9d56"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169762,13 +169762,13 @@ rule MALPEDIA_Win_Udpos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e9fda8da-8915-5144-aabf-c2886fa6263f"
+ id = "98223189-2bfc-52a6-a611-fcd1eca88452"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.udpos_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_7c58f61902609cad456fdc9a279fa1453c4c938ca02ac1221afcfb1b15fb3e59"
+ logic_hash = "7c58f61902609cad456fdc9a279fa1453c4c938ca02ac1221afcfb1b15fb3e59"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169801,13 +169801,13 @@ rule MALPEDIA_Win_Greenshaitan_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "930d2c8a-21bb-54cb-9086-895423af80cf"
+ id = "8f14a34e-de7f-5ea7-9fdc-322bcde7a341"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.greenshaitan_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_3cbeaa8f8745b6f3b0557ef1727b77581513ec936eac8ffdebb5493281224370"
+ logic_hash = "3cbeaa8f8745b6f3b0557ef1727b77581513ec936eac8ffdebb5493281224370"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169840,13 +169840,13 @@ rule MALPEDIA_Win_Chaperone_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "371e6d0d-9d12-5ae6-8ead-7f9b9ce66cfe"
+ id = "5a1a2e24-f819-52e0-8b1d-cbec80d9780c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chaperone_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_fb6f1141a2ad1ef091e8554a5e8c7b2e545fcb51cdc5087174343f9767f17bba"
+ logic_hash = "fb6f1141a2ad1ef091e8554a5e8c7b2e545fcb51cdc5087174343f9767f17bba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169879,13 +169879,13 @@ rule MALPEDIA_Win_Shylock_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "068ffbb4-037b-5d93-a53d-1212f5c8042e"
+ id = "357a8098-efc5-5a49-a18b-d4d668276421"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shylock_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_34460d345c77d949d300b4c007098ec528b095570601731f99128cb864a10989"
+ logic_hash = "34460d345c77d949d300b4c007098ec528b095570601731f99128cb864a10989"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169918,13 +169918,13 @@ rule MALPEDIA_Win_Petrwrap_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dd67243f-6a90-5ec4-af86-4b4d3298732f"
+ id = "5211c1ab-7958-5b82-8edd-8be8e9b0a5eb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.petrwrap_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_e84b96f3a3ec1cc8c24cef6cd623aa7e9ff5aec503f26b4080d6b5046ccfe346"
+ logic_hash = "e84b96f3a3ec1cc8c24cef6cd623aa7e9ff5aec503f26b4080d6b5046ccfe346"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169957,13 +169957,13 @@ rule MALPEDIA_Win_Comlook_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bed4a800-0e11-5400-9009-7f1e21c533e1"
+ id = "2593fda3-f25f-5e4e-aea3-f7267ae6a193"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.comlook"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.comlook_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_f2d9544219cd4dfd907ec20f4f40e3ff7dc0abab6b393777aed6489d1acbc463"
+ logic_hash = "f2d9544219cd4dfd907ec20f4f40e3ff7dc0abab6b393777aed6489d1acbc463"
 score = 75
 quality = 75
 tags = "FILE"
@@ -169996,13 +169996,13 @@ rule MALPEDIA_Win_Dramnudge_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7e3b4375-35ad-5da9-bc82-16632bfb2451"
+ id = "16a885b0-9bee-5a69-bfc1-f44df8ee4d9a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dramnudge_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_1c6ef479d0cf6562ae3d91df027da2da66ff27de574cb4249d01e23b1b7fe9ee"
+ logic_hash = "1c6ef479d0cf6562ae3d91df027da2da66ff27de574cb4249d01e23b1b7fe9ee"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170035,13 +170035,13 @@ rule MALPEDIA_Win_Darkvnc_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b768fff5-6b50-5b6c-bad7-de65a0398c78"
+ id = "1f59578f-2ca5-52a8-837e-fa2b82f60870"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkvnc_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_059ffb48bc28e567c2e6dc5e6789fbdcb5b40c4bf8dddefcf2a4e68738b127e3"
+ logic_hash = "059ffb48bc28e567c2e6dc5e6789fbdcb5b40c4bf8dddefcf2a4e68738b127e3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170074,13 +170074,13 @@ rule MALPEDIA_Win_Downdelph_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e77eea6d-e6fd-56b7-8064-85bc79158c44"
+ id = "077f28c1-b20c-5259-b0d0-bf4a01a0c8a9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.downdelph_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_2ab9cad8274dc5f2dae30f8b9a16e2eba342d8e6c2d2e4a6e6e80698c2dff674"
+ logic_hash = "2ab9cad8274dc5f2dae30f8b9a16e2eba342d8e6c2d2e4a6e6e80698c2dff674"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170113,13 +170113,13 @@ rule MALPEDIA_Win_Polpo_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "819d7d2d-b769-5429-91b0-9d4a450f9a92"
+ id = "3ada2ef2-9c7f-50f6-a216-72665dfc2af3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polpo"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.polpo_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_72d335a1b2528c04f03bf454be2a2837ab466ed1973103cf7af4c8dafa43e467"
+ logic_hash = "72d335a1b2528c04f03bf454be2a2837ab466ed1973103cf7af4c8dafa43e467"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170152,13 +170152,13 @@ rule MALPEDIA_Win_Poohmilk_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e52e0556-71e4-55c5-bb51-db96473c63fd"
+ id = "9a12885d-67d3-50cd-a04d-3dc337c01cc8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poohmilk_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_f0431f01a34a1352435470a98d80c3656cef1cd2a7cc3eb4ac4c25c7f03235a9"
+ logic_hash = "f0431f01a34a1352435470a98d80c3656cef1cd2a7cc3eb4ac4c25c7f03235a9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170191,13 +170191,13 @@ rule MALPEDIA_Win_Interception_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b4c73f6e-3836-5658-a688-b82628c21909"
+ id = "f1a298d5-70e2-5f27-b6ee-691574cd9abf"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.interception"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.interception_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_3520af3329a4b24d818d777e1e8f70b92d9cafa69a1f58bf6db64da9ed00530f"
+ logic_hash = "3520af3329a4b24d818d777e1e8f70b92d9cafa69a1f58bf6db64da9ed00530f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170230,13 +170230,13 @@ rule MALPEDIA_Win_Pony_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1d3d5bbd-b407-5f4b-aaeb-839a6c2973a4"
+ id = "24263a04-20d7-5949-957f-cf3a5af796d6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pony_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_f326d7c326c50f16cd34726bcea70a2ea74ad41815b2b6e851f1de5995c35b2f"
+ logic_hash = "f326d7c326c50f16cd34726bcea70a2ea74ad41815b2b6e851f1de5995c35b2f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170269,13 +170269,13 @@ rule MALPEDIA_Win_Shadowpad_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "be04a7c6-7609-5139-9b6b-5f0b639fc7e0"
+ id = "1c39d05c-4c59-5f9b-9da5-72e531a1a600"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shadowpad_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_a48ed110f457b6e73e53b15a8712b4e6c99fbab0e15de593c3c355b2a563bc5f"
+ logic_hash = "a48ed110f457b6e73e53b15a8712b4e6c99fbab0e15de593c3c355b2a563bc5f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170308,13 +170308,13 @@ rule MALPEDIA_Win_Unidentified_045_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "45811f05-6406-5224-8309-47be3f3f8f1d"
+ id = "76acbb90-4df7-541d-89b1-1533f977dd70"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_045_auto.yar#L1-L101"
 license_url = "N/A"
- logic_hash = "v1_sha256_85ab00021027191936abb42742c680d628a952bd176522618ad1f59b85811c84"
+ logic_hash = "85ab00021027191936abb42742c680d628a952bd176522618ad1f59b85811c84"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170345,13 +170345,13 @@ rule MALPEDIA_Win_Strongpity_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fc83431b-4fee-5458-aa1a-8ac645c98082"
+ id = "9dea39af-3982-5a58-a948-3e1c67dd03f0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.strongpity_auto.yar#L1-L178"
 license_url = "N/A"
- logic_hash = "v1_sha256_8a0d5e9b999ff0f85c5dc06bfd5cfa7c4f64f5270847839a9eee14c1a7cc3626"
+ logic_hash = "8a0d5e9b999ff0f85c5dc06bfd5cfa7c4f64f5270847839a9eee14c1a7cc3626"
 score = 60
 quality = 45
 tags = "FILE"
@@ -170390,13 +170390,13 @@ rule MALPEDIA_Win_Oderoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ce4dc58f-c086-5654-8a98-df91ea0de439"
+ id = "8af6addc-ebdd-5e5f-9273-b365bc983ffd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oderoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.oderoor_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_705d5b4a266b0c2f312f72fd5cb1e86ab39ec049fd53173701ccf137ec51b933"
+ logic_hash = "705d5b4a266b0c2f312f72fd5cb1e86ab39ec049fd53173701ccf137ec51b933"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170429,13 +170429,13 @@ rule MALPEDIA_Win_Pwndlocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7bb55e64-eaa5-52ae-8632-4f126eabed46"
+ id = "276b9929-07b6-5961-91ba-ea8cd06bb086"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pwndlocker_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_32e46025ac999bee5e5546895b079eecc269f28102bbbcf16da2fe4d978f576c"
+ logic_hash = "32e46025ac999bee5e5546895b079eecc269f28102bbbcf16da2fe4d978f576c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170468,13 +170468,13 @@ rule MALPEDIA_Win_Zeoticus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e987f5a1-3785-5d22-a342-411e4f75ec50"
+ id = "9de59c35-1f7d-51f9-8134-b24208326bd1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zeoticus_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_3f9c97113f0506e69ec31e3ee70b01bb1f52832387d7caa17b96ec4c6d0f2f8c"
+ logic_hash = "3f9c97113f0506e69ec31e3ee70b01bb1f52832387d7caa17b96ec4c6d0f2f8c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170507,13 +170507,13 @@ rule MALPEDIA_Win_Morto_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "96bfbbbc-d4cc-5f71-b3d7-0d030e98cc40"
+ id = "9daa15ad-04bd-517d-96ea-e01678db73e5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.morto_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_6193315806789c46deee4d81d57339bc016356ef937c67c10ba9195e0e60ffaf"
+ logic_hash = "6193315806789c46deee4d81d57339bc016356ef937c67c10ba9195e0e60ffaf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170546,13 +170546,13 @@ rule MALPEDIA_Win_Danabot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "68397af0-7fa1-5d49-8c88-e7262890d15d"
+ id = "88731f6d-edda-5181-ab28-b879b1e82348"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.danabot_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_0aacaade997adfab10265dc65b353035ffe85eb407c689ce61c2eca9a9f37b60"
+ logic_hash = "0aacaade997adfab10265dc65b353035ffe85eb407c689ce61c2eca9a9f37b60"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170585,13 +170585,13 @@ rule MALPEDIA_Win_Badnews_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a4190608-305b-5dd7-8a8c-dd8cc86cd9b7"
+ id = "cbdbb9b6-fd8f-59db-ab40-2a7ebd7420e8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.badnews_auto.yar#L1-L206"
 license_url = "N/A"
- logic_hash = "v1_sha256_615a11c7b728bb1d1522af864993baf4e6b235251c7ea78cc85debae2cde79de"
+ logic_hash = "615a11c7b728bb1d1522af864993baf4e6b235251c7ea78cc85debae2cde79de"
 score = 75
 quality = 73
 tags = "FILE"
@@ -170635,13 +170635,13 @@ rule MALPEDIA_Win_Tmanger_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5e3f5e3b-a890-5846-aa73-c6e5698c0d5c"
+ id = "90de765e-dcad-555e-a3e2-21f3e814ffeb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tmanger_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_a7986e1f1ff68dbdf6cb715e7bd380c31c6c5e7bcad1efb5e3857ab5edff19ad"
+ logic_hash = "a7986e1f1ff68dbdf6cb715e7bd380c31c6c5e7bcad1efb5e3857ab5edff19ad"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170674,13 +170674,13 @@ rule MALPEDIA_Win_Opachki_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec1fab7e-9224-576c-946f-c870468e3341"
+ id = "291586d9-b070-57a5-aa2e-28c307c908af"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.opachki_auto.yar#L1-L164"
 license_url = "N/A"
- logic_hash = "v1_sha256_d90c4672bb521b58f2551b67ed4270be91d6ae941a1e85079915797925d00bdb"
+ logic_hash = "d90c4672bb521b58f2551b67ed4270be91d6ae941a1e85079915797925d00bdb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170718,13 +170718,13 @@ rule MALPEDIA_Win_Dharma_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "979b80e0-bccb-5e01-bde1-fe3ac2de35b7"
+ id = "a46a081b-90b3-5009-83f4-4508f1cf18af"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dharma_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_ffbccfb89aae24b9d0cb0290ebb9e2adf2ba122649057e830bafd37778b3a0cb"
+ logic_hash = "ffbccfb89aae24b9d0cb0290ebb9e2adf2ba122649057e830bafd37778b3a0cb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170757,13 +170757,13 @@ rule MALPEDIA_Win_Minitypeframe_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8b73d3ed-0268-5c98-835b-4128c6375879"
+ id = "40e88a96-d1cd-5006-9a0d-53fcc15d287e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minitypeframe"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.minitypeframe_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_8864a5220eda366ec3f0b791c455ecd5bc17a2ac1068453ffa5046f89df1e064"
+ logic_hash = "8864a5220eda366ec3f0b791c455ecd5bc17a2ac1068453ffa5046f89df1e064"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170796,13 +170796,13 @@ rule MALPEDIA_Win_Polyvice_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "69d59432-092d-5f29-bd5f-cf0c959bab8d"
+ id = "2290fade-1786-50c9-a103-500f2794f68d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.polyvice_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_099fd1583428c4dcd9d4587ff6b2523b274374d689fdabd70b857d716538d61f"
+ logic_hash = "099fd1583428c4dcd9d4587ff6b2523b274374d689fdabd70b857d716538d61f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170835,13 +170835,13 @@ rule MALPEDIA_Win_Dubrute_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0557f112-0bd7-5503-9eb6-98f09ecce0e1"
+ id = "68b59ace-0878-598c-a753-f65c82412bdf"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dubrute_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_17213bc1a7d95fe150fe5455d2618ba3abfef4592455b4788ecd90ee42a9b6b1"
+ logic_hash = "17213bc1a7d95fe150fe5455d2618ba3abfef4592455b4788ecd90ee42a9b6b1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170874,13 +170874,13 @@ rule MALPEDIA_Win_Revenant_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "76103019-cf86-5044-b0f7-b7afdf143f02"
+ id = "89f91ed8-a64f-59de-9aac-43302ffc4c4f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.revenant_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_3200938fd857c1394fb14151a6f831277638c7dab5ca1a4886284fcf19cad884"
+ logic_hash = "3200938fd857c1394fb14151a6f831277638c7dab5ca1a4886284fcf19cad884"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170913,13 +170913,13 @@ rule MALPEDIA_Win_Darkmegi_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "71c93608-ce02-5ad8-807a-81149bed890d"
+ id = "a0e854e1-d6b5-5413-b2d6-b8294aeb1c03"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkmegi_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_cbefd542cb2be5b91d54762f56be197fb7c2a5e2f979e1fe8e05b6ab3d5c06b3"
+ logic_hash = "cbefd542cb2be5b91d54762f56be197fb7c2a5e2f979e1fe8e05b6ab3d5c06b3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170952,13 +170952,13 @@ rule MALPEDIA_Win_Uacme_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e5dd36d1-792d-5d3f-b94b-084d3eae753e"
+ id = "ff7de611-297b-5087-b1a6-103aa95a4d6a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.uacme_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_07027ccb25725e405fe664bc8c5892aae7b19e4bf0683cd3f46495797cb60d93"
+ logic_hash = "07027ccb25725e405fe664bc8c5892aae7b19e4bf0683cd3f46495797cb60d93"
 score = 75
 quality = 75
 tags = "FILE"
@@ -170991,13 +170991,13 @@ rule MALPEDIA_Win_Doorme_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0a9ca72e-707b-56db-967a-f4250af7d12b"
+ id = "ef34215c-21dc-5b70-9e46-024fa7a7faa3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doorme_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_7a262e46ac547aa0a1d170d6c95f7394f8a304e152ade6a1fdc4d6407588a287"
+ logic_hash = "7a262e46ac547aa0a1d170d6c95f7394f8a304e152ade6a1fdc4d6407588a287"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171030,13 +171030,13 @@ rule MALPEDIA_Win_Turla_Rpc_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cae857f5-a45e-5927-9177-349e2d595226"
+ id = "66c1d7fa-741a-51ae-994f-511185fa9310"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.turla_rpc_auto.yar#L1-L168"
 license_url = "N/A"
- logic_hash = "v1_sha256_47df29c03096bb465616e91b5c4f41a104d4cb12e1b0226d75d72ad4e8590fd9"
+ logic_hash = "47df29c03096bb465616e91b5c4f41a104d4cb12e1b0226d75d72ad4e8590fd9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171075,13 +171075,13 @@ rule MALPEDIA_Win_Meltingclaw_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "804d5296-c4a0-5484-8a71-98285684edb0"
+ id = "3b6f1fa7-265c-5ffe-9d34-c9502295b009"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meltingclaw"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.meltingclaw_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_379103784a97b527734f31e44cda4d460b2bdbd8572feff4730fa002535654cf"
+ logic_hash = "379103784a97b527734f31e44cda4d460b2bdbd8572feff4730fa002535654cf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171114,13 +171114,13 @@ rule MALPEDIA_Win_Xxmm_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6d357438-82f1-55d0-8c65-567776ed8a6a"
+ id = "16a9d672-e06b-5e77-adaf-431f4123e535"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xxmm_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_c8c4a142f2bfee52addd60a0f4c2035a9a8040f793cfe3829a4504cc749982c2"
+ logic_hash = "c8c4a142f2bfee52addd60a0f4c2035a9a8040f793cfe3829a4504cc749982c2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171153,13 +171153,13 @@ rule MALPEDIA_Win_Pngdowner_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ce26b60b-c5a3-5c7f-8619-9d5ee770c9b1"
+ id = "44303c5d-967e-534a-8e83-5300065e2ae0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pngdowner_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_de22eb663da7ff55693bb983ea5d4c7de5d0a56ea6d44ddf300552a98f59e1cb"
+ logic_hash = "de22eb663da7ff55693bb983ea5d4c7de5d0a56ea6d44ddf300552a98f59e1cb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171192,13 +171192,13 @@ rule MALPEDIA_Win_Keyhole_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "68010693-0a92-56b2-a3ae-da536f2276ae"
+ id = "1776d34a-8ed1-5870-82db-2a2698f47369"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyhole"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.keyhole_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_64c3a1f6c6135646d67c8ef7bc09175e7e75133412ea28a0c20d12643fea552c"
+ logic_hash = "64c3a1f6c6135646d67c8ef7bc09175e7e75133412ea28a0c20d12643fea552c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171231,13 +171231,13 @@ rule MALPEDIA_Win_Neconyd_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6a833c53-20fc-5132-b29a-4fcafdcda2f0"
+ id = "a2815a16-95e0-5db4-9058-3189995786c2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neconyd"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.neconyd_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_e1fd880f0f7b560832efc4f24d502d458a46d62299fa6f4e05fae094662862d2"
+ logic_hash = "e1fd880f0f7b560832efc4f24d502d458a46d62299fa6f4e05fae094662862d2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171270,13 +171270,13 @@ rule MALPEDIA_Win_Lowzero_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a80672f7-0e2c-508f-aeb7-a6c492770add"
+ id = "2e1f2236-1021-58b7-bec6-2914502da5b8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowzero"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lowzero_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_8a0cc8f946fea76f2b3b346672d13b547cb8ca0c916aea88c757b9309e0ee850"
+ logic_hash = "8a0cc8f946fea76f2b3b346672d13b547cb8ca0c916aea88c757b9309e0ee850"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171309,13 +171309,13 @@ rule MALPEDIA_Win_Flowershop_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0485700a-1ead-5b01-99ea-65b52ab95dcf"
+ id = "0c1734b8-36d9-5030-b687-4c9005cd52ad"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flowershop_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_fe80fc55a0148eaee88f1cb7adb18edcd9b995b61e3ef0f900df914eb5adb176"
+ logic_hash = "fe80fc55a0148eaee88f1cb7adb18edcd9b995b61e3ef0f900df914eb5adb176"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171348,13 +171348,13 @@ rule MALPEDIA_Win_Pslogger_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8c0137b2-1368-5dd3-a271-9de195e83077"
+ id = "ec7a19b3-c3a5-5a75-ac86-d0beb1e4cdd5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pslogger_auto.yar#L1-L172"
 license_url = "N/A"
- logic_hash = "v1_sha256_746d33059662814e87cdaa4caa4e5b548a478a0041425137f661e51552f006fa"
+ logic_hash = "746d33059662814e87cdaa4caa4e5b548a478a0041425137f661e51552f006fa"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171393,13 +171393,13 @@ rule MALPEDIA_Win_Unidentified_044_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "10c13c71-1de4-5194-838e-572776c82567"
+ id = "b06c2db5-4f74-514b-a6ac-3ca802bc63db"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_044_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_bba754b0708d8dcd8392b060bb16bcb2ec72e2dcb75dae26c5459c6dda294679"
+ logic_hash = "bba754b0708d8dcd8392b060bb16bcb2ec72e2dcb75dae26c5459c6dda294679"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171432,13 +171432,13 @@ rule MALPEDIA_Win_Wastedlocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "88233bea-1c24-54c3-8d18-ab293a820090"
+ id = "8ef8d9a2-2e74-56fa-b8ce-a112e80f0d26"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wastedlocker_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_48bd61023921acb8234a4ca4342276a30ad18fb5b65266be5de19c7db798e757"
+ logic_hash = "48bd61023921acb8234a4ca4342276a30ad18fb5b65266be5de19c7db798e757"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171471,13 +171471,13 @@ rule MALPEDIA_Win_Unidentified_037_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "169e6c48-fc1c-51ac-950f-fe81ac1dcfa7"
+ id = "12311ab5-e4c5-520c-9e45-de0627bcb40b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_037_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_1d2de4db39b1900c0def6a2d43ab52baecc925bfad5faca5ff76425cebd9b30d"
+ logic_hash = "1d2de4db39b1900c0def6a2d43ab52baecc925bfad5faca5ff76425cebd9b30d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171510,13 +171510,13 @@ rule MALPEDIA_Win_Sage_Ransom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6291c768-e2d6-514f-8cc2-e12ede93e30c"
+ id = "0cfc4781-9310-56a6-9786-dd48a9782a50"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sage_ransom_auto.yar#L1-L161"
 license_url = "N/A"
- logic_hash = "v1_sha256_aa9c344ed40cd82065b24d270c712730728bf75ebcabdbfdec5a88ea8d283ad2"
+ logic_hash = "aa9c344ed40cd82065b24d270c712730728bf75ebcabdbfdec5a88ea8d283ad2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171555,13 +171555,13 @@ rule MALPEDIA_Win_Darkpulsar_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dab4c101-566e-59aa-bc8e-a7c40ca2a05f"
+ id = "3c0e62f1-e08c-54de-80e8-3035c44da66d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkpulsar_auto.yar#L1-L471"
 license_url = "N/A"
- logic_hash = "v1_sha256_a16686b6fd6dac730451b9eb62e01c34a4e8ab3b1c781a91de53e419e5302dea"
+ logic_hash = "a16686b6fd6dac730451b9eb62e01c34a4e8ab3b1c781a91de53e419e5302dea"
 score = 75
 quality = 50
 tags = "FILE"
@@ -171635,13 +171635,13 @@ rule MALPEDIA_Win_Cruloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8b8ec50e-1e31-50b1-a2d6-e55be6b7f5e8"
+ id = "af447408-0b7c-5bac-a78b-97c116da2002"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cruloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cruloader_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_59193418b12a936adb7da239534987c20e49170078a9b714faec730fae8ac983"
+ logic_hash = "59193418b12a936adb7da239534987c20e49170078a9b714faec730fae8ac983"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171674,13 +171674,13 @@ rule MALPEDIA_Win_Advisorsbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f50608b1-ed9c-537f-87f8-ab651e2c24e1"
+ id = "d26aaef7-489b-5eb4-8cea-1ab552de40d6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.advisorsbot_auto.yar#L1-L166"
 license_url = "N/A"
- logic_hash = "v1_sha256_b714abe1aa8dcb7f6377853b7e4c0df837d586795e3163f35470e362238d5477"
+ logic_hash = "b714abe1aa8dcb7f6377853b7e4c0df837d586795e3163f35470e362238d5477"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171721,13 +171721,13 @@ rule MALPEDIA_Win_Bistromath_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2363fd40-23d1-555f-803b-240a2e8dcb1a"
+ id = "e2ace9ec-fb28-5f7e-b65b-e020bfa94a6f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bistromath_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_8b0190b62dedacf36599f0042a8bd29edc86ceda9086cf91a756283776411b62"
+ logic_hash = "8b0190b62dedacf36599f0042a8bd29edc86ceda9086cf91a756283776411b62"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171760,13 +171760,13 @@ rule MALPEDIA_Win_Enfal_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "292e4f49-98c7-5650-9abe-df6d15c51fcc"
+ id = "01bf52c7-5562-58b0-bd6b-f99194c0bb2b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.enfal_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_c231b8446e9ed78bdd8a9cb59296768a0836b06ecc839e3d3e3a25695d5dfcf0"
+ logic_hash = "c231b8446e9ed78bdd8a9cb59296768a0836b06ecc839e3d3e3a25695d5dfcf0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171799,13 +171799,13 @@ rule MALPEDIA_Win_Zeus_Action_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "52985884-6b7d-58d0-bab1-3553f723e82c"
+ id = "d8b9574e-a0e7-5ba7-a640-3d17643b0cca"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zeus_action_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_3c34c6384d3102dcf930744109cb986bdc2576d8925ca3fbe6fecc099028fdf3"
+ logic_hash = "3c34c6384d3102dcf930744109cb986bdc2576d8925ca3fbe6fecc099028fdf3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171838,13 +171838,13 @@ rule MALPEDIA_Win_Bluehaze_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7526fd00-ea1d-59ce-94aa-5926d37b3643"
+ id = "5c7b5561-ee2d-5a06-a96a-4cc26ae71cec"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluehaze"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bluehaze_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_108c6f0ac1c0898d4930ded73b9aadddbebc2ff25c5a1de920dfb159113df607"
+ logic_hash = "108c6f0ac1c0898d4930ded73b9aadddbebc2ff25c5a1de920dfb159113df607"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171877,13 +171877,13 @@ rule MALPEDIA_Win_Blackmatter_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fa459a31-c531-55f0-9af4-41b59972eda7"
+ id = "7e457194-4a19-57a3-89ac-b5153afc0744"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackmatter_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_c5598bfcc346f3d5f3d24c66f49b6d8b4e14cf3a3802140e28639e017dd52693"
+ logic_hash = "c5598bfcc346f3d5f3d24c66f49b6d8b4e14cf3a3802140e28639e017dd52693"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171916,13 +171916,13 @@ rule MALPEDIA_Win_Crenufs_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1ad21d67-08e7-5def-9b7c-b4637990d440"
+ id = "afe43d9c-690f-5ee9-b954-c5b702959ff3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crenufs_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_3c7a04525acb3eb4c11e5514f2c9651e3b51e0f4081d21b17236ba959340440d"
+ logic_hash = "3c7a04525acb3eb4c11e5514f2c9651e3b51e0f4081d21b17236ba959340440d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171955,13 +171955,13 @@ rule MALPEDIA_Win_Unidentified_073_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2a129658-5e5c-5494-ab10-f258fc0dc0cc"
+ id = "0ba61f73-e46a-5f54-853f-f1f3b502ee26"
 date = "2022-08-05"
 modified = "2022-08-08"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_073_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_8100472ca712d569bbcdb570af72e3f13986092b4d8ee8e3873da55bef76232d"
+ logic_hash = "8100472ca712d569bbcdb570af72e3f13986092b4d8ee8e3873da55bef76232d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -171994,13 +171994,13 @@ rule MALPEDIA_Win_Combos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "deff2c45-497c-5752-bdd1-2b16610887cb"
+ id = "83be0118-da53-5a8d-831d-9e770a5f717d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.combos_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_f3e6fe545b99111283539f520a90d4bf3b968444eac10c20521004e7b16afe6f"
+ logic_hash = "f3e6fe545b99111283539f520a90d4bf3b968444eac10c20521004e7b16afe6f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172033,13 +172033,13 @@ rule MALPEDIA_Win_Jssloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "83c064c5-a021-5dc2-a692-d1c3e213215a"
+ id = "90fc04b9-9652-536e-8f60-72fc9a34063b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jssloader_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_97165a1c6774cf73430e22299a3df7b55ab3c7ba699c480d4641c6a6e116c33b"
+ logic_hash = "97165a1c6774cf73430e22299a3df7b55ab3c7ba699c480d4641c6a6e116c33b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172072,13 +172072,13 @@ rule MALPEDIA_Win_Neteagle_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "91dacae0-8fcc-5ad5-9c35-fa1a2a0c9a38"
+ id = "552fea63-ea2d-5d68-acbe-acbcf4f3fc62"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.neteagle_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_d61d147c710715632ec1c821209ba30c6e6f1ac5fd2be9819dd093a236f5d3aa"
+ logic_hash = "d61d147c710715632ec1c821209ba30c6e6f1ac5fd2be9819dd093a236f5d3aa"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172111,13 +172111,13 @@ rule MALPEDIA_Win_Danbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3c1054a8-4a81-533a-8f84-3dc7a2459261"
+ id = "da55061d-0704-5ad4-a81b-0f3aa0376e8a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.danbot_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_5da6053f066e9d13d04800876e4e18c27ca9158fbdceb66408c8360c250a0789"
+ logic_hash = "5da6053f066e9d13d04800876e4e18c27ca9158fbdceb66408c8360c250a0789"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172150,13 +172150,13 @@ rule MALPEDIA_Win_Farseer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5838e7ff-c664-55c3-8669-c8faa9b890d1"
+ id = "5a67d1eb-3f83-53bd-8009-08fd90d91a72"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.farseer_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_c4f58eaf1a171a6ef6927bdc0d75281407b1ff19c17d7d3cb4db395f2514c097"
+ logic_hash = "c4f58eaf1a171a6ef6927bdc0d75281407b1ff19c17d7d3cb4db395f2514c097"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172189,13 +172189,13 @@ rule MALPEDIA_Win_Linseningsvr_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7b497987-7ed6-5ec3-be3e-4db39ca859ff"
+ id = "9dcd591f-d0ec-5190-8dad-c6b3b9eab825"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.linseningsvr_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_0cfff1e97d9fd891165604e0b9cd757922199a1abb3f822338fa50a684f756d6"
+ logic_hash = "0cfff1e97d9fd891165604e0b9cd757922199a1abb3f822338fa50a684f756d6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172228,13 +172228,13 @@ rule MALPEDIA_Win_Shipshape_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "362d469d-6165-5da1-ab65-3a95f06cdfd2"
+ id = "aa7aa2cd-5e40-579e-a131-11724b603c86"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shipshape_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_b3e2abc875f7ba78a51d88975fa6d3eb42407a4e92394786033a7e1704215a48"
+ logic_hash = "b3e2abc875f7ba78a51d88975fa6d3eb42407a4e92394786033a7e1704215a48"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172267,13 +172267,13 @@ rule MALPEDIA_Win_Oski_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0bd7a610-f590-5105-b2fc-093f0f68a060"
+ id = "00507fe9-9209-5e5a-8102-b7f791efd242"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.oski_auto.yar#L1-L180"
 license_url = "N/A"
- logic_hash = "v1_sha256_35c4af68aedcbb90eed8cfba69202373adfb8560464fdea190e8d4d9190a864c"
+ logic_hash = "35c4af68aedcbb90eed8cfba69202373adfb8560464fdea190e8d4d9190a864c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172313,13 +172313,13 @@ rule MALPEDIA_Win_Redcurl_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "15d5c921-2b20-50b4-9268-26b3a710fe0a"
+ id = "fbb544b7-c5e6-54a1-8421-fdb6aeb04e0b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcurl"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.redcurl_auto.yar#L1-L212"
 license_url = "N/A"
- logic_hash = "v1_sha256_69ca0c8cf976224bed2624627972f08d1882150471e8a73b5314d8faac0d77d8"
+ logic_hash = "69ca0c8cf976224bed2624627972f08d1882150471e8a73b5314d8faac0d77d8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -172363,13 +172363,13 @@ rule MALPEDIA_Win_Darkdew_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7ec22b61-fca6-568b-8dd6-57c988ee4e7c"
+ id = "72766643-15c8-5d73-9055-fc2b6509a42d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkdew"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkdew_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_b05f670c23077615e6a702bdb8387206cc612d9856e8283c4dc5f994c8c7e0fc"
+ logic_hash = "b05f670c23077615e6a702bdb8387206cc612d9856e8283c4dc5f994c8c7e0fc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172402,13 +172402,13 @@ rule MALPEDIA_Win_Wonknu_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4a93b80a-e9dc-5a89-bea2-b0d28cbcfec0"
+ id = "7c22ecc6-5e07-568e-a954-bd5d4c46a783"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wonknu_auto.yar#L1-L113"
 license_url = "N/A"
- logic_hash = "v1_sha256_d8729848e6f29de29baa83d3d1b7a400fd076f81fa4553c7cf2ef20e4ee0bd77"
+ logic_hash = "d8729848e6f29de29baa83d3d1b7a400fd076f81fa4553c7cf2ef20e4ee0bd77"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172441,13 +172441,13 @@ rule MALPEDIA_Win_Herpes_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c666da07-10f7-5210-a368-bde828d5e21c"
+ id = "fedf32f5-9ae5-5123-9361-9a81a141f76e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.herpes_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_769ea4914adc8e6bb491030ee0781ca8f47cafb6846f9263dbbc09dc62dc70a2"
+ logic_hash = "769ea4914adc8e6bb491030ee0781ca8f47cafb6846f9263dbbc09dc62dc70a2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172480,13 +172480,13 @@ rule MALPEDIA_Win_Nocturnalstealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3b6ce67a-1bae-5639-8542-59eb87298b24"
+ id = "b2ebf655-b369-5222-91b5-1580e525a57e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nocturnalstealer_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_2c6b243d35f29c591c5668acf471c8a2107f8e8d4171dce50c484f231af2f2ed"
+ logic_hash = "2c6b243d35f29c591c5668acf471c8a2107f8e8d4171dce50c484f231af2f2ed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172519,13 +172519,13 @@ rule MALPEDIA_Elf_Babuk_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "017d9694-86e8-55e6-bc14-40c8b39e6f9b"
+ id = "8eba83d0-6c95-5d1f-85db-3750f26fdff6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.babuk_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_a4e1d4252d61243f852bbd89e2ebf51566a3485791e9905d978089b8c49c4cb9"
+ logic_hash = "a4e1d4252d61243f852bbd89e2ebf51566a3485791e9905d978089b8c49c4cb9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172558,13 +172558,13 @@ rule MALPEDIA_Win_Murkytop_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "06a01239-255d-5c95-8e92-b0a07e37fcb9"
+ id = "09c2c9ad-2fc4-523f-99a2-d7f06ef6936d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.murkytop_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_e4a555eba2d93ac52653d0ddd1b98a4be2b8b9fd7f1c8d48fbca611f1976d1c2"
+ logic_hash = "e4a555eba2d93ac52653d0ddd1b98a4be2b8b9fd7f1c8d48fbca611f1976d1c2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172597,13 +172597,13 @@ rule MALPEDIA_Win_Brambul_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec7216b6-381f-5602-9834-acf8b96f91ac"
+ id = "ab481228-bdce-550e-a6f6-2d8dfaa70a2b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.brambul_auto.yar#L1-L173"
 license_url = "N/A"
- logic_hash = "v1_sha256_4ef5f993f2727cb74a42049fbc80622dc3543c88c7bb52088b1f5b1131ebc4b4"
+ logic_hash = "4ef5f993f2727cb74a42049fbc80622dc3543c88c7bb52088b1f5b1131ebc4b4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172642,13 +172642,13 @@ rule MALPEDIA_Win_Shareip_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "08d20d9d-595a-5e5f-b819-2151a3f9aa7a"
+ id = "c1bb89d1-f372-58e3-b942-2bef06089e9d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shareip_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_22f8defa170ad6011dfacc6043f0faf754eb6e381cb168ecc5d5e1f970ca56dc"
+ logic_hash = "22f8defa170ad6011dfacc6043f0faf754eb6e381cb168ecc5d5e1f970ca56dc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172681,13 +172681,13 @@ rule MALPEDIA_Win_Mm_Core_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2449d3df-0aed-51b5-b58d-fca782053963"
+ id = "bf93218a-8d8c-58ea-bf30-76f3ba39addc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mm_core_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_29ec3357b82a9f4eff6706385f45e4b797a4fc7c02bf49f9f64641ab1015abf0"
+ logic_hash = "29ec3357b82a9f4eff6706385f45e4b797a4fc7c02bf49f9f64641ab1015abf0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172720,13 +172720,13 @@ rule MALPEDIA_Win_Unidentified_095_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8ec9b0e6-60ef-5502-9ae2-33f1ed8dd615"
+ id = "2cdecaec-fb60-5714-949a-43017e2a9367"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_095"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_095_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_26f94ce2105de641743f6ff5fce894a28fc2893a963b3d77519d919e034fdf59"
+ logic_hash = "26f94ce2105de641743f6ff5fce894a28fc2893a963b3d77519d919e034fdf59"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172759,13 +172759,13 @@ rule MALPEDIA_Win_Ground_Peony_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5c5bd4a7-4573-52fa-aa83-ed5044af064b"
+ id = "a6ba3822-837c-5f9f-87da-bacc2e30de24"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ground_peony"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ground_peony_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_e78f90db6174b77e8191ffdbebceb8195c536d4827a66bc4c3081db996009605"
+ logic_hash = "e78f90db6174b77e8191ffdbebceb8195c536d4827a66bc4c3081db996009605"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172798,13 +172798,13 @@ rule MALPEDIA_Win_Sepulcher_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "db9269cb-492c-541c-8137-6a9c14c471da"
+ id = "226eeb17-2cf9-5d07-9607-4486b199b293"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sepulcher_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_e1aaa31878ffe75af7745e7155d1b8f026b2d8b5dc07360be87f7b721a2b24ec"
+ logic_hash = "e1aaa31878ffe75af7745e7155d1b8f026b2d8b5dc07360be87f7b721a2b24ec"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172837,13 +172837,13 @@ rule MALPEDIA_Win_Unidentified_003_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f94ededd-7059-57e3-953d-61b46ccea4c4"
+ id = "68c73429-01e2-51c8-be95-38ace5fc7e1c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_003_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_1280401acbb116bbb5b04fa4063fd1d8d80a530174292f633236a0a89b7df590"
+ logic_hash = "1280401acbb116bbb5b04fa4063fd1d8d80a530174292f633236a0a89b7df590"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172876,13 +172876,13 @@ rule MALPEDIA_Win_Blackpos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "222a109b-feab-5e6b-beb3-a5bab0708aac"
+ id = "89c6782b-ce89-5ae6-b33e-9ad6b6b135a4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackpos_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_7d2d90e306d11c41271f7c0e9630f3392beaf89b6698e039f543a5fdf586b172"
+ logic_hash = "7d2d90e306d11c41271f7c0e9630f3392beaf89b6698e039f543a5fdf586b172"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172915,13 +172915,13 @@ rule MALPEDIA_Win_Crytox_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5a4f32f1-756a-5d8c-818a-b860471eca2a"
+ id = "cfd8bc3e-6e83-548e-8e5a-491fd708c53c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crytox_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_0d608432c61d44fbe73904a491bbca98a3f6f38166b8de3be56cb8c75f376d55"
+ logic_hash = "0d608432c61d44fbe73904a491bbca98a3f6f38166b8de3be56cb8c75f376d55"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172954,13 +172954,13 @@ rule MALPEDIA_Win_Boldmove_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "799f669d-1508-5d75-be35-8b284109a180"
+ id = "c0ee40b4-e9c4-5f65-956d-3ab91a0741b7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.boldmove_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_80c35171aa5675e2bb96034cca19e4fa2358df102e187fd20681a49dd8be92d9"
+ logic_hash = "80c35171aa5675e2bb96034cca19e4fa2358df102e187fd20681a49dd8be92d9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -172993,13 +172993,13 @@ rule MALPEDIA_Win_Webc2_Cson_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1cdc4710-f8bd-5ca5-bdad-4129f476d4f0"
+ id = "13b28ac1-90a8-569b-9437-56c16ba607cd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_cson_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a18d875b3b14f91d30d03a0640ea0a5b789b8ad5cdc4c9d1d8ddab08372dfdc"
+ logic_hash = "9a18d875b3b14f91d30d03a0640ea0a5b789b8ad5cdc4c9d1d8ddab08372dfdc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173032,13 +173032,13 @@ rule MALPEDIA_Win_Seasalt_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1a44cd72-c06f-5e83-b623-edb3985dfcf9"
+ id = "e8758fcf-84ae-529e-8419-cd8aeff0784f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.seasalt_auto.yar#L1-L113"
 license_url = "N/A"
- logic_hash = "v1_sha256_5df2d6a2f6a4936e4945854f6bc4e70b294eb2b72f1c3ef6c84a2efa72215e6e"
+ logic_hash = "5df2d6a2f6a4936e4945854f6bc4e70b294eb2b72f1c3ef6c84a2efa72215e6e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173071,13 +173071,13 @@ rule MALPEDIA_Win_Turnedup_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3ee1935a-3791-52d7-8601-bd35eb95164a"
+ id = "9cef3df1-e6dd-5dcd-8eeb-7fa8aae510b3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.turnedup_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_f114ccc267f7ff6c1934261ef01804f10c4ed0bd6285f48c3f30e4d8aac2153d"
+ logic_hash = "f114ccc267f7ff6c1934261ef01804f10c4ed0bd6285f48c3f30e4d8aac2153d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173110,13 +173110,13 @@ rule MALPEDIA_Win_Mirai_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b81876c5-90ba-5d0c-a126-730bea47d8b7"
+ id = "009ec30f-f4c4-5af9-afbc-ec79b59a007e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mirai_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_4b520e473aaa65894d4224b9e87eda17dce7091dc19025c78727d13bc484a535"
+ logic_hash = "4b520e473aaa65894d4224b9e87eda17dce7091dc19025c78727d13bc484a535"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173149,13 +173149,13 @@ rule MALPEDIA_Win_Zebrocy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6bc15217-31a0-5035-a1f4-47291eeef52a"
+ id = "3e5f6c21-b107-5927-ab15-3b5f7930bd9f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zebrocy_auto.yar#L1-L166"
 license_url = "N/A"
- logic_hash = "v1_sha256_441b6c0eb1e7ad657ed1ddd776f40e36e6f7013a1b8efb6494c5b91191385474"
+ logic_hash = "441b6c0eb1e7ad657ed1ddd776f40e36e6f7013a1b8efb6494c5b91191385474"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173194,13 +173194,13 @@ rule MALPEDIA_Win_Rovnix_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b410fc13-1ebf-587d-940e-cb551bd26929"
+ id = "75582b32-2396-52b5-ad83-7563a2940a52"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rovnix_auto.yar#L1-L331"
 license_url = "N/A"
- logic_hash = "v1_sha256_ed6329dc4f284f83c7abc03edae1041f365607dbb53bb190660ed33f6a939524"
+ logic_hash = "ed6329dc4f284f83c7abc03edae1041f365607dbb53bb190660ed33f6a939524"
 score = 75
 quality = 73
 tags = "FILE"
@@ -173259,13 +173259,13 @@ rule MALPEDIA_Win_Arefty_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d5d41d46-9645-5414-9978-b4af8ed81f3e"
+ id = "a1bbf58c-af9c-5d64-b893-96f60da58ce9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.arefty_auto.yar#L1-L113"
 license_url = "N/A"
- logic_hash = "v1_sha256_fde5f4282a78a6517cf5f33df8600bda217d95924465f99b86aed788930f75c3"
+ logic_hash = "fde5f4282a78a6517cf5f33df8600bda217d95924465f99b86aed788930f75c3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173298,13 +173298,13 @@ rule MALPEDIA_Win_Erbium_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4b79fc65-795d-5d7b-9065-3570c6510074"
+ id = "3a53e6ef-1078-5435-9f60-4f8ff6596d6b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.erbium_stealer_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_bccad5f3f8af9dfd7831cb14cdc529eb8f240bee1d54dd0908880ec160a26124"
+ logic_hash = "bccad5f3f8af9dfd7831cb14cdc529eb8f240bee1d54dd0908880ec160a26124"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173337,13 +173337,13 @@ rule MALPEDIA_Win_Nymaim_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8adbf244-1ae7-59a9-9bbc-a34e1390d9e1"
+ id = "e0a12b6e-526a-5a8b-aed4-baed5127be87"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nymaim_auto.yar#L1-L222"
 license_url = "N/A"
- logic_hash = "v1_sha256_f3d2f3296acd118f28135509a78d3821be2bc056e67d24571caf444a5d1f55ba"
+ logic_hash = "f3d2f3296acd118f28135509a78d3821be2bc056e67d24571caf444a5d1f55ba"
 score = 75
 quality = 73
 tags = "FILE"
@@ -173390,13 +173390,13 @@ rule MALPEDIA_Win_Plaintee_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bc5fe8e3-1fe4-5207-be25-107c5aa3f970"
+ id = "d95cbeb4-c06c-51b3-a2cb-8f8e5a1bfe81"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.plaintee_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_0e73f73019071a1fc77ee2e72d1d76e92ad8df711ace3b0abcab294f32362d30"
+ logic_hash = "0e73f73019071a1fc77ee2e72d1d76e92ad8df711ace3b0abcab294f32362d30"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173429,13 +173429,13 @@ rule MALPEDIA_Win_Remexi_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8f052e02-63b5-5b40-bc87-8aa5e3aee823"
+ id = "19c1296a-4241-5074-a9c8-857410d4cc23"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.remexi_auto.yar#L1-L280"
 license_url = "N/A"
- logic_hash = "v1_sha256_d7fd541a35f3fa538905c0988ed0ed78176c1f70ba37c8e34ed3bd3151c3e3a8"
+ logic_hash = "d7fd541a35f3fa538905c0988ed0ed78176c1f70ba37c8e34ed3bd3151c3e3a8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -173489,13 +173489,13 @@ rule MALPEDIA_Win_Necurs_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cfa209b3-a6ad-5890-a03a-94d2a7ae1600"
+ id = "6a74d2a0-5b63-50c2-96d3-f0fbeed1b3d4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.necurs_auto.yar#L1-L154"
 license_url = "N/A"
- logic_hash = "v1_sha256_1a877e35a35cc5b42dec49f688cab91a0513382e31843c1efea0701ab2d894e0"
+ logic_hash = "1a877e35a35cc5b42dec49f688cab91a0513382e31843c1efea0701ab2d894e0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173533,13 +173533,13 @@ rule MALPEDIA_Win_Headertip_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b5b84ec6-e768-5a01-8d1f-e374c351e4ef"
+ id = "106ff000-576d-5d0d-a598-b9503a4cb801"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.headertip_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_07b109a1a0d2271a95946a2e4133eb05992095f34ecb947954db0f3a5bf49d0e"
+ logic_hash = "07b109a1a0d2271a95946a2e4133eb05992095f34ecb947954db0f3a5bf49d0e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173572,13 +173572,13 @@ rule MALPEDIA_Win_Chir_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "68722a90-4680-53e2-b9ed-f0bba27d6285"
+ id = "93c47970-4fc6-58a0-955d-3bbd03cb7c7f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chir_auto.yar#L1-L113"
 license_url = "N/A"
- logic_hash = "v1_sha256_5c119df17edac6114f59bfe70ffc894c68fbc3a6604aa7943345ac49df6c4fce"
+ logic_hash = "5c119df17edac6114f59bfe70ffc894c68fbc3a6604aa7943345ac49df6c4fce"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173611,13 +173611,13 @@ rule MALPEDIA_Win_Nettraveler_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2c62b6cc-3158-559b-8e3d-eb84c47d2000"
+ id = "96950378-de52-56f3-b780-3b44898a07bb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nettraveler_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_874696e02901d10cd4804b0fe2c66596a287514a0c9a118564d29a023c32f51c"
+ logic_hash = "874696e02901d10cd4804b0fe2c66596a287514a0c9a118564d29a023c32f51c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173650,13 +173650,13 @@ rule MALPEDIA_Win_Brbbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e8857df8-d9ca-5caa-ae9b-b6e97ca7f4a1"
+ id = "90f3eca3-a8ac-5396-b696-f6c36e242527"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brbbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.brbbot_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_01b7f091ad5c5584725e6a754a08338f9a2c33e3759aac15777f95b901cf8ec0"
+ logic_hash = "01b7f091ad5c5584725e6a754a08338f9a2c33e3759aac15777f95b901cf8ec0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173689,13 +173689,13 @@ rule MALPEDIA_Win_Luca_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "574ab628-1e50-57fd-8e94-6c02bc91fcfa"
+ id = "719beb67-5539-58f6-b79d-9238d1f007ac"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.luca_stealer_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_2b38c28929c2cf366b6c27d4893332041148ce4dfc12e9c48178a2f3e634135c"
+ logic_hash = "2b38c28929c2cf366b6c27d4893332041148ce4dfc12e9c48178a2f3e634135c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173728,13 +173728,13 @@ rule MALPEDIA_Win_Bundestrojaner_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d466bd32-ebf3-5cd4-b949-c7c40f96d83a"
+ id = "22b55f6b-e040-5c18-ad23-824cbb63f192"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bundestrojaner_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_4726f6c288ba39b565a7c1ba35f099303564bb770df1743f44ad4cd587b35c16"
+ logic_hash = "4726f6c288ba39b565a7c1ba35f099303564bb770df1743f44ad4cd587b35c16"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173767,13 +173767,13 @@ rule MALPEDIA_Win_Avast_Disabler_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4666f3a0-be09-5f6f-8cc5-894e837283c4"
+ id = "6a09cca4-7cb6-5c97-b15b-4f7311a6621b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.avast_disabler_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_19754a7bc503b1b28bdfc059b6eb230f6f3e29b2e990d8ace51bd954a83ec439"
+ logic_hash = "19754a7bc503b1b28bdfc059b6eb230f6f3e29b2e990d8ace51bd954a83ec439"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173806,13 +173806,13 @@ rule MALPEDIA_Win_Unidentified_023_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0130a4e8-72dc-59f2-90e4-82b4b4922dfc"
+ id = "f77c5286-0b1f-561f-8f58-a27a0408436a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_023_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_1eec10f2afa6bd7e6a1d69558f2f25a771bedb385bd839fc0b4d5b578eec4086"
+ logic_hash = "1eec10f2afa6bd7e6a1d69558f2f25a771bedb385bd839fc0b4d5b578eec4086"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173845,13 +173845,13 @@ rule MALPEDIA_Win_Neutrino_Pos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c1cadfdf-5380-5aad-94eb-ce47c85a26bb"
+ id = "7a087fc7-82b2-5ab1-84ba-f1736b808b97"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.neutrino_pos_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_018a5236bd48798fd0b76750c3d5d4efe90b9a49b4a1a51163482fa226bfcefe"
+ logic_hash = "018a5236bd48798fd0b76750c3d5d4efe90b9a49b4a1a51163482fa226bfcefe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173884,13 +173884,13 @@ rule MALPEDIA_Win_Virdetdoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5586efae-7c0d-5c96-ba6a-f269c4d3b17d"
+ id = "6e6bed26-b841-5f32-a122-ab8bbf6a241f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.virdetdoor_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_1295e76b0307a288c9ca8e40bd8de47b87983bee24b0a3d67ad5ac1b80c8e6e1"
+ logic_hash = "1295e76b0307a288c9ca8e40bd8de47b87983bee24b0a3d67ad5ac1b80c8e6e1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173923,13 +173923,13 @@ rule MALPEDIA_Win_Matryoshka_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "89059be5-531d-5672-bedd-b8c9fa746017"
+ id = "b422383a-3b69-5e32-94a3-431dbc17291c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.matryoshka_rat_auto.yar#L1-L135"
 license_url = "N/A"
- logic_hash = "v1_sha256_e0e5d3a7b6eaf0039b9fbb2e4baba63862f57599449a2c9f7b8481e16636b102"
+ logic_hash = "e0e5d3a7b6eaf0039b9fbb2e4baba63862f57599449a2c9f7b8481e16636b102"
 score = 75
 quality = 75
 tags = "FILE"
@@ -173966,13 +173966,13 @@ rule MALPEDIA_Win_Acr_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8fa6da6e-80d5-5a5f-8094-c42521ae91e1"
+ id = "27adbb62-681d-5315-be14-68aa5c14abca"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acr_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.acr_stealer_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_885dd5a2520c2a460bba6eeb3147670a114466803568b2f029aa5eef95499efd"
+ logic_hash = "885dd5a2520c2a460bba6eeb3147670a114466803568b2f029aa5eef95499efd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -174005,13 +174005,13 @@ rule MALPEDIA_Win_Cycbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f50ec979-8f6a-5740-8114-427b01b36076"
+ id = "0739459b-9989-5273-9ccc-a0e809393001"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cycbot_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_5d47f4f5e3abd3b5df89c0d09b456bd0060fa6da83993d889b58fda1585abda3"
+ logic_hash = "5d47f4f5e3abd3b5df89c0d09b456bd0060fa6da83993d889b58fda1585abda3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -174044,13 +174044,13 @@ rule MALPEDIA_Win_Evilpony_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3d70ac01-f622-5677-82c3-ad6e6e544501"
+ id = "c9372a6e-35c7-52f6-9c3d-299228c095b1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.evilpony_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_ffd9f8ba97fbd907290551898893cb44ef48c12bf2cd21edd5aa01ba36ae5a3e"
+ logic_hash = "ffd9f8ba97fbd907290551898893cb44ef48c12bf2cd21edd5aa01ba36ae5a3e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -174083,13 +174083,13 @@ rule MALPEDIA_Win_Doublefantasy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fe8520aa-91be-5590-82e3-121dd5650d27"
+ id = "5fe3121c-5496-55ab-9366-675d7b098073"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doublefantasy_auto.yar#L1-L176"
 license_url = "N/A"
- logic_hash = "v1_sha256_a1a10ee4973cf324c6bb6108700a68b5d1131343a7e5a1c18b7924dc06048831"
+ logic_hash = "a1a10ee4973cf324c6bb6108700a68b5d1131343a7e5a1c18b7924dc06048831"
 score = 75
 quality = 75
 tags = "FILE"
@@ -174128,13 +174128,13 @@ rule MALPEDIA_Win_Alma_Locker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9ba44ee2-fb64-52b1-a486-abc3c20cb352"
+ id = "aee3e7b2-c800-5626-b16d-a97379fcdea3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.alma_locker_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_d029bcdb50f2458857c09101718554ffd09ec8e36a279b20a435629ea205a537"
+ logic_hash = "d029bcdb50f2458857c09101718554ffd09ec8e36a279b20a435629ea205a537"
 score = 75
 quality = 75
 tags = "FILE"
@@ -174167,13 +174167,13 @@ rule MALPEDIA_Win_Darkpink_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5ddeb029-d9b9-5246-b24b-3918b253f590"
+ id = "b675ae58-304b-51cc-82c9-2d05a952daf3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpink"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkpink_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_ae61fd7de2751bb38bc52ea4bef7ef6d5cc9562894ba78123146d52f1f8217ba"
+ logic_hash = "ae61fd7de2751bb38bc52ea4bef7ef6d5cc9562894ba78123146d52f1f8217ba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -174206,13 +174206,13 @@ rule MALPEDIA_Elf_Hideandseek_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "02b44a03-f9d7-5138-9475-44b755cfcd61"
+ id = "98de3f6a-a564-55ea-8fed-c2f9d5e8c7a4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/elf.hideandseek_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_831bf70ed51337c7cfb50b54eee15779cbace8e90d2493dbccfcb114f36dd2a6"
+ logic_hash = "831bf70ed51337c7cfb50b54eee15779cbace8e90d2493dbccfcb114f36dd2a6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -174245,13 +174245,13 @@ rule MALPEDIA_Win_Meduza_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8ca649a5-6060-5034-8da6-c369b84a6f26" + id = "53f96cd6-21f2-53a2-bbb8-b71563537ed2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.meduza_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_14b88dc41a5c318d90c279963aa5ad461ee65cb9acf5c901876d99dfeb325a5a" + logic_hash = "14b88dc41a5c318d90c279963aa5ad461ee65cb9acf5c901876d99dfeb325a5a" score = 75 quality = 75 tags = "FILE" @@ -174284,13 +174284,13 @@ rule MALPEDIA_Win_Cerbu_Miner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c28c707f-3cfa-5946-867d-0356f5f1165b" + id = "77652d6a-745f-5552-8901-83bf555706f4" date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cerbu_miner_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_e4927a587588bc11053fcbade5bb9500364c9a656d383eb318cc8486464f3cce" + logic_hash = "e4927a587588bc11053fcbade5bb9500364c9a656d383eb318cc8486464f3cce" score = 75 quality = 75 tags = "FILE" 
@@ -174323,13 +174323,13 @@ rule MALPEDIA_Win_Banpolmex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "84daa397-80c9-5b21-99af-ef22f5a63ea4" + id = "5e5629b9-1e18-5205-b631-ad03c2ae43f0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.banpolmex_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_e119b8f9656fb74b42241f31ba7dcd3e79fbd082cb37077b0109e5a58aed6af5" + logic_hash = "e119b8f9656fb74b42241f31ba7dcd3e79fbd082cb37077b0109e5a58aed6af5" score = 75 quality = 75 tags = "FILE" @@ -174362,13 +174362,13 @@ rule MALPEDIA_Win_Maktub_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "15107a3c-d308-5bdb-ae41-9cd65780bfc2" + id = "10d37b97-d01f-5921-a99f-ff7dd2fcd55b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.maktub_auto.yar#L1-L207" license_url = "N/A" - logic_hash = "v1_sha256_3c5d956147e4a1bdb902ea8258e01af6a03648debc316e3eed6aa86b46300c73" + logic_hash = "3c5d956147e4a1bdb902ea8258e01af6a03648debc316e3eed6aa86b46300c73" score = 75 quality = 73 tags = "FILE" 
@@ -174413,13 +174413,13 @@ rule MALPEDIA_Win_Mpkbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba86ee30-db4b-5b88-b621-782cf7214138" + id = "8f074133-bfc7-504a-bda1-097418743139" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mpkbot_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_011afed12d8733a7391f09eb1750e489d4da026e534c4eca601c4698788ee6ad" + logic_hash = "011afed12d8733a7391f09eb1750e489d4da026e534c4eca601c4698788ee6ad" score = 75 quality = 75 tags = "FILE" @@ -174452,13 +174452,13 @@ rule MALPEDIA_Win_Xdspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8666f60c-55a8-5e78-8824-b6a0f3f5bd48" + id = "e9ae860f-a2c7-565f-9217-a440882548d6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xdspy_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "v1_sha256_1f709444cf724d3961e54f18b66ae4023548e4088934cac26da730f0bde271d9" + logic_hash = "1f709444cf724d3961e54f18b66ae4023548e4088934cac26da730f0bde271d9" score = 75 quality = 75 tags = "FILE" 
@@ -174497,13 +174497,13 @@ rule MALPEDIA_Win_Bart_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1da18ccf-6e47-5a71-b8a5-aa99f4a0666b" + id = "47f2dba4-1ef6-5808-90b4-0ef4438e03a3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bart_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_b12024871014a9e86ab993e82383bdd8cbf27e2df488611e968a0202264b8904" + logic_hash = "b12024871014a9e86ab993e82383bdd8cbf27e2df488611e968a0202264b8904" score = 75 quality = 75 tags = "FILE" @@ -174536,13 +174536,13 @@ rule MALPEDIA_Win_Quantloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c0914381-4d6e-5ff8-bc04-cb7e563a6a38" + id = "432b5f56-9f20-5011-836d-a160f44f614d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.quantloader_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "v1_sha256_35c517bd3ba01671a26eeca12557e31f89943cd497a56be614b2b507cc9bda11" + logic_hash = "35c517bd3ba01671a26eeca12557e31f89943cd497a56be614b2b507cc9bda11" score = 75 quality = 75 tags = "FILE" 
@@ -174581,13 +174581,13 @@ rule MALPEDIA_Win_Fishmaster_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a656b04b-506b-56f2-9a00-395657f63e64" + id = "c7f73382-0b3e-516e-ada8-2592a288859c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fishmaster_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_2d3700642fa743154e0272490d462793baad4e202db4b6b6f02f2c7c184ce851" + logic_hash = "2d3700642fa743154e0272490d462793baad4e202db4b6b6f02f2c7c184ce851" score = 75 quality = 75 tags = "FILE" @@ -174620,13 +174620,13 @@ rule MALPEDIA_Win_Formbook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "06801701-a49f-562c-a2e3-0f8db9f9eb5c" + id = "241ced8d-1693-5841-a374-2686d8f6dbd5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.formbook_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_3380fbe26c3100d3b724659437582cb2b4b97057755a8459118372ab9a826cc2" + logic_hash = "3380fbe26c3100d3b724659437582cb2b4b97057755a8459118372ab9a826cc2" score = 75 quality = 75 tags = "FILE" 
@@ -174659,13 +174659,13 @@ rule MALPEDIA_Win_Ncctrojan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6932aab6-96e5-5fdc-bd10-907a0d52afbe" + id = "73693e19-d3ac-5418-9f8a-95e68a6f57fb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ncctrojan_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "v1_sha256_27c3caf8c915c86b411337145e185c50823300943eb40fbabcf07830267e1942" + logic_hash = "27c3caf8c915c86b411337145e185c50823300943eb40fbabcf07830267e1942" score = 75 quality = 75 tags = "FILE" @@ -174704,13 +174704,13 @@ rule MALPEDIA_Win_Pipcreat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3b7f8697-8664-5075-bb27-523dd91f5ef3" + id = "8419290f-1015-5dec-8abc-87fb98932602" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pipcreat_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_bfd77063c9003804a72d5e23f231f6f0ede323cbb3ca337d538e8165945eb11a" + logic_hash = "bfd77063c9003804a72d5e23f231f6f0ede323cbb3ca337d538e8165945eb11a" score = 75 quality = 75 tags = "FILE" 
@@ -174743,13 +174743,13 @@ rule MALPEDIA_Win_Halfrig_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f8e0ccfe-6958-5e3a-9b8f-9f0dc368c681" + id = "62b21a07-3d27-5219-adbb-784980e8887e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.halfrig" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.halfrig_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_40d5c53e96f42e606a7012f83f1c1231408111cee8ecb6b2b8598f974593fa4a" + logic_hash = "40d5c53e96f42e606a7012f83f1c1231408111cee8ecb6b2b8598f974593fa4a" score = 75 quality = 75 tags = "FILE" @@ -174782,13 +174782,13 @@ rule MALPEDIA_Win_Redsalt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7f41965c-76f5-52c6-8d11-70de0c5ca1ba" + id = "5db28da0-c495-5a5e-81dd-226433bd91b1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.redsalt_auto.yar#L1-L223" license_url = "N/A" - logic_hash = "v1_sha256_5cb648a823e719ff50550ad2518a39d179f56511a84a79bfd6218be12b96b8b0" + logic_hash = "5cb648a823e719ff50550ad2518a39d179f56511a84a79bfd6218be12b96b8b0" score = 75 quality = 73 tags = "FILE" 
@@ -174836,13 +174836,13 @@ rule MALPEDIA_Win_Tarsip_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1ccf1990-5f9c-5a9f-be5e-7adc4bf29f61" + id = "ee7f1e65-623e-5bf6-9501-f2cb0191dbfa" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tarsip_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_250b7ade9271df7a85ec6b855f6cf5a10251a0f1952bae0fcefa6519af030f1e" + logic_hash = "250b7ade9271df7a85ec6b855f6cf5a10251a0f1952bae0fcefa6519af030f1e" score = 75 quality = 75 tags = "FILE" @@ -174875,13 +174875,13 @@ rule MALPEDIA_Win_Sneepy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6d8e257d-a972-5c50-967e-fd0854f0ed09" + id = "5ef3150e-2bf6-5a09-ba39-87be2aca4160" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sneepy_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_93bb250be962b8e39c384decdfc047f665d0471aa8b95be7ae603f090eace95c" + logic_hash = "93bb250be962b8e39c384decdfc047f665d0471aa8b95be7ae603f090eace95c" score = 75 quality = 75 tags = "FILE" 
@@ -174914,13 +174914,13 @@ rule MALPEDIA_Win_Hlux_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f82194b7-d11d-57e5-ba4e-75b05e390b3b" + id = "d5f33612-2e58-5a58-b025-51b8c84d8ab0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hlux_auto.yar#L1-L159" license_url = "N/A" - logic_hash = "v1_sha256_6289602931f864ef390f887bdc3596feba8613d121e8e169b915693bee14e183" + logic_hash = "6289602931f864ef390f887bdc3596feba8613d121e8e169b915693bee14e183" score = 75 quality = 75 tags = "FILE" @@ -174959,13 +174959,13 @@ rule MALPEDIA_Win_Fireball_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "042a5827-7947-57ff-813f-f39323f2a4e5" + id = "56483242-91cf-583e-a311-f81ca06ce35e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fireball_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_c7846c89fcbe1ab5b4465cca84b35feb748c18b2402533bbb31c4b86c78dbc99" + logic_hash = "c7846c89fcbe1ab5b4465cca84b35feb748c18b2402533bbb31c4b86c78dbc99" score = 75 quality = 75 tags = "FILE" 
@@ -174998,13 +174998,13 @@ rule MALPEDIA_Win_Vobfus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "adaa9240-c3b2-59e5-9aa7-9fd35e7c4d6f" + id = "0a46ea97-451e-5b39-90ae-66d0e7a88052" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vobfus_auto.yar#L1-L223" license_url = "N/A" - logic_hash = "v1_sha256_cd307f59d811d28b88e7eec0e8a6b94fb0cf2bc6703d3faae8f6ec5a004bc423" + logic_hash = "cd307f59d811d28b88e7eec0e8a6b94fb0cf2bc6703d3faae8f6ec5a004bc423" score = 75 quality = 73 tags = "FILE" @@ -175051,13 +175051,13 @@ rule MALPEDIA_Win_Grey_Energy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f8e6bfe7-0068-52bb-af70-f706e4d34f2d" + id = "2194ec68-6952-5855-89b8-1a483c36ceb6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grey_energy_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "v1_sha256_6dd36b9cf8b9672a3513055fe48f5d646f4ed637cb72460d1965a0ebc0972231" + logic_hash = "6dd36b9cf8b9672a3513055fe48f5d646f4ed637cb72460d1965a0ebc0972231" score = 75 quality = 75 tags = "FILE" 
@@ -175096,13 +175096,13 @@ rule MALPEDIA_Win_Conti_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "635e5e1e-01f2-56af-b388-a210b20025bb" + id = "0b096496-c6ee-577a-814c-51565da6533c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.conti_auto.yar#L1-L249" license_url = "N/A" - logic_hash = "v1_sha256_dcbcb23c478cd81647ea44a976b8893f9822f8475b35052b849cd9e3172bedaa" + logic_hash = "dcbcb23c478cd81647ea44a976b8893f9822f8475b35052b849cd9e3172bedaa" score = 75 quality = 73 tags = "FILE" @@ -175153,13 +175153,13 @@ rule MALPEDIA_Win_Graphite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ae960bce-c601-53a8-8f63-97be6a4c3a08" + id = "22d6771d-6e02-5bad-92aa-7abf2f0540bc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphite" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.graphite_auto.yar#L1-L109" license_url = "N/A" - logic_hash = "v1_sha256_fac8314c02add0a1a3fcfc7bc6cd359f12eb58a8246911250bf475b51a803e3f" + logic_hash = "fac8314c02add0a1a3fcfc7bc6cd359f12eb58a8246911250bf475b51a803e3f" score = 75 quality = 75 tags = "FILE" 
@@ -175192,13 +175192,13 @@ rule MALPEDIA_Win_Lock_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "395de6c4-e666-5951-9bcc-efdf233b170c" + id = "66d7719a-09f7-5449-96c8-7a2badb35721" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lock_pos_auto.yar#L1-L147" license_url = "N/A" - logic_hash = "v1_sha256_68264cf97fe11e22f20de5aa9fd8236aae89e24686e8c6b06c621f87466b5d04" + logic_hash = "68264cf97fe11e22f20de5aa9fd8236aae89e24686e8c6b06c621f87466b5d04" score = 75 quality = 75 tags = "FILE" @@ -175234,13 +175234,13 @@ rule MALPEDIA_Win_Pandabanker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "efc7083e-687f-59d5-ab5b-a5bf91881fe9" + id = "751a691a-c53d-5542-8dd0-6d6e61efc66b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pandabanker_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_af183af405489953bbbd5be29d963fc77205c0eef74bef65d65833acc7e1921c" + logic_hash = "af183af405489953bbbd5be29d963fc77205c0eef74bef65d65833acc7e1921c" score = 75 quality = 75 tags = "FILE" 
@@ -175273,13 +175273,13 @@ rule MALPEDIA_Win_Dairy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "09dc291f-20d4-5d01-a428-4e35d201d297" + id = "133b9699-4dcc-594b-b21a-95c3efab14f3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dairy_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_1c31903f94f05665f06e9add90cd1dfd10d14af78de58f211ffc3b43b0fd9163" + logic_hash = "1c31903f94f05665f06e9add90cd1dfd10d14af78de58f211ffc3b43b0fd9163" score = 75 quality = 75 tags = "FILE" @@ -175312,13 +175312,13 @@ rule MALPEDIA_Win_Mirage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71c95716-ce27-525f-a561-5472ff8b2c6b" + id = "f68fe58b-43a1-51bc-9791-76dd178418d5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mirage_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "v1_sha256_4d8628bd678dab095b081b63d7dce2fda51131fe49ad45959de9c07d1338533f" + logic_hash = "4d8628bd678dab095b081b63d7dce2fda51131fe49ad45959de9c07d1338533f" score = 75 quality = 75 tags = "FILE" 
@@ -175357,13 +175357,13 @@ rule MALPEDIA_Win_Hermeticwiper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1fd9b098-460d-501c-9587-b2e0d7b4cdef" + id = "8b44d155-0791-5e5b-b54e-af128b883341" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hermeticwiper_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_17096a8aa2a5af71cd29251b2c3f7e9bb82649586a87a38d8e44cf9b2d8d68bd" + logic_hash = "17096a8aa2a5af71cd29251b2c3f7e9bb82649586a87a38d8e44cf9b2d8d68bd" score = 75 quality = 75 tags = "FILE" @@ -175396,13 +175396,13 @@ rule MALPEDIA_Win_Unidentified_042_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "027df964-4154-5d35-a8cf-dd8a3c6fc8d8" + id = "b7505cdf-3b67-54d1-b86a-09699ebba78c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_042_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_e1a66a5b2b9486f9685ec5c1def3b62ee2d1680cb3c8b0c5674fcab890803964" + logic_hash = "e1a66a5b2b9486f9685ec5c1def3b62ee2d1680cb3c8b0c5674fcab890803964" score = 75 quality = 75 tags = "FILE" 
@@ -175435,13 +175435,13 @@ rule MALPEDIA_Win_Carbanak_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "67956756-2b32-57d0-9b44-baa278e29e75" + id = "34d24f6c-b1d1-51ed-9905-23e69a560a3f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.carbanak_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_fa6cd9a85a7bf81411d9c274df92be474253e26394edfb9f41f2cdb268401124" + logic_hash = "fa6cd9a85a7bf81411d9c274df92be474253e26394edfb9f41f2cdb268401124" score = 75 quality = 75 tags = "FILE" @@ -175475,13 +175475,13 @@ rule MALPEDIA_Win_Sfile_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c44a9bc0-6e11-5171-86e9-267488bd0e57" + id = "75155690-b8c4-56cb-a521-79ec01661bb7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sfile" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sfile_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_f10b431d07234874e195b1e87ba788840300f4cb0ead711972642011468c2ef8" + logic_hash = "f10b431d07234874e195b1e87ba788840300f4cb0ead711972642011468c2ef8" score = 75 quality = 75 tags = "FILE" 
@@ -175514,13 +175514,13 @@ rule MALPEDIA_Win_Dripion_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "29a2363b-47e1-5081-8dcf-e9b29dc3038c" + id = "b0867d7f-74aa-587d-b520-fed580730ed1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dripion_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "v1_sha256_b54fd3ad608c7c63f9361c36ed20fa92f663e8b7a12233b0f074e7ff124b365a" + logic_hash = "b54fd3ad608c7c63f9361c36ed20fa92f663e8b7a12233b0f074e7ff124b365a" score = 75 quality = 75 tags = "FILE" @@ -175553,13 +175553,13 @@ rule MALPEDIA_Win_Tiny_Turla_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6b03753b-dc7e-5e81-a795-bccaf0fe1f35" + id = "cbc30228-0e4c-5d86-b8e7-6b44a66c67bf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tiny_turla_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_b2b8f5dd8c24eb98beaa2120ec3707c14594804ade8ee0e436beafc526cfc343" + logic_hash = "b2b8f5dd8c24eb98beaa2120ec3707c14594804ade8ee0e436beafc526cfc343" score = 75 quality = 75 tags = "FILE" 
@@ -175592,13 +175592,13 @@ rule MALPEDIA_Win_Mortis_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9ec696bc-184a-5a6f-b0bd-8259fad51a32" + id = "795aebf5-a47f-5442-8167-7bfad8d933e5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mortis" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mortis_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_aab52de125cd03f4e28839f7c33e3b05d109e77cc3c335759a1d782c52454873" + logic_hash = "aab52de125cd03f4e28839f7c33e3b05d109e77cc3c335759a1d782c52454873" score = 75 quality = 75 tags = "FILE" @@ -175631,13 +175631,13 @@ rule MALPEDIA_Win_Dadjoke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4edfb348-18e2-5aa7-9ff9-6eda282ec51e" + id = "7e6ed0b6-d7e2-510d-b9a1-64b59097a88b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dadjoke_auto.yar#L1-L236" license_url = "N/A" - logic_hash = "v1_sha256_012b91fdf9c20cf8af04f39b868e60895f8a732788d300f19ff99d8e0ff61772" + logic_hash = "012b91fdf9c20cf8af04f39b868e60895f8a732788d300f19ff99d8e0ff61772" score = 75 quality = 73 tags = "FILE" 
@@ -175683,13 +175683,13 @@ rule MALPEDIA_Win_Gibberish_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f311f24d-f72c-5d62-a55d-f5cb6ee3766d" + id = "865bad8c-5684-533c-98cd-44918d4d88e8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gibberish_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_c8df032f5625050a647f354eb2ac9a0b117355c598425d253e17209609dc1370" + logic_hash = "c8df032f5625050a647f354eb2ac9a0b117355c598425d253e17209609dc1370" score = 75 quality = 75 tags = "FILE" @@ -175722,13 +175722,13 @@ rule MALPEDIA_Win_Carberp_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0ae31eea-0e8a-561c-a29f-69a0edfd31ea" + id = "0a8c5eae-e871-515f-938c-f71747cf4ace" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.carberp_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_7591c0ae0d97018ab7f451ed94881b2aa3238758f2aeec163b32e54490fa5153" + logic_hash = "7591c0ae0d97018ab7f451ed94881b2aa3238758f2aeec163b32e54490fa5153" score = 75 quality = 75 tags = "FILE" 
@@ -175761,13 +175761,13 @@ rule MALPEDIA_Win_Orangeade_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c49be8e7-6dae-5bee-8067-e7a23d224870" + id = "a790e493-320f-57de-9b62-d13796c94676" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.orangeade_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_bc9cfd6680cc4f32cd41e9edf43afa43b54975c598906df96ea95e31fa6c1612" + logic_hash = "bc9cfd6680cc4f32cd41e9edf43afa43b54975c598906df96ea95e31fa6c1612" score = 75 quality = 75 tags = "FILE" @@ -175800,13 +175800,13 @@ rule MALPEDIA_Win_Chiser_Client_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2d6638f7-176b-58d9-80f3-623f25aa8741" + id = "f565e008-ef7c-5843-a15a-c3b17611be9c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chiser_client" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chiser_client_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_4cf569331733e568f50794a1dc9bdd96595cb2c255defe55202f75e9deeee12b" + logic_hash = "4cf569331733e568f50794a1dc9bdd96595cb2c255defe55202f75e9deeee12b" score = 75 quality = 75 tags = "FILE" 
@@ -175839,13 +175839,13 @@ rule MALPEDIA_Win_Simplefilemover_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "29a8a8b2-0e5e-5ea0-aad0-87c3d1f70421" + id = "14bdd8f8-6142-5a38-9205-708716e93989" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.simplefilemover_auto.yar#L1-L222" license_url = "N/A" - logic_hash = "v1_sha256_6035737199462cdcfa6d56d9e4b447822bb430a938cb907f7ba0f0edbb7456df" + logic_hash = "6035737199462cdcfa6d56d9e4b447822bb430a938cb907f7ba0f0edbb7456df" score = 75 quality = 73 tags = "FILE" @@ -175890,13 +175890,13 @@ rule MALPEDIA_Win_Oceansalt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "384e04ac-7381-5d4d-ad86-225fbde7de3f" + id = "191b2018-8ac3-5133-a29f-db070c527bb4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.oceansalt_auto.yar#L1-L171" license_url = "N/A" - logic_hash = "v1_sha256_618191320109f3ef06ff0a1fecf4d89247c2a03c9ed872381bb347fb4c387d8b" + logic_hash = "618191320109f3ef06ff0a1fecf4d89247c2a03c9ed872381bb347fb4c387d8b" score = 75 quality = 75 tags = "FILE" 
@@ -175935,13 +175935,13 @@ rule MALPEDIA_Win_Mbrlock_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f69857b1-0b65-5508-858d-3e7a45ffc760" + id = "cc094c21-b137-5d7e-ad7a-b11c96748bb2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mbrlock_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_491b9f4fb168bceb19b5cf7b6c98ee71ee5564cadbcb31d189925e8a478d4bf3" + logic_hash = "491b9f4fb168bceb19b5cf7b6c98ee71ee5564cadbcb31d189925e8a478d4bf3" score = 75 quality = 75 tags = "FILE" @@ -175974,13 +175974,13 @@ rule MALPEDIA_Win_Getmypass_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6f5f66e5-9556-5c37-b6a1-f3232e7818ba" + id = "2ef24a38-2dcf-5e36-ba94-2bb1b309bc31" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.getmypass_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_942b395c1b2d446c948aa0d6582010011bc502a4c907e5ca48324090ba079bd9" + logic_hash = "942b395c1b2d446c948aa0d6582010011bc502a4c907e5ca48324090ba079bd9" score = 75 quality = 75 tags = "FILE" 
@@ -176013,13 +176013,13 @@ rule MALPEDIA_Win_Erebus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ce985cf2-72b0-574d-b67e-45813c5238cd"
+ id = "bb1eb465-4db1-53de-8a86-97595b0c4304"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.erebus_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_f2c3fac68e77b34a8cb144aa7557b3180cfb2d2c5f88070b47f30c977edf0360"
+ logic_hash = "f2c3fac68e77b34a8cb144aa7557b3180cfb2d2c5f88070b47f30c977edf0360"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176052,13 +176052,13 @@ rule MALPEDIA_Win_Applejeus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "479adaa5-9fcf-5ddc-b0e2-42f413cbdb83"
+ id = "a96317b4-bd12-5fff-be15-1f3be0768b07"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.applejeus_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_c4add26ff07d848a7e42bd144b883577737cbad9e67d1f7f5e019bb64cfa0808"
+ logic_hash = "c4add26ff07d848a7e42bd144b883577737cbad9e67d1f7f5e019bb64cfa0808"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176091,13 +176091,13 @@ rule MALPEDIA_Win_Gandcrab_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "48f66ebe-edff-5699-8cd5-6ab32fe62c37"
+ id = "b13655d9-7544-5839-87c5-fd4e5e753f37"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gandcrab_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_cdc40f7d17830a090b941b5f5b366bcc6036a417302630b2621031aa8f4178c1"
+ logic_hash = "cdc40f7d17830a090b941b5f5b366bcc6036a417302630b2621031aa8f4178c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176130,13 +176130,13 @@ rule MALPEDIA_Win_Svcready_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec97dd40-8d53-5a18-920b-334bcb64cc4f"
+ id = "9d907139-c144-5614-a62a-7c32470debfc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.svcready_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_d564083fd80540ab82e35300283080c4f0bdfd997ccd9dbb29372661ffd56646"
+ logic_hash = "d564083fd80540ab82e35300283080c4f0bdfd997ccd9dbb29372661ffd56646"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176169,13 +176169,13 @@ rule MALPEDIA_Win_Blackcoffee_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "754067c0-582c-5910-adbb-5a90ef6e3550"
+ id = "4f36c9cd-a889-561b-ae61-a577c98570f5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackcoffee_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_0bd95226ab3597279ec9c63042069446fb610a5d850507e2f23654627aa44494"
+ logic_hash = "0bd95226ab3597279ec9c63042069446fb610a5d850507e2f23654627aa44494"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176208,13 +176208,13 @@ rule MALPEDIA_Win_Firechili_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "58cb718c-1874-56bc-802f-2b048af5efec"
+ id = "559e09c8-5cc7-5636-8b29-09d353ae6b28"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.firechili_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_c22cf39b407e9812d354a7c986ef996dc279b9f043abb338a1580b523e11c3e8"
+ logic_hash = "c22cf39b407e9812d354a7c986ef996dc279b9f043abb338a1580b523e11c3e8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176247,13 +176247,13 @@ rule MALPEDIA_Win_Laturo_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b42f6147-f901-582c-ac21-e1f314ab0dbf"
+ id = "81276e33-698e-507e-b345-8c9c243babc3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.laturo_auto.yar#L1-L170"
 license_url = "N/A"
- logic_hash = "v1_sha256_3a95665a0f62c0e6d122fab4ca77fec299db1ff67fd03f39a710232d9c73dd0f"
+ logic_hash = "3a95665a0f62c0e6d122fab4ca77fec299db1ff67fd03f39a710232d9c73dd0f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176292,13 +176292,13 @@ rule MALPEDIA_Win_Kasperagent_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6066f019-78f6-5dde-9e11-360fd5cd65b0"
+ id = "340f4639-6fe5-58b0-bb8f-f62f0676eeb4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kasperagent_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_64254218e6067b681b9ff76df50b8965f4daccd1f710c2911946f314fae43e64"
+ logic_hash = "64254218e6067b681b9ff76df50b8965f4daccd1f710c2911946f314fae43e64"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176331,13 +176331,13 @@ rule MALPEDIA_Win_Naikon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "79fc8087-cefa-5a6e-b5f7-b595e73590f1"
+ id = "9a0d1ff4-6123-5ada-8c4c-3a20072403a8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.naikon_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_482df4e8a690a40d5dd089da89ade7d874a9359b42eeeb91d9707824c08e20e9"
+ logic_hash = "482df4e8a690a40d5dd089da89ade7d874a9359b42eeeb91d9707824c08e20e9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176370,13 +176370,13 @@ rule MALPEDIA_Win_Unidentified_098_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b8a123c2-35eb-5690-a285-d8b14f715c4b"
+ id = "77dc1ff9-dd3d-5bc9-85b5-203dd4f53718"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_098"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_098_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_0219ee65046a1130cad6fddadbb5a6a530711c105dcd628abbc82d2c03f62f83"
+ logic_hash = "0219ee65046a1130cad6fddadbb5a6a530711c105dcd628abbc82d2c03f62f83"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176409,13 +176409,13 @@ rule MALPEDIA_Win_Pillowmint_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3e09c794-1f8d-5d8b-bc07-5fa8691d8cf6"
+ id = "c0d8452f-d73d-5e3b-840b-1f0850b1a270"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pillowmint_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_ae66a0e7e95b7c87f1f3ab1ab6c5145cf23dd8e31b81c9730156e18b839d9281"
+ logic_hash = "ae66a0e7e95b7c87f1f3ab1ab6c5145cf23dd8e31b81c9730156e18b839d9281"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176448,13 +176448,13 @@ rule MALPEDIA_Win_Krbanker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "524a4d15-c73b-5901-b364-39d2d0c75563"
+ id = "9a0cf891-270c-5b18-9c0c-11605a809801"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.krbanker_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_3f68b288c9b94489462004d900c99f82c6cc93e611f88ed341834ce27199e0a6"
+ logic_hash = "3f68b288c9b94489462004d900c99f82c6cc93e611f88ed341834ce27199e0a6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176487,13 +176487,13 @@ rule MALPEDIA_Win_Zhcat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c2bc1fff-421e-5047-b02c-5f5359c3dd4c"
+ id = "632a3d5c-2d89-5179-ac16-c2aceba5bbfa"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zhcat_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_1660d8f51e51dd71d6a1d9261fb6addc44fa7696401b7d8f6127a7c99ca1c719"
+ logic_hash = "1660d8f51e51dd71d6a1d9261fb6addc44fa7696401b7d8f6127a7c99ca1c719"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176526,13 +176526,13 @@ rule MALPEDIA_Win_Lemonduck_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8f75d9c6-9c63-50d2-8bfb-814ce9f41abb"
+ id = "79120d9c-8a0d-5155-9a06-2a2421d4dbd2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lemonduck_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_54774a4a200c3b8a4ce7eb935c4745902b9f773eeb8d215043530b937c7a7753"
+ logic_hash = "54774a4a200c3b8a4ce7eb935c4745902b9f773eeb8d215043530b937c7a7753"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176565,13 +176565,13 @@ rule MALPEDIA_Win_Bhunt_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4e8fc656-5465-56b2-a007-108f7040a5b2"
+ id = "29e82532-7a8f-57df-9bb4-9a79fe2adcb0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bhunt_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_a7325d2f342b2d438ae4157b93fee930a25dcbfe35ec458ac01a26d195b6e98d"
+ logic_hash = "a7325d2f342b2d438ae4157b93fee930a25dcbfe35ec458ac01a26d195b6e98d"
 score = 50
 quality = 75
 tags = "FILE"
@@ -176604,13 +176604,13 @@ rule MALPEDIA_Win_Cherry_Picker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fc0588f9-96be-590a-b523-b9444fee3ae8"
+ id = "85645a18-926d-5b0e-9fa0-dbb70398619f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cherry_picker_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_d063fae0bccc43dbf0d60b6c18c60c6de12439bcf31003957c363036cbe5a98f"
+ logic_hash = "d063fae0bccc43dbf0d60b6c18c60c6de12439bcf31003957c363036cbe5a98f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176643,13 +176643,13 @@ rule MALPEDIA_Win_Unidentified_096_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3fa4d580-a450-52ac-b23a-38c6609ee495"
+ id = "ffd5cfa4-f468-5327-a209-b875a1aa7db9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_096"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_096_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_d9d15c86fa946b0e45aa738b5898be2be607aa89def00775e64a1c8735fb15f8"
+ logic_hash = "d9d15c86fa946b0e45aa738b5898be2be607aa89def00775e64a1c8735fb15f8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176682,13 +176682,13 @@ rule MALPEDIA_Win_Postnaptea_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a2e71d97-d932-58eb-b54b-bf6affe63f36"
+ id = "bae1adbd-4c25-5db5-ad59-5851d74e85fc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.postnaptea"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.postnaptea_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_67d33b8cfdd7ab58e5e7ea5ee0e718fa9e407a5184249ea4dfd2464e78e03ab8"
+ logic_hash = "67d33b8cfdd7ab58e5e7ea5ee0e718fa9e407a5184249ea4dfd2464e78e03ab8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176721,13 +176721,13 @@ rule MALPEDIA_Win_Duqu_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "812e8f17-c8e5-549a-a592-f34edea3c2ed"
+ id = "424302fc-6577-56a8-8823-f2003c48bc5c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.duqu_auto.yar#L1-L171"
 license_url = "N/A"
- logic_hash = "v1_sha256_c898aec26da15be1184cad51dbcbbea7d5de6c2fe0a6afa2af1a2af031fa3007"
+ logic_hash = "c898aec26da15be1184cad51dbcbbea7d5de6c2fe0a6afa2af1a2af031fa3007"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176766,13 +176766,13 @@ rule MALPEDIA_Win_Unidentified_081_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6a228783-8925-57e5-ad27-ceedd6726af5"
+ id = "4bef4e35-3450-5f50-98ad-424279417112"
 date = "2023-12-06"
 modified = "2023-12-08"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_081"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_081_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_0bf113d92abe743278ae5a94b3d8f7a48f5ba7f91d2e79f1d3ac361b6c786f4e"
+ logic_hash = "0bf113d92abe743278ae5a94b3d8f7a48f5ba7f91d2e79f1d3ac361b6c786f4e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176805,13 +176805,13 @@ rule MALPEDIA_Win_Squirrelwaffle_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "258eaeba-d5fa-5b93-b719-0e1dee290aa8"
+ id = "c61157f1-60e2-5b06-a116-a20987079807"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.squirrelwaffle_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_9eaea34205659a464bf5b301bb94e11eb962293c24be78788f1b35d437de22a1"
+ logic_hash = "9eaea34205659a464bf5b301bb94e11eb962293c24be78788f1b35d437de22a1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176844,13 +176844,13 @@ rule MALPEDIA_Win_Mimikatz_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "87e55939-0147-5ea3-8078-ba71cea41190"
+ id = "7f63ff96-1e0a-5197-8a45-285738861f05"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mimikatz_auto.yar#L1-L204"
 license_url = "N/A"
- logic_hash = "v1_sha256_55557ae737b34b617581092058134efff316e946e4bd0657345c0e9223ab37a5"
+ logic_hash = "55557ae737b34b617581092058134efff316e946e4bd0657345c0e9223ab37a5"
 score = 75
 quality = 73
 tags = "FILE"
@@ -176895,13 +176895,13 @@ rule MALPEDIA_Win_Backspace_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "96cf2188-d07c-593b-8e9a-b3c23d8f191a"
+ id = "74f06e56-cb1b-558b-a9a6-675b90898d32"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.backspace_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_1f557e82713be82d4effefb67945984b55368207555daca9d42390f29b2b045a"
+ logic_hash = "1f557e82713be82d4effefb67945984b55368207555daca9d42390f29b2b045a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176934,13 +176934,13 @@ rule MALPEDIA_Win_Hodur_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a0f504a5-6b25-5d8d-b2a6-c203af8ae5fa"
+ id = "1836cfc6-54d1-596d-bd26-13def8f48ebb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hodur"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hodur_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_10960e958b4b7c8c59844799eda78e681e350f46bd3cc75a9f3f73ad5cb0c26d"
+ logic_hash = "10960e958b4b7c8c59844799eda78e681e350f46bd3cc75a9f3f73ad5cb0c26d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -176973,13 +176973,13 @@ rule MALPEDIA_Win_Turla_Silentmoon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "800b04cb-416f-5226-9597-f5d2ecb151ed"
+ id = "3bd3f75c-66e7-530a-b900-053594c9b821"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.turla_silentmoon_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_1fa09fbf5696dc9d66cc7dcda76511a0b5324dc46891c26079664b06f37ad447"
+ logic_hash = "1fa09fbf5696dc9d66cc7dcda76511a0b5324dc46891c26079664b06f37ad447"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177012,13 +177012,13 @@ rule MALPEDIA_Win_Agent_Btz_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "53459619-19e0-562d-868a-b7a43e291261"
+ id = "16f92e8e-8ed3-5d53-b4f6-23ff2aafa84a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.agent_btz_auto.yar#L1-L501"
 license_url = "N/A"
- logic_hash = "v1_sha256_267846e6f96c5156f52d43399a19aa0f1974b0f38d3edac082778780cdba135e"
+ logic_hash = "267846e6f96c5156f52d43399a19aa0f1974b0f38d3edac082778780cdba135e"
 score = 75
 quality = 50
 tags = "FILE"
@@ -177100,13 +177100,13 @@ rule MALPEDIA_Win_Sanny_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5eb662b8-db29-52bd-8162-2b020ac4b7d4"
+ id = "71ee291c-39d8-5317-9103-639480e4514a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sanny_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_ae770490b83cd065ad50cf06c242577c788775793cde0b9ec9f8ad204369466f"
+ logic_hash = "ae770490b83cd065ad50cf06c242577c788775793cde0b9ec9f8ad204369466f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177139,13 +177139,13 @@ rule MALPEDIA_Win_Tokyox_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e9b7c8a2-5aeb-5a70-a1c8-588e34807679"
+ id = "57574695-5c21-57dd-9f3e-5c009f7654f6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tokyox"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tokyox_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_e5ebbfb35065dbc14f8f4e75c7bbc71cffc1206aa4b5e3c10e8410f8c2a12bf7"
+ logic_hash = "e5ebbfb35065dbc14f8f4e75c7bbc71cffc1206aa4b5e3c10e8410f8c2a12bf7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177178,13 +177178,13 @@ rule MALPEDIA_Win_Mutabaha_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "514215d2-ab08-5b01-bd8c-6ce5e7e08a90"
+ id = "0b7c3233-e337-53ad-9db2-68c9d4c66563"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mutabaha_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_927984049f5ae8f206bee3f98c76bb65fa49de69b36e329af5d25dd2060b803c"
+ logic_hash = "927984049f5ae8f206bee3f98c76bb65fa49de69b36e329af5d25dd2060b803c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177217,13 +177217,13 @@ rule MALPEDIA_Win_Rc2Fm_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d337685c-bde0-5604-b03b-0d83ab687a4b"
+ id = "e03b7b3c-48a1-54e0-8e6b-e042d3ac2eec"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rc2fm_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_fde85b529d09d7ff1cf9ced9923a8b91413b0ceeff762a4b8cd7ea6f3c6fcfbf"
+ logic_hash = "fde85b529d09d7ff1cf9ced9923a8b91413b0ceeff762a4b8cd7ea6f3c6fcfbf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177256,13 +177256,13 @@ rule MALPEDIA_Win_Nemty_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5f1635e1-5628-54e5-b654-d43fc5296842"
+ id = "ed44110a-96dc-5598-9b44-575420ef007c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nemty_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_f4748253b478a30babc01e1a18cefa28bd614751ff42e5c92d122e8c6c1d7fc7"
+ logic_hash = "f4748253b478a30babc01e1a18cefa28bd614751ff42e5c92d122e8c6c1d7fc7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177295,13 +177295,13 @@ rule MALPEDIA_Win_Leash_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b80eccf5-5849-57da-b4ca-9ccc4a5d2eec"
+ id = "0278e751-33b7-524f-8591-2e0be840b450"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.leash_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_ed40f6249299f75f35aea5ea7ac83b742dd2beb0bf7f39fe8ae59cad9cdb437c"
+ logic_hash = "ed40f6249299f75f35aea5ea7ac83b742dd2beb0bf7f39fe8ae59cad9cdb437c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177334,13 +177334,13 @@ rule MALPEDIA_Win_Purplewave_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "09e17f95-db28-54a5-93d9-400890eae3cf"
+ id = "a8fab1de-de14-5b36-888a-a891d75c38a4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.purplewave_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_ec1dbe620cafbb0b6c5ed6f89052ebc62f770f57ab87864e785a226f41ace5e3"
+ logic_hash = "ec1dbe620cafbb0b6c5ed6f89052ebc62f770f57ab87864e785a226f41ace5e3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177373,13 +177373,13 @@ rule MALPEDIA_Win_Final1Stspy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5461f1a5-f4e4-54bf-a541-796b2ea1b433"
+ id = "06e7f902-9031-5e75-88f0-dd09807b7f4e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.final1stspy_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_2aee3f29893f78ed34587724b374d747687bfd3ae50997bd5da3ecf9af5640fd"
+ logic_hash = "2aee3f29893f78ed34587724b374d747687bfd3ae50997bd5da3ecf9af5640fd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177412,13 +177412,13 @@ rule MALPEDIA_Win_Iisniff_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3c21a730-78d0-5dc2-8f14-bf6d0fb75fe4"
+ id = "6c640864-5993-563c-afe7-e26ca8c22f49"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.iisniff_auto.yar#L1-L162"
 license_url = "N/A"
- logic_hash = "v1_sha256_110e5f48ca56611bc57ccb877448c194f26647c840b794b9ff7133caff38a207"
+ logic_hash = "110e5f48ca56611bc57ccb877448c194f26647c840b794b9ff7133caff38a207"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177456,13 +177456,13 @@ rule MALPEDIA_Win_Unidentified_041_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f7f88396-0d54-5a49-a932-d722556ffa02"
+ id = "b9d7c571-d170-593a-8f70-0469676cb185"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_041_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_f4d0787e07f3ceed2cd8cf3663fb1191bdc709f813ee4ffdf4c24d0d1a2d3c75"
+ logic_hash = "f4d0787e07f3ceed2cd8cf3663fb1191bdc709f813ee4ffdf4c24d0d1a2d3c75"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177495,13 +177495,13 @@ rule MALPEDIA_Win_Breakthrough_Loader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "97e45ecc-adda-5f85-b330-373c3572ff7b"
+ id = "0193d887-590b-5255-aefc-27c1cd144cae"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.breakthrough_loader_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_ea01661f3f714348cfd1bd7d048f5208e62d40484683d30237ed92dc307f011d"
+ logic_hash = "ea01661f3f714348cfd1bd7d048f5208e62d40484683d30237ed92dc307f011d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177534,13 +177534,13 @@ rule MALPEDIA_Win_Onliner_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d195cc9e-0145-5d4b-bcf9-2203cd6ede17"
+ id = "c0a25174-badc-5a1b-a67c-48cbb1aef2be"
 date = "2023-12-06"
 modified = "2023-12-08"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.onliner_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_6df36365f1b8dbe7cdb1d0b03d64f7da847c99d2518d7b5ebc1610f68ca3a069"
+ logic_hash = "6df36365f1b8dbe7cdb1d0b03d64f7da847c99d2518d7b5ebc1610f68ca3a069"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177573,13 +177573,13 @@ rule MALPEDIA_Win_Andromut_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c5ad1cc6-75e4-59cb-8e86-70aca01076e4"
+ id = "01d6866f-94d6-5040-b42e-5414ac7b6d42"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.andromut_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_439db6ddaec21c0c7cf9cb5dec8606d00b8cbca3475fe9c3377e8acfff026f82"
+ logic_hash = "439db6ddaec21c0c7cf9cb5dec8606d00b8cbca3475fe9c3377e8acfff026f82"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177612,13 +177612,13 @@ rule MALPEDIA_Win_Mosquito_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "54912545-fa56-57d9-a73f-02a7711d8906"
+ id = "71ca1f1d-a29d-5919-908a-8739132906e6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mosquito_auto.yar#L1-L196"
 license_url = "N/A"
- logic_hash = "v1_sha256_69b344d7d3f2add25a4f6f1220ea429e517503872e1e485621e80a5c5693cfe3"
+ logic_hash = "69b344d7d3f2add25a4f6f1220ea429e517503872e1e485621e80a5c5693cfe3"
 score = 75
 quality = 73
 tags = "FILE"
@@ -177662,13 +177662,13 @@ rule MALPEDIA_Win_Brute_Ratel_C4_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "40480583-1104-5138-87fa-cc7ade1c7a08"
+ id = "2e0925bc-6929-57fd-a204-d14352ab043b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.brute_ratel_c4_auto.yar#L1-L169"
 license_url = "N/A"
- logic_hash = "v1_sha256_494c4fae1039f425b8c7198dfaa8d777cff4b0b0868ed2b5b99463571dc5c16b"
+ logic_hash = "494c4fae1039f425b8c7198dfaa8d777cff4b0b0868ed2b5b99463571dc5c16b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177707,13 +177707,13 @@ rule MALPEDIA_Win_Clipog_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f8b223a5-c810-5db2-97d3-fd0ae6e47a89"
+ id = "22c07191-4d84-5a13-93be-3e166d55b017"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clipog"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.clipog_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_5f63443ad5edf1c4dcbd4a8d4fd0cdcfd536873049176b0dcfc08c2019029b24"
+ logic_hash = "5f63443ad5edf1c4dcbd4a8d4fd0cdcfd536873049176b0dcfc08c2019029b24"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177746,13 +177746,13 @@ rule MALPEDIA_Win_Hawkball_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b1f652f2-d5a8-5817-b258-3528c691b84b"
+ id = "5f75e692-110c-55bd-97fc-1bd1a739617b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hawkball_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_ff667bedec18f0ed00ed5af46ab0b00bb4fbcb93b0094e0e12e6710929fc2634"
+ logic_hash = "ff667bedec18f0ed00ed5af46ab0b00bb4fbcb93b0094e0e12e6710929fc2634"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177785,13 +177785,13 @@ rule MALPEDIA_Win_Lobshot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4cf67973-db5c-594d-9ea1-99e81ada3b1f"
+ id = "85b1eb24-9f05-55a3-8f6f-6e4c63293758"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lobshot_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_18b4e7449b3d62631766d70c0d11905d5078e9b18e0b08eccb6d10a0123c3b2d"
+ logic_hash = "18b4e7449b3d62631766d70c0d11905d5078e9b18e0b08eccb6d10a0123c3b2d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177824,13 +177824,13 @@ rule MALPEDIA_Win_Xiaoba_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1e26bd46-56dc-5e58-9934-65ab53d84fc4"
+ id = "8a2d4ebc-9dbe-5e06-9ffb-a1e3c148bd49"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xiaoba_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_1a83b2fe247a6302b4c8d96b4dc9a08c1e85c028cd9a733963d489679c8b5b8d"
+ logic_hash = "1a83b2fe247a6302b4c8d96b4dc9a08c1e85c028cd9a733963d489679c8b5b8d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177863,13 +177863,13 @@ rule MALPEDIA_Win_Bbsrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1c212589-b405-5cf9-808c-a68b31b81125"
+ id = "0025d705-e6c3-5443-a840-3f0b2380c373"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bbsrat_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_41e9d1288a6b47bf01a3af69d556bf8b74b048345c44a671654c850d84e7f7a3"
+ logic_hash = "41e9d1288a6b47bf01a3af69d556bf8b74b048345c44a671654c850d84e7f7a3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177902,13 +177902,13 @@ rule MALPEDIA_Win_Lorenz_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "05aa7e00-93a2-554a-9f49-3c9ed5831846"
+ id = "f6bc353c-58c5-5213-8fe7-6cfcca7b0b8a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lorenz_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_1368912ce9218bae6e0caed5bc87ab7c2ec45745a55c8f3691e41777e1860427"
+ logic_hash = "1368912ce9218bae6e0caed5bc87ab7c2ec45745a55c8f3691e41777e1860427"
 score = 60
 quality = 45
 tags = "FILE"
@@ -177941,13 +177941,13 @@ rule MALPEDIA_Win_Unidentified_106_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "480ef32f-30e5-5694-bca1-f121da75440d"
+ id = "8675f46d-f715-517e-bc85-af94d8443ca1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_106"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_106_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_8b889ebf850fd39b916ba5548e2ee462a29668a970da164f9df6605604203541"
+ logic_hash = "8b889ebf850fd39b916ba5548e2ee462a29668a970da164f9df6605604203541"
 score = 75
 quality = 75
 tags = "FILE"
@@ -177980,13 +177980,13 @@ rule MALPEDIA_Win_Vawtrak_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c9e48f06-51db-55e3-a3f9-99d85a1feec7"
+ id = "2112bb64-22b3-5c03-b2f8-c6e0d0b0c10f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vawtrak_auto.yar#L1-L216"
 license_url = "N/A"
- logic_hash = "v1_sha256_60253f607ddfb6f5514a6ed220e9ab8f7a24d3f7658f13c97c0cead0093a08d3"
+ logic_hash = "60253f607ddfb6f5514a6ed220e9ab8f7a24d3f7658f13c97c0cead0093a08d3"
 score = 75
 quality = 73
 tags = "FILE"
@@ -178032,13 +178032,13 @@ rule MALPEDIA_Win_Electric_Powder_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7dcfed50-abd1-57b5-ba21-62ce616bdf30"
+ id = "1eede688-bf8f-5498-af13-fe892853a3bd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.electric_powder_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_fd0dece583cd040033ee5a2fac814b92bb57f2cacae42d60f0a3caee41692c62"
+ logic_hash = "fd0dece583cd040033ee5a2fac814b92bb57f2cacae42d60f0a3caee41692c62"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178071,13 +178071,13 @@ rule MALPEDIA_Win_Upatre_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "72a4a846-07cf-5fa8-9fa7-6e1f6504da03"
+ id = "73539601-8658-55a3-ad49-65acd97f978e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.upatre_auto.yar#L1-L169"
 license_url = "N/A"
- logic_hash = "v1_sha256_8c959d494139a03c01baced655928fcf1bda3e51a3d094a6d0ce455b32426f5d"
+ logic_hash = "8c959d494139a03c01baced655928fcf1bda3e51a3d094a6d0ce455b32426f5d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178116,13 +178116,13 @@ rule MALPEDIA_Win_Cryptoluck_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "64137198-231a-5f50-85b4-f226c8bf4589"
+ id = "c54fc8ef-3602-58f8-83b4-8208d9ae15d7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptoluck_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_0975548068cce5a595ab873e8bd23c5fffef61084104837a0ebc0f80661af758"
+ logic_hash = "0975548068cce5a595ab873e8bd23c5fffef61084104837a0ebc0f80661af758"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178155,13 +178155,13 @@ rule MALPEDIA_Win_Sendsafe_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dc183653-bf74-5a11-9d42-610ff7143d82"
+ id = "ca9919a1-41ee-51c0-9d8a-dc97d5d2356c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sendsafe_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_0b34fbaea5b0ab525d5bd2b630928ff7f548afb642b0c0217e296f895cb417fc"
+ logic_hash = "0b34fbaea5b0ab525d5bd2b630928ff7f548afb642b0c0217e296f895cb417fc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178194,13 +178194,13 @@ rule MALPEDIA_Win_Chches_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "37a7363f-56ad-5023-bbe8-7aa83daf6842"
+ id = "d15a52b4-77ce-52c4-a76e-32aad2b4034d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chches_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_826aac443fa892955ee21ee159179cf79234b9fe8bb8add3f0a9151151666203"
+ logic_hash = "826aac443fa892955ee21ee159179cf79234b9fe8bb8add3f0a9151151666203"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178233,13 +178233,13 @@ rule MALPEDIA_Win_Bootwreck_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "df443d3e-fde3-5b16-93c3-ac18f73e7c27"
+ id = "e46a87d8-ca64-51d8-8465-fa91fe773b67"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bootwreck_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_7dd89e2ad6a7e4ec6bd403b4a60d8d35c2c5a80bbaddf577283e953056078258"
+ logic_hash = "7dd89e2ad6a7e4ec6bd403b4a60d8d35c2c5a80bbaddf577283e953056078258"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178272,13 +178272,13 @@ rule MALPEDIA_Win_Andardoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "51b818d6-99f9-5a46-81f5-8985ef8011bb"
+ id = "81ba1768-aed9-5f8c-98e2-be1a91393599"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.andardoor_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_f5bb44cfeb5e0f7e950fe93babcfa1fb8b5f0313142a54c4e5fa92021682222b"
+ logic_hash = "f5bb44cfeb5e0f7e950fe93babcfa1fb8b5f0313142a54c4e5fa92021682222b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178311,13 +178311,13 @@ rule MALPEDIA_Win_Mgbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7a402439-813c-5a8e-b06c-c2770efabd86"
+ id = "dd03dc94-bb3a-5cad-8f13-4bbe4b7f90a6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mgbot_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_7310ce51cc81391fc78e9881bf8f490b2a783d4789728f7661df3e6bdca512d7"
+ logic_hash = "7310ce51cc81391fc78e9881bf8f490b2a783d4789728f7661df3e6bdca512d7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178350,13 +178350,13 @@ rule MALPEDIA_Win_Poweliks_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0399ecc4-cd21-58b9-97d2-516486766c10"
+ id = "1e577d24-5a33-56a2-89ea-12d263fea556"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poweliks_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_25339dff3576021bbd48649b55b3a0a905a70a087edb57140d53477b59a39b79"
+ logic_hash = "25339dff3576021bbd48649b55b3a0a905a70a087edb57140d53477b59a39b79"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178389,13 +178389,13 @@ rule MALPEDIA_Win_Yakuza_Ransomware_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8d6d0993-9c25-5765-bfb7-491b98329a0e"
+ id = "73df97f0-7e35-550b-9535-694c3981ecc9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yakuza_ransomware_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_877a27b3e7b369865a3e2e4c6ef5b4324a9318b7d81e28cbd514c89eb464d3c0"
+ logic_hash = "877a27b3e7b369865a3e2e4c6ef5b4324a9318b7d81e28cbd514c89eb464d3c0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178428,13 +178428,13 @@ rule MALPEDIA_Win_Plead_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "715043e8-4c8d-57dc-87ee-cba8585557b9"
+ id = "6ebeecb3-22ba-51cf-8f7b-acfcb3488d30"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.plead_auto.yar#L1-L236"
 license_url = "N/A"
- logic_hash = "v1_sha256_3927d6d1b5e82a17fd417b0071c76ba719237a780a5f2d36d13d9a1ea487844d"
+ logic_hash = "3927d6d1b5e82a17fd417b0071c76ba719237a780a5f2d36d13d9a1ea487844d"
 score = 75
 quality = 73
 tags = "FILE"
@@ -178481,13 +178481,13 @@ rule MALPEDIA_Win_Agendacrypt_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ff35fba4-cda2-5493-9758-ccefdc68bde3"
+ id = "dc53611f-1b74-52ad-9b55-d5a83620a37c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.agendacrypt_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_d7e38346c9af348b4c2d13bd6ea77d0011438992fc08a00180dea033b3826496"
+ logic_hash = "d7e38346c9af348b4c2d13bd6ea77d0011438992fc08a00180dea033b3826496"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178520,13 +178520,13 @@ rule MALPEDIA_Win_Owlproxy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fd2a8c94-b595-5c5c-94dd-18a3d373107d"
+ id = "638fb361-2ad3-53d0-8e4f-9ad0b735dcdb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.owlproxy_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_b8fac1ab1f13b504661c8bdcc9beeb57fc5ec6f3de1faa47de004dfa99391115"
+ logic_hash = "b8fac1ab1f13b504661c8bdcc9beeb57fc5ec6f3de1faa47de004dfa99391115"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178559,13 +178559,13 @@ rule MALPEDIA_Win_Tinynuke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c5d6d203-e9cc-58a1-b59b-9f5851d6a904"
+ id = "e047ea51-f3c4-5f88-b573-b37c1953b9b2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tinynuke_auto.yar#L1-L291"
 license_url = "N/A"
- logic_hash = "v1_sha256_6f2eccbfe290f185e4b6b9493a76e1eee7c900297614878527a2340fef27067f"
+ logic_hash = "6f2eccbfe290f185e4b6b9493a76e1eee7c900297614878527a2340fef27067f"
 score = 75
 quality = 73
 tags = "FILE"
@@ -178620,13 +178620,13 @@ rule MALPEDIA_Win_Unidentified_082_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d7668f1f-9729-56d6-b5f3-cf5b4a72bf86"
+ id = "7772581c-e8cf-5615-a758-46ef9c1fc0b0"
 date = "2021-10-07"
 modified = "2021-10-08"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_082"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_082_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_fdfe1ddce9f77ac8b465b0ddebe868c5e77078cf2b2457573a5b3810682f45ee"
+ logic_hash = "fdfe1ddce9f77ac8b465b0ddebe868c5e77078cf2b2457573a5b3810682f45ee"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178659,13 +178659,13 @@ rule MALPEDIA_Win_Newsreels_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a8cbd7f6-7bde-5500-bff7-be4abd368189"
+ id = "596de4f5-9368-5129-8f10-46a814b9edc2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.newsreels_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_31294f0bc1fd72fff816bb0c2c17d33dbab780b957e5c41520b825232208a7ae"
+ logic_hash = "31294f0bc1fd72fff816bb0c2c17d33dbab780b957e5c41520b825232208a7ae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178698,13 +178698,13 @@ rule MALPEDIA_Win_Cryptolocker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ccc370fb-f03e-5622-b6a7-0ba422caeb5b"
+ id = "ad9b18af-235b-525a-af62-054a0222583c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptolocker_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_75564b552b8c35eb8b1fab229d91abfa4288be2b05e1664b616963e88f02714a"
+ logic_hash = "75564b552b8c35eb8b1fab229d91abfa4288be2b05e1664b616963e88f02714a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178737,13 +178737,13 @@ rule MALPEDIA_Win_Stealer_0X3401_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4135f304-d89c-5842-9264-f0d96d3e236b"
+ id = "1ccbeb2b-8652-556b-a78e-87a19479b4d7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealer_0x3401"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stealer_0x3401_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_00bd8b2b3e3b3733d5bcbc0fb6b2848b3225fb02bf487f9ea61c20713054d985"
+ logic_hash = "00bd8b2b3e3b3733d5bcbc0fb6b2848b3225fb02bf487f9ea61c20713054d985"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178776,13 +178776,13 @@ rule MALPEDIA_Win_Glitch_Pos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e78fdca4-da07-55dd-8cb6-9c9e4dea4d8a"
+ id = "167489a1-806c-57ac-870b-1a5711737bf5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.glitch_pos_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_8974caf746bb63b369da7b75c4e0e1a2b35b653a94e981b459531b393a112a37"
+ logic_hash = "8974caf746bb63b369da7b75c4e0e1a2b35b653a94e981b459531b393a112a37"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178815,13 +178815,13 @@ rule MALPEDIA_Win_Unidentified_071_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3ff4d0d8-c3b0-581a-92ab-c50d405bfe36"
+ id = "518d209c-e627-5ef3-9eb6-1a7ee7d67ffa"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_071_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_10aa474e67246e989615e8f1a539e8beccbe5f2115f19e32be1e24db8d548303"
+ logic_hash = "10aa474e67246e989615e8f1a539e8beccbe5f2115f19e32be1e24db8d548303"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178854,13 +178854,13 @@ rule MALPEDIA_Win_Pay2Key_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d56a8caa-de27-5bf4-a4bc-400285687b66"
+ id = "f2fcc621-8979-5801-a21d-ea66a00d4417"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pay2key_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_c5c5a0569f9a48f47100e890ff1d1fd3e4fd615600ef7e4d45ae1b0c294b9a08"
+ logic_hash = "c5c5a0569f9a48f47100e890ff1d1fd3e4fd615600ef7e4d45ae1b0c294b9a08"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178893,13 +178893,13 @@ rule MALPEDIA_Win_Onhat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ed7a30dd-b5d7-5a3a-92c9-e18e82bf311e"
+ id = "4885dade-4fce-5e20-9ffa-fd32e752e39c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.onhat_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_3d8264647f2b4bfebfbb64b6330e4d7098e25f3b002acba0b19c8992974ae5d6"
+ logic_hash = "3d8264647f2b4bfebfbb64b6330e4d7098e25f3b002acba0b19c8992974ae5d6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178932,13 +178932,13 @@ rule MALPEDIA_Win_Prilex_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "164dec24-4174-53d8-8ae5-abc29c20a45b"
+ id = "2ee73f8b-e8a7-530a-919c-0e8a3ae2ae98"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.prilex_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_6de539b63b8562d1b8bdbaceab1132bb64a8bf2aa0cf4524ffc6127b96beab6c"
+ logic_hash = "6de539b63b8562d1b8bdbaceab1132bb64a8bf2aa0cf4524ffc6127b96beab6c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -178971,13 +178971,13 @@ rule MALPEDIA_Win_Xsplus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c904e008-9a83-5e73-afce-3bd37c092f21"
+ id = "2c89d099-29a9-55d4-a949-65dd1bdfe6eb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xsplus_auto.yar#L1-L179"
 license_url = "N/A"
- logic_hash = "v1_sha256_e49d0b0e4b6b18be179499d3f98b92cb7a2ea53651dc18e80a64f9c221a6561b"
+ logic_hash = "e49d0b0e4b6b18be179499d3f98b92cb7a2ea53651dc18e80a64f9c221a6561b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179017,13 +179017,13 @@ rule MALPEDIA_Win_Petya_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "541a8aa2-cb42-5218-bab5-a07eb1a06564"
+ id = "96d15d70-0cad-5ba8-b732-d7e2c6c8a3c4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.petya_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_126f559636a52e8bbed5a94164c0b2da83f722a29115c2b51cd7bbb82a77ed47"
+ logic_hash = "126f559636a52e8bbed5a94164c0b2da83f722a29115c2b51cd7bbb82a77ed47"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179056,13 +179056,13 @@ rule MALPEDIA_Win_Disk_Knight_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5776c9f6-1544-5dc5-87f1-0a1c565b30f2"
+ id = "1b68d176-e621-572e-a02b-4eff18ee7835"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disk_knight"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.disk_knight_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_09ce3baeb29e85d6695478868b4b5a99498537909676146b33cec4463b3e4ba4"
+ logic_hash = "09ce3baeb29e85d6695478868b4b5a99498537909676146b33cec4463b3e4ba4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179095,13 +179095,13 @@ rule MALPEDIA_Win_Royalcli_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "171fc0d2-14e8-5e05-b9e9-dc023fcab413"
+ id = "ff77d805-91a0-5315-ba44-9b60dd6ef815"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.royalcli_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_3f942fc64e71d9989fa602e154f4016ccbdc8b8d4e7f9551bd6f613b1bb3b100"
+ logic_hash = "3f942fc64e71d9989fa602e154f4016ccbdc8b8d4e7f9551bd6f613b1bb3b100"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179134,13 +179134,13 @@ rule MALPEDIA_Win_Ployx_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "06748674-1fd4-5efb-81c6-616be4f8c36c"
+ id = "88ff8b0e-42c8-531a-aa7c-e4d988bc3583"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ployx_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_6c51c47290988f53993f59d945fc1bce237ebb223534fe936a15d347d9e6950c"
+ logic_hash = "6c51c47290988f53993f59d945fc1bce237ebb223534fe936a15d347d9e6950c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179173,13 +179173,13 @@ rule MALPEDIA_Win_Betabot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "748401bf-d563-5e44-a386-4bc3df30690a"
+ id = "76d74828-4d3c-5b24-a19d-5dd4164ed17c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.betabot_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_07dd0ba00e2d3513e1cad1cf2b7d11e94e25b4a1985b335a6dca6b1199e5355b"
+ logic_hash = "07dd0ba00e2d3513e1cad1cf2b7d11e94e25b4a1985b335a6dca6b1199e5355b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179212,13 +179212,13 @@ rule MALPEDIA_Win_Waterminer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3375f5c8-235f-5747-949d-71b00922c6ea"
+ id = "015d17f9-270a-5ff3-ae6a-8c2f19540faa"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.waterminer_auto.yar#L1-L161"
 license_url = "N/A"
- logic_hash = "v1_sha256_fee2af94ed2d9b29403d90ebf96331b0858215bab4f3b7310fc1b1dc42373d50"
+ logic_hash = "fee2af94ed2d9b29403d90ebf96331b0858215bab4f3b7310fc1b1dc42373d50"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179257,13 +179257,13 @@ rule MALPEDIA_Win_Poslurp_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f844ec06-e892-5e50-8afa-12ac8736d268"
+ id = "6bf5ef0a-8f8e-5e13-a7d2-227d9ddd0565"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poslurp_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_bbd4232b1e9147e9ff5af0c6efd52975564af5c8f6efe7b5267fa51aa60fdd3c"
+ logic_hash = "bbd4232b1e9147e9ff5af0c6efd52975564af5c8f6efe7b5267fa51aa60fdd3c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179296,13 +179296,13 @@ rule MALPEDIA_Win_Bughatch_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "88052b0e-646c-5e56-8ad1-4ed8dda2800b"
+ id = "7c76d5fd-0852-57e8-98d3-2429c0a26bc6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bughatch"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bughatch_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_ce23ebcae0b6af11021010314345b92d6fc792734955c495c1529b11609de8c0"
+ logic_hash = "ce23ebcae0b6af11021010314345b92d6fc792734955c495c1529b11609de8c0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179335,13 +179335,13 @@ rule MALPEDIA_Win_Sykipot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0c4eed21-1d92-567f-a089-b1ed6a022032"
+ id = "7dfa6014-8de4-5034-9d3e-e952369ddc5e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sykipot_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_6b98694b9b7bab0c760215e0200ed7148a92e1d0f8160cc9d832d1342f3407bf"
+ logic_hash = "6b98694b9b7bab0c760215e0200ed7148a92e1d0f8160cc9d832d1342f3407bf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179374,13 +179374,13 @@ rule MALPEDIA_Win_Knight_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "629e380f-1922-5e9f-a9f6-2c0654f0004e"
+ id = "a5e09115-4011-54e1-a2ba-c2bbb8ab355a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.knight"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.knight_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_d7c3e295d686febfc6f312c8c39590a584a2b1ffbd1bc0f76a009284be0570bc"
+ logic_hash = "d7c3e295d686febfc6f312c8c39590a584a2b1ffbd1bc0f76a009284be0570bc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179413,13 +179413,13 @@ rule MALPEDIA_Win_Balkan_Door_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "82cf4e48-a612-56ab-82d9-68b0e0b1d38a"
+ id = "870a99c0-e95d-56d4-9ce7-fd5381768dbe"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.balkan_door_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_1cfcbe46433533ae63497a1399949fc7dd10f1e5a4dc1daebcdead984fa82911"
+ logic_hash = "1cfcbe46433533ae63497a1399949fc7dd10f1e5a4dc1daebcdead984fa82911"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179452,13 +179452,13 @@ rule MALPEDIA_Win_Runningrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "df7af0c4-2d7d-5bd2-85ce-286ead530e38"
+ id = "297d1859-ca3a-5430-a307-3e48917944b6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.runningrat_auto.yar#L1-L163"
 license_url = "N/A"
- logic_hash = "v1_sha256_cc8e1228550694df797c7f86352429950a0d9bf3c450fac5ae045f777304a562"
+ logic_hash = "cc8e1228550694df797c7f86352429950a0d9bf3c450fac5ae045f777304a562"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179496,13 +179496,13 @@ rule MALPEDIA_Win_Snatch_Loader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1113afab-e602-5122-b36a-0f88666df814"
+ id = "d74b7542-a17c-5e73-9f4b-d6fcbd7ec77a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.snatch_loader_auto.yar#L1-L174"
 license_url = "N/A"
- logic_hash = "v1_sha256_58c7bbc8e69216b73bd02826084d61ba1cc9680e841df4cda286961c3330efac"
+ logic_hash = "58c7bbc8e69216b73bd02826084d61ba1cc9680e841df4cda286961c3330efac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179541,13 +179541,13 @@ rule MALPEDIA_Win_Powersniff_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4fa21806-ba73-5f2a-aefa-fb0ebd6f0fb9"
+ id = "96668c35-22ff-5b9e-ae57-ee3a83835c94"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.powersniff_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_61f4abb0e5c4aeea392fa5c634ad49408a74795c9a7a1a686ae66d78616fe1f2"
+ logic_hash = "61f4abb0e5c4aeea392fa5c634ad49408a74795c9a7a1a686ae66d78616fe1f2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179580,13 +179580,13 @@ rule MALPEDIA_Win_Tinymet_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fc736571-7da1-5f89-9eb3-4af0c48a5500"
+ id = "3b877ab0-4cfd-5a16-b545-cbd2432f7e3a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tinymet_auto.yar#L1-L102"
 license_url = "N/A"
- logic_hash = "v1_sha256_18fdd73d173a567cb669dcb2f204fa6a5132161bf80e753f323b92b81adc0ad1"
+ logic_hash = "18fdd73d173a567cb669dcb2f204fa6a5132161bf80e753f323b92b81adc0ad1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179617,13 +179617,13 @@ rule MALPEDIA_Win_Rekoobew_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f9ae9e2d-3af3-5876-a7b5-51f5d3889afb"
+ id = "87c5607a-8a90-598c-943e-607b112d1594"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rekoobew_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_aef627dbf43f3f433f140924ae4bed9b7cb42ca10d8749c65899eb3d41030244"
+ logic_hash = "aef627dbf43f3f433f140924ae4bed9b7cb42ca10d8749c65899eb3d41030244"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179656,13 +179656,13 @@ rule MALPEDIA_Win_Milum_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "21fa9f00-bd95-55bd-9b3d-49a5f42a0adf"
+ id = "8311a048-c504-508b-a4e8-52a8a481b8b1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.milum_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_6c7c97a327f6ef555ead1a0969df80007fb8d016e702f68476c0459b28700b82"
+ logic_hash = "6c7c97a327f6ef555ead1a0969df80007fb8d016e702f68476c0459b28700b82"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179695,13 +179695,13 @@ rule MALPEDIA_Win_Bottomloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d3f2a1e9-c484-582c-8722-a5ae80bd413a"
+ id = "b80f27db-a9fe-5886-83a1-b7800bdc0933"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bottomloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bottomloader_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_e605cbf05da14cecd741717af69ae46ce70b645051ad1189e53cd9ddfd6b5a03"
+ logic_hash = "e605cbf05da14cecd741717af69ae46ce70b645051ad1189e53cd9ddfd6b5a03"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179734,13 +179734,13 @@ rule MALPEDIA_Win_Mariposa_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9e9ac85b-cc58-5a5f-98f1-6e973069c454"
+ id = "2a3a2192-1985-5afb-a3c8-457f3f4c729c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mariposa_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_343ac33f57cd9cc9bfc1841bf1bd211734de245f417ee554220587a46ed4086f"
+ logic_hash = "343ac33f57cd9cc9bfc1841bf1bd211734de245f417ee554220587a46ed4086f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179773,13 +179773,13 @@ rule MALPEDIA_Win_Zlob_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec67e5ca-65d4-5cd9-b0f6-40c79302c29f"
+ id = "a970d088-9ed2-5a54-a209-a213c278b939"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zlob_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_7be20af316e82ae77a28c9d29b76181384335b1dbce3a98db4ea9d8cea904efb"
+ logic_hash = "7be20af316e82ae77a28c9d29b76181384335b1dbce3a98db4ea9d8cea904efb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179812,13 +179812,13 @@ rule MALPEDIA_Win_Unidentified_104_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0c1da46b-92f5-5929-908a-7ee612b9b602"
+ id = "d500f181-7347-5b56-b769-5ef7ee00cd2b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_104"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_104_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_4ebfb796f6d86b2c125f5dfb97b85200528b313a6e20e5b2b0501c20db7c82f7"
+ logic_hash = "4ebfb796f6d86b2c125f5dfb97b85200528b313a6e20e5b2b0501c20db7c82f7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179851,13 +179851,13 @@ rule MALPEDIA_Win_Stealc_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ef4355da-db20-570f-97a1-ae0825496a46"
+ id = "a9a3385f-b9f5-5cec-b139-7fd9ab3e38ee"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stealc_auto.yar#L1-L112"
 license_url = "N/A"
- logic_hash = "v1_sha256_1bbc82a373b409e3dad4afed525c9d3527cdf24f15e799642d4692134ce52442"
+ logic_hash = "1bbc82a373b409e3dad4afed525c9d3527cdf24f15e799642d4692134ce52442"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179890,13 +179890,13 @@ rule MALPEDIA_Win_Darkloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c523ae60-830c-58c5-a128-bb0bb4d242b9"
+ id = "c6586d19-c9dc-5391-af52-9dc3a3375338"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkloader_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_80ad8615edb3b8dd04cf4b30a3f3c46ec7df78cf02d75573629255acdb077233"
+ logic_hash = "80ad8615edb3b8dd04cf4b30a3f3c46ec7df78cf02d75573629255acdb077233"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179929,13 +179929,13 @@ rule MALPEDIA_Win_Xfsadm_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "72baac75-6d9d-5ca6-aa18-51e7f571283f"
+ id = "6cee945a-b699-5b54-a37c-80744e975247"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xfsadm_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_f4eb82f59dbe07c8f1ee2d03c53cd893a45918aeff41d261754b918f12bf1430"
+ logic_hash = "f4eb82f59dbe07c8f1ee2d03c53cd893a45918aeff41d261754b918f12bf1430"
 score = 75
 quality = 75
 tags = "FILE"
@@ -179968,13 +179968,13 @@ rule MALPEDIA_Win_Bredolab_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "16e31b97-781b-5c45-918e-0a303f4c1a9f"
+ id = "c6a2080f-c1fa-51ce-a641-734a6742f158"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bredolab_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_2bd111cf3554a8f40745e475f3dd7434ed1da715b8da17d69e83265e9fb05367"
+ logic_hash = "2bd111cf3554a8f40745e475f3dd7434ed1da715b8da17d69e83265e9fb05367"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180007,13 +180007,13 @@ rule MALPEDIA_Win_Thunderx_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d07452cf-c9f1-5649-aa1d-e18f25e137d7"
+ id = "1bae1fb1-24b0-5f06-bb80-f0ccbc902def"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.thunderx_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_5011033895d94d0840d4177429f3e9775d789a180c5872dc899a5e5b8dd320c7"
+ logic_hash = "5011033895d94d0840d4177429f3e9775d789a180c5872dc899a5e5b8dd320c7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180046,13 +180046,13 @@ rule MALPEDIA_Win_Absentloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4ccd08d4-ebc9-5028-936b-76556ce0e716"
+ id = "4910d41c-fd9d-58f5-8e0b-80462a82048c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.absentloader_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_247d6cfb768e4552d66056adfd67fbf6ee95131ccc4d55998852773c9971750b"
+ logic_hash = "247d6cfb768e4552d66056adfd67fbf6ee95131ccc4d55998852773c9971750b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180085,13 +180085,13 @@ rule MALPEDIA_Win_Sienna_Purple_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b8bf02e6-4b85-5e89-bf1c-6bc4fccef2f9"
+ id = "bf81e591-f4a8-52d6-a4ec-5bf5ebf65e21"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_purple"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sienna_purple_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_7480d66d62837df5528ba634142a2c05768c45916ca5058033314d20ebc94573"
+ logic_hash = "7480d66d62837df5528ba634142a2c05768c45916ca5058033314d20ebc94573"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180124,13 +180124,13 @@ rule MALPEDIA_Win_Himan_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "481129d1-c07e-5d63-afc7-9e9810acbf84"
+ id = "43abb682-bd1a-5c0e-aa2b-b956d3c70fcc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.himan_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_30040eb81b0c6b577d494b8638c7a8a804b8dda803c9d87443634bca63af8301"
+ logic_hash = "30040eb81b0c6b577d494b8638c7a8a804b8dda803c9d87443634bca63af8301"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180163,13 +180163,13 @@ rule MALPEDIA_Win_Snatchcrypto_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "62150707-1402-5f9e-b227-89f926777745"
+ id = "a0e595f3-b394-5bbb-9fbf-3f77b7a2ff1c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.snatchcrypto_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_df174efff90118ed4513d3543230102fa070bff240e3fca742525b945490dabd"
+ logic_hash = "df174efff90118ed4513d3543230102fa070bff240e3fca742525b945490dabd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180202,13 +180202,13 @@ rule MALPEDIA_Win_Saigon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6b8a29b1-2d0c-54f2-9acd-798da081d4e6"
+ id = "67d61467-37a6-5772-94ec-e928f4e39175"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.saigon_auto.yar#L1-L115"
 license_url = "N/A"
- logic_hash = "v1_sha256_c3b4f453a06699b81b34d66487fc346a283825480563ae11e28741d2bf0a0cba"
+ logic_hash = "c3b4f453a06699b81b34d66487fc346a283825480563ae11e28741d2bf0a0cba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180241,13 +180241,13 @@ rule MALPEDIA_Win_Hackbrowserdata_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "31ad04ca-ece9-5448-8622-ee57fb8d8f64"
+ id = "d3aae9ed-192f-5ff5-b564-ee9df4ce3245"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackbrowserdata"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hackbrowserdata_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_2b6a9208dc476df90c318e1825117cca44974a3b5522e1f9f1cb79fdbda237c3"
+ logic_hash = "2b6a9208dc476df90c318e1825117cca44974a3b5522e1f9f1cb79fdbda237c3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180280,13 +180280,13 @@ rule MALPEDIA_Win_Rarstar_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "23419d0d-065d-5953-8b12-1bd11e444722"
+ id = "18a386a5-5130-5703-978a-5323644a8d5c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rarstar_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_731c9230a2c0993fe7a5be5efd272fc408168bba25b13288ff7847590ce53fc3"
+ logic_hash = "731c9230a2c0993fe7a5be5efd272fc408168bba25b13288ff7847590ce53fc3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180319,13 +180319,13 @@ rule MALPEDIA_Win_Feed_Load_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9eb9483d-3aab-5916-9cee-b3be2aa7d193"
+ id = "e5e8de31-96f1-50f3-b126-f68009a95e5b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.feed_load"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.feed_load_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_46de679564e79b2a5c0b197690c16d63fc18a06e57dcb85568ec77e2699570e3"
+ logic_hash = "46de679564e79b2a5c0b197690c16d63fc18a06e57dcb85568ec77e2699570e3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180358,13 +180358,13 @@ rule MALPEDIA_Win_Tinyfluff_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7dd181d2-8e40-52ef-b389-c80291cf645e"
+ id = "7516ef27-cc3c-50fb-887e-45b6927b546c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyfluff"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tinyfluff_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_e68e7d6c227d4701d78eb91cd8fa16d542e11d322177ea0064fd63e81ec16ac3"
+ logic_hash = "e68e7d6c227d4701d78eb91cd8fa16d542e11d322177ea0064fd63e81ec16ac3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180397,13 +180397,13 @@ rule MALPEDIA_Win_Laziok_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b1e45ef6-824c-5f9c-a160-78f82a125d8c"
+ id = "37e29cbd-65ea-5cba-b131-e7a5cbb3dccc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.laziok_auto.yar#L1-L97"
 license_url = "N/A"
- logic_hash = "v1_sha256_c9f66361581dd6b09edf0f02e114cd674601a3020169deaf28372627acd9b101"
+ logic_hash = "c9f66361581dd6b09edf0f02e114cd674601a3020169deaf28372627acd9b101"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180434,13 +180434,13 @@ rule MALPEDIA_Win_Younglotus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2eae60ac-745d-51c7-87bf-7118e990e183"
+ id = "511ee3c4-3a8d-5982-a129-c4f520bbe10e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.younglotus_auto.yar#L1-L173"
 license_url = "N/A"
- logic_hash = "v1_sha256_22c4cfdc7fd425b818daae07117ab2b0a1f6250b75eb7983096dfb11564bd4bb"
+ logic_hash = "22c4cfdc7fd425b818daae07117ab2b0a1f6250b75eb7983096dfb11564bd4bb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180479,13 +180479,13 @@ rule MALPEDIA_Win_Flash_Develop_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fcb1b12b-7bf0-515e-b018-969caffde539"
+ id = "4688ecaa-1305-56f1-b990-d34d1967b3cd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flash_develop"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flash_develop_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_1b0b49a0bdf8cbe355d0f549d184abf36cc5a8a27ac3e4b70ddcdc76ec6e38f0"
+ logic_hash = "1b0b49a0bdf8cbe355d0f549d184abf36cc5a8a27ac3e4b70ddcdc76ec6e38f0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180518,13 +180518,13 @@ rule MALPEDIA_Win_Bohmini_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f6a79169-fa28-50ba-9ab5-8009311974b0"
+ id = "c8923e09-0cd1-5865-924f-18639308d13e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bohmini_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_d63dab417a618811791980b051ba5149b8c4dca6bd7568c5aa5894be2ba1d4b9"
+ logic_hash = "d63dab417a618811791980b051ba5149b8c4dca6bd7568c5aa5894be2ba1d4b9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180557,13 +180557,13 @@ rule MALPEDIA_Win_Strelastealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7f2739f4-80f3-5eba-ae9e-65c67781fba3"
+ id = "9f02f870-18a6-5958-8b48-817eb9eee346"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.strelastealer_auto.yar#L1-L179"
 license_url = "N/A"
- logic_hash = "v1_sha256_90e62167509dc36976a411c59d204669c9f40c335a7d35fe2d5657e279efa4d6"
+ logic_hash = "90e62167509dc36976a411c59d204669c9f40c335a7d35fe2d5657e279efa4d6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180602,13 +180602,13 @@ rule MALPEDIA_Win_Flashflood_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d035ad73-f8a4-5612-becd-d3ad16a2fb4f"
+ id = "8a274825-f4c9-5f62-b907-dfc89a45069c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flashflood_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_683f799d9771d2f1f092dca2666088c76c32113ac36ef3235bcc1b22e7e80191"
+ logic_hash = "683f799d9771d2f1f092dca2666088c76c32113ac36ef3235bcc1b22e7e80191"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180641,13 +180641,13 @@ rule MALPEDIA_Win_Polyglotduke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "341e69b9-cdd6-5908-90b0-808dbffe4621"
+ id = "9c18a5b0-9646-54de-84d3-631d8bf608b5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.polyglotduke_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_6e964f854be862afb1ae59446d85c2642af462845dbac22a50b518391d708853"
+ logic_hash = "6e964f854be862afb1ae59446d85c2642af462845dbac22a50b518391d708853"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180680,13 +180680,13 @@ rule MALPEDIA_Win_Putabmow_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "05b4a24c-f52f-54b0-acf2-965831f98f55"
+ id = "7af0c993-b539-52ac-a45e-8054f116f777"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.putabmow_auto.yar#L1-L126"
 license_url = "N/A"
- logic_hash = "v1_sha256_fefc0574406d648a12b534d0b553ded64a93f4ffe228447991ac5fd25e755fac"
+ logic_hash = "fefc0574406d648a12b534d0b553ded64a93f4ffe228447991ac5fd25e755fac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180719,13 +180719,13 @@ rule MALPEDIA_Win_Pikabot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "66f4da7f-10b4-5ce8-b5b2-889b36e7a168"
+ id = "ca491d89-20a6-5b52-8d28-6fe7d217ba54"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pikabot_auto.yar#L1-L270"
 license_url = "N/A"
- logic_hash = "v1_sha256_c58243245af92019919e67e8e639db22bdc3515d5ca76925cfc701e773724623"
+ logic_hash = "c58243245af92019919e67e8e639db22bdc3515d5ca76925cfc701e773724623"
 score = 75
 quality = 73
 tags = "FILE"
@@ -180777,13 +180777,13 @@ rule MALPEDIA_Win_Ave_Maria_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "488c49e4-9fd3-5c5c-83e3-e9d7658fffbe"
+ id = "a8ff9385-aecd-5e0a-9dbf-bb5ae67ce3ce"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ave_maria_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_059225085d94bd881b5977004829f436c6d9d9c9b3e6a06c534e4dec388c260c"
+ logic_hash = "059225085d94bd881b5977004829f436c6d9d9c9b3e6a06c534e4dec388c260c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180816,13 +180816,13 @@ rule MALPEDIA_Win_Acidbox_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "20664396-7399-53df-ac21-b6102fdb8792"
+ id = "ef6a2660-06bc-58c1-866c-71c4f81cb840"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.acidbox_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_41839e3e93fea6da491d6960f541c70a4bfe5cfb4dca07d8fcde4687922f61de"
+ logic_hash = "41839e3e93fea6da491d6960f541c70a4bfe5cfb4dca07d8fcde4687922f61de"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180855,13 +180855,13 @@ rule MALPEDIA_Win_Dusttrap_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "04862092-8949-5da1-a62a-dabc69e24a74"
+ id = "94c0bae7-72b6-5bce-b0c6-34a621d70e05"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dusttrap"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dusttrap_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_f4b4f45042cbce5a99225f86a255feaeb3d8c391ba31ee586efa9930ba8ea747"
+ logic_hash = "f4b4f45042cbce5a99225f86a255feaeb3d8c391ba31ee586efa9930ba8ea747"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180894,13 +180894,13 @@ rule MALPEDIA_Win_Rctrl_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f68ad5cd-6f8e-54b1-9885-f9a91c704088"
+ id = "7ff215c3-2671-5b0b-ba24-88d7d36afa71"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rctrl_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_b0421815065d5d9f7baf76708ca03a7d751899f6c6932dc7218ef3afe98a981a"
+ logic_hash = "b0421815065d5d9f7baf76708ca03a7d751899f6c6932dc7218ef3afe98a981a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180933,13 +180933,13 @@ rule MALPEDIA_Win_Medusa_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "083d83f0-0fa1-5d09-9718-81c5829bc0f2"
+ id = "e5ced166-c5f3-50c0-9e84-e449f6bff889"
 date = "2023-12-06"
 modified = "2023-12-08"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.medusa_auto.yar#L1-L167"
 license_url = "N/A"
- logic_hash = "v1_sha256_b88f5d47ff30b39fc78331a46c037d026177b73d253964f40555a9ce1312bb08"
+ logic_hash = "b88f5d47ff30b39fc78331a46c037d026177b73d253964f40555a9ce1312bb08"
 score = 75
 quality = 75
 tags = "FILE"
@@ -180978,13 +180978,13 @@ rule MALPEDIA_Win_Mocton_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "befd0700-4bdd-5ed5-b8ce-79d1a5a6840d"
+ id = "0eb53608-52dd-5157-b27a-400060a227c2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mocton_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_ab360491efcec62323f6bd101f123d7a2664b6f36f37ac6acc5b7e8f64a1cf18"
+ logic_hash = "ab360491efcec62323f6bd101f123d7a2664b6f36f37ac6acc5b7e8f64a1cf18"
 score = 75
 quality = 75
 tags = "FILE"
@@ -181017,13 +181017,13 @@ rule MALPEDIA_Win_Sslmm_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4d79f66e-91ba-500b-950a-e1f9eebcd2ae"
+ id = "4fb6315d-623b-56fe-a1a9-1366cd8ee4e8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sslmm_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_e05d1383c6fd4195ee348036204c560e38cfb3624a913866f02778d6ae43e5d9"
+ logic_hash = "e05d1383c6fd4195ee348036204c560e38cfb3624a913866f02778d6ae43e5d9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -181056,13 +181056,13 @@ rule MALPEDIA_Win_Datper_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "af8d85cf-112d-5b38-881a-1d88611b341a"
+ id = "48b52ade-f95f-5b7e-bf6c-1ada03264771"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.datper_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_34ec1eabfa283c917df6f57bb7cf677574c84996d2deb9b676fabcef09eea21f"
+ logic_hash = "34ec1eabfa283c917df6f57bb7cf677574c84996d2deb9b676fabcef09eea21f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -181095,13 +181095,13 @@ rule MALPEDIA_Win_Rofin_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "638254eb-3946-550d-b88b-1dfb37c8353b"
+ id = "0195ab71-caac-5cd0-8cdc-a4640763982a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rofin_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_1fdbbf0f641674931110c0fd75e6ced74603c00b71d8e67aaa8404e587da89df"
+ logic_hash = "1fdbbf0f641674931110c0fd75e6ced74603c00b71d8e67aaa8404e587da89df"
 score = 75
 quality = 75
 tags = "FILE"
@@ -181134,13 +181134,13 @@ rule MALPEDIA_Win_Hermes_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "af5fe316-0525-520e-81fd-fd8f505dbe6d" + id = "88136c82-87ab-5f89-8963-9afb9534a540" date = "2021-10-07" modified = "2021-10-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hermes_ransom_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_2bb9637b7e3ee9fcdd4e957eade001e8c8132e1b7c987ea6727ab44eda025915" + logic_hash = "2bb9637b7e3ee9fcdd4e957eade001e8c8132e1b7c987ea6727ab44eda025915" score = 75 quality = 75 tags = "FILE" @@ -181173,13 +181173,13 @@ rule MALPEDIA_Win_Remy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "855da8af-46c4-5e56-b91f-937c463aa92f" + id = "9e3d091c-9c3e-5358-821c-2201f723e147" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.remy_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_75f06668797d3499803b9fa9b8dc61118625be3fbfdaf403e38706d03959bd0b" + logic_hash = "75f06668797d3499803b9fa9b8dc61118625be3fbfdaf403e38706d03959bd0b" score = 75 quality = 75 tags = "FILE" 
@@ -181212,13 +181212,13 @@ rule MALPEDIA_Win_Nokki_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "92ae503b-757e-589f-9e96-fac217cb216d" + id = "608277dd-14a1-5c03-9518-935e0938d8bc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nokki_auto.yar#L1-L154" license_url = "N/A" - logic_hash = "v1_sha256_f2978451176a73f0cc8bbc4000d4256ca994dc4b0d13d500f33621551196e998" + logic_hash = "f2978451176a73f0cc8bbc4000d4256ca994dc4b0d13d500f33621551196e998" score = 75 quality = 75 tags = "FILE" @@ -181255,13 +181255,13 @@ rule MALPEDIA_Win_Wipbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b066e001-ab46-5ee7-b2cc-0c8b8caa3ccd" + id = "285c0b10-9c1f-573b-962d-50c3932d3768" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wipbot_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_194fd4449423e13c04280571bb64d77c07b6c4746542edc34cc7c2636335ecb2" + logic_hash = "194fd4449423e13c04280571bb64d77c07b6c4746542edc34cc7c2636335ecb2" score = 75 quality = 75 tags = "FILE" 
@@ -181294,13 +181294,13 @@ rule MALPEDIA_Win_8Base_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c7e9b297-f8a2-5b07-a15c-2ff3537671e4" + id = "75838edc-73a2-5e39-b8ec-96e50d44170a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.8base" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.8base_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_928a212ebdb041c9575d16d9def4153d3085b06453acab4557e4b175f3e06eda" + logic_hash = "928a212ebdb041c9575d16d9def4153d3085b06453acab4557e4b175f3e06eda" score = 75 quality = 75 tags = "FILE" @@ -181333,13 +181333,13 @@ rule MALPEDIA_Win_Rcs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "597683b8-5f1c-5493-8584-b33c280dba5e" + id = "5cb7f68d-21c9-5599-a702-4f54a0b6f0b5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rcs_auto.yar#L1-L180" license_url = "N/A" - logic_hash = "v1_sha256_bb528f6bd9f82e58eb70b918c0975f8fb2e7c478b0eed2addcdb6f608a2b172e" + logic_hash = "bb528f6bd9f82e58eb70b918c0975f8fb2e7c478b0eed2addcdb6f608a2b172e" score = 75 quality = 75 tags = "FILE" 
@@ -181380,13 +181380,13 @@ rule MALPEDIA_Win_Vhd_Ransomware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8bef782b-ecc1-5132-a259-5d65940901ce" + id = "fa5e5a99-c535-5a94-a209-b7a09fa24c2a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vhd_ransomware_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_084f45fac9b312e6724b7901489af4dd8f07289f6b7a3bdcfaaadbb0b1238055" + logic_hash = "084f45fac9b312e6724b7901489af4dd8f07289f6b7a3bdcfaaadbb0b1238055" score = 75 quality = 75 tags = "FILE" @@ -181419,13 +181419,13 @@ rule MALPEDIA_Win_Crypto_Fortress_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "425e304a-f82a-52f3-a4ea-ee014aa600eb" + id = "b81b861a-e59d-5e35-89f8-b48e5d1e64a8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crypto_fortress_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_7ca8cfbcda8442ad971ad2acb852f7382cff13447a653716ebcb2d4ba6db0aed" + logic_hash = "7ca8cfbcda8442ad971ad2acb852f7382cff13447a653716ebcb2d4ba6db0aed" score = 75 quality = 75 tags = "FILE" 
@@ -181458,13 +181458,13 @@ rule MALPEDIA_Win_Agfspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a7e154ed-9f25-517f-8587-d7a692ab503a" + id = "10a5651b-99ec-562f-82a5-e11489c17110" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.agfspy_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_2e86502162b077190fa9b6bc0039b0226221ca91b45f721fc1b45981eaf2202d" + logic_hash = "2e86502162b077190fa9b6bc0039b0226221ca91b45f721fc1b45981eaf2202d" score = 75 quality = 75 tags = "FILE" @@ -181497,13 +181497,13 @@ rule MALPEDIA_Win_Latrodectus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c4317e45-c83e-5cd6-b899-99d906256c10" + id = "02322cd8-96f0-5b56-94f1-88df3945f27c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.latrodectus_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_91b2f62d96756249c5bc2116ba49c8b0c1df538f3c82f3888f308bd5e8fea475" + logic_hash = "91b2f62d96756249c5bc2116ba49c8b0c1df538f3c82f3888f308bd5e8fea475" score = 75 quality = 75 tags = "FILE" 
@@ -181536,13 +181536,13 @@ rule MALPEDIA_Win_Btcware_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "994a0fb0-798e-5b7f-ad36-7eaa56a1a179" + id = "0a15c264-44c4-5125-8666-5205c4d8e175" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.btcware_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_f2d147920cfa04deca980bc5278a317aec1f05504da7229422f4351e420db59d" + logic_hash = "f2d147920cfa04deca980bc5278a317aec1f05504da7229422f4351e420db59d" score = 75 quality = 75 tags = "FILE" @@ -181575,13 +181575,13 @@ rule MALPEDIA_Win_Zupdax_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "75db184c-bc65-5160-873d-9cbd5659ade2" + id = "d7482dbc-f70b-5a30-84dd-76b8876bc623" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdax" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zupdax_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_c678dda4eb233d445c52eec76463d1638934195de484c67d217556190a9036d4" + logic_hash = "c678dda4eb233d445c52eec76463d1638934195de484c67d217556190a9036d4" score = 75 quality = 75 tags = "FILE" 
@@ -181614,13 +181614,13 @@ rule MALPEDIA_Win_Tflower_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "64690192-34a4-5849-9f69-c1b01732aa38" + id = "656aa3e8-bdba-5aaa-91e7-d2cae80667fc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tflower_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "v1_sha256_5567cb36102c74631716b6bc2ab76355b3e5f81ea5dbfa12803ccef6f940b1df" + logic_hash = "5567cb36102c74631716b6bc2ab76355b3e5f81ea5dbfa12803ccef6f940b1df" score = 75 quality = 75 tags = "FILE" @@ -181659,13 +181659,13 @@ rule MALPEDIA_Win_Babylon_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "89c230d9-121c-5e8f-a132-1df6f1666609" + id = "9f7a1796-9db6-5951-ad0f-bee6b4401843" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.babylon_rat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_21f4c795c3602b5a17bf075d20095868b597667dfa16017802f014398ad09283" + logic_hash = "21f4c795c3602b5a17bf075d20095868b597667dfa16017802f014398ad09283" score = 75 quality = 75 tags = "FILE" 
@@ -181698,13 +181698,13 @@ rule MALPEDIA_Win_Hikit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7e652416-6ec0-5a58-84cb-3a86042b2002" + id = "3cdc5f2c-e59e-5de2-a448-8a8d65bcfa6a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hikit_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_0bc449cc629b4fb561ad191213636c79bd60e251037b5d8cd78af6bf7f1045a2" + logic_hash = "0bc449cc629b4fb561ad191213636c79bd60e251037b5d8cd78af6bf7f1045a2" score = 75 quality = 75 tags = "FILE" @@ -181737,13 +181737,13 @@ rule MALPEDIA_Win_Rawdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "37d6e979-4ed0-5f75-ae0c-ab48a5b661bb" + id = "4d5ade47-14c0-5e98-bb49-10b170788d30" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rawdoor_auto.yar#L1-L155" license_url = "N/A" - logic_hash = "v1_sha256_271dc4d0258aafb48e5ea172443314b54c134d84f01d29ab84a2d16da5831287" + logic_hash = "271dc4d0258aafb48e5ea172443314b54c134d84f01d29ab84a2d16da5831287" score = 75 quality = 75 tags = "FILE" 
@@ -181781,13 +181781,13 @@ rule MALPEDIA_Win_Cryptic_Convo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "512cbdbd-ef8b-5a3d-876b-9016634a0d86" + id = "ee0bcadb-9b51-5f84-8a43-144a3ffa84ad" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptic_convo_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_ba224512d1d5c20e7f8dff36dcd163b0f00725bbb0cb250e1837ecee50522cf5" + logic_hash = "ba224512d1d5c20e7f8dff36dcd163b0f00725bbb0cb250e1837ecee50522cf5" score = 75 quality = 75 tags = "FILE" @@ -181820,13 +181820,13 @@ rule MALPEDIA_Win_Nvisospit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "22ddd34a-63ad-5d4d-a1dc-79110ef0c255" + id = "f5c60665-a01a-5768-8a20-3005a0276675" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nvisospit_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_bbf068c3d3b2f73248f6b6d32c9808daec6187590ab8231b3d2dc1fe1f513715" + logic_hash = "bbf068c3d3b2f73248f6b6d32c9808daec6187590ab8231b3d2dc1fe1f513715" score = 75 quality = 75 tags = "FILE" 
@@ -181859,13 +181859,13 @@ rule MALPEDIA_Win_Kins_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b2110a48-d69b-5157-a996-87ea958f6af2" + id = "d3620de7-0502-5d17-b47d-c76d16c08a91" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kins_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_f2c2bfcf5e7ce9dcb0b01d359d338a97b9128c8cf189b0c6d157b8680e4a55a3" + logic_hash = "f2c2bfcf5e7ce9dcb0b01d359d338a97b9128c8cf189b0c6d157b8680e4a55a3" score = 75 quality = 75 tags = "FILE" @@ -181898,13 +181898,13 @@ rule MALPEDIA_Win_Fonix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e8d57c2e-1ae3-52aa-af59-731c1232b43f" + id = "13e11a44-10a3-5017-894b-01b6a1809d38" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fonix_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_4ee726385c93cbef83aaf363fadcc91c1116e9967604b802fb868026ddede36e" + logic_hash = "4ee726385c93cbef83aaf363fadcc91c1116e9967604b802fb868026ddede36e" score = 75 quality = 75 tags = "FILE" 
@@ -181937,13 +181937,13 @@ rule MALPEDIA_Win_Goggles_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9e58408-8287-5e33-8fc1-06399ee5f72a" + id = "5a06c6e9-c0df-5eb2-9be8-0912ecacc960" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.goggles_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_6adf86a94e27e4da9bbef6eb899bde95be7c68b8b1a213561e769f61dd93d169" + logic_hash = "6adf86a94e27e4da9bbef6eb899bde95be7c68b8b1a213561e769f61dd93d169" score = 75 quality = 75 tags = "FILE" @@ -181976,13 +181976,13 @@ rule MALPEDIA_Win_Ziyangrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e6d0a5c5-722a-5efa-835d-b333b71254d8" + id = "201f34db-38cb-5eda-937b-85ae79e54374" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ziyangrat_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_f833bf74199bebd7dff936e145830c4820d190515f18da15b78535e3254684ab" + logic_hash = "f833bf74199bebd7dff936e145830c4820d190515f18da15b78535e3254684ab" score = 75 quality = 75 tags = "FILE" 
@@ -182015,13 +182015,13 @@ rule MALPEDIA_Win_Romeos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e14ca3d1-c086-513c-8900-fa37d340463c" + id = "bb3171da-1b84-5cda-93f9-c750b4ebf760" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.romeos_auto.yar#L1-L166" license_url = "N/A" - logic_hash = "v1_sha256_bf8e366219ae553a8681194274b3fe54bbd7c5cf107fd9635cc89862e4d3fd87" + logic_hash = "bf8e366219ae553a8681194274b3fe54bbd7c5cf107fd9635cc89862e4d3fd87" score = 75 quality = 75 tags = "FILE" @@ -182060,13 +182060,13 @@ rule MALPEDIA_Win_Temp_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "739e794a-46e7-5fbd-adfb-9a77d584846e" + id = "2b48048b-b096-5784-980a-c1580b4dfd03" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.temp_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.temp_stealer_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_2fe51b5c6906bc550bb0cdd93c915effb0d85e2b560daf9bcb0132c66585b9e7" + logic_hash = "2fe51b5c6906bc550bb0cdd93c915effb0d85e2b560daf9bcb0132c66585b9e7" score = 75 quality = 75 tags = "FILE" 
@@ -182099,13 +182099,13 @@ rule MALPEDIA_Win_Rifdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "64972f5b-5c7f-5949-a690-1cce4e1ecd0b" + id = "499aaa99-f413-5777-add2-b3ffc4ab58b2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rifdoor_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "v1_sha256_238633b85866a846f2bb6c165a492790b5a2e2a57ade12fcf4d261ecd5fc10cd" + logic_hash = "238633b85866a846f2bb6c165a492790b5a2e2a57ade12fcf4d261ecd5fc10cd" score = 75 quality = 75 tags = "FILE" @@ -182144,13 +182144,13 @@ rule MALPEDIA_Win_Hui_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "fece07b3-5053-5293-b344-2762557ff467" + id = "175084ea-2a45-5f42-bda4-3cc233036dd9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hui_loader_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_96ca3a225904ad2e70a598c1b3c7fa88d26822a60a6742e1663517bed35c0526" + logic_hash = "96ca3a225904ad2e70a598c1b3c7fa88d26822a60a6742e1663517bed35c0526" score = 75 quality = 75 tags = "FILE" 
@@ -182183,13 +182183,13 @@ rule MALPEDIA_Win_Listrix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8bc03eff-44af-50c7-973c-79c467277f89" + id = "f00b612a-8ee6-5314-b10b-7290e9e1e604" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.listrix_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_2287c5f695d49f8318bd5f0c78a77cdf4d2c441f03bbfda75594fd76fd20827f" + logic_hash = "2287c5f695d49f8318bd5f0c78a77cdf4d2c441f03bbfda75594fd76fd20827f" score = 75 quality = 75 tags = "FILE" @@ -182222,13 +182222,13 @@ rule MALPEDIA_Win_Virtualgate_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4df816d0-4602-55b2-a0f5-50a21bc3dd6f" + id = "532683a6-8cc0-5db0-a44c-3ae7cc350778" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.virtualgate" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.virtualgate_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_88ee3ecdf07b44d4f393563ecf7e06ea2c4377ec1fc56b55a448fb7ea043998d" + logic_hash = "88ee3ecdf07b44d4f393563ecf7e06ea2c4377ec1fc56b55a448fb7ea043998d" score = 75 quality = 75 tags = "FILE" 
@@ -182261,13 +182261,13 @@ rule MALPEDIA_Win_3Cx_Backdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a71b9ffb-252c-5d2b-9b9d-919c271f01f0" + id = "a2feaa4e-af6b-5757-88c5-19fa5e0f7c9e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.3cx_backdoor_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_92678e8f023e2e18a272c55dabf9fa5b49a39a58d01ec45cd8edb3c746fea107" + logic_hash = "92678e8f023e2e18a272c55dabf9fa5b49a39a58d01ec45cd8edb3c746fea107" score = 75 quality = 75 tags = "FILE" @@ -182300,13 +182300,13 @@ rule MALPEDIA_Win_Apocalipto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e1ae6845-111c-51af-8cb3-ea1c6a6e3bad" + id = "58f415e5-91b6-56af-81ea-f9ae50f28789" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.apocalipto_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_48ade2c833b72b6d2d3dc07dbbdbc3c6fed84013a5bea316066eb8c372c170b2" + logic_hash = "48ade2c833b72b6d2d3dc07dbbdbc3c6fed84013a5bea316066eb8c372c170b2" score = 75 quality = 75 tags = "FILE" 
@@ -182339,13 +182339,13 @@ rule MALPEDIA_Win_Gcleaner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "65fbdfae-2097-5f12-989e-05c108d6688b" + id = "f3bfcb33-d9d5-58c8-b732-fae47caf5ec8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gcleaner_auto.yar#L1-L110" license_url = "N/A" - logic_hash = "v1_sha256_46f1f4e86df7721d1ed8e6509c63180bfe445457c94a26b5c8b0a0ee89dd2952" + logic_hash = "46f1f4e86df7721d1ed8e6509c63180bfe445457c94a26b5c8b0a0ee89dd2952" score = 75 quality = 75 tags = "FILE" @@ -182378,13 +182378,13 @@ rule MALPEDIA_Win_Unidentified_076_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f253b641-2e93-5db9-86a6-11647cf9917d" + id = "0c83626b-47ce-55ce-a381-007bcb7e73d5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_076_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_92802d8a51aa29b7bc92df361f52f4a28a9ddff1846405226196ebfa4afe53d1" + logic_hash = "92802d8a51aa29b7bc92df361f52f4a28a9ddff1846405226196ebfa4afe53d1" score = 75 quality = 75 tags = "FILE" 
@@ -182417,13 +182417,13 @@ rule MALPEDIA_Win_Microcin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "239b2b00-32b8-56bb-afd2-a188f5b7d1d6" + id = "e3018704-b085-5615-9047-7419a64c6b42" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.microcin_auto.yar#L1-L451" license_url = "N/A" - logic_hash = "v1_sha256_ce937d5b0febb8a0ef0b69b389b9ac6e2a402988a44ce06e021321112f9c236c" + logic_hash = "ce937d5b0febb8a0ef0b69b389b9ac6e2a402988a44ce06e021321112f9c236c" score = 75 quality = 44 tags = "FILE" @@ -182496,13 +182496,13 @@ rule MALPEDIA_Win_Ratel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6483c8e4-3b9f-5002-a4c5-fec54c46fb0e" + id = "7eb1cf1a-9399-50f9-a3fb-9725ac6a1e01" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ratel_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_d4d80b213dd2387d65ee9b24a5f750334253f3a710c3a54d1bb71b146d82d823" + logic_hash = "d4d80b213dd2387d65ee9b24a5f750334253f3a710c3a54d1bb71b146d82d823" score = 75 quality = 75 tags = "FILE" 
@@ -182535,13 +182535,13 @@ rule MALPEDIA_Win_Imprudentcook_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e1102ea0-66b8-5b2e-87f9-92c648e53e1c" + id = "e705cf05-f0e2-52d1-a85e-1511f7ba8697" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.imprudentcook" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.imprudentcook_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_7d085ab823410a63e41a516b8f50c0d9f8600ba4763b5093b512309c5b8e436e" + logic_hash = "7d085ab823410a63e41a516b8f50c0d9f8600ba4763b5093b512309c5b8e436e" score = 75 quality = 75 tags = "FILE" @@ -182574,13 +182574,13 @@ rule MALPEDIA_Win_Magniber_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0645f536-caaa-56d2-84ae-f609b9ba22df" + id = "7fac4144-b4d1-566a-b639-19fbbfbfa437" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.magniber_auto.yar#L1-L168" license_url = "N/A" - logic_hash = "v1_sha256_f96a42bc667d201d8cee5f819105f9eb43cfe17ca799b1fa9b8dd76d6755feb0" + logic_hash = "f96a42bc667d201d8cee5f819105f9eb43cfe17ca799b1fa9b8dd76d6755feb0" score = 75 quality = 75 tags = "FILE" 
@@ -182619,13 +182619,13 @@ rule MALPEDIA_Win_Clop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "793c321a-ea21-5e71-9da0-ecf9970dbd1c" + id = "d1ccc182-0c15-5d56-97cc-8d7a704e7207" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.clop_auto.yar#L1-L193" license_url = "N/A" - logic_hash = "v1_sha256_3750789377624c88727401f0639208a90e22f423fdcc34c5c702f455dce2beef" + logic_hash = "3750789377624c88727401f0639208a90e22f423fdcc34c5c702f455dce2beef" score = 75 quality = 75 tags = "FILE" @@ -182668,13 +182668,13 @@ rule MALPEDIA_Win_Moriagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e85c44f0-f2fb-5530-809a-ece429461e02" + id = "8ea17c80-9deb-5afe-98a3-751e4ae48a8a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moriagent_auto.yar#L1-L152" license_url = "N/A" - logic_hash = "v1_sha256_b07e11158ac51efd9de0395dc805b23dd409bb1c9d15248d2eea5cac8417e1fb" + logic_hash = "b07e11158ac51efd9de0395dc805b23dd409bb1c9d15248d2eea5cac8417e1fb" score = 75 quality = 75 tags = "FILE" 
@@ -182712,13 +182712,13 @@ rule MALPEDIA_Win_W32Times_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a889528-c1c9-5987-b5f8-082ec24ef114" + id = "7f8cab1b-98aa-5ea0-a38a-8a88f0f95260" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.w32times_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_9e441675ff42eb62c793bece475e1238e60eea81c292e3ab2a330e03a3660487" + logic_hash = "9e441675ff42eb62c793bece475e1238e60eea81c292e3ab2a330e03a3660487" score = 75 quality = 75 tags = "FILE" @@ -182751,13 +182751,13 @@ rule MALPEDIA_Win_Dratzarus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c913dab2-e77a-585c-b783-94e2e9f0be45" + id = "9c3af3dd-4032-5af8-b2c4-ec6909e4538c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dratzarus_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_2840756e9ce2aef8d569e9bd5574fc7ae7c62b15ae58ef485173a9e6c40f95ff" + logic_hash = "2840756e9ce2aef8d569e9bd5574fc7ae7c62b15ae58ef485173a9e6c40f95ff" score = 75 quality = 75 tags = "FILE" 
@@ -182790,13 +182790,13 @@ rule MALPEDIA_Win_Blackmagic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "91b4a857-5a5f-5af4-b7a0-fe8d0d847bad" + id = "df0b2b99-699a-561e-81a2-262819321991" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmagic" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackmagic_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_8896e03618f3636d9e8021773bcbae5a5f1f7f57b30da18d455d4ffaf6317ffa" + logic_hash = "8896e03618f3636d9e8021773bcbae5a5f1f7f57b30da18d455d4ffaf6317ffa" score = 75 quality = 75 tags = "FILE" @@ -182829,13 +182829,13 @@ rule MALPEDIA_Win_Protonbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3f1b8630-b0a7-59b2-bd2e-92317c7966de" + id = "8cdc823c-c8c1-58ea-8d03-57dbf9ef2cfb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.protonbot_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_1da2c73b33dd64c5d5bd2696d510d134f1603c96fce2824c4a93e6a826735bf1" + logic_hash = "1da2c73b33dd64c5d5bd2696d510d134f1603c96fce2824c4a93e6a826735bf1" score = 75 quality = 75 tags = "FILE" 
@@ -182868,13 +182868,13 @@ rule MALPEDIA_Win_Rarog_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fdb31ada-dd22-53ef-8657-3de4d3b45525"
+ id = "6993ce44-e3a7-570d-bdd2-f949ea883388"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rarog_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_dcc275a3610670298392baeef430ff6a6f46366e16201b4054f65002692c15e6"
+ logic_hash = "dcc275a3610670298392baeef430ff6a6f46366e16201b4054f65002692c15e6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -182907,13 +182907,13 @@ rule MALPEDIA_Win_Hesperbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "25a41448-2af7-5b94-801f-e82fa5b48c6a"
+ id = "bb461f42-9b9a-5e68-bbce-8f8a48953354"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hesperbot_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_5b0325f4989a837a39c4052bc59652c8fb0f8c04335eefffdde925a80c93ba45"
+ logic_hash = "5b0325f4989a837a39c4052bc59652c8fb0f8c04335eefffdde925a80c93ba45"
 score = 75
 quality = 75
 tags = "FILE"
@@ -182946,13 +182946,13 @@ rule MALPEDIA_Win_Sobig_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "cf7a5149-cdad-56e1-9b13-b44049498681"
+ id = "1db89ea4-c7b4-580a-8658-7872983b45bd"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sobig_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_703647dd78e5c80dff25867b8b892bf4ae4d1517eb9d703a33dee66b43a14d30"
+ logic_hash = "703647dd78e5c80dff25867b8b892bf4ae4d1517eb9d703a33dee66b43a14d30"
 score = 75
 quality = 75
 tags = "FILE"
@@ -182985,13 +182985,13 @@ rule MALPEDIA_Win_Nspx30_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0b6a06d0-d600-5d08-9e9b-239eb2b7623d"
+ id = "47a5f87a-bd45-5a39-bf1f-2280475ca3dc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nspx30"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nspx30_auto.yar#L1-L307"
 license_url = "N/A"
- logic_hash = "v1_sha256_60a2afbb46ed2d066c5213f1fddc7a9e909463149f91997e5d932b09b46a1178"
+ logic_hash = "60a2afbb46ed2d066c5213f1fddc7a9e909463149f91997e5d932b09b46a1178"
 score = 75
 quality = 73
 tags = "FILE"
@@ -183045,13 +183045,13 @@ rule MALPEDIA_Win_Doublepulsar_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "efb60609-e682-5e94-a80a-b427179c9847"
+ id = "f29ce0a7-5938-5b7b-b2a5-1e58b48324b4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doublepulsar_auto.yar#L1-L178"
 license_url = "N/A"
- logic_hash = "v1_sha256_2279c234c2a28c8a309faafd6821b4cb1af9e5365add72a62e549a791ef8e967"
+ logic_hash = "2279c234c2a28c8a309faafd6821b4cb1af9e5365add72a62e549a791ef8e967"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183090,13 +183090,13 @@ rule MALPEDIA_Win_Vshell_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2787018e-7677-5da9-96cb-b7cf46d458d2"
+ id = "4d7f1293-ffbb-5626-82e1-c6ee180846fc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vshell"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vshell_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_0b9171ca5e9865b14566a3ce59438d8b7cb591eb5aa3cd70720ec9582e22ec53"
+ logic_hash = "0b9171ca5e9865b14566a3ce59438d8b7cb591eb5aa3cd70720ec9582e22ec53"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183129,13 +183129,13 @@ rule MALPEDIA_Win_Shimrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6e0cdeb1-7563-5b40-b790-17ef2fc29cf4"
+ id = "55457a06-1988-5269-89a3-7d42c80efbb3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shimrat_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a44a689bc8afe661c9129a62baf593cebe3f41d9c0399451d80b6ae3b28e636"
+ logic_hash = "9a44a689bc8afe661c9129a62baf593cebe3f41d9c0399451d80b6ae3b28e636"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183168,13 +183168,13 @@ rule MALPEDIA_Win_Bazarbackdoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5daf3e69-85e1-55f2-a462-11f0795cf0b7"
+ id = "a043fe1e-731d-5a9e-9fb9-7f9cee445985"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bazarbackdoor_auto.yar#L1-L596"
 license_url = "N/A"
- logic_hash = "v1_sha256_fa8de6b24d77371b268d10b4378b94df76c1989be3511c0a0f6cfa11ec9c195b"
+ logic_hash = "fa8de6b24d77371b268d10b4378b94df76c1989be3511c0a0f6cfa11ec9c195b"
 score = 75
 quality = 50
 tags = "FILE"
@@ -183269,13 +183269,13 @@ rule MALPEDIA_Win_Voldemort_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "218ff0f4-bfd0-5cd0-9919-6ba18078c586"
+ id = "115d33d2-50af-5fac-a879-fb480a2fd38a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.voldemort"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.voldemort_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_f8d7f88b5cd57c32e85ea5f0ae8c31ab594e2a2acc618e6a4574791256fd098d"
+ logic_hash = "f8d7f88b5cd57c32e85ea5f0ae8c31ab594e2a2acc618e6a4574791256fd098d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183308,13 +183308,13 @@ rule MALPEDIA_Win_Flying_Dutchman_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4d513e0d-e024-52cd-8724-5ee45afafd29"
+ id = "886d0773-9268-59b5-bd3b-294bdb3b9350"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flying_dutchman_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_db7ff3ab0ec7e2a2a2d94a46706f998e00b81b5002023e59f4f386401742ebb6"
+ logic_hash = "db7ff3ab0ec7e2a2a2d94a46706f998e00b81b5002023e59f4f386401742ebb6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183347,13 +183347,13 @@ rule MALPEDIA_Win_Friedex_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d4ecab61-96b1-5bc4-8396-022f559d65eb"
+ id = "2136bda7-6880-57af-8169-a2ba9b9744fa"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.friedex_auto.yar#L1-L174"
 license_url = "N/A"
- logic_hash = "v1_sha256_3133b9fe228e62a956c776f3b2c9ea0b2f6b9e5dde15151f1885bdca3ce807d5"
+ logic_hash = "3133b9fe228e62a956c776f3b2c9ea0b2f6b9e5dde15151f1885bdca3ce807d5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183392,13 +183392,13 @@ rule MALPEDIA_Win_Iispy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8be51c27-e65b-546a-8b01-5961d7dd39f7"
+ id = "f477a1c5-e3be-5ef8-b32e-8b426be4a34a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.iispy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.iispy_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_a63d1814fb9729f25b3d33b430e70a4df7089bb73b4fd099189f97e6642fe502"
+ logic_hash = "a63d1814fb9729f25b3d33b430e70a4df7089bb73b4fd099189f97e6642fe502"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183431,13 +183431,13 @@ rule MALPEDIA_Win_Green_Dispenser_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "74282c15-7f93-5e80-b240-1843de0da5fb"
+ id = "84ada711-0fc6-5325-8121-c6b1b7bed827"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.green_dispenser"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.green_dispenser_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_871957685fdf3c7f3a313c97f44c2b4e50a7c0cccb8e8255b3b477d16c388ef7"
+ logic_hash = "871957685fdf3c7f3a313c97f44c2b4e50a7c0cccb8e8255b3b477d16c388ef7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183470,13 +183470,13 @@ rule MALPEDIA_Win_C0D0So0_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d8d05f75-6777-5557-a3ec-144ad82dae84"
+ id = "bb44345c-7e5d-55a8-a363-6f4dd49ac691"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.c0d0so0_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_268a1640f52d336fbac005894a892b3cb4160d26716dda753325e6e4796f541a"
+ logic_hash = "268a1640f52d336fbac005894a892b3cb4160d26716dda753325e6e4796f541a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183509,13 +183509,13 @@ rule MALPEDIA_Win_Batchwiper_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "da6bca3a-81d7-52d9-b24f-366c3dc7ed01"
+ id = "8e0f816b-f334-5f53-bde8-8c13e5a1573a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.batchwiper_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_7b7cda4dab9bb8ec218294d77768f35a5d54eba78e3d583128b9f7cf9e6690f0"
+ logic_hash = "7b7cda4dab9bb8ec218294d77768f35a5d54eba78e3d583128b9f7cf9e6690f0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183548,13 +183548,13 @@ rule MALPEDIA_Win_Alreay_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6ae13bf3-b25a-5f41-b361-9dedbda5497c"
+ id = "01f61c78-bfa8-5f5f-a6a2-e7995cbc405d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.alreay_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_bcfb6d409e0586aac8c1117f30af44579c0e0ed1018da12aba1f4024fa72bbe6"
+ logic_hash = "bcfb6d409e0586aac8c1117f30af44579c0e0ed1018da12aba1f4024fa72bbe6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183587,13 +183587,13 @@ rule MALPEDIA_Win_Dispenserxfs_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "00ff9cb0-f21d-5dee-9337-73a408d82a89"
+ id = "49bf9fde-27a7-5a52-b363-6d4c360f5198"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dispenserxfs_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_0ae97d732c7fee9f1fd4b6377f2a916fed962748494ab51169af7ce6e36e4229"
+ logic_hash = "0ae97d732c7fee9f1fd4b6377f2a916fed962748494ab51169af7ce6e36e4229"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183626,13 +183626,13 @@ rule MALPEDIA_Win_Touchmove_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fab3efd7-7f83-59fd-96df-3f0fd93789ad"
+ id = "a88e9c25-4116-5e49-8a2c-fef3336f0802"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.touchmove_auto.yar#L1-L124"
 license_url = "N/A"
- logic_hash = "v1_sha256_519a7e3bd048a6a0769391087a62b1ec389f7202cc576a740e9eb0fb3d43844d"
+ logic_hash = "519a7e3bd048a6a0769391087a62b1ec389f7202cc576a740e9eb0fb3d43844d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183665,13 +183665,13 @@ rule MALPEDIA_Win_Skip20_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1715a1ef-e508-50be-8546-83e0deb15af3"
+ id = "15b7373a-f84f-57db-8d95-802539d58928"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.skip20_auto.yar#L1-L102"
 license_url = "N/A"
- logic_hash = "v1_sha256_9f59196702302927edbd3dc2784c10dacebf31e2e8430b74641bf84000e5924e"
+ logic_hash = "9f59196702302927edbd3dc2784c10dacebf31e2e8430b74641bf84000e5924e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183702,13 +183702,13 @@ rule MALPEDIA_Win_Lechiket_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e7c5cf43-046d-5bbd-be32-e8e5276d5c87"
+ id = "3c392c3e-349a-5ca1-96fd-f1ca584c8f71"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lechiket"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lechiket_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_e5f8571d03794447ef51373bbf17c3e068216c3a3171d9d6c8a00d68358f6b61"
+ logic_hash = "e5f8571d03794447ef51373bbf17c3e068216c3a3171d9d6c8a00d68358f6b61"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183741,13 +183741,13 @@ rule MALPEDIA_Win_Pkybot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "879a99ec-2c32-5bdd-b06c-6ecb23668226"
+ id = "9566564a-6687-550f-9183-0e62d1076054"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pkybot_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_a42386b2108c9d1af3a399f3ab6d599f676b5aeb865fae8577e3f6311e115c33"
+ logic_hash = "a42386b2108c9d1af3a399f3ab6d599f676b5aeb865fae8577e3f6311e115c33"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183780,13 +183780,13 @@ rule MALPEDIA_Win_Logtu_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "29eac636-77f4-5fd8-87fd-1f754cc65b8a"
+ id = "94e45298-e780-5ad6-8cab-2da098818af3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.logtu"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.logtu_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_b14516261bf7c410bd1f687a208584a9b7a9e03096d2ecbcc28b896d23b0142d"
+ logic_hash = "b14516261bf7c410bd1f687a208584a9b7a9e03096d2ecbcc28b896d23b0142d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183819,13 +183819,13 @@ rule MALPEDIA_Win_Banjori_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bb7d0aef-483d-5898-8fb9-aac24e307db9"
+ id = "0fe922ef-f1d7-5df7-a358-1fecc2c2b8e9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.banjori_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_0ea88ecfce727aae78a4405fc075f0c940df492b8f26cbc0ee71a3d10d4f39b8"
+ logic_hash = "0ea88ecfce727aae78a4405fc075f0c940df492b8f26cbc0ee71a3d10d4f39b8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -183858,13 +183858,13 @@ rule MALPEDIA_Win_Bka_Trojaner_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "628f4067-c3c9-5578-9fab-860463cf9a39"
+ id = "74ec4af9-e2de-59bf-b310-d52e9a27c28c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bka_trojaner_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_b667f447169e58d5bdd1a72921cf0718ce5c118c508bba9ba523771b59233c38"
+ logic_hash = "b667f447169e58d5bdd1a72921cf0718ce5c118c508bba9ba523771b59233c38"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183897,13 +183897,13 @@ rule MALPEDIA_Win_Crackedcantil_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "62682a36-713f-5a6b-a005-b745846ed781"
+ id = "52d95e2e-99ba-5a33-908a-7559ea7385c4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crackedcantil"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crackedcantil_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_17b1a73eb9ece6311db723bfa77f75998ebf06320351a537998796263eeb6f3a"
+ logic_hash = "17b1a73eb9ece6311db723bfa77f75998ebf06320351a537998796263eeb6f3a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183936,13 +183936,13 @@ rule MALPEDIA_Win_Bookcodesrat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4a7ac24e-e1ac-55f8-9d12-c73d0b1a28bb"
+ id = "99ba8457-466c-5891-8a8f-fdeb5f482f06"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bookcodesrat_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_97a726b41418f1d2b06b45e6dc5e4910d38bdcc7f5f296e48cad978114a25824"
+ logic_hash = "97a726b41418f1d2b06b45e6dc5e4910d38bdcc7f5f296e48cad978114a25824"
 score = 75
 quality = 75
 tags = "FILE"
@@ -183975,13 +183975,13 @@ rule MALPEDIA_Win_Shujin_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "14a1bc2b-8e00-5fa5-9f52-8b4d554c16aa"
+ id = "2a43000e-7971-5f56-a789-53c0781b645d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shujin_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_9e7c36d5a8e7a7e0db70030a2edbd679a6e8a68faaf57024a99c72983d6e53eb"
+ logic_hash = "9e7c36d5a8e7a7e0db70030a2edbd679a6e8a68faaf57024a99c72983d6e53eb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184014,13 +184014,13 @@ rule MALPEDIA_Win_Matrix_Banker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "82530052-9446-58ea-b99c-54f9b2187f1a"
+ id = "fbbbed54-1d1e-54ca-b972-776370388fdc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.matrix_banker_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_418333eb6355aa1c00334bbe82cc7f9927e2216ee2cd2f63bf5855e96db3a4a8"
+ logic_hash = "418333eb6355aa1c00334bbe82cc7f9927e2216ee2cd2f63bf5855e96db3a4a8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184053,13 +184053,13 @@ rule MALPEDIA_Win_Pebbledash_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ec1c2044-2e5a-5b22-a09b-fde77faa202d"
+ id = "32b0f21d-5afa-53d6-93e7-29fbd519196d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pebbledash_auto.yar#L1-L171"
 license_url = "N/A"
- logic_hash = "v1_sha256_9344c4ac60887a4e00c22de66e7202e2f1a072e514ea3fdd68e29205e525a98f"
+ logic_hash = "9344c4ac60887a4e00c22de66e7202e2f1a072e514ea3fdd68e29205e525a98f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184098,13 +184098,13 @@ rule MALPEDIA_Win_Rising_Sun_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6e46e97c-f421-5fcb-8918-da4d9630b4e5"
+ id = "e7041472-db64-5ca5-926c-a3eb0b3a9cad"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rising_sun_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_7e3e464c1a03d1cb6ef88adda73a2c17dabfe5f93751654747dc236b8a8e7509"
+ logic_hash = "7e3e464c1a03d1cb6ef88adda73a2c17dabfe5f93751654747dc236b8a8e7509"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184137,13 +184137,13 @@ rule MALPEDIA_Win_Collection_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7b5d3e75-cdaf-5732-b612-6e446f3f3b76"
+ id = "1b2d65a3-063f-5da2-afcb-bd2cf7ccde3f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.collection_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.collection_rat_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_a7a889a1cf63b732a0e6294d85395ab72d5994c8a4737c39e94d8d81761fea64"
+ logic_hash = "a7a889a1cf63b732a0e6294d85395ab72d5994c8a4737c39e94d8d81761fea64"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184176,13 +184176,13 @@ rule MALPEDIA_Win_Penco_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "9c88b8b0-20b2-5246-b556-95842ae2e144"
+ id = "a328cbb1-7204-553d-a05a-a09a312a6db7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.penco_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_e33ab85787ce312a011f9fd963d9c309cc71808ca3fa13b59754045a420c6308"
+ logic_hash = "e33ab85787ce312a011f9fd963d9c309cc71808ca3fa13b59754045a420c6308"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184215,13 +184215,13 @@ rule MALPEDIA_Win_Webc2_Table_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "96c78171-830e-59dc-9037-39ad0ba1fe2d"
+ id = "f2e05018-a2cd-5f74-9326-c8e1d8ecd04d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_table_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_7af577baa9db86d99239cfd53a2d34bbabd6fc2e47d46dae6b2b1756d43598d7"
+ logic_hash = "7af577baa9db86d99239cfd53a2d34bbabd6fc2e47d46dae6b2b1756d43598d7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184254,13 +184254,13 @@ rule MALPEDIA_Win_Tofsee_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "162bf417-4496-522d-bfe8-cb9045019db7"
+ id = "77c418f3-cea7-5bdf-bba1-bed4438fce6c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tofsee_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_072fc19fe47ee3a53dbd73b9def787fe701419f7ff08ef93e84b3d80d7a1f117"
+ logic_hash = "072fc19fe47ee3a53dbd73b9def787fe701419f7ff08ef93e84b3d80d7a1f117"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184293,13 +184293,13 @@ rule MALPEDIA_Win_Ariabody_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2b050b59-cd5c-5d65-9525-f3541b7616e6"
+ id = "09c48148-a35c-5dbf-9884-3f4ca9e8942d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ariabody_auto.yar#L1-L167"
 license_url = "N/A"
- logic_hash = "v1_sha256_d2889556cedcf38c4ea9e1f0b840f1fda159a165dc69125aae39d5a13e01fecd"
+ logic_hash = "d2889556cedcf38c4ea9e1f0b840f1fda159a165dc69125aae39d5a13e01fecd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184338,13 +184338,13 @@ rule MALPEDIA_Win_Obscene_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5af39186-6670-537b-9b07-078b7d86bd56"
+ id = "d248edfb-cd2d-59a2-b789-bf38244829c1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.obscene_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_39a0d4041b2cc668b4ace8ad4daf4cef6d2ee34b044053350de4964082b18c2d"
+ logic_hash = "39a0d4041b2cc668b4ace8ad4daf4cef6d2ee34b044053350de4964082b18c2d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184377,13 +184377,13 @@ rule MALPEDIA_Win_Winordll64_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "81feb80a-10c5-5a16-973c-b18aa9947262"
+ id = "08e3713d-71e0-5b8a-9ceb-d90daa753676"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.winordll64"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.winordll64_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_a4a004425dba88268c2d3d715c259f2863978c42cd46c83d869be58ecc44a5d1"
+ logic_hash = "a4a004425dba88268c2d3d715c259f2863978c42cd46c83d869be58ecc44a5d1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184416,13 +184416,13 @@ rule MALPEDIA_Win_Prestige_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4c6fafda-cacb-5431-9b5f-9544165d5674"
+ id = "e0029ece-b029-5766-af56-54e290d25cc7"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prestige"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.prestige_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_bf3e8d9d4daef418b3a3a7f61bd3283d0f9369ffef531d651e87452e24457972"
+ logic_hash = "bf3e8d9d4daef418b3a3a7f61bd3283d0f9369ffef531d651e87452e24457972"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184455,13 +184455,13 @@ rule MALPEDIA_Win_Mole_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "988eb0cf-3c01-5192-ad66-2b69efb93e6b"
+ id = "6fb57925-5672-50fa-ac3a-bb409269cd91"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mole_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_d2300b61acf948bdcbf42bf1210c281241845787d88efeb1407824c182f5bb45"
+ logic_hash = "d2300b61acf948bdcbf42bf1210c281241845787d88efeb1407824c182f5bb45"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184494,13 +184494,13 @@ rule MALPEDIA_Win_Ehdevel_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "28f8648f-2af2-5e09-8142-aa3f30cb8dec"
+ id = "7db917ef-bc83-5744-b6c0-6eb0a0f20aea"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ehdevel_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_9b05c9bc40d7442213206fba6f4d684a37ffe66d5cd633b4545ba4a54fb64f27"
+ logic_hash = "9b05c9bc40d7442213206fba6f4d684a37ffe66d5cd633b4545ba4a54fb64f27"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184533,13 +184533,13 @@ rule MALPEDIA_Win_Gootkit_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "82addef4-1fdd-524a-86fc-9cd0dd45bb4c"
+ id = "a3a6e6c9-1219-5f09-a9d1-18bdb3a0aef0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gootkit_auto.yar#L1-L333"
 license_url = "N/A"
- logic_hash = "v1_sha256_07bd7f30e8bca19c8b0b8ce140e27e4d72a01335eb0ac2905d18ed037638c9b8"
+ logic_hash = "07bd7f30e8bca19c8b0b8ce140e27e4d72a01335eb0ac2905d18ed037638c9b8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -184599,13 +184599,13 @@ rule MALPEDIA_Win_Bid_Ransomware_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "054e4a87-bad2-5fac-8627-ef5318139f5f"
+ id = "e2459c49-87ff-58be-b5d8-513cfe01796f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bid_ransomware_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_932fef61c31980fb36a4d7c0896110af89987a449be43ee55891fe684dd7e3ac"
+ logic_hash = "932fef61c31980fb36a4d7c0896110af89987a449be43ee55891fe684dd7e3ac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -184638,13 +184638,13 @@ rule MALPEDIA_Win_Montysthree_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f8c55eb9-4c68-5793-994a-a7c7805ab15a" + id = "0d03b577-0149-576c-bee9-a21123040e4f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.montysthree_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_bf3d99d0efe6d2be58b918ad67e35573b0208282c240cbcabb922d766da8ba39" + logic_hash = "bf3d99d0efe6d2be58b918ad67e35573b0208282c240cbcabb922d766da8ba39" score = 75 quality = 75 tags = "FILE" @@ -184677,13 +184677,13 @@ rule MALPEDIA_Win_Unidentified_078_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b986c32c-776a-5e76-8dc3-f87d1a1d80f9" + id = "64f36470-7870-5fa2-9ea9-c0ec36ad9821" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_078_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_b2ccb25b85c44f5791ffc176375cf264c69c00ab695680a03b0c62f11e1990f7" + logic_hash = "b2ccb25b85c44f5791ffc176375cf264c69c00ab695680a03b0c62f11e1990f7" score = 75 quality = 75 tags = "FILE" 
@@ -184716,13 +184716,13 @@ rule MALPEDIA_Win_Graphican_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea6abbfb-9a73-5381-ba2b-1bfa57a1f1c0" + id = "82332df7-f8b2-5311-821b-79a046dc5e4d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.graphican_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_e01b6a4a7e17b3788b0929c107b93003400ca0366bc88f55631d49ec789512b2" + logic_hash = "e01b6a4a7e17b3788b0929c107b93003400ca0366bc88f55631d49ec789512b2" score = 75 quality = 75 tags = "FILE" @@ -184755,13 +184755,13 @@ rule MALPEDIA_Win_Merdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d1883481-1720-5236-ba2f-ced81c630435" + id = "ef7053a5-476a-59b5-8ddd-5293675500e6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.merdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.merdoor_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_33a0b0b418ee0e7fb6e555149df68449fe325aead89e3fe3bc9a1904f1b68daf" + logic_hash = "33a0b0b418ee0e7fb6e555149df68449fe325aead89e3fe3bc9a1904f1b68daf" score = 75 quality = 75 tags = "FILE" 
@@ -184794,13 +184794,13 @@ rule MALPEDIA_Win_Conficker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "35b29bb7-152c-54c7-8972-802e0a0bc2b3" + id = "f0b1468f-9383-5532-bcfb-56c04dc4f4a8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.conficker_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_0479575ad4678a4af7a680c76d33baa6776a5c8edf9a46b4e7378756f89a04a2" + logic_hash = "0479575ad4678a4af7a680c76d33baa6776a5c8edf9a46b4e7378756f89a04a2" score = 75 quality = 75 tags = "FILE" @@ -184833,13 +184833,13 @@ rule MALPEDIA_Win_Geminiduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5adc8a9e-e6e4-5142-90b5-74400edf723e" + id = "02859369-3674-5db5-af28-f984437e92a6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.geminiduke" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.geminiduke_auto.yar#L1-L149" license_url = "N/A" - logic_hash = "v1_sha256_43a7a4a4b6211d31a7f1edbc5b1056c5050268b2a916bbe7f7b62319abe9e067" + logic_hash = "43a7a4a4b6211d31a7f1edbc5b1056c5050268b2a916bbe7f7b62319abe9e067" score = 75 quality = 75 tags = "FILE" 
@@ -184876,13 +184876,13 @@ rule MALPEDIA_Win_Bitter_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad4ea967-75c0-5997-99c6-e24100138007" + id = "b3eda11e-9841-5a64-a760-3d15b12e8c6a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bitter_rat_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_0cafad6913e5947920a6576295487b4fcd67fc675f1ae39a216d82d179786bf2" + logic_hash = "0cafad6913e5947920a6576295487b4fcd67fc675f1ae39a216d82d179786bf2" score = 75 quality = 75 tags = "FILE" @@ -184915,13 +184915,13 @@ rule MALPEDIA_Win_Credraptor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d2ae423d-d5b9-5bfd-9465-0ff695beb800" + id = "e8ed5662-d50d-5276-970c-7ae5bc800549" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.credraptor_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_a2be5c2e7aba128bc464089768bae22c73dd588e7ba2a1d837a215f744aa4638" + logic_hash = "a2be5c2e7aba128bc464089768bae22c73dd588e7ba2a1d837a215f744aa4638" score = 75 quality = 75 tags = "FILE" 
@@ -184954,13 +184954,13 @@ rule MALPEDIA_Win_Unidentified_006_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "484802e1-8718-58d8-ba4a-a9ac5e1bc067" + id = "1d29f273-95a4-58bd-87cd-6ac677036b5c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_006_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_dd723dd2c53afa22a9c28d9c9c06ec724a63cc0cfcf78b59a425b4cdf0fd8bc1" + logic_hash = "dd723dd2c53afa22a9c28d9c9c06ec724a63cc0cfcf78b59a425b4cdf0fd8bc1" score = 75 quality = 75 tags = "FILE" @@ -184993,13 +184993,13 @@ rule MALPEDIA_Win_Punkey_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a6aba704-6d45-5377-a08b-a2889942e53f" + id = "4e1fe79b-2125-523a-abd5-f08f284bf027" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.punkey_pos_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_be3234349330303fdbacc67e779ee45aced60b2ad5880e7a508a6b6e58a3eaf4" + logic_hash = "be3234349330303fdbacc67e779ee45aced60b2ad5880e7a508a6b6e58a3eaf4" score = 75 quality = 75 tags = "FILE" 
@@ -185032,13 +185032,13 @@ rule MALPEDIA_Win_Faketc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bb52fb4d-1976-5b80-ab7d-f41a592701b4" + id = "c5dc084d-e278-57fb-9514-ebf606045902" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.faketc_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_d4858f4d36b9ea8cb8d8cc99b63821ae69695a27a1935e91bfea486ad5660c7d" + logic_hash = "d4858f4d36b9ea8cb8d8cc99b63821ae69695a27a1935e91bfea486ad5660c7d" score = 75 quality = 75 tags = "FILE" @@ -185071,13 +185071,13 @@ rule MALPEDIA_Win_Nagini_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "29b7c8bf-8278-5962-b6b9-b9bdd716cffb" + id = "36bcfb0a-2346-546a-ae2c-0b00cc2618a0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nagini_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_0c83f5c5996fc3fecace2eca42d157da471f759617384a5504d89fe38e4a9faf" + logic_hash = "0c83f5c5996fc3fecace2eca42d157da471f759617384a5504d89fe38e4a9faf" score = 75 quality = 75 tags = "FILE" 
@@ -185110,13 +185110,13 @@ rule MALPEDIA_Win_Xiangoop_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1aff2e52-2364-58f0-9897-39209099fe0b" + id = "6e84a1ce-b3cc-5c7d-80b5-2c2f7136b8d8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiangoop" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xiangoop_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_3a1a5f28cac0124e198da0edd11ac88ef86aa9a350a33831b6bb7ce30756bca1" + logic_hash = "3a1a5f28cac0124e198da0edd11ac88ef86aa9a350a33831b6bb7ce30756bca1" score = 75 quality = 75 tags = "FILE" @@ -185149,13 +185149,13 @@ rule MALPEDIA_Win_Unidentified_075_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "559cb477-2c95-51d3-b1c6-beb70eb18b13" + id = "147c0d53-aecb-5cae-ac7f-14d52d3c203f" date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_075_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_10617fdfd534147bc5e0f7e922724e69d45c37af66d21f98c629fa1bac685120" + logic_hash = "10617fdfd534147bc5e0f7e922724e69d45c37af66d21f98c629fa1bac685120" score = 75 quality = 75 tags = "FILE" 
@@ -185188,13 +185188,13 @@ rule MALPEDIA_Win_Juicy_Potato_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e6c66d4f-0616-554f-a10f-e26bce509ccf" + id = "8d631ed2-d4c1-50a7-a41e-e61bbdbf9578" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.juicy_potato_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_95a9bfa286d63983a17370c06426811d86dabf6e0c8c9f41f87914697070c991" + logic_hash = "95a9bfa286d63983a17370c06426811d86dabf6e0c8c9f41f87914697070c991" score = 75 quality = 75 tags = "FILE" @@ -185227,13 +185227,13 @@ rule MALPEDIA_Win_Oni_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "28dd5dfe-b54e-508b-884f-ac74fc3e72ab" + id = "5b8ed8df-ac04-55ed-9aa1-c25508ccaf69" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oni" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.oni_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_a1166454b136e06548b4b89fd8ff394c058729ff7d3b6449cb76520548366b87" + logic_hash = "a1166454b136e06548b4b89fd8ff394c058729ff7d3b6449cb76520548366b87" score = 75 quality = 75 tags = "FILE" 
@@ -185266,13 +185266,13 @@ rule MALPEDIA_Win_Romcom_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "df6e5f41-0010-59c1-ae87-6755bc9bfeac" + id = "ac368bf9-8ebe-5cf1-b296-f1d215e57efb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.romcom_rat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_4c8cc2f6b48e17e29a12ff93bdda011d4ae8c63471090287633ffb79d5adb21a" + logic_hash = "4c8cc2f6b48e17e29a12ff93bdda011d4ae8c63471090287633ffb79d5adb21a" score = 75 quality = 75 tags = "FILE" @@ -185305,13 +185305,13 @@ rule MALPEDIA_Win_Curator_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "45bf79c2-80f6-5ff4-adae-19a31e358a51" + id = "fa7637d1-ef72-55c1-9cd8-4047e79769b0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.curator" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.curator_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_385564603afac75ab1aef52e96073e79dd684407e092688731815c7fd2379a64" + logic_hash = "385564603afac75ab1aef52e96073e79dd684407e092688731815c7fd2379a64" score = 75 quality = 75 tags = "FILE" 
@@ -185344,13 +185344,13 @@ rule MALPEDIA_Win_Chthonic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9aad3357-eb58-586c-ae7c-8be3a6a369f8" + id = "88bbe6d9-2022-5fe0-b1f7-f4f3c2df3385" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chthonic_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_da867e1af67cf97ccf35b53e1588f870d915e4ed4b4f2f84ed6de90f903a9195" + logic_hash = "da867e1af67cf97ccf35b53e1588f870d915e4ed4b4f2f84ed6de90f903a9195" score = 75 quality = 75 tags = "FILE" @@ -185383,13 +185383,13 @@ rule MALPEDIA_Win_Gspy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "657ee87a-9e1e-5f08-9666-5ecf06a496f0" + id = "5725a0eb-387e-5f55-9c61-97bda1555361" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gspy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gspy_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_c2942f87aa0e0d3cd7efb2debc57b53c46a950e05b62dce63b5340d2d7cb5666" + logic_hash = "c2942f87aa0e0d3cd7efb2debc57b53c46a950e05b62dce63b5340d2d7cb5666" score = 75 quality = 75 tags = "FILE" 
@@ -185422,13 +185422,13 @@ rule MALPEDIA_Win_Unidentified_099_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5cc151fc-5a8d-5475-9f22-0fb348ad86bf" + id = "d97436b2-5a7b-573d-8a35-42ed42551daa" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_099" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_099_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_05815599a06afec044356539b7fb022948a8fa88c4aa5bb33d6e484e946176ef" + logic_hash = "05815599a06afec044356539b7fb022948a8fa88c4aa5bb33d6e484e946176ef" score = 75 quality = 75 tags = "FILE" @@ -185461,13 +185461,13 @@ rule MALPEDIA_Win_Adylkuzz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b598f436-2f28-5fae-97c8-ba6d351d7a6a" + id = "265860c5-c195-5ef7-81e8-066fa261eab1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.adylkuzz_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_a5ced23a2b6a73ae95a9a6a65000eaf7907a66a0c142cf3646367ed2ee46dd3d" + logic_hash = "a5ced23a2b6a73ae95a9a6a65000eaf7907a66a0c142cf3646367ed2ee46dd3d" score = 75 quality = 75 tags = "FILE" 
@@ -185500,13 +185500,13 @@ rule MALPEDIA_Win_Unidentified_088_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "753f157c-6e01-561f-8e51-3aa4325ed3c1" + id = "b2c85c30-7ba6-55a0-9cd5-72dd624b0463" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_088" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_088_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_43e33104a2b3e4b5653d5103e68195a062333638b6afc520c108067d1cded5c7" + logic_hash = "43e33104a2b3e4b5653d5103e68195a062333638b6afc520c108067d1cded5c7" score = 75 quality = 75 tags = "FILE" @@ -185539,13 +185539,13 @@ rule MALPEDIA_Win_Dtrack_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5e4ea24b-8bce-5d33-9700-7ac86db38eb5" + id = "d8f3c989-b720-5ce0-af93-3bde59a2fdab" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dtrack_auto.yar#L1-L158" license_url = "N/A" - logic_hash = "v1_sha256_245b50e28635461a6214109a0274cb2a754a0f5b0ed2d19ab52e688b26ae3fdb" + logic_hash = "245b50e28635461a6214109a0274cb2a754a0f5b0ed2d19ab52e688b26ae3fdb" score = 75 quality = 75 tags = "FILE" 
@@ -185583,13 +185583,13 @@ rule MALPEDIA_Win_Smokeloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "53eafc80-00c3-5d9c-b357-9dd16ec61cb3" + id = "f23556ba-5c41-5731-b926-98b3ff953aa7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.smokeloader_auto.yar#L1-L557" license_url = "N/A" - logic_hash = "v1_sha256_14e5b0cfca13af7489c48288e9aa993c0a3271acbd4222a869c5d82af431f76e" + logic_hash = "14e5b0cfca13af7489c48288e9aa993c0a3271acbd4222a869c5d82af431f76e" score = 75 quality = 50 tags = "FILE" @@ -185677,13 +185677,13 @@ rule MALPEDIA_Win_Darkside_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9c141b26-e629-5dac-83c9-4bba7b5b295d" + id = "78d056bd-691e-5837-8a3e-d494c36948d5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkside_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_6b8e9b7a9d216743f758468d2821e935f995800b913ca32663480c8ad049b99d" + logic_hash = "6b8e9b7a9d216743f758468d2821e935f995800b913ca32663480c8ad049b99d" score = 75 quality = 75 tags = "FILE" 
@@ -185716,13 +185716,13 @@ rule MALPEDIA_Win_Mbrlocker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ae53ea8b-56a3-57c4-9827-24627a047b29" + id = "6a472526-8a03-5ccc-a5eb-10b46b34c6da" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mbrlocker_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_2abe677d378843746aa6479444a4219927906b009fff2766ade4f081783dbae6" + logic_hash = "2abe677d378843746aa6479444a4219927906b009fff2766ade4f081783dbae6" score = 75 quality = 75 tags = "FILE" @@ -185755,13 +185755,13 @@ rule MALPEDIA_Win_Khrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b2028b0e-21a5-5398-95e7-5c9b435e4db4" + id = "6db105ed-fa5f-5732-ac42-40d20165099d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.khrat_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_d3a598db6b81f9cdf5c2df41f102b4f7efaa91eac99a2097cd83dc35f1bc7100" + logic_hash = "d3a598db6b81f9cdf5c2df41f102b4f7efaa91eac99a2097cd83dc35f1bc7100" score = 75 quality = 75 tags = "FILE" 
@@ -185794,13 +185794,13 @@ rule MALPEDIA_Win_Retefe_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7bef3c44-8532-5a68-bc93-835da00a6cbf" + id = "db079941-ad88-585f-9381-dc621d03f57c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.retefe_auto.yar#L1-L261" license_url = "N/A" - logic_hash = "v1_sha256_10f5fe00ae8dec2b9fe4c64e3188b2157517c220142d93e2bb2a9654bee449af" + logic_hash = "10f5fe00ae8dec2b9fe4c64e3188b2157517c220142d93e2bb2a9654bee449af" score = 75 quality = 73 tags = "FILE" @@ -185852,13 +185852,13 @@ rule MALPEDIA_Win_Longwatch_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f3455b1d-485c-5e60-a283-e6fea42590d9" + id = "b41781a5-fa9e-5caa-89a9-6b017c4409b3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.longwatch_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_7e9f24cefc29fec880f531c16b44bc6a332c0d308ff5c0a0db91cf7bbb28f078" + logic_hash = "7e9f24cefc29fec880f531c16b44bc6a332c0d308ff5c0a0db91cf7bbb28f078" score = 75 quality = 75 tags = "FILE" 
@@ -185891,13 +185891,13 @@ rule MALPEDIA_Win_Bs2005_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "47655830-f7b8-55a6-8c21-19792c9b2933" + id = "d7ab1e13-ba2d-5cc6-b498-29127d7b94b4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bs2005_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_9437688f1e9a849259370cda11e68d8a858bd8cd17b5169c95f49dad03ad5566" + logic_hash = "9437688f1e9a849259370cda11e68d8a858bd8cd17b5169c95f49dad03ad5566" score = 75 quality = 75 tags = "FILE" @@ -185930,13 +185930,13 @@ rule MALPEDIA_Win_Ghost_Secret_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2fa4f349-f3eb-502f-8a56-a22a44c221a8" + id = "aa96bf29-3993-5fcb-89d9-e0ea92c3a3df" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_secret" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ghost_secret_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_c0493088659adfee49574a5acb9764a23e419d0406508dff35abe1e75e13521d" + logic_hash = "c0493088659adfee49574a5acb9764a23e419d0406508dff35abe1e75e13521d" score = 75 quality = 75 tags = "FILE" 
@@ -185969,13 +185969,13 @@ rule MALPEDIA_Win_Sword_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "81ef6442-c114-5c12-a5a8-b6e65f70e9d6" + id = "d4f1eb68-153e-5ccd-81d3-89b6b9da3f3a" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sword_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_065f81feabb14c35e08637eea61a6954f973d06eb84d7a6351d2f07f555efbd2" + logic_hash = "065f81feabb14c35e08637eea61a6954f973d06eb84d7a6351d2f07f555efbd2" score = 75 quality = 75 tags = "FILE" @@ -186008,13 +186008,13 @@ rule MALPEDIA_Win_Coinminer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "676e54d4-8ee0-5c9d-a3ca-5befc38988e7" + id = "e53c74f5-8d04-54ad-a733-6c3d22f8d0e4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.coinminer_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_06dcc1977408b543966283c5e3d6aefe14c67fca3216b7316faa289a6df0dd9d" + logic_hash = "06dcc1977408b543966283c5e3d6aefe14c67fca3216b7316faa289a6df0dd9d" score = 75 quality = 75 tags = "FILE" 
@@ -186047,13 +186047,13 @@ rule MALPEDIA_Win_Stormwind_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a257286e-bb6e-5ba3-9523-d4aa251684e5" + id = "80614d8b-8924-5b45-b8c5-f7daeb22acc2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stormwind" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stormwind_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_1831a86c13bffd90b9334f0a5afcc717f00e9aac3ae8337459965aab192d5d98" + logic_hash = "1831a86c13bffd90b9334f0a5afcc717f00e9aac3ae8337459965aab192d5d98" score = 75 quality = 75 tags = "FILE" @@ -186086,13 +186086,13 @@ rule MALPEDIA_Win_Lightbunny_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d4428df-cdf6-53c5-8a2c-4c7ee5e6ab06" + id = "86c71225-3e49-57f7-8a14-1d446e18ff78" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightbunny" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lightbunny_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_33cbdcbf0c5d4d510f8f905bf01b71c8a0fd5566bc7f248daf644c66992c59c1" + logic_hash = "33cbdcbf0c5d4d510f8f905bf01b71c8a0fd5566bc7f248daf644c66992c59c1" score = 75 quality = 75 tags = "FILE" 
@@ -186125,13 +186125,13 @@ rule MALPEDIA_Win_Gemcutter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5916d14f-56bd-5d43-afca-e992fe7164f3" + id = "f2a59f86-1075-5464-b91b-cb447c183566" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gemcutter_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_9745c8061ab88116351043d55251d3e8c32737ca442027c8a6620480abc8c8bf" + logic_hash = "9745c8061ab88116351043d55251d3e8c32737ca442027c8a6620480abc8c8bf" score = 75 quality = 75 tags = "FILE" @@ -186164,13 +186164,13 @@ rule MALPEDIA_Win_Synccrypt_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6964b1be-7800-5312-8524-d3d99cd9710c" + id = "c0acfe97-1049-5df6-8be2-e1920c7563c7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.synccrypt_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_36fed86930a547a043d213272378804045281c22493a08490f720ea6d556929c" + logic_hash = "36fed86930a547a043d213272378804045281c22493a08490f720ea6d556929c" score = 75 quality = 45 tags = "FILE" 
@@ -186203,13 +186203,13 @@ rule MALPEDIA_Win_Makadocs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25d2f762-77ba-5eff-a25e-8e606dee3ef7" + id = "d7e05dca-32b3-50ff-8846-a9085f7d1f77" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.makadocs_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_d5f25f8d17e486ca7957ad641a672887ad1c923171b871947c68e6256fe8b85d" + logic_hash = "d5f25f8d17e486ca7957ad641a672887ad1c923171b871947c68e6256fe8b85d" score = 75 quality = 75 tags = "FILE" @@ -186242,13 +186242,13 @@ rule MALPEDIA_Win_Neddnloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c8725a0c-0d18-5bd5-9d43-52a6793ea4d9" + id = "e15402b8-b469-5172-91e2-075f5a9b23c1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.neddnloader_auto.yar#L1-L170" license_url = "N/A" - logic_hash = "v1_sha256_77a49dc1eddd877e4d25ede9f8b3d2e84b63610bcd03fbfc5a12361b574a00c2" + logic_hash = "77a49dc1eddd877e4d25ede9f8b3d2e84b63610bcd03fbfc5a12361b574a00c2" score = 75 quality = 75 tags = "FILE" 
@@ -186287,13 +186287,13 @@ rule MALPEDIA_Win_Entryshell_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "68482f04-5aee-5019-9f0d-b2c39960c056" + id = "f7004160-2921-54d6-8486-e3c529e5d739" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.entryshell" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.entryshell_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_99234173465f72334050322378ee4ca31b5cc7ed20c04f0fbc21ed7db2e5d8fb" + logic_hash = "99234173465f72334050322378ee4ca31b5cc7ed20c04f0fbc21ed7db2e5d8fb" score = 75 quality = 75 tags = "FILE" @@ -186326,13 +186326,13 @@ rule MALPEDIA_Win_Racket_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7787c762-cfc3-513f-820a-6e3394afc723" + id = "fdbc67f2-dd9c-564f-803b-5a571eceba53" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.racket" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.racket_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_8c447bff92b42700b626fab2f15edaccf604f14572851cce781a5a45ae5fbde2" + logic_hash = "8c447bff92b42700b626fab2f15edaccf604f14572851cce781a5a45ae5fbde2" score = 75 quality = 75 tags = "FILE" 
@@ -186365,13 +186365,13 @@ rule MALPEDIA_Win_Rapid_Ransom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "93d8945f-4088-5006-b566-9c17e317557c" + id = "c76663f4-5d9b-5e27-96de-31f5287939c0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rapid_ransom_auto.yar#L1-L162" license_url = "N/A" - logic_hash = "v1_sha256_420102af1054256a36b0f8f07d0daf89ae38632ab058ebfe54352c8eea1f1c3e" + logic_hash = "420102af1054256a36b0f8f07d0daf89ae38632ab058ebfe54352c8eea1f1c3e" score = 75 quality = 75 tags = "FILE" @@ -186409,13 +186409,13 @@ rule MALPEDIA_Win_Hi_Zor_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a7955272-a512-52a2-a7d3-e5fcc7c891b3" + id = "24f4aee1-0c12-5135-acc3-79b59762efbf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hi_zor_rat_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_8af52d284dd3ab5b7dd25e47f9e41f3a65d45bdcdc9d0dd1ec6d75ccfe311424" + logic_hash = "8af52d284dd3ab5b7dd25e47f9e41f3a65d45bdcdc9d0dd1ec6d75ccfe311424" score = 75 quality = 75 tags = "FILE" 
@@ -186448,13 +186448,13 @@ rule MALPEDIA_Win_Kronos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a4f510de-a937-53a9-ab98-1553996087e1" + id = "a0b4b62f-a866-556e-9f95-bc6e89d12770" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kronos_auto.yar#L1-L101" license_url = "N/A" - logic_hash = "v1_sha256_47204f1b85469eed91b1a8f9ff5dd1693684b7472dfd0cf1125143da1fd8fdea" + logic_hash = "47204f1b85469eed91b1a8f9ff5dd1693684b7472dfd0cf1125143da1fd8fdea" score = 75 quality = 75 tags = "FILE" @@ -186485,13 +186485,13 @@ rule MALPEDIA_Win_Mqsttang_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e7b95ad0-9534-5076-91f3-11870ce8ddfe" + id = "5c891dae-4eed-590b-b193-46c6fc31d649" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mqsttang" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mqsttang_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_730db72c4ecde718fd98b702027c89d493008b2e112f78653e06311a808dd020" + logic_hash = "730db72c4ecde718fd98b702027c89d493008b2e112f78653e06311a808dd020" score = 75 quality = 75 tags = "FILE" 
@@ -186524,13 +186524,13 @@ rule MALPEDIA_Win_Qhost_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "30419395-1ef2-5d00-a76a-aaba8233294e" + id = "b665b26d-0cb0-522b-ad4c-ae26d70948e9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.qhost_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_9e1768d558cd3150b7b786a97888fc646ca0ae377a338c2bb336a3ca12cb703a" + logic_hash = "9e1768d558cd3150b7b786a97888fc646ca0ae377a338c2bb336a3ca12cb703a" score = 75 quality = 75 tags = "FILE" @@ -186563,13 +186563,13 @@ rule MALPEDIA_Win_Redpepper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "890227d3-c211-585f-8a7a-ae018719db3b" + id = "fe9a2c74-3bcd-57d2-a4a6-d3f35fe0f1be" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.redpepper_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_c4da24b7951d6f6fb7e27212edbac20ef8484913731cd43af2131db52962e64a" + logic_hash = "c4da24b7951d6f6fb7e27212edbac20ef8484913731cd43af2131db52962e64a" score = 75 quality = 75 tags = "FILE" 
@@ -186602,13 +186602,13 @@ rule MALPEDIA_Win_Bunitu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "184c7ca9-def7-5a54-990c-e16424076805" + id = "b836f62d-ccb0-5139-8fb4-d5cfc207aba0" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bunitu_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_1cf3d7359d010e00d7ff20ba5e701d6257e9f7229ca17c7a247d649a01d8b461" + logic_hash = "1cf3d7359d010e00d7ff20ba5e701d6257e9f7229ca17c7a247d649a01d8b461" score = 75 quality = 75 tags = "FILE" @@ -186641,13 +186641,13 @@ rule MALPEDIA_Win_Unidentified_061_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f740743b-47d8-5c48-a1bf-29f2a51f7231" + id = "59888b60-a3e6-5e9f-a441-429646fe0731" date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_061_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_ee3ce5b6c77f09c690f7a934c26be09c58c4fcdee70275b61c00e527d8aa097d" + logic_hash = "ee3ce5b6c77f09c690f7a934c26be09c58c4fcdee70275b61c00e527d8aa097d" score = 75 quality = 75 tags = "FILE" 
@@ -186680,13 +186680,13 @@ rule MALPEDIA_Win_Webbytea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d83f58db-d5bf-54d3-b4e8-d74ea89dd12f" + id = "289bbfb0-4c87-5ec8-bb1c-f221332bf4ea" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webbytea_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_5634a8f7fcf9d0a5da9524118130e9bacc28a4059c716e709153bee5aa0b255e" + logic_hash = "5634a8f7fcf9d0a5da9524118130e9bacc28a4059c716e709153bee5aa0b255e" score = 75 quality = 75 tags = "FILE" @@ -186719,13 +186719,13 @@ rule MALPEDIA_Win_Backswap_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2c42d2f7-d243-525b-9dde-fb2bc411c9df" + id = "6e17f855-5952-50ed-bf6a-366f7e607462" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.backswap_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_bb4d774b5a39969b7683aade4505aad39c80dbe023defeb6c0c050fb546e7038" + logic_hash = "bb4d774b5a39969b7683aade4505aad39c80dbe023defeb6c0c050fb546e7038" score = 75 quality = 75 tags = "FILE" 
@@ -186758,13 +186758,13 @@ rule MALPEDIA_Win_Anchormtea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2daee2cd-4f8e-590f-8619-4d21a4644c01" + id = "75878680-af6e-531f-abbe-374c7f6b18e7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormtea" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.anchormtea_auto.yar#L1-L152" license_url = "N/A" - logic_hash = "v1_sha256_b646f5ea9da3552482b100437224e4af5475bebe8d62d4511d1baeeadc61942b" + logic_hash = "b646f5ea9da3552482b100437224e4af5475bebe8d62d4511d1baeeadc61942b" score = 75 quality = 75 tags = "FILE" @@ -186802,13 +186802,13 @@ rule MALPEDIA_Win_Hookinjex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e6a37ce0-5c06-58dd-acba-8994981775bd" + id = "71399701-93a4-54b6-a1f8-3cb7f4c94c21" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hookinjex" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hookinjex_auto.yar#L1-L157" license_url = "N/A" - logic_hash = "v1_sha256_8fbd3eb9a9d2410863924e40f8ff07b371959d0645dbb4e7cd7484e6ff1ff474" + logic_hash = "8fbd3eb9a9d2410863924e40f8ff07b371959d0645dbb4e7cd7484e6ff1ff474" score = 60 quality = 25 tags = "FILE" 
@@ -186847,13 +186847,13 @@ rule MALPEDIA_Win_Starsypound_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c9f7204f-f1f8-5357-a5b3-fe5f39a05290" + id = "70e37162-3a73-596a-8d7d-42b9d85b78f7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.starsypound_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_abf4ae91c4287e1227ba24bd55f61dc3c1250c1b8b21f760166157e29806933f" + logic_hash = "abf4ae91c4287e1227ba24bd55f61dc3c1250c1b8b21f760166157e29806933f" score = 75 quality = 75 tags = "FILE" @@ -186886,13 +186886,13 @@ rule MALPEDIA_Win_Fct_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4c02ee9b-08c4-554b-b69c-8872d139b85c" + id = "abc15496-5280-5df8-8374-6c73912930cc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fct" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fct_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_459978803baa25140106f0b9d6fb1e3d43d379e92c63a80a39a4b43b54ebb800" + logic_hash = "459978803baa25140106f0b9d6fb1e3d43d379e92c63a80a39a4b43b54ebb800" score = 75 quality = 75 tags = "FILE" 
@@ -186925,13 +186925,13 @@ rule MALPEDIA_Win_Icedid_Downloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1122b489-83ca-56ae-be26-fa732a8b7df3" + id = "a6a24661-a781-5517-9bde-5f4ae21f58dc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.icedid_downloader_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_8833f99bb1bd77711eb78fc1bd4033ed964a1a4a33594d443cf638144662738b" + logic_hash = "8833f99bb1bd77711eb78fc1bd4033ed964a1a4a33594d443cf638144662738b" score = 75 quality = 75 tags = "FILE" @@ -186964,13 +186964,13 @@ rule MALPEDIA_Win_Unidentified_113_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bf9c3e9e-3741-5d94-9096-6608a4eb1b53" + id = "fca9d6d2-018c-5238-a2c5-d26ca95c2862" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_113" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_113_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_55ef739d0acd0e849dcf600673496f5aa2583f128c784d3cf7a14a872f001ae1" + logic_hash = "55ef739d0acd0e849dcf600673496f5aa2583f128c784d3cf7a14a872f001ae1" score = 75 quality = 75 tags = "FILE" 
@@ -187003,13 +187003,13 @@ rule MALPEDIA_Win_Hazy_Load_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "77f8a76f-dbb9-5580-b8e5-db52e4bb2ef2" + id = "fbfa1e78-dff1-53dc-80af-71732a4c81b4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hazy_load" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hazy_load_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_fd77b624c32a8e3f12aae94d42471fe8468beed29de311ba6e72f1538f11b350" + logic_hash = "fd77b624c32a8e3f12aae94d42471fe8468beed29de311ba6e72f1538f11b350" score = 75 quality = 75 tags = "FILE" @@ -187042,13 +187042,13 @@ rule MALPEDIA_Win_Stration_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "07b0fb94-14eb-5a5f-8358-84f427a58051" + id = "a114ca5f-e8f5-5b6c-8d4b-c8b226c24232" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.stration_auto.yar#L1-L117" license_url = "N/A" - logic_hash = "v1_sha256_810e080388d75ad01155fee822907ac9d5b404fa94d6259fc807c41db11a9cc8" + logic_hash = "810e080388d75ad01155fee822907ac9d5b404fa94d6259fc807c41db11a9cc8" score = 75 quality = 75 tags = "FILE" 
@@ -187081,13 +187081,13 @@ rule MALPEDIA_Win_Xfscashncr_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "208a50dc-9c2f-524d-902c-8f742a45a74f" + id = "aa68c3d3-6057-5726-9c6a-29c3062e0a39" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xfscashncr_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_8cc1f9194ac942ef01eaad15d7e35adea44a498eaca746d03287f1cf0f22bf7b" + logic_hash = "8cc1f9194ac942ef01eaad15d7e35adea44a498eaca746d03287f1cf0f22bf7b" score = 75 quality = 75 tags = "FILE" @@ -187120,13 +187120,13 @@ rule MALPEDIA_Win_Manitsme_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c3590be2-2bdd-5690-89ba-b9f692cf88ae" + id = "db884f68-52e3-535c-a75f-a98978605003" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.manitsme_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_272de9774cf5a8eb5198458ddf07f5bca3359e27fa527484a54e8b750a92c4ea" + logic_hash = "272de9774cf5a8eb5198458ddf07f5bca3359e27fa527484a54e8b750a92c4ea" score = 75 quality = 75 tags = "FILE" 
@@ -187159,13 +187159,13 @@ rule MALPEDIA_Win_Graphical_Neutrino_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dc470237-e69f-5d3f-8810-bff9b21984e4" + id = "709b8c7e-3b27-57db-a7ca-ec92842eb964" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.graphical_neutrino_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_20fe129c0f852597f7609ecc786913a363ba634ff126dc42ff1c434f04b54173" + logic_hash = "20fe129c0f852597f7609ecc786913a363ba634ff126dc42ff1c434f04b54173" score = 75 quality = 75 tags = "FILE" @@ -187198,13 +187198,13 @@ rule MALPEDIA_Win_Cueisfry_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ba2e7472-6d6e-5e78-ad9d-57453ce04e52" + id = "3f94f63a-bd01-5ab8-af5f-ba8550248461" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cueisfry_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_fe662cbb30073bd6bd4ed92effaa065add48a5ad78c3a6b1fdab8c2e82a82aba" + logic_hash = "fe662cbb30073bd6bd4ed92effaa065add48a5ad78c3a6b1fdab8c2e82a82aba" score = 75 quality = 75 tags = "FILE" 
@@ -187237,13 +187237,13 @@ rule MALPEDIA_Win_Carrotbat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1c11946d-76f4-56ff-ba76-bff1c12160b9" + id = "1f5a4e61-8efd-5abd-b8fb-2f87b63c93c7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.carrotbat_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_e53146cb3545ca99ae66e1a10fcb74cff088286f73e969b286c25b4fb9383fdf" + logic_hash = "e53146cb3545ca99ae66e1a10fcb74cff088286f73e969b286c25b4fb9383fdf" score = 75 quality = 75 tags = "FILE" @@ -187276,13 +187276,13 @@ rule MALPEDIA_Win_Concealment_Troy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "12d93ed1-7f54-5923-b343-ef4a37a7e440" + id = "f25da06b-e34f-5ec3-afca-981eed54a3f2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.concealment_troy_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_5ef8bd4e1cd35f7f8cc8bada75a137689ed8949f72f34f8e30aca42d1738a1ce" + logic_hash = "5ef8bd4e1cd35f7f8cc8bada75a137689ed8949f72f34f8e30aca42d1738a1ce" score = 75 quality = 75 tags = "FILE" 
@@ -187315,13 +187315,13 @@ rule MALPEDIA_Win_8T_Dropper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "be9cd56d-c38e-56cb-8643-c90f28d181ab" + id = "485513e6-6a30-5542-9db5-771c168cddae" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.8t_dropper_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_ce9c22a4da7356dd0a0bfe7a1e7d1abeadd8c256121840ed85ba440a85beb469" + logic_hash = "ce9c22a4da7356dd0a0bfe7a1e7d1abeadd8c256121840ed85ba440a85beb469" score = 75 quality = 75 tags = "FILE" @@ -187354,13 +187354,13 @@ rule MALPEDIA_Win_Thumbthief_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5c65374e-0507-51a3-9bde-3c39195e9b2e" + id = "c07df13f-4d93-5b5e-9219-11a7b6751d3c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.thumbthief_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_48fc10818492752c11b968a2d68b30a1043a5a183785607a78ccc035f88fcdc3" + logic_hash = "48fc10818492752c11b968a2d68b30a1043a5a183785607a78ccc035f88fcdc3" score = 75 quality = 75 tags = "FILE" 
@@ -187393,13 +187393,13 @@ rule MALPEDIA_Win_Logpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c535eb50-52a8-5c60-86ff-46c8cb1529dd" + id = "35b4ad0a-906a-5aa4-a185-d299d314c772" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.logpos_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_1f09c571a98b8191fefaf5488e1ffd2ed1ffe04d05c499ee0ffd2f1f5274e533" + logic_hash = "1f09c571a98b8191fefaf5488e1ffd2ed1ffe04d05c499ee0ffd2f1f5274e533" score = 75 quality = 75 tags = "FILE" @@ -187432,13 +187432,13 @@ rule MALPEDIA_Win_Ripper_Atm_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "402f4c15-e2ea-5805-ac6d-5b3993f083e5" + id = "e53a9e99-401d-50a0-8b9f-eabc46d865fe" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ripper_atm_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_d8b90900e28d85311ea385a629a5f77668a5882f0cccbfa3d22ef622cc722131" + logic_hash = "d8b90900e28d85311ea385a629a5f77668a5882f0cccbfa3d22ef622cc722131" score = 75 quality = 75 tags = "FILE" 
@@ -187471,13 +187471,13 @@ rule MALPEDIA_Win_Seduploader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2815992d-8cef-5f94-a492-0627529870d8" + id = "abd18501-c80d-5d3c-830d-4070c5a4c096" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.seduploader_auto.yar#L1-L109" license_url = "N/A" - logic_hash = "v1_sha256_ad39ca6734688a1ba0a401112f23db476ff01fef94039db8596308ec3fce36d4" + logic_hash = "ad39ca6734688a1ba0a401112f23db476ff01fef94039db8596308ec3fce36d4" score = 75 quality = 75 tags = "FILE" @@ -187510,13 +187510,13 @@ rule MALPEDIA_Win_Casper_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71585731-4b56-553b-9979-f468653e66c1" + id = "e6e721c8-dd07-5896-b009-f293b597cc79" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.casper_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_44b510f3119535b0c0c8064d1c39533cfa6df7cf823ef2fa1ba3402aaa98bcc5" + logic_hash = "44b510f3119535b0c0c8064d1c39533cfa6df7cf823ef2fa1ba3402aaa98bcc5" score = 75 quality = 75 tags = "FILE" 
@@ -187549,13 +187549,13 @@ rule MALPEDIA_Win_Payloadbin_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b008c33a-b6ac-5d89-af9d-de68c53afb2b" + id = "b954a512-78f3-562b-9197-a6a1e74a513b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.payloadbin" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.payloadbin_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_800c1bff3826d8d61dac146dc7e96bbf271b1fb2a9cc74c55e98e32d0540be8c" + logic_hash = "800c1bff3826d8d61dac146dc7e96bbf271b1fb2a9cc74c55e98e32d0540be8c" score = 75 quality = 75 tags = "FILE" @@ -187588,13 +187588,13 @@ rule MALPEDIA_Win_Albaniiutas_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9b14d3be-8890-57c8-8385-b1d83270d72a" + id = "ed214e5c-6897-5f8e-bd2b-0bb8f51690d9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.albaniiutas_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_4a292a9bd7e73dd3f8f38b0c5f35ad3036161e113ab281f4d09533b41c3cbb43" + logic_hash = "4a292a9bd7e73dd3f8f38b0c5f35ad3036161e113ab281f4d09533b41c3cbb43" score = 75 quality = 75 tags = "FILE" 
@@ -187627,13 +187627,13 @@ rule MALPEDIA_Win_Buterat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d69fc413-0634-5517-98f4-3dfab3ae27bc" + id = "25ad2a50-49be-5d4a-bf97-43396868ed49" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.buterat_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_b70d6ce44ee783afa32cbecdbe7cf8ccdf3b06b682102fb9a600b816f864c117" + logic_hash = "b70d6ce44ee783afa32cbecdbe7cf8ccdf3b06b682102fb9a600b816f864c117" score = 75 quality = 75 tags = "FILE" @@ -187666,13 +187666,13 @@ rule MALPEDIA_Win_Spectre_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "365d1622-4de3-5d3e-92d3-362946419ea1" + id = "97f71f8a-8fe2-5a94-98b9-e19f44e57e9b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spectre" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spectre_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_fb8efa47f6cbb2730748ec520c0057da98d0d3b4bb855873b3521ccc59bde3f2" + logic_hash = "fb8efa47f6cbb2730748ec520c0057da98d0d3b4bb855873b3521ccc59bde3f2" score = 75 quality = 75 tags = "FILE" 
@@ -187705,13 +187705,13 @@ rule MALPEDIA_Win_Adhubllka_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c7f6af49-39ff-5939-a2e5-5108f78c49fe" + id = "60da8c7f-6dd6-527d-a4d7-5811a92e6c32" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.adhubllka_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_f31f80e2e1b5812b9eab30806e14c5a9a3d65252ed9a183d7a41e8edbf56db58" + logic_hash = "f31f80e2e1b5812b9eab30806e14c5a9a3d65252ed9a183d7a41e8edbf56db58" score = 75 quality = 75 tags = "FILE" @@ -187744,13 +187744,13 @@ rule MALPEDIA_Win_Magic_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c7d8f92a-26ce-5a68-909b-e18488bef1ad" + id = "294a613b-706a-59cd-8861-ad8f327481f6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.magic_rat_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_6b25c43e846cdbf4276d18349be54a1db9c0a30e7cc0f465fa60ef70531174db" + logic_hash = "6b25c43e846cdbf4276d18349be54a1db9c0a30e7cc0f465fa60ef70531174db" score = 60 quality = 45 tags = "FILE" 
@@ -187783,13 +187783,13 @@ rule MALPEDIA_Win_Scieron_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9db62fd9-c947-5520-b7e7-6576f879c817" + id = "1a215415-1cbd-5509-a833-0e80720c59be" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.scieron_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_f3ffce1ac52929398289b6099b241833a19e91e706a019cc700fc14e11b03b2d" + logic_hash = "f3ffce1ac52929398289b6099b241833a19e91e706a019cc700fc14e11b03b2d" score = 75 quality = 75 tags = "FILE" @@ -187822,13 +187822,13 @@ rule MALPEDIA_Win_Unidentified_089_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "43a089a4-59cb-5112-a089-beed32bea66d" + id = "f61e4a77-808b-5e07-801b-03e57ce838b5" date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_089_auto.yar#L1-L98" license_url = "N/A" - logic_hash = "v1_sha256_f9666eb88fbd91e0eb2e4b4c8812230b36d73d66192fed407aecfaa8f0ed362a" + logic_hash = "f9666eb88fbd91e0eb2e4b4c8812230b36d73d66192fed407aecfaa8f0ed362a" score = 75 quality = 75 tags = "FILE" 
@@ -187859,13 +187859,13 @@ rule MALPEDIA_Win_Hotwax_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f750468e-b4bd-5a3a-b7bf-4b56190fd65a" + id = "d6f02e96-b0de-561a-b1c4-f7fa097556ab" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hotwax_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_fe64f11364e8e368736d318c239a3692d708ee4c24b150c29655e2d18f1cd86c" + logic_hash = "fe64f11364e8e368736d318c239a3692d708ee4c24b150c29655e2d18f1cd86c" score = 75 quality = 75 tags = "FILE" @@ -187898,13 +187898,13 @@ rule MALPEDIA_Win_Common_Magic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "83c7a872-a7b8-5420-b056-d076e2e16f19" + id = "01685495-e500-52ed-8d28-52ffda64d4ce" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.common_magic_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_f088c9c6d83029098f6560147761ea146208530ef1a48657d7b10a76113354f7" + logic_hash = "f088c9c6d83029098f6560147761ea146208530ef1a48657d7b10a76113354f7" score = 75 quality = 75 tags = "FILE" 
@@ -187937,13 +187937,13 @@ rule MALPEDIA_Win_Gopuram_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4f0505d4-dbeb-5477-b37f-78029d4b3058" + id = "8d1cf207-19a7-572a-8ca5-3e711cdc3ad9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gopuram" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gopuram_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_9c847639dd3b37832d4dad79157d5016a8deee4fa6901036c6568baf2f1743d6" + logic_hash = "9c847639dd3b37832d4dad79157d5016a8deee4fa6901036c6568baf2f1743d6" score = 75 quality = 75 tags = "FILE" @@ -187976,13 +187976,13 @@ rule MALPEDIA_Win_Jasus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1aa70aa5-4be7-537f-adac-34fac34652c5" + id = "e40f0cf2-c464-539f-a5ee-e734bdbeed88" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jasus_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_2c691c8874b1ab7be876ba59aead20405103b0885bc9bec7a0a38d9442642c23" + logic_hash = "2c691c8874b1ab7be876ba59aead20405103b0885bc9bec7a0a38d9442642c23" score = 75 quality = 75 tags = "FILE" 
@@ -188015,13 +188015,13 @@ rule MALPEDIA_Win_Rm3_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "189a1f48-4ac9-5896-ba0a-9420078e342e" + id = "b9c899fd-24b6-544d-a199-56585ec67459" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rm3_auto.yar#L1-L368" license_url = "N/A" - logic_hash = "v1_sha256_1f5fb30680a7291833cb3efcb87bc5516507b42236b00016cdde1fb7cc527979" + logic_hash = "1f5fb30680a7291833cb3efcb87bc5516507b42236b00016cdde1fb7cc527979" score = 75 quality = 73 tags = "FILE" @@ -188084,13 +188084,13 @@ rule MALPEDIA_Win_Prometei_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8fd26b9d-6a0e-570e-a510-4a12c199d5da" + id = "73d3f76f-d3b0-5e4d-8b8d-e04a2bcf37d7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.prometei_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "v1_sha256_72d6c26be48c032cc1c8fed3d3613c60659d58796a856f7285dd7faf58b4fc32" + logic_hash = "72d6c26be48c032cc1c8fed3d3613c60659d58796a856f7285dd7faf58b4fc32" score = 75 quality = 75 tags = "FILE" 
@@ -188129,13 +188129,13 @@ rule MALPEDIA_Win_Project_Wood_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ea117b05-45d3-56d3-8a29-52298769e280" + id = "eadfb598-e06d-536a-8983-e068733d6495" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.project_wood" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.project_wood_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_92c5f7de9849db3abd82c6a5e3e8ba38f7353d944f46cacae8fc567f574f0ddc" + logic_hash = "92c5f7de9849db3abd82c6a5e3e8ba38f7353d944f46cacae8fc567f574f0ddc" score = 75 quality = 75 tags = "FILE" @@ -188168,13 +188168,13 @@ rule MALPEDIA_Win_Amtsol_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cdd59013-aa28-5727-9e6f-4385efb605c4" + id = "d1d86fa3-9623-55ab-a209-71141f53945c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.amtsol_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_0a770dc5a932b1002072b79c5d73e29f3137e050ecc56387df95b6b6024c1535" + logic_hash = "0a770dc5a932b1002072b79c5d73e29f3137e050ecc56387df95b6b6024c1535" score = 75 quality = 75 tags = "FILE" 
@@ -188207,13 +188207,13 @@ rule MALPEDIA_Win_Bolek_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3cd56c77-bd65-568b-bd1f-99ae2b64a2a9" + id = "15e34de8-623e-5f2f-9d4c-c44b8f35819d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bolek_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_403a7b71c7f1728fba717836e961ac65b351f821c9556b0d1663304cb6494bb7" + logic_hash = "403a7b71c7f1728fba717836e961ac65b351f821c9556b0d1663304cb6494bb7" score = 75 quality = 75 tags = "FILE" @@ -188246,13 +188246,13 @@ rule MALPEDIA_Win_Quiterat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "96df8f83-72b5-50f6-8a55-c62e097755ba" + id = "77d947fb-1cf9-5915-bdff-e8a9015c7494" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.quiterat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.quiterat_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_a310f4ac3c641f7313b25e7928a0fd6d50c428f9dd3945e05d910454f6c56057" + logic_hash = "a310f4ac3c641f7313b25e7928a0fd6d50c428f9dd3945e05d910454f6c56057" score = 75 quality = 75 tags = "FILE" 
@@ -188285,13 +188285,13 @@ rule MALPEDIA_Win_Homefry_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2e93dfbe-8aec-5107-bb62-cd54b090fadd" + id = "7df805f2-9572-5d41-ae6a-f57f653d9d31" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.homefry_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_7ca7431c5f68652158a7da10d411e05a72b05761bc09d487931a01e83f98c509" + logic_hash = "7ca7431c5f68652158a7da10d411e05a72b05761bc09d487931a01e83f98c509" score = 75 quality = 75 tags = "FILE" @@ -188324,13 +188324,13 @@ rule MALPEDIA_Win_Darkmoon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "114909f6-af97-5d24-99e6-bf922322ced6" + id = "5d3b6757-7119-5541-a7be-7724ca1cd5bf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkmoon_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_d37414a84f00a17b4ccc08379aad2daedc420510e1678b61639cea473c36abeb" + logic_hash = "d37414a84f00a17b4ccc08379aad2daedc420510e1678b61639cea473c36abeb" score = 75 quality = 75 tags = "FILE" 
@@ -188363,13 +188363,13 @@ rule MALPEDIA_Win_Ascentloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "33f42512-1799-5b50-beb6-56d854c9865b" + id = "52e48a17-f763-5fcc-946a-031eef291a19" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ascentloader_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_47183e13937994500473836e864be558b3709bce2edd5ef734fa1f084094231f" + logic_hash = "47183e13937994500473836e864be558b3709bce2edd5ef734fa1f084094231f" score = 75 quality = 75 tags = "FILE" @@ -188402,13 +188402,13 @@ rule MALPEDIA_Win_Unidentified_111_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "269f1c79-fb43-5149-b040-35fc43355c1e" + id = "761c3c1a-627b-5adf-b1c2-f96f11c05a94" date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_111_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_8a86a6eb9509e0a5b4e912cde53abfcabb23f3644fc565d69ca8396c5dc5d7c9" + logic_hash = "8a86a6eb9509e0a5b4e912cde53abfcabb23f3644fc565d69ca8396c5dc5d7c9" score = 75 quality = 75 tags = "FILE" 
@@ -188441,13 +188441,13 @@ rule MALPEDIA_Win_Grimagent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50418724-ba70-5897-8382-60bd54f78534" + id = "382b2b71-faf8-5a36-9cf2-cfc0231fe5c7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.grimagent_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_cb883960783c6a0a5fc69c20e118ca0de5603c9daad18851a44812dd938995b0" + logic_hash = "cb883960783c6a0a5fc69c20e118ca0de5603c9daad18851a44812dd938995b0" score = 75 quality = 75 tags = "FILE" @@ -188480,13 +188480,13 @@ rule MALPEDIA_Win_Kurton_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2ea8517b-5e46-5609-8807-77f1f489fff2" + id = "ae340b25-d60e-5936-9704-4ef115d92a62" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kurton_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_98f093531c4285f2e18a4965e5bde7f8dfb22eacc63485687a98c0565a239fa8" + logic_hash = "98f093531c4285f2e18a4965e5bde7f8dfb22eacc63485687a98c0565a239fa8" score = 75 quality = 75 tags = "FILE" 
@@ -188519,13 +188519,13 @@ rule MALPEDIA_Win_Ldr4_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "09066572-6f1a-590b-8fe9-239258bd174c" + id = "e9bf8314-609f-5a98-b31a-45503c13f904" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ldr4" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ldr4_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_53ff90205c01818bf39f4f2440172f0cbaed0a0fe830aff04c528ba3bd5f6dab" + logic_hash = "53ff90205c01818bf39f4f2440172f0cbaed0a0fe830aff04c528ba3bd5f6dab" score = 75 quality = 75 tags = "FILE" @@ -188558,13 +188558,13 @@ rule MALPEDIA_Win_Batel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e110d0d7-1565-5060-8723-6a178b9e1c0b" + id = "678ea513-45df-57d6-9805-5abca0dd9fcc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.batel_auto.yar#L1-L235" license_url = "N/A" - logic_hash = "v1_sha256_731869ba11fac648e9df7ba8fc3d93220b79591052bdb6d5c0dfe953901a0596" + logic_hash = "731869ba11fac648e9df7ba8fc3d93220b79591052bdb6d5c0dfe953901a0596" score = 75 quality = 73 tags = "FILE" 
@@ -188610,13 +188610,13 @@ rule MALPEDIA_Win_Vidar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a3d0645c-ca85-53d6-81f1-36c0e1265a6a" + id = "4940e312-352d-5104-84b1-3e1a86d1ecab" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vidar_auto.yar#L1-L422" license_url = "N/A" - logic_hash = "v1_sha256_78072c96fd4e60233539f368a83645e6e3c45bf8d23ede4d4f8a97936d6b546c" + logic_hash = "78072c96fd4e60233539f368a83645e6e3c45bf8d23ede4d4f8a97936d6b546c" score = 75 quality = 50 tags = "FILE" @@ -188686,13 +188686,13 @@ rule MALPEDIA_Win_Nitlove_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "64810567-bd3a-5fdf-9c94-5fb7abcbf041" + id = "b0d01298-0d5a-55f1-9d4e-e8ef0815c02e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nitlove_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_39f2491a6c684fee2e407b59de9df647d75dd52440711335af5e0d5784c94ebd" + logic_hash = "39f2491a6c684fee2e407b59de9df647d75dd52440711335af5e0d5784c94ebd" score = 75 quality = 75 tags = "FILE" 
@@ -188725,13 +188725,13 @@ rule MALPEDIA_Win_Poortry_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "33a9b841-3df1-5819-9a09-f9dca479fd1c" + id = "a1a56f3e-7edd-5f6c-95ad-6a7e0151c6bc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poortry" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poortry_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_061aa3c00188d534d84cadb6424381cd58cb3c5879a428a6e59fbe1a6fec0983" + logic_hash = "061aa3c00188d534d84cadb6424381cd58cb3c5879a428a6e59fbe1a6fec0983" score = 75 quality = 75 tags = "FILE" @@ -188764,13 +188764,13 @@ rule MALPEDIA_Win_Microbackdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f2af9ecd-90ca-5aa9-a74b-c2ddd2737645" + id = "ca439651-8945-55d7-8b43-498ad02227fd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.microbackdoor_auto.yar#L1-L179" license_url = "N/A" - logic_hash = "v1_sha256_a9f80afe51613a501aee1e06cfe93241c41ac6752fa256f5ea6aad4ef6ad5201" + logic_hash = "a9f80afe51613a501aee1e06cfe93241c41ac6752fa256f5ea6aad4ef6ad5201" score = 75 quality = 75 tags = "FILE" 
@@ -188809,13 +188809,13 @@ rule MALPEDIA_Win_Icondown_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c3e50f6e-59d8-5fec-8803-936faea0c7c8" + id = "5373046f-833e-5b65-887b-89e409444e78" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.icondown_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_bd300aef1bbb9e18b32c6db589be33a644549d928eba04fbddb21d95cf446793" + logic_hash = "bd300aef1bbb9e18b32c6db589be33a644549d928eba04fbddb21d95cf446793" score = 75 quality = 75 tags = "FILE" @@ -188848,13 +188848,13 @@ rule MALPEDIA_Win_Industroyer2_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a995db9d-7565-53ee-8aaa-8b38446f517d" + id = "be2f5050-30a2-53df-a694-0ba33b5871cf" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.industroyer2_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_94208b597eddeff9489860d6342fc47049a5b4b079735882fa37a055dd142db4" + logic_hash = "94208b597eddeff9489860d6342fc47049a5b4b079735882fa37a055dd142db4" score = 75 quality = 75 tags = "FILE" 
@@ -188887,13 +188887,13 @@ rule MALPEDIA_Win_Xpertrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0d8c57bb-2be3-555a-85b2-89499cb841be" + id = "e49e4f10-4f24-5d5f-a0ba-93859bc43e3e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.xpertrat_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "v1_sha256_0756c58d6846e1ce6d5f3a4d4ce8c4c63505cae3368973abe64928b289231578" + logic_hash = "0756c58d6846e1ce6d5f3a4d4ce8c4c63505cae3368973abe64928b289231578" score = 75 quality = 75 tags = "FILE" @@ -188932,13 +188932,13 @@ rule MALPEDIA_Win_Satellite_Turla_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "899dd1e6-74d2-51e1-8b5a-7a015681e751" + id = "021a1167-58db-5ce8-8597-0f62f23fcc56" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.satellite_turla_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "v1_sha256_e5dfd974166d3696682fe85d3bf761357a2cf777cf6c86d583494170169c67ee" + logic_hash = "e5dfd974166d3696682fe85d3bf761357a2cf777cf6c86d583494170169c67ee" score = 75 quality = 75 tags = "FILE" 
@@ -188977,13 +188977,13 @@ rule MALPEDIA_Win_Blackenergy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "056aeab2-2b52-5f45-9b95-8b7cccf97aba" + id = "75f134c5-71b6-5322-a009-b31d954d7d23" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blackenergy_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_1873575f4ba8e3b3e090543b90afdc434ae43dfa997f5bef2241328cdcb2b4cc" + logic_hash = "1873575f4ba8e3b3e090543b90afdc434ae43dfa997f5bef2241328cdcb2b4cc" score = 75 quality = 75 tags = "FILE" @@ -189016,13 +189016,13 @@ rule MALPEDIA_Win_Slave_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "27dfa500-2a9b-5c30-bdfe-251c73cfca34" + id = "b045c957-b6f9-5c69-b89f-41a2fc8766bd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.slave_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_32dc8f0602dd0c995ffd6f35edd82eaee41a96ee44816d90c15c92afe3d59d57" + logic_hash = "32dc8f0602dd0c995ffd6f35edd82eaee41a96ee44816d90c15c92afe3d59d57" score = 75 quality = 75 tags = "FILE" 
@@ -189055,13 +189055,13 @@ rule MALPEDIA_Win_Sombrat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad330d10-e7e2-55fe-914a-b2de2a0651e2" + id = "0c91fe38-2a08-5223-9951-dfa72ae3e5ad" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sombrat_auto.yar#L1-L152" license_url = "N/A" - logic_hash = "v1_sha256_cbad5e11330408439cf135255bf75438d03367a5c47a9504ff97a59c98c52d54" + logic_hash = "cbad5e11330408439cf135255bf75438d03367a5c47a9504ff97a59c98c52d54" score = 75 quality = 75 tags = "FILE" @@ -189100,13 +189100,13 @@ rule MALPEDIA_Win_Afrodita_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "50bbda74-4970-59d2-ba5b-9a080ce5e1f6" + id = "abc25194-e40d-5d3d-8aa7-1b131b3ce317" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.afrodita_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_5cdb28e0e0c0d2fc18f90f498d1e0e06f36fb26b48f78ae36bd548bd118d94b5" + logic_hash = "5cdb28e0e0c0d2fc18f90f498d1e0e06f36fb26b48f78ae36bd548bd118d94b5" score = 75 quality = 75 tags = "FILE" 
@@ -189139,13 +189139,13 @@ rule MALPEDIA_Win_Rtm_Locker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9f6cfa9c-e4e4-5e3c-9008-3110283a314c" + id = "0ddce877-c810-52c5-9bdb-6bdd5bdc33c5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm_locker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rtm_locker_auto.yar#L1-L125" license_url = "N/A" - logic_hash = "v1_sha256_368fcfca2d19a0bfd2fafa00b39d1c6b06c40ca85cdf8b686f8ad87f29bc5ebf" + logic_hash = "368fcfca2d19a0bfd2fafa00b39d1c6b06c40ca85cdf8b686f8ad87f29bc5ebf" score = 75 quality = 75 tags = "FILE" @@ -189178,13 +189178,13 @@ rule MALPEDIA_Win_Doplugs_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "393981cf-0bff-5c31-9696-2e8b2b7d7d2f" + id = "25bc6674-e80a-5978-bdcd-775785ac724e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doplugs" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doplugs_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_f953831840b57858258557fc6d861ade3d3cd53d14e6b5f923d0ab7ef61db359" + logic_hash = "f953831840b57858258557fc6d861ade3d3cd53d14e6b5f923d0ab7ef61db359" score = 75 quality = 75 tags = "FILE" 
@@ -189217,13 +189217,13 @@ rule MALPEDIA_Win_Webc2_Ausov_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4ed6242f-f867-5092-868f-0a95e1c1e226" + id = "f988a94d-ce66-5749-aa7b-8d72d93ac6d8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_ausov_auto.yar#L1-L112" license_url = "N/A" - logic_hash = "v1_sha256_1e4b39bc03f6a1c14963eaf8f0b58843065ae625a870f162ccaf462590958318" + logic_hash = "1e4b39bc03f6a1c14963eaf8f0b58843065ae625a870f162ccaf462590958318" score = 75 quality = 75 tags = "FILE" @@ -189256,13 +189256,13 @@ rule MALPEDIA_Win_Qtbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "02147cc9-5ccd-51b1-a9c3-378e62b53ef8" + id = "b6cd7830-06d4-528e-badc-1164fe765257" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.qtbot_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "v1_sha256_b0461cc5472670ef13bed91b802682965df84a278581734494bb0db4dd3456a2" + logic_hash = "b0461cc5472670ef13bed91b802682965df84a278581734494bb0db4dd3456a2" score = 60 quality = 25 tags = "FILE" 
@@ -189301,13 +189301,13 @@ rule MALPEDIA_Win_Redyms_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5295db8d-9e5e-5f51-8944-e999ed7fd57e" + id = "caf709b7-19ee-5a38-9403-a27d78973c28" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.redyms_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_b27b96ec2fba623283604654291a288582fbe387215c7c411815fe1fd821aa0e" + logic_hash = "b27b96ec2fba623283604654291a288582fbe387215c7c411815fe1fd821aa0e" score = 75 quality = 75 tags = "FILE" @@ -189340,13 +189340,13 @@ rule MALPEDIA_Win_Maui_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "52e99a9b-f6e5-5ff9-924a-b55e3c87df12" + id = "fae207f4-bee0-581e-92b7-618fcd87980f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.maui" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.maui_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_c832f22e1bbb1398fc1d6a8199e3732cb12b403d9a2eb2103c84e67dba24e6f9" + logic_hash = "c832f22e1bbb1398fc1d6a8199e3732cb12b403d9a2eb2103c84e67dba24e6f9" score = 75 quality = 75 tags = "FILE" 
@@ -189379,13 +189379,13 @@ rule MALPEDIA_Win_Kazuar_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a96dc519-b606-51c7-918b-20e218b6827c" + id = "e7b5f37c-6bd5-5a21-b802-031d3d305256" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kazuar_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_02ddda00d237d685622ba3fe593a517532f67079f8df3124667eb63da629b240" + logic_hash = "02ddda00d237d685622ba3fe593a517532f67079f8df3124667eb63da629b240" score = 75 quality = 75 tags = "FILE" @@ -189418,13 +189418,13 @@ rule MALPEDIA_Win_Shapeshift_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ed4e389b-5048-5150-8450-6059086895e5" + id = "cabcac9b-3338-5cbf-966e-320365499be9" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shapeshift_auto.yar#L1-L95" license_url = "N/A" - logic_hash = "v1_sha256_4f13648d24cba1b4262131ef571d4233f5b7db53468eba6e1303bec367f02718" + logic_hash = "4f13648d24cba1b4262131ef571d4233f5b7db53468eba6e1303bec367f02718" score = 75 quality = 75 tags = "FILE" 
@@ -189455,13 +189455,13 @@ rule MALPEDIA_Win_Unidentified_070_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d71c7670-2292-502f-b07e-d8316f411c9c" + id = "a2ac6d19-ae7e-5108-ae59-9789ab0e339d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_070_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_45a52b7bdbd7641f0d504c35a74291eb016539e938091cf460316e51b8b9d79b" + logic_hash = "45a52b7bdbd7641f0d504c35a74291eb016539e938091cf460316e51b8b9d79b" score = 75 quality = 75 tags = "FILE" @@ -189494,13 +189494,13 @@ rule MALPEDIA_Win_Sidewalk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad1e2558-1a30-5d44-b5d8-8e2d25995075" + id = "50903c03-c7b5-5314-a551-e4e23fcd9efd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sidewalk_auto.yar#L1-L164" license_url = "N/A" - logic_hash = "v1_sha256_e6737ed096fc4d4ecc8ea3c0d1ac3b4b3bce3ee6030ce0fc8630ca3477945c10" + logic_hash = "e6737ed096fc4d4ecc8ea3c0d1ac3b4b3bce3ee6030ce0fc8630ca3477945c10" score = 75 quality = 75 tags = "FILE" 
@@ -189539,13 +189539,13 @@ rule MALPEDIA_Win_Makloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7d19eefd-dcd8-5b76-9bf3-05633e7ca934" + id = "0f3149c9-1ed5-5172-a5f9-8fb09f83bab4" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.makloader_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_d48950dd774d94fc31c8ea99b96c15449f45f0477bbb34828e1e9167b3ed582c" + logic_hash = "d48950dd774d94fc31c8ea99b96c15449f45f0477bbb34828e1e9167b3ed582c" score = 75 quality = 75 tags = "FILE" @@ -189578,13 +189578,13 @@ rule MALPEDIA_Win_Badencript_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "78e3aa76-c9af-5720-8b52-5f9ca7a1af39" + id = "ddb7f1a7-8259-5ec8-9b35-e98fb67b2310" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.badencript_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_4aaa48768d97770f6e85ee594f356b88c6dabd160111a6a927596e69e9ca03f4" + logic_hash = "4aaa48768d97770f6e85ee594f356b88c6dabd160111a6a927596e69e9ca03f4" score = 75 quality = 75 tags = "FILE" 
@@ -189617,13 +189617,13 @@ rule MALPEDIA_Win_Sysjoker_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7ec8c491-5554-5e5e-a52c-12d412178be7" + id = "c6b88483-c0cd-564a-a7b0-6f38f31ef535" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sysjoker_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_d98bfbb9945f0ec0fc3cad0efe9bd86fca6a269db3916cb189ae165a81048301" + logic_hash = "d98bfbb9945f0ec0fc3cad0efe9bd86fca6a269db3916cb189ae165a81048301" score = 75 quality = 75 tags = "FILE" @@ -189656,13 +189656,13 @@ rule MALPEDIA_Win_Dnspionage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a41da805-eca8-5b56-9bbf-eb5c6f020721" + id = "c7c60f8b-ffeb-567c-be45-7a70df2627af" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dnspionage_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_9f5e6f058799877afad32a21b9b0391ec6d411b2fe63c92bd1ec8e1ea4cf6242" + logic_hash = "9f5e6f058799877afad32a21b9b0391ec6d411b2fe63c92bd1ec8e1ea4cf6242" score = 75 quality = 75 tags = "FILE" 
@@ -189695,13 +189695,13 @@ rule MALPEDIA_Win_Bravonc_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c64189c0-6773-5bd2-8ffe-9e4399cdc0b2" + id = "46ca6b44-3777-5a69-8397-e443ebcbbb5c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bravonc_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_c173b555e387356384c480cbe1258c67f0fa737efd2cf0efcccd2c272e1e677f" + logic_hash = "c173b555e387356384c480cbe1258c67f0fa737efd2cf0efcccd2c272e1e677f" score = 75 quality = 75 tags = "FILE" @@ -189734,13 +189734,13 @@ rule MALPEDIA_Win_Htbot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "66e75ada-6203-5681-92dc-5534cf9c7c0c" + id = "b8c0c702-9e98-5ca8-9fa2-097b95e54dc8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.htbot_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_39353b8760f6514deb000f072c90c3958c292efa21f940225f19c2a80bdd3000" + logic_hash = "39353b8760f6514deb000f072c90c3958c292efa21f940225f19c2a80bdd3000" score = 75 quality = 75 tags = "FILE" 
@@ -189773,13 +189773,13 @@ rule MALPEDIA_Win_Blacklotus_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "dfbff8f4-8af2-558c-8264-6a61f6d72c3d" + id = "84ef9a0b-6544-5450-8b66-292ec2ba5dbd" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blacklotus_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_94ccc2d7ff61cb6463b78893aadb2549c584433629bcbab33ca8298790f40cde" + logic_hash = "94ccc2d7ff61cb6463b78893aadb2549c584433629bcbab33ca8298790f40cde" score = 75 quality = 75 tags = "FILE" @@ -189812,13 +189812,13 @@ rule MALPEDIA_Win_Socks5_Systemz_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "95a0810a-1193-5443-82ec-e1b64e66b983" + id = "1b9e49c1-7943-57d2-ba80-481fd6bd4c4f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.socks5_systemz_auto.yar#L1-L110" license_url = "N/A" - logic_hash = "v1_sha256_9753a87ae203dc0ffbfcfb14c7d357f4f852fcb6d79c68c3fdb61fe8b2c4fc73" + logic_hash = "9753a87ae203dc0ffbfcfb14c7d357f4f852fcb6d79c68c3fdb61fe8b2c4fc73" score = 75 quality = 75 tags = "FILE" 
@@ -189849,13 +189849,13 @@ rule MALPEDIA_Win_Selfmake_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c163d87b-dddb-52c0-8b73-28fbb9c336e3" + id = "15836b07-3544-5bf9-b844-02538b3af65c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.selfmake" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.selfmake_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_93ed4fceea8c314a1c4a918011ab44630046aab19d1594880ab759bf63042ba9" + logic_hash = "93ed4fceea8c314a1c4a918011ab44630046aab19d1594880ab759bf63042ba9" score = 75 quality = 75 tags = "FILE" @@ -189888,13 +189888,13 @@ rule MALPEDIA_Win_Photofork_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9daea32b-1e77-5c00-82de-59d255e1f808" + id = "ceb1cb1f-8247-52bb-81a3-fc6627c948bc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.photofork" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.photofork_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_55c8708d569da20398deafe5dc1cb0108f4fd9e562f2f0448ff6d194ec946bbd" + logic_hash = "55c8708d569da20398deafe5dc1cb0108f4fd9e562f2f0448ff6d194ec946bbd" score = 75 quality = 75 tags = "FILE" 
@@ -189927,13 +189927,13 @@ rule MALPEDIA_Win_Rincux_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0c9336cd-522f-5761-947f-c6f9d584ab4f" + id = "8d755739-a59d-591b-8d5d-874be1eebc41" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rincux_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_7c862e7ddc61d94d5055385764a3b34165e25fd304c6c127ff548146450f782d" + logic_hash = "7c862e7ddc61d94d5055385764a3b34165e25fd304c6c127ff548146450f782d" score = 75 quality = 75 tags = "FILE" @@ -189966,13 +189966,13 @@ rule MALPEDIA_Win_Poison_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3a817401-92ef-5f11-82da-3c11a9fe9ec2" + id = "3901c97f-e38d-5819-991e-493be520fc51" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.poison_rat_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_b960cb72b2615d9b184a9e25264d3c87f1ec796c5d1b6fa8620d3a64be9786ae" + logic_hash = "b960cb72b2615d9b184a9e25264d3c87f1ec796c5d1b6fa8620d3a64be9786ae" score = 75 quality = 75 tags = "FILE" 
@@ -190005,13 +190005,13 @@ rule MALPEDIA_Win_Startpage_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9572203f-0493-54fe-9f69-12af3eebe49b" + id = "32039b80-5611-5dab-bcba-b3de61ca7c44" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.startpage_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_264fe8c064e54c165fc131dc307fd06ea57035a4276b77eac419d3cf78ed64b4" + logic_hash = "264fe8c064e54c165fc131dc307fd06ea57035a4276b77eac419d3cf78ed64b4" score = 75 quality = 75 tags = "FILE" @@ -190044,13 +190044,13 @@ rule MALPEDIA_Win_Fanny_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8c48aad5-1c69-54d1-9bde-4fd80660b0da" + id = "636b5d30-80f3-5732-bf96-9c4782cd973d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fanny_auto.yar#L1-L173" license_url = "N/A" - logic_hash = "v1_sha256_194cb9aecc835fe3bc3c50607cb7b5a60a928574c0136642094275d35cd55914" + logic_hash = "194cb9aecc835fe3bc3c50607cb7b5a60a928574c0136642094275d35cd55914" score = 75 quality = 75 tags = "FILE" 
@@ -190089,13 +190089,13 @@ rule MALPEDIA_Win_Heriplor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "336c4225-c921-51d1-9cf3-193fe4246b6f" + id = "d711b4d9-3914-58b9-9b88-9214444e3dee" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.heriplor_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_bf5971e2bb98e2180b60da71db38d7f4898a68723f2588a48c70334b337b7d93" + logic_hash = "bf5971e2bb98e2180b60da71db38d7f4898a68723f2588a48c70334b337b7d93" score = 75 quality = 75 tags = "FILE" @@ -190128,13 +190128,13 @@ rule MALPEDIA_Win_Vskimmer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "cdeb75e4-bab3-5c9c-a5fe-6049f9c65c8c" + id = "60bc81a1-a857-5ddb-833d-12c04ee64d84" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vskimmer_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_3a5deb80227e8fbb07640a24d78b7397cb1bc684cae3032e29532961361bc773" + logic_hash = "3a5deb80227e8fbb07640a24d78b7397cb1bc684cae3032e29532961361bc773" score = 75 quality = 75 tags = "FILE" 
@@ -190167,13 +190167,13 @@ rule MALPEDIA_Win_Babuk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "edbfcea2-b3f2-5951-9aa3-bc6a69ebef80" + id = "8c7b928c-487d-526b-ac59-7d8bfd4e45d6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.babuk_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "v1_sha256_354e556bcaba9e4e8ba4670f917c2bf0c9f534ada32a0a701e4d296506ec2560" + logic_hash = "354e556bcaba9e4e8ba4670f917c2bf0c9f534ada32a0a701e4d296506ec2560" score = 75 quality = 75 tags = "FILE" @@ -190212,13 +190212,13 @@ rule MALPEDIA_Win_Unidentified_091_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "39372311-1476-534d-a69c-b0e5ff24ec06" + id = "62d0217c-caa8-5a24-836c-be321aa72ae6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_091" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_091_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_5a53bb358b4bf07b18385bcb86f5c0c27f228bb0e297f7cd9c02060943441d31" + logic_hash = "5a53bb358b4bf07b18385bcb86f5c0c27f228bb0e297f7cd9c02060943441d31" score = 75 quality = 75 tags = "FILE" 
@@ -190251,13 +190251,13 @@ rule MALPEDIA_Win_Mrdec_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3600b943-5cd2-5b65-9cf0-236fbe839f52" + id = "9c58a6c5-fccf-57f8-a955-f9f71c01cd0e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mrdec_auto.yar#L1-L122" license_url = "N/A" - logic_hash = "v1_sha256_3ee02aa9dfb3f27619d5f97eac66eb46db9b305219d25b4c3e7969b99a315a5e" + logic_hash = "3ee02aa9dfb3f27619d5f97eac66eb46db9b305219d25b4c3e7969b99a315a5e" score = 75 quality = 75 tags = "FILE" @@ -190290,13 +190290,13 @@ rule MALPEDIA_Win_Tinyloader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "df5961cf-893f-55ab-a3c1-589ea8f49225" + id = "895ccf2b-2f25-5f72-b650-0acb543eef11" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tinyloader_auto.yar#L1-L218" license_url = "N/A" - logic_hash = "v1_sha256_b908cedbddd27a2a95532a03db9c626e01fc12979ac66acd61b30dfbfa8e2199" + logic_hash = "b908cedbddd27a2a95532a03db9c626e01fc12979ac66acd61b30dfbfa8e2199" score = 75 quality = 73 tags = "FILE" 
@@ -190341,13 +190341,13 @@ rule MALPEDIA_Win_Nightdoor_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8c734875-a36f-5a52-bb87-976820855059" + id = "d930ef7f-f999-550e-bc75-97e1e8c7627b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightdoor" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nightdoor_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_b8f0be07bb7b1289cbb83b32643a32575a68c3484dc281ff533188505409d208" + logic_hash = "b8f0be07bb7b1289cbb83b32643a32575a68c3484dc281ff533188505409d208" score = 75 quality = 75 tags = "FILE" @@ -190380,13 +190380,13 @@ rule MALPEDIA_Win_Jessiecontea_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de151b6f-81b3-53f0-bc0d-57e3b4dd3bb3" + id = "435a6af2-0956-5ced-bef4-bdde8bb54520" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jessiecontea_auto.yar#L1-L163" license_url = "N/A" - logic_hash = "v1_sha256_901d415627c4e09bca131d66822cb1b54da6638557cfa44cdd1fbdb71a4f0951" + logic_hash = "901d415627c4e09bca131d66822cb1b54da6638557cfa44cdd1fbdb71a4f0951" score = 75 quality = 75 tags = "FILE" 
@@ -190425,13 +190425,13 @@ rule MALPEDIA_Win_Killdisk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "4835c803-995a-5bdb-abb9-e77d8a0759ac" + id = "d7be3786-7785-5fb7-a02c-f300fdd3ab5d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.killdisk_auto.yar#L1-L165" license_url = "N/A" - logic_hash = "v1_sha256_86f639bc00ee029db28c18aca620f57e9d7c8d6a5978a5c4489b1ba8c9e4159d" + logic_hash = "86f639bc00ee029db28c18aca620f57e9d7c8d6a5978a5c4489b1ba8c9e4159d" score = 75 quality = 75 tags = "FILE" @@ -190470,13 +190470,13 @@ rule MALPEDIA_Win_Mmon_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3fbdbfd9-09a7-55c9-bc81-e8c3febe696f" + id = "b18c07bb-08ed-5694-944e-153520890ae8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mmon" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mmon_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_0a47221b764bce60b9ce9e11d4cf6ad81a3b7814241076d22b6772dafdc7fe22" + logic_hash = "0a47221b764bce60b9ce9e11d4cf6ad81a3b7814241076d22b6772dafdc7fe22" score = 75 quality = 75 tags = "FILE" 
@@ -190509,13 +190509,13 @@ rule MALPEDIA_Win_Phoreal_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3590b025-26bf-5c26-8a00-7c1cdc7c0f39" + id = "9354abd9-a851-5d8e-a424-1be008c5ab6c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.phoreal_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_904dd636d7db526ab8a0410c75a52ee0fac4292f0f4ce7ff0cd1d42961fa831e" + logic_hash = "904dd636d7db526ab8a0410c75a52ee0fac4292f0f4ce7ff0cd1d42961fa831e" score = 75 quality = 75 tags = "FILE" @@ -190548,13 +190548,13 @@ rule MALPEDIA_Win_Cuba_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0bdd1bbc-3857-518e-b93e-671e4f9f4e06" + id = "3602e8da-452a-5ed9-9344-c7f4379dda1d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cuba_auto.yar#L1-L160" license_url = "N/A" - logic_hash = "v1_sha256_7c1547f930142355cbe84e5424404f219fb1f83bf4df86f3c7d2bdf36e965b58" + logic_hash = "7c1547f930142355cbe84e5424404f219fb1f83bf4df86f3c7d2bdf36e965b58" score = 75 quality = 75 tags = "FILE" 
@@ -190593,13 +190593,13 @@ rule MALPEDIA_Win_Divergent_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "92da408d-d135-5f7d-8a84-c03c66f7364e" + id = "11ec65d7-b0ac-595b-ba44-5bae97099c0e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.divergent_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_ce2ba9c31c93d1d30382978d9975d2fc77a1697c44fa31feb01e0ffcff44bfb5" + logic_hash = "ce2ba9c31c93d1d30382978d9975d2fc77a1697c44fa31feb01e0ffcff44bfb5" score = 75 quality = 75 tags = "FILE" @@ -190632,13 +190632,13 @@ rule MALPEDIA_Win_Cryptomix_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "29bfa88d-309a-56ef-ad62-57c5fbecc250" + id = "ee7d4b5d-fd38-5125-ac96-e606d0aa2a74" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cryptomix_auto.yar#L1-L176" license_url = "N/A" - logic_hash = "v1_sha256_47824f768326cefd215579730913e815a8ef928dff6d4693ae0d6a1bbfe5f79b" + logic_hash = "47824f768326cefd215579730913e815a8ef928dff6d4693ae0d6a1bbfe5f79b" score = 75 quality = 75 tags = "FILE" 
@@ -190677,13 +190677,13 @@ rule MALPEDIA_Win_Mydoom_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "df03700d-ebf8-53f6-a06b-417fbc932ecf" + id = "68282348-e634-5e24-a89b-07582d0aeab6" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mydoom_auto.yar#L1-L120" license_url = "N/A" - logic_hash = "v1_sha256_26adeacf80adc41cd09ac09890246c8c37a7ca914ae80276202f0defea3500e4" + logic_hash = "26adeacf80adc41cd09ac09890246c8c37a7ca914ae80276202f0defea3500e4" score = 75 quality = 75 tags = "FILE" @@ -190716,13 +190716,13 @@ rule MALPEDIA_Win_Soundbite_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e413b4ae-6f14-5cb2-a85b-1ad850e72f4b" + id = "70cdb19a-d0a2-5f5f-a69b-31680210f3d2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.soundbite_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_d07ea48c839908887a0a5f9ab78be91fc08852ce51b809ff0c620d5b56719109" + logic_hash = "d07ea48c839908887a0a5f9ab78be91fc08852ce51b809ff0c620d5b56719109" score = 75 quality = 75 tags = "FILE" 
@@ -190755,13 +190755,13 @@ rule MALPEDIA_Win_R980_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7c55102b-2e5f-5aed-85c9-2644dee6f278" + id = "624a6ffd-b1f3-59a0-9a56-7f82cf4ce201" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.r980_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_ef4f026b46d8c7c29b2c5642311344a13e41f9d1ab13a98be1b516e844609533" + logic_hash = "ef4f026b46d8c7c29b2c5642311344a13e41f9d1ab13a98be1b516e844609533" score = 75 quality = 45 tags = "FILE" @@ -190794,13 +190794,13 @@ rule MALPEDIA_Win_Kivars_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "077f1a46-54d7-5496-a5c5-5b2fe43d66e4" + id = "d7f4c524-5721-516a-9cef-d2a6a4c9899f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kivars_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "v1_sha256_0b4c416b9816d7bbf517a345e2ad0668f53e6096c3605ae9037473d6b0f26452" + logic_hash = "0b4c416b9816d7bbf517a345e2ad0668f53e6096c3605ae9037473d6b0f26452" score = 75 quality = 75 tags = "FILE" 
@@ -190839,13 +190839,13 @@ rule MALPEDIA_Win_Kdcsponge_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "40c0a277-13fb-5568-adb9-63ef7afaf3e1" + id = "93fd80a3-a643-5f56-b47f-f9e7f12c352c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kdcsponge" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kdcsponge_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_4a397cc9ed7623d7a2a288b58acb6ea4c1ff2bde7c30c2fd6b35d7ed37df75f7" + logic_hash = "4a397cc9ed7623d7a2a288b58acb6ea4c1ff2bde7c30c2fd6b35d7ed37df75f7" score = 75 quality = 75 tags = "FILE" @@ -190878,13 +190878,13 @@ rule MALPEDIA_Win_Unidentified_102_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2fadd4ae-e0fa-5867-8950-5b86702ba582" + id = "68f5ede2-e772-5b9c-86c7-72da7d6ddaff" date = "2023-07-11" modified = "2023-07-15" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_102" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_102_auto.yar#L1-L130" license_url = "N/A" - logic_hash = "v1_sha256_7cf959abf8b06a75a101a66334f27ae5601df812c1ddb140fd9298ef735bb0dc" + logic_hash = "7cf959abf8b06a75a101a66334f27ae5601df812c1ddb140fd9298ef735bb0dc" score = 75 quality = 75 tags = "FILE" 
@@ -190917,13 +190917,13 @@ rule MALPEDIA_Win_Mirrorkey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d5254159-c9b7-5e53-873f-29de249aa2d3" + id = "63ba5dc8-af1b-5114-b682-e36b4410bbde" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorkey" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mirrorkey_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_45136c9373865a91139e9dff7c71e7f62a2de8b30b90c9e3be875470ec9069c0" + logic_hash = "45136c9373865a91139e9dff7c71e7f62a2de8b30b90c9e3be875470ec9069c0" score = 75 quality = 75 tags = "FILE" @@ -190956,13 +190956,13 @@ rule MALPEDIA_Win_Cheesetray_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "645cade1-33a2-5218-abae-0d005eb6f3f9" + id = "0e764866-65b7-5e4b-a972-c9b6a1308865" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cheesetray_auto.yar#L1-L129" license_url = "N/A" - logic_hash = "v1_sha256_c2cc89a9aac3f1f1be62615be1486f58a410f3fcbd107e350beb164393db52f7" + logic_hash = "c2cc89a9aac3f1f1be62615be1486f58a410f3fcbd107e350beb164393db52f7" score = 75 quality = 75 tags = "FILE" 
@@ -190995,13 +190995,13 @@ rule MALPEDIA_Win_Bouncer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6edb5a3d-ef88-5469-9deb-1ff32847038b" + id = "5fe05fe3-5ba6-5402-bae1-03809aced05d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.bouncer_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_ffbe1b49339388f6599ff4eb536b18862d27897734fc35260ae1ce6cc8930ed7" + logic_hash = "ffbe1b49339388f6599ff4eb536b18862d27897734fc35260ae1ce6cc8930ed7" score = 75 quality = 75 tags = "FILE" @@ -191034,13 +191034,13 @@ rule MALPEDIA_Win_Karagany_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "519e019e-d5d1-5c4b-a03d-b77db61a6b8e" + id = "98602626-f80c-53db-88a5-fef596efc6b3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.karagany_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_e11ee77bbad2aed0526f0917e5fec6612f23198efabc3eebf7b6abb2227dd310" + logic_hash = "e11ee77bbad2aed0526f0917e5fec6612f23198efabc3eebf7b6abb2227dd310" score = 75 quality = 75 tags = "FILE" 
@@ -191073,13 +191073,13 @@ rule MALPEDIA_Win_Fuxsocy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "224f6b78-5e53-53e1-890b-c5b455413603" + id = "9b163b74-81fa-5d1f-8fcc-0d3d39882b0f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fuxsocy_auto.yar#L1-L126" license_url = "N/A" - logic_hash = "v1_sha256_7f8e495acd118755a8b2612e1d92bc28ab4a40bb2e7047fd4133b89e103973ef" + logic_hash = "7f8e495acd118755a8b2612e1d92bc28ab4a40bb2e7047fd4133b89e103973ef" score = 75 quality = 75 tags = "FILE" @@ -191112,13 +191112,13 @@ rule MALPEDIA_Win_Kgh_Spy_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "30737985-1215-5fe6-a154-a6dd4e94ef19" + id = "2adff718-5ead-5f74-948f-adeec6ff4a99" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kgh_spy_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_16434283b98a9ec3028553199436a1655677ca0b41828e5ff9ba53861a24c40d" + logic_hash = "16434283b98a9ec3028553199436a1655677ca0b41828e5ff9ba53861a24c40d" score = 75 quality = 75 tags = "FILE" 
@@ -191151,13 +191151,13 @@ rule MALPEDIA_Win_Carrotball_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "37547477-8d9f-59a2-966b-3d7e70af1111" + id = "8d1dffb9-f801-5b51-998b-8e4431af5d29" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.carrotball_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_8cb2e3b01c31931d0c5f23b61551aa799de8dd787a3493373f0ac01ba6f109d9" + logic_hash = "8cb2e3b01c31931d0c5f23b61551aa799de8dd787a3493373f0ac01ba6f109d9" score = 75 quality = 75 tags = "FILE" @@ -191190,13 +191190,13 @@ rule MALPEDIA_Win_Dimnie_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "3e17e74c-694a-58d6-8678-8d7981764c94" + id = "a82e9816-e911-5906-b4fb-5ab4ee56af42" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dimnie_auto.yar#L1-L115" license_url = "N/A" - logic_hash = "v1_sha256_4f084852c71be42252e84f78f5c5fbeea9af651580f68857653ee5cb5f11e6f5" + logic_hash = "4f084852c71be42252e84f78f5c5fbeea9af651580f68857653ee5cb5f11e6f5" score = 75 quality = 75 tags = "FILE" 
@@ -191229,13 +191229,13 @@ rule MALPEDIA_Win_Lazarus_Killdisk_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "1d91085a-eb55-5670-b964-9a774d1d9ef1" + id = "0195fc4c-73fa-5c09-bf2a-89a4d303bb67" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus_killdisk" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lazarus_killdisk_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_b26134f5ee9a86ea9f8f0c2251fd193e47e701ab49921be548b684d8807f003c" + logic_hash = "b26134f5ee9a86ea9f8f0c2251fd193e47e701ab49921be548b684d8807f003c" score = 75 quality = 75 tags = "FILE" @@ -191268,13 +191268,13 @@ rule MALPEDIA_Win_Ramdo_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "350be0b1-7135-53d5-9161-94bd4868e3ff" + id = "08b789f2-d7a2-5fbb-860d-c8f55dcc2345" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ramdo_auto.yar#L1-L107" license_url = "N/A" - logic_hash = "v1_sha256_276f369c53a1fdcd50e18eb96f6dc8769ce2d1ebf68a37e2dea30ad2afbcd8fa" + logic_hash = "276f369c53a1fdcd50e18eb96f6dc8769ce2d1ebf68a37e2dea30ad2afbcd8fa" score = 75 quality = 75 tags = "FILE" 
@@ -191307,13 +191307,13 @@ rule MALPEDIA_Win_Cargobay_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "7050b450-c3b1-5bc2-b05a-b2a060e0fbe6" + id = "19cc2286-1645-5f7d-a2c4-3ef65d16d1bb" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cargobay_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_2ae360967276d2625b03685b127c94c75664c2e3f32ade543c32daba4148b1b4" + logic_hash = "2ae360967276d2625b03685b127c94c75664c2e3f32ade543c32daba4148b1b4" score = 75 quality = 75 tags = "FILE" @@ -191346,13 +191346,13 @@ rule MALPEDIA_Win_Multigrain_Pos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "833f7bb8-3aee-533d-9ef7-9fcfcfd23bfa" + id = "72a7f3f7-5585-5b52-9f6b-6aafeee8dfc7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.multigrain_pos_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_20f055bfbc8013c86389227ab88ba0d8272e12b77bffca2ef889258bc8b1eb3c" + logic_hash = "20f055bfbc8013c86389227ab88ba0d8272e12b77bffca2ef889258bc8b1eb3c" score = 75 quality = 75 tags = "FILE" 
@@ -191385,13 +191385,13 @@ rule MALPEDIA_Win_Holerun_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8a3b5f8e-ce58-51a8-a518-5a71f8e1a1ea" + id = "8b68b52e-fb5a-5ecc-88ef-a3ed80a6122b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.holerun" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.holerun_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_f543cc584969255e8ee0247544f45390194f0e1121bcb76269aa2fe3a672745b" + logic_hash = "f543cc584969255e8ee0247544f45390194f0e1121bcb76269aa2fe3a672745b" score = 75 quality = 75 tags = "FILE" @@ -191424,13 +191424,13 @@ rule MALPEDIA_Win_Spica_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9a2d03aa-18a8-5e10-9f9c-000d5edd49b8" + id = "b6a1a6a9-846d-5070-af66-e8c23c4a6b50" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spica" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spica_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_a88bf3ca9882c583346cf58a04e5a1e9985797df2dfd737cf0e029b406925de0" + logic_hash = "a88bf3ca9882c583346cf58a04e5a1e9985797df2dfd737cf0e029b406925de0" score = 75 quality = 75 tags = "FILE" 
@@ -191463,13 +191463,13 @@ rule MALPEDIA_Win_Graphsteel_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "60c19612-026c-5461-ab9a-7b2ebb6548ee"
+ id = "ee773efd-abc9-59ea-a8a9-5d1bcd00ab52"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.graphsteel_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_c16b3aee4470d6b80d6571382358ae60606e1bc85c16a98c39f469be44f26ba8"
+ logic_hash = "c16b3aee4470d6b80d6571382358ae60606e1bc85c16a98c39f469be44f26ba8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191502,13 +191502,13 @@ rule MALPEDIA_Win_Lowkey_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b299f53c-ce54-50f9-b5c9-316170407b6e"
+ id = "0a67007e-1a9c-5f31-b37c-8c32fdff3311"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lowkey_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_9d3c45875e4ddd32bb18b8cb6ded5fb4838ad62f27365a87e2390b683b239917"
+ logic_hash = "9d3c45875e4ddd32bb18b8cb6ded5fb4838ad62f27365a87e2390b683b239917"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191541,13 +191541,13 @@ rule MALPEDIA_Win_Sdbbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a84dfd1b-12bf-54c9-837e-8b1515aa9215"
+ id = "b16da93b-bcb6-5a59-8ee7-f2b1db92f76a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sdbbot_auto.yar#L1-L174"
 license_url = "N/A"
- logic_hash = "v1_sha256_869a5323254bb19be34889ba3dd9fff300dc452318f40f9c34e9c0c7014796e1"
+ logic_hash = "869a5323254bb19be34889ba3dd9fff300dc452318f40f9c34e9c0c7014796e1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191587,13 +191587,13 @@ rule MALPEDIA_Win_Dropshot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c619a101-106e-5ba8-adb3-434f45e1cfa9"
+ id = "8c0e25df-1d9c-5bb9-85ce-2d5bc4ccd180"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dropshot_auto.yar#L1-L100"
 license_url = "N/A"
- logic_hash = "v1_sha256_3f5f25fe800a01f710cc89be583f98653a26f14448d6ba599306a1d4d7c2a368"
+ logic_hash = "3f5f25fe800a01f710cc89be583f98653a26f14448d6ba599306a1d4d7c2a368"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191624,13 +191624,13 @@ rule MALPEDIA_Win_Nokoyawa_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0f5ed07e-5567-5e84-8e0a-cee92de10772"
+ id = "41b1b168-b0ea-5f04-84cd-fd90bfa48e03"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nokoyawa_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_a5e2c231f7d7eec8e19a418805bfeaea862c56b36ec030240db4e6a8dee84747"
+ logic_hash = "a5e2c231f7d7eec8e19a418805bfeaea862c56b36ec030240db4e6a8dee84747"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191663,13 +191663,13 @@ rule MALPEDIA_Win_Daxin_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "679eacb4-6ea6-5534-858f-917428dc8070"
+ id = "eb9db3c6-59a2-55fc-ab29-402a0b79069e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.daxin_auto.yar#L1-L145"
 license_url = "N/A"
- logic_hash = "v1_sha256_9f52c4014d6014a5dd41f71fe4bb65b03575c870c6d23007d187323e250b54a3"
+ logic_hash = "9f52c4014d6014a5dd41f71fe4bb65b03575c870c6d23007d187323e250b54a3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191707,13 +191707,13 @@ rule MALPEDIA_Win_Webmonitor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fb0fd59f-8092-5654-b6a2-5a92c90b25b3"
+ id = "a4fb11db-5000-556c-8a5e-92fa710a7bf2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webmonitor_auto.yar#L1-L159"
 license_url = "N/A"
- logic_hash = "v1_sha256_dae97ec3da1552d8829942df4314bf12da735041179d90d1884bc5549bf4d3f9"
+ logic_hash = "dae97ec3da1552d8829942df4314bf12da735041179d90d1884bc5549bf4d3f9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191752,13 +191752,13 @@ rule MALPEDIA_Win_Nestegg_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2532dd69-9d75-5e00-8baf-4b0303a1147e"
+ id = "315a7796-8683-5d7a-8cf2-784c6dd94f9d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nestegg_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_4273a1509259a06eece460649eb821123ed1b442866d55968fb9b1f2cfa0fb16"
+ logic_hash = "4273a1509259a06eece460649eb821123ed1b442866d55968fb9b1f2cfa0fb16"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191791,13 +191791,13 @@ rule MALPEDIA_Win_Avaddon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c32e0dc9-9987-5e9f-8857-b88ea72307f4"
+ id = "a92a672c-0df0-579b-b5cc-abf6eb5f22bf"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.avaddon_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_9da4ad197260f3ad47fcf04fe9c86aafe2cfaae8d70042fb37f0ac71730ef837"
+ logic_hash = "9da4ad197260f3ad47fcf04fe9c86aafe2cfaae8d70042fb37f0ac71730ef837"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191830,13 +191830,13 @@ rule MALPEDIA_Win_Dustpan_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "48cfb882-ca3a-5de9-910d-09200a86a5a4"
+ id = "c9c878b8-cad8-5a19-8f4e-78ad38029b7f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustpan"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dustpan_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_5224f428476ca9b9e044abefc44ce9a53e06974708bc3448eb44f67994867ab4"
+ logic_hash = "5224f428476ca9b9e044abefc44ce9a53e06974708bc3448eb44f67994867ab4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191869,13 +191869,13 @@ rule MALPEDIA_Win_Rgdoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d7f80515-2149-5bf9-bdd3-4eea3eab0abf"
+ id = "c131d66d-fa54-5330-a7a6-924c788ac07b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rgdoor_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_e436d1f0b319cc823655f3b279c99c1561f88f885f295d5e38aafb91490652b3"
+ logic_hash = "e436d1f0b319cc823655f3b279c99c1561f88f885f295d5e38aafb91490652b3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191908,13 +191908,13 @@ rule MALPEDIA_Win_Deadwood_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0622c606-e868-5f12-88fb-edde18a219fe"
+ id = "e299ec52-8e21-507f-ba5a-e3a893abbf1e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deadwood"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.deadwood_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_27f6d744e976a1cbd8fe2392486788cf865733377db2356449d61f5e2be3b703"
+ logic_hash = "27f6d744e976a1cbd8fe2392486788cf865733377db2356449d61f5e2be3b703"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191947,13 +191947,13 @@ rule MALPEDIA_Win_Unidentified_100_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f1b58dde-d3dd-5965-bab2-9a1c9f240633"
+ id = "e8675cb6-73bb-59b5-91a8-02c6f92da222"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_100"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_100_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_a4a5162870b4493fc5243e7bd2eeeb85f162da808d7efca293e2e60ad15e324b"
+ logic_hash = "a4a5162870b4493fc5243e7bd2eeeb85f162da808d7efca293e2e60ad15e324b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -191986,13 +191986,13 @@ rule MALPEDIA_Win_Rambo_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ba07a542-67a7-54de-97be-08b7bb19aaf4"
+ id = "9f18152a-df9c-5933-beb1-7d48427107b5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rambo_auto.yar#L1-L172"
 license_url = "N/A"
- logic_hash = "v1_sha256_43a3f5e58cc73b887b9d9425ae48fd61511eb3413bc03e0babb322fa4b593a9b"
+ logic_hash = "43a3f5e58cc73b887b9d9425ae48fd61511eb3413bc03e0babb322fa4b593a9b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192031,13 +192031,13 @@ rule MALPEDIA_Win_Aresloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b2c2bdc4-b8b1-55a5-abfb-db0cdbcbb9fd"
+ id = "72768534-8c41-5891-8d86-5b5baf0231f5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.aresloader_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_01346a5099a8423ed0407177afbd014d15a423ebfced07e8fa01ead0f1c12c68"
+ logic_hash = "01346a5099a8423ed0407177afbd014d15a423ebfced07e8fa01ead0f1c12c68"
 score = 60
 quality = 25
 tags = "FILE"
@@ -192070,13 +192070,13 @@ rule MALPEDIA_Win_Misha_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "64fc551e-db0c-5d76-962f-29c538e5d20e"
+ id = "ae44f4ed-6b62-5739-afcc-3910b944ad53"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.misha_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_6808e3992c1a57c6f785e40da9dc7940883a56816b3304928fa690c0fc154801"
+ logic_hash = "6808e3992c1a57c6f785e40da9dc7940883a56816b3304928fa690c0fc154801"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192109,13 +192109,13 @@ rule MALPEDIA_Win_Spyeye_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a70de952-df8d-567a-be57-97667c33dc33"
+ id = "d7c62579-def8-5f0a-826a-88762a729bf5"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.spyeye_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_f4149a2d0558cdca789e55a3da096c9eb02a06e0cbb6c5f6412ffac38db590ec"
+ logic_hash = "f4149a2d0558cdca789e55a3da096c9eb02a06e0cbb6c5f6412ffac38db590ec"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192148,13 +192148,13 @@ rule MALPEDIA_Win_Avrecon_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7ed48c56-9d0f-589d-9c98-4d7fe2970c7b"
+ id = "e9aaaaa7-af2e-5870-9eba-7f7fa77b0103"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.avrecon"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.avrecon_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_e59963ec079d8f4d8ec354feb72326171934afc46817d03eebe4cd3c6c4dfb16"
+ logic_hash = "e59963ec079d8f4d8ec354feb72326171934afc46817d03eebe4cd3c6c4dfb16"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192187,13 +192187,13 @@ rule MALPEDIA_Win_Cloud_Duke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f467934a-b671-5728-aa67-b6b5efabf525"
+ id = "faff812c-4777-587b-9604-c74c7f7c8370"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cloud_duke_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_c237687bdb3916be1afbb15c7aa4edc82ffc9e06f6334b5efe36ab376ab13130"
+ logic_hash = "c237687bdb3916be1afbb15c7aa4edc82ffc9e06f6334b5efe36ab376ab13130"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192226,13 +192226,13 @@ rule MALPEDIA_Win_Webc2_Head_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5ec9eeb9-be89-53e7-b6cd-22e4564e3395"
+ id = "b0489fed-bd6b-5cdc-bfab-bd5427505aa6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.webc2_head_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_0f0d261fc67cb4837b13f2fc98dacb6b1c0e0f0d77dda88fbe5b4ef793a0acb0"
+ logic_hash = "0f0d261fc67cb4837b13f2fc98dacb6b1c0e0f0d77dda88fbe5b4ef793a0acb0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192265,13 +192265,13 @@ rule MALPEDIA_Win_Nightclub_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "932bfac9-c563-5c53-b3e5-4e30b7421aa9"
+ id = "16a1e3cd-d9e1-5de2-a066-97eb2bedde4e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightclub"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nightclub_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_c6e72bd1072251138d02bae0378aff5596a4fe234144ae53f2fd722485213a6d"
+ logic_hash = "c6e72bd1072251138d02bae0378aff5596a4fe234144ae53f2fd722485213a6d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192304,13 +192304,13 @@ rule MALPEDIA_Win_Aurora_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "acb096ff-95a2-5a57-b090-bbad12577dfc"
+ id = "db71bfec-d16f-5b65-a2de-3646c8fc9579"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.aurora_auto.yar#L1-L122"
 license_url = "N/A"
- logic_hash = "v1_sha256_59e6b8275e1925f874147250deaf1189e73e34e27743f50bcfcc60f5d60b4760"
+ logic_hash = "59e6b8275e1925f874147250deaf1189e73e34e27743f50bcfcc60f5d60b4760"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192343,13 +192343,13 @@ rule MALPEDIA_Win_Ufrstealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "07346c4f-8b2f-5d63-8a1f-d4de982d8290"
+ id = "363b32bd-9a61-5367-b5d5-54daf961a4ad"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ufrstealer_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_df31fc542afebf5a6b78b056f78a762c74ccc9e30af24ef9561e9985cdd6d298"
+ logic_hash = "df31fc542afebf5a6b78b056f78a762c74ccc9e30af24ef9561e9985cdd6d298"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192382,13 +192382,13 @@ rule MALPEDIA_Win_Trochilus_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0074a25c-93a1-51b3-bacb-85136e093a81"
+ id = "ff7e3b17-5233-56c0-8cf9-b500183b9183"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.trochilus_rat_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_28ef93658f73bc964eedcf05592130cfb5b477accac6e59366138836c637cdc2"
+ logic_hash = "28ef93658f73bc964eedcf05592130cfb5b477accac6e59366138836c637cdc2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192421,13 +192421,13 @@ rule MALPEDIA_Win_Marap_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "7a9b6dcb-632a-52f9-972a-641b2eb89319"
+ id = "2cc3d8fa-aa39-5bef-af3b-a091606785c2"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.marap_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_981ff96ccf9321bc9cf0b93466d635ede7fbc6c0341e04e670ea58028783ac37"
+ logic_hash = "981ff96ccf9321bc9cf0b93466d635ede7fbc6c0341e04e670ea58028783ac37"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192460,13 +192460,13 @@ rule MALPEDIA_Win_Pykspa_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "4b5c6105-1ff1-559d-b2c7-e67fe14fe881"
+ id = "f69b7ae8-9844-5edd-af39-3a24a60736b3"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pykspa_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_debf44a0a6bbb12f51a3423f6d02332e02447168503a68de6d1e19702f8f8b56"
+ logic_hash = "debf44a0a6bbb12f51a3423f6d02332e02447168503a68de6d1e19702f8f8b56"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192499,13 +192499,13 @@ rule MALPEDIA_Win_Miniasp_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "84e742d7-c2f5-5f76-af4f-8224d9b80f18"
+ id = "f347c9b8-8bc2-5051-8759-9c4a71c6ee76"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.miniasp_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_dc054826603e4c65732efe9c4e870d0e5d57b1e034ff76fb6ca9b268c587f33f"
+ logic_hash = "dc054826603e4c65732efe9c4e870d0e5d57b1e034ff76fb6ca9b268c587f33f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192538,13 +192538,13 @@ rule MALPEDIA_Win_Knot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ddbed42c-26c0-5d13-9821-5f16a52c2451"
+ id = "ea865775-0235-55b7-9748-11331945e645"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.knot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.knot_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_735c3c37008eab248d62841c5d72cf7bb3dbc84598bc674db47efd96b8fa6a3a"
+ logic_hash = "735c3c37008eab248d62841c5d72cf7bb3dbc84598bc674db47efd96b8fa6a3a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192577,13 +192577,13 @@ rule MALPEDIA_Win_Smac_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "6d2b8262-c75b-5abe-aa11-997765830c6d"
+ id = "6cf7aa8f-47b5-541a-9ef7-59898eb272ee"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.smac_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_2551ca62dde47575d33bf5dda5cc9135e813c4132339b49d1f3c1a2ad36da540"
+ logic_hash = "2551ca62dde47575d33bf5dda5cc9135e813c4132339b49d1f3c1a2ad36da540"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192616,13 +192616,13 @@ rule MALPEDIA_Win_Kleptoparasite_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a6abe095-c859-5f67-b070-2805c09a7dcf"
+ id = "2de3c422-45bc-58ea-9b58-c5be8e18f59a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kleptoparasite_stealer_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_7be717d94b9f90fe9083718b4b3c9a144ee692fe8b9cfc6de9546fc76b8ff287"
+ logic_hash = "7be717d94b9f90fe9083718b4b3c9a144ee692fe8b9cfc6de9546fc76b8ff287"
 score = 60
 quality = 35
 tags = "FILE"
@@ -192655,13 +192655,13 @@ rule MALPEDIA_Win_Breach_Rat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bdd0d8f1-5066-5f4f-9875-ee1aa82c8d72"
+ id = "a5b42a75-e77a-5ca6-b3c1-cb4ca403dd4b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.breach_rat_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_6d11bf02b16d797b6e97c762d9594bbc3acc80831e5eb5fa56307a891b9803ec"
+ logic_hash = "6d11bf02b16d797b6e97c762d9594bbc3acc80831e5eb5fa56307a891b9803ec"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192694,13 +192694,13 @@ rule MALPEDIA_Win_Tiop_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "49f3cfc8-5cc4-53b6-ac79-e6c1fc207c2a"
+ id = "6a354c9f-7033-5930-8cdf-ccc9b036cb6a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tiop_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_8dde382911bda80f4443cb56d55614794d75f26151cbf4838080e27ec3645e3d"
+ logic_hash = "8dde382911bda80f4443cb56d55614794d75f26151cbf4838080e27ec3645e3d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192733,13 +192733,13 @@ rule MALPEDIA_Win_Keymarble_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "74935cb3-9c50-5522-a924-d24caea6a970"
+ id = "d1987e31-8cfb-500b-b69a-7c2a019e7ea8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.keymarble_auto.yar#L1-L114"
 license_url = "N/A"
- logic_hash = "v1_sha256_04e65eb3ae3b01821122573e8815ad5d48f3cdd5d412f7107b80ce95c7695b7b"
+ logic_hash = "04e65eb3ae3b01821122573e8815ad5d48f3cdd5d412f7107b80ce95c7695b7b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192772,13 +192772,13 @@ rule MALPEDIA_Win_Campoloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "766921c9-1a8f-5f51-a371-3713a1d58bf4"
+ id = "00b62c88-0d38-56b9-90a5-7c85290ffbe9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.campoloader_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_dae472a7090c99e8a9ce136356f9bc867c42c508ecb59c9f6aa0187832a15e3c"
+ logic_hash = "dae472a7090c99e8a9ce136356f9bc867c42c508ecb59c9f6aa0187832a15e3c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192811,13 +192811,13 @@ rule MALPEDIA_Win_Privateloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "970e34e9-6dad-550f-8cf9-d47fe313a7f3"
+ id = "d996c731-cbb3-50a4-93a5-b71789f95831"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.privateloader_auto.yar#L1-L184"
 license_url = "N/A"
- logic_hash = "v1_sha256_b3bd260ff9676412911b82f7ca10842c721430b21d232272a50e615d0d279a78"
+ logic_hash = "b3bd260ff9676412911b82f7ca10842c721430b21d232272a50e615d0d279a78"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192859,13 +192859,13 @@ rule MALPEDIA_Win_Matanbuchus_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "90d62426-5cef-5bbd-bc1a-d6a2d3e94cc7"
+ id = "a3fb7262-831d-5cfb-8abc-cea45bc828f6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.matanbuchus_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_4f8fe54f712fa0006512f2c2876f2933c4c245339d29133362ca02de9b0dcb22"
+ logic_hash = "4f8fe54f712fa0006512f2c2876f2933c4c245339d29133362ca02de9b0dcb22"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192898,13 +192898,13 @@ rule MALPEDIA_Win_Sathurbot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "088fac37-512c-5069-909b-079d79386f7a"
+ id = "55b56bcd-97b3-557a-80fc-a30a2a5d5f93"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sathurbot_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_516fbdaf796971a35966077b409dae2049cf7a15611af7b3fda85f6cf94f88db"
+ logic_hash = "516fbdaf796971a35966077b409dae2049cf7a15611af7b3fda85f6cf94f88db"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192937,13 +192937,13 @@ rule MALPEDIA_Win_Sasfis_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "838b26ab-e9de-51a4-a8a0-1bf2baf7e7cf"
+ id = "c173d20c-b6af-5642-9dac-436a162fb4a4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sasfis_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_7c5f9810c1f84570570dc00d72da471119d3938e3544c5969df4af5e973862b8"
+ logic_hash = "7c5f9810c1f84570570dc00d72da471119d3938e3544c5969df4af5e973862b8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -192976,13 +192976,13 @@ rule MALPEDIA_Win_Mulcom_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bbda05bb-b2ed-563a-9c4c-9a592fbd20d1"
+ id = "4a9d49d8-b0ca-5241-8b60-6dc35ab732b6"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mulcom"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mulcom_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_372ee2b3e45726bdecfcc73339ca35421a12f3ab3e84538dcc5c7a553f146e2b"
+ logic_hash = "372ee2b3e45726bdecfcc73339ca35421a12f3ab3e84538dcc5c7a553f146e2b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -193015,13 +193015,13 @@ rule MALPEDIA_Win_Unidentified_080_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0bcb1aa4-d619-5d60-86bf-fcc823647d95"
+ id = "2fada674-370f-5bc5-84a9-2e5ff9925df1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_080_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_f4698b30ea4cfaea5b3dd4c3d2fb3772007307dc7944cfe2e7ccc981a278d898"
+ logic_hash = "f4698b30ea4cfaea5b3dd4c3d2fb3772007307dc7944cfe2e7ccc981a278d898"
 score = 75
 quality = 75
 tags = "FILE"
@@ -193054,13 +193054,13 @@ rule MALPEDIA_Win_Targetcompany_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f900c3aa-f605-5fb3-886e-92af379541d9"
+ id = "f1b7a89e-2688-52a1-8c7d-13cb0d455b2e"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.targetcompany_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_7d65ff06dda40a31d2e8e57267ae5018fe6d616cb14d7c02506f36589aa887d7"
+ logic_hash = "7d65ff06dda40a31d2e8e57267ae5018fe6d616cb14d7c02506f36589aa887d7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -193093,13 +193093,13 @@ rule MALPEDIA_Win_Wannahusky_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "487ddf94-8c40-56a6-9ec8-4ae95eaa2662"
+ id = "b2ad3b67-4e34-5409-83f1-3168450902fa"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannahusky"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wannahusky_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_77e82dda4e107ad0b0d473cd2e43d110eacdad7445bdb06e12858f482aa9bc9d"
+ logic_hash = "77e82dda4e107ad0b0d473cd2e43d110eacdad7445bdb06e12858f482aa9bc9d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -193132,13 +193132,13 @@ rule MALPEDIA_Win_Ransomhub_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "936aa0e9-350a-51b8-9878-c75bbca523a6" + id = "16824eb2-4ba0-577a-a551-4908aad55778" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomhub" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ransomhub_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_f4a09a2e3b131a855ce4ab14c5a239317d5e0fe3c9ee416c213d5fc3f65e7c00" + logic_hash = "f4a09a2e3b131a855ce4ab14c5a239317d5e0fe3c9ee416c213d5fc3f65e7c00" score = 75 quality = 75 tags = "FILE" @@ -193171,13 +193171,13 @@ rule MALPEDIA_Win_Mechanical_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "56c24964-a77a-5e47-923f-b908ca4f1644" + id = "f58702e9-e83b-59f3-ba4d-4c871c835d79" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mechanical_auto.yar#L1-L154" license_url = "N/A" - logic_hash = "v1_sha256_94b14ca845d1ee4d0c436cd1fe538aa0afa038eac7ee0713fa70a64141fc5c86" + logic_hash = "94b14ca845d1ee4d0c436cd1fe538aa0afa038eac7ee0713fa70a64141fc5c86" score = 75 quality = 75 tags = "FILE" 
@@ -193216,13 +193216,13 @@ rule MALPEDIA_Win_Monero_Miner_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0bdb3097-4cdf-5b78-9732-0f0157320b0e" + id = "9a367978-bd77-51cd-8e56-86e861b9daa1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.monero_miner_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_4ac9d0cde3be6117a7ffb436bafb97493b6772afb7402a8076aa8c3226e1ef83" + logic_hash = "4ac9d0cde3be6117a7ffb436bafb97493b6772afb7402a8076aa8c3226e1ef83" score = 75 quality = 75 tags = "FILE" @@ -193255,13 +193255,13 @@ rule MALPEDIA_Win_Olympic_Destroyer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "da3dbe83-c0e4-5243-8f77-fe29700c53fa" + id = "b177466d-4016-5e9b-b3ba-a9107347cf6f" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.olympic_destroyer_auto.yar#L1-L234" license_url = "N/A" - logic_hash = "v1_sha256_fa50bc2589388652e3cccf0c3f51fa7fe6dd4219d5101d2a0cb0322727b90903" + logic_hash = "fa50bc2589388652e3cccf0c3f51fa7fe6dd4219d5101d2a0cb0322727b90903" score = 75 quality = 73 tags = "FILE" 
@@ -193307,13 +193307,13 @@ rule MALPEDIA_Win_Troll_Stealer_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "028addb0-ebf7-503b-bf81-b674eeef1f8c" + id = "b3bc43a0-20cb-5f37-a32c-9a34ea4e289e" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.troll_stealer" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.troll_stealer_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_1fcbf79446deea8c1ec8b5953d0db65f84994139955c1cee9bca8fc3f0d1ce3f" + logic_hash = "1fcbf79446deea8c1ec8b5953d0db65f84994139955c1cee9bca8fc3f0d1ce3f" score = 75 quality = 75 tags = "FILE" @@ -193346,13 +193346,13 @@ rule MALPEDIA_Win_Tinyturla_Ng_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2522f5f8-20db-52fc-8efc-f43fa3577f07" + id = "0e7d5cbc-4d8e-5d08-97c6-9c50d3154da3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyturla_ng" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tinyturla_ng_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_c4bc20a25d7b1bca8938e309f5cad122284666710845f9d27ecb23d7dbbc9d43" + logic_hash = "c4bc20a25d7b1bca8938e309f5cad122284666710845f9d27ecb23d7dbbc9d43" score = 75 quality = 75 tags = "FILE" 
@@ -193385,13 +193385,13 @@ rule MALPEDIA_Win_Disttrack_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "de52ac14-abfd-57b1-8b03-a0b79eff25dc" + id = "e31a7534-93aa-5c3a-8d1c-4db6a4e10208" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.disttrack_auto.yar#L1-L275" license_url = "N/A" - logic_hash = "v1_sha256_f3a6eab6984225695ff1eabbd0fc23dd3ab520ffce08e75f88d4a97c81e66461" + logic_hash = "f3a6eab6984225695ff1eabbd0fc23dd3ab520ffce08e75f88d4a97c81e66461" score = 75 quality = 73 tags = "FILE" @@ -193441,13 +193441,13 @@ rule MALPEDIA_Win_Action_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b22152e1-4866-5e90-8366-82b6eb9d3cfb" + id = "7c57309a-67d2-511f-b446-07a8dac55b8c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.action_rat_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_804b12281cf1f625ad4f62982be2e6f06ae13a4b27a9fb038471c045c4dd26b6" + logic_hash = "804b12281cf1f625ad4f62982be2e6f06ae13a4b27a9fb038471c045c4dd26b6" score = 75 quality = 75 tags = "FILE" 
@@ -193480,13 +193480,13 @@ rule MALPEDIA_Win_Ondritols_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b0709936-ec92-5aab-8a96-54ef22012f8a" + id = "4bdd5e11-901a-5fdb-be76-3d7bad7b15da" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ondritols" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ondritols_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_31bdba3ae2c3b90f1c45acd89ae6f07099ae537657a6493ddb8dcbc12190c75b" + logic_hash = "31bdba3ae2c3b90f1c45acd89ae6f07099ae537657a6493ddb8dcbc12190c75b" score = 75 quality = 75 tags = "FILE" @@ -193519,13 +193519,13 @@ rule MALPEDIA_Win_Fakerean_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a1c3a962-255d-560a-85fc-62a376b991e0" + id = "34f4a458-02de-570d-b3a3-0e20f22e1220" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fakerean_auto.yar#L1-L127" license_url = "N/A" - logic_hash = "v1_sha256_ff26cea37ee30849e01ae5f84110a8c6d04e7d37a0c5e0d9f3ae27ca67cdd4d9" + logic_hash = "ff26cea37ee30849e01ae5f84110a8c6d04e7d37a0c5e0d9f3ae27ca67cdd4d9" score = 75 quality = 75 tags = "FILE" 
@@ -193558,13 +193558,13 @@ rule MALPEDIA_Win_Alma_Communicator_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "9b9c2682-3dce-523a-b302-a717dcac7f8d" + id = "d8b295a7-7b28-5e6b-b5af-98c76d267598" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.alma_communicator_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_904bfc03a43918532b57223d9b7b36661a7e5069ea789e70ed097e9455614910" + logic_hash = "904bfc03a43918532b57223d9b7b36661a7e5069ea789e70ed097e9455614910" score = 75 quality = 75 tags = "FILE" @@ -193597,13 +193597,13 @@ rule MALPEDIA_Win_Rikamanu_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "013f139a-257f-5c4c-8509-7bedc9e8eade" + id = "308aa7df-176c-53f5-8487-211055f7d5b3" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rikamanu_auto.yar#L1-L282" license_url = "N/A" - logic_hash = "v1_sha256_d4697a7a9a9db5141a7716ea23027d53a2dc30b33c7526980666f737aa001510" + logic_hash = "d4697a7a9a9db5141a7716ea23027d53a2dc30b33c7526980666f737aa001510" score = 75 quality = 73 tags = "FILE" 
@@ -193656,13 +193656,13 @@ rule MALPEDIA_Win_Mebromi_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a87268f7-353c-5b95-a0e1-c1d1681cd5ad" + id = "3d64e85a-906f-5ddb-9f75-04eb426f7ebc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mebromi_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_051f5b8119e90ef14be758def00ef62b697ce727969ed9523ac57414d0773faf" + logic_hash = "051f5b8119e90ef14be758def00ef62b697ce727969ed9523ac57414d0773faf" score = 75 quality = 75 tags = "FILE" @@ -193695,13 +193695,13 @@ rule MALPEDIA_Win_Treasurehunter_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b9baa99c-c2d5-555b-be24-6acd0a84945b" + id = "742c7bf5-d2b7-520e-a089-1fe564ad2be1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.treasurehunter_auto.yar#L1-L104" license_url = "N/A" - logic_hash = "v1_sha256_9cfdb80d896aafedd2a1ceb8f4988ae951779a5109bafb233ecba9d043eab6e8" + logic_hash = "9cfdb80d896aafedd2a1ceb8f4988ae951779a5109bafb233ecba9d043eab6e8" score = 75 quality = 75 tags = "FILE" 
@@ -193732,13 +193732,13 @@ rule MALPEDIA_Win_Moonbounce_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f0c6fbd1-78af-51f4-815a-ad77869507e8" + id = "2da98614-65a4-5227-bf42-e140c3206599" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.moonbounce_auto.yar#L1-L113" license_url = "N/A" - logic_hash = "v1_sha256_c88f40d1d857bf1c76177c0c7eb43f16650b71d1b80bdf0f0745bd71c4b7c892" + logic_hash = "c88f40d1d857bf1c76177c0c7eb43f16650b71d1b80bdf0f0745bd71c4b7c892" score = 75 quality = 75 tags = "FILE" @@ -193771,13 +193771,13 @@ rule MALPEDIA_Win_Citadel_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "c00de5c8-708b-5aa3-a1a9-16bc9a6c9049" + id = "b395dca4-452f-5377-80bb-408553de53db" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.citadel_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "v1_sha256_19150147fccb12d09c7c4bd60b0305f74a8937d98e638616a5c6d14e1a34b56b" + logic_hash = "19150147fccb12d09c7c4bd60b0305f74a8937d98e638616a5c6d14e1a34b56b" score = 75 quality = 75 tags = "FILE" 
@@ -193816,13 +193816,13 @@ rule MALPEDIA_Win_Sagerunex_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "d1d14dc3-195e-5b23-840f-85dbd19bc87c" + id = "a425b22d-b4f2-5d55-8ad8-71f79a62d46d" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sagerunex" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sagerunex_auto.yar#L1-L131" license_url = "N/A" - logic_hash = "v1_sha256_dff18f54b10b1df23611f9090ec75c66093dde952c82cc96492b8dbdbdc0e627" + logic_hash = "dff18f54b10b1df23611f9090ec75c66093dde952c82cc96492b8dbdbdc0e627" score = 75 quality = 75 tags = "FILE" @@ -193855,13 +193855,13 @@ rule MALPEDIA_Win_Crypmic_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6ee41d1d-d2b2-5b07-b7eb-5f6f5a1dad81" + id = "a619fa41-ae29-5844-bc2f-097bc7d852ef" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.crypmic_auto.yar#L1-L116" license_url = "N/A" - logic_hash = "v1_sha256_bac6071bafa0b8d2c9908dd1914b7cdff1ecb7962c586174feb22c09b0eeeac5" + logic_hash = "bac6071bafa0b8d2c9908dd1914b7cdff1ecb7962c586174feb22c09b0eeeac5" score = 75 quality = 75 tags = "FILE" 
@@ -193894,13 +193894,13 @@ rule MALPEDIA_Win_Zedhou_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "864fb8a1-41b9-5bc3-b1ce-acc004e9155e" + id = "b7edbb31-b801-517b-bc19-dc86b8702084" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.zedhou_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_6241dd23f931d49343383f9ed85b9fc9d0b5c6b6eca9f5ed0e96f38f7152c02e" + logic_hash = "6241dd23f931d49343383f9ed85b9fc9d0b5c6b6eca9f5ed0e96f38f7152c02e" score = 75 quality = 75 tags = "FILE" @@ -193933,13 +193933,13 @@ rule MALPEDIA_Win_Helminth_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25df8796-52a3-5254-8dd4-fb55cddeb23c" + id = "379c192f-5a15-5f3b-ad5b-fc2b330bc750" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.helminth_auto.yar#L1-L161" license_url = "N/A" - logic_hash = "v1_sha256_274e3eea90d2e30111a5a8cd56771457195fff91f933a3b2952878df64a83186" + logic_hash = "274e3eea90d2e30111a5a8cd56771457195fff91f933a3b2952878df64a83186" score = 75 quality = 75 tags = "FILE" 
@@ -193977,13 +193977,13 @@ rule MALPEDIA_Win_Rawpos_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e80c11a9-9af9-5065-945e-6d1e580a6d7e" + id = "f6a04448-ba2c-50f7-b9f8-5b14dc2eb099" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.rawpos_auto.yar#L1-L128" license_url = "N/A" - logic_hash = "v1_sha256_56a2b8fbb4e25a898a4bc87c65b7d85dae5bb8a6be93f75773ea8a26525a9a96" + logic_hash = "56a2b8fbb4e25a898a4bc87c65b7d85dae5bb8a6be93f75773ea8a26525a9a96" score = 75 quality = 75 tags = "FILE" @@ -194016,13 +194016,13 @@ rule MALPEDIA_Win_Ramnit_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "25f3bc76-e594-5cc7-bd9e-254deb6130ce" + id = "2d07274e-4e7e-51f1-9043-6e669a2900ab" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ramnit_auto.yar#L1-L119" license_url = "N/A" - logic_hash = "v1_sha256_ac5af9c4c79d490a7e08824dfdc4e94d8423d8a8e8b47eb3783c3aa2be0c55ae" + logic_hash = "ac5af9c4c79d490a7e08824dfdc4e94d8423d8a8e8b47eb3783c3aa2be0c55ae" score = 75 quality = 73 tags = "FILE" 
@@ -194055,13 +194055,13 @@ rule MALPEDIA_Win_Sidetwist_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "8a3c93db-52b7-5a9e-a7d4-e3013f607657" + id = "234f5e67-21ea-563f-a765-16d670746925" date = "2023-12-06" modified = "2023-12-08" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidetwist" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sidetwist_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_5b593ac062a3ee588643c8e2045ef28da674c3f54189c5d0eebe42dcfcc6f71f" + logic_hash = "5b593ac062a3ee588643c8e2045ef28da674c3f54189c5d0eebe42dcfcc6f71f" score = 75 quality = 75 tags = "FILE" @@ -194094,13 +194094,13 @@ rule MALPEDIA_Win_Wpbrutebot_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "e1a6ace5-98ab-56a3-a793-290da199be91" + id = "898c87b0-2add-591b-b052-5ab6d1f02713" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.wpbrutebot_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_4440d9063c782ae6ab73b1ab2283579374719f22f3d62d05493ede3029f224d5" + logic_hash = "4440d9063c782ae6ab73b1ab2283579374719f22f3d62d05493ede3029f224d5" score = 75 quality = 75 tags = "FILE" 
@@ -194133,13 +194133,13 @@ rule MALPEDIA_Win_Killav_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "71a9f13f-be37-5849-bb16-ed39f0c68000" + id = "6ea8eddf-089b-50a4-8f27-4f9ec3d8cbec" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.killav" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.killav_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_ff0be756557cba2c394e4d12fd6850def3f48f4054b3fe5a54c94ab0f930267a" + logic_hash = "ff0be756557cba2c394e4d12fd6850def3f48f4054b3fe5a54c94ab0f930267a" score = 75 quality = 75 tags = "FILE" @@ -194172,13 +194172,13 @@ rule MALPEDIA_Win_Nimgrabber_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a99f8ddf-50c7-581a-992e-06cebbf725e6" + id = "3417f107-706b-5ec9-a82e-ecd192636787" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimgrabber" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nimgrabber_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_d297cfdaadbf9a62a41740c1e9e183f352f7bffa358a9fd4217b0060da18e6ef" + logic_hash = "d297cfdaadbf9a62a41740c1e9e183f352f7bffa358a9fd4217b0060da18e6ef" score = 75 quality = 75 tags = "FILE" 
@@ -194211,13 +194211,13 @@ rule MALPEDIA_Win_Oldbait_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6b915c49-6c5a-5439-aa02-f751e4f8b68f" + id = "de1960aa-dffc-50a3-b5af-d60e93de2ed5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.oldbait_auto.yar#L1-L227" license_url = "N/A" - logic_hash = "v1_sha256_56d5ee4ed7de5e4bf6d19f067af8af7a888733392a830afd56b63d7b093ebe45" + logic_hash = "56d5ee4ed7de5e4bf6d19f067af8af7a888733392a830afd56b63d7b093ebe45" score = 75 quality = 73 tags = "FILE" @@ -194264,13 +194264,13 @@ rule MALPEDIA_Win_Scout_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "0901175a-35b9-5a11-b91d-473dbba30381" + id = "badacd81-959a-5316-bd3b-4267a7a059cc" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.scout" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.scout_auto.yar#L1-L123" license_url = "N/A" - logic_hash = "v1_sha256_45093eb9e440370fa3e5ca64b63b1022aa2768448d9bb6e9d805f1e4a716e0bc" + logic_hash = "45093eb9e440370fa3e5ca64b63b1022aa2768448d9bb6e9d805f1e4a716e0bc" score = 75 quality = 75 tags = "FILE" 
@@ -194303,13 +194303,13 @@ rule MALPEDIA_Win_Blindingcan_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "bed6e51e-1a44-5066-8d81-f78cca63a359" + id = "465029b5-763a-56ed-b1de-dd91c2f1a7ca" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.blindingcan_auto.yar#L1-L176" license_url = "N/A" - logic_hash = "v1_sha256_74166ac02345e359092c0de07b6503277e6c28815f8b4319943798385b40290d" + logic_hash = "74166ac02345e359092c0de07b6503277e6c28815f8b4319943798385b40290d" score = 75 quality = 75 tags = "FILE" @@ -194348,13 +194348,13 @@ rule MALPEDIA_Win_Enigma_Loader_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ef08e442-d6aa-52c6-b4e3-4215541299d8" + id = "3133a569-e0c5-5978-8ff0-ff719a8c5fe7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.enigma_loader" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.enigma_loader_auto.yar#L1-L132" license_url = "N/A" - logic_hash = "v1_sha256_a5243000c2e0d210886f2730559565c47c46e77ae7333cb6bce278e91fb001ee" + logic_hash = "a5243000c2e0d210886f2730559565c47c46e77ae7333cb6bce278e91fb001ee" score = 75 quality = 75 tags = "FILE" 
@@ -194387,13 +194387,13 @@ rule MALPEDIA_Win_Yorekey_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "b214c5de-b6f9-51ec-aaba-1c3cbedd291b" + id = "eff8b001-6508-5d1e-8689-b1f2eb9999f7" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.yorekey" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.yorekey_auto.yar#L1-L169" license_url = "N/A" - logic_hash = "v1_sha256_abba0a97f92aee372a13d852ed7f2662d19cb8080c2f20b48056340c1204a7ba" + logic_hash = "abba0a97f92aee372a13d852ed7f2662d19cb8080c2f20b48056340c1204a7ba" score = 75 quality = 75 tags = "FILE" @@ -194431,13 +194431,13 @@ rule MALPEDIA_Win_Void_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "5a2f89ff-ec50-5ada-aa62-d8bbfa2a039c" + id = "89398dc6-137f-5ec6-8d95-3834bc4f980c" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.void" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.void_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "v1_sha256_9f2df3bf5647831ce19a5214f5a12a4e7816575938889bc15e27938cfd4b8dad" + logic_hash = "9f2df3bf5647831ce19a5214f5a12a4e7816575938889bc15e27938cfd4b8dad" score = 75 quality = 75 tags = "FILE" 
@@ -194468,13 +194468,13 @@ rule MALPEDIA_Win_Hyperssl_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "f0ef4b18-5000-502f-9529-13db194f572d" + id = "278628e2-0cb8-5fcf-b0b4-758a4cb29c23" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.hyperssl_auto.yar#L1-L205" license_url = "N/A" - logic_hash = "v1_sha256_11f6d7199b100b059f11030323327bd2335a327a45ce3c310d198ef4e514bf67" + logic_hash = "11f6d7199b100b059f11030323327bd2335a327a45ce3c310d198ef4e514bf67" score = 75 quality = 73 tags = "FILE" @@ -194520,13 +194520,13 @@ rule MALPEDIA_Win_Helauto_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2aa047ae-810b-5cad-a08d-a26c94a1b3fb" + id = "8f4c5f14-ca45-53fe-8db7-58ae81e6cff8" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.helauto_auto.yar#L1-L114" license_url = "N/A" - logic_hash = "v1_sha256_8c0415faca54a4465c0b97b35f2aed1c836ec68c9df037f6186699e53a26046b" + logic_hash = "8c0415faca54a4465c0b97b35f2aed1c836ec68c9df037f6186699e53a26046b" score = 75 quality = 75 tags = "FILE" 
@@ -194559,13 +194559,13 @@ rule MALPEDIA_Win_Doublefinger_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "122a830f-af50-540a-826a-5a70894f9e50" + id = "cf642cb4-badb-524a-b631-15e39cc2daf5" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefinger" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.doublefinger_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_3eae491d263429c9200953e488faaa30692919588c48a865c32492ea2fca792f" + logic_hash = "3eae491d263429c9200953e488faaa30692919588c48a865c32492ea2fca792f" score = 75 quality = 75 tags = "FILE" @@ -194598,13 +194598,13 @@ rule MALPEDIA_Win_Strifewater_Rat_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "6e5fe625-189f-56c9-aeec-da53ee757b9b" + id = "93638997-4b39-56df-8c2c-e15416c268e2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.strifewater_rat_auto.yar#L1-L133" license_url = "N/A" - logic_hash = "v1_sha256_c4c860d44d36734eadf7062d94acf85100c901ee56a2bc935f573163c784a260" + logic_hash = "c4c860d44d36734eadf7062d94acf85100c901ee56a2bc935f573163c784a260" score = 75 quality = 75 tags = "FILE" 
@@ -194637,13 +194637,13 @@ rule MALPEDIA_Win_Redleaves_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "ad3d8224-993c-5289-a75f-105d784c4f75" + id = "9f7b8b12-c503-5485-9c53-56cd6e66e380" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.redleaves_auto.yar#L1-L172" license_url = "N/A" - logic_hash = "v1_sha256_3dce4e217425a30687e485e0f532b16bc2ee15eb23b5abe81e3322015aee4687" + logic_hash = "3dce4e217425a30687e485e0f532b16bc2ee15eb23b5abe81e3322015aee4687" score = 75 quality = 69 tags = "FILE" @@ -194684,13 +194684,13 @@ rule MALPEDIA_Win_Billgates_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "2d321b54-57a7-5dcd-ba68-2ea52cf2f311" + id = "ce6a49fc-09dc-5429-91ef-444e27e6a6e2" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.billgates_auto.yar#L1-L111" license_url = "N/A" - logic_hash = "v1_sha256_7ac006802cc67c455b1cfb751cff616e1942e0354815f2ae842e0537d44fc0dd" + logic_hash = "7ac006802cc67c455b1cfb751cff616e1942e0354815f2ae842e0537d44fc0dd" score = 75 quality = 75 tags = "FILE" 
@@ -194723,13 +194723,13 @@ rule MALPEDIA_Win_Pinchduke_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "404d94e2-b126-567b-acbf-a7b10274261d" + id = "0794d793-2c22-5bd4-a61c-badc5e0c2c07" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pinchduke_auto.yar#L1-L134" license_url = "N/A" - logic_hash = "v1_sha256_59fabedb52194937fd24b19da68caeec236a55861258ee349d09c23df6cfa041" + logic_hash = "59fabedb52194937fd24b19da68caeec236a55861258ee349d09c23df6cfa041" score = 75 quality = 75 tags = "FILE" @@ -194762,13 +194762,13 @@ rule MALPEDIA_Win_Sarhust_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a8da62cc-2f51-5e18-94b5-92cd8b3e39e9" + id = "52e2651a-2a6e-5230-b7b1-6048b76df517" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.sarhust_auto.yar#L1-L118" license_url = "N/A" - logic_hash = "v1_sha256_714fe7fd57f34b3db5ebbf318cfb9e33c9b49986cf0bcf43914f2398aec0102c" + logic_hash = "714fe7fd57f34b3db5ebbf318cfb9e33c9b49986cf0bcf43914f2398aec0102c" score = 75 quality = 75 tags = "FILE" 
@@ -194801,13 +194801,13 @@ rule MALPEDIA_Win_Fusiondrive_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "abc8f59b-edc3-5780-a983-496eb82970af" + id = "6b24ebb4-bf8c-5059-8d46-133c8671d36b" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fusiondrive" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fusiondrive_auto.yar#L1-L121" license_url = "N/A" - logic_hash = "v1_sha256_21ef3d5712d10364f2b0ca6cdaf9dc2adad20cae2472f23d5b6b628fa15a50bd" + logic_hash = "21ef3d5712d10364f2b0ca6cdaf9dc2adad20cae2472f23d5b6b628fa15a50bd" score = 75 quality = 75 tags = "FILE" @@ -194840,13 +194840,13 @@ rule MALPEDIA_Win_Unidentified_039_Auto : FILE meta: description = "autogenerated rule brought to you by yara-signator" author = "Felix Bilstein - yara-signator at cocacoding dot com" - id = "a7b2792e-dbec-55ad-b036-7bd0d8a34527" + id = "ff352829-d1d0-5849-83ea-58866912f4d1" date = "2024-10-31" modified = "2024-11-11" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.unidentified_039_auto.yar#L1-L124" license_url = "N/A" - logic_hash = "v1_sha256_d0fe8cc6956cba73b2a7ff7165daeebd2de9ab47240a59740a19b016e98dc584" + logic_hash = "d0fe8cc6956cba73b2a7ff7165daeebd2de9ab47240a59740a19b016e98dc584" score = 75 quality = 75 tags = "FILE" 
@@ -194879,13 +194879,13 @@ rule MALPEDIA_Win_Volgmer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "96be8489-fdf2-51c9-9667-7175cb094055"
+ id = "ee14de89-49ac-54c0-9028-7fc3ec1ece55"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.volgmer_auto.yar#L1-L404"
 license_url = "N/A"
- logic_hash = "v1_sha256_e0462e79ef6280b8a6003ef7a899cec3de3d795edb85c7c6f37d83222de71a6b"
+ logic_hash = "e0462e79ef6280b8a6003ef7a899cec3de3d795edb85c7c6f37d83222de71a6b"
 score = 75
 quality = 50
 tags = "FILE"
@@ -194952,13 +194952,13 @@ rule MALPEDIA_Win_Kingminer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "715da54a-1d63-58ac-9ebc-c0777d6811fd"
+ id = "d7cd7a0a-31ee-53e1-af0c-e4bec9eb4a6f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kingminer_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_a1f2a6dac0d3d841d4f21da5b45b97f1a4e688102fb3e94636b9a33bdb699efe"
+ logic_hash = "a1f2a6dac0d3d841d4f21da5b45b97f1a4e688102fb3e94636b9a33bdb699efe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -194991,13 +194991,13 @@ rule MALPEDIA_Win_Nozelesn_Decryptor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1c4ddae3-eb7d-5e2d-a964-58a0dc7e791d"
+ id = "a50249a6-41ed-5afd-a344-f1c46141fa9b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.nozelesn_decryptor_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_4edccdad4171a3a8dbbdabb59b2b49ff95bfdb30e97dda2b954d7aea22da3283"
+ logic_hash = "4edccdad4171a3a8dbbdabb59b2b49ff95bfdb30e97dda2b954d7aea22da3283"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195030,13 +195030,13 @@ rule MALPEDIA_Win_Joanap_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "dc1a1f0e-78f3-5e0c-9803-d1cbf83ac27a"
+ id = "5e1b53cb-7deb-5667-8a28-f48e8944278b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.joanap_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_6fdacc4c6daa9a4be9b126a90beb146cca04ff56d03b259a90c3b1977b1b6f5e"
+ logic_hash = "6fdacc4c6daa9a4be9b126a90beb146cca04ff56d03b259a90c3b1977b1b6f5e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195069,13 +195069,13 @@ rule MALPEDIA_Win_Babar_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "601f78bd-dd16-5608-b765-30d2fb222f84"
+ id = "4c6a7dce-047d-5f59-9e3d-d3334c41d05a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.babar_auto.yar#L1-L161"
 license_url = "N/A"
- logic_hash = "v1_sha256_f26db48f4ddda7baab96557200e3865f1c9bdc6e10a7518d2cd23d9a8273c7f2"
+ logic_hash = "f26db48f4ddda7baab96557200e3865f1c9bdc6e10a7518d2cd23d9a8273c7f2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195114,13 +195114,13 @@ rule MALPEDIA_Win_Pvzout_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "74cd2b7f-d4e8-54cf-9f51-0e228c0b9c9b"
+ id = "7f4c2c6d-072f-520f-bffa-7c86816c46e1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pvzout_auto.yar#L1-L120"
 license_url = "N/A"
- logic_hash = "v1_sha256_ba6cffc93be56b2981aa18b2dfb2d12dcc79b5b9f031aee7308eec09fd3e12bc"
+ logic_hash = "ba6cffc93be56b2981aa18b2dfb2d12dcc79b5b9f031aee7308eec09fd3e12bc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195153,13 +195153,13 @@ rule MALPEDIA_Win_Darkcloud_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2536a255-0d04-579d-afc9-1647529bcb2a"
+ id = "e059e862-be86-52e7-8da9-3408fec87995"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.darkcloud_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_dc797d71bdd72f9d3e0bc969cd3f0b1296fdab9f38aa0a923dd640404b9f8c9b"
+ logic_hash = "dc797d71bdd72f9d3e0bc969cd3f0b1296fdab9f38aa0a923dd640404b9f8c9b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195192,13 +195192,13 @@ rule MALPEDIA_Win_Adkoob_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "bd78b0e5-457d-5f47-805f-7f00ebc261a3"
+ id = "9d0574c1-9926-5334-bfa7-9cdc9299a5a4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.adkoob_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_319076565d49e1f1e3a8b65fbc8806c865eb0ef04dd1a893be86dfc9ed47d730"
+ logic_hash = "319076565d49e1f1e3a8b65fbc8806c865eb0ef04dd1a893be86dfc9ed47d730"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195231,13 +195231,13 @@ rule MALPEDIA_Win_Chainshot_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d2d9a966-35c4-555b-8891-586459b0ac42"
+ id = "e1db7f53-0270-5824-82d9-8aed908ee2be"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chainshot_auto.yar#L1-L111"
 license_url = "N/A"
- logic_hash = "v1_sha256_8440e51f4c64f9f335a379594cb3f694f5050a99bd0f6190db9cf62fbca5d726"
+ logic_hash = "8440e51f4c64f9f335a379594cb3f694f5050a99bd0f6190db9cf62fbca5d726"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195270,13 +195270,13 @@ rule MALPEDIA_Win_Flawedgrace_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a19ad360-6634-576b-9251-8c25019f1b92"
+ id = "b7a2b679-4a09-5cd6-8d45-af761287421f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.flawedgrace_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_1ff4be291ff6b1a953ca9c7eac4587b5db7acf2526c0381d7b2b4e64ad42f78b"
+ logic_hash = "1ff4be291ff6b1a953ca9c7eac4587b5db7acf2526c0381d7b2b4e64ad42f78b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195309,13 +195309,13 @@ rule MALPEDIA_Win_Lazardoor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8a0d9899-1d5d-5c42-af7a-885a2d0aeef7"
+ id = "277a5926-2173-548c-847c-f39b2e42e95f"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazardoor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.lazardoor_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_7e853d80ccef3940e80ec411ec3cf1794666e4d443e999ba85c896703eb74aa3"
+ logic_hash = "7e853d80ccef3940e80ec411ec3cf1794666e4d443e999ba85c896703eb74aa3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195348,13 +195348,13 @@ rule MALPEDIA_Win_Derohe_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "ba48625c-b316-5f5d-ae9b-3beabba9d7aa"
+ id = "c13e1a85-a976-55b6-90d6-648c0339f374"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.derohe_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_6fba1305105906cd35356cda0d2e36fa76e73b801e4848b11ebc790c439c6d6c"
+ logic_hash = "6fba1305105906cd35356cda0d2e36fa76e73b801e4848b11ebc790c439c6d6c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195387,13 +195387,13 @@ rule MALPEDIA_Win_Dizzyvoid_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5e082fd2-811e-506b-b72a-39c742c2f94f"
+ id = "b900bbf0-efba-5979-b901-058422cfe398"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dizzyvoid"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.dizzyvoid_auto.yar#L1-L226"
 license_url = "N/A"
- logic_hash = "v1_sha256_8385659a773378b82a70cc8941b67dcf8ffad28a19525f1f78e990eee9f0fdc1"
+ logic_hash = "8385659a773378b82a70cc8941b67dcf8ffad28a19525f1f78e990eee9f0fdc1"
 score = 75
 quality = 73
 tags = "FILE"
@@ -195440,13 +195440,13 @@ rule MALPEDIA_Win_Jackpos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0e459a8f-ad74-5644-82e3-0ebfaebe866b"
+ id = "3dd7bb50-a9ba-5035-bc39-1825f87f4af4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jackpos_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_e318334295704491926f566878a765af2b4635b235cabb0b05edeaa2585792fc"
+ logic_hash = "e318334295704491926f566878a765af2b4635b235cabb0b05edeaa2585792fc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195479,13 +195479,13 @@ rule MALPEDIA_Win_Gup_Proxy_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3fcbe7aa-7fdb-5a64-9ee0-28b32bf51ae4"
+ id = "83d0d192-73f0-5c37-84a4-96599a03dd8c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gup_proxy_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_cd4745a85ea3e99fe6039df895795db2fbf4a6914277daa87672debc92efc3be"
+ logic_hash = "cd4745a85ea3e99fe6039df895795db2fbf4a6914277daa87672debc92efc3be"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195518,13 +195518,13 @@ rule MALPEDIA_Win_Graftor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "d5099540-3776-5497-8cef-7f4ee9d7465c"
+ id = "c144e9e9-346f-5b6a-9dfe-1d03b0e82296"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.graftor_auto.yar#L1-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_fb4376621aa16704d8aafacb83eec317def5e2f740ec5d73dd897b4e00fd49ae"
+ logic_hash = "fb4376621aa16704d8aafacb83eec317def5e2f740ec5d73dd897b4e00fd49ae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195557,13 +195557,13 @@ rule MALPEDIA_Win_Acridrain_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a21af47a-a064-5b41-9436-62fa7fd0427a"
+ id = "fcb90d8e-aad2-5dfa-b2aa-c88c9fb392e4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.acridrain_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_445c602d5a9107fcce82aaaf7b300d7763f0b08be8d23fd5ad6910688300093b"
+ logic_hash = "445c602d5a9107fcce82aaaf7b300d7763f0b08be8d23fd5ad6910688300093b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195596,13 +195596,13 @@ rule MALPEDIA_Win_Tildeb_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "767102f2-49ab-5b9a-8ec8-3c4e514a8f04"
+ id = "49677524-14e6-56de-966e-12587dbc120c"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tildeb"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.tildeb_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_ff05557691123d6857c3cb5d609bf2746dd344811b380372ecacb54f0277a087"
+ logic_hash = "ff05557691123d6857c3cb5d609bf2746dd344811b380372ecacb54f0277a087"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195635,13 +195635,13 @@ rule MALPEDIA_Win_Ryuk_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "3a59532e-f093-545e-9ea1-7e4b72b90745"
+ id = "721acb27-a4a0-50f9-a1d2-cd2f2b4d785d"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ryuk_auto.yar#L1-L449"
 license_url = "N/A"
- logic_hash = "v1_sha256_445b298ca90f42d0360a842e111170d0d02597be6aa1ae9b7c72639822721220"
+ logic_hash = "445b298ca90f42d0360a842e111170d0d02597be6aa1ae9b7c72639822721220"
 score = 75
 quality = 50
 tags = "FILE"
@@ -195714,13 +195714,13 @@ rule MALPEDIA_Win_Ransoc_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1590179f-8936-5b76-83d6-9e746035e72a"
+ id = "c55d5df4-572b-5c0c-9b0c-3a567923b39b"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.ransoc_auto.yar#L1-L123"
 license_url = "N/A"
- logic_hash = "v1_sha256_9e4916ca4af80e938f133184e5caea93df6c13b83aeab910e5de3e08f2b95d7e"
+ logic_hash = "9e4916ca4af80e938f133184e5caea93df6c13b83aeab910e5de3e08f2b95d7e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195753,13 +195753,13 @@ rule MALPEDIA_Win_Mosaic_Regressor_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "1e14d17b-c365-52ba-b65f-db2a9893ba74"
+ id = "6545d5ce-704c-5c00-a6cd-ec1b5c909576"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosaic_regressor"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mosaic_regressor_auto.yar#L1-L117"
 license_url = "N/A"
- logic_hash = "v1_sha256_73c7fd14f8effd7ac9e0816b586de74eff8d0d21c8391e8e84f2921e57196fdb"
+ logic_hash = "73c7fd14f8effd7ac9e0816b586de74eff8d0d21c8391e8e84f2921e57196fdb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195792,13 +195792,13 @@ rule MALPEDIA_Win_Phoenix_Locker_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "20311e94-10bf-5879-9d6b-fb2aa107efc0"
+ id = "211c4ada-8c2c-53b1-a8d1-ffd67dfd6fac"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.phoenix_locker_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_fc57928d88a0e4a78b2d227bc29cc732b1edff7e878d1ae0306413cb72bae6ed"
+ logic_hash = "fc57928d88a0e4a78b2d227bc29cc732b1edff7e878d1ae0306413cb72bae6ed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195831,13 +195831,13 @@ rule MALPEDIA_Win_Simda_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "fdc43536-c715-5487-b593-f5e4619d38cb"
+ id = "d74b8ce3-47a5-51db-a32e-c17b32ae8c86"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.simda_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_843d6d6caa38939c108c027a85a80f4565ce68a6213223a9ac5f7b9c75de56e2"
+ logic_hash = "843d6d6caa38939c108c027a85a80f4565ce68a6213223a9ac5f7b9c75de56e2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195870,13 +195870,13 @@ rule MALPEDIA_Win_Newpass_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "2cd6cc95-79fa-5267-9c48-74da78282bce"
+ id = "1259b84e-f22e-5be6-af9b-9be76f957f31"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.newpass_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_348cb83a48a4b33ccc0bbb52d51d9d135a00878f03abb1cd8978354d39a99336"
+ logic_hash = "348cb83a48a4b33ccc0bbb52d51d9d135a00878f03abb1cd8978354d39a99336"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195909,13 +195909,13 @@ rule MALPEDIA_Win_Kpot_Stealer_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f53a1820-8e1d-5ff2-a867-d053d924c064"
+ id = "e2a580eb-b7e8-5569-b0fb-2a299c9ec4b4"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kpot_stealer_auto.yar#L1-L128"
 license_url = "N/A"
- logic_hash = "v1_sha256_f623e53c9b602005767465c863e7a8d05ae4b1bf549ad4d0a72142bca2bcb3fc"
+ logic_hash = "f623e53c9b602005767465c863e7a8d05ae4b1bf549ad4d0a72142bca2bcb3fc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -195948,13 +195948,13 @@ rule MALPEDIA_Win_Boatlaunch_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "334c1aa3-75f1-5509-b92e-e1dc581a8663"
+ id = "17aecbbe-5b2a-5c30-99c2-803688504adb"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.boatlaunch"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.boatlaunch_auto.yar#L1-L172"
 license_url = "N/A"
- logic_hash = "v1_sha256_1f8a4849474a78f820c262b22058fdfb27def9aa1bc7516915781a893805dbc5"
+ logic_hash = "1f8a4849474a78f820c262b22058fdfb27def9aa1bc7516915781a893805dbc5"
 score = 75
 quality = 73
 tags = "FILE"
@@ -195993,13 +195993,13 @@ rule MALPEDIA_Win_Pocodown_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "b428fc2b-634f-5388-ad0a-96d31f45cb50"
+ id = "80a18124-a9b0-5acb-a47f-4f6b0c30bce1"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.pocodown_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_0c989d45fa577d150beb78b93b7b2b3b8b608ef00eacc1f315d54d3fff02abed"
+ logic_hash = "0c989d45fa577d150beb78b93b7b2b3b8b608ef00eacc1f315d54d3fff02abed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196032,13 +196032,13 @@ rule MALPEDIA_Win_Gratem_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "85e5b32e-eead-5fbb-831f-5cdd2810dcd6"
+ id = "89f0dee2-28c6-5a10-a3ad-288a448f45ac"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.gratem_auto.yar#L1-L118"
 license_url = "N/A"
- logic_hash = "v1_sha256_b58ab0ade84c3286830362f0f11bfb9519b8733c76dfe4e9cd7ba24746663e50"
+ logic_hash = "b58ab0ade84c3286830362f0f11bfb9519b8733c76dfe4e9cd7ba24746663e50"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196071,13 +196071,13 @@ rule MALPEDIA_Win_Cur1_Downloader_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c656942c-adf5-5a4d-9796-771186c25df7"
+ id = "8f21da40-d974-5099-af6e-31cd89e26953"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cur1_downloader"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cur1_downloader_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_1c569e94280f8095f5f07b5abf340e9688b7e484a4ea176f880968651b21cc46"
+ logic_hash = "1c569e94280f8095f5f07b5abf340e9688b7e484a4ea176f880968651b21cc46"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196110,13 +196110,13 @@ rule MALPEDIA_Win_Chinad_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "296020e8-c993-5ecc-93ce-2b54de81e453"
+ id = "638e582c-33e3-5dc7-b819-6884369859ac"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.chinad_auto.yar#L1-L130"
 license_url = "N/A"
- logic_hash = "v1_sha256_0909b63bc06cff243e8fe7a8bed04254856f090009be2422d2270c54ce10717f"
+ logic_hash = "0909b63bc06cff243e8fe7a8bed04254856f090009be2422d2270c54ce10717f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196149,13 +196149,13 @@ rule MALPEDIA_Win_Vigilant_Cleaner_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "5c57cf41-cb7f-597e-a740-072449278bbb"
+ id = "95508716-6967-5a7f-8deb-f89ef52d51c8"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.vigilant_cleaner_auto.yar#L1-L119"
 license_url = "N/A"
- logic_hash = "v1_sha256_8f3ebf6c4c6a27d564cc935d377873205b5347edbbb627f3304dd27f1d14c8a3"
+ logic_hash = "8f3ebf6c4c6a27d564cc935d377873205b5347edbbb627f3304dd27f1d14c8a3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196188,13 +196188,13 @@ rule MALPEDIA_Win_Cosmicduke_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "db0c7838-845d-54f2-9658-bd13bcb417ee"
+ id = "5fb60344-131a-5131-b8e1-4edb7524b3e9"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cosmicduke"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.cosmicduke_auto.yar#L1-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_7c78d88a6294fbefeccb9e02496af3e7aa8e7c4fd27d39a3747c54e6c53a3f19"
+ logic_hash = "7c78d88a6294fbefeccb9e02496af3e7aa8e7c4fd27d39a3747c54e6c53a3f19"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196227,13 +196227,13 @@ rule MALPEDIA_Win_Evilgrab_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "373d9cca-1ce0-596d-81f6-16876208eab9"
+ id = "2f5e9905-bb83-55a1-ac75-ab30097513bc"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.evilgrab_auto.yar#L1-L131"
 license_url = "N/A"
- logic_hash = "v1_sha256_b41ba72c13396de6441cf8d00725c98522c9e1b32d509c53ffe738d9f7f30c83"
+ logic_hash = "b41ba72c13396de6441cf8d00725c98522c9e1b32d509c53ffe738d9f7f30c83"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196266,13 +196266,13 @@ rule MALPEDIA_Win_Mydogs_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "a7350145-bffb-5410-a978-17369692fb0e"
+ id = "9688d839-8d35-5299-b5ae-d8084dbff6c0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.mydogs_auto.yar#L1-L127"
 license_url = "N/A"
- logic_hash = "v1_sha256_4d3f1e38f0e3ee2bcc850d56898106585e9b5f7ff2ecd490e245883ad04d625f"
+ logic_hash = "4d3f1e38f0e3ee2bcc850d56898106585e9b5f7ff2ecd490e245883ad04d625f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196305,13 +196305,13 @@ rule MALPEDIA_Win_Jlorat_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "8f4c0445-f3bf-5d91-8bbf-46c1c3f52240"
+ id = "1d1cf35b-b348-5281-a39e-6f479f3341d0"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.jlorat_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_f1e1cc634deaa339c16c9b45b57e58aeaba6eb3b461fa4ec4f4f48da46c3a4c6"
+ logic_hash = "f1e1cc634deaa339c16c9b45b57e58aeaba6eb3b461fa4ec4f4f48da46c3a4c6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196344,13 +196344,13 @@ rule MALPEDIA_Win_Atlas_Agent_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0d8c56d6-ffc2-5197-a59c-bf6089d78b75"
+ id = "8963b3c6-9ff3-517b-b17b-5c5871d182de"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.atlas_agent"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.atlas_agent_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_af8db8f42863f1a21cc132a9027166c584afcbb4de297bb22cf7a2ce6f153562"
+ logic_hash = "af8db8f42863f1a21cc132a9027166c584afcbb4de297bb22cf7a2ce6f153562"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196387,13 +196387,13 @@ rule MALPEDIA_Win_Kelihos_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "f4a12bb6-604b-54b1-a9a1-02f3e05f1cf3"
+ id = "916af3c3-ae46-5939-bcc1-467f81305f04"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.kelihos_auto.yar#L1-L134"
 license_url = "N/A"
- logic_hash = "v1_sha256_01c4d51fd72ba50cd8794e1b3e4eee55e82df8fc084f2e85675408a95d821aa3"
+ logic_hash = "01c4d51fd72ba50cd8794e1b3e4eee55e82df8fc084f2e85675408a95d821aa3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196426,13 +196426,13 @@ rule MALPEDIA_Win_Fuwuqidrama_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "c1173bac-29b9-53fa-aa35-fb52ebe7e88d"
+ id = "0fa71a6d-0c80-54bf-8699-93451280ec8a"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.fuwuqidrama_auto.yar#L1-L129"
 license_url = "N/A"
- logic_hash = "v1_sha256_01914df1a3041b58ec9ceec9faa5307c8556d20ec25933ac048149432128c635"
+ logic_hash = "01914df1a3041b58ec9ceec9faa5307c8556d20ec25933ac048149432128c635"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196465,13 +196465,13 @@ rule MALPEDIA_Win_Veiledsignal_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "0b6feca8-f7d7-5c5d-9901-da6a5e5c13b9"
+ id = "6c1343f8-3e47-50b2-a300-f82013ec0933"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.veiledsignal"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.veiledsignal_auto.yar#L1-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a6f92fe1de553c3683182fb5ec18013c09f63a6458b1c64fe2148d2dc0fd4cc"
+ logic_hash = "9a6f92fe1de553c3683182fb5ec18013c09f63a6458b1c64fe2148d2dc0fd4cc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196504,13 +196504,13 @@ rule MALPEDIA_Win_Shatteredglass_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "e927c75c-0641-51eb-926b-d76e6708d341"
+ id = "b5759aec-876a-5e51-92c3-b5c3cd47ebed"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.shatteredglass"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.shatteredglass_auto.yar#L1-L121"
 license_url = "N/A"
- logic_hash = "v1_sha256_01b6c47460c5c08264d9ff26f8c68c9d17064a107dafa21abd25815194e46710"
+ logic_hash = "01b6c47460c5c08264d9ff26f8c68c9d17064a107dafa21abd25815194e46710"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196543,13 +196543,13 @@ rule MALPEDIA_Win_Coronavirus_Ransomware_Auto : FILE
 meta:
 description = "autogenerated rule brought to you by yara-signator"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "720e338b-9ba0-5525-9a4f-08a6c3c444dd"
+ id = "25a17b3a-8384-5e84-a1b5-2dd73e5ee0cf"
 date = "2024-10-31"
 modified = "2024-11-11"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware"
 source_url = "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.coronavirus_ransomware_auto.yar#L1-L125"
 license_url = "N/A"
- logic_hash = "v1_sha256_d0b11b2a26c2b9ac5d26c61d4c9566b412c8fa0dfeb2d6ec35815769f67a7b2e"
+ logic_hash = "d0b11b2a26c2b9ac5d26c61d4c9566b412c8fa0dfeb2d6ec35815769f67a7b2e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -196581,7 +196581,7 @@ rule MALPEDIA_Win_Coronavirus_Ransomware_Auto : FILE
 * YARA Rule Set
 * Repository Name: Trellix ARC
 * Repository: https://github.com/advanced-threat-research/Yara-Rules/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: fc51a3fe3b450838614a5a5aa327c6bd8689cbb2
 * Number of Rules: 162
 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance)
@@ -196797,7 +196797,7 @@ private rule TRELLIX_ARC_Ransom_Xinof_Chunk_PRIVATE : RANSOMWARE
 meta:
 description = "Detect chunk of Xinof ransomware"
 author = "Thomas Roccia | McAfee ATR Team"
- id = "e49d6c28-c52f-584f-b1ba-67ce29ea0ff5"
+ id = "243c39fd-b5f6-5f64-8058-43da182480c0"
 date = "2020-11-20"
 date = "2020-11-20"
 modified = "2020-11-20"
@@ -196805,7 +196805,7 @@ private rule TRELLIX_ARC_Ransom_Xinof_Chunk_PRIVATE : RANSOMWARE
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_xinof.yar#L1-L51"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "0c1e6299a2392239dbe7fead33ef4146"
- logic_hash = "v1_sha256_f0266962357a7cb26995cdbfcc99749b73fc4ed09c813fa8e2ed0f5143cde554"
+ logic_hash = "f0266962357a7cb26995cdbfcc99749b73fc4ed09c813fa8e2ed0f5143cde554"
 score = 75
 quality = 70
 tags = "RANSOMWARE"
@@ -196856,13 +196856,13 @@ rule TRELLIX_ARC_Shifu : FINANCIAL
 meta:
 description = "No description has been set in the source file - Trellix ARC"
 author = "McAfee Labs"
- id = "51da01a5-5f2a-5275-a68a-d78784c5d8ce"
+ id = "81e9ad25-1df0-5196-be8b-1d1d5d8e4387"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://blogs.mcafee.com/mcafee-labs/japanese-banking-trojan-shifu-combines-malware-tools/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_Shifu.yar#L1-L24"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_dfa6165f8d2750330c71dedbde293780d2bb27e8eb3635e47ca770ff7b9a9d63"
+ logic_hash = "dfa6165f8d2750330c71dedbde293780d2bb27e8eb3635e47ca770ff7b9a9d63"
 score = 75
 quality = 70
 tags = "FINANCIAL"
@@ -196886,13 +196886,13 @@ rule TRELLIX_ARC_Rietspoof_Loader : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Rietspoof loader"
 author = "Marc Rivero | McAfee ATR Team"
- id = "2578c6bd-ae11-5f25-922c-fd19df5f7bfd"
+ id = "f306e381-e2ae-528e-937b-aced72356d77"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://blog.avast.com/rietspoof-malware-increases-activity"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_rietspoof_loader.yar#L1-L22"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_d72b58ff452070e03d0b25bc433ef5c677df77dd440adc1ecdb592cee24235fb"
+ logic_hash = "d72b58ff452070e03d0b25bc433ef5c677df77dd440adc1ecdb592cee24235fb"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -196912,14 +196912,14 @@ rule TRELLIX_ARC_MALWARE_Blackpos_Pdb : POS FILE
 meta:
 description = "BlackPOS PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "c81cc953-4e02-59a3-ad5b-f31d1a07dc8b"
+ id = "f37e1522-49c4-5369-bc2c-33b070e9eae7"
 date = "2014-01-24"
 modified = "2020-08-14"
 reference = "https://en.wikipedia.org/wiki/BlackPOS_Malware"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_blackpos_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5a963e8aca62f3cf5872c6bff02d6dee0399728554c6ac3f5cb312b2ba7d7dbf"
- logic_hash = "v1_sha256_d8f3fa380ca15f0fae432849b8c16cb8a0a9d1427d3e72fbf89cbbd63b0849c9"
+ logic_hash = "d8f3fa380ca15f0fae432849b8c16cb8a0a9d1427d3e72fbf89cbbd63b0849c9"
 score = 75
 quality = 70
 tags = "POS, FILE"
@@ -196940,14 +196940,14 @@ rule TRELLIX_ARC_Malw_Cutwail_Pdb : BOTNET FILE
 meta:
 description = "Rule to detect cutwail based on the PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "e257d958-70da-517f-bfa6-2831dd99eaa6"
+ id = "62058ff9-acb5-5f71-b6bb-4c64e51442ba"
 date = "2008-04-16"
 modified = "2020-08-14"
 reference = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/CUTWAIL"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_cutwail.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "d702f823eefb50d9ea5b336c638f65a40c2342f8eb88278da60aa8a498c75010"
- logic_hash = "v1_sha256_f53626e6085509ddf9268b69e54a138e64cd5d3fbad119e6e9473179decd7927"
+ logic_hash = "f53626e6085509ddf9268b69e54a138e64cd5d3fbad119e6e9473179decd7927"
 score = 75
 quality = 70
 tags = "BOTNET, FILE"
@@ -196968,13 +196968,13 @@ rule TRELLIX_ARC_Rovnix_Downloader : DOWNLOADER
 meta:
 description = "Rovnix downloader with sinkhole checks"
 author = "Intel Security"
- id = "f62ba89a-da9e-53dc-b4fe-a210d6964352"
+ id = "d51f8f73-7a3a-5ccf-9122-86061b5399f1"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_Rovnix.yar#L1-L38"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_52cde40c95436129b7d48b4bd5e78b66deb84fdc84a76cc9ac72f24e0777e540"
+ logic_hash = "52cde40c95436129b7d48b4bd5e78b66deb84fdc84a76cc9ac72f24e0777e540"
 score = 75
 quality = 43
 tags = "DOWNLOADER"
@@ -197009,14 +197009,14 @@ rule TRELLIX_ARC_Malw_Inabot_Worm : WORM FILE
 meta:
 description = "Rule to detect inabot worm based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "7fe0bfbd-6a5b-5d82-9a95-73880a472345"
+ id = "b899d2d6-000a-5363-9efe-527dcd0cea17"
 date = "2013-04-19"
 modified = "2020-08-14"
 reference = "http://verwijderspyware.blogspot.com/2013/04/elimineren-w32inabot-worm-hoe-te.html"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_inabot_worm_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "c9c010228254aae222e31c669dda639cdd30695729b8ef2b6ece06d899a496aa"
- logic_hash = "v1_sha256_70485de4e071b684faa87484ce2a53a8b2a29d0a2954e785b858c7ff1d908de0"
+ logic_hash = "70485de4e071b684faa87484ce2a53a8b2a29d0a2954e785b858c7ff1d908de0"
 score = 75
 quality = 70
 tags = "WORM, FILE"
@@ -197038,13 +197038,13 @@ rule TRELLIX_ARC_MALW_Liquorbot : MALWARE FILE
 meta:
 description = "Rule to detect LiquorBot malware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "e18edb34-025a-55b5-bf48-c8f5d04d3de1"
+ id = "73898df8-b5eb-50ac-a2fe-ef9233c251c5"
 date = "2020-08-19"
 modified = "2020-08-19"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_liquorbot.yar#L1-L23"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_2448e3ede809331b2370fe9d42d603ad6508be6531a1a8764e0e0621867b6e89"
+ logic_hash = "2448e3ede809331b2370fe9d42d603ad6508be6531a1a8764e0e0621867b6e89"
 score = 75
 quality = 70
 tags = "MALWARE, FILE"
@@ -197066,14 +197066,14 @@ rule TRELLIX_ARC_Chikdos_Malware_Pdb : DOS FILE
 meta:
 description = "Chikdos PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "f0b56cec-5c6d-5601-abd7-a115ea616e87"
+ id = "0174ff2b-57fc-5578-b45e-c08bf8528ee8"
 date = "2013-12-02"
 modified = "2020-08-14"
 reference = "http://hackermedicine.com/tag/trojan-chickdos/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_chickdos_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "c2a0e9f8e880ac22098d550a74940b1d81bc9fda06cebcf67f74782e55e9d9cc"
- logic_hash = "v1_sha256_150bf809a61aad00df0c49fb6a609b909c84ffb9ca442e143a6c5bf3dfc39314"
+ logic_hash = "150bf809a61aad00df0c49fb6a609b909c84ffb9ca442e143a6c5bf3dfc39314"
 score = 75
 quality = 70
 tags = "DOS, FILE"
@@ -197094,14 +197094,14 @@ rule TRELLIX_ARC_Backdoor_Kankan_Pdb : BACKDOOR FILE
 meta:
 description = "Rule to detect kankan PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "b93f668f-28c1-5f0e-9859-9c527c7367bf"
+ id = "6910ecc7-3c31-569b-a7ff-2dcbccff88f9"
 date = "2013-08-01"
 modified = "2020-08-14"
 reference = "https://threatpoint.checkpoint.com/ThreatPortal/threat?threatType=malwarefamily&threatId=650"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_backdoor_kankan_pdb.yar#L1-L27"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "73f9e28d2616ee990762ab8e0a280d513f499a5ab2cae9f8cf467701f810b98a"
- logic_hash = "v1_sha256_3d2e45631dfca0e76e98eee4bb5c4ce1631906f497c052d8c41cc37637cb2760"
+ logic_hash = "3d2e45631dfca0e76e98eee4bb5c4ce1631906f497c052d8c41cc37637cb2760"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -197124,14 +197124,14 @@ rule TRELLIX_ARC_Malw_Likseput_Backdoor_Pdb : BACKDOOR FILE
 meta:
 description = "Rule to detect Likseput backdoor based on the PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "a9ff02fa-87d5-5d9f-8878-5afc8a3cfbaa"
+ id = "2193daf8-016b-5f49-97ec-b821c8da22f6"
 date = "2011-03-26"
 modified = "2020-08-14"
 reference = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_likseput.e"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_likseput_backdoor_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "993b36370854587f4eef3366562f01ab87bc4f7b88a21f07b44bd5051340386d"
- logic_hash = "v1_sha256_2afc4b7e6a5f0d9fed9a075aebaac8157e843c83c55c3f2255431bb6a03459ec"
+ logic_hash = "2afc4b7e6a5f0d9fed9a075aebaac8157e843c83c55c3f2255431bb6a03459ec"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -197152,14 +197152,14 @@ rule TRELLIX_ARC_Vpnfilter : BACKDOOR FILE
 meta:
 description = "Filter for 2nd stage malware used in VPNfilter attack"
 author = "Christiaan Beek @ McAfee Advanced Threat Research"
- id = "5c02ae4e-b18c-5b81-bef4-77d39b774903"
+ id = "89bd7f94-d73c-5c5c-a3ec-0331f79e61fd"
 date = "2018-05-23"
 modified = "2020-08-14"
 reference = "https://blog.talosintelligence.com/2018/05/VPNFilter.html"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_VPNfilter.yar#L1-L40"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387"
- logic_hash = "v1_sha256_88f08765dff632f0c08e985181309e5c3ac9cdaa51d05d8485c411fb1a183cca"
+ logic_hash = "88f08765dff632f0c08e985181309e5c3ac9cdaa51d05d8485c411fb1a183cca"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -197194,14 +197194,14 @@ rule TRELLIX_ARC_Alina_POS_PDB : POS FILE
 meta:
 description = "Rule to detect Alina POS"
 author = "Marc Rivero | McAfee ATR Team"
- id = "53920fc8-b74b-5624-b78a-7f67e8103578"
+ id = "9588aa10-d5e4-55f4-998c-a01503a53d3a"
 date = "2013-08-08"
 modified = "2020-08-14"
 reference = "https://www.pandasecurity.com/mediacenter/pandalabs/alina-pos-malware/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_alina_pos_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "28b0c52c0630c15adcc857d0957b3b8002a4aeda3c7ec40049014ce33c7f67c3"
- logic_hash = "v1_sha256_9bb8260e3a47567e2460dd474fb74e57987e3d79eb30cdbc2a45b88a16ba1ca2"
+ logic_hash = "9bb8260e3a47567e2460dd474fb74e57987e3d79eb30cdbc2a45b88a16ba1ca2"
 score = 75
 quality = 70
 tags = "POS, FILE"
@@ -197222,14 +197222,14 @@ rule TRELLIX_ARC_Redline_Payload : BACKDOOR FILE
 meta:
 description = "Rule to detect the RedLine payload"
 author = "Marc Rivero | McAfee ATR Team"
- id = "afb3bf8d-4098-53ab-8e97-7bc0fc3982ce"
+ id = "61c2032f-1e6b-5123-8f99-ff83ae95e8a9"
 date = "2020-04-16"
 modified = "2020-08-14"
 reference = "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_redline.yar#L1-L38"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5df956f08d6ad0559efcdb7b7a59b2f3b95dee9e2aa6b76602c46e2aba855eff"
- logic_hash = "v1_sha256_44df161b7434b9137ca5bb919eb314f8447b216b3f6e1214606a898fb36ee4f4"
+ logic_hash = "44df161b7434b9137ca5bb919eb314f8447b216b3f6e1214606a898fb36ee4f4"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -197257,14 +197257,14 @@ rule TRELLIX_ARC_Rtf_Bluetea_Builder : MALDOC FILE
 meta:
 description = "Rule to detect the RTF files created to distribute BlueTea trojan"
 author = "Marc Rivero | McAfee ATR Team"
- id = "f8497477-ae84-56fb-9c45-9d188afd7d96"
+ id = "20e4f7b2-b36c-5724-a3aa-4216ed6265ab"
 date = "2020-04-21"
 modified = "2020-08-14"
 reference = "https://blog.360totalsecurity.com/en/bluetea-action-drive-the-life-trojan-update-email-worm-module-and-spread-through-covid-19-outbreak/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALDOC_rtf_bluetea_builder.yar#L1-L30"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "4a3eeaed22342967a95302a4f087b25f50d61314facc6791f756dcd113d4f277"
- logic_hash = "v1_sha256_6c4007fb7ef4819141db63050215dcbb3d2c17e7cdcdbb6cfb4f4b045bb5736b"
+ logic_hash = "6c4007fb7ef4819141db63050215dcbb3d2c17e7cdcdbb6cfb4f4b045bb5736b"
 score = 75
 quality = 70
 tags = "MALDOC, FILE"
@@ -197285,14 +197285,14 @@ rule TRELLIX_ARC_Malw_Medfos : TROJAN FILE
 meta:
 description = "Rule to detect Medfos trojan based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "566f66a3-1124-58a9-8296-b95d54292aca"
+ id = "07ad0227-ca8f-5071-8ef7-8c3e087fcc35"
 date = "2013-04-19"
 modified = "2020-08-14"
 reference = "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=win32%2Fmedfos"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_medfos_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "3582e242f62598445ca297c389cae532613afccf48b16e9c1dcf1bfedaa6e14f"
- logic_hash = "v1_sha256_1726462a806f5cb3f0b80596623cebc51a7a9f866ded0cb59ea1c43034ce2819"
+ logic_hash = "1726462a806f5cb3f0b80596623cebc51a7a9f866ded0cb59ea1c43034ce2819"
 score = 75
 quality = 70
 tags = "TROJAN, FILE"
@@ -197313,14 +197313,14 @@ rule TRELLIX_ARC_Kelihos_Botnet_Pdb : BOTNET FILE
 meta:
 description = "Rule to detect Kelihos malware based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "27b8d370-d678-5bbb-b71c-f9cc0507cd0d"
+ id = "2b6683a1-ba19-586b-8a92-89d4764efa12"
 date = "2013-09-04"
 modified = "2020-08-14"
 reference = "https://www.malwaretech.com/2017/04/the-kelihos-botnet.html"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_kelhios_botnet_pdb.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "f0a6d09b5f6dbe93a4cf02e120a846073da2afb09604b7c9c12b2e162dfe7090"
- logic_hash = "v1_sha256_f60fb85161f86653f390b444d568da24cf07b3be99856230156741e8451e2a3f"
+ logic_hash = "f60fb85161f86653f390b444d568da24cf07b3be99856230156741e8451e2a3f"
 score = 75
 quality = 70
 tags = "BOTNET, FILE"
@@ -197342,13 +197342,13 @@ rule TRELLIX_ARC_MALW_Cobaltrike : BACKDOOR FILE
 meta:
 description = "Rule to detect CobaltStrike beacon"
 author = "Felix Bilstein - yara-signator at cocacoding dot com"
- id = "86e59c74-97c1-57b0-89c7-e4ee4e36fe8a"
+ id = "a7dae4c7-672e-58fb-8542-90fa90d991a4"
 date = "2020-07-19"
 modified = "2021-08-30"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_cobaltstrike.yar#L1-L38"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_fc91d40c6544c7ab7c60b3cb8fc542bd4a6fac79dbe00cad8f612854f2a6dcd1"
+ logic_hash = "fc91d40c6544c7ab7c60b3cb8fc542bd4a6fac79dbe00cad8f612854f2a6dcd1"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -197385,14 +197385,14 @@ rule TRELLIX_ARC_Dropper_Demekaf_Pdb : DROPPER FILE
 meta:
 description = "Rule to detect Demekaf dropper based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "a0e85816-0fcd-5d5d-92e0-c3e9a02b41d6"
+ id = "b49f42c1-d737-5afa-b547-7268e4cde360"
 date = "2011-03-26"
 modified = "2020-08-14"
 reference = "https://v.virscan.org/Trojan-Dropper.Win32.Demekaf.html"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_dropper_demekaf_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "fab320fceb38ba2c5398debdc828a413a41672ce9745afc0d348a0e96c5de56e"
- logic_hash = "v1_sha256_89c0c1da1f8997b12a446c93bbde200e62fac9cab2a9a17147b268d435bdc3b6"
+ logic_hash = "89c0c1da1f8997b12a446c93bbde200e62fac9cab2a9a17147b268d435bdc3b6"
 score = 75
 quality = 70
 tags = "DROPPER, FILE"
@@ -197413,14 +197413,14 @@ rule TRELLIX_ARC_Downloader_Darkmegi_Pdb : DOWNLOADER FILE
 meta:
 description = "Rule to detect DarkMegi downloader based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "fd6b8183-4da3-5d1f-99b7-ca7d0e1d04ed"
+ id = "3ccc3685-e05b-5620-9198-24733fb1e7eb"
 date = "2013-03-06"
 modified = "2020-08-14"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_downloader_darkmegi.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "bf849b1e8f170142176d2a3b4f0f34b40c16d0870833569824809b5c65b99fc1"
- logic_hash = "v1_sha256_47faf8c5296e651f82726a6e8a7843dfa0f98e7be7257d2c03efcff550f52140"
+ logic_hash = "47faf8c5296e651f82726a6e8a7843dfa0f98e7be7257d2c03efcff550f52140"
 score = 75
 quality = 70
 tags = "DOWNLOADER, FILE"
@@ -197441,13 +197441,13 @@ rule TRELLIX_ARC_MALW_Fritzfrog : BOTNET FILE
 meta:
 description = "Rule to detect Fritzfrog"
 author = "Marc Rivero | McAfee ATR Team"
- id = "10abeaa3-f827-50b1-b9b3-7544ccc3fe8a"
+ id = "4c553279-7e0c-5602-944d-ad8a47edf4ea"
 date = "2020-08-20"
 modified = "2020-08-20"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_fritzfrog.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_488c807ecf0a9e981b2c1f2f5bb2e3072952d11f7cbf3a354bc85dc8e88b8b09"
+ logic_hash = "488c807ecf0a9e981b2c1f2f5bb2e3072952d11f7cbf3a354bc85dc8e88b8b09"
 score = 75
 quality = 70
 tags = "BOTNET, FILE"
@@ -197470,14 +197470,14 @@ rule TRELLIX_ARC_Masslogger_Stealer : STEALER FILE
 meta:
 description = "Rule to detect unpacked MassLogger stealer"
 author = "Marc Rivero | McAfee ATR Team"
- id = "47f6b145-a301-5c06-93a7-2b3bb6fef751"
+ id = "c3a40108-3f0c-5949-9201-95c3c38b352a"
 date = "2020-07-02"
 modified = "2020-08-14"
 reference = "https://urlhaus.abuse.ch/browse/signature/MassLogger/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_masslogger_stealer.yar#L1-L63"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "343873155b6950386f7d9bcd8d2b2e81088521aedf8ff1333d20229426d8145c"
- logic_hash = "v1_sha256_476b3f3a54a4616058a2aef01adbe429a38eacc8ee58881d31bd28e795a27575"
+ logic_hash = "476b3f3a54a4616058a2aef01adbe429a38eacc8ee58881d31bd28e795a27575"
 score = 75
 quality = 66
 tags = "STEALER, FILE"
@@ -197537,13 +197537,13 @@ rule TRELLIX_ARC_Shellcode_Mykins_Botnet : SHELLCODE FILE
 meta:
 description = "Rule to detect the shellcode used in the MyKins Botnet"
 author = "Marc Rivero | McAfee ATR Team"
- id = "1806edc7-8e16-52cf-9beb-61c00912ee9f"
+ id = "9dc80b27-59e2-5925-9bb7-64a54241f52b"
 date = "2018-01-24"
 modified = "2020-08-14"
 reference = "https://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_shellcode_mykins_botnet.yar#L1-L27"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_5fa54c41a423d776d05bdac5b171ee685f54372b4e6aa41b57cce769ac2c6976"
+ logic_hash = "5fa54c41a423d776d05bdac5b171ee685f54372b4e6aa41b57cce769ac2c6976"
 score = 75
 quality = 70
 tags = "SHELLCODE, FILE"
@@ -197565,14 +197565,14 @@ rule TRELLIX_ARC_Malw_Mangzamel_Trojan : TROJAN FILE
 meta:
 description = "Rule to detect Mangzamel trojan based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "f9d42396-155f-57d1-bc17-f2763769d9c5"
+ id = "ca77180f-6133-5edb-a36b-78bc6f18d80c"
 date = "2014-06-25"
 modified = "2020-08-14"
 reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_mangzamel_trojan_pdb.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "4324580ea162a636b7db1efb3a3ba38ce772b7168b4eb3a149df880a47bd72b7"
- logic_hash = "v1_sha256_bab103c671445e0ea916fae290689d30d45021bdca58a495ebd3d6ca9ca55051"
+ logic_hash = "bab103c671445e0ea916fae290689d30d45021bdca58a495ebd3d6ca9ca55051"
 score = 75
 quality = 70
 tags = "TROJAN, FILE"
@@ -197594,13 +197594,13 @@ rule TRELLIX_ARC_Nionspy : FILEINFECTOR FILE
 meta:
 description = "Triggers on old and new variants of W32/NionSpy file infector"
 author = "Trellix ARC Team"
- id = "b5198288-cc62-510b-9500-b1d75dee84fd"
+ id = "86051ef8-a18b-553c-b06c-490f8d6df5cf"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_NionSpy.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_982ba52f39352aee9e2d2dcadfb0816c439e92d0e5947afa7860630720913742"
+ logic_hash = "982ba52f39352aee9e2d2dcadfb0816c439e92d0e5947afa7860630720913742"
 score = 75
 quality = 70
 tags = "FILEINFECTOR, FILE"
@@ -197622,14 +197622,14 @@ rule TRELLIX_ARC_Malw_Eicar : EICAR
 meta:
 description = "Rule to detect the EICAR pattern"
 author = "Marc Rivero | McAfee ATR Team"
- id = "34bd1b3f-753d-5a72-9f58-0cb2bc04a804"
+ id = "16307b03-7fab-5d68-ad3b-0efcea952fcf"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://www.eicar.org/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_Eicar.yar#L1-L22"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
- logic_hash = "v1_sha256_564b0592f40582fe71e2dab0c0f25c168462f9297c13e7c9f06ac51b492e4533"
+ logic_hash = "564b0592f40582fe71e2dab0c0f25c168462f9297c13e7c9f06ac51b492e4533"
 score = 75
 quality = 70
 tags = "EICAR"
@@ -197649,14 +197649,14 @@ rule TRELLIX_ARC_Havex_Backdoor_Pdb : BACKDOOR FILE
 meta:
 description = "Rule to detect backdoor Havex based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "19684a5c-a37e-5ba9-a70f-ad4edb9036f2"
+ id = "a667bb4e-8c38-59a6-8ae0-09c44961a687"
 date = "2012-11-17"
 modified = "2020-08-14"
 reference = "https://www.f-secure.com/v-descs/backdoor_w32_havex.shtml"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_backdoor_havex_pdb.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "0f4046be5de15727e8ac786e54ad7230807d26ef86c3e8c0e997ea76ab3de255"
- logic_hash = "v1_sha256_dc50475b1ff2194306a0295f71860e4cc5ae7e126daa5d401b98cd2a0aadf1dd"
+ logic_hash = "dc50475b1ff2194306a0295f71860e4cc5ae7e126daa5d401b98cd2a0aadf1dd"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -197678,14 +197678,14 @@ rule TRELLIX_ARC_Jatboss : PHISHING FILE
 meta:
 description = "Rule to detect PDF files from Jatboss campaign and MSG files that contained those attachents"
 author = "Marc Rivero | McAfee ATR Team"
- id = "7ed62fb1-1922-5f04-9403-1a2714a2df5f"
+ id = "009a7486-2ee8-57ef-8dfd-fcbd035b4e85"
 date = "2019-12-04"
 modified = "2020-08-14"
 reference = "https://exchange.xforce.ibmcloud.com/collection/JATBOSS-Phishing-Kit-17c74b38860de5cb9fc727e6c0b6d5b5"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_jatboss.yar#L1-L36"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "b81fb37dc48812f6ad61984ecf2a8dbbfe581120257cb4becad5375a12e755bb"
- logic_hash = "v1_sha256_5e6e4c8f6c0896623f166a98eb83a9a4f23139306671cf2e35ba239b2dc191fc"
+ logic_hash = "5e6e4c8f6c0896623f166a98eb83a9a4f23139306671cf2e35ba239b2dc191fc"
 score = 75
 quality = 66
 tags = "PHISHING, FILE"
@@ -197708,13 +197708,13 @@ rule TRELLIX_ARC_Cyaxsharp_Rezer0 : LOADER
 meta:
 description = "Detects CyaX-Sharp/ReZer0 loader samples based on the embedded scheduled task template"
 author = "Max 'Libra' Kersten for McAfee's Advanced Threat Research Team"
- id = "3f88e77e-39c6-5178-97b9-f7141429dcfc"
+ id = "7a1addcf-4e8f-5290-8788-9b0738128160"
 date = "2021-04-08"
 modified = "2021-08-04"
 reference = "This rule was published in combination with the following McAfee ATR blog: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/see-ya-sharp-a-loaders-tale/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MAL_cyax_sharp_loader.yar#L1-L16"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_3d6daaf7a85a9b3898e4ce5d5293b09f26965f9f7280b34ba8f6814b7f14dec2"
+ logic_hash = "3d6daaf7a85a9b3898e4ce5d5293b09f26965f9f7280b34ba8f6814b7f14dec2"
 score = 75
 quality = 70
 tags = "LOADER"
@@ -197732,14 +197732,14 @@ rule TRELLIX_ARC_Dridex_P2P_Pdb : BACKDOOR FILE
 meta:
 description = "Rule to detect Dridex P2P based on the PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "c1095b7b-49ef-508c-b8d4-12e30436dce4"
+ id = "57350c96-877e-57de-9465-df9f7eb6d656"
 date = "2014-11-29"
 modified = "2020-08-14"
 reference = "https://www.us-cert.gov/ncas/alerts/aa19-339a"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_dridex_p2p_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5345a9405212f3b8ef565d5d793e407ae8db964865a85c97e096295ba3f39a78"
- logic_hash = "v1_sha256_c9c4db48435203cdb882eef8082efd8424bd13f1aa512cfb3082f365b9bc6e83"
+ logic_hash = "c9c4db48435203cdb882eef8082efd8424bd13f1aa512cfb3082f365b9bc6e83"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -197760,13 +197760,13 @@ rule TRELLIX_ARC_MALW_Emotet : FINANCIAL FILE
 meta:
 description = "Rule to detect unpacked Emotet"
 author = "Marc Rivero | McAfee ATR Team"
- id = "34126ea4-785c-5415-b00f-05e35ef88b73"
+ id = "5bc83065-dfdd-56b7-9983-200bff35c8b1"
 date = "2020-07-21"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_emotet.yar#L1-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_223e4453a6c3b56b0bc0f91147fa55ea59582d64b8a5c08f1f8d06026044065e"
+ logic_hash = "223e4453a6c3b56b0bc0f91147fa55ea59582d64b8a5c08f1f8d06026044065e"
 score = 75
 quality = 70
 tags = "FINANCIAL, FILE"
@@ -197798,14 +197798,14 @@ rule TRELLIX_ARC_Festi_Botnet_Pdb : BOTNET FILE
 meta:
 description = "Rule to detect the Festi botnet based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "32ef12a2-ea79-5927-a4b0-e03e307f8a40"
+ id = "02f4149d-b8ac-5852-8cbe-c47f4cddcba6"
 date = "2013-03-04"
 modified = "2020-08-14"
 reference = "https://www.welivesecurity.com/2012/05/11/king-of-spam-festi-botnet-analysis/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_festi_botnet_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "e55913523f5ae67593681ecb28d0fa1accee6739fdc3d52860615e1bc70dcb99"
- logic_hash = "v1_sha256_46e2576900fe94d614a683d4f09079b7ac78654079b2e558d076bcb42db4bf11"
+ logic_hash = "46e2576900fe94d614a683d4f09079b7ac78654079b2e558d076bcb42db4bf11"
 score = 75
 quality = 70
 tags = "BOTNET, FILE"
@@ -197826,14 +197826,14 @@ rule TRELLIX_ARC_Screenlocker_5H311_1Nj3C706 : SCREENLOCKER FILE
 meta:
 description = "Rule to detect the screenlocker 5h311_1nj3c706"
 author = "Marc Rivero | McAfee ATR Team"
- id = "cef0ad3b-6cbc-5755-b9f8-63868f826964"
+ id = "50bbe8e1-4721-5277-b786-d2a2d9acf917"
 date = "2018-08-07"
 modified = "2020-08-14"
 reference = "https://twitter.com/demonslay335/status/1038060120461266944"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_screenlocker_5h311_1nj3c706.yar#L1-L33"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "016ee638bd4fccd5ca438c2e0abddc4b070f59269c08f11c5313ba9c37190718"
- logic_hash = "v1_sha256_61b4495841c77053ba2631f087197719f3ee45cd93add022f23b87ece8563619"
+ logic_hash = "61b4495841c77053ba2631f087197719f3ee45cd93add022f23b87ece8563619"
 score = 75
 quality = 70
 tags = "SCREENLOCKER, FILE"
@@ -197862,14 +197862,14 @@ rule TRELLIX_ARC_Malw_Browser_Fox_Adware : ADWARE FILE
 meta:
 description = "Rule to detect Browser Fox Adware based on the PDB reference"
 author = "Marc Rivero | McAfee ATR Team"
- id = "d0b1a6e2-d2e6-53a6-86f1-4f975c961c67"
+ id = "67d20c3a-4e9d-5fbf-b26a-d7b5fb270d12"
 date = "2015-01-15"
 modified = "2020-08-14"
 reference = "https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Browse%20Fox.aspx"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_browser_fox_adware.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "c6f3d6024339940896dd18f32064c0773d51f0261ecbee8b0534fdd9a149ac64"
- logic_hash = "v1_sha256_462a05de46ec0d710cac80a05d4935279a43f49cbd5ef49c072f277982a76fce"
+ logic_hash = "462a05de46ec0d710cac80a05d4935279a43f49cbd5ef49c072f277982a76fce"
 score = 75
 quality = 70
 tags = "ADWARE, FILE"
@@ -197890,14 +197890,14 @@ rule TRELLIX_ARC_Kartoxa_Malware_Pdb : POS FILE
 meta:
 description = "Rule to detect Kartoxa POS based on the PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "a8604a84-e463-52b2-9965-443a859eec5b"
+ id = "3d2dbf22-5d8f-5f19-9048-2d021ada22c8"
 date = "2010-10-09"
 modified = "2020-08-14"
 reference = "https://securitynews.sonicwall.com/xmlpost/guatambu-new-multi-component-infostealer-drops-kartoxa-pos-malware-apr-08-2016/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_backdoor_katorxa_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "86dd21b8388f23371d680e2632d0855b442f0fa7e93cd009d6e762715ba2d054"
- logic_hash = "v1_sha256_6e1810af386f3aada4cd1d72f76d8210d201808c8fe1d21d379ff1a825d93710"
+ logic_hash = "6e1810af386f3aada4cd1d72f76d8210d201808c8fe1d21d379ff1a825d93710"
 score = 75
 quality = 70
 tags = "POS, FILE"
@@ -197918,13 +197918,13 @@ rule TRELLIX_ARC_Msworldexploit_Builder_Doc : MALDOC FILE
 meta:
 description = "Rule to detect RTF/Docs files created by MsWordExploit Builder"
 author = "Marc Rivero | McAfee ATR Team"
- id = "16afb49b-54e0-5691-bb5f-0ce1765c81ac"
+ id = "6c4c091b-5fce-583a-bc17-31830251892c"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/malware/MALW_MsWordExploit_DOC.yar#L1-L24"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_f85c6d79e5ed20084d35f9de92a9d9ce20cf4b3100b1226d64147e366934585d"
+ logic_hash = "f85c6d79e5ed20084d35f9de92a9d9ce20cf4b3100b1226d64147e366934585d"
 score = 75
 quality = 68
 tags = "MALDOC, FILE"
@@ -197947,13 +197947,13 @@ rule TRELLIX_ARC_Trojan_Coinminer : FILE
 meta:
 description = "Rule to detect Coinminer malware"
 author = "Trellix ATR"
- id = "ec689431-ff5e-5987-bc93-f10854e480ea"
+ id = "ec1f4fb7-bce3-5d5b-bbff-50f9bfc90298"
 date = "2021-07-22"
 modified = "2022-01-19"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/miners/Trojan_CoinMiner.yar#L3-L23"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_0d9d502eb0a54f90044f42f8ce485a2df6814064172cb7bf006a8c8a51976acd"
+ logic_hash = "0d9d502eb0a54f90044f42f8ce485a2df6814064172cb7bf006a8c8a51976acd"
 score = 75
 quality = 70
 tags = "FILE"
@@ -197977,13 +197977,13 @@ rule TRELLIX_ARC_MINER_Monero_Mining_Detection : MINER FILE
 meta:
 description = "Monero mining software"
 author = "Trellix ATR team"
- id = "ed8a925d-f48f-5272-ba30-22c63c8e7445"
+ id = "98ee7711-16ee-58e1-b52f-c68dd5f2b8a3"
 date = "2018-04-05"
 modified = "2022-01-19"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/miners/MINER_Monero.yar#L1-L43"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_4c1815186b0eb9e6be5fb0fcad02fd981ac9cf79c485fe12ce4a73054ef9fda2"
+ logic_hash = "4c1815186b0eb9e6be5fb0fcad02fd981ac9cf79c485fe12ce4a73054ef9fda2"
 score = 75
 quality = 70
 tags = "MINER, FILE"
@@ -198023,13 +198023,13 @@ rule TRELLIX_ARC_STEALER_Lokibot : STEALER FILE
 meta:
 description = "Rule to detect Lokibot stealer"
 author = "Marc Rivero | McAfee ATR Team"
- id = "4e20ea74-858d-5c35-8fca-83b78a5d376e"
+ id = "75f502a3-2d9f-5ccf-93f8-2d6a73e9e1b7"
 date = "2020-09-23"
 modified = "2020-09-25"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/stealer/STEALER_Lokibot.yar#L1-L39"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_999a69394a545f726cf15e4361e0dfc17eeac6544e6816a0ad140316e9642510"
+ logic_hash = "999a69394a545f726cf15e4361e0dfc17eeac6544e6816a0ad140316e9642510"
 score = 75
 quality = 70
 tags = "STEALER, FILE"
@@ -198067,13 +198067,13 @@ rule TRELLIX_ARC_STEALER_Credstealesy : STEALER
 meta:
 description = "Generic Rule to detect the CredStealer Malware"
 author = "IsecG – McAfee Labs"
- id = "49981bd2-b259-5e09-8ae1-d9e96229d4f3"
+ id = "90e23ed8-3243-519b-8eb4-9db5902c73d3"
 date = "2015-05-08"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/when-hackers-get-hacked-the-malware-servers-of-a-data-stealing-campaign/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/stealer/STEALER_credstealer.yar#L1-L24"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_3d007fc0d2e2eb3d8f0c2b86dd01ede482e72f6c67fd6d284d77c47b53021b3c"
+ logic_hash = "3d007fc0d2e2eb3d8f0c2b86dd01ede482e72f6c67fd6d284d77c47b53021b3c"
 score = 75
 quality = 70
 tags = "STEALER"
@@ -198095,14 +198095,14 @@ rule TRELLIX_ARC_STEALER_Emirates_Statement : STEALER
 meta:
 description = "Credentials Stealing Attack"
 author = "Christiaan Beek | McAfee ATR Team"
- id = "7c9f9214-4904-5ccd-a20c-d2e1bfc6480b"
+ id = "b5a6d996-8a3d-5238-95af-bf5ff893bbc5"
 date = "2013-06-30"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/stealer/STEALER_EmiratesStatement.yar#L1-L24"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "7cf757e0943b0a6598795156c156cb90feb7d87d4a22c01044499c4e1619ac57"
- logic_hash = "v1_sha256_17eaddf375fc1875fb0275f8c0f93dfe921b452bdc6eb471adc155f749492328"
+ logic_hash = "17eaddf375fc1875fb0275f8c0f93dfe921b452bdc6eb471adc155f749492328"
 score = 75
 quality = 45
 tags = "STEALER"
@@ -198125,13 +198125,13 @@ rule TRELLIX_ARC_RANSOM_Darkside : RANSOMWARE FILE
 meta:
 description = "Rule to detect packed and unpacked samples of DarkSide"
 author = "Marc Rivero | McAfee ATR Team"
- id = "37fcfd0b-c9d3-53da-88c5-37c4579fb937"
+ id = "ecbee92f-236a-5385-9566-502ef1c0aeda"
 date = "2020-08-11"
 modified = "2023-07-27"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Darkside.yar#L1-L23"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_be16d65911336809be103ea667167228e6445de85fd47ecd9ff8b3d91e056693"
+ logic_hash = "be16d65911336809be103ea667167228e6445de85fd47ecd9ff8b3d91e056693"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198154,14 +198154,14 @@ rule TRELLIX_ARC_RANSOM_Darkside_DLL_May2021 : RANSOM FILE
 meta:
 description = "Rule to detect Darkside Ransomware as a DLL"
 author = "TS @ McAfee ATR"
- id = "fc4954be-e9d3-574d-af2f-2740f86a1fd7"
+ id = "e9d64637-dc8f-5650-81e1-34e27e6ee912"
 date = "2021-05-14"
 modified = "2023-07-27"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Darkside.yar#L26-L47"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "f587adbd83ff3f4d2985453cd45c7ab1"
- logic_hash = "v1_sha256_39930b6f352642647ea6b80f941201b93d6a9defd42cb75f9e4f7239ff17a4ec"
+ logic_hash = "39930b6f352642647ea6b80f941201b93d6a9defd42cb75f9e4f7239ff17a4ec"
 score = 75
 quality = 70
 tags = "RANSOM, FILE"
@@ -198187,14 +198187,14 @@ rule TRELLIX_ARC_MALW_Thiefquest : KEYLOGGER BACKDOOR RANSOMWARE FILE
 meta:
 description = "Rule to detect the Evilquest/ThiefQuest malware"
 author = "McAfee ATR Team"
- id = "312703fb-6a88-5e68-8d4e-9ad57a8c2890"
+ id = "09b074f7-6899-574d-a7d6-4414509aaa78"
 date = "2020-07-09"
 modified = "2020-10-12"
 reference = "https://www.bleepingcomputer.com/news/security/thiefquest-ransomware-is-a-file-stealing-mac-wiper-in-disguise/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_thiefquest.yar#L1-L46"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b"
- logic_hash = "v1_sha256_d40a466b12188d545d3fbe2c9d7e3685dde1250ae1f25df2a72cdf93c470ae25"
+ logic_hash = "d40a466b12188d545d3fbe2c9d7e3685dde1250ae1f25df2a72cdf93c470ae25"
 score = 75
 quality = 68
 tags = "KEYLOGGER, BACKDOOR, RANSOMWARE, FILE"
@@ -198237,14 +198237,14 @@ rule TRELLIX_ARC_Nemty_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Nemty Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "275245b3-4f60-5a22-bcc2-9a7b2623f0e8"
+ id = "e9b133d6-fd77-5201-995d-c42bae7cde46"
 date = "2020-02-23"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Nemty.yar#L1-L45"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "73bf76533eb0bcc4afb5c72dcb8e7306471ae971212d05d0ff272f171b94b2d4"
- logic_hash = "v1_sha256_d055286670516318c14dcf4e5873b96eede5e1dfb3ee978553fc11f1ac6b3252"
+ logic_hash = "d055286670516318c14dcf4e5873b96eede5e1dfb3ee978553fc11f1ac6b3252"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198284,14 +198284,14 @@ rule TRELLIX_ARC_Nemty_Ransomware_2_6 : RANSOMWARE FILE
 meta:
 description = "Rule to detect Nemty Ransomware version 2.6"
 author = "Marc Rivero | McAfee ATR Team"
- id = "4699753d-4aa7-5841-87db-9f73d85010c0"
+ id = "335dff33-d078-58ba-b68b-a949895b710f"
 date = "2020-04-06"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Nemty.yar#L47-L80"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "52b7d20d358d1774a360bb3897a889e14d416c3b2dff26156a506ff199c3388d"
- logic_hash = "v1_sha256_dacf709838ef2ef65d25bdbbd92007ab46a95953031d7bee75eac046f670171a"
+ logic_hash = "dacf709838ef2ef65d25bdbbd92007ab46a95953031d7bee75eac046f670171a"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198312,14 +198312,14 @@ rule TRELLIX_ARC_Loocipher_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Loocipher ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "ec472c24-dbe5-53b7-89cc-c046cf4b05ba"
+ id = "d18efe09-4b04-5089-84f8-aead63fc19bb"
 date = "2019-12-05"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-of-loocipher-a-new-ransomware-family-observed-this-year/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Loocipher.yar#L1-L46"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "7720aa6eb206e589493e440fec8690ceef9e70b5e6712a9fec9208c03cac7ff0"
- logic_hash = "v1_sha256_36e452c34fd9bbb521f5422bffdbb71991de66f3faa29292dc3f27c8d7e1f9ba"
+ logic_hash = "36e452c34fd9bbb521f5422bffdbb71991de66f3faa29292dc3f27c8d7e1f9ba"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198361,13 +198361,13 @@ rule TRELLIX_ARC_Ransom_Avoslocker : FILE
 meta:
 description = "Rule to detect Avoslocker Ransomware"
 author = "CB @ ATR"
- id = "f221214d-2722-551e-8ec1-b8c661ef060e"
+ id = "50f029c8-154e-583d-8264-8d86d01075f6"
 date = "2021-07-22"
 modified = "2021-07-22"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Avoslocker.yar#L3-L27"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_316aaab225797eedd62f9cfde1fdbd799a10441b3b15a8abc76141b57b36b1d3"
+ logic_hash = "316aaab225797eedd62f9cfde1fdbd799a10441b3b15a8abc76141b57b36b1d3"
 score = 75
 quality = 70
 tags = "FILE"
@@ -198395,14 +198395,14 @@ rule TRELLIX_ARC_Ransom_Maze : RANSOMWARE FILE
 meta:
 description = "Detecting MAZE Ransomware"
 author = "McAfee ATR"
- id = "3b08175d-1aa5-5a1f-8ed2-7446b72911a4"
+ id = "098a93c4-9aab-5563-af17-7aa91b056f64"
 date = "2020-04-19"
 modified = "2020-10-12"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/Ransom_Maze.yar#L1-L39"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5badaf28bde6dcf77448b919e2290f95cd8d4e709ef2d699aae21f7bae68a76c"
- logic_hash = "v1_sha256_fc16475fbc2a2acf5d053ded4d2ec4126c6d6dcac3a6eafadcd6c61419dd7594"
+ logic_hash = "fc16475fbc2a2acf5d053ded4d2ec4126c6d6dcac3a6eafadcd6c61419dd7594"
 score = 75
 quality = 68
 tags = "RANSOMWARE, FILE"
@@ -198435,13 +198435,13 @@ rule TRELLIX_ARC_Cryptolocker_Set1 : RANSOMWARE
 meta:
 description = "Detection of Cryptolocker Samples"
 author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
- id = "1aae69d8-ce19-559f-b205-630ef848dbc7"
+ id = "13ccc6d3-c2cc-59ac-81af-ec11fb78cd41"
 date = "2014-04-13"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Cryptolocker.yar#L1-L40"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_5be8d077537a59d860a972392be186d2697e55778f750d03b0fd3b0a73f714d9"
+ logic_hash = "5be8d077537a59d860a972392be186d2697e55778f750d03b0fd3b0a73f714d9"
 score = 75
 quality = 70
 tags = "RANSOMWARE"
@@ -198479,13 +198479,13 @@ rule TRELLIX_ARC_Cryptolocker_Rule2 : RANSOMWARE
 meta:
 description = "Detection of CryptoLocker Variants"
 author = "Christiaan Beek, Christiaan_Beek@McAfee.com"
- id = "385ccfd3-9235-5b12-a6a7-fdf0d7f567bf"
+ id = "a6e808ef-4f60-5592-9440-69309784efb1"
 date = "2014-04-14"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Cryptolocker.yar#L42-L79"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_e8e03516cc0b669000c8d6b443be7a5f7a8b904abba98fd3c7d4f038de6741ab"
+ logic_hash = "e8e03516cc0b669000c8d6b443be7a5f7a8b904abba98fd3c7d4f038de6741ab"
 score = 75
 quality = 70
 tags = "RANSOMWARE"
@@ -198524,14 +198524,14 @@ rule TRELLIX_ARC_Ransom_Conti : RANSOMWARE FILE
 meta:
 description = "Conti ransomware is havnig capability too scan and encrypt oover the network"
 author = "McAfee ATR team"
- id = "47633300-576d-5669-a0e4-dbe97f4e04d6"
+ id = "8fc6943d-fb99-5957-929b-4c264d9fba2d"
 date = "2020-07-09"
 modified = "2020-10-12"
 reference = "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/Ransom_Conti.yar#L3-L37"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "eae876886f19ba384f55778634a35a1d975414e83f22f6111e3e792f706301fe"
- logic_hash = "v1_sha256_953471c130309bbc712197d49d2072bd45838f49d2b25f86273a15c6baa87354"
+ logic_hash = "953471c130309bbc712197d49d2072bd45838f49d2b25f86273a15c6baa87354"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198557,14 +198557,14 @@ rule TRELLIX_ARC_Shrug2_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Shrug Ransomware"
 author = "McAfee ATR Team"
- id = "fedd7ac4-950c-58e8-b240-7ef5a9b014a6"
+ id = "34e59296-db7c-551b-8d48-ffea20f2b4bb"
 date = "2018-07-12"
 modified = "2020-10-12"
 reference = "https://blogs.quickheal.com/new-net-ransomware-shrug2/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_shrug2.yar#L1-L30"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "c89833833885bafdcfa1c6ee84d7dbcf2389b85d7282a6d5747da22138bd5c59"
- logic_hash = "v1_sha256_8c817b7fc4a0eada08b3d298c94b99a85c4e5a49a49d1c3fabdb0c6bbf56676b"
+ logic_hash = "8c817b7fc4a0eada08b3d298c94b99a85c4e5a49a49d1c3fabdb0c6bbf56676b"
 score = 75
 quality = 20
 tags = "RANSOMWARE, FILE"
@@ -198592,13 +198592,13 @@ rule TRELLIX_ARC_Samsamransom2016 : RANSOMWARE FILE
 meta:
 description = "No description has been set in the source file - Trellix ARC"
 author = "Christiaan Beek | McAfee ATR Team"
- id = "78aab23c-46c3-5328-ab98-2074ab46bad7"
+ id = "1c7985d0-d01c-52f7-8819-e038ccc01212"
 date = "2018-01-25"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_SamSam.yar#L3-L52"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_9e8034ec0ded82ad82b625d6d1b9918761decef0fd42a253722cdc620b355e1a"
+ logic_hash = "9e8034ec0ded82ad82b625d6d1b9918761decef0fd42a253722cdc620b355e1a"
 score = 75
 quality = 68
 tags = "RANSOMWARE, FILE"
@@ -198644,14 +198644,14 @@ rule TRELLIX_ARC_Samsam_Ransomware_Latest : RANSOMWARE FILE
 meta:
 description = "Latest SamSA ransomware samples"
 author = "Christiaan Beek"
- id = "6c6827ab-1e88-525d-8c47-122d9d8c7ec6"
+ id = "716b9282-013e-5194-8518-2fa1a4007095"
 date = "2018-01-23"
 modified = "2020-08-14"
 reference = "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_SamSam.yar#L54-L105"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "88e344977bf6451e15fe202d65471a5f75d22370050fe6ba4dfa2c2d0fae7828"
- logic_hash = "v1_sha256_06703479795fdef64813471f11b275df544c90d5bcece4817d415cd504d7b317"
+ logic_hash = "06703479795fdef64813471f11b275df544c90d5bcece4817d415cd504d7b317"
 score = 50
 quality = 68
 tags = "RANSOMWARE, FILE"
@@ -198694,13 +198694,13 @@ rule TRELLIX_ARC_RANSOM_Suncrypt : RANSOMWARE FILE
 meta:
 description = "Rule to detect SunCrypt ransomware"
 author = "McAfee ATR Team"
- id = "004805a4-2ead-5ad7-90bd-6c3ff26ea58d"
+ id = "92655f3e-f8e4-5c9f-ae3f-0796bd31d660"
 date = "2020-10-02"
 modified = "2020-11-02"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Suncrypt.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_9f27c6c5bfe0d01ed517d55687bf699814679488f95ce4942306f09f39e29d85"
+ logic_hash = "9f27c6c5bfe0d01ed517d55687bf699814679488f95ce4942306f09f39e29d85"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198723,13 +198723,13 @@ rule TRELLIX_ARC_RANSOM_Suncrypt_Decryptor : RANSOMWARE FILE
 meta:
 description = "Rule to detect SunCrypt ransomware decryptor"
 author = "McAfee ATR Team"
- id = "019ecf79-ecf4-5b58-b6b8-2f07f10084c2"
+ id = "ec0d3811-6083-5537-bf29-32ee02d43b5e"
 date = "2020-10-02"
 modified = "2020-11-02"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Suncrypt.yar#L27-L50"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_59d1193bb0f8d3983a181394b5dd5247470d9e118cc4fe0674167f162bcdb6e1"
+ logic_hash = "59d1193bb0f8d3983a181394b5dd5247470d9e118cc4fe0674167f162bcdb6e1"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198751,14 +198751,14 @@ rule TRELLIX_ARC_Termite_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Termite Ransomware"
 author = "McAfee ATR Team"
- id = "1f09b972-e927-56e2-a9ae-b394dd0ff1fd"
+ id = "521ec8ee-a54c-57c3-9437-a2ef7f8ed4ca"
 date = "2018-08-28"
 modified = "2020-10-12"
 reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_termite.yar#L1-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "021ca4692d3a721af510f294326a31780d6f8fcd9be2046d1c2a0902a7d58133"
- logic_hash = "v1_sha256_e5c01e8377957fa25cf6c2031c2680e802b0082a36f50b97b4e488c5bf40e968"
+ logic_hash = "e5c01e8377957fa25cf6c2031c2680e802b0082a36f50b97b4e488c5bf40e968"
 score = 75
 quality = 20
 tags = "RANSOMWARE, FILE"
@@ -198786,13 +198786,13 @@ rule TRELLIX_ARC_Ransom_Win_Blackcat : RANSOMWARE FILE
 meta:
 description = "Detecting variants of Windows BlackCat malware"
 author = " Trellix ATR"
- id = "5b8934ca-3a64-5fcb-aead-8910a54fc72b"
+ id = "65483ffb-6b10-5fd5-8a5f-fc885a5f2e98"
 date = "2022-01-06"
 modified = "2022-01-19"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/Ransom_Win_BlackCat_public.yar#L2-L24"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_8faad28ab26690221f6e2130c886446615dbd505f76490cfaf999d130d0de6e3"
+ logic_hash = "8faad28ab26690221f6e2130c886446615dbd505f76490cfaf999d130d0de6e3"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -198815,13 +198815,13 @@ rule TRELLIX_ARC_Ransom_Tunderx : RANSOMWARE FILE
 meta:
 description = "Rule to detect tthe ThunderX ransomware family"
 author = "McAfee ATR team"
- id = "b06fcb9c-04b4-5b3b-b69f-8d85475fd3e8"
+ id = "cf5ecd0c-db26-5fe4-a056-b5c1ca3b1d34"
 date = "2020-09-14"
 modified = "2020-10-12"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/Ransom_ThunderX.yar#L3-L45"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_f870616c4a35239a01129daad5f12469b2df39251ee4bc9fbeb5523f00231ece"
+ logic_hash = "f870616c4a35239a01129daad5f12469b2df39251ee4bc9fbeb5523f00231ece"
 score = 75
 quality = 68
 tags = "RANSOMWARE, FILE"
@@ -198866,13 +198866,13 @@ rule TRELLIX_ARC_Backdoorfckg : CTB_LOCKER_RANSOMWARE RANSOMWARE
 meta:
 description = "CTB_Locker"
 author = "ISG"
- id = "20af42df-c7c9-5de1-855a-03447e7478b1"
+ id = "2a00551d-1f80-5991-9416-d9b1b39db8e9"
 date = "2015-01-20"
 modified = "2020-08-14"
 reference = "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_CTBLocker.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_a334b07053db66aa0fb2d2b2ca7f94c480509041724ddd4dd1708052d75baffb"
+ logic_hash = "a334b07053db66aa0fb2d2b2ca7f94c480509041724ddd4dd1708052d75baffb"
 score = 75
 quality = 20
 tags = "CTB_LOCKER_RANSOMWARE, RANSOMWARE"
@@ -198896,13 +198896,13 @@ rule TRELLIX_ARC_Sodinokobi : RANSOMWARE
 meta:
 description = "This rule detect Sodinokobi Ransomware in memory in old samples and perhaps future."
 author = "McAfee ATR team"
- id = "db4f7c4a-349f-59f5-932e-1443a4f72d86"
+ id = "dd05ce31-9699-50a9-944c-5883340791af"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Sodinokibi.yar#L33-L54"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_f25039ac743223756461bbeeb349c674473608f9959bf3c79ce4a7587fde3ab2"
+ logic_hash = "f25039ac743223756461bbeeb349c674473608f9959bf3c79ce4a7587fde3ab2"
 score = 75
 quality = 70
 tags = "RANSOMWARE"
@@ -198924,13 +198924,13 @@ rule TRELLIX_ARC_Ransom_Black_Kingdom : RANSOMWARE FILE
 meta:
 description = "Rule to detect Black Kingdom ransomware that is spread using the latest Exchange vulns"
 author = "McAfee ATR"
- id = "bf591436-19b9-558b-83a8-ea281c41bdb0"
+ id = "c38e6dbf-7fb9-52f0-acd0-f824647b6041"
 date = "2024-12-01"
 modified = "2021-04-06"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/ransom_BlackKingDom.yar#L3-L49"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_334e84a9469367ed64509203feb61b5f64d5a7e38d29ff5c5089631246b06588"
+ logic_hash = "334e84a9469367ed64509203feb61b5f64d5a7e38d29ff5c5089631246b06588"
 score = 50
 quality = 68
 tags = "RANSOMWARE, FILE"
@@ -198978,13 +198978,13 @@ rule TRELLIX_ARC_Cryptonar_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect CryptoNar Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "db89c589-8d09-57ab-9892-cedd884e7df7"
+ id = "0911250f-fc1f-58bc-ac09-d77d2a2ed3ce"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_CryptoNar.yar#L1-L36"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_04c1c4f45ad3552aa0876c3b645c6ca92493018f7fdc5d9d9ed26cf67199d21b"
+ logic_hash = "04c1c4f45ad3552aa0876c3b645c6ca92493018f7fdc5d9d9ed26cf67199d21b"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199017,13 +199017,13 @@ rule TRELLIX_ARC_Ransom_Vovalex_Part2 : RANSOM FILE
 meta:
 description = "Vovalex ransomware detection part 2"
 author = "CB @ ATR"
- id = "0ed0ca43-0e46-545a-a050-fa02d5b255ea"
+ id = "26c91d06-13da-5039-8b8a-eb8de2774d79"
 date = "2021-02-01"
 modified = "2021-02-01"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/Ransom_Vovalex1.yar#L3-L42"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_82814fd9155ec910c6353de8336733704e05c9f02409ad99cd80da8ef9fe3c04"
+ logic_hash = "82814fd9155ec910c6353de8336733704e05c9f02409ad99cd80da8ef9fe3c04"
 score = 75
 quality = 64
 tags = "RANSOM, FILE"
@@ -199066,13 +199066,13 @@ rule TRELLIX_ARC_RANSOM_Exorcist : RANSOMWARE FILE
 meta:
 description = "Rule to detect Exorcist"
 author = "McAfee ATR Team"
- id = "437bf7a3-6363-50e2-84c6-238461f63dfd"
+ id = "38ab069d-b030-5459-a42f-7ecd5963e68f"
 date = "2020-09-01"
 modified = "2020-10-12"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Exorcist.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_c376382e60aae0f661151495097d3d93f185faebb11781dbf083324c23a07247"
+ logic_hash = "c376382e60aae0f661151495097d3d93f185faebb11781dbf083324c23a07247"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199096,13 +199096,13 @@ rule TRELLIX_ARC_Bitpaymer_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect BitPaymer Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "3b526246-9ced-5881-abfe-278c0f5fd2da"
+ id = "20b91cf2-2a84-55d9-8230-90d7b20a461f"
 date = "2019-11-08"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spanish-mssp-targeted-by-bitpaymer-ransomware/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Bitpaymer.yar#L1-L72"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_527cdbdf51e6f3f5d58e805cf4a1bc09c9d24880c2323046acef6ee03c92d62f"
+ logic_hash = "527cdbdf51e6f3f5d58e805cf4a1bc09c9d24880c2323046acef6ee03c92d62f"
 score = 75
 quality = 66
 tags = "RANSOMWARE, FILE"
@@ -199148,14 +199148,14 @@ rule TRELLIX_ARC_Locdoor_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Locdoor/DryCry"
 author = "Marc Rivero | McAfee ATR Team"
- id = "6c918a58-5180-584d-b478-7dd033c64060"
+ id = "d855d7fd-a1e3-561e-906e-103752285b0f"
 date = "2018-09-02"
 modified = "2020-08-14"
 reference = "https://twitter.com/leotpsc/status/1036180615744376832"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_locdoor.yar#L1-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "0000c55f7cdbbad9bacba0e79637696f3bfeb95a5f71dfa0b398bc77a207eb41"
- logic_hash = "v1_sha256_c9519279a929feedae2bab58cd0de91f6c447827fa59afa927726fde84d21e1c"
+ logic_hash = "c9519279a929feedae2bab58cd0de91f6c447827fa59afa927726fde84d21e1c"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199183,13 +199183,13 @@ rule TRELLIX_ARC_Ransom_Linux_Hellokitty_0721 : RANSOMWARE FILE
 meta:
 description = "rule to detect Linux variant of the Hello Kitty Ransomware"
 author = "Christiaan @ ATR"
- id = "4aa66ef0-7e7f-538f-811e-4811fb308294"
+ id = "097b02e7-93d8-5d4f-9964-7b660b3cd7b9"
 date = "2021-07-19"
 modified = "2021-07-19"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Linux_HelloKitty0721.yar#L1-L28"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_77a3809df4c7c591a855aaecd702af62935952937bb81661aa7f68e64dcf4fb4"
+ logic_hash = "77a3809df4c7c591a855aaecd702af62935952937bb81661aa7f68e64dcf4fb4"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199222,13 +199222,13 @@ rule TRELLIX_ARC_Ransom_Mespinoza : FILE
 meta:
 description = "rule to detect Mespinoza ransomware"
 author = "Christiaan Beek @ McAfee ATR"
- id = "b4fe6bbe-10be-5bc4-ac4c-2d19315a9a45"
+ id = "70a76bc4-e0cb-5caa-bb64-1a732349d2ce"
 date = "2020-11-24"
 modified = "2020-11-24"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/Ransom_Mespinoza.yar#L3-L27"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_e245fb9a71d86209690a6f4c7aa38c10dbd32cda2ea3ecde08d0d94e896381cb"
+ logic_hash = "e245fb9a71d86209690a6f4c7aa38c10dbd32cda2ea3ecde08d0d94e896381cb"
 score = 75
 quality = 70
 tags = "FILE"
@@ -199256,14 +199256,14 @@ rule TRELLIX_ARC_Amba_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Amba Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "24f709e0-558d-564a-8e69-08e57e1b90a6"
+ id = "961f2892-e462-55e4-bd96-7dff895cb1e6"
 date = "2017-07-03"
 modified = "2020-08-14"
 reference = "https://www.enigmasoftware.com/ambaransomware-removal/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_amba.yar#L1-L41"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "b9b6045a45dd22fcaf2fc13d39eba46180d489cb4eb152c87568c2404aecac2f"
- logic_hash = "v1_sha256_0830ab49956711d3e6ad64785edcf54146a24756c4ab66384305dc18091867bd"
+ logic_hash = "0830ab49956711d3e6ad64785edcf54146a24756c4ab66384305dc18091867bd"
 score = 75
 quality = 68
 tags = "RANSOMWARE, FILE"
@@ -199299,14 +199299,14 @@ rule TRELLIX_ARC_Robbinhood_Ransomware : RANSOMWARE FILE
 meta:
 description = "Robbinhood GoLang ransowmare"
 author = "Christiaan Beek | McAfee ATR"
- id = "df5b576b-ef1d-5f0f-920e-7ba06a3dd258"
+ id = "b2654d00-330e-511e-b8f1-75aa7b57d040"
 date = "2019-05-10"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_RobbinHood.yar#L1-L37"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "9977ba861016edef0c3fb38517a8a68dbf7d3c17de07266cfa515b750b0d249e"
- logic_hash = "v1_sha256_19a1b7d92bc49dee6da3fb4c053b118e6475aeca43e891d46470c2c09c148038"
+ logic_hash = "19a1b7d92bc49dee6da3fb4c053b118e6475aeca43e891d46470c2c09c148038"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199336,13 +199336,13 @@ rule TRELLIX_ARC_Ransom_Monglock : RANSOMWARE FILE
 meta:
 description = "Ransomware encrypting Mongo Databases "
 author = "Christiaan Beek - McAfee ATR team"
- id = "cdb2eed8-16cf-534b-8b78-17d26570c954"
+ id = "4350a874-dd76-5379-af9f-f1d190385706"
 date = "2019-04-25"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_MONGOLOCK.yar#L1-L41"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_245a7377a410828ed8bc7148f36af6d143ad20d16840238ed5b6d6f94f015984"
+ logic_hash = "245a7377a410828ed8bc7148f36af6d143ad20d16840238ed5b6d6f94f015984"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199376,14 +199376,14 @@ rule TRELLIX_ARC_Kraken_Cryptor_Ransomware_Loader : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Kraken Cryptor Ransomware loader"
 author = "Marc Rivero | McAfee ATR Team"
- id = "5faa92a1-40df-5da0-aa7c-0ff4df120c90"
+ id = "e6bfa30b-6565-5d03-8f4d-96fc2b6a1c11"
 date = "2018-09-30"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Kraken.yar#L1-L30"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd"
- logic_hash = "v1_sha256_9e252a3ba7f6bf861ea7563461a1420959dfb0f5b7c3f6071150d03422504539"
+ logic_hash = "9e252a3ba7f6bf861ea7563461a1420959dfb0f5b7c3f6071150d03422504539"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199408,14 +199408,14 @@ rule TRELLIX_ARC_Kraken_Cryptor_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Kraken Cryptor Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "a6fd3691-abba-5757-b7d3-660c69f092d5"
+ id = "7e1e5fa8-6d87-5e64-a8d4-4dae55ab76ca"
 date = "2018-09-30"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Kraken.yar#L32-L64"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "564154a2e3647318ca40a5ffa68d06b1bd40b606cae1d15985e3d15097b512cd"
- logic_hash = "v1_sha256_2ad7f0bf6110eab79e0f9541c49ae44089ebca3f91ffa80de874d60d5a7ed266"
+ logic_hash = "2ad7f0bf6110eab79e0f9541c49ae44089ebca3f91ffa80de874d60d5a7ed266"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199442,13 +199442,13 @@ rule TRELLIX_ARC_Ransom_Note_Kraken_Cryptor_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect the ransom note delivered by Kraken Cryptor Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "121c2eea-50c1-55c1-8f16-444c6a23fffc"
+ id = "dec9d364-daf9-5a1d-8e72-ed4dd2aeecdf"
 date = "2018-09-30"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Kraken.yar#L66-L108"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_d4acdf0716320b0f757b8dbc97bb9d407460b2d69dc8e12292539e823be0f57d"
+ logic_hash = "d4acdf0716320b0f757b8dbc97bb9d407460b2d69dc8e12292539e823be0f57d"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199488,13 +199488,13 @@ rule TRELLIX_ARC_RANSOM_Mountlocker : RANSOMWARE FILE
 meta:
 description = "Rule to detect Mount Locker ransomware"
 author = "McAfee ATR Team"
- id = "2c78e4c0-b7d1-56dd-9ea8-f246ec3651de"
+ id = "8451b78c-3cef-557a-a2e3-0767a0b0eddb"
 date = "2020-09-25"
 modified = "2020-10-12"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_mountlocker.yar#L1-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_fb332a6725b9276cca379dd3621943c69f88570fb317da27a857a2544d2aa4e0"
+ logic_hash = "fb332a6725b9276cca379dd3621943c69f88570fb317da27a857a2544d2aa4e0"
 score = 75
 quality = 64
 tags = "RANSOMWARE, FILE"
@@ -199519,14 +199519,14 @@ rule TRELLIX_ARC_RANSOM_Makop : RANSOMWARE FILE
 meta:
 description = "Rule to detect the unpacked Makop ransomware samples"
 author = "Marc Rivero | McAfee ATR Team"
- id = "3edddb88-ac20-5c0f-894b-17b9c2b96d60"
+ id = "2828f2f9-4702-5cef-8b4e-7e98146c0332"
 date = "2020-07-19"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_makop.yar#L1-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "008e4c327875110b96deef1dd8ef65cefa201fef60ca1cbb9ab51b5304e66fe1"
- logic_hash = "v1_sha256_2b4f8b90d46530421b66dbb04df6e84d268709fbee884536d8acc91e1b85f8a4"
+ logic_hash = "2b4f8b90d46530421b66dbb04df6e84d268709fbee884536d8acc91e1b85f8a4"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199556,13 +199556,13 @@ rule TRELLIX_ARC_Clop_Ransom_Note : RANSOMWARE FILE
 meta:
 description = "Rule to detect Clop Ransomware Note"
 author = "Marc Rivero | McAfee ATR Team"
- id = "bf69fe94-3fb9-5dcc-9a76-d2dbf1e13d48"
+ id = "b18e4d4d-aa38-5009-a31b-ed038c5bd4f9"
 date = "2019-08-01"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_ClopRansomNote.yar#L1-L34"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_a90862e9dc59b1a8f38b777b4f529d5de740d0f49175813cae64f10ca9677826"
+ logic_hash = "a90862e9dc59b1a8f38b777b4f529d5de740d0f49175813cae64f10ca9677826"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199588,22 +199588,22 @@ rule TRELLIX_ARC_Clop_Ransom_Note : RANSOMWARE FILE
 condition:
 ( uint16( 0 ) == 0x6f59 ) and filesize < 10KB and all of them
 }
-import "pe"
 import "hash"
+import "pe"
 rule TRELLIX_ARC_Ransom_Egregor : RANSOMWARE FILE
 {
 meta:
 description = "Detect Egregor ransomware"
 author = "Thomas Roccia | McAfee ATR team"
- id = "cb639274-ab68-57a5-837f-5de8544f1e9a"
+ id = "b9f1a712-c168-5e0f-8b9e-cb03a6c43fc3"
 date = "2020-10-28"
 modified = "2020-10-28"
 reference = "https://bazaar.abuse.ch/sample/004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_egregor.yar#L4-L31"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5f9fcbdf7ad86583eb2bbcaa5741d88a"
- logic_hash = "v1_sha256_8077c656eed0b1633da54f8d017d4eff122f2f4e486c4e1af6f6434ea33c0675"
+ logic_hash = "8077c656eed0b1633da54f8d017d4eff122f2f4e486c4e1af6f6434ea33c0675"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199628,14 +199628,14 @@ rule TRELLIX_ARC_Ransom_Xinof : RANSOMWARE FILE
 meta:
 description = "Detect Xinof ransomware"
 author = "Thomas Roccia | McAfee ATR team"
- id = "69c173f2-aa94-56b2-9361-ec6a7a21cdf7"
+ id = "3b064ce4-cd5b-5a4a-bb55-a2c2c361791e"
 date = "2020-11-20"
 modified = "2020-11-20"
 reference = "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_xinof.yar#L53-L82"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "0c1e6299a2392239dbe7fead33ef4146"
- logic_hash = "v1_sha256_42110ee8869d56c53dc201cbc83652c6457541b8d502aa12b37ef6200e735a15"
+ logic_hash = "42110ee8869d56c53dc201cbc83652c6457541b8d502aa12b37ef6200e735a15"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199665,14 +199665,14 @@ rule TRELLIX_ARC_Pico_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Pico Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "508e8dcf-0ded-5a8e-aa13-42839a45b823"
+ id = "843cac7a-652e-5cbf-a09d-fb4b1eaa8481"
 date = "2018-08-30"
 modified = "2020-08-14"
 reference = "https://twitter.com/siri_urz/status/1035138577934557184"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Pico.yar#L1-L37"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "cc4a9e410d38a29d0b6c19e79223b270e3a1c326b79c03bec73840b37778bc06"
- logic_hash = "v1_sha256_bb15e66504f393bcb4b173cb2a4ec65aa13110060f7fb70282330b5f6d72f5ed"
+ logic_hash = "bb15e66504f393bcb4b173cb2a4ec65aa13110060f7fb70282330b5f6d72f5ed"
 score = 75
 quality = 20
 tags = "RANSOMWARE, FILE"
@@ -199707,14 +199707,14 @@ rule TRELLIX_ARC_Ragnarlocker_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect RagnarLocker samples"
 author = "McAfee ATR Team"
- id = "cd2cac4f-ab0f-5eab-93ba-4ecc107fc4e3"
+ id = "58874f27-3070-52c9-bd96-337fdaa4499b"
 date = "2020-04-15"
 modified = "2020-10-12"
 reference = "https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_ragnarlocker.yar#L3-L45"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "9706a97ffa43a0258571def8912dc2b8bf1ee207676052ad1b9c16ca9953fc2c"
- logic_hash = "v1_sha256_2f31da9182a1b47fb1e7e4459461de4c496ec323ff13e622d3ce27ac8cce1912"
+ logic_hash = "2f31da9182a1b47fb1e7e4459461de4c496ec323ff13e622d3ce27ac8cce1912"
 score = 75
 quality = 68
 tags = "RANSOMWARE, FILE"
@@ -199745,14 +199745,14 @@ rule TRELLIX_ARC_Screenlocker_Acroware : RANSOMWARE FILE
 meta:
 description = "Rule to detect the ScreenLocker Acroware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "c132b5f9-40cf-5599-8c27-281326bc2aac"
+ id = "76eb69eb-dfe7-5629-bf2d-d20574efd662"
 date = "2018-08-28"
 modified = "2020-08-14"
 reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_acroware.yar#L1-L29"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "f9efcfc5328e6502cbbbff752a940ac221e437d8732052fc265618f6a6ad72ae"
- logic_hash = "v1_sha256_582f3544cf1f8066b1e9ac04c3a4cc9f0ba96804ca53bc3746b433df9c33e0a1"
+ logic_hash = "582f3544cf1f8066b1e9ac04c3a4cc9f0ba96804ca53bc3746b433df9c33e0a1"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199777,14 +199777,14 @@ rule TRELLIX_ARC_Installer_Coronavirus : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Corona Virus Installer"
 author = "Marc Rivero | McAfee ATR Team"
- id = "495a0983-e891-51da-a7d5-4762ff3f3dcc"
+ id = "2a224529-bfc7-57ed-91c3-426cae4b7895"
 date = "2020-03-25"
 modified = "2020-08-14"
 reference = "https://twitter.com/malwrhunterteam/status/1238056503493505024"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_coronavirus.yar#L1-L41"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed"
- logic_hash = "v1_sha256_26be8bbfbf615967cc2a0e2d4179cd5f444c53f170a681d2ec236244881dc629"
+ logic_hash = "26be8bbfbf615967cc2a0e2d4179cd5f444c53f170a681d2ec236244881dc629"
 score = 75
 quality = 62
 tags = "RANSOMWARE, FILE"
@@ -199810,14 +199810,14 @@ rule TRELLIX_ARC_Ransomware_Coronavirus : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Corona Virus ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "4643d0eb-86e6-5713-9475-2006ee5530e1"
+ id = "4195a57b-cd51-5050-861a-6436f7ec4eca"
 date = "2020-03-25"
 modified = "2020-08-14"
 reference = "https://twitter.com/malwrhunterteam/status/1238056503493505024"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_coronavirus.yar#L43-L80"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3"
- logic_hash = "v1_sha256_2a7e1676a20f30b0cb0321579bb85e4836e2aee5f56b838d2ff2bec7a08c489f"
+ logic_hash = "2a7e1676a20f30b0cb0321579bb85e4836e2aee5f56b838d2ff2bec7a08c489f"
 score = 75
 quality = 64
 tags = "RANSOMWARE, FILE"
@@ -199842,14 +199842,14 @@ rule TRELLIX_ARC_Anatova_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect the Anatova Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "c5761c04-de77-51c1-911d-7363819b0460"
+ id = "6e3205aa-42e4-5449-877e-37494cdd096b"
 date = "2019-01-22"
 modified = "2020-08-14"
 reference = "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Anatova.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93"
- logic_hash = "v1_sha256_4fce15ad0ef2d3cb39f6092677f117308f847815cb2a5a491290a1f9d09776df"
+ logic_hash = "4fce15ad0ef2d3cb39f6092677f117308f847815cb2a5a491290a1f9d09776df"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199870,14 +199870,14 @@ rule TRELLIX_ARC_Lockergogaransomware : RANSOMWARE FILE
 meta:
 description = "LockerGoga Ransomware"
 author = "Christiaan Beek - McAfee ATR team"
- id = "04254cc8-da23-508a-a6a5-b7cfbca93837"
+ id = "bdf5da34-adf0-5731-820f-96511e647a83"
 date = "2019-03-20"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_LockerGoga.yar#L1-L36"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f"
- logic_hash = "v1_sha256_165fa0fa044b2e0d2344626c2064162f23e13dc17310a772b703dbbe9457bd99"
+ logic_hash = "165fa0fa044b2e0d2344626c2064162f23e13dc17310a772b703dbbe9457bd99"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199908,14 +199908,14 @@ rule TRELLIX_ARC_RANSOM_Babuk_Packed_Feb2021 : RANSOM T1027_005 T1027 T1083 T108
 meta:
 description = "Rule to detect Babuk Locker packed"
 author = "McAfee ATR"
- id = "4371a538-d7f3-56b2-89a1-ffbe78945d1c"
+ id = "f5f3a3a6-2531-56c4-9153-b698c7bdc3d3"
 date = "2021-02-19"
 modified = "2021-02-24"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Babuk_Packed_Feb2021.yar#L1-L30"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "48e0f7d87fe74a2b61c74f0d32e6a8a5"
- logic_hash = "v1_sha256_f3312b9c9147e9f892dbfb329cb95d3ee3ae67eefeec2d089b8c89fd26531953"
+ logic_hash = "f3312b9c9147e9f892dbfb329cb95d3ee3ae67eefeec2d089b8c89fd26531953"
 score = 75
 quality = 70
 tags = "RANSOM, T1027.005, T1027, T1083, T1082, T1059, T1129, FILE"
@@ -199943,13 +199943,13 @@ rule TRELLIX_ARC_Megacortex_Signed : RANSOMWARE FILE
 meta:
 description = "Rule to detect MegaCortex samples digitally signed"
 author = "Marc Rivero | McAfee ATR Team"
- id = "30a38ef5-7a18-5d71-baf9-de0ff3332f59"
+ id = "78a74e30-4de0-5e63-8ca5-31251c296f98"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://blog.malwarebytes.com/detections/ransom-megacortex/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_MegaCortex.yar#L3-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_8ffced3aca837682fbd7ee68f559f73b8299cbfbe198f48124c4857680735249"
+ logic_hash = "8ffced3aca837682fbd7ee68f559f73b8299cbfbe198f48124c4857680735249"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199966,13 +199966,13 @@ rule TRELLIX_ARC_Netwalker_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Netwalker ransomware"
 author = "McAfee ATR Team"
- id = "465ab5e2-77b5-5b2e-b6b0-c45b6f33dbdb"
+ id = "6fe75a64-77b8-5cb8-9365-a5336d4d1617"
 date = "2020-03-30"
 modified = "2020-11-20"
 reference = "https://www.ccn-cert.cni.es/comunicacion-eventos/comunicados-ccn-cert/9802-publicado-un-informe-de-codigo-danino-sobre-netwalker.html"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_netwalker.yar#L3-L28"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_11da4b57f8d9ed1fdf053053a51870af2cbf4062cc1340087ee70c3e92a1baf6"
+ logic_hash = "11da4b57f8d9ed1fdf053053a51870af2cbf4062cc1340087ee70c3e92a1baf6"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -199995,13 +199995,13 @@ rule TRELLIX_ARC_Netwalker_Signed : FILE
 meta:
 description = "Rule to detect Netwalker ransomware digitally signed."
 author = "Marc Rivero | McAfee ATR Team"
- id = "58e94206-a0b8-5fc8-9cd3-d3f5e4b8a9dc"
+ id = "6806b917-2e02-57e3-887a-b4c12db83653"
 date = "2020-03-30"
 modified = "2020-11-20"
 reference = "https://www.ccn-cert.cni.es/comunicacion-eventos/comunicados-ccn-cert/9802-publicado-un-informe-de-codigo-danino-sobre-netwalker.html"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_netwalker.yar#L30-L47"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_d78ed22771d7c93516375afb8fd2fd7baa40a357ec3c247939a10d11f80ae226"
+ logic_hash = "d78ed22771d7c93516375afb8fd2fd7baa40a357ec3c247939a10d11f80ae226"
 score = 75
 quality = 70
 tags = "FILE"
@@ -200015,13 +200015,13 @@ rule TRELLIX_ARC_Netwalker : RANSOMWARE FILE
 meta:
 description = "Rule based on code overlap in RagnarLocker ransomware"
 author = "McAfee ATR team"
- id = "6b76aac2-2fea-5389-bdbf-8c2b7b5aa6c8"
+ id = "80097a40-534a-5e1b-8fde-e4d832d76698"
 date = "2020-06-14"
 modified = "2020-11-20"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_netwalker.yar#L49-L75"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_8c56ebed9e097d294045de46942c708da9ba7e01475dcecb0c3d41fcc8004780"
+ logic_hash = "8c56ebed9e097d294045de46942c708da9ba7e01475dcecb0c3d41fcc8004780"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200046,14 +200046,14 @@ rule TRELLIX_ARC_Win_Netwalker_Reflective_Dll_Injection_Decoded : RANSOMWARE
 meta:
 description = "Rule to detect Reflective DLL Injection Powershell Script dropping Netwalker, after hexadecimal decoded and xor decrypted "
 author = "McAfee ATR Team"
- id = "0bd8d7d0-8ecc-5fd6-a297-53d928a57d92"
+ id = "9562c0b9-e7ac-5b96-99cc-1df91cb617af"
 date = "2020-05-28"
 modified = "2020-11-20"
 reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/ | https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_netwalker.yar#L77-L140"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "fd29001b8b635e6c51270788bab7af0bb5adba6917c278b93161cfc2bc7bd6ae"
- logic_hash = "v1_sha256_e99c045f39e7933e877a4df7793aa5ea6be5a782bb079419501929ba99844dec"
+ logic_hash = "e99c045f39e7933e877a4df7793aa5ea6be5a782bb079419501929ba99844dec"
 score = 75
 quality = 30
 tags = "RANSOMWARE"
@@ -200090,14 +200090,14 @@ rule TRELLIX_ARC_Snake_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Snake ransomware"
 author = "McAfee ATR Team"
- id = "3b6b6f21-9319-5dc0-9593-6cde9a46ace6"
+ id = "b8f50af5-5568-5676-93a1-e818f08df0ce"
 date = "2020-02-20"
 modified = "2020-10-12"
 reference = "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_snake_ransomware.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60"
- logic_hash = "v1_sha256_3ae64fbacbf886b8d09abc3f5f8eb9c8bff809909a251f2d055056e6d12217a2"
+ logic_hash = "3ae64fbacbf886b8d09abc3f5f8eb9c8bff809909a251f2d055056e6d12217a2"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200118,13 +200118,13 @@ rule TRELLIX_ARC_Buran_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Buran ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "07d33def-9516-53b3-87df-494e10e2e5fd"
+ id = "b96c0e5c-dce2-559d-9623-81e8a9a322f2"
 date = "2019-11-05"
 modified = "2020-08-14"
 reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Buran.yar#L1-L27"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_056cf2e6aca22876fb8bfafc14a3be0e42124a26edab42a6f7a928c87fb8fff4"
+ logic_hash = "056cf2e6aca22876fb8bfafc14a3be0e42124a26edab42a6f7a928c87fb8fff4"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200149,13 +200149,13 @@ rule TRELLIX_ARC_Ryuk_Ransomware : RANSOMWARE FILE
 meta:
 description = "Ryuk Ransomware hunting rule"
 author = "Christiaan Beek - McAfee ATR team"
- id = "0ae0fa13-5578-5940-b6ab-5416815035d3"
+ id = "d3e67e26-3b34-5c28-a1c0-c4aeacd49df9"
 date = "2019-04-25"
 modified = "2021-07-12"
 reference = "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Ryuk.yar#L1-L47"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_43c0be708fa8a388dce6e1dd721e24329b5b08a942d99e9b2631c90155790c4b"
+ logic_hash = "43c0be708fa8a388dce6e1dd721e24329b5b08a942d99e9b2631c90155790c4b"
 score = 50
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200194,14 +200194,14 @@ rule TRELLIX_ARC_RANSOM_RYUK_May2021 : RANSOMWARE FILE
 meta:
 description = "Rule to detect latest May 2021 compiled Ryuk variant"
 author = "Marc Elias | McAfee ATR Team"
- id = "7b7bdb72-b917-58bc-922a-5c6fe16e5223"
+ id = "6e415a9e-7373-50a8-ad57-f95220faed9c"
 date = "2021-05-21"
 modified = "2021-07-12"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Ryuk.yar#L91-L113"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a"
- logic_hash = "v1_sha256_b379c1182e60ce8c777668386d8cbd08350dd2363770dec56502bf44aaf5d7f6"
+ logic_hash = "b379c1182e60ce8c777668386d8cbd08350dd2363770dec56502bf44aaf5d7f6"
 score = 50
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200220,13 +200220,13 @@ rule TRELLIX_ARC_Lockbit2_Jul21 : FILE
 meta:
 description = "simple rule to detect latest Lockbit ransomware Jul 2021"
 author = "CB @ ATR"
- id = "1c9d0148-920f-5e4e-ac43-844a4f1251a6"
+ id = "22b423df-ae5c-5672-95be-333b13791fc6"
 date = "2021-07-28"
 modified = "2021-07-28"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Lockbit2.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_b3ed7d7c72b7585877293f586bae5ec7b0135b09d518b4e4b08f64e60db5a159"
+ logic_hash = "b3ed7d7c72b7585877293f586bae5ec7b0135b09d518b4e4b08f64e60db5a159"
 score = 50
 quality = 70
 tags = "FILE"
@@ -200254,14 +200254,14 @@ rule TRELLIX_ARC_Jeff_Dev_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Jeff Dev Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "1709348d-04e5-5a5f-827d-59c8c3529b6a"
+ id = "dd5e24f4-a2d8-5db5-9e7e-7f8bded5d401"
 date = "2018-08-26"
 modified = "2020-08-14"
 reference = "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_jeff_dev.yar#L1-L28"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "386d4617046790f7f1fcf37505be4ffe51d165ba7cbd42324aed723288ca7e0a"
- logic_hash = "v1_sha256_58a408f4e1781540e4abdb87b85b94c1f0ea49b40bf241d6d074bc2162ac2032"
+ logic_hash = "58a408f4e1781540e4abdb87b85b94c1f0ea49b40bf241d6d074bc2162ac2032"
 score = 75
 quality = 45
 tags = "RANSOMWARE, FILE"
@@ -200285,14 +200285,14 @@ rule TRELLIX_ARC_Unpacked_Shiva_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect an unpacked sample of Shiva ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "3a1f5682-8aca-5fe1-9f3a-8abee3e9283a"
+ id = "c6cd4421-216f-5c1f-bb8d-fc8ab00bb72d"
 date = "2018-09-05"
 modified = "2020-08-14"
 reference = "https://twitter.com/malwrhunterteam/status/1037424962569732096"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_Shiva.yar#L1-L37"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "299bebcb18e218254960ef96c2e65a4dc1945dcdfe9fc68550022f99a474f56d"
- logic_hash = "v1_sha256_8a6a1d9f3b75617d8f07489ecf2867f90ddcf9fbe1db1e7c0f5c26833f88be3f"
+ logic_hash = "8a6a1d9f3b75617d8f07489ecf2867f90ddcf9fbe1db1e7c0f5c26833f88be3f"
 score = 75
 quality = 66
 tags = "RANSOMWARE, FILE"
@@ -200325,14 +200325,14 @@ rule TRELLIX_ARC_Wannaren_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect WannaRen Ransomware"
 author = "McAfee ATR Team"
- id = "a2d84270-1d5f-5322-ae7a-25d2b029b098"
+ id = "f4f30d12-547d-5044-a4e5-b88bf359480f"
 date = "2020-04-25"
 modified = "2020-10-12"
 reference = "https://blog.360totalsecurity.com/en/attention-you-may-have-become-a-susceptible-group-of-wannaren-ransomware/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_wannaren.yar#L1-L34"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "7b364f1c854e6891c8d09766bcc9a49420e0b5b4084d74aa331ae94e2cfb7e1d"
- logic_hash = "v1_sha256_0feb913b84eb0ecdda688f0cf0a5051798fe4fbce8a6ea959825985a81a6699c"
+ logic_hash = "0feb913b84eb0ecdda688f0cf0a5051798fe4fbce8a6ea959825985a81a6699c"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200362,13 +200362,13 @@ rule TRELLIX_ARC_RANSOM_Wastedlocker : RANSOMWARE FILE
 meta:
 description = "Rule to detect unpacked samples of WastedLocker"
 author = "McAfee ATR Team"
- id = "445016b7-841a-5e33-b73c-3e75ff2515ed"
+ id = "900923cf-75c0-5342-858d-fe1ffa9486bd"
 date = "2020-07-27"
 modified = "2020-10-12"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_wastedlocker.yar#L1-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_c5adf88a46c34c8683d0e3d70529b352c77209f004e6c638ff079ea025921781"
+ logic_hash = "c5adf88a46c34c8683d0e3d70529b352c77209f004e6c638ff079ea025921781"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200399,13 +200399,13 @@ rule TRELLIX_ARC_Purelocker_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect PureLocker ransomware based on binary sequences"
 author = "Marc Rivero | McAfee ATR Team"
- id = "22a13e80-b14b-57cc-bf4b-d52f2cad441d"
+ id = "3d945869-9faa-59de-add6-d664a7beef6f"
 date = "2019-11-13"
 modified = "2020-08-14"
 reference = "https://www.pandasecurity.com/mediacenter/security/purelocker-ransomware-servers/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_PureLocker.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_9f39f0ef922023a79919f5b41a7acda6c08373af8f5fd2d4c4dcaca6146970ea"
+ logic_hash = "9f39f0ef922023a79919f5b41a7acda6c08373af8f5fd2d4c4dcaca6146970ea"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200428,13 +200428,13 @@ rule TRELLIX_ARC_Badbunny : RANSOMWARE FILE
 meta:
 description = "Bad Rabbit Ransomware"
 author = "Christiaan Beek"
- id = "bc8271fb-fc21-5912-b6d5-de0ef824d43b"
+ id = "190ee396-4c26-54f7-baac-bb45e3587488"
 date = "2017-10-24"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_BadRabbit.yar#L3-L47"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_2879b8dc1ca0e86253354ac24b56d950878b23215b503da9b1d5faabd2c4bf9d"
+ logic_hash = "2879b8dc1ca0e86253354ac24b56d950878b23215b503da9b1d5faabd2c4bf9d"
 score = 75
 quality = 45
 tags = "RANSOMWARE, FILE"
@@ -200474,13 +200474,13 @@ rule TRELLIX_ARC_Badrabbit_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Bad Rabbit Ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "432b6d04-28ac-53af-81de-db52f731f2b5"
+ id = "d6e78c14-0913-5eed-be15-a6d1a8cd1a8d"
 date = "2024-12-01"
 modified = "2020-08-14"
 reference = "https://securelist.com/bad-rabbit-ransomware/82851/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_BadRabbit.yar#L49-L101"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_7536f021ce7fede0f1a2bf2f4ebc7d6e7269a6dd63005cab1fc6a309a71c61c0"
+ logic_hash = "7536f021ce7fede0f1a2bf2f4ebc7d6e7269a6dd63005cab1fc6a309a71c61c0"
 score = 75
 quality = 43
 tags = "RANSOMWARE, FILE"
@@ -200521,13 +200521,13 @@ rule TRELLIX_ARC_Crime_Ransomware_Windows_Gpgqwerty : RANSOMWARE
 meta:
 description = "Detect GPGQwerty ransomware"
 author = "McAfee Labs"
- id = "21809851-df53-5d32-8aab-180c62bf885e"
+ id = "dcbaf3bd-7d0c-5449-a751-82caaad3b5c2"
 date = "2018-03-21"
 modified = "2020-08-14"
 reference = "https://securingtomorrow.mcafee.com/mcafee-labs/ransomware-takes-open-source-path-encrypts-gnu-privacy-guard/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_GPGQwerty.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_8e77895cb8e7f33707c5080780a49cb4bf1d35aa7a8df829fdc7a93319ce3897"
+ logic_hash = "8e77895cb8e7f33707c5080780a49cb4bf1d35aa7a8df829fdc7a93319ce3897"
 score = 75
 quality = 70
 tags = "RANSOMWARE"
@@ -200551,14 +200551,14 @@ rule TRELLIX_ARC_Ransom_Babuk : RANSOM T1027 T1083 T1057 T1082 T1129 T1490 T1543
 meta:
 description = "Rule to detect Babuk Locker"
 author = "TS @ McAfee ATR"
- id = "0c27cd5c-af45-53ed-bb1c-f55289e3052d"
+ id = "7c0a3b4e-90aa-5442-aa5e-1a7fcae9bec8"
 date = "2021-01-19"
 modified = "2021-02-24"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_BabukLocker_Jan2021.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "e10713a4a5f635767dcd54d609bed977"
- logic_hash = "v1_sha256_123cebd1c2e66f3e91ee235cb9288df63dfaeba02e6df45f896cb50f38851a8f"
+ logic_hash = "123cebd1c2e66f3e91ee235cb9288df63dfaeba02e6df45f896cb50f38851a8f"
 score = 75
 quality = 70
 tags = "RANSOM, T1027, T1083, T1057, T1082, T1129, T1490, T1543.003, FILE"
@@ -200583,14 +200583,14 @@ rule TRELLIX_ARC_Nefilim_Ransomware : RANSOMWARE FILE
 meta:
 description = "Rule to detect Nefilim ransomware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "2986496d-ddd9-5638-8254-abc952a5c41a"
+ id = "55d9cb20-5071-5dce-a46f-a20816ba379f"
 date = "2020-03-17"
 modified = "2020-04-03"
 reference = "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_NEFILIM.yar#L3-L48"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6"
- logic_hash = "v1_sha256_d8cd5d2dd552d3e9f57f7bd244e941fe89a96ab16bbcc71911e8e2a519f53f03"
+ logic_hash = "d8cd5d2dd552d3e9f57f7bd244e941fe89a96ab16bbcc71911e8e2a519f53f03"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200620,14 +200620,14 @@ rule TRELLIX_ARC_Nefilim_Signed : RANSOMWARE FILE
 meta:
 description = "Rule to detect Nefilim samples digitally signed"
 author = "Marc Rivero | McAfee ATR Team"
- id = "0e8df876-f652-5bfe-99ba-ffb5eefbf196"
+ id = "a9a5daf0-4cfb-556a-b20a-72283fb1a0f9"
 date = "2020-04-02"
 modified = "2020-08-14"
 reference = "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_NEFILIM.yar#L50-L72"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5"
- logic_hash = "v1_sha256_7625eb7de1ebb2f5410552b8983379f213d639f5e146a5d951975b69eb8111d3"
+ logic_hash = "7625eb7de1ebb2f5410552b8983379f213d639f5e146a5d951975b69eb8111d3"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200645,14 +200645,14 @@ rule TRELLIX_ARC_RANSOM_Nefilim_Go : RANSOMWARE FILE
 meta:
 description = "Rule to detect the new Nefilim written in GO"
 author = "Marc Rivero | McAfee ATR Team"
- id = "861656c8-8b1a-526e-ad43-9397d5a45762"
+ id = "a8809060-c646-5d54-88e7-c8054305ee6c"
 date = "2020-07-13"
 modified = "2020-08-14"
 reference = "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/ransomware/RANSOM_NEFILIM.yar#L74-L98"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "a51fec27e478a1908fc58c96eb14f3719608ed925f1b44eb67bbcc67bd4c4099"
- logic_hash = "v1_sha256_f0b10286fb1623a32bcf1f30cadce2901f7711cb36db6bbe812f6c2e03862270"
+ logic_hash = "f0b10286fb1623a32bcf1f30cadce2901f7711cb36db6bbe812f6c2e03862270"
 score = 75
 quality = 70
 tags = "RANSOMWARE, FILE"
@@ -200673,14 +200673,14 @@ rule TRELLIX_ARC_Apt_Turla_Pdb : BACKDOOR FILE
 meta:
 description = "Rule to detect a component of the APT Turla"
 author = "Marc Rivero | McAfee ATR Team"
- id = "d13952f4-74ea-5839-aac8-a150da9579ec"
+ id = "b39ac7fc-16dd-559e-8ab0-76da5cbbc719"
 date = "2017-05-31"
 modified = "2020-08-14"
 reference = "https://attack.mitre.org/groups/G0010/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_turla_pdb.yar#L1-L25"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122"
- logic_hash = "v1_sha256_d519317c936a38f189bf0de908902ec4e3e079c8c7463c8881ceb332c0a82a26"
+ logic_hash = "d519317c936a38f189bf0de908902ec4e3e079c8c7463c8881ceb332c0a82a26"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200703,14 +200703,14 @@ rule TRELLIX_ARC_Milum_Trojan : TROJAN FILE
 meta:
 description = "Rule to detect Milum trojan from the Wildpressure operation"
 author = "Marc Rivero | McAfee ATR Team"
- id = "1ead2373-dc43-5d07-85b7-ee3da68122b3"
+ id = "acc56237-a93a-55c0-a90c-11ca1da683db"
 date = "2020-04-24"
 modified = "2020-08-14"
 reference = "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_milum_wildpressure.yar#L3-L28"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "86456ebf6b807e8253faf1262e7a2b673131c80174f6133b253b2e5f0da442a9"
- logic_hash = "v1_sha256_3ab1ff129517cb4a829edac289c00d7701d6f667ba2ef5a28024fd01a3a52e8e"
+ logic_hash = "3ab1ff129517cb4a829edac289c00d7701d6f667ba2ef5a28024fd01a3a52e8e"
 score = 75
 quality = 70
 tags = "TROJAN, FILE"
@@ -200731,14 +200731,14 @@ rule TRELLIX_ARC_Pwnlnx_Backdoor_Variant_1 : BACKDOOR FILE
 meta:
 description = "Rule to detect the backdoor pwnlnx variant 1"
 author = "Marc Rivero | McAfee ATR Team"
- id = "a0dc8762-e0cb-50a2-96a0-42002f8821c4"
+ id = "5b76ca62-460c-5c36-a239-700cc509f2b0"
 date = "2020-04-17"
 modified = "2020-08-14"
 reference = "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_decade_of_RATs.yar#L3-L33"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "0f6033d6f82ce758b576e2d8c483815e908e323d0b700040fbdab5593fb5282b"
- logic_hash = "v1_sha256_1487890494dde891a6dbe7dff7ebd5660ee01fe10220215e680115f168c2ae4a"
+ logic_hash = "1487890494dde891a6dbe7dff7ebd5660ee01fe10220215e680115f168c2ae4a"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200759,14 +200759,14 @@ rule TRELLIX_ARC_Pwnlnx_Backdoor_Variant_2 : BACKDOOR FILE
 meta:
 description = "Rule to detect the backdoor pwnlnx variant 2"
 author = "Marc Rivero | McAfee ATR Team"
- id = "bfd7b606-cf62-522a-a526-262b37401154"
+ id = "c4ee686b-49d9-5566-b749-1144a19c1fee"
 date = "2020-04-17"
 modified = "2020-08-14"
 reference = "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_decade_of_RATs.yar#L35-L65"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "08cc67002782cbafd97a4bff549d25dd72d6976d2fdf79339aaf5a3ff7c3107e"
- logic_hash = "v1_sha256_08ea40ba72677263a41f62097fc38040361ba595d67cb04979b66548c7f4d271"
+ logic_hash = "08ea40ba72677263a41f62097fc38040361ba595d67cb04979b66548c7f4d271"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200787,14 +200787,14 @@ rule TRELLIX_ARC_Pwnlnx_Backdoor_Variant_3 : BACKDOOR FILE
 meta:
 description = "Rule to detect the backdoor pwnlnx variant"
 author = "Marc Rivero | McAfee ATR Team"
- id = "d88d81db-7e12-532a-b330-3d5629b65de7"
+ id = "02ea1eb2-7235-5ed5-86ba-19d52e8fb428"
 date = "2020-04-17"
 modified = "2020-08-14"
 reference = "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_decade_of_RATs.yar#L67-L97"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "08f29e234f0ce3bded1771d702f8b5963b144141727e48b8a0594f58317aac75"
- logic_hash = "v1_sha256_8a1405f430ce57810577f65ef43a1425601bf49b5adb4f6f935505427ad9dc94"
+ logic_hash = "8a1405f430ce57810577f65ef43a1425601bf49b5adb4f6f935505427ad9dc94"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200815,14 +200815,14 @@ rule TRELLIX_ARC_Pwnlnx_Backdoor_Variant_4 : BACKDOOR FILE
 meta:
 description = "Rule to detect the backdoor pwnlnx variant 4"
 author = "Marc Rivero | McAfee ATR Team"
- id = "37ac1c30-f5b4-599f-a250-7498fd9618f9"
+ id = "199bb534-f0f6-5b67-aedd-3eada5e45cc6"
 date = "2020-04-17"
 modified = "2020-08-14"
 reference = "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_decade_of_RATs.yar#L99-L129"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "2590ab56d46ff344f2aa4998efd1db216850bdddfc146d5d37e4b7d07c7336fc"
- logic_hash = "v1_sha256_11203beee446aaf0783d3a8d3839a88ef16c27d52be8670d650ebf6a1de2c3aa"
+ logic_hash = "11203beee446aaf0783d3a8d3839a88ef16c27d52be8670d650ebf6a1de2c3aa"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200843,14 +200843,14 @@ rule TRELLIX_ARC_Pwnlnx_Backdoor_Variant_6 : BACKDOOR FILE
 meta:
 description = "Rule to detect the backdoor pwnlnx variant 6"
 author = "Marc Rivero | McAfee ATR Team"
- id = "43492f48-4b8c-5710-a908-923a31600a92"
+ id = "56bfe9c7-4cd4-51f6-a469-da8af52d64c2"
 date = "2020-04-17"
 modified = "2020-08-14"
 reference = "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_decade_of_RATs.yar#L131-L161"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "d29254ab907c9ef54349de3ec0dd8b22b4692c58ed7a7b340afbc6e44363f96a"
- logic_hash = "v1_sha256_29423135a46ee7b9aa1bd8f1e6f7ffad09725787ad6e75312e1d34b18e3917d4"
+ logic_hash = "29423135a46ee7b9aa1bd8f1e6f7ffad09725787ad6e75312e1d34b18e3917d4"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200871,14 +200871,14 @@ rule TRELLIX_ARC_Mirai_Casper_Variant : BACKDOOR FILE
 meta:
 description = "Rule to detect the Mirai Casper variant"
 author = "Marc Rivero | McAfee ATR Team"
- id = "ea0d5f78-2369-58dc-846d-3233f2723c6b"
+ id = "0f3a028c-9514-51cd-ad82-415e8ac2dee7"
 date = "2020-04-17"
 modified = "2020-08-14"
 reference = "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_decade_of_RATs.yar#L163-L193"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "57cc422a6a90c571198a2d1c3db13c31fbdb48ba2f0f4356846d6d636d0f9300"
- logic_hash = "v1_sha256_5449d1ef0c4977c6151fc194ad5f526b6be414c1efb7fd4bacb77d4bcd89c703"
+ logic_hash = "5449d1ef0c4977c6151fc194ad5f526b6be414c1efb7fd4bacb77d4bcd89c703"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200901,14 +200901,14 @@ rule TRELLIX_ARC_APT_Stolen_Certificates : BACKDOOR FILE
 meta:
 description = "Rule to detect samples digitally signed from these stolen certificates"
 author = "Marc Rivero | McAfee ATR Team"
- id = "0be56d06-7f9d-56f8-8844-31837ab688c2"
+ id = "57051977-780c-5c8e-bc66-0f1d8b3bbd93"
 date = "2020-04-17"
 modified = "2020-08-14"
 reference = "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_decade_of_RATs.yar#L196-L221"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "ce3424524fd1f482a0339a3f92e440532cff97c104769837fa6ae52869013558"
- logic_hash = "v1_sha256_9b700e4889349d0203bdd4e00035ee9c9aba5025ccc57eef915b2c78996f8160"
+ logic_hash = "9b700e4889349d0203bdd4e00035ee9c9aba5025ccc57eef915b2c78996f8160"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -200926,14 +200926,14 @@ rule TRELLIX_ARC_Apt_Auriga_Driver : KERNELDRIVER FILE
 meta:
 description = "Rule to detect the Auriga driver"
 author = "Marc Rivero | McAfee ATR Team"
- id = "09e61f19-6ddb-558a-9c1a-c0bfc16cdb5b"
+ id = "b61058a1-1b48-5be1-ba2f-74a7c3d38825"
 date = "2013-03-13"
 modified = "2020-08-14"
 reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_auriga_biscuit.yar#L1-L39"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "207eee627a76449ac6d2ca43338d28087c8b184e7b7b50fdc60a11950c8283ec"
- logic_hash = "v1_sha256_c027073ba398fe89d418be67f0850c8d9e4d4c50a991c45b84cdb416497ccf1c"
+ logic_hash = "c027073ba398fe89d418be67f0850c8d9e4d4c50a991c45b84cdb416497ccf1c"
 score = 75
 quality = 70
 tags = "KERNELDRIVER, FILE"
@@ -200968,14 +200968,14 @@ rule TRELLIX_ARC_Enfal_Pdb : BACKDOOR FILE
 meta:
 description = "Rule to detect Enfal malware"
 author = "Marc Rivero | McAfee ATR Team"
- id = "05274809-0c25-593b-8295-5c3e937a3c20"
+ id = "09b9667c-cf58-5438-958d-19a99fe91e32"
 date = "2013-08-27"
 modified = "2020-08-14"
 reference = "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/enfal"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/enfal_pdb.yar#L1-L29"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "6756808313359cbd7c50cd779f809bc9e2d83c08da90dbd80f5157936673d0bf"
- logic_hash = "v1_sha256_1f7785a4c54981c3e7cb417718312e0ed82132b9bd9288f7b0f322cbeafbaecd"
+ logic_hash = "1f7785a4c54981c3e7cb417718312e0ed82132b9bd9288f7b0f322cbeafbaecd"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -201000,13 +201000,13 @@ rule TRELLIX_ARC_APT_Acidbox_Kernelmode_Module : KERNELDRIVER FILE
 meta:
 description = "Rule to detect the kernel mode component of AcidBox"
 author = "Marc Rivero | McAfee ATR Team"
- id = "7bd2d303-c583-5439-8c2e-d0f3460fb171"
+ id = "80b60307-5431-5f21-9e6f-06adaab0519d"
 date = "2020-07-24"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_acidbox.yar#L1-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_e39da89d0da22115ac7889bc73ff183973a6c5334e304df955362bde76694d42"
+ logic_hash = "e39da89d0da22115ac7889bc73ff183973a6c5334e304df955362bde76694d42"
 score = 75
 quality = 70
 tags = "KERNELDRIVER, FILE"
@@ -201037,13 +201037,13 @@ rule TRELLIX_ARC_APT_Acidbox_Main_Module_Dll : BACKDOOR FILE
 meta:
 description = "Rule to detect the Main mode component of AcidBox"
 author = "Marc Rivero | McAfee ATR Team"
- id = "45a2df98-d7fc-543d-b886-75b9ddeaf3c4"
+ id = "8c9beb0f-62f7-5788-8340-0b1ecdf54253"
 date = "2020-07-24"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_acidbox.yar#L34-L65"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_db98e204742b8629074d47df301ffcbb2dfb977a4da91557fb50838aae79e777"
+ logic_hash = "db98e204742b8629074d47df301ffcbb2dfb977a4da91557fb50838aae79e777"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -201074,13 +201074,13 @@ rule TRELLIX_ARC_APT_Acidbox_Ssp_Dll_Module : BACKDOOR FILE
 meta:
 description = "Rule to detect the SSP DLL component of AcidBox"
 author = "Marc Rivero | McAfee ATR Team"
- id = "321071fd-88e6-54d7-b5f9-f1f1a6aa5592"
+ id = "ef1511c5-f650-5e65-937c-466f00932183"
 date = "2020-07-24"
 modified = "2020-08-14"
 reference = "https://github.com/advanced-threat-research/Yara-Rules/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_acidbox.yar#L67-L98"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_4c9b9de11d73587ca1ad1efa5455598e41edc5a9a59fc0339c429a212c1c7941"
+ logic_hash = "4c9b9de11d73587ca1ad1efa5455598e41edc5a9a59fc0339c429a212c1c7941"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -201111,14 +201111,14 @@ rule TRELLIX_ARC_APT_Winnti : BACKDOOR FILE
 meta:
 description = "Detects Winnti variants"
 author = "McAfee ATR Team"
- id = "188469a7-4527-5481-b5d0-7ed533bc49d1"
+ id = "f12b039a-2508-580f-b777-428bbda2c666"
 date = "2020-06-04"
 modified = "2020-10-14"
 reference = "https://attack.mitre.org/software/S0141/"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_winnti.yar#L1-L27"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "fd539d345821d9ac9b885811b1f642aa1817ba8501d47bc1de575f5bef2fbf9e"
- logic_hash = "v1_sha256_f94b2c552fbb30e1005e5c75a2f449d60b9558a0916197bed41bf32c6477daef"
+ logic_hash = "f94b2c552fbb30e1005e5c75a2f449d60b9558a0916197bed41bf32c6477daef"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -201141,13 +201141,13 @@ rule TRELLIX_ARC_Shadowspawn_Utility : UTILITY FILE
 meta:
 description = "Rule to detect ShadowSpawn utility used in the SoftCell operation"
 author = "Marc Rivero | McAfee ATR Team"
- id = "d73b52ca-73ac-54cf-a4ad-4713022e55dd"
+ id = "0a325f5c-2750-5354-b920-f7e1510a8b71"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L3-L32"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_0f2805aee60cdb4eb932768849c845052c92131d0b25a511b822b79b2ac93e24"
+ logic_hash = "0f2805aee60cdb4eb932768849c845052c92131d0b25a511b822b79b2ac93e24"
 score = 75
 quality = 70
 tags = "UTILITY, FILE"
@@ -201173,13 +201173,13 @@ rule TRELLIX_ARC_Poison_Ivy_Softcell : RAT FILE
 meta:
 description = "Rule to detect Poison Ivy used in the SoftCell operation"
 author = "Marc Rivero | McAfee ATR Team"
- id = "3ceed73b-bf76-5207-a8f8-e02674e870fe"
+ id = "c362b116-4cb6-5393-9c64-28e8d2886dc7"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L34-L72"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_ac84023404d76adf8cfd8d26bb59fb51f29057748806c4f5ea0634803fd937cd"
+ logic_hash = "ac84023404d76adf8cfd8d26bb59fb51f29057748806c4f5ea0634803fd937cd"
 score = 75
 quality = 70
 tags = "RAT, FILE"
@@ -201215,13 +201215,13 @@ rule TRELLIX_ARC_Trochilus_Softcell : TROJAN FILE
 meta:
 description = "Rule to detect Trochilus malware used in the SoftCell operation"
 author = "Trellix ARC Team"
- id = "c658f3cd-8a77-5371-9bd4-02b188702344"
+ id = "81e942ae-936f-5952-8d50-ee8cec74520b"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L74-L106"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_80a0841a08627acf11707f3aeef4e7c3777aecf04b932755efa618d7e92b0cda"
+ logic_hash = "80a0841a08627acf11707f3aeef4e7c3777aecf04b932755efa618d7e92b0cda"
 score = 75
 quality = 70
 tags = "TROJAN, FILE"
@@ -201250,13 +201250,13 @@ rule TRELLIX_ARC_Lg_Utility_Lateral_Movement_Softcell : UTILITY FILE
 meta:
 description = "Rule to detect the utility LG from Joeware to do Lateral Movement in the SoftCell operation"
 author = "Marc Rivero | McAfee ATR Team"
- id = "9018b245-21d0-53a4-b182-33c09b93b647"
+ id = "4f435348-427a-5f35-9545-5582033eb043"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L108-L143"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_f88781b9632cd31bb9e3d68730c63c3fcd0ebe4a09b70b5b54d456cdc9ae8d01"
+ logic_hash = "f88781b9632cd31bb9e3d68730c63c3fcd0ebe4a09b70b5b54d456cdc9ae8d01"
 score = 75
 quality = 70
 tags = "UTILITY, FILE"
@@ -201289,13 +201289,13 @@ rule TRELLIX_ARC_Mangzamel_Softcell : TROJAN FILE
 meta:
 description = "Rule to detect Mangzamel used in the SoftCell operation"
 author = "Marc Rivero | McAfee ATR Team"
- id = "dffe1e71-88d2-566c-9793-0c5b0bc353c0"
+ id = "b0473362-7e03-5127-aee5-b5a4f05bcc8e"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L145-L176"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_3666c645943eb8469096b8093c74e4d819299d3ffc2b99e37a506d8ef09e90c4"
+ logic_hash = "3666c645943eb8469096b8093c74e4d819299d3ffc2b99e37a506d8ef09e90c4"
 score = 75
 quality = 70
 tags = "TROJAN, FILE"
@@ -201325,13 +201325,13 @@ rule TRELLIX_ARC_Nbtscan_Utility_Softcell : UTILITY FILE
 meta:
 description = "Rule to detect nbtscan utility used in the SoftCell operation"
 author = "Marc Rivero | McAfee ATR Team"
- id = "894f6286-784b-50b0-8b83-a8a6dced2f46"
+ id = "a2a8dd43-0d30-5da5-9dd3-6ba9f6473c40"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L178-L209"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_6079f1363578f82fd38971d0c8f69cc156f7f678c3f2be22c5d9c3748dc80b1f"
+ logic_hash = "6079f1363578f82fd38971d0c8f69cc156f7f678c3f2be22c5d9c3748dc80b1f"
 score = 75
 quality = 45
 tags = "UTILITY, FILE"
@@ -201360,13 +201360,13 @@ rule TRELLIX_ARC_Mimikatz_Utility_Softcell : HACKTOOL FILE
 meta:
 description = "Rule to detect Mimikatz utility used in the SoftCell operation"
 author = "Marc Rivero | McAfee ATR Team"
- id = "57eb721d-7dad-56e5-a810-c7e2191b2c37"
+ id = "0c01a2f6-cf3c-57b3-8f19-94d320422658"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L211-L258"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_4ccb44bf0d490a18e35290d904326ce14cdc92c96be1a38e6059431645233e37"
+ logic_hash = "4ccb44bf0d490a18e35290d904326ce14cdc92c96be1a38e6059431645233e37"
 score = 75
 quality = 68
 tags = "HACKTOOL, FILE"
@@ -201411,13 +201411,13 @@ rule TRELLIX_ARC_Sfx_Winrar_Plugx : BUILDER FILE
 meta:
 description = "Rule to detect the SFX WinRAR delivering a possible Plugx sample"
 author = "Marc Rivero | McAfee ATR Team"
- id = "ca1e6324-8562-54f4-99c5-26f4cdefe615"
+ id = "ac975a58-6a8a-515e-b27f-327a7bfc7686"
 date = "2019-06-25"
 modified = "2020-08-14"
 reference = "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Operation_SoftCell.yar#L260-L307"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
- logic_hash = "v1_sha256_8231f46330762cecf8a796d1a29c8fa6ba1c10b527fa86bf6c73130349558dad"
+ logic_hash = "8231f46330762cecf8a796d1a29c8fa6ba1c10b527fa86bf6c73130349558dad"
 score = 75
 quality = 68
 tags = "BUILDER, FILE"
@@ -201460,14 +201460,14 @@ rule TRELLIX_ARC_Apt_Miniasp_Pdb : TROJAN FILE
 meta:
 description = "Rule to detect MiniASP based on PDB"
 author = "Marc Rivero | McAfee ATR Team"
- id = "dfb5c873-e42c-5b8f-8356-4fa8de981420"
+ id = "2e7e2990-5e7f-52b0-884a-fcb54b2f5488"
 date = "2012-07-12"
 modified = "2020-08-14"
 reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_MiniASP_pdb.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "42334f2119069b8c0ececfb14a7030e480b5d18ca1cc35f1ceaee847bc040e53"
- logic_hash = "v1_sha256_8ee6f93aaae2c48cc5835269fd526371040cd33cc309220f92a150444ba21055"
+ logic_hash = "8ee6f93aaae2c48cc5835269fd526371040cd33cc309220f92a150444ba21055"
 score = 75
 quality = 70
 tags = "TROJAN, FILE"
@@ -201489,14 +201489,14 @@ rule TRELLIX_ARC_Apt_Aurora_Pdb_Samples : BACKDOOR FILE
 meta:
 description = "Aurora APT Malware 2006-2010"
 author = "Marc Rivero | McAfee ATR Team"
- id = "81144726-5c28-5499-9c6c-dd4e63b04b39"
+ id = "51b080b7-671b-592b-ba52-7fdd0ddf0294"
 date = "2010-01-11"
 modified = "2020-08-14"
 reference = "https://en.wikipedia.org/wiki/Operation_Aurora"
 source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_operation_aurora.yar#L1-L26"
 license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE"
 hash = "ce7debbcf1ca3a390083fe5753f231e632017ca041dfa662ad56095a500f2364"
- logic_hash = "v1_sha256_5791ae7b96f2b59d0cca1ab97455bb4745edad8980ac4aff22aa36e0bc4f240e"
+ logic_hash = "5791ae7b96f2b59d0cca1ab97455bb4745edad8980ac4aff22aa36e0bc4f240e"
 score = 75
 quality = 70
 tags = "BACKDOOR, FILE"
@@ -201518,14 +201518,14 @@ rule TRELLIX_ARC_Apt_Gdocupload_Glooxmail : BACKDOOR FILE meta: description = "Rule to detect gdocupload tool used by APT1" author = "Marc Rivero | McAfee ATR Team" - id = "25f6e9b6-5d59-58bd-86cc-66acb215d49e" + id = "deb20196-65e6-5dac-af0c-2f16e5926715" date = "2013-02-19" modified = "2020-08-14" reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_gdocupload_pdb.yar#L1-L32" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "295c5c7aa5fa29628dec9f42ed657fce0bc789079c4e51932bcbc99a28dfd440" - logic_hash = "v1_sha256_e016bb636af22fae79875bebaf1b4bd4f2a403e797d7ee52ea0691b4d7a54cf8" + logic_hash = "e016bb636af22fae79875bebaf1b4bd4f2a403e797d7ee52ea0691b4d7a54cf8" score = 75 quality = 45 tags = "BACKDOOR, FILE" @@ -201555,13 +201555,13 @@ rule TRELLIX_ARC_Syskit : FILE meta: description = "SYSkit backdoor" author = "Christiaan @ McAfee ATR" - id = "5c359066-b108-503c-9598-08829c0d98d6" + id = "f06db38f-52d5-51b5-a17f-63e285dd5f80" date = "2019-09-17" modified = "2020-04-02" reference = "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Tortoiseshell_Syskit.yar#L3-L40" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" - logic_hash = "v1_sha256_5b489d47d56de5c770b6ff6d6d56bf0fb87174f4a8428052b28fb392d9ac3f87" + logic_hash = "5b489d47d56de5c770b6ff6d6d56bf0fb87174f4a8428052b28fb392d9ac3f87" score = 75 quality = 68 tags = "FILE" 
@@ -201602,14 +201602,14 @@ rule TRELLIX_ARC_Ixeshe_Bled_Malware_Pdb : BACKDOOR FILE meta: description = "Rule to detect Ixeshe_bled malware based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "39ed0923-60d1-5aa3-9bab-9e3b40b31bc7" + id = "93356eab-5bb3-5b85-acc6-9a247554aa2d" date = "2012-05-30" modified = "2020-08-14" reference = "https://attack.mitre.org/software/S0015/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/ixeshe_bled_pdb.yar#L1-L24" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "d1be51ef9a873de85fb566d157b034234377a4a1f24dfaf670e6b94b29f35482" - logic_hash = "v1_sha256_7d2ce7644e25a56c101c148a32f7b0f7c3185c0c17f4d65eaef257f6ac7f8ffb" + logic_hash = "7d2ce7644e25a56c101c148a32f7b0f7c3185c0c17f4d65eaef257f6ac7f8ffb" score = 75 quality = 70 tags = "BACKDOOR, FILE" @@ -201630,14 +201630,14 @@ rule TRELLIX_ARC_Apt_Blackenergy_Pdb : TROJAN FILE meta: description = "Rule to detect the BlackEnergy trojan" author = "Marc Rivero | McAfee ATR Team" - id = "5c9dff12-20ae-52ef-9c53-47cfc815b559" + id = "55c96b66-a8bf-5390-a75a-f3d2441c2a55" date = "2013-02-15" modified = "2020-08-14" reference = "https://www.kaspersky.com.au/resource-center/threats/blackenergy" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_blackenergy_pdb.yar#L1-L38" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "4b2efcda5269f4b80dc417a2b01332185f2fafabd8ba7114fa0306baaab5a72d" - logic_hash = "v1_sha256_7bb85d03d8f2a4d91554f7fea96e9bbe36b153cfa4a91fd13fb99d41d430c9e9" + logic_hash = "7bb85d03d8f2a4d91554f7fea96e9bbe36b153cfa4a91fd13fb99d41d430c9e9" score = 75 quality = 70 tags = "TROJAN, FILE" 
@@ -201671,14 +201671,14 @@ rule TRELLIX_ARC_Karkoff_Dnspionaje : BACKDOOR FILE meta: description = "Rule to detect the Karkoff malware" author = "Marc Rivero | McAfee ATR Team" - id = "795f8a3f-04eb-545b-8fa8-e94e83109ed2" + id = "a5cdc65f-3a4c-5d97-9d88-8d60b14dfb9a" date = "2019-04-23" modified = "2020-08-14" reference = "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_karkoff_dnspionaje.yar#L1-L30" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c" - logic_hash = "v1_sha256_79dd0087f1197cb1b2cd98416302363951479ba5ebf82289768585b56ed21c3a" + logic_hash = "79dd0087f1197cb1b2cd98416302363951479ba5ebf82289768585b56ed21c3a" score = 75 quality = 70 tags = "BACKDOOR, FILE" @@ -201704,14 +201704,14 @@ rule TRELLIX_ARC_Apt_Lagulon_Trojan_Pdb : TROJAN FILE meta: description = "Rule to detect trojan Lagulon based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "53e64066-cbe9-5145-872e-6b5646adc674" + id = "a31a465d-1f16-5c3e-a62d-ea15c11253c3" date = "2013-08-31" modified = "2020-08-14" reference = "https://www.cylance.com/operation-cleaver-cylance" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_lagulon_pdb.yar#L1-L25" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "e401340020688cdd0f5051b7553815eee6bc04a5a962900883f1b3676bf1de53" - logic_hash = "v1_sha256_dad04c2deb990f253f952b768b74349dc9afb5f6db91ea3afff889f4c9f3230b" + logic_hash = "dad04c2deb990f253f952b768b74349dc9afb5f6db91ea3afff889f4c9f3230b" score = 75 quality = 70 tags = "TROJAN, FILE" 
@@ -201732,14 +201732,14 @@ rule TRELLIX_ARC_Apt_Hanover_Pdb : BACKDOOR FILE meta: description = "Rule to detect hanover samples based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "721f4a9d-d992-57b2-a7d2-0c94ca0d3752" + id = "e2476ae8-d284-58f5-8bcb-9313a5b4d756" date = "2012-01-05" modified = "2020-08-14" reference = "https://securityaffairs.co/wordpress/14550/cyber-crime/operation-hangover-indian-cyberattack-infrastructure.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_hangover.yar#L1-L39" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "a2460412575cdc187dfb69eb2847c5b43156af7f7d94b71422e7f771e8adb51e" - logic_hash = "v1_sha256_a37d528e4dacddcabe55261f16b51aec626f6180107f154d3ae34cdfa71e2c58" + logic_hash = "a37d528e4dacddcabe55261f16b51aec626f6180107f154d3ae34cdfa71e2c58" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -201773,14 +201773,14 @@ rule TRELLIX_ARC_Apt_Hanover_Appinbot_Pdb : BACKDOOR FILE meta: description = "Rule to detect hanover appinbot samples based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "e3396ad6-cc89-5710-b5f5-adaa59912591" + id = "fb201000-ca8b-57e0-b560-5082477d8ee7" date = "2012-01-05" modified = "2020-08-14" reference = "https://securityaffairs.co/wordpress/14550/cyber-crime/operation-hangover-indian-cyberattack-infrastructure.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_hangover.yar#L41-L77" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "6ad56d64444fa76e1ad43a8c260c493b9086d4116eb18af630e65d3fd39bf6d6" - logic_hash = "v1_sha256_56cdd22efd81bcdda445242257b2418c6941bf9e5e68065d8b8d73d0f9c27df5" + logic_hash = "56cdd22efd81bcdda445242257b2418c6941bf9e5e68065d8b8d73d0f9c27df5" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -201813,14 +201813,14 @@ rule TRELLIX_ARC_Apt_Hanover_Foler_Pdb : BACKDOOR FILE meta: description = "Rule to detect hanover foler samples" author = "Marc Rivero | McAfee ATR Team" - id = "110ffd1a-50c5-5171-a522-cc7e060f9076" + id = "064b12a1-7a6a-5a19-bc9a-c98c1dbc6631" date = "2012-01-05" modified = "2020-08-14" reference = "https://securityaffairs.co/wordpress/14550/cyber-crime/operation-hangover-indian-cyberattack-infrastructure.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_hangover.yar#L79-L106" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "bd77d7f8af8329dfb0bcc0624d6d824d427fbaf859ab2dedd8629aa2f3b7ae0d" - logic_hash = "v1_sha256_cd2bd6a4c8084c02af5aaba81529cdb67aab7c2db397e2757d383534123c5227" + logic_hash = "cd2bd6a4c8084c02af5aaba81529cdb67aab7c2db397e2757d383534123c5227" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -201844,14 +201844,14 @@ rule TRELLIX_ARC_Apt_Hanover_Linog_Pdb : BACKDOOR FILE meta: description = "Rule to detect hanover linog samples based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "697dbe0e-b45a-5a73-949b-d09c49da57dc" + id = "2f4d30ad-aadc-5c90-8234-d1b5802f4781" date = "2012-01-05" modified = "2020-08-14" reference = "https://securityaffairs.co/wordpress/14550/cyber-crime/operation-hangover-indian-cyberattack-infrastructure.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_hangover.yar#L108-L132" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "f6319fd0e1d3b9d3694c46f80208e70b389e7dcc6aaad2508b80575c604c5dba" - logic_hash = "v1_sha256_3aebafc80ca2e187bdcae3750162d94ce9419988ffd451ba4762b2d299a04ed7" + logic_hash = "3aebafc80ca2e187bdcae3750162d94ce9419988ffd451ba4762b2d299a04ed7" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -201873,14 +201873,14 @@ rule TRELLIX_ARC_Apt_Hanover_Ron_Babylon_Pdb : BACKDOOR FILE meta: description = "apt_hanover_ron_babylon" author = "Marc Rivero | McAfee ATR Team" - id = "50876718-68b6-50c2-90de-225ba385d1c9" + id = "2637bba5-67be-5e71-9ce3-570ea14a96df" date = "2012-01-05" modified = "2020-08-14" reference = "https://securityaffairs.co/wordpress/14550/cyber-crime/operation-hangover-indian-cyberattack-infrastructure.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_hangover.yar#L134-L200" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "784cfb1bfdd7080c658fad08b1f679bbb0c94e6e468a3605ea47cdce533df815" - logic_hash = "v1_sha256_212de25a555335eb4dc24052702ee30d71039f44b448079f19f12fcb775d5298" + logic_hash = "212de25a555335eb4dc24052702ee30d71039f44b448079f19f12fcb775d5298" score = 75 quality = 45 tags = "BACKDOOR, FILE" 
@@ -201943,14 +201943,14 @@ rule TRELLIX_ARC_Apt_Hanover_Slidewin_Pdb : BACKDOOR FILE meta: description = "Rule to detect hanover slidewin samples" author = "Marc Rivero | McAfee ATR Team" - id = "1db30eca-6ec9-5eb8-81b8-4ad2420838a4" + id = "aefa1a2b-6a6f-5209-b1e2-90f1817442da" date = "2012-01-05" modified = "2020-08-14" reference = "https://securityaffairs.co/wordpress/14550/cyber-crime/operation-hangover-indian-cyberattack-infrastructure.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_hangover.yar#L202-L229" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "89b80267f9c7fc291474e5751c2e42838fdab7a5cbd50a322ed8f8efc3d2ce83" - logic_hash = "v1_sha256_28922d75109cf3da4807e08588e076f1496c14ea462a1c8dedb1d1a734f1fb48" + logic_hash = "28922d75109cf3da4807e08588e076f1496c14ea462a1c8dedb1d1a734f1fb48" score = 75 quality = 70 tags = "BACKDOOR, FILE" @@ -201974,14 +201974,14 @@ rule TRELLIX_ARC_Apt_Elise_Pdb : BACKDOOR FILE meta: description = "Rule to detect Elise APT based on the PDB reference" author = "Marc Rivero | McAfee ATR Team" - id = "64ec5d5c-34f4-51b8-8617-e8d54a7182e4" + id = "cc8dd203-baad-5800-ba2c-f9c47d8ca6f0" date = "2017-05-31" modified = "2020-08-14" reference = "https://attack.mitre.org/software/S0081/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_elise_pdb.yar#L1-L29" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "b426dbe0f281fe44495c47b35c0fb61b28558b5c8d9418876e22ec3de4df9e7b" - logic_hash = "v1_sha256_bb7eee8082aa0f6634a8c4cdb9cbe0e2a7f00b97e48609c81a21bdaac64a5496" + logic_hash = "bb7eee8082aa0f6634a8c4cdb9cbe0e2a7f00b97e48609c81a21bdaac64a5496" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -202006,14 +202006,14 @@ rule TRELLIX_ARC_Apt_Gauss_Pdb : BACKDOOR FILE meta: description = "Rule to detect Gauss based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "2ec81166-fa58-59be-b429-0a0b15888b67" + id = "209223cc-16e5-5596-8744-21ad71b5ec2a" date = "2012-08-14" modified = "2020-08-14" reference = "https://securelist.com/the-mystery-of-the-encrypted-gauss-payload-5/33561/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/gauss_pdb.yar#L1-L25" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "7b0d0612b4ecc889a901115c2e77776ef0ea65c056b283d12e80f863062cea28" - logic_hash = "v1_sha256_cb20c87ea976f395e000f2c631ffd52b09dca2af37adceafe5be72b37f75a997" + logic_hash = "cb20c87ea976f395e000f2c631ffd52b09dca2af37adceafe5be72b37f75a997" score = 75 quality = 70 tags = "BACKDOOR, FILE" @@ -202034,13 +202034,13 @@ rule TRELLIX_ARC_Hermeticwiper : TROJAN FILE meta: description = "Detecting variants of Hermetic Wiper malware discovered in UA" author = " cb @ Trellix ATR" - id = "0ad4ad32-cce3-5039-910d-f28c4e366194" + id = "fc6d9238-b732-541d-b083-11b43fe8770d" date = "2022-02-24" modified = "2022-02-24" reference = "https://github.com/advanced-threat-research/Yara-Rules/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Troj_HermWiper.yar#L1-L27" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" - logic_hash = "v1_sha256_b48e91afa19e09c7035ccda1b9293448e834d612b9a953b593f9412acb78faac" + logic_hash = "b48e91afa19e09c7035ccda1b9293448e834d612b9a953b593f9412acb78faac" score = 75 quality = 70 tags = "TROJAN, FILE" 
@@ -202068,14 +202068,14 @@ rule TRELLIX_ARC_Troy_Malware_Campaign_Pdb : BACKDOOR FILE meta: description = "Rule to detect the Operation Troy based on the PDB" author = "Marc Rivero | McAfee ATR Team" - id = "cdebd6a3-6160-566f-94e0-4b331a51d872" + id = "c1fc5b9c-104f-5d07-86ee-5a54d9731f04" date = "2013-06-23" modified = "2020-08-14" reference = "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_operation_troy.yar#L1-L26" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "2ca6b7e9488c1e9f39392e696704ad3f2b82069e35bc8001d620024ebbf2d65a" - logic_hash = "v1_sha256_a64b4aa082c45d1753ad30ba2f67df0ef5b7658c3c99e031ef747eb4e6c7bb00" + logic_hash = "a64b4aa082c45d1753ad30ba2f67df0ef5b7658c3c99e031ef747eb4e6c7bb00" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -202097,14 +202097,14 @@ rule TRELLIX_ARC_Apt_Manitsme_Trojan : TROJAN FILE meta: description = "Rule to detect the Manitsme trojan" author = "Marc Rivero | McAfee ATR Team" - id = "a9b9cc87-b911-5b95-a9ca-023995f64c8c" + id = "49e0c934-6920-5e49-837c-27ebbbd5a1a2" date = "2013-03-08" modified = "2020-08-14" reference = "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_manitsme_trojan_pdb.yar#L1-L36" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "c1c0ea096ec4d36c1312171de2a9ebe258c588528a20dbb06a7e3cf97bf1e197" - logic_hash = "v1_sha256_584053145249a930d3eae5e291d3553c57fa427dbecac9f04e7c0169f153b7af" + logic_hash = "584053145249a930d3eae5e291d3553c57fa427dbecac9f04e7c0169f153b7af" score = 75 quality = 70 tags = "TROJAN, FILE" @@ -202136,14 +202136,14 @@ rule TRELLIX_ARC_Apt_Mirage_Pdb : TROJAN FILE meta: description = "Rule to detect Mirage samples based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "1216b9b2-85d8-5045-9599-a5e142acd2c3" + id = "49b7623f-a2c9-52e4-8679-d62f6aae99ca" date = "2012-09-18" modified = "2020-08-14" reference = "https://www.secureworks.com/research/the-mirage-campaign" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_mirage_pdb.yar#L1-L26" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "0107a12f05bea4040a467dd5bc5bd130fd8a4206a09135d452875da89f121019" - logic_hash = "v1_sha256_cb88dc787d9964451ea93f5574d9c73ae6a820d81e20d41c3c8ee44c3fee032d" + logic_hash = "cb88dc787d9964451ea93f5574d9c73ae6a820d81e20d41c3c8ee44c3fee032d" score = 75 quality = 70 tags = "TROJAN, FILE" 
@@ -202165,14 +202165,14 @@ rule TRELLIX_ARC_Apt_Flamer_Pdb : BACKDOOR FILE meta: description = "Rule to detect Flamer based on the PDB" author = "Marc Rivero | McAfee ATR Team" - id = "9351a710-1c32-59cc-84f1-30dfc6ea4f3e" + id = "3bbe043d-c0dc-5aa2-b985-800a6d9038fd" date = "2012-05-29" modified = "2020-08-14" reference = "https://www.forcepoint.com/ko/blog/x-labs/flameflamerskywiper-one-most-advanced-malware-found-yet" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/flamer_pdb.yar#L1-L25" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "554924ebdde8e68cb8d367b8e9a016c5908640954ec9fb936ece07ac4c5e1b75" - logic_hash = "v1_sha256_3c1d3d015e086cff1f3d5add39397d8ed251b12144b31d8547165cbd0217735c" + logic_hash = "3c1d3d015e086cff1f3d5add39397d8ed251b12144b31d8547165cbd0217735c" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -202193,14 +202193,14 @@ rule TRELLIX_ARC_Chimera_Recordedtv_Modified : TROJAN FILE meta: description = "Rule to detect the modified version of RecordedTV.ms found in the Operation Skeleton" author = "Marc Rivero | McAfee ATR Team" - id = "a34f08f5-ac1c-5a8e-a463-a82fff4bea18" + id = "b0969713-41a4-550c-9545-f02783fa8d02" date = "2020-04-21" modified = "2020-08-14" reference = "https://medium.com/@cycraft_corp/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_operation_skeleton.yar#L1-L33" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "66f13964c87fc6fe093a9d8cc0de0bf2b3bdaea9564210283fdb97a1dde9893b" - logic_hash = "v1_sha256_7165779b66999259a079fa68f898c5f9fb634adcb9d249366d321dff1014184b" + logic_hash = "7165779b66999259a079fa68f898c5f9fb634adcb9d249366d321dff1014184b" score = 75 quality = 70 tags = "TROJAN, FILE" @@ -202225,13 +202225,13 @@ rule TRELLIX_ARC_Apt_Nix_Elf_Derusbi : BACKDOOR FILE meta: description = "Rule to detect the APT Derusbi ELF file" author = "Marc Rivero | McAfee ATR Team" - id = "b820ab97-c118-50e0-ba65-14f271c52aed" + id = "3b1c9644-7279-5e2c-8891-f03ca78cf3b7" date = "2017-05-31" modified = "2020-08-14" reference = "https://attack.mitre.org/software/S0021/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Derusbi.yar#L1-L61" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" - logic_hash = "v1_sha256_0a83566a0540d28d1cc0ebee01d29d15ddc86cabff9044fd8a198b847ba24c50" + logic_hash = "0a83566a0540d28d1cc0ebee01d29d15ddc86cabff9044fd8a198b847ba24c50" score = 75 quality = 68 tags = "BACKDOOR, FILE" 
@@ -202288,13 +202288,13 @@ rule TRELLIX_ARC_Apt_Nix_Elf_Derusbi_Kernelmodule : BACKDOOR FILE meta: description = "Rule to detect the Derusbi ELK Kernel module" author = "Marc Rivero | McAfee ATR Team" - id = "3b7630f1-a94c-5f41-b7c5-c9a82469ed71" + id = "1614a63d-c5d1-5ce1-a5b8-eb48325f60e6" date = "2017-05-31" modified = "2020-08-14" reference = "https://attack.mitre.org/software/S0021/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Derusbi.yar#L63-L105" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" - logic_hash = "v1_sha256_0b86e96ef616e926f0d665e2bd013f2773461483176c68bd5e7c7d059ac13d78" + logic_hash = "0b86e96ef616e926f0d665e2bd013f2773461483176c68bd5e7c7d059ac13d78" score = 75 quality = 70 tags = "BACKDOOR, FILE" @@ -202334,13 +202334,13 @@ rule TRELLIX_ARC_Apt_Nix_Elf_Derusbi_Linux_Sharedmemcreation : BACKDOOR FILE meta: description = "Rule to detect Derusbi Linux Shared Memory creation" author = "Marc Rivero | McAfee ATR Team" - id = "b8d64f98-bde3-5da2-9e4e-9a10a4b47665" + id = "8d2db62e-22fa-5bbe-ab65-f294fc911b82" date = "2017-05-31" modified = "2020-08-14" reference = "https://attack.mitre.org/software/S0021/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Derusbi.yar#L107-L130" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" - logic_hash = "v1_sha256_095af979728f3b71e3192140306e4aa76011e07a25b20b0c5b3b98db41411714" + logic_hash = "095af979728f3b71e3192140306e4aa76011e07a25b20b0c5b3b98db41411714" score = 75 quality = 70 tags = "BACKDOOR, FILE" 
@@ -202361,13 +202361,13 @@ rule TRELLIX_ARC_Apt_Nix_Elf_Derusbi_Linux_Strings : BACKDOOR FILE meta: description = "Rule to detect APT Derusbi Linux Strings" author = "Marc Rivero | McAfee ATR Team" - id = "f0f6f41a-ce7d-5d53-9802-c4079c7b7e21" + id = "09e47580-9b20-5461-943e-32b932c36214" date = "2017-05-31" modified = "2020-08-14" reference = "https://attack.mitre.org/software/S0021/" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_Derusbi.yar#L132-L173" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" - logic_hash = "v1_sha256_0e95497c44a0c1d85936a6a072063720a771b7e1eb8da2377e54577e3fc2764e" + logic_hash = "0e95497c44a0c1d85936a6a072063720a771b7e1eb8da2377e54577e3fc2764e" score = 75 quality = 68 tags = "BACKDOOR, FILE" @@ -202401,13 +202401,13 @@ rule TRELLIX_ARC_Apt_Hikit_Rootkit : ROOTKIT FILE meta: description = "Rule to detect the rootkit hikit based on PDB" author = "Marc Rivero | McAfee ATR Team" - id = "6ba6e964-7289-5dfd-b9b1-706f17fd44a5" + id = "c53acbc6-8f4a-590b-8dd7-ce4da6d79cf8" date = "2012-08-20" modified = "2020-08-14" reference = "https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_hikit_rootkit_pdb.yar#L1-L28" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" - logic_hash = "v1_sha256_8a425ababdfbe95bd8ac7d4f519be16c0f1fd0b7eea2874124db2f00dd6eb56d" + logic_hash = "8a425ababdfbe95bd8ac7d4f519be16c0f1fd0b7eea2874124db2f00dd6eb56d" score = 75 quality = 70 tags = "ROOTKIT, FILE" 
@@ -202431,14 +202431,14 @@ rule TRELLIX_ARC_Apt_Babar_Malware : BACKDOOR FILE meta: description = "Rule to detect Babar malware" author = "Marc Rivero | McAfee ATR Team" - id = "0a84f105-2ad2-5f1e-9e2c-4bdcd2c65562" + id = "3cbb63ce-ff93-51ee-93aa-2594fa1f8dad" date = "2015-02-18" modified = "2020-08-14" reference = "http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france" source_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/APT/APT_babar_pdb.yar#L1-L35" license_url = "https://github.com/advanced-threat-research/Yara-Rules//blob/fc51a3fe3b450838614a5a5aa327c6bd8689cbb2/LICENSE" hash = "c72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf" - logic_hash = "v1_sha256_02acef92691caed4573b609c111302427b9c27c5ef93f9199c52d75cb13e8615" + logic_hash = "02acef92691caed4573b609c111302427b9c27c5ef93f9199c52d75cb13e8615" score = 75 quality = 45 tags = "BACKDOOR, FILE" @@ -202468,7 +202468,7 @@ rule TRELLIX_ARC_Apt_Babar_Malware : BACKDOOR FILE * YARA Rule Set * Repository Name: Arkbird SOLG * Repository: https://github.com/StrangerealIntel/DailyIOC - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: a873ff1298c43705e9c67286f3014f4300dd04f7 * Number of Rules: 215 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance) 
@@ -202483,13 +202483,13 @@ rule ARKBIRD_SOLG_Ran_Onyxlocker_Nov_2020_1 : FILE meta: description = "Detect OnyxLocker ransomware" author = "Arkbird_SOLG" - id = "ab9d2568-6fef-5908-9759-074c920012b5" + id = "bb7d914c-a074-5d79-a5d2-43c5a0adf49e" date = "2020-11-18" modified = "2020-11-18" reference = "https://twitter.com/Kangxiaopao/status/1328614320016560128" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-18/OnyxLocker/Ran_OnyxLocker_Nov_2020_1.yar#L1-L27" license_url = "N/A" - logic_hash = "v1_sha256_1ccca1040acee5bb937fd5ebb3536f8c644d3586229d01457d780bef5fcb57a1" + logic_hash = "1ccca1040acee5bb937fd5ebb3536f8c644d3586229d01457d780bef5fcb57a1" score = 75 quality = 71 tags = "FILE" @@ -202521,13 +202521,13 @@ rule ARKBIRD_SOLG_APT_MAL_Donot_Loader_June_2020_1 : FILE meta: description = "Detect loader malware used by APT Donot for drops the final stage" author = "Arkbird_SOLG" - id = "ac09f6f0-3043-54d9-a368-8201fbcb5a64" + id = "ec4cac12-529f-56d2-bbc0-5fe30424b10b" date = "2020-06-22" modified = "2020-06-22" reference = "https://twitter.com/ccxsaber/status/1274978583463649281" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-22/APT_MAL_Donot_Loader_June_2020_1.yar#L3-L22" license_url = "N/A" - logic_hash = "v1_sha256_986deffd48c1fb707948b00e1e200fa6538d4c73a32ab89f5119403f9bf0d734" + logic_hash = "986deffd48c1fb707948b00e1e200fa6538d4c73a32ab89f5119403f9bf0d734" score = 75 quality = 75 tags = "FILE" 
@@ -202552,13 +202552,13 @@ rule ARKBIRD_SOLG_APT_Tardigrade_Nov_2021_1 : FILE meta: description = "Detect Tardigrade loader" author = "Arkbird_SOLG" - id = "4db7b343-d4fb-5322-a414-addd226d1a13" + id = "f6c8014a-21dd-5ebd-9edd-7a9f649a43a0" date = "2021-11-22" modified = "2021-11-23" reference = "https://www.isac.bio/post/tardigrade" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-22/APT_Tardigrade_Nov_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_98358d9dbf62e653b136268d8694ed4d7f48c80125dd12ccea5f36ff5c6b4a3c" + logic_hash = "98358d9dbf62e653b136268d8694ed4d7f48c80125dd12ccea5f36ff5c6b4a3c" score = 75 quality = 75 tags = "FILE" @@ -202582,13 +202582,13 @@ rule ARKBIRD_SOLG_RAN_Nemty_June_2021_1 : FILE meta: description = "Detect Nemty ransomware" author = "Arkbird_SOLG" - id = "44fb8759-2b05-500f-852d-a6669500a05a" + id = "1c7994b8-7479-5679-91a5-e3ca4b2e7fde" date = "2021-06-12" modified = "2021-06-13" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-12/Nemty/RAN_Nemty_June_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_25a9e82ae1e950e1c71d6dfa120efd1a2ba39cbf8e9c2cd4ba4e67ce7dabc45e" + logic_hash = "25a9e82ae1e950e1c71d6dfa120efd1a2ba39cbf8e9c2cd4ba4e67ce7dabc45e" score = 75 quality = 75 tags = "FILE" 
@@ -202612,13 +202612,13 @@ rule ARKBIRD_SOLG_APT_APT28_Zekapab_Mar_2021_1 : FILE meta: description = "Detect Zekapab used by APT28 group" author = "Arkbird_SOLG" - id = "dd9fe522-fce9-5202-a0e8-da5eff659095" + id = "634f32dd-8bcf-5c58-a335-9b66ff568a54" date = "2021-03-15" modified = "2021-03-15" reference = "https://twitter.com/DrunkBinary/status/1371423755608719360" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-15/APT28/APT_APT28_Zekapab_Mar_2021_1.yar#L1-L25" license_url = "N/A" - logic_hash = "v1_sha256_dabaab47c193a05620d282a00b6b47f710cfa6b1efc699ea5d47267d10cfdcb6" + logic_hash = "dabaab47c193a05620d282a00b6b47f710cfa6b1efc699ea5d47267d10cfdcb6" score = 60 quality = 23 tags = "FILE" @@ -202648,13 +202648,13 @@ rule ARKBIRD_SOLG_RAN_Medusalocker_July_2021_1 : FILE meta: description = "Detect MedusaLocker ransomware" author = "Arkbird_SOLG" - id = "84c43564-b55d-52ac-ba06-1c883026a725" + id = "7eec35ac-f1ec-596b-8224-ef27e31e841c" date = "2021-07-25" modified = "2021-08-08" reference = "https://twitter.com/r3dbU7z/status/1418433910057353217" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-25/MedusaLocker/RAN_MedusaLocker_July_2021_1.yara#L1-L28" license_url = "N/A" - logic_hash = "v1_sha256_541665541c07b585a7dfa024f85516b7be94d7d8d76a85e58c8c3b71fd0550ff" + logic_hash = "541665541c07b585a7dfa024f85516b7be94d7d8d76a85e58c8c3b71fd0550ff" score = 75 quality = 73 tags = "FILE" 
@@ -202686,13 +202686,13 @@ rule ARKBIRD_SOLG_APT_Chimera_Sept_2020_1 : FILE meta: description = "Detect Cobalt Strike agent used by Chimera" author = "Arkbird_SOLG" - id = "a518ec2f-3ff0-5549-99e2-3a5f62d3b008" + id = "7a7c3952-fa6e-5643-a40f-d2e466b8c2a2" date = "2020-10-03" modified = "2020-10-04" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-03/Chimera/APT_Chimera_Sept_2020_1.yar#L1-L23" license_url = "N/A" - logic_hash = "v1_sha256_8fdb34c793534f8632fd2c35b89462d4a736a31f2347e7bab3e8bcebff04c21f" + logic_hash = "8fdb34c793534f8632fd2c35b89462d4a736a31f2347e7bab3e8bcebff04c21f" score = 75 quality = 75 tags = "FILE" @@ -202719,13 +202719,13 @@ rule ARKBIRD_SOLG_APT_Turla_Ironpython_Apr_2021_1 : FILE meta: description = "Detect IronPython script used by Turla group" author = "Arkbird_SOLG" - id = "1bbc212e-ab0e-5d4b-b645-4fa056a48496" + id = "303929d4-2c43-5e43-aeb0-09f469f7091b" date = "2021-04-30" modified = "2021-05-01" reference = "https://twitter.com/DrunkBinary/status/1388332507695919104" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-01/Turla/APT_Turla_IronPython_Apr_2021_1.yara#L1-L26" license_url = "N/A" - logic_hash = "v1_sha256_f6b626cddb4832f842a15eddce705fb24125e4341c425cf27dbbe537e2a98bdc" + logic_hash = "f6b626cddb4832f842a15eddce705fb24125e4341c425cf27dbbe537e2a98bdc" score = 75 quality = 57 tags = "FILE" 
@@ -202756,13 +202756,13 @@ rule ARKBIRD_SOLG_RAN_ELF_Darkside_Apr_2021_1 : FILE meta: description = "Detect the ELF version of Darkside ransomware" author = "Arkbird_SOLG" - id = "7fd663ef-3a35-5776-a221-d3f7006acde5" + id = "10c0ba57-d6d6-5d1d-bd2a-f6f240d71f8b" date = "2021-05-01" modified = "2021-05-02" reference = "https://twitter.com/JAMESWT_MHT/status/1388301138437578757" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-01/Darkside/RAN_ELF_Darkside_Apr_2021_1.yara#L1-L23" license_url = "N/A" - logic_hash = "v1_sha256_510932893e1e81d6c88e86c7ae2345460b397c936336c7e1a33799dbc1dd6aab" + logic_hash = "510932893e1e81d6c88e86c7ae2345460b397c936336c7e1a33799dbc1dd6aab" score = 75 quality = 75 tags = "FILE" @@ -202790,13 +202790,13 @@ rule ARKBIRD_SOLG_Ran_Babuklockers_Jan_2021_1 : FILE meta: description = "Detect the BabukLocker ransomware" author = "Arkbird_SOLG" - id = "f8c6b874-cbdc-5a7b-8fbf-c5444927dd27" + id = "a3bad41d-59fb-564f-a352-ca38af582c08" date = "2020-01-03" modified = "2021-01-03" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-01-02/BabukLocker/Ran_BabukLockers_Jan_2021_1.yar#L1-L23" license_url = "N/A" - logic_hash = "v1_sha256_8939e408948dd7b17acdac5c6b5f50db24ec63f19937b8663a15f52b678d0065" + logic_hash = "8939e408948dd7b17acdac5c6b5f50db24ec63f19937b8663a15f52b678d0065" score = 50 quality = 75 tags = "FILE" 
@@ -202821,13 +202821,13 @@ rule ARKBIRD_SOLG_APT_Molerats_Feb_2021_1 : FILE
 meta:
 description = "Detect Molerats implants"
 author = "Arkbird_SOLG"
- id = "33ad6a4a-3292-5b76-ab77-e2590d2c8d04"
+ id = "8ede3aa9-9788-52a5-91a7-bb160daad5ba"
 date = "2021-02-27"
 modified = "2021-03-01"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-02-28/Molerats/APT_Molerats_Feb_2021_1.yar#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_fbd98f088019434f736107dfe62a307e2c57d0288d68f3133a13de59bf318aea"
+ logic_hash = "fbd98f088019434f736107dfe62a307e2c57d0288d68f3133a13de59bf318aea"
 score = 75
 quality = 75
 tags = "FILE"
@@ -202852,13 +202852,13 @@ rule ARKBIRD_SOLG_APT_APT34_RDAT_July_2021_1 : FILE
 meta:
 description = "Detect RDAT used by APT34"
 author = "Arkbird_SOLG"
- id = "493dec6c-2b90-57a0-a4d4-e71798d220c0"
+ id = "136f8a9e-e680-5fab-8113-b4d33a47bc34"
 date = "2021-07-15"
 modified = "2021-07-16"
 reference = "https://twitter.com/ShadowChasing1/status/1415206437806960647"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-15/APT34/APT_APT34_RDAT_July_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_269788430ca8faff4b0ea5ec7c2a62f99f5f48ef3bc4ea3f7a27f1d735e64819"
+ logic_hash = "269788430ca8faff4b0ea5ec7c2a62f99f5f48ef3bc4ea3f7a27f1d735e64819"
 score = 75
 quality = 75
 tags = "FILE"
@@ -202884,13 +202884,13 @@ rule ARKBIRD_SOLG_WIP_Meteorexpress_Aug_2021_1 : FILE
 meta:
 description = "Detect MeteorExpress/BreakWin wiper"
 author = "Arkbird_SOLG"
- id = "7b6d2152-c175-514a-bfce-99cdaaefdcf7"
+ id = "6dffc8c9-ccd0-5cf3-8f3c-38adad8508b2"
 date = "2021-08-06"
 modified = "2021-08-07"
 reference = "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-07/BreakWin/WIP_MeteorExpress_Aug_2021_1.yara#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_80e40479d699b988d1282e407edd51b5e3ea796ebf380d82f5a5aafaacafe75d"
+ logic_hash = "80e40479d699b988d1282e407edd51b5e3ea796ebf380d82f5a5aafaacafe75d"
 score = 75
 quality = 71
 tags = "FILE"
@@ -202920,13 +202920,13 @@ rule ARKBIRD_SOLG_Tool_Efspotatoe_Aug_2021_2 : FILE
 meta:
 description = "Detect EFSPotatoe tool (Generic rule)"
 author = "Arkbird_SOLG"
- id = "54a39454-2cdb-5a1c-9697-64cc64bf9644"
+ id = "f40673da-7b16-5657-ba9a-f3f13034ad12"
 date = "2021-08-27"
 modified = "2021-08-29"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Lockfile/Tool_EFSPotatoe_Aug_2021_2.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_eedad68d3192908fea2109c7fa51a2e38e31ed666424307318ac2123b95d1cd3"
+ logic_hash = "eedad68d3192908fea2109c7fa51a2e38e31ed666424307318ac2123b95d1cd3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -202951,13 +202951,13 @@ rule ARKBIRD_SOLG_MAL_Loader_Lockfile_Aug_2021_1 : FILE
 meta:
 description = "Detect loader used by lockerfile group"
 author = "Arkbird_SOLG"
- id = "563abea6-ed1a-569d-b971-2a208c27fdf0"
+ id = "031335f3-e6c7-5e94-af23-c7fb254203b7"
 date = "2021-08-28"
 modified = "2021-08-29"
 reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Lockfile/MAL_loader_Lockfile_Aug_2021_1.yara#L1-L16"
 license_url = "N/A"
- logic_hash = "v1_sha256_622a673d5cb9832cf0abc9942bf0e1f64bcdbd99524dea0bd64698fffa815a9b"
+ logic_hash = "622a673d5cb9832cf0abc9942bf0e1f64bcdbd99524dea0bd64698fffa815a9b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -202978,13 +202978,13 @@ rule ARKBIRD_SOLG_Tool_Efspotatoe_Aug_2021_1 : FILE
 meta:
 description = "Detect custom .NET variant EFSPotatoe tool"
 author = "Arkbird_SOLG"
- id = "5f40b39e-145f-56f4-a861-325cd8f2340e"
+ id = "614a6543-89ce-5f75-9933-766fd1e5458b"
 date = "2021-08-27"
 modified = "2021-08-29"
 reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Lockfile/Tool_EFSPotatoe_Aug_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_a9fed543aeaba380688ec59034b0e8c90fc0bea986085958966101bd44cf480f"
+ logic_hash = "a9fed543aeaba380688ec59034b0e8c90fc0bea986085958966101bd44cf480f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203008,13 +203008,13 @@ rule ARKBIRD_SOLG_MAL_Kernel_Driver_Aug_2021_1 : FILE
 meta:
 description = "Detect kernel driver used by lockfile group"
 author = "Arkbird_SOLG"
- id = "689bc562-000f-5111-9e6b-e159890ff82e"
+ id = "80bf5286-6da6-5380-ad14-345d8122d3d4"
 date = "2021-08-28"
 modified = "2021-08-29"
 reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Lockfile/MAL_Kernel_Driver_Aug_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_225bd5995d3f1ed4c0bcb43c862662c9e5badd96a87d779d3bc6f1809d0ce3bb"
+ logic_hash = "225bd5995d3f1ed4c0bcb43c862662c9e5badd96a87d779d3bc6f1809d0ce3bb"
 score = 75
 quality = 50
 tags = "FILE"
@@ -203040,13 +203040,13 @@ rule ARKBIRD_SOLG_RAN_Lockfile_Packed_Aug_2021_1 : FILE
 meta:
 description = "Detect lockfile ransomware (Packed version)"
 author = "Arkbird_SOLG"
- id = "2481b8a0-bb64-58da-8c37-87ec44dbe224"
+ id = "7c1631d0-5bec-5b44-b4b2-5ddf1dbd7222"
 date = "2021-08-28"
 modified = "2021-08-29"
 reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Lockfile/RAN_Lockfile_Packed_Aug_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_a52b2715d505a657c3cd7cd31efb47c16a0ec943a4e1b742bd3ec5c6e46495c9"
+ logic_hash = "a52b2715d505a657c3cd7cd31efb47c16a0ec943a4e1b742bd3ec5c6e46495c9"
 score = 50
 quality = 75
 tags = "FILE"
@@ -203069,13 +203069,13 @@ rule ARKBIRD_SOLG_MAL_Killproc_Aug_2021_1 : FILE
 meta:
 description = "Detect KillProc driver used by Night Dragon for kill process before encryption"
 author = "Arkbird_SOLG"
- id = "d20c107f-4b9b-5e56-a732-1f0ae79b467a"
+ id = "b0d6a21d-f451-58c9-b640-ad57feec7c38"
 date = "2021-08-27"
 modified = "2021-08-29"
 reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Lockfile/MAL_KillProc_Aug_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_d24634e7719e3b6be3322b07c3e754e8c1275c73102c6d7f8d9abaae9887a0da"
+ logic_hash = "d24634e7719e3b6be3322b07c3e754e8c1275c73102c6d7f8d9abaae9887a0da"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203101,13 +203101,13 @@ rule ARKBIRD_SOLG_RAN_Lockfile_Aug_2021_1 : FILE
 meta:
 description = "Detect Lockfile ransomware (unpacked version)"
 author = "Arkbird_SOLG"
- id = "99bc3c19-8185-5a81-b566-cf80f340ba47"
+ id = "4abe2e70-5df9-5c5c-ac11-0c958d5430b7"
 date = "2021-08-28"
 modified = "2021-08-29"
 reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Lockfile/RAN_Lockfile_Aug_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_6fc04316b8b4790494a8c88c8435245a051b2757e5936a5ef95cae2f05907b63"
+ logic_hash = "6fc04316b8b4790494a8c88c8435245a051b2757e5936a5ef95cae2f05907b63"
 score = 50
 quality = 75
 tags = "FILE"
@@ -203131,13 +203131,13 @@ rule ARKBIRD_SOLG_MAL_Luna_Stealer_Apr_2021_1 : FILE
 meta:
 description = "Detect Luna stealer (also Mercurial Grabber)"
 author = "Arkbird_SOLG"
- id = "daa74f29-58df-5ef9-b9cc-5da518ba7d7b"
+ id = "2fecce99-5869-5de0-afae-6dc245748fa6"
 date = "2021-08-29"
 modified = "2021-08-30"
 reference = "https://github.com/NightfallGT/Mercurial-Grabber"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-29/Luna/MAL_Luna_Stealer_Apr_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_934ded815c262fa8bee38638e17ed8c2b1f0dcad28037bf1d525e11bf7e34dce"
+ logic_hash = "934ded815c262fa8bee38638e17ed8c2b1f0dcad28037bf1d525e11bf7e34dce"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203164,13 +203164,13 @@ rule ARKBIRD_SOLG_APT_APT34_RDAT_Feb_2021_1 : FILE
 meta:
 description = "Detect Installer from APT34 group"
 author = "Arkbird_SOLG"
- id = "246b917b-66fd-5e52-9dd8-c04bd398dbf8"
+ id = "32f28376-e792-543b-82f7-36ec627b4fab"
 date = "2021-02-26"
 modified = "2021-02-27"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-02-26/APT34/APT_APT34_RDAT_Feb_2021_1.yar#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_61ea6eceda0c7d6ec15db87891c4322002c112383c7a4d0089e35db9636bbe73"
+ logic_hash = "61ea6eceda0c7d6ec15db87891c4322002c112383c7a4d0089e35db9636bbe73"
 score = 50
 quality = 73
 tags = "FILE"
@@ -203194,13 +203194,13 @@ rule ARKBIRD_SOLG_RAN_Biglock_Jun_2021_1 : FILE
 meta:
 description = "Detect BigLock ransomware"
 author = "Arkbird_SOLG"
- id = "73e4687e-f675-527c-bd39-36b6e73f19f6"
+ id = "6a3fbb70-034d-5932-8c7f-de8d1b3df25c"
 date = "2021-06-05"
 modified = "2021-06-05"
 reference = "https://twitter.com/fbgwls245/status/1400971422336311297"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-05/BigLock/RAN_BigLock_Jun_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_f8407f39c4acef3546f8ddc22a04fb0534c5e1fa08d552654d9b9ebdf48fed94"
+ logic_hash = "f8407f39c4acef3546f8ddc22a04fb0534c5e1fa08d552654d9b9ebdf48fed94"
 score = 50
 quality = 75
 tags = "FILE"
@@ -203223,13 +203223,13 @@ rule ARKBIRD_SOLG_Mal_Boxcaon_Jul_2021_1 : FILE
 meta:
 description = "Detect the BoxCaon malware"
 author = "Arkbird_SOLG"
- id = "4151cd87-4aef-5675-9c7f-9e9bbc7d6434"
+ id = "5f456b73-02f9-5dd7-973e-bde20dcddd27"
 date = "2021-07-01"
 modified = "2021-07-02"
 reference = "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-02/IndigoZebra/Mal_BoxCaon_Jul_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_c7dfce8d7a451817a80897d5cb02cec5aba52f86ece0286353865b7d391e2ffc"
+ logic_hash = "c7dfce8d7a451817a80897d5cb02cec5aba52f86ece0286353865b7d391e2ffc"
 score = 75
 quality = 46
 tags = "FILE"
@@ -203256,13 +203256,13 @@ rule ARKBIRD_SOLG_Mal_Xcaon_Jul_2021_1 : FILE
 meta:
 description = "Detect the xCaon malware"
 author = "Arkbird_SOLG"
- id = "d4b58a27-ec71-5b20-bdcf-16753545884e"
+ id = "bcd5a52d-9547-5709-95f4-9d1f956f623c"
 date = "2021-07-01"
 modified = "2021-07-02"
 reference = "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-02/IndigoZebra/Mal_xCaon_Jul_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_9c3e3d0035596323a505404ecc067bd2b87a4b0ac7499f1c87aac015f59eb65a"
+ logic_hash = "9c3e3d0035596323a505404ecc067bd2b87a4b0ac7499f1c87aac015f59eb65a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203288,13 +203288,13 @@ rule ARKBIRD_SOLG_APT_Turla_Bigboss_Apr_2021_1 : FILE
 meta:
 description = "Detects new BigBoss implants (SilentMoon/GoldenSky)"
 author = "Arkbird_SOLG"
- id = "b815d9fc-2b0d-5fb2-9d1e-326aa6ee5a03"
+ id = "6f6c8d1e-f2c7-5f08-b1dc-ce726c6d89be"
 date = "2021-04-06"
 modified = "2021-07-17"
 reference = "https://twitter.com/DrunkBinary/status/1304086230540390400"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-17/BigBoss/APT_Turla_BigBoss_Apr_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_ce0ffdad9eecb79128b6c08c87914f356c86ac631655c76905a06d953add3998"
+ logic_hash = "ce0ffdad9eecb79128b6c08c87914f356c86ac631655c76905a06d953add3998"
 score = 75
 quality = 71
 tags = "FILE"
@@ -203320,13 +203320,13 @@ rule ARKBIRD_SOLG_Ran_Conti_Loader_V3_Nov_2020_1 : FILE
 meta:
 description = "Detect Conti V3 loader"
 author = "Arkbird_SOLG"
- id = "0d84d0bd-0c90-5c3e-86e1-cfd91099d6db"
+ id = "9541b9f8-befe-5bf4-88ee-b1cc5e92f927"
 date = "2020-12-15"
 modified = "2020-12-15"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-15/Conti/Ran_Conti_V3_Nov_2020_1.yar#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_c3c8530e1963c5af8ee93a5d2cc222abbeb3fb7e82ef6de2068795a38dca67aa"
+ logic_hash = "c3c8530e1963c5af8ee93a5d2cc222abbeb3fb7e82ef6de2068795a38dca67aa"
 score = 50
 quality = 71
 tags = "FILE"
@@ -203350,13 +203350,13 @@ rule ARKBIRD_SOLG_Ran_Conti_V3_Nov_2020_1 : FILE
 meta:
 description = "Detect Conti V3 ransomware"
 author = "Arkbird_SOLG"
- id = "824971c4-69ed-5e0c-ad98-49255a9b4e81"
+ id = "89702af3-664a-5c4a-8d2b-f195f5dddb6f"
 date = "2020-12-15"
 modified = "2020-12-15"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-15/Conti/Ran_Conti_V3_Nov_2020_1.yar#L24-L43"
 license_url = "N/A"
- logic_hash = "v1_sha256_2c8f2fd9b155bb4fdb1304b4d7f683bc679780d079d8bbe4fb308f94769f1392"
+ logic_hash = "2c8f2fd9b155bb4fdb1304b4d7f683bc679780d079d8bbe4fb308f94769f1392"
 score = 50
 quality = 75
 tags = "FILE"
@@ -203378,13 +203378,13 @@ rule ARKBIRD_SOLG_MAL_Mysterysnail_RAT_Oct_2021_1 : FILE
 meta:
 description = "Detect MysterySnaial RAT implant"
 author = "Arkbird_SOLG"
- id = "a277f1df-82bd-532c-a00f-206a811fe44d"
+ id = "2fa5015a-144f-52f6-8a5f-28fce10861e3"
 date = "2021-10-13"
 modified = "2021-10-14"
 reference = "https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-14/MAL_MysterySnail_RAT_Oct_2021_1.yara#L1-L25"
 license_url = "N/A"
- logic_hash = "v1_sha256_bcf072fae02b479084b8d47b4cd676216f72aecfa4ebcf8226b6997839929b57"
+ logic_hash = "bcf072fae02b479084b8d47b4cd676216f72aecfa4ebcf8226b6997839929b57"
 score = 50
 quality = 75
 tags = "FILE"
@@ -203410,13 +203410,13 @@ rule ARKBIRD_SOLG_Loader_JAVA_Kinsing_Aug_2020_Variant_A_1 : FILE
 meta:
 description = "Detect Kinsing Variant A"
 author = "Arkbird_SOLG"
- id = "20f2f726-2532-5b88-bcec-cc6c122f7ef0"
+ id = "470fd4a6-faba-52b5-8ffa-5ac33fb607a0"
 date = "2020-08-28"
 modified = "2020-08-29"
 reference = "https://twitter.com/JAMESWT_MHT/status/1299222198574632961"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-28/Loader_JAVA_Kinsing_Aug_2020_1.yar#L2-L30"
 license_url = "N/A"
- logic_hash = "v1_sha256_a9654b67ca6fb5de23d385707f01196d6d1c85e527d2bdbe312a2b2fcf998dc0"
+ logic_hash = "a9654b67ca6fb5de23d385707f01196d6d1c85e527d2bdbe312a2b2fcf998dc0"
 score = 75
 quality = 67
 tags = "FILE"
@@ -203449,13 +203449,13 @@ rule ARKBIRD_SOLG_Loader_JAVA_Kinsing_Aug_2020_Variant_B_1 : FILE
 meta:
 description = "Detect Kinsing Variant B"
 author = "Arkbird_SOLG"
- id = "b85d8922-7dea-5b90-93f3-379b27d6bfeb"
+ id = "7e0f9826-806c-5801-aab5-d2a8dba4e206"
 date = "2020-08-28"
 modified = "2020-08-29"
 reference = "https://twitter.com/JAMESWT_MHT/status/1299222198574632961"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-28/Loader_JAVA_Kinsing_Aug_2020_1.yar#L32-L52"
 license_url = "N/A"
- logic_hash = "v1_sha256_5862d02b4e57024aa1c00b0a10ac9ee1a733890cf7d5b9ec7586f0506af113fc"
+ logic_hash = "5862d02b4e57024aa1c00b0a10ac9ee1a733890cf7d5b9ec7586f0506af113fc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203480,13 +203480,13 @@ rule ARKBIRD_SOLG_MAL_Keylogger_Jul_2021_1 : FILE
 meta:
 description = "Detect a keylogger used by IAmTheKing group"
 author = "Arkbird_SOLG"
- id = "8f54eabb-fa6a-5d59-ab25-7b0dad98a3bb"
+ id = "186dc5f5-5cc2-551a-a34c-e775085e7f89"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_Keylogger_Jul_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_dfdf5892564b93cd1bf564cfe62e37d9477b5ae0bf20e0f9a44ee97b7e3a99f8"
+ logic_hash = "dfdf5892564b93cd1bf564cfe62e37d9477b5ae0bf20e0f9a44ee97b7e3a99f8"
 score = 75
 quality = 71
 tags = "FILE"
@@ -203511,13 +203511,13 @@ rule ARKBIRD_SOLG_MAL_Powerpool_Jul_2021_1 : FILE
 meta:
 description = "Detect PowerPool malware"
 author = "Arkbird_SOLG"
- id = "86330886-769b-5313-a20e-88c39ee9d2d5"
+ id = "8248300e-fc3e-56df-be4a-f1850e2bedc8"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_PowerPool_Jul_2021_1.yara#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_0978a6cd60533ffda0c2b13ea98dc1ba46a464890b895cb2704804a763756fca"
+ logic_hash = "0978a6cd60533ffda0c2b13ea98dc1ba46a464890b895cb2704804a763756fca"
 score = 75
 quality = 73
 tags = "FILE"
@@ -203546,13 +203546,13 @@ rule ARKBIRD_SOLG_MAL_Powerpool_Jul_2021_2 : FILE
 meta:
 description = "Detect PowerPool malware (ALPC exploit variant)"
 author = "Arkbird_SOLG"
- id = "50436ffb-a6cb-581f-913f-6dac8091ca60"
+ id = "2988e9a8-da43-51fb-bd39-44aa1d161120"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_PowerPool_Jul_2021_2.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_07d7a6444ddccbf4887de18659147354c9961092bb07ee0148392035a6d27086"
+ logic_hash = "07d7a6444ddccbf4887de18659147354c9961092bb07ee0148392035a6d27086"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203578,13 +203578,13 @@ rule ARKBIRD_SOLG_MAL_Queenofclubs_Jul_2021_1 : FILE
 meta:
 description = "Detect QueenOfClubs malware"
 author = "Arkbird_SOLG"
- id = "d0265438-fa70-5359-90a3-e47c1a44f36a"
+ id = "d78df760-5753-528c-b03d-7bb91ec658c0"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_QueenOfClubs_Jul_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_c6fe9dd24098ef3c281d9e6727613499988c88b9d2011af77390e0ce358bebf4"
+ logic_hash = "c6fe9dd24098ef3c281d9e6727613499988c88b9d2011af77390e0ce358bebf4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203609,13 +203609,13 @@ rule ARKBIRD_SOLG_Tool_Screencapture_Jul_2021_1 : FILE
 meta:
 description = "Detect Screen Capture utility"
 author = "Arkbird_SOLG"
- id = "19603735-8e63-54e0-a8cd-3ec9e4255a3f"
+ id = "09e4295e-454a-519a-964e-c5295e603aef"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/Tool_ScreenCapture_Jul_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_dff6c722ec001f5e3b5c53b41f8d457ab69ae46316f5dc7bbf1d00eb3d1ed3c8"
+ logic_hash = "dff6c722ec001f5e3b5c53b41f8d457ab69ae46316f5dc7bbf1d00eb3d1ed3c8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -203638,13 +203638,13 @@ rule ARKBIRD_SOLG_MAL_Queenofhearts_Jul_2021_1 : FILE
 meta:
 description = "Detect QueenOfHearts malware"
 author = "Arkbird_SOLG"
- id = "15609526-4e0c-5444-bdbc-99f46f93e273"
+ id = "763b35dd-6515-5ae8-a539-200a3647f074"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "https://twitter.com/ShadowChasing1/status/1413111641504292864"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_QueenOfHearts_Jul_2021_1.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_51cb8efddbc635e9a54f58a799e6edcf8eda8ca451ebe85cbce5f6cd20bfb083"
+ logic_hash = "51cb8efddbc635e9a54f58a799e6edcf8eda8ca451ebe85cbce5f6cd20bfb083"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203672,13 +203672,13 @@ rule ARKBIRD_SOLG_MAL_Jackofhearts_Jul_2021_1 : FILE
 meta:
 description = "Detect JackOfHearts malware"
 author = "Arkbird_SOLG"
- id = "70954910-5c46-59bd-916c-b2d6b0380145"
+ id = "42d5eadb-dd94-5a15-8a0d-d1e56b58ce2e"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "hhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_JackOfHearts_Jul_2021_1.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_6cad69beb7c104ef19beb26ca42b923283a0303c230e30b48dde58f88af4cd42"
+ logic_hash = "6cad69beb7c104ef19beb26ca42b923283a0303c230e30b48dde58f88af4cd42"
 score = 75
 quality = 73
 tags = "FILE"
@@ -203706,13 +203706,13 @@ rule ARKBIRD_SOLG_MAL_Kingofhearts_Jul_2021_1 : FILE
 meta:
 description = "Detect KingOfHearts malware"
 author = "Arkbird_SOLG"
- id = "f9498164-2675-57e0-a1a4-1bd532768643"
+ id = "b1efb4db-3864-5fdc-a3a0-992734eaf22f"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "https://twitter.com/ShadowChasing1/status/1413111641504292864"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_KingOfHearts_Jul_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_6761958760997030693c832c75098890b0d6d34fd6fe9c60d68d611497d57419"
+ logic_hash = "6761958760997030693c832c75098890b0d6d34fd6fe9c60d68d611497d57419"
 score = 75
 quality = 50
 tags = "FILE"
@@ -203738,13 +203738,13 @@ rule ARKBIRD_SOLG_MAL_Slothfulmedia_Jul_2021_1 : FILE
 meta:
 description = "Detect SlothfulMedia malware"
 author = "Arkbird_SOLG"
- id = "5f121817-b2bb-5700-9d38-341b93a76630"
+ id = "f4e1eca6-ecc9-5911-b69e-c8c4de43f1a1"
 date = "2021-07-09"
 modified = "2021-07-12"
 reference = "hhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-11/IAmTheKing/MAL_SlothfulMedia_Jul_2021_1.yara#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_929364cbb9854336641590d53ee9c4548f02845e26252d359b155e4c2b1032ca"
+ logic_hash = "929364cbb9854336641590d53ee9c4548f02845e26252d359b155e4c2b1032ca"
 score = 75
 quality = 73
 tags = "FILE"
@@ -203775,13 +203775,13 @@ rule ARKBIRD_SOLG_MAL_Stashlog_Sep_2021_1 : FILE
 meta:
 description = "Detect Stashlog malware"
 author = "Arkbird_SOLG"
- id = "724ee252-0fa8-5eaf-ba68-d07968629a82"
+ id = "a6ae59df-c45a-5a31-8530-4fd7f0f33f93"
 date = "2021-09-01"
 modified = "2021-09-05"
 reference = "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-09-05/MAL_Stashlog_Sep_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_6bde398a0f13674e72fcbd9809d22773bc1fe699f7c187775740d50910b07d5b"
+ logic_hash = "6bde398a0f13674e72fcbd9809d22773bc1fe699f7c187775740d50910b07d5b"
 score = 50
 quality = 75
 tags = "FILE"
@@ -203806,13 +203806,13 @@ rule ARKBIRD_SOLG_MAL_PRIVATELOG_Sep_2021_1 : FILE
 meta:
 description = "Detect PRIVATELOG malware"
 author = "Arkbird_SOLG"
- id = "ac45248d-185e-5d7c-8c1e-8eb7590ff49e"
+ id = "fa122d77-0bac-5836-85fd-b096660f7412"
 date = "2021-09-01"
 modified = "2021-09-05"
 reference = "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-09-05/MAL_PRIVATELOG_Sep_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_4df78bc3005c67d467a0999751bf4fb42ff9075f1601d51ab3b2b88e5dc38f6e"
+ logic_hash = "4df78bc3005c67d467a0999751bf4fb42ff9075f1601d51ab3b2b88e5dc38f6e"
 score = 50
 quality = 50
 tags = "FILE"
@@ -203838,13 +203838,13 @@ rule ARKBIRD_SOLG_APT_Kimsuky_Aug_2020_1 : FILE
 meta:
 description = "Detect Gold Dragon used by Kimsuky APT group"
 author = "Arkbird_SOLG"
- id = "01ab6811-b4db-58f3-ab84-33f4e441b5ab"
+ id = "dd79aa3b-0bbc-5fdd-808e-c2dee6d89804"
 date = "2020-08-31"
 modified = "2020-09-14"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-09-14/Kimsuky/APT_Kimsuky_Aug_2020_1.yar#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_4644ea81535c867a36a882bb270cea784ae135e7acc7078823be0579b1746932"
+ logic_hash = "4644ea81535c867a36a882bb270cea784ae135e7acc7078823be0579b1746932"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203872,13 +203872,13 @@ rule ARKBIRD_SOLG_Backdoor_APT_Nazar_April_2020_1 : FILE
 meta:
 description = "Detect strings used by APT Nazar"
 author = "Arkbird_SOLG"
- id = "9a1fe3ec-6097-5d2d-949e-68a80f3d716c"
+ id = "727a1f4e-1371-5a95-bce9-4a4f701a2ac6"
 date = "2020-04-29"
 modified = "2023-11-22"
 reference = "Internal research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-04-29/Yara_Rule_APT_Bazar-April_2020_1.yar#L3-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_79028588ac6afd3e3d0d839d10eada9e5382991eebb600b0dae2119bcd7eac93"
+ logic_hash = "79028588ac6afd3e3d0d839d10eada9e5382991eebb600b0dae2119bcd7eac93"
 score = 75
 quality = 73
 tags = "FILE"
@@ -203909,13 +203909,13 @@ rule ARKBIRD_SOLG_APT_APT27_Hyperbro_Apr_2021_1 : FILE
 meta:
 description = "Detect Hyperbro backdoor"
 author = "Arkbird_SOLG"
- id = "8e695742-a94a-5098-b943-5a734b7d7a45"
+ id = "060a200e-17dd-5789-94d4-eeff5c2e9a18"
 date = "2021-05-01"
 modified = "2021-05-04"
 reference = "-"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-03/APT27/APT_APT27_Hyperbro_Apr_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_1a32ab7c30885a665ede66640a9b047e3c381f6f535243fcadf1a7a22e76f407"
+ logic_hash = "1a32ab7c30885a665ede66640a9b047e3c381f6f535243fcadf1a7a22e76f407"
 score = 75
 quality = 35
 tags = "FILE"
@@ -203939,13 +203939,13 @@ rule ARKBIRD_SOLG_SP_Vault7_SIG_F_Nov_2020_1 : FILE
 meta:
 description = "Detect open-source PasswordReminder recovery tools used by Chinese APT in the Past"
 author = "Arkbird_SOLG"
- id = "d4c89c5f-1351-5337-931d-b545a78840ed"
+ id = "0b65e333-16e2-57c3-84f0-5cd24c9d9593"
 date = "2020-11-30"
 modified = "2020-11-30"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-30/SP_Vault7_SIG_F_Nov_2020_1.yar#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_b03ffb433491b532d891f29aeb5b33c6578067f2f05845514a7bdc1e50f88a10"
+ logic_hash = "b03ffb433491b532d891f29aeb5b33c6578067f2f05845514a7bdc1e50f88a10"
 score = 75
 quality = 75
 tags = "FILE"
@@ -203971,13 +203971,13 @@ rule ARKBIRD_SOLG_APT_Lazarus_HTA_Apr_2021_1 : FILE
 meta:
 description = "Detect HTA with the fake picture header as decoy used by Lazarus"
 author = "Arkbird_SOLG"
- id = "cadd66fe-6ba4-5b8d-8013-86904c0ba74c"
+ id = "1a57251e-f0fb-541c-bf8b-f1afecf7f1c7"
 date = "2021-04-27"
 modified = "2021-04-27"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-04-27/Lazarus/APT_Lazarus_HTA_Apr_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_40c2e5b662d1999c3ae5be97604bb9ebc809a383d66331cb4b385666ce55be2a"
+ logic_hash = "40c2e5b662d1999c3ae5be97604bb9ebc809a383d66331cb4b385666ce55be2a"
 score = 75
 quality = 63
 tags = "FILE"
@@ -204002,13 +204002,13 @@ rule ARKBIRD_SOLG_ATM_Dispcashbr_May_2021_1 : FILE
 meta:
 description = "Detect the DispCashBR ATM malware"
 author = "Arkbird_SOLG"
- id = "06435f15-7d39-515c-978d-0abbb04d1a70"
+ id = "629261d8-242c-580d-aa4d-4b313c77edef"
 date = "2020-05-14"
 modified = "2021-05-14"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-14/DispCashBR/ATM_DispCashBR_May_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_26f641a266c1f187d834a05b327c13ddee93747e182a5458e4ec3cb1f23f5f47"
+ logic_hash = "26f641a266c1f187d834a05b327c13ddee93747e182a5458e4ec3cb1f23f5f47"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204031,13 +204031,13 @@ rule ARKBIRD_SOLG_APT_NK_Lazarus_Stealer_Screencapture_June_2020_1 : FILE
 meta:
 description = "Detect ScreenCapture malware used by Lazarus APT"
 author = "Arkbird_SOLG, James_inthe_box"
- id = "bc4b818e-0232-5291-b9f0-52db7ba57b95"
+ id = "bb0463ac-6219-5a12-b3d2-fc82800bda69"
 date = "2020-06-23"
 modified = "2021-07-13"
 reference = "https://twitter.com/GR_CTI/status/1275164880992186371"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-23/APT_Lazarus_Stealer_June_2020_1.yar#L3-L31"
 license_url = "N/A"
- logic_hash = "v1_sha256_66f8d3da0f70f6c4ed6f853ab4040d7f96c043e9e194f1720999b48910b3e756"
+ logic_hash = "66f8d3da0f70f6c4ed6f853ab4040d7f96c043e9e194f1720999b48910b3e756"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204071,13 +204071,13 @@ rule ARKBIRD_SOLG_APT_NK_Lazarus_Stealer_Keylog_June_2020_1 : FILE
 meta:
 description = "Detect keylog malware used by Lazarus APT"
 author = "Arkbird_SOLG, James_inthe_box"
- id = "e73d02a6-7ba1-5ac3-9b77-f546bd83d51c"
+ id = "dd6aae8c-76d1-514d-905e-21472eb9b9b2"
 date = "2020-06-23"
 modified = "2021-07-13"
 reference = "https://twitter.com/GR_CTI/status/1275164880992186371"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-23/APT_Lazarus_Stealer_June_2020_1.yar#L33-L58"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a4e17903ad2a7c80651aa8f3d57876d1621be06ba7a683135b11929b232b2fa"
+ logic_hash = "9a4e17903ad2a7c80651aa8f3d57876d1621be06ba7a683135b11929b232b2fa"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204108,13 +204108,13 @@ rule ARKBIRD_SOLG_APT_NK_Lazarus_Stealer_Generic_June_2020_1 : FILE
 meta:
 description = "Detect stealers used by Lazarus APT by common strings"
 author = "Arkbird_SOLG, James_inthe_box"
- id = "870c3382-4928-5b7c-a371-9276dc881791"
+ id = "11a7c531-91a4-524e-aa5d-c11538f7db58"
 date = "2020-06-23"
 modified = "2021-07-13"
 reference = "https://twitter.com/GR_CTI/status/1275164880992186371"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-23/APT_Lazarus_Stealer_June_2020_1.yar#L60-L85"
 license_url = "N/A"
- logic_hash = "v1_sha256_878e4a128b7de45f4940e7adccfeb376ce46e87b35b25e162f668303e9fd7852"
+ logic_hash = "878e4a128b7de45f4940e7adccfeb376ce46e87b35b25e162f668303e9fd7852"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204145,13 +204145,13 @@ rule ARKBIRD_SOLG_MAL_Bazarloader_Oct_2021_1 : FILE
 meta:
 description = "Detect BazarLoader implant"
 author = "Arkbird_SOLG"
- id = "b521ba3a-cae9-5020-a07f-aa527a530b5f"
+ id = "d6462e74-fe1d-599e-aac8-0d0942ca42ad"
 date = "2021-10-30"
 modified = "2021-10-30"
 reference = "https://twitter.com/malwrhunterteam/status/1454154412902002692"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-29/Hive/MAL_BazarLoader_Oct_2021_1.yara#L1-L17"
 license_url = "N/A"
- logic_hash = "v1_sha256_afbe02ef9e69ac5105aaae28240d6863c9c4578c0e8fd7c86c38d975cf8acdc6"
+ logic_hash = "afbe02ef9e69ac5105aaae28240d6863c9c4578c0e8fd7c86c38d975cf8acdc6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204173,13 +204173,13 @@ rule ARKBIRD_SOLG_MAL_Cobaltstrike_Oct_2021_1 : FILE
 meta:
 description = "Detect Cobalt Strike implant"
 author = "Arkbird_SOLG"
- id = "57e0e9ae-4c31-5c24-8b67-f31ed0d5fb3b"
+ id = "89d46993-cc1b-536b-b1ab-a0e967d0d397"
 date = "2021-10-30"
 modified = "2021-10-30"
 reference = "https://twitter.com/malwrhunterteam/status/1454154412902002692"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-29/Hive/MAL_CobaltStrike_Oct_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_4f1a2306b8279be67829d0d515063caae6a9d7a07078a43c2cbe62f675bcb450"
+ logic_hash = "4f1a2306b8279be67829d0d515063caae6a9d7a07078a43c2cbe62f675bcb450"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204203,13 +204203,13 @@ rule ARKBIRD_SOLG_RAN_ELF_Hive_Oct_2021_1 : FILE
 meta:
 description = "Detect ELF version of Hive ransomware"
 author = "Arkbird_SOLG"
- id = "d786d4c6-4268-5173-9ec0-93eb02910725"
+ id = "434cfe85-3209-5990-9c68-47ce4fafd5b8"
 date = "2021-10-29"
 modified = "2021-10-30"
 reference = "https://twitter.com/ESETresearch/status/1454100591261667329"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-29/Hive/RAN_ELF_Hive_Oct_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_47ccf3b825521986070dba92194d5937289c0335b922537ea3242c4afb2be237"
+ logic_hash = "47ccf3b825521986070dba92194d5937289c0335b922537ea3242c4afb2be237"
 score = 60
 quality = 35
 tags = "FILE"
@@ -204233,13 +204233,13 @@ rule ARKBIRD_SOLG_RAN_ELF_Revil_Jun_2021_1 : FILE
 meta:
 description = "Detect the ELF version of REvil ransomware"
 author = "Arkbird_SOLG"
- id = "c1a49460-6abe-5f21-87fb-2245bcfaba8c"
+ id = "b4b9d60e-a352-5045-8be3-e9a08d70ef6b"
 date = "2021-06-28"
 modified = "2021-06-29"
 reference = "https://twitter.com/jaimeblascob/status/1409603887871500288"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-28/REvil/RAN_ELF_REvil_Jun_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_054bdb8362fdea2dc914b11387f6c67e35932acb73ba2b133ca29f69549914ba"
+ logic_hash = "054bdb8362fdea2dc914b11387f6c67e35932acb73ba2b133ca29f69549914ba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204264,13 +204264,13 @@ rule ARKBIRD_SOLG_Ran_Loader_Hades_Dec_2020_1 : FILE
 meta:
 description = "Detect the loader used by Hades ransomware for load the final implant in memory"
 author = "Arkbird_SOLG"
- id = "f14607b4-a8a8-575d-9467-021d864da08b"
+ id = "d48d3a2b-3f0f-5da2-aba9-db2366489a6c"
 date = "2020-12-27"
 modified = "2021-01-01"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-01-01/Hades/Ran_Loader_Hades_Dec_2020_1.yar#L2-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_cfa0f8acd3c526f7f4889794f7c38547a88031bb615a03ad5c1542c61bc0eecd"
+ logic_hash = "cfa0f8acd3c526f7f4889794f7c38547a88031bb615a03ad5c1542c61bc0eecd"
 score = 50
 quality = 71
 tags = "FILE"
@@ -204295,13 +204295,13 @@ rule ARKBIRD_SOLG_MAL_Redxor_Feb_2021_1 : FILE
 meta:
 description = "Detect RedXor backdoor (Feb 2021)"
 author = "Arkbird_SOLG"
- id = "7f0d05a3-420b-5e2f-adb8-e8261b2b372d"
+ id = "10ae10b7-b351-5dda-9408-aa01a40e3d6a"
 date = "2021-03-14"
 modified = "2021-05-24"
 reference = "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-23/RedXor/MAL_RedXor_Feb_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_b4e3ea24bb19abe7065ed5fc94f65e68ea84b11da7b45936ee991ef6aac6d33d"
+ logic_hash = "b4e3ea24bb19abe7065ed5fc94f65e68ea84b11da7b45936ee991ef6aac6d33d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204326,13 +204326,13 @@ rule ARKBIRD_SOLG_MAL_ELF_Rotajakiro_May_2021_1 : FILE
 meta:
 description = "Detect the ELF version of RotaJakiro"
 author = "Arkbird_SOLG"
- id = "a1f17398-6d12-5803-98c8-8cf2ef453fb8"
+ id = "a67f9b64-8778-542f-8481-566a4ffaf5e8"
 date = "2020-05-07"
 modified = "2021-05-08"
 reference = "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-08/RotaJakiro/MAL_ELF_RotaJakiro_May_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_8e4b9ef8a908a13e738da31b28c879228c3bdc1d8461417b1c1bf31026c98abf"
+ logic_hash = "8e4b9ef8a908a13e738da31b28c879228c3bdc1d8461417b1c1bf31026c98abf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204358,13 +204358,13 @@ rule ARKBIRD_SOLG_RAN_Astrolocker_May_2021_1 : FILE
 meta:
 description = "Detect the Astrolocker ransomware"
 author = "Arkbird_SOLG"
- id = "06d590a7-132e-5615-a154-b7c28684610d"
+ id = "f2c2c96a-277e-575b-8d80-4729f4a1cfe4"
 date = "2020-05-12"
 modified = "2021-05-16"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-12/Astrolocker/RAN_Astrolocker_May_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_7e50642f5f864b7cffeb5ccf4581ac7566da24fd5361a3303a860f036cd6d439"
+ logic_hash = "7e50642f5f864b7cffeb5ccf4581ac7566da24fd5361a3303a860f036cd6d439"
 score = 50
 quality = 75
 tags = "FILE"
@@ -204386,13 +204386,13 @@ rule ARKBIRD_SOLG_RAN_Mountlocker_May_2021_1 : FILE
 meta:
 description = "Detect the Mountlocker ransomware"
 author = "Arkbird_SOLG"
- id = "008b8c5f-e724-5eee-bbe7-09cc0e744e2e"
+ id = "0bc0d341-4658-500e-b487-1993e5431560"
 date = "2020-05-12"
 modified = "2021-05-16"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-12/Astrolocker/RAN_MountLocker_May_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_c0826d4c740b5c46b704b42e002602dd0cda2b6d1bf0ba5431877be8bd600b64"
+ logic_hash = "c0826d4c740b5c46b704b42e002602dd0cda2b6d1bf0ba5431877be8bd600b64"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204418,13 +204418,13 @@ rule ARKBIRD_SOLG_APT_NK_Lazarus_Implant_June_2020_1 : FILE
 meta:
 description = "Detect Lazarus implant June 2020"
 author = "Arkbird_SOLG"
- id = "86ba8557-5cea-57cd-a227-b0e5c30922a8"
+ id = "602c33f2-1e34-5267-9154-ada2d6edc64b"
 date = "2020-06-28"
 modified = "2020-06-28"
 reference = "https://twitter.com/ccxsaber/status/1277064824434745345"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-28/APT_NK_Lazarus_Implant_June_2020_1.yar#L3-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_29b6b8d3bdd47707854ed0dc00808d6352934950a8e7244450df78422ff3cb15"
+ logic_hash = "29b6b8d3bdd47707854ed0dc00808d6352934950a8e7244450df78422ff3cb15"
 score = 75
 quality = 73
 tags = "FILE"
@@ -204452,13 +204452,13 @@ rule ARKBIRD_SOLG_APT28_Zekapab_June_2020_1 : FILE
 meta:
 description = "Detect Delphi variant of Zekapab"
 author = "Arkbird_SOLG"
- id = "259cea43-a2ec-5f53-874f-8b2ee9ed7008"
+ id = "cf87e67f-2db9-537d-8800-8cd47b47c276"
 date = "2020-06-28"
 modified = "2020-06-28"
 reference = "https://twitter.com/DrunkBinary/status/1276573779037163520"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-28/APT28_Zekapab_June_2020_1.yar#L3-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_a02a78b8f60cf9d4441cc18b70fd00ec89253a5feafdc0eb392486b575bc61e2"
+ logic_hash = "a02a78b8f60cf9d4441cc18b70fd00ec89253a5feafdc0eb392486b575bc61e2"
 score = 75
 quality = 25
 tags = "FILE"
@@ -204490,13 +204490,13 @@ rule ARKBIRD_SOLG_MAL_Pseudomanuscrypt_Dec_2021_1 : FILE
 meta:
 description = "Detect PseudoManuscrypt loader dropped by the installer"
 author = "Arkbird_SOLG"
- id = "9c8fdf07-5c1f-5415-879e-9003343ec34d"
+ id = "8784baa0-c52c-5ee0-9a92-9b6457df61ed"
 date = "2021-12-16"
 modified = "2021-12-17"
 reference = "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-PseudoManuscrypt-a-mass-scale-spyware-attack-campaign-En.pdf"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-12-16/MAL_PseudoManuscrypt_Dec_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_e304323ed26c7040c97efa8041bcd3eb2f6d0caeba76d6674fc2947d7850e830"
+ logic_hash = "e304323ed26c7040c97efa8041bcd3eb2f6d0caeba76d6674fc2947d7850e830"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204522,13 +204522,13 @@ rule ARKBIRD_SOLG_RAN_Conti_Dec_2021_1 : FILE
 meta:
 description = "Detect Conti ransomware (v3)"
 author = "Arkbird_SOLG"
- id = "ea8979ca-7d93-56c4-bd6b-67e7af5f2498"
+ id = "efa65b86-95d7-55fd-b98a-7b3c747a671c"
 date = "2021-12-16"
 modified = "2021-12-16"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-12-16/RAN_Conti_Dec_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_038ad0c7ffcabcaf85de1adadf8a386063f96d5cd0e348a3cea4ea3b7b10fe70"
+ logic_hash = "038ad0c7ffcabcaf85de1adadf8a386063f96d5cd0e348a3cea4ea3b7b10fe70"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204551,13 +204551,13 @@ rule ARKBIRD_SOLG_Ran_Ranzylocker_Hunting_Mar_2021_1 : FILE
 meta:
 description = "Detect RanzyLocker ransomware"
 author = "Arkbird_SOLG"
- id = "1e6292a5-5b3a-5135-a479-baa73dc64e67"
+ id = "0d0c743b-9beb-5413-b5ba-dad75c2ee0b7"
 date = "2021-03-16"
 modified = "2021-03-17"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-16/RanzyLocker/Ran_RanzyLocker_Hunting_Mar_2021_1.yar#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_ec7867e40e4418bb662c8cf5a71566cd261d2040ee5d3afa0bbe2b92ebfef98e"
+ logic_hash = "ec7867e40e4418bb662c8cf5a71566cd261d2040ee5d3afa0bbe2b92ebfef98e"
 score = 50
 quality = 53
 tags = "FILE"
@@ -204586,13 +204586,13 @@ rule ARKBIRD_SOLG_Ran_Pay2Key_Nov_2020_1 : FILE
 meta:
 description = "Detect Pay2Key ransomware"
 author = "Arkbird_SOLG"
- id = "1f7fa8d6-1b1d-5cea-8746-60a9d7a6779b"
+ id = "440b8128-4708-54ba-94c3-c0b522004da6"
 date = "2020-12-01"
 modified = "2020-12-14"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-14/Pay2Key/Ran_Pay2Key_Nov_2020_1.yar#L1-L31"
 license_url = "N/A"
- logic_hash = "v1_sha256_f1ea1ed141ba7a1eaaa34c216adebfacaa23ef8776a0216b778ccb34bd000590"
+ logic_hash = "f1ea1ed141ba7a1eaaa34c216adebfacaa23ef8776a0216b778ccb34bd000590"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204625,13 +204625,13 @@ rule ARKBIRD_SOLG_APT_Puzzlemaker_Implant_Jun_2021_1 : FILE
 meta:
 description = "Detect the implant of the PuzzleMaker group"
 author = "Arkbird_SOLG"
- id = "81923d73-57b6-52ff-8ef2-b6c556dd96e4"
+ id = "9387130c-4474-55bf-9736-09494a5e81b8"
 date = "2021-06-10"
 modified = "2021-11-01"
 reference = "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-09/PuzzleMaker/APT_PuzzleMaker_Implant_Jun_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_e54eaaa76b2d370a27a232dee2299266f8b3b82d53da36e35c2a6fcdd7d5b1f7"
+ logic_hash = "e54eaaa76b2d370a27a232dee2299266f8b3b82d53da36e35c2a6fcdd7d5b1f7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204657,13 +204657,13 @@ rule ARKBIRD_SOLG_APT_Puzzlemaker_Launcher_Jun_2021_1 : FILE
 meta:
 description = "Detect the launcher of the PuzzleMaker group"
 author = "Arkbird_SOLG"
- id = "933f832a-193d-5ee2-a032-959f88505767"
+ id = "ae31d9de-8e6c-5c1b-bc45-bc4e50cea00f"
 date = "2021-06-10"
 modified = "2021-11-01"
 reference = "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-09/PuzzleMaker/APT_PuzzleMaker_Launcher_Jun_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_5c717ca5c57a86e1b5db45b3d581a45be248d45820c00c40c57a001ac07ce1b2"
+ logic_hash = "5c717ca5c57a86e1b5db45b3d581a45be248d45820c00c40c57a001ac07ce1b2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204689,13 +204689,13 @@ rule ARKBIRD_SOLG_APT_Patchwork_Tool_CVE_2019_0808_1 : FILE
 meta:
 description = "Detect CVE 2019-0808 tool used by Patchwork group"
 author = "Arkbird_SOLG"
- id = "21cf3a2e-7acb-54fe-9021-a307feb7c1b7"
+ id = "169255fe-dd7a-5a4e-8f0f-d84a0cf5c684"
 date = "2020-08-27"
 modified = "2021-07-13"
 reference = "https://blog.exodusintel.com/2019/05/17/windows-within-windows/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-27/APT_Patchwork_Tool_CVE_2019_0808_1.yar#L3-L34"
 license_url = "N/A"
- logic_hash = "v1_sha256_e66df5d69d64c00cb68ff7bea0f7a7eec6657aff83d0f6cdb48d908bae8bcec8"
+ logic_hash = "e66df5d69d64c00cb68ff7bea0f7a7eec6657aff83d0f6cdb48d908bae8bcec8"
 score = 50
 quality = 75
 tags = "FILE"
@@ -204732,13 +204732,13 @@ rule ARKBIRD_SOLG_EXP_CVE_2021_42321_Nov_2021_1 : CVE_2021_42321 FILE
 meta:
 description = "Detect CVE-2021-42321 exploit tool"
 author = "Arkbird_SOLG"
- id = "08def8e1-f5f6-5af3-a3be-553491572641"
+ id = "2efd58a1-e5c3-5596-b5fd-f6e2fe0ab620"
 date = "2021-11-21"
 modified = "2021-11-21"
 reference = "https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-21/EXP_CVE_2021_42321_Nov_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_bf45f240875f3c3ab729fe623b6c97d0540c0d7d3e9b2e4beb88af6922f8a643"
+ logic_hash = "bf45f240875f3c3ab729fe623b6c97d0540c0d7d3e9b2e4beb88af6922f8a643"
 score = 50
 quality = 67
 tags = "CVE-2021-42321, FILE"
@@ -204762,13 +204762,13 @@ rule ARKBIRD_SOLG_MAL_ELF_Vermilion_Strike_Sep_2021_1 : FILE
 meta:
 description = "Detect the ELF version of Vermilion Strike implant"
 author = "Arkbird_SOLG"
- id = "694511de-c933-5c59-9f88-8fd2feb855ae"
+ id = "bfc498b6-4d3d-5ae9-a360-d31f8cf6c5fc"
 date = "2021-09-14"
 modified = "2021-09-16"
 reference = "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-09-15/Vermilion_Strike/MAL_ELF_Vermilion_Strike_Sep_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_fe4bb6da7b29f1ae7c25a657d27f5e60ffa0e7d9f1f09a5a2331e4a80eb79481"
+ logic_hash = "fe4bb6da7b29f1ae7c25a657d27f5e60ffa0e7d9f1f09a5a2331e4a80eb79481"
 score = 50
 quality = 75
 tags = "FILE"
@@ -204792,13 +204792,13 @@ rule ARKBIRD_SOLG_MAL_Beacon_Vermilion_Strike_Sep_2021_1 : FILE
 meta:
 description = "Detect the windows version of the beacon of Vermilion Strike implant"
 author = "Arkbird_SOLG"
- id = "981b6997-7403-5062-b7d7-518d2433eb92"
+ id = "61bb0f02-0eb3-5abe-a2fc-65b94a9486f7"
 date = "2021-09-14"
 modified = "2021-09-16"
 reference = "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-09-15/Vermilion_Strike/MAL_Beacon_Vermilion_Strike_Sep_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_801d93fc250666a48fbdd504c8bacab74f0bf7f534a7301a20ad79df3b41750d"
+ logic_hash = "801d93fc250666a48fbdd504c8bacab74f0bf7f534a7301a20ad79df3b41750d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204823,13 +204823,13 @@ rule ARKBIRD_SOLG_MAL_Stager_Vermilion_Strike_Sep_2021_1 : FILE
 meta:
 description = "Detect the windows version of the stager of Vermilion Strike implant"
 author = "Arkbird_SOLG"
- id = "d3368bbe-5cec-553f-a31e-91443c2c6848"
+ id = "7a8ae258-1fb4-5a24-b69e-3a632e00bfae"
 date = "2021-09-14"
 modified = "2021-09-16"
 reference = "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-09-15/Vermilion_Strike/MAL_Stager_Vermilion_Strike_Sep_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_cc4d59c92faba1f3435c8454071a1e1c60b6339393796c76e64b890bb85d13cc"
+ logic_hash = "cc4d59c92faba1f3435c8454071a1e1c60b6339393796c76e64b890bb85d13cc"
 score = 50
 quality = 75
 tags = "FILE"
@@ -204852,13 +204852,13 @@ rule ARKBIRD_SOLG_RAN_ELF_Hellokitty_Aug_2021_1 : FILE
 meta:
 description = "Detect HelloKitty ransomware"
 author = "Arkbird_SOLG"
- id = "05a704f4-5a2e-5ce7-9000-7f73b1de1b5c"
+ id = "3e83f07a-0ee7-5381-9aba-2606c01b9d91"
 date = "2021-08-14"
 modified = "2021-08-14"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-14/HelloKitty/RAN_ELF_HelloKitty_Aug_2021_1.yara#L1-L17"
 license_url = "N/A"
- logic_hash = "v1_sha256_99816756ea0a680eb25da192c9f069082f6479befe4e50188ad8f90b323d1f2d"
+ logic_hash = "99816756ea0a680eb25da192c9f069082f6479befe4e50188ad8f90b323d1f2d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204880,13 +204880,13 @@ rule ARKBIRD_SOLG_APT_MAL_NK_Rivts_Feb_2009_1 : FILE
 meta:
 description = "Detect Rivts malware used by NK APT"
 author = "Arkbird_SOLG"
- id = "87c4fe91-da12-5757-a5a0-6fbed92cd76c"
+ id = "71dacbd4-36bb-5a45-a288-31bfaef784dc"
 date = "2020-06-17"
 modified = "2020-06-18"
 reference = "https://twitter.com/Arkbird_SOLG/status/1272674621381361672"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-07/NK_Rivts_Feb_2009_1.yar#L3-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_aab3e8067933cbaef2725b5db9e744df2e2be0a89aaf7ce85df79c5f45d72d8f"
+ logic_hash = "aab3e8067933cbaef2725b5db9e744df2e2be0a89aaf7ce85df79c5f45d72d8f"
 score = 75
 quality = 67
 tags = "FILE"
@@ -204911,13 +204911,13 @@ rule ARKBIRD_SOLG_APT_Sidewinder_Nov_2020_1 : FILE
 meta:
 description = "Detect Sidewinder DLL decoder algorithm"
 author = "Arkbird_SOLG"
- id = "4e574344-ce5d-5572-9953-368a529ff207"
+ id = "9e948949-f38d-5a76-a34c-965ec9be070d"
 date = "2020-11-14"
 modified = "2020-11-15"
 reference = "https://twitter.com/hexfati/status/1325397305051148292"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-15/APT_SideWinder_Nov_2020_1.yar#L1-L12"
 license_url = "N/A"
- logic_hash = "v1_sha256_661eb5510ff0aa59b38b2c023653f0a23867a2813d854fbd0a7a6b657d9ba671"
+ logic_hash = "661eb5510ff0aa59b38b2c023653f0a23867a2813d854fbd0a7a6b657d9ba671"
 score = 75
 quality = 75
 tags = "FILE"
@@ -204936,13 +204936,13 @@ rule ARKBIRD_SOLG_Ransom_Ragnarlocker_July_2020_1 : FILE
 meta:
 description = "Detect Ragnarlocker by strings (July 2020)"
 author = "Arkbird_SOLG"
- id = "24d2de5b-fa1b-52b7-b7f5-8e178a33248c"
+ id = "9291ed33-8d7d-5b88-9075-b847fdbab179"
 date = "2020-07-30"
 modified = "2020-07-30"
 reference = "https://twitter.com/JAMESWT_MHT/status/1288797666688851969"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-07-30/Yara_Ransom_Ragnarlocker_July_2020_1.yar#L3-L34"
 license_url = "N/A"
- logic_hash = "v1_sha256_73d3be9a2d3b315ed6d3d93e2c6f9988d60234530b0398e8949c511f919a8954"
+ logic_hash = "73d3be9a2d3b315ed6d3d93e2c6f9988d60234530b0398e8949c511f919a8954"
 score = 75
 quality = 23
 tags = "FILE"
@@ -204979,13 +204979,13 @@ rule ARKBIRD_SOLG_EXF_Exmatter_Nov_2021_1 : FILE
 meta:
 description = "Detect packed Exmatter with Confuser"
 author = "Arkbird_SOLG"
- id = "6d0978e2-20fb-5be3-b21c-c5e3952a7fd6"
+ id = "ddae7776-3202-50e6-b8af-0e5d15373386"
 date = "2021-11-01"
 modified = "2021-11-01"
 reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-01/Exmatter/EXF_Exmatter_Nov_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_67aaac3db488a9e28897047a7498b7a447ec63cdb6da82cb3d4217c7d615f176"
+ logic_hash = "67aaac3db488a9e28897047a7498b7a447ec63cdb6da82cb3d4217c7d615f176"
 score = 50
 quality = 75
 tags = "FILE"
@@ -205012,13 +205012,13 @@ rule ARKBIRD_SOLG_MAL_Phoenix_Stealer_Jun_2021_1 : FILE
 meta:
 description = "Detect the Phoenix Stealer"
 author = "Arkbird_SOLG"
- id = "5a78a5dd-55d9-513e-b822-15845ab967b4"
+ id = "8c9df216-cbfe-51f3-a6d7-cfeb99fafbe0"
 date = "2021-11-01"
 modified = "2021-11-01"
 reference = "https://twitter.com/3xp0rtblog/status/1455111070566207493/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-01/Phoenix_Stealer/MAL_Phoenix_Stealer_Jun_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_989c2518a42201559265ce4b974b35df5c4b8365e53f789fc124ee969e747c87"
+ logic_hash = "989c2518a42201559265ce4b974b35df5c4b8365e53f789fc124ee969e747c87"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205043,13 +205043,13 @@ rule ARKBIRD_SOLG_RAN_Decaf_Nov_2021_1 : FILE
 meta:
 description = "Detect Decaf ransomware (unpacked UPX)"
 author = "Arkbird_SOLG"
- id = "99b6b91c-a24b-5b88-8823-ad51d7d07a83"
+ id = "d19b2d31-a6c5-5033-ba43-4e9ccabc37bb"
 date = "2021-11-01"
 modified = "2021-11-02"
 reference = "https://blog.morphisec.com/decaf-ransomware-a-new-golang-threat-makes-its-appearance"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-01/Decaf/RAN_Decaf_Nov_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_5cea33d710d252b39bcd8ae227f52d10897b7fe58b1ff5226a1cb8cc094d600c"
+ logic_hash = "5cea33d710d252b39bcd8ae227f52d10897b7fe58b1ff5226a1cb8cc094d600c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205073,13 +205073,13 @@ rule ARKBIRD_SOLG_Exp_CVE_2021_36934_July_2021_1 : FILE
 meta:
 description = "Detect CVE_2021_36934 exploit (HiveNightmare)"
 author = "Arkbird_SOLG"
- id = "3c5c8458-58b1-5f11-a76f-947a67f4e31c"
+ id = "3a0ed4f7-8a99-569f-a636-4cd64c2121bb"
 date = "2021-07-23"
 modified = "2021-07-23"
 reference = "https://github.com/GossiTheDog/HiveNightmare"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/20.21-07-23/HiveNightmare/Exp_CVE_2021_36934_July_2021_1.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_2fd6cdf8a81f239473716d2c10a1754ebb2c60099eebd9d0cc1450ad3441075b"
+ logic_hash = "2fd6cdf8a81f239473716d2c10a1754ebb2c60099eebd9d0cc1450ad3441075b"
 score = 75
 quality = 48
 tags = "FILE"
@@ -205106,13 +205106,13 @@ rule ARKBIRD_SOLG_RAN_Avoslocker_July_2021_1 : FILE
 meta:
 description = "Detect AvosLocker ransomware"
 author = "Arkbird_SOLG"
- id = "abb0e629-0917-5223-b9ea-6ca1752638d7"
+ id = "3fbc707f-9802-54bc-933b-bc4c4953b1d0"
 date = "2021-07-23"
 modified = "2021-07-24"
 reference = "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/20.21-07-23/AvosLocker/RAN_AvosLocker_July_2021_1.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_e2291f574b5ab68e901a76b6511e0ee4c1eee51d5e3eced62bf68ceedb061958"
+ logic_hash = "e2291f574b5ab68e901a76b6511e0ee4c1eee51d5e3eced62bf68ceedb061958"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205139,13 +205139,13 @@ rule ARKBIRD_SOLG_Exp_Petitpotam_July_2021_1 : FILE
 meta:
 description = "Detect PetitPotam exploit (local exploit version)"
 author = "Arkbird_SOLG"
- id = "11cd69f8-ca96-5fd2-9714-827e895f6b55"
+ id = "dd23c77d-9929-5130-aad8-2bcc0a7dcbaa"
 date = "2021-07-23"
 modified = "2021-07-24"
 reference = "https://github.com/topotam/PetitPotam"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/20.21-07-23/PetitPotam/Exp_PetitPotam_July_2021_1.yara#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_a33a1dc2a3593063de2b65e01a770ff5c72ad360d88efdca588eacb8817fb91d"
+ logic_hash = "a33a1dc2a3593063de2b65e01a770ff5c72ad360d88efdca588eacb8817fb91d"
 score = 75
 quality = 69
 tags = "FILE"
@@ -205173,13 +205173,13 @@ rule ARKBIRD_SOLG_WIP_Unk_Wiper_July_2021_1 : FILE
 meta:
 description = "Detect unknown wiper that focuses olympic games in Japan"
 author = "Arkbird_SOLG"
- id = "68005d3c-c24d-5c44-bb04-53e3a94370b8"
+ id = "a03d558e-399a-506e-8f37-d4907cc68d54"
 date = "2021-07-22"
 modified = "2021-07-22"
 reference = "https://www.mbsd.jp/research/20210721/blog/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-22/WIP_Unk_Wiper_July_2021_1.yara#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_32f66fee2547ef33121620b822f86bfdf66ff337909a56aa4f0e8ef83b6d7730"
+ logic_hash = "32f66fee2547ef33121620b822f86bfdf66ff337909a56aa4f0e8ef83b6d7730"
 score = 75
 quality = 40
 tags = "FILE"
@@ -205213,13 +205213,13 @@ rule ARKBIRD_SOLG_APT_APT_C_23_Micropsia_Mar_2021_1 : FILE
 meta:
 description = "Detect Micropsia used by APT-C-23 (Build 2018)"
 author = "Arkbird_SOLG"
- id = "954d4add-9710-55ae-8162-c118fbd07034"
+ id = "517a33bb-0214-588f-80e4-dc82f2552330"
 date = "2021-03-31"
 modified = "2021-03-31"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-31/APT-C-23/APT_APT_C_23_Micropsia_Mar_2021_1.yar#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_69baab88d80ab15e08f3b08dfca45a1fee6c2e6077152906f391618713fac2ef"
+ logic_hash = "69baab88d80ab15e08f3b08dfca45a1fee6c2e6077152906f391618713fac2ef"
 score = 50
 quality = 69
 tags = "FILE"
@@ -205247,13 +205247,13 @@ rule ARKBIRD_SOLG_APT_APT_C_23_Micropsia_Mar_2021_2 : FILE
 meta:
 description = "Detect Micropsia used by APT-C-23 (Build 2020)"
 author = "Arkbird_SOLG"
- id = "16eaf75c-e4cf-54f3-8235-2b49ac199270"
+ id = "cdd95b35-09b4-5412-bd86-55c2e7523d3e"
 date = "2021-03-31"
 modified = "2021-03-31"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-31/APT-C-23/APT_APT_C_23_Micropsia_Mar_2021_2.yar#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_a00091161ec69c9885e983117e2b424f860bfbab2551ea23b74c37fc062850b9"
+ logic_hash = "a00091161ec69c9885e983117e2b424f860bfbab2551ea23b74c37fc062850b9"
 score = 50
 quality = 75
 tags = "FILE"
@@ -205283,13 +205283,13 @@ rule ARKBIRD_SOLG_RAN_ALPHV_Dec_2021_1 : FILE
 meta:
 description = "Detect AlphV ransomware (Nov and Dec 2021)"
 author = "Arkbird_SOLG"
- id = "19db52a3-7f9a-5247-9a96-d65fb755eb0c"
+ id = "5c758dc9-b1dc-58e0-b443-6f78e27ffefe"
 date = "2021-12-09"
 modified = "2021-12-18"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-12-09/RAN_ALPHV_Dec_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_416ebea98f660dd9fad27c3be0c79e47bc69e08fe4be7db76a71462d2c5ada49"
+ logic_hash = "416ebea98f660dd9fad27c3be0c79e47bc69e08fe4be7db76a71462d2c5ada49"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205314,13 +205314,13 @@ rule ARKBIRD_SOLG_RAN_ELF_Qnapcrypt_Aug_2021_1 : FILE
 meta:
 description = "Detect QNAPCrypt ransomware (x86 version)"
 author = "Arkbird_SOLG"
- id = "ecc5a44e-af37-534a-9fba-7b3e70f4f4c2"
+ id = "fcdec43a-de70-57a2-9527-263685acc820"
 date = "2021-08-11"
 modified = "2021-08-12"
 reference = "https://bazaar.abuse.ch/browse/tag/QNAPCrypt/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-11/QNAPCrypt/RAN_ELF_QNAPCrypt_Aug_2021_1.yara#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_4dbe5241b9f1b68a15193f3d5c7b0b5fac80208c16917b6e543ce407301f1dcf"
+ logic_hash = "4dbe5241b9f1b68a15193f3d5c7b0b5fac80208c16917b6e543ce407301f1dcf"
 score = 75
 quality = 71
 tags = "FILE"
@@ -205353,13 +205353,13 @@ rule ARKBIRD_SOLG_RAN_ELF_Qnapcrypt_Aug_2021_2 : FILE
 meta:
 description = "Detect QNAPCrypt ransomware (x64 version)"
 author = "Arkbird_SOLG"
- id = "5b60188f-cd9b-5007-8e9e-94ee428a590b"
+ id = "8cd54646-87da-5261-82f3-68ab96549379"
 date = "2021-08-11"
 modified = "2021-08-12"
 reference = "https://bazaar.abuse.ch/browse/tag/QNAPCrypt/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-11/QNAPCrypt/RAN_ELF_QNAPCrypt_Aug_2021_2.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_9eb3a499afbaaf2addb8ee12cc2d479ebbacd4d19cc270e995f12e83546008b4"
+ logic_hash = "9eb3a499afbaaf2addb8ee12cc2d479ebbacd4d19cc270e995f12e83546008b4"
 score = 75
 quality = 73
 tags = "FILE"
@@ -205385,13 +205385,13 @@ rule ARKBIRD_SOLG_APT_APT_34_Maildrop_Mar_2021_1 : FILE
 meta:
 description = "Detect MailDrop malware used by APT34"
 author = "Arkbird_SOLG"
- id = "6d88a934-f048-58b9-b272-20a877a4d060"
+ id = "a17c4e0b-9bbb-594d-8551-5c146e6a601e"
 date = "2021-04-03"
 modified = "2021-04-09"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-04-03/APT34/APT_APT_34_MailDrop_Mar_2021_1.yar#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_f55192044bf8e190dfdc18aeaac543a5022643ea242e75ff2492939ae6e1814c"
+ logic_hash = "f55192044bf8e190dfdc18aeaac543a5022643ea242e75ff2492939ae6e1814c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205420,13 +205420,13 @@ rule ARKBIRD_SOLG_MAL_Gmera_June_2021_1 : FILE
 meta:
 description = "Detect Gmera malware"
 author = "Arkbird_SOLG"
- id = "408042c0-2e80-5066-b2cf-d3763fa87876"
+ id = "e1234dc9-b42b-5f54-86cb-ad1b13e9e98d"
 date = "2021-06-23"
 modified = "2021-06-24"
 reference = "https://twitter.com/BushidoToken/status/1407671196322258948"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-23/MAL_Gmera_June_2021_1.yara#L1-L25"
 license_url = "N/A"
- logic_hash = "v1_sha256_9a08c46e0c4d4dd83c1373dd3d7e78d8ed466d3822816880600be1a7d7d69d99"
+ logic_hash = "9a08c46e0c4d4dd83c1373dd3d7e78d8ed466d3822816880600be1a7d7d69d99"
 score = 75
 quality = 63
 tags = "FILE"
@@ -205454,13 +205454,13 @@ rule ARKBIRD_SOLG_Mal_Plugx_Thor_July_2021_1 : FILE
 meta:
 description = "Detect Thor variant of PlugX (Variant 1)"
 author = "Arkbird_SOLG"
- id = "d78870d1-ea30-5648-8aa0-8c81d25e8594"
+ id = "5447e5df-0326-5987-905b-bfc49acee05a"
 date = "2021-07-27"
 modified = "2021-07-28"
 reference = "https://unit42.paloaltonetworks.com/thor-plugx-variant/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-27/PlugX/Mal_PlugX_Thor_July_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_f94e6cf8a1169526a438dfbf4d6b40f4ce0f6af6eee2e893fb138b81c4172c73"
+ logic_hash = "f94e6cf8a1169526a438dfbf4d6b40f4ce0f6af6eee2e893fb138b81c4172c73"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205484,13 +205484,13 @@ rule ARKBIRD_SOLG_RAN_Piton_Nov_2021_1 : FILE
 meta:
 description = "Detect Piton variant (rebuild from the Babuk leaks)"
 author = "Arkbird_SOLG"
- id = "9ed27d68-2d07-5579-9807-7cc9137fcf81"
+ id = "433d0692-553b-5efe-84e4-134e99342fe5"
 date = "2021-11-03"
 modified = "2021-11-04"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-04/RAN_Piton_Nov_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_cd8287b3be0f8f9338cf6ba8eb24dd9a6f91a54c984a635e1103f7e6028cbf3c"
+ logic_hash = "cd8287b3be0f8f9338cf6ba8eb24dd9a6f91a54c984a635e1103f7e6028cbf3c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205513,13 +205513,13 @@ rule ARKBIRD_SOLG_APT_Oilrig_VBS_2016_1 : FILE
 meta:
 description = "Detect VBS script in base 64 used by OilRig (2016)"
 author = "Arkbird_SOLG"
- id = "4135061c-b665-508b-9550-5fd7f4182252"
+ id = "5cc3a3f1-4f2f-56c4-af69-8652d22b6730"
 date = "2020-08-26"
 modified = "2021-07-13"
 reference = "https://twitter.com/Arkbird_SOLG/status/1298758788028264450"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-26/APT_OilRig_2016.yar#L4-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_a6c42c46c80ca79b01aa0475c823aeccef416a0f8c2f58db95392cbe125b2fad"
+ logic_hash = "a6c42c46c80ca79b01aa0475c823aeccef416a0f8c2f58db95392cbe125b2fad"
 score = 75
 quality = 63
 tags = "FILE"
@@ -205544,13 +205544,13 @@ rule ARKBIRD_SOLG_APT_Oilrig_PSH_Helminth_2016_1 : FILE
 meta:
 description = "Detect Powershell script Helminth in base 64 used by OilRig (2016)"
 author = "Arkbird_SOLG"
- id = "80917ff4-48c4-5cb7-98c5-40e214a0e82f"
+ id = "782503c2-a292-505c-b513-79cbbd381124"
 date = "2020-08-26"
 modified = "2021-07-13"
 reference = "https://twitter.com/Arkbird_SOLG/status/1298758788028264450"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-26/APT_OilRig_2016.yar#L25-L45"
 license_url = "N/A"
- logic_hash = "v1_sha256_0216015765f5abdb6ccf7643344aead51e4eebb19fd947f9484ce5dc6696d4d5"
+ logic_hash = "0216015765f5abdb6ccf7643344aead51e4eebb19fd947f9484ce5dc6696d4d5"
 score = 75
 quality = 61
 tags = "FILE"
@@ -205576,13 +205576,13 @@ rule ARKBIRD_SOLG_APT_MAL_NK_Lazarus_Dacls_June_2020_1 : FILE
 meta:
 description = "Detect DACLS malware used by APT Lazarus"
 author = "Arkbird_SOLG"
- id = "6734217e-c9e6-5cc1-b041-24391f9b4c52"
+ id = "fb85b83a-4367-5f1d-be06-8a8e906b8df7"
 date = "2020-06-11"
 modified = "2020-06-12"
 reference = "https://twitter.com/batrix20/status/1270924079826997248"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-12/Lazarus/Lazarus_June_2020_1.yar#L3-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_ed3e4a7a0490c5e8854d4e1bc8a223658ab9657a03c1b237af1056293a51611b"
+ logic_hash = "ed3e4a7a0490c5e8854d4e1bc8a223658ab9657a03c1b237af1056293a51611b"
 score = 75
 quality = 48
 tags = "FILE"
@@ -205612,13 +205612,13 @@ rule ARKBIRD_SOLG_APT_MAL_NK_Lazarus_Nukesped_June_2020_1 : FILE
 meta:
 description = "Detect NukeSped malware used by APT Lazarus"
 author = "Arkbird_SOLG"
- id = "35d56d43-c7f5-52d9-b733-68262575026f"
+ id = "7a5b27df-43bd-544d-8d0f-72e58ce3064c"
 date = "2020-06-11"
 modified = "2020-06-12"
 reference = "https://twitter.com/batrix20/status/1270924079826997248"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-12/Lazarus/Lazarus_June_2020_1.yar#L28-L54"
 license_url = "N/A"
- logic_hash = "v1_sha256_b1332eb255f8ae9ae6a68ef8ef86d9f5472584cae8161c27186e341990df7eae"
+ logic_hash = "b1332eb255f8ae9ae6a68ef8ef86d9f5472584cae8161c27186e341990df7eae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205649,13 +205649,13 @@ rule ARKBIRD_SOLG_MAL_Netfilter_Dropper_Jun_2021_1 : FILE
 meta:
 description = "Detect the dropper of Netfilter rootkit"
 author = "Arkbird_SOLG"
- id = "d5891751-e006-50e1-813a-28919c578675"
+ id = "5e67c99c-6b08-5190-9c8a-55086c20923e"
 date = "2020-06-18"
 modified = "2021-06-18"
 reference = "https://twitter.com/struppigel/status/1405483373280235520"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-18/Netfilter/MAL_Netfilter_Dropper_Jun_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_66e96304e097a0f6cd99cf77b20f61b8a0bcceaf8685a336c039a80947a08f78"
+ logic_hash = "66e96304e097a0f6cd99cf77b20f61b8a0bcceaf8685a336c039a80947a08f78"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205680,13 +205680,13 @@ rule ARKBIRD_SOLG_MAL_Netfilter_May_2021_1 : FILE
 meta:
 description = "Detect Netfilter rootkit"
 author = "Arkbird_SOLG"
- id = "6ae039aa-45b0-5e55-b87d-09519d7a78d8"
+ id = "da333ed8-8cd3-5ae4-bce5-a43a227fdee3"
 date = "2021-06-18"
 modified = "2021-06-21"
 reference = "https://twitter.com/struppigel/status/1405483373280235520"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-18/Netfilter/MAL_Netfilter_May_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_f219981af907f74e4d95f768d99b7fd877c8bfb00587d198a4b0e2c521c744e1"
+ logic_hash = "f219981af907f74e4d95f768d99b7fd877c8bfb00587d198a4b0e2c521c744e1"
 score = 75
 quality = 73
 tags = "FILE"
@@ -205713,13 +205713,13 @@ rule ARKBIRD_SOLG_APT_Lazarus_Jun_2021_1 : FILE
 meta:
 description = "Detect a variant of NukeSped malware"
 author = "Arkbird_SOLG"
- id = "21580087-d6e2-512a-8925-905e6f1a7dab"
+ id = "0f5d42c0-d6dc-573b-9227-787ccbcaa83d"
 date = "2021-06-19"
 modified = "2021-06-21"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-19/Lazarus/APT_Lazarus_Jun_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_ea4ce93d54b9b8e5d1d5bb64d37ac26839e2fa3200da3057597d83c4be6d129f"
+ logic_hash = "ea4ce93d54b9b8e5d1d5bb64d37ac26839e2fa3200da3057597d83c4be6d129f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205744,13 +205744,13 @@ rule ARKBIRD_SOLG_MAL_Mailo_Jun_2021_1 : FILE
 meta:
 description = "Detect the Mach-O malware"
 author = "Arkbird_SOLG"
- id = "7b238991-5ba0-5e6e-9046-46d1cedfb604"
+ id = "4c975200-fce4-5a2a-b565-6d397c4e0b1c"
 date = "2021-06-09"
 modified = "2021-06-21"
 reference = "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-19/MAIL-O/MAL_MailO_Jun_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_165c5fd90039c14ef1fa1e80bb7f14761e991b09560c5f1da2ddf9a0eadee623"
+ logic_hash = "165c5fd90039c14ef1fa1e80bb7f14761e991b09560c5f1da2ddf9a0eadee623"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205774,13 +205774,13 @@ rule ARKBIRD_SOLG_MAL_OSX_Wizardupdate_Oct_2021_2 : FILE
 meta:
 description = "Detect a structure like the bash of WizardUpdate installer on OSX system"
 author = "Arkbird_SOLG"
- id = "101fa8ab-a140-527e-a28b-18116f9daffd"
+ id = "3e48c2fa-10f4-5152-90e6-f5f8cc507103"
 date = "2021-10-22"
 modified = "2021-10-23"
 reference = "https://twitter.com/MsftSecIntel/status/1451279679059488773"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-23/WizardUpdate/MAL_OSX_WizardUpdate_Oct_2021_2.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_99d3323e3c155be040fef3beea0a55aec9bd3178df822d5fd6530864186446ed"
+ logic_hash = "99d3323e3c155be040fef3beea0a55aec9bd3178df822d5fd6530864186446ed"
 score = 75
 quality = 67
 tags = "FILE"
@@ -205805,13 +205805,13 @@ rule ARKBIRD_SOLG_MAL_OSX_Wizardupdate_Oct_2021_1 : FILE
 meta:
 description = "Detect WizardUpdate installer on OSX system"
 author = "Arkbird_SOLG"
- id = "1f50b493-9c93-58b2-b9aa-42ea36a19448"
+ id = "50974725-6b45-5f2f-aa76-ae73dc752873"
 date = "2021-10-22"
 modified = "2021-10-23"
 reference = "https://twitter.com/MsftSecIntel/status/1451279679059488773"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-23/WizardUpdate/MAL_OSX_WizardUpdate_Oct_2021_1.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_b25145a9aa33c9518e5e0847b50faa8b67d65078ddfbb66de49196a17ddd3137"
+ logic_hash = "b25145a9aa33c9518e5e0847b50faa8b67d65078ddfbb66de49196a17ddd3137"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205835,13 +205835,13 @@ rule ARKBIRD_SOLG_APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1 : FILE
 meta:
 description = "Detect encoded Kimsuky shellcode used in fake PDF against South Korea"
 author = "Arkbird_SOLG"
- id = "c01dad63-5172-5a59-a508-3ba7e87c3de3"
+ id = "8df7090a-6583-5d25-92bd-422e6b4191f7"
 date = "2021-08-03"
 modified = "2021-08-04"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-04/Kimsuky/APT_Kimsuky_PDF_Enc_Shellcode_Aug_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_54f549b92c232f789aff039c748f1f987e68e9ee10dfab309f2ecba16d574cdb"
+ logic_hash = "54f549b92c232f789aff039c748f1f987e68e9ee10dfab309f2ecba16d574cdb"
 score = 50
 quality = 75
 tags = "FILE"
@@ -205867,13 +205867,13 @@ rule ARKBIRD_SOLG_APT_Kimsuky_PDF_Shellcode_Aug_2021_1 : FILE
 meta:
 description = "Detect Kimsuky shellcode used in fake PDF against South Korea"
 author = "Arkbird_SOLG"
- id = "f4a5d75f-de15-51f7-9502-21648861bd24"
+ id = "0b8d514b-82b6-5106-a87a-0890be1850d5"
 date = "2021-08-03"
 modified = "2021-08-04"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-04/Kimsuky/APT_Kimsuky_PDF_Shellcode_Aug_2021_1.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_432ae4d1e61aec51be03edf7767b1f05ea98d7cb7af90372a70f8ae86002f82a"
+ logic_hash = "432ae4d1e61aec51be03edf7767b1f05ea98d7cb7af90372a70f8ae86002f82a"
 score = 50
 quality = 75
 tags = "FILE"
@@ -205900,13 +205900,13 @@ rule ARKBIRD_SOLG_APT_Aridviper_Installer_Feb_2020_1 : FILE
 meta:
 description = "Detect Installer used by AridViper group in Febuary 2021"
 author = "Arkbird_SOLG"
- id = "6d57b209-53cc-5236-a0de-275ac41ece42"
+ id = "3d891aeb-b4d6-50f2-ad08-cb6d9d56064d"
 date = "2021-02-08"
 modified = "2021-02-09"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-02-08/AridViper/APT_AridViper_Installer_Feb_2020_1.yar#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_1fca713b7ac7f3e960a4174325c32578724e87241e159fbf7754c7e2d19779a1"
+ logic_hash = "1fca713b7ac7f3e960a4174325c32578724e87241e159fbf7754c7e2d19779a1"
 score = 50
 quality = 69
 tags = "FILE"
@@ -205934,13 +205934,13 @@ rule ARKBIRD_SOLG_RAN_Nitro_Aug_2021_1 : FILE
 meta:
 description = "Detect Nitro ransomware"
 author = "Arkbird_SOLG"
- id = "600a42e9-1ec3-5727-be55-db1f041e572d"
+ id = "256059b2-1683-5108-8fc8-3cf0b2e7b613"
 date = "2021-08-12"
 modified = "2021-08-13"
 reference = "https://bazaar.abuse.ch/browse/tag/NitroRansomware/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-13/Nitro/RAN_Nitro_Aug_2021_1.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_c31267cd9bc6c63db8e32b2a0e7518b0432d62f1de52117b9e903fc3370a1f4d"
+ logic_hash = "c31267cd9bc6c63db8e32b2a0e7518b0432d62f1de52117b9e903fc3370a1f4d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -205967,13 +205967,13 @@ rule ARKBIRD_SOLG_Ran_ELF_EXX_Nov_2020_1 : FILE
 meta:
 description = "Detect EXX variant ELF ransomware"
 author = "Arkbird_SOLG"
- id = "5d65aca2-cade-51ca-a905-29b38d33ebb8"
+ id = "fe85d480-317a-51c3-a817-fc9034e2944f"
 date = "2020-12-09"
 modified = "2020-12-09"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-09/EXX/Ran_ELF_EXX_Nov_2020_1.yar#L1-L28"
 license_url = "N/A"
- logic_hash = "v1_sha256_4508a0cf79d0d85959009f59e1471cbf123fa24f5c21da5801e91ed0bbe8a085"
+ logic_hash = "4508a0cf79d0d85959009f59e1471cbf123fa24f5c21da5801e91ed0bbe8a085"
 score = 50
 quality = 73
 tags = "FILE"
@@ -206003,13 +206003,13 @@ rule ARKBIRD_SOLG_APT_APT28_VHD_Nov_2020_1 : FILE
 meta:
 description = "Detect suspicious VHD file with APT28 artefacts inside (November 2020)"
 author = "Arkbird_SOLG"
- id = "bf401d05-25ba-540f-b465-99047788b7dc"
+ id = "25452eaa-f135-5b7f-a523-67715a2ab9f7"
 date = "2020-12-09"
 modified = "2020-12-10"
 reference = "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-09/APT28/APT_APT28_Nov_2020_1.yar#L3-L35"
 license_url = "N/A"
- logic_hash = "v1_sha256_d72c3428cf731feb63c59ef109b99ec234e69bb6df34bdde928cc4b886f0533b"
+ logic_hash = "d72c3428cf731feb63c59ef109b99ec234e69bb6df34bdde928cc4b886f0533b"
 score = 50
 quality = 69
 tags = "FILE"
@@ -206046,13 +206046,13 @@ rule ARKBIRD_SOLG_APT_APT28_Zebrocy_GO_Downloader_Nov_2020_1 : FILE
 meta:
 description = "Detect Zebrocy Go downloader (November 2020)"
 author = "Arkbird_SOLG"
- id = "e9902851-dad8-5aeb-baa2-76970fa5b429"
+ id = "114c0297-7168-5d20-b56b-89b0b47f18c7"
 date = "2020-12-09"
 modified = "2020-12-10"
 reference = "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-09/APT28/APT_APT28_Nov_2020_1.yar#L37-L65"
 license_url = "N/A"
- logic_hash = "v1_sha256_e7b2e7c250f3a98127399176adf9f93b758f0a5111e126dd0a75a3fb95a48da9"
+ logic_hash = "e7b2e7c250f3a98127399176adf9f93b758f0a5111e126dd0a75a3fb95a48da9"
 score = 50
 quality = 61
 tags = "FILE"
@@ -206084,13 +206084,13 @@ rule ARKBIRD_SOLG_APT_Lazarus_EPS_July_2020_1 : FILE
 meta:
 description = " Detected Lazarus EPS script for download and execute the payload in base 64"
 author = "Arkbird_SOLG"
- id = "73ab6ef5-e8e8-50b7-a2b5-7118b463f05d"
+ id = "244ef018-bc7b-5e10-bf65-b52fdb5ad403"
 date = "2020-07-28"
 modified = "2020-07-28"
 reference = "https://twitter.com/spider_girl22/status/1287952503280082944"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-07-28/Lazarus/APT_Lazarus_EPS_July_2020_1.yar#L3-L30"
 license_url = "N/A"
- logic_hash = "v1_sha256_0fbd6ac10a31cc9a571e42f8696480336cd350e56ba2ffafb386f066fd53c552"
+ logic_hash = "0fbd6ac10a31cc9a571e42f8696480336cd350e56ba2ffafb386f066fd53c552"
 score = 75
 quality = 45
 tags = "FILE"
@@ -206123,13 +206123,13 @@ rule ARKBIRD_SOLG_RAN_Conti_May_2021_1 : FILE
 meta:
 description = "Detect packed Conti ransomware (May 2021) [Common parts with Vidar packer, possible false positives to Vidar stealer or Danabot"
 author = "Arkbird_SOLG"
- id = "ee43b78f-e24f-5aa0-b5f2-1f531800e471"
+ id = "661182f7-4716-50d1-8d98-9fb272cf43eb"
 date = "2021-05-19"
 modified = "2021-05-21"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-20/Conti/RAN_Conti_May_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_397f99dee35d8a0c5f564655e952f8a55d347a74303eadfc6788bd6ff0f6c4c5"
+ logic_hash = "397f99dee35d8a0c5f564655e952f8a55d347a74303eadfc6788bd6ff0f6c4c5"
 score = 50
 quality = 75
 tags = "FILE"
@@ -206152,13 +206152,13 @@ rule ARKBIRD_SOLG_RAN_Conti_May_2021_2 : FILE
 meta:
 description = "Detect unpacked Conti ransomware (May 2021)"
 author = "Arkbird_SOLG"
- id = "e18a259f-a97a-542c-bbd5-796f20160fe8"
+ id = "f7580a0d-b94e-560e-a01e-1f0eb0c8833e"
 date = "2021-05-20"
 modified = "2021-05-21"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-20/Conti/RAN_Conti_May_2021_2.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_d1ec1d2954d0075d9d9ed194bb96a34d457045bfc7a22cb44adb76dee4bc8e41"
+ logic_hash = "d1ec1d2954d0075d9d9ed194bb96a34d457045bfc7a22cb44adb76dee4bc8e41"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206183,13 +206183,13 @@ rule ARKBIRD_SOLG_Ran_Robbinhood_Oct_2020_1 : FILE
 meta:
 description = "Detect RobbinHood ransomware"
 author = "Arkbird_SOLG"
- id = "0fe39fe1-4168-5ea1-9b7f-92e60310838b"
+ id = "adaacb06-0738-5d2b-b97e-b9007341f743"
 date = "2020-11-04"
 modified = "2020-11-05"
 reference = "https://twitter.com/joakimkennedy/status/1323957238680178689"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-05/RobbinHood/Ran_RobbinHood_Oct_2020_1.yar#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_72d0e9b1e2f6aee8f24125e6e6801329e2fad016f05a94ad65c04874a016d09d"
+ logic_hash = "72d0e9b1e2f6aee8f24125e6e6801329e2fad016f05a94ad65c04874a016d09d"
 score = 75
 quality = 67
 tags = "FILE"
@@ -206214,13 +206214,13 @@ rule ARKBIRD_SOLG_MAL_Skinnyboy_Launcher_Jun_2021_1 : FILE
 meta:
 description = "Detect the Launcher of SkinnyBoy"
 author = "Arkbird_SOLG"
- id = "28c632a0-4e91-5cec-85d3-8eb7221c7b85"
+ id = "4e69cba4-92ef-5ea5-95d8-b22ed77f515c"
 date = "2021-06-05"
 modified = "2021-06-06"
 reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-06/APT28/MAL_SkinnyBoy_Launcher_Jun_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_4d5906832a1bc90552255ada1cc9e3c7cd3e14e4b0cb11b1bf2c11c57bca8ad8"
+ logic_hash = "4d5906832a1bc90552255ada1cc9e3c7cd3e14e4b0cb11b1bf2c11c57bca8ad8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206244,13 +206244,13 @@ rule ARKBIRD_SOLG_MAL_Skinnyboy_Dropper_Jun_2021_1 : FILE
 meta:
 description = "Detect SkinnyBoy Dropper"
 author = "Arkbird_SOLG"
- id = "ab824553-0584-5444-9e71-fd0e73214755"
+ id = "1ea4cfe7-d44d-5cdb-8436-cb2b09dd2e56"
 date = "2021-05-01"
 modified = "2021-06-06"
 reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-06/APT28/MAL_SkinnyBoy_Dropper_Jun_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_805bc5bb5833a75d68df2a6ce828d70b2257809a3699fdca5e621aae6bdc5070"
+ logic_hash = "805bc5bb5833a75d68df2a6ce828d70b2257809a3699fdca5e621aae6bdc5070"
 score = 75
 quality = 73
 tags = "FILE"
@@ -206274,13 +206274,13 @@ rule ARKBIRD_SOLG_MAL_Skinnyboy_Implant_Jun_2021_1 : FILE
 meta:
 description = "Detect SkinnyBoy Implant"
 author = "Arkbird_SOLG"
- id = "779e30e1-21e0-52b1-b404-fba27a863020"
+ id = "2c78e0f3-a0b3-56fb-b4d2-313c03f1331b"
 date = "2021-06-05"
 modified = "2021-06-06"
 reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-06/APT28/MAL_SkinnyBoy_Implant_Jun_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_37d6b03adaad0a97e91a366d8e5ce47bc0eb77263849422129edf9df28d25bd8"
+ logic_hash = "37d6b03adaad0a97e91a366d8e5ce47bc0eb77263849422129edf9df28d25bd8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206304,13 +206304,13 @@ rule ARKBIRD_SOLG_RAN_PYSA_Sept_2021_1 : FILE
 meta:
 description = "Detect the PYSA ransomware"
 author = "Arkbird_SOLG"
- id = "a890802b-4041-54bb-8356-d5e9fe1b8321"
+ id = "fd939287-ec37-5021-9782-f0f86a9f0e4b"
 date = "2021-09-23"
 modified = "2021-11-10"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-09/PYSA/RAN_PYSA_Sept_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_e16f2ae581b8627ccd4e8ecb56db52c992022473d006843ed19a69c8059ecb54"
+ logic_hash = "e16f2ae581b8627ccd4e8ecb56db52c992022473d006843ed19a69c8059ecb54"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206335,13 +206335,13 @@ rule ARKBIRD_SOLG_UNK_DEV_0322_Jul_2021_1 : CVE_2021_35211 FILE
 meta:
 description = "Detect the script used by DEV-0322 for create a new user after exploit the CVE-2021-35211"
 author = "Arkbird_SOLG"
- id = "54eecbae-9f49-53f8-a244-b77c6a2548d1"
+ id = "8d16eb7f-c137-5f23-8830-ce26dc6e4d52"
 date = "2021-07-16"
 modified = "2021-11-10"
 reference = "https://www.cadosecurity.com/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-09/DEV_0322/UNK_DEV_0322_Jul_2021_1.yara#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_7d7f012053bff6217f0fe9087acbeba13f83cb2c3dbe9a4fe8e7e0e4551edefd"
+ logic_hash = "7d7f012053bff6217f0fe9087acbeba13f83cb2c3dbe9a4fe8e7e0e4551edefd"
 score = 75
 quality = 59
 tags = "CVE-2021-35211, FILE"
@@ -206369,13 +206369,13 @@ rule ARKBIRD_SOLG_APT_Winnti_Elfx64_Aug_2020_1 : FILE
 meta:
 description = "Detect of ELF implant used by APT Winnti in August 2020"
 author = "Arkbird_SOLG"
- id = "d719ffed-0920-5a09-835f-787134fc029e"
+ id = "112e8d60-cbcb-53a7-b458-d39ee03d5c22"
 date = "2020-08-18"
 modified = "2020-08-18"
 reference = "https://twitter.com/KorbenD_Intel/status/1295725146037133312"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-18/Winnti/APT_Winnti_ELFx64_Aug_2020_1.yar#L1-L34"
 license_url = "N/A"
- logic_hash = "v1_sha256_ebe6e60c45336476fd91c4185eee0414c3eba83960301a610b69c8818dbb17fd"
+ logic_hash = "ebe6e60c45336476fd91c4185eee0414c3eba83960301a610b69c8818dbb17fd"
 score = 75
 quality = 36
 tags = "FILE"
@@ -206414,13 +206414,13 @@ rule ARKBIRD_SOLG_APT_APT38_Valeforbeta_Mar_2021_1 : FILE
 meta:
 description = "Detect ValeforBeta used in attacks against Japanese organisations by APT38"
 author = "Arkbird_SOLG"
- id = "7de4cdba-e48b-5a15-a830-be9a2e6545a0"
+ id = "74a20725-3e52-5fef-9934-c812137dc989"
 date = "2021-03-23"
 modified = "2021-03-24"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-23/APT38/APT_APT38_ValeforBeta_Mar_2021_1.yar#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_0ee8202b8978bf487df2a63c17d139076f2e9f68f1827a17929522060a72937a"
+ logic_hash = "0ee8202b8978bf487df2a63c17d139076f2e9f68f1827a17929522060a72937a"
 score = 50
 quality = 67
 tags = "FILE"
@@ -206446,13 +206446,13 @@ rule ARKBIRD_SOLG_APT_APT38_Vsingle_Mar_2021_1 : FILE
 meta:
 description = "Detect VSingle used in attacks against Japanese organisations by APT38"
 author = "Arkbird_SOLG"
- id = "228f2406-1e1a-51f3-96bd-735ef9fdcebb"
+ id = "d1d640f6-bcec-5364-8ea5-e0c0b86da6e1"
 date = "2021-03-23"
 modified = "2021-03-24"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-23/APT38/APT_APT38_VSingle_Mar_2021_1.yar#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_d01baac099ce33b837c83d6778900f7e55b8c63e75d0e552c10ababc8dec744c"
+ logic_hash = "d01baac099ce33b837c83d6778900f7e55b8c63e75d0e552c10ababc8dec744c"
 score = 50
 quality = 69
 tags = "FILE"
@@ -206479,13 +206479,13 @@ rule ARKBIRD_SOLG_MAL_Jssloader_Jun_2021_1 : FILE
 meta:
 description = "Detect JSSLoader malware"
 author = "Arkbird_SOLG"
- id = "bf6f411c-8e1d-507b-a8ef-63be332884d1"
+ id = "192b1386-f0bc-54e8-9341-84f77f4f07c5"
 date = "2021-06-04"
 modified = "2021-06-05"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-04/FIN7/MAL_JSSLoader_Jun_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_73942afed6b3471be07be1fba3e7f90ec7f2377a1167aeef70627cd07faa3681"
+ logic_hash = "73942afed6b3471be07be1fba3e7f90ec7f2377a1167aeef70627cd07faa3681"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206510,13 +206510,13 @@ rule ARKBIRD_SOLG_MAL_Nglite_Nov_2021_2 : FILE
 meta:
 description = "Detect NGLite backdoor (version B)"
 author = "Arkbird_SOLG"
- id = "9b8688d9-cff3-5de8-b687-4865c0c09444"
+ id = "e18f2891-366b-5cff-a17e-63523bfd9cee"
 date = "2021-11-08"
 modified = "2021-11-09"
 reference = "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-08/NGLite/MAL_NGLite_Nov_2021_2.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_4d44d208010ca17f47f597f7d9eb5ee39d91a2d9077218a173ef0015699dc296"
+ logic_hash = "4d44d208010ca17f47f597f7d9eb5ee39d91a2d9077218a173ef0015699dc296"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206540,13 +206540,13 @@ rule ARKBIRD_SOLG_MAL_Nglite_Nov_2021_1 : FILE
 meta:
 description = "Detect NGLite backdoor (version A)"
 author = "Arkbird_SOLG"
- id = "f683cd87-a36d-5c80-b41c-cbb8bfc3909a"
+ id = "cf2845f3-1176-5197-9d05-f123b0f23c75"
 date = "2021-11-09"
 modified = "2021-11-09"
 reference = "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-08/NGLite/MAL_NGLite_Nov_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_ebafc52da76b9a960ee3c2c99955fb5dcb4acff2b7a0d7fad714bfc17617331a"
+ logic_hash = "ebafc52da76b9a960ee3c2c99955fb5dcb4acff2b7a0d7fad714bfc17617331a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206570,13 +206570,13 @@ rule ARKBIRD_SOLG_RAN_Blackmatter_Aug_2021_1 : FILE
 meta:
 description = "Detect BlackMatter ransomware"
 author = "Arkbird_SOLG"
- id = "4ffa904a-9fc4-5abb-abec-887248cd0ce2"
+ id = "eb308cde-af92-5b34-b256-88009f90810f"
 date = "2021-08-02"
 modified = "2021-08-02"
 reference = "https://twitter.com/abuse_ch/status/1421834305416933376"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-01/Blackmatter/RAN_BlackMatter_Aug_2021_1.yara#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_ff158ce977eb10f36c9e8a032dd3880fcd5ecc09e9cc07cd27b98bbce5661d75"
+ logic_hash = "ff158ce977eb10f36c9e8a032dd3880fcd5ecc09e9cc07cd27b98bbce5661d75"
 score = 50
 quality = 71
 tags = "FILE"
@@ -206603,13 +206603,13 @@ rule ARKBIRD_SOLG_APT_APT34_Dustman_Apr_2021_1 : FILE
 meta:
 description = "Detect the Installer of Dustman wiper used by APT34"
 author = "Arkbird_SOLG"
- id = "88b3b133-4f58-5cc0-b58e-20650cbaf3e4"
+ id = "071063f5-d2a4-5666-a8c4-283c02061f6d"
 date = "2021-04-28"
 modified = "2021-04-30"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-04-29/APT34/APT_APT34_Dustman_Apr_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_44e68fa21c1d6258bc9c0dcdc9cc531a15081122c90b23607bcfda716471aeb6"
+ logic_hash = "44e68fa21c1d6258bc9c0dcdc9cc531a15081122c90b23607bcfda716471aeb6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206633,13 +206633,13 @@ rule ARKBIRD_SOLG_Ran_Buran_Oct_2020_1 : FILE
 meta:
 description = "Detect Buran ransomware"
 author = "Arkbird_SOLG"
- id = "a0fe9086-8329-5211-bc12-423e1ef82aa7"
+ id = "dbdc251e-9ac6-5de1-8a72-72ac159daf4c"
 date = "2020-11-05"
 modified = "2020-11-06"
 reference = "https://twitter.com/JAMESWT_MHT/status/1323956405976600579"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-06/Buran/Ran_Buran_Oct_2020_1.yar#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_a6984d21451c980d001e040325c66b547060653ac97556bc379da40f3ab6a70a"
+ logic_hash = "a6984d21451c980d001e040325c66b547060653ac97556bc379da40f3ab6a70a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206666,13 +206666,13 @@ rule ARKBIRD_SOLG_Ran_Ruyk_Oct_2020_1 : FILE
 meta:
 description = "Detect RYUK ransomware (Sept_2020_V1)"
 author = "Arkbird_SOLG"
- id = "81a040ce-7ffe-5ea3-aeed-1a42265c7af9"
+ id = "7ade43ef-cd31-5308-b5ab-71f04d27018b"
 date = "2020-10-25"
 modified = "2020-10-27"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-27/RYUK/Ran_Ruyk_Oct2020_1.yar#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_b70eb2e5f58076ea8d4d1370649358acf68f3119cb2be6d5ef0a302bb3bf5d1e"
+ logic_hash = "b70eb2e5f58076ea8d4d1370649358acf68f3119cb2be6d5ef0a302bb3bf5d1e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206706,13 +206706,13 @@ rule ARKBIRD_SOLG_Mem_Cryptor_Obsidium_Oct_2020_1 : FILE
 meta:
 description = "Detect Obsidium cryptor by memory string"
 author = "Arkbird_SOLG"
- id = "8a88f26c-0541-5a82-910c-d6404322d680"
+ id = "039c45f0-cc43-50ee-ae4e-a7e0e220dc04"
 date = "2020-10-25"
 modified = "2020-10-27"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-27/RYUK/Mem_Cryptor_Obsidium_Oct_2020_1.yar#L1-L15"
 license_url = "N/A"
- logic_hash = "v1_sha256_5f471064505d7ab634b6d52f66fa0a96682af2eb1dd41afe4449543253c6bbf7"
+ logic_hash = "5f471064505d7ab634b6d52f66fa0a96682af2eb1dd41afe4449543253c6bbf7"
 score = 75
 quality = 50
 tags = "FILE"
@@ -206732,13 +206732,13 @@ rule ARKBIRD_SOLG_Ran_Ruyk_Oct_2020_2 : FILE
 meta:
 description = "Detect RYUK ransomware (Sept_2020_V1 + V2)"
 author = "Arkbird_SOLG"
- id = "a13ba148-3b98-5752-91f3-4b2740a05e60"
+ id = "82ed6736-00e6-5a30-89cf-a2b86f2e1ba6"
 date = "2020-10-25"
 modified = "2020-10-28"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-27/RYUK/Ran_Ruyk_Oct2020_2.yar#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_a06d61b9363b732d17a2766b280951198a6adc226e284ab1d909cd98516cfb6f"
+ logic_hash = "a06d61b9363b732d17a2766b280951198a6adc226e284ab1d909cd98516cfb6f"
 score = 75
 quality = 46
 tags = "FILE"
@@ -206772,13 +206772,13 @@ rule ARKBIRD_SOLG_APT_APT28_Downdelph_Feb_2021_1 : FILE
 meta:
 description = "Detect Downdelph used by APT28 group"
 author = "Arkbird_SOLG"
- id = "9d6ac3b7-cfc8-515b-8eb1-b83cf08e7cf4"
+ id = "0376c026-93eb-526a-8ab3-26bdd365e608"
 date = "2021-02-18"
 modified = "2021-02-19"
 reference = "https://twitter.com/RedDrip7/status/1362343352759250946"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-02-18/APT28/APT_APT28_Downdelph_Feb_2021_1.yar#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_15e38ceeb0410645938ce2f90becf9a344711efd6e539f304de7b413f6f3b420"
+ logic_hash = "15e38ceeb0410645938ce2f90becf9a344711efd6e539f304de7b413f6f3b420"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206800,13 +206800,13 @@ rule ARKBIRD_SOLG_Ran_Mount_Locker_Nov_2020_1 : FILE
 meta:
 description = "Detect Mount Locker ransomware (November 2020 variant)"
 author = "Arkbird_SOLG"
- id = "4fe3dc42-ce53-51bd-9033-df6038cf94c4"
+ id = "20fde6f4-ef7d-57c4-8cc2-a6ea810c2b0c"
 date = "2020-11-20"
 modified = "2020-11-22"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-21/Mount Locker/Ran_Mount_Locker_Nov_2020_1.yar#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_028e89e9c0c46ac5c36fee5cbfba068b4c6c1f53aa224e454ebd358f2c6ae9a9"
+ logic_hash = "028e89e9c0c46ac5c36fee5cbfba068b4c6c1f53aa224e454ebd358f2c6ae9a9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206836,13 +206836,13 @@ rule ARKBIRD_SOLG_Loa_JS_Gootkit_Nov_2020_1 : FILE
 meta:
 description = "Detect JS loader used on the Gootkit killchain (November 2020)"
 author = "Arkbird_SOLG"
- id = "92eab92a-f5d1-5871-ad81-bc39b6c68482"
+ id = "649133bd-a44c-5d99-befa-0508fed27ed8"
 date = "2020-11-21"
 modified = "2020-11-21"
 reference = "https://twitter.com/ffforward/status/1330214661577437187"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-21/Gootkit/Loa_JS_Gootkit_Nov_2020_1.yar#L1-L16"
 license_url = "N/A"
- logic_hash = "v1_sha256_f24d31e7107b8c59b969481596a5e1369933bf2b0fa5117cd1aa5f7ea116d8d5"
+ logic_hash = "f24d31e7107b8c59b969481596a5e1369933bf2b0fa5117cd1aa5f7ea116d8d5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206863,13 +206863,13 @@ rule ARKBIRD_SOLG_APT_APT29_Miniduke_Mar_2021_1 : FILE
 meta:
 description = "Detect MiniDuke implant used by APT29 group"
 author = "Arkbird_SOLG"
- id = "45170c3a-13e8-53e5-90c8-faa915026280"
+ id = "2faefc2f-afe3-51df-b530-50d3b3775071"
 date = "2021-03-08"
 modified = "2021-03-10"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-09/APT29/APT_APT29_MiniDuke_Mar_2021_1.yar#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_2fcbe37f9ee26a246bfc397cc907bb570a01d0f5b8e323a81aae0f6426b60435"
+ logic_hash = "2fcbe37f9ee26a246bfc397cc907bb570a01d0f5b8e323a81aae0f6426b60435"
 score = 50
 quality = 75
 tags = "FILE"
@@ -206891,13 +206891,13 @@ rule ARKBIRD_SOLG_APT_APT29_Fatduke_Mar_2021_1 : FILE
 meta:
 description = "Detect Fatduke implant used by APT29 group"
 author = "Arkbird_SOLG"
- id = "8c64f89b-31df-584d-a229-f5d50ebb089e"
+ id = "aed6d6f0-1baf-5842-8ced-e07f213ef1ff"
 date = "2021-03-08"
 modified = "2021-03-10"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-09/APT29/APT_APT29_Fatduke_Mar_2021_1.yar#L1-L25"
 license_url = "N/A"
- logic_hash = "v1_sha256_2aec00355b14ec81f577527d3eba1f682ce96cc9e6ac7727b3865ddf01ddf69a"
+ logic_hash = "2aec00355b14ec81f577527d3eba1f682ce96cc9e6ac7727b3865ddf01ddf69a"
 score = 50
 quality = 67
 tags = "FILE"
@@ -206922,13 +206922,13 @@ rule ARKBIRD_SOLG_APT_APT29_Polyglotduke_Mar_2021_1 : FILE
 meta:
 description = "Detect PolyglotDuke implant used by APT29 group"
 author = "Arkbird_SOLG"
- id = "95e5ea03-a44c-5a5c-a4fa-1be3aa0b1912"
+ id = "751e4f57-2c31-5cad-a794-e124b40c537b"
 date = "2021-03-08"
 modified = "2021-03-10"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-09/APT29/APT_APT29_PolyglotDuke_Mar_2021_1.yar#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_3a6d54fb266fe054886569c200f122b1e4459e0d561fe5246b623a19ec526224"
+ logic_hash = "3a6d54fb266fe054886569c200f122b1e4459e0d561fe5246b623a19ec526224"
 score = 75
 quality = 75
 tags = "FILE"
@@ -206951,13 +206951,13 @@ rule ARKBIRD_SOLG_MAL_Stealer_Cookie_July_2020_1 : FILE
 meta:
 description = "Detect strings used by EdgeCookiesView and ChromeCookiesView in the ressources of the Cookie Stealer"
 author = "Arkbird_SOLG"
- id = "d70f73ad-1349-567e-bc73-6973090ce759"
+ id = "02a68973-73b2-572a-a358-f0edc921773a"
 date = "2020-07-09"
 modified = "2020-07-09"
 reference = "https://twitter.com/JAMESWT_MHT/status/1281154921811841026"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-07-09/MAL_Stealer_Cookie_July_2020_1.yar#L3-L32"
 license_url = "N/A"
- logic_hash = "v1_sha256_63747567a9dd68ac0d16b67910957cb9bc28d7237f431ac0c76403ca810e1b94"
+ logic_hash = "63747567a9dd68ac0d16b67910957cb9bc28d7237f431ac0c76403ca810e1b94"
 score = 75
 quality = 50
 tags = "FILE"
@@ -206994,13 +206994,13 @@ rule ARKBIRD_SOLG_APT_Sidewinder_NET_Loader_Aug_2020_1 : FILE
 meta:
 description = "Detected the NET loader used by SideWinder group (August 2020)"
 author = "Arkbird_SOLG"
- id = "58aed6bf-9b08-5fc9-af15-2809d44b487c"
+ id = "7334a3b8-cd56-5820-a073-5bd22076644f"
 date = "2020-08-24"
 modified = "2020-08-24"
 reference = "https://twitter.com/ShadowChasing1/status/1297902086747598852"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-24/SideWinder/APT_SideWinder_NET_Loader_Aug_2020_1.yar#L3-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_b40127cd845d75ef81eb230c12635da00dd77fc53e5886c253a2466627aa8534"
+ logic_hash = "b40127cd845d75ef81eb230c12635da00dd77fc53e5886c253a2466627aa8534"
 score = 75
 quality = 73
 tags = "FILE"
@@ -207024,13 +207024,13 @@ rule ARKBIRD_SOLG_Mal_Stealer_NET_Redline_Aug_2020_1 : FILE
 meta:
 description = "Detect Redline Stealer (August 2020)"
 author = "Arkbird_SOLG"
- id = "d86a186d-cd3c-5fdc-9171-1f2ebc1297b9"
+ id = "6fda87c3-0d00-5c00-a1ff-6d96dd726ddf"
 date = "2020-08-24"
 modified = "2020-08-24"
 reference = "https://twitter.com/JAMESWT_MHT/status/1297878628450152448"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-24/Redline/Mal_Stealer_NET_Redline_Aug_2020_1.yar#L1-L31"
 license_url = "N/A"
- logic_hash = "v1_sha256_950641dfaf17f332e6a18961aebb2533732d82ce69f3617efa08cc63272f1786"
+ logic_hash = "950641dfaf17f332e6a18961aebb2533732d82ce69f3617efa08cc63272f1786"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207066,13 +207066,13 @@ rule ARKBIRD_SOLG_MAL_Windealer_Oct_2021_1 : FILE
 meta:
 description = "Detect WinDealer implant"
 author = "Arkbird_SOLG"
- id = "5d5049c3-0561-5a55-a46c-41da049addfa"
+ id = "7ffece8a-b56a-5893-a135-3001c0327f66"
 date = "2021-10-30"
 modified = "2021-10-31"
 reference = "https://blogs.jpcert.or.jp/en/2021/10/windealer.html"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-30/WinDealer/MAL_WinDealer_Oct_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_b6211274a0ffa55723d3c34763540278197507b4bd4b853249e16501a3aa5acb"
+ logic_hash = "b6211274a0ffa55723d3c34763540278197507b4bd4b853249e16501a3aa5acb"
 score = 75
 quality = 71
 tags = "FILE"
@@ -207096,13 +207096,13 @@ rule ARKBIRD_SOLG_MAL_Windealer_Oct_2021_2 : FILE
 meta:
 description = "Detect modules from WinDealer implant"
 author = "Arkbird_SOLG"
- id = "264d5962-9106-556a-8f97-660abd8b8115"
+ id = "3cca1fa1-2651-5a93-bef1-d32a7b5be4c9"
 date = "2021-10-30"
 modified = "2021-10-31"
 reference = "https://blogs.jpcert.or.jp/en/2021/10/windealer.html"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-10-30/WinDealer/MAL_WinDealer_Oct_2021_2.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_c2fb5697dcdb34e0fb3e2dbd2df05748eddc2796c253e90503372eb73c475fab"
+ logic_hash = "c2fb5697dcdb34e0fb3e2dbd2df05748eddc2796c253e90503372eb73c475fab"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207126,13 +207126,13 @@ rule ARKBIRD_SOLG_RAN_Matrix_Sep_2020_1 : FILE
 meta:
 description = "Detect MATRIX ransomware"
 author = "Arkbird_SOLG"
- id = "b8364d2d-33c7-5afd-a51e-40c597242161"
+ id = "a7df188c-e381-55e6-97e6-45f5830ff0d3"
 date = "2020-10-15"
 modified = "2020-10-15"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-15/MATRIX/RAN_Matrix_Sep_2020_1.yar#L1-L28"
 license_url = "N/A"
- logic_hash = "v1_sha256_e832b258e8d2ee94ebbf2e715ca01960a92d723ee017261b18ce05d3095bf8a3"
+ logic_hash = "e832b258e8d2ee94ebbf2e715ca01960a92d723ee017261b18ce05d3095bf8a3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207165,13 +207165,13 @@ rule ARKBIRD_SOLG_RAN_Crylock_Oct_2020_1 : FILE
 meta:
 description = "Detect CryLock ransomware V2.0.0"
 author = "Arkbird_SOLG"
- id = "c86ab4f1-82d9-50c3-b96d-cb4fdbcd70b7"
+ id = "642211e0-b5fe-5842-ab16-ca1fc8d00ac0"
 date = "2020-10-14"
 modified = "2020-10-15"
 reference = "https://twitter.com/JAMESWT_MHT/status/1316426560803680257"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-15/Crylock/RAN_CryLock_Oct_2020_1.yar#L1-L31"
 license_url = "N/A"
- logic_hash = "v1_sha256_5d9aae41283c5738f2e584ea8d236ae64f7615ec629f9513fddb611714ddc230"
+ logic_hash = "5d9aae41283c5738f2e584ea8d236ae64f7615ec629f9513fddb611714ddc230"
 score = 75
 quality = 71
 tags = "FILE"
@@ -207205,13 +207205,13 @@ rule ARKBIRD_SOLG_TA505_Bin_21Nov_1 : FILE
 meta:
 description = "module1.bin"
 author = "Arkbird_SOLG"
- id = "1536c862-9210-5cd3-aef9-e21b60720766"
+ id = "2f23653e-5158-5a64-86ee-a58048780661"
 date = "2019-11-21"
 modified = "2019-11-21"
 reference = "https://twitter.com/58_158_177_102/status/1197432303057637377"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/20-11-19/Yara_Rule_TA505_Nov19.yar#L3-L30"
 license_url = "N/A"
- logic_hash = "v1_sha256_133f202300a9e0428d20ce76bc832cf45cb5dacb05e39c21130d8d5cc39446ba"
+ logic_hash = "133f202300a9e0428d20ce76bc832cf45cb5dacb05e39c21130d8d5cc39446ba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207245,13 +207245,13 @@ rule ARKBIRD_SOLG_TA505_Bin_21Nov_2 : FILE
 meta:
 description = "vspub1.bin"
 author = "Arkbird_SOLG"
- id = "9f61e354-d212-5721-9ad2-dcd9e1accd2b"
+ id = "2bbd1d3a-50ab-5c6a-97fe-60b5a86e8d18"
 date = "2019-11-21"
 modified = "2019-11-21"
 reference = "https://twitter.com/58_158_177_102/status/1197432303057637377"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/20-11-19/Yara_Rule_TA505_Nov19.yar#L32-L50"
 license_url = "N/A"
- logic_hash = "v1_sha256_43fb83abdeb1a31da836b4cf99dcda269f6d005cbb8eb2d845498d2c589574e1"
+ logic_hash = "43fb83abdeb1a31da836b4cf99dcda269f6d005cbb8eb2d845498d2c589574e1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207274,13 +207274,13 @@ rule ARKBIRD_SOLG_TA505_Maldoc_21Nov_1 : FILE
 meta:
 description = "invitation.doc"
 author = "Arkbird_SOLG"
- id = "2dc6b753-9cef-5c12-9099-9e24ec980026"
+ id = "10562979-0b90-5752-89b8-f0d35121df41"
 date = "2019-11-21"
 modified = "2019-11-21"
 reference = "https://twitter.com/58_158_177_102/status/1197432303057637377"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/20-11-19/Yara_Rule_TA505_Nov19.yar#L52-L83"
 license_url = "N/A"
- logic_hash = "v1_sha256_7d2cbc0a505c245aa3e9e8a76cebc7ea7dbd4bd3be26a858f731b96791293ba5"
+ logic_hash = "7d2cbc0a505c245aa3e9e8a76cebc7ea7dbd4bd3be26a858f731b96791293ba5"
 score = 75
 quality = 50
 tags = "FILE"
@@ -207316,13 +207316,13 @@ rule ARKBIRD_SOLG_TA505_Maldoc_21Nov_2 : FILE
 meta:
 description = "invitation (1).xls"
 author = "Arkbird_SOLG"
- id = "5b047fff-7c3d-51a5-9756-5b1755eb6295"
+ id = "e6328342-0d08-58a3-befe-15de41649763"
 date = "2019-11-21"
 modified = "2019-11-21"
 reference = "https://twitter.com/58_158_177_102/status/1197432303057637377"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/20-11-19/Yara_Rule_TA505_Nov19.yar#L85-L116"
 license_url = "N/A"
- logic_hash = "v1_sha256_84c7f064fb813934e397d81dad8af6288cb919e046cd2bb16f9ca6dc348c43c2"
+ logic_hash = "84c7f064fb813934e397d81dad8af6288cb919e046cd2bb16f9ca6dc348c43c2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207358,13 +207358,13 @@ rule ARKBIRD_SOLG_Malware_Casbaneiro_MSI : FILE
 meta:
 description = "Detect MSIPackage used by Casbaneiro"
 author = "Arkbird_SOLG"
- id = "4ee9b1df-133d-5b4d-9adb-6bced12d5637"
+ id = "47a5ea47-f799-5467-a482-9816c0de3ecf"
 date = "2020-06-05"
 modified = "2020-06-05"
 reference = "https://twitter.com/JAMESWT_MHT/status/1268811438707159040"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-05/Casbaneiro/Casbaneiro_stealer.yar#L3-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_fa1c53268d51b4b34b4cf4cd84ddb43ffba1dfa8bbe73cd7506f5e31e970855b"
+ logic_hash = "fa1c53268d51b4b34b4cf4cd84ddb43ffba1dfa8bbe73cd7506f5e31e970855b"
 score = 75
 quality = 71
 tags = "FILE"
@@ -207389,13 +207389,13 @@ rule ARKBIRD_SOLG_MAL_Shark_Aug_2021_1 : FILE
 meta:
 description = "Detect Shark backdoor used by Hexane group (aka Siamesekitten)"
 author = "Arkbird_SOLG"
- id = "042c63af-24ba-5cb8-9ccf-68f253a68dd6"
+ id = "881dcdd9-2f4d-51d3-b046-15cdb2a2cb55"
 date = "2021-08-18"
 modified = "2021-08-19"
 reference = "https://www.clearskysec.com/siamesekitten/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-19/Hexane/MAL_Shark_Aug_2021_1.yara#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_c14abb839f4af81a3db38719f23c47498d577a779950e66978ff14d015043490"
+ logic_hash = "c14abb839f4af81a3db38719f23c47498d577a779950e66978ff14d015043490"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207423,13 +207423,13 @@ rule ARKBIRD_SOLG_MAL_Milan_Aug_2021_1 : FILE
 meta:
 description = "Detect Milian backdoor used by Hexane group (aka Siamesekitten)"
 author = "Arkbird_SOLG"
- id = "c96ca7f1-ae74-542d-afc8-b4b47851b450"
+ id = "34acac5a-6090-5a68-9afb-4da7073bed58"
 date = "2021-08-18"
 modified = "2021-08-19"
 reference = "https://www.clearskysec.com/siamesekitten/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-19/Hexane/MAL_Milan_Aug_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_bad8ae2a9275bcb6e0e903fda6a128a1bed676c8e1a8e653e9fc3467766ce7fc"
+ logic_hash = "bad8ae2a9275bcb6e0e903fda6a128a1bed676c8e1a8e653e9fc3467766ce7fc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207455,13 +207455,13 @@ rule ARKBIRD_SOLG_APT_Evilnum_LNK_Jul_2021_1 : FILE
 meta:
 description = "Detect LNK file used by EvilNum group"
 author = "Arkbird_SOLG"
- id = "d3923200-9545-579a-b3ba-d036838300c4"
+ id = "9d570c02-606a-5bff-af7a-9b5ef1e6df90"
 date = "2020-07-13"
 modified = "2021-07-14"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-13/EvilNum/APT_EvilNum_LNK_Jul_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_d20aadfce6a0246f415f94a62edbf7fd48dcdcd9756a5a8d898a5459633b9350"
+ logic_hash = "d20aadfce6a0246f415f94a62edbf7fd48dcdcd9756a5a8d898a5459633b9350"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207488,13 +207488,13 @@ rule ARKBIRD_SOLG_APT_Evilnum_JS_Jul_2021_1 : FILE
 meta:
 description = "Detect JS script used by EvilNum group"
 author = "Arkbird_SOLG"
- id = "2a66020d-d8ba-5dfb-8d58-9bd223b80fd8"
+ id = "08b410c4-4899-5280-9735-6b3017c7a813"
 date = "2020-07-13"
 modified = "2021-07-14"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-13/EvilNum/APT_EvilNum_JS_Jul_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_0ace40e54f6dca078f17e7e157c7973642b83366ba792d2bcdc0d971f729fb68"
+ logic_hash = "0ace40e54f6dca078f17e7e157c7973642b83366ba792d2bcdc0d971f729fb68"
 score = 75
 quality = 69
 tags = "FILE"
@@ -207521,13 +207521,13 @@ rule ARKBIRD_SOLG_MAL_Moriya_May_2021_1 : FILE
 meta:
 description = "Detect Moriya rootkit used in the TunnelSnake operation"
 author = "Arkbird_SOLG"
- id = "b49d6f33-e72f-5add-a663-689f1c988751"
+ id = "6a78ddc0-b39f-5aec-9c54-980854173abf"
 date = "2020-05-07"
 modified = "2021-05-26"
 reference = "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-26/Moriya/MAL_Moriya_May_2021_1.yara#L1-L27"
 license_url = "N/A"
- logic_hash = "v1_sha256_f73049f261428c8921a2c8a86fb5d242719e5dc9f30a5c58e86be1a79d84a42d"
+ logic_hash = "f73049f261428c8921a2c8a86fb5d242719e5dc9f30a5c58e86be1a79d84a42d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207559,13 +207559,13 @@ rule ARKBIRD_SOLG_MAL_Moriya_May_2021_2 : FILE
 meta:
 description = "Detect Moriya rootkit used in the TunnelSnake operation"
 author = "Arkbird_SOLG"
- id = "1162140f-86c1-53fe-a081-a11984769a8f"
+ id = "25cecff1-94f9-5e8d-8758-9b891e9d7373"
 date = "2020-05-26"
 modified = "2021-05-27"
 reference = "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-26/Moriya/MAL_Moriya_May_2021_2.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_11ef00940604c3337b1c8c00903297343cfd4e8f3899b949d58e4203ab68d3fd"
+ logic_hash = "11ef00940604c3337b1c8c00903297343cfd4e8f3899b949d58e4203ab68d3fd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207592,13 +207592,13 @@ rule ARKBIRD_SOLG_EXP_CVE_2021_1647_Apr_2021_1 : CVE_2021_1647 FILE
 meta:
 description = "Detect CVE-2021-1647 tool "
 author = "Arkbird_SOLG"
- id = "2a4591c3-7e93-5ed6-bfc1-3a7c9630f35e"
+ id = "c4c14d22-adf8-51b1-b898-7e253447824f"
 date = "2021-05-04"
 modified = "2021-05-05"
 reference = "-"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-04/CVE-2021-1647/EXP_CVE_2021_1647_Apr_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_58f16973f68b1b792f6f1575b6a3f386493d033767ee97e48a33044e3ddc3426"
+ logic_hash = "58f16973f68b1b792f6f1575b6a3f386493d033767ee97e48a33044e3ddc3426"
 score = 75
 quality = 75
 tags = "CVE-2021-1647, FILE"
@@ -207621,13 +207621,13 @@ rule ARKBIRD_SOLG_MAL_Emotet_Nov_2021_1 : FILE
 meta:
 description = "Detect Emotet loader"
 author = "Arkbird_SOLG"
- id = "934b6da6-a531-56f4-bcfa-827d23d0c130"
+ id = "ad67c735-7ed9-5440-b693-55dce9840f56"
 date = "2021-11-15"
 modified = "2021-11-16"
 reference = "https://cyber.wtf/2021/11/15/guess-whos-back/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-16/MAL_Emotet_Nov_2021_1.yara#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_9ae3cbf863fdf3addd7ec00b4d6b55024c3159156518ef15fff79f5a92988297"
+ logic_hash = "9ae3cbf863fdf3addd7ec00b4d6b55024c3159156518ef15fff79f5a92988297"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207651,13 +207651,13 @@ rule ARKBIRD_SOLG_MAL_Klingon_Jun_2021_1 : FILE
 meta:
 description = "Detect the Klingon RAT"
 author = "Arkbird_SOLG"
- id = "2a47b220-7989-529d-9b74-65649e302f37"
+ id = "bf114c4d-3010-5b34-954e-82794e30edcb"
 date = "2021-06-19"
 modified = "2021-06-21"
 reference = "https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-20/Klingon/MAL_Klingon_Jun_2021_1.yara#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_283452d24edea988dc353fada4cd1e050db244a48cc6ab30f70e1900ca9c7c2f"
+ logic_hash = "283452d24edea988dc353fada4cd1e050db244a48cc6ab30f70e1900ca9c7c2f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207680,13 +207680,13 @@ rule ARKBIRD_SOLG_APT_APT_C_61_Dec_2021_1 : FILE
 meta:
 description = "Detect similiar structures used in the APT-C-61 maldocs"
 author = "Arkbird_SOLG"
- id = "986d9391-c016-568f-8e64-a0aed12374a5"
+ id = "48054d32-6613-5a54-b19c-8e9b8f747c14"
 date = "2021-12-13"
 modified = "2021-12-14"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-12-13/APT_APT_C_61_Dec_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_be742a0ebc53f09872d5231cf367bb1e3ae04c1a70ce94610b6597e426eeb389"
+ logic_hash = "be742a0ebc53f09872d5231cf367bb1e3ae04c1a70ce94610b6597e426eeb389"
 score = 75
 quality = 69
 tags = "FILE"
@@ -207710,13 +207710,13 @@ rule ARKBIRD_SOLG_MAL_Sidoh_Stealer_Aug_2021_1 : FILE
 meta:
 description = "Detect Sidoh Stealer used by RYUK group"
 author = "Arkbird_SOLG"
- id = "1a105b4a-0cea-51f9-8b2a-57f608a4a79d"
+ id = "b4661304-6dfa-5c33-95f2-8694271b9e58"
 date = "2021-08-31"
 modified = "2021-09-01"
 reference = "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-31/Sidoh/MAL_Sidoh_Stealer_Aug_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_baeea14c6be42d64d3ca68298bf6ced34c9587fcda91471945cfc7ed1fe267bd"
+ logic_hash = "baeea14c6be42d64d3ca68298bf6ced34c9587fcda91471945cfc7ed1fe267bd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207741,13 +207741,13 @@ rule ARKBIRD_SOLG_MAL_Milum_Jul_2021_1 : FILE
 meta:
 description = "Detect Milum malware"
 author = "Arkbird_SOLG"
- id = "bf58de9d-7a03-5adb-b343-a4df387a870e"
+ id = "ba1cc56e-f6da-57db-a773-4823ae343e31"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://securelist.com/wildpressure-targets-macos/103072/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-08/WildPressure/MAL_Milum_Jul_2021_1.yara#L1-L33"
 license_url = "N/A"
- logic_hash = "v1_sha256_4321051fdc9ab5f4ee12c4b505e4271df89b489067875eaf3d2cb670815f7e37"
+ logic_hash = "4321051fdc9ab5f4ee12c4b505e4271df89b489067875eaf3d2cb670815f7e37"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207777,13 +207777,13 @@ rule ARKBIRD_SOLG_APT_Lazarus_Stealer_Packed_July_2020_1 : FILE
 meta:
 description = "Detected Lazarus Strealer Packed by Thermida - July 2020"
 author = "Arkbird_SOLG"
- id = "7cea9ddb-f954-5a84-b106-bae1acac0bdd"
+ id = "325039a4-34c7-5144-93c0-61b013e30606"
 date = "2020-07-23"
 modified = "2023-11-22"
 reference = "https://twitter.com/DeadlyLynn/status/1286233135751995397"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-07-23/Yara_Rule_APT_Lazarus_Stealer_July_2020_1.yar#L36-L66"
 license_url = "N/A"
- logic_hash = "v1_sha256_f062c8f784133ad586490036757ff9d5e8a799e8abac94eeacf60743783e19ed"
+ logic_hash = "f062c8f784133ad586490036757ff9d5e8a799e8abac94eeacf60743783e19ed"
 score = 75
 quality = 50
 tags = "FILE"
@@ -207820,13 +207820,13 @@ rule ARKBIRD_SOLG_MAL_Heinote_June_2020_1 : FILE
 meta:
 description = "Detect Hienote malware"
 author = "Arkbird_SOLG"
- id = "d424d754-9f61-5c36-bb64-726309ecc3f2"
+ id = "5c0e604a-83d4-5c6f-83fa-0df878da80d8"
 date = "2020-06-26"
 modified = "2023-11-22"
 reference = "https://twitter.com/JAMESWT_MHT/status/1276471822217891840"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-06-26/Heinote_June_2020-1.yar#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_679f1113c9c770910d18da395b13aaef009ecdde91a0c11f931d0d7e63ed122a"
+ logic_hash = "679f1113c9c770910d18da395b13aaef009ecdde91a0c11f931d0d7e63ed122a"
 score = 75
 quality = 61
 tags = "FILE"
@@ -207859,13 +207859,13 @@ rule ARKBIRD_SOLG_MAL_Cadelspy_Stealer_May_2021_1 : FILE
 meta:
 description = "Detect Cadelspy stealer"
 author = "Arkbird_SOLG"
- id = "97f67a2c-1101-5b43-b804-002661aee81b"
+ id = "bac23ed9-f51c-546e-8f4e-320d33b51829"
 date = "2021-05-30"
 modified = "2021-06-05"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-30/APT39/MAL_Cadelspy_Stealer_May_2021_1.yara#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_29fade3703c55bd16e67f9bf126cb0d8a06bc0eafe10e145f8d57d8c4abe5656"
+ logic_hash = "29fade3703c55bd16e67f9bf126cb0d8a06bc0eafe10e145f8d57d8c4abe5656"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207894,14 +207894,14 @@ rule ARKBIRD_SOLG_APT_Chisel_Hafnium_Feb_2021_1 : FILE
 meta:
 description = "Rule for detecting Chisel kit tool used by Hafnium"
 author = "Arkbird_SOLG"
- id = "d26ac190-c1d6-53d1-a71c-77a837fed4ba"
+ id = "cd6be3b4-71fd-5e17-8835-a331a24fc5d6"
 date = "2021-02-23"
 modified = "2021-04-25"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-02-23/Hafinum/APT_Chisel_Hafnium_Feb_2021_1.yara#L1-L28"
 license_url = "N/A"
 hash = "4afa5fde76f1f3030cf7dbd12e37b717e1f902ac95c8bdf54a2e58a64faade04"
- logic_hash = "v1_sha256_8e56234ce59197a8df51b21b89d3a901785dbb0211ab576cb3d194de34b611de"
+ logic_hash = "8e56234ce59197a8df51b21b89d3a901785dbb0211ab576cb3d194de34b611de"
 score = 75
 quality = 57
 tags = "FILE"
@@ -207930,13 +207930,13 @@ rule ARKBIRD_SOLG_APT_Babyelephant_Installer_Feb_2021_1 : FILE
 meta:
 description = "Detect Installer from BabyElephant APT"
 author = "Arkbird_SOLG"
- id = "4f462112-66f9-5b76-bd49-c7a2609e8fd0"
+ id = "c89a127d-af49-597e-927d-c9a10c90fabe"
 date = "2021-02-23"
 modified = "2021-02-23"
 reference = "https://twitter.com/h2jazi/status/1363683531067715584"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-02-23/BabyElephant/APT_BabyElephant_Installer_Feb_2021_1.yar#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_7c4f2cd7e56426e42141b1f2f3a13e1daa01b1de1fe88f4bd135601234407ec9"
+ logic_hash = "7c4f2cd7e56426e42141b1f2f3a13e1daa01b1de1fe88f4bd135601234407ec9"
 score = 50
 quality = 73
 tags = "FILE"
@@ -207960,13 +207960,13 @@ rule ARKBIRD_SOLG_RAN_Haron_Aug_2021_1 : FILE
 meta:
 description = "Detect Haron locker"
 author = "Arkbird_SOLG"
- id = "f8dbae55-d3ec-5abd-b8ae-a48272bc2789"
+ id = "5900ad0e-66ca-5127-b8c2-cc23ace8929f"
 date = "2021-08-09"
 modified = "2021-08-09"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-09/RAN_Haron_Aug_2021_1.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_5001041d9bb8acc0fa5e0e3b4cfacc5a891bed6885101ae3513b5524c91c572d"
+ logic_hash = "5001041d9bb8acc0fa5e0e3b4cfacc5a891bed6885101ae3513b5524c91c572d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -207994,13 +207994,13 @@ rule ARKBIRD_SOLG_Mal_ATM_Loup_Aug_2020_1 : FILE
 meta:
 description = "Detect ATM malware Loup by theirs strings."
 author = "Arkbird_SOLG"
- id = "d914c806-97e3-5c57-9cbd-2b89b3ea6913"
+ id = "07c0fe02-a82a-58a7-8776-748a1c986f93"
 date = "2020-08-17"
 modified = "2020-08-18"
 reference = "https://twitter.com/r3c0nst/status/1295275546780327936"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-08-17/Loup/Mal_ATM_Loup_Aug_2020_1.yar#L3-L34"
 license_url = "N/A"
- logic_hash = "v1_sha256_18e4d6af5d89746b42c87d7311e442f61deff3bfcbf57cc008d87290e91baafb"
+ logic_hash = "18e4d6af5d89746b42c87d7311e442f61deff3bfcbf57cc008d87290e91baafb"
 score = 75
 quality = 67
 tags = "FILE"
@@ -208037,13 +208037,13 @@ rule ARKBIRD_SOLG_Ran_Crysis_Sep_2020_1 : FILE
 meta:
 description = "Detect Crysis ransomware"
 author = "Arkbird_SOLG"
- id = "7c7d7a68-724d-58e9-b375-ebdf4a5ea974"
+ id = "9cc1a1b9-c4a9-5add-833d-81be02ffc4fb"
 date = "2020-10-16"
 modified = "2020-10-16"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-16/Ran_Crysis_Sep_2020_1.yar#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_c7706b862cd0277c8b726d32dc819ad7e15933b28e3a31599922f3dc0beb8348"
+ logic_hash = "c7706b862cd0277c8b726d32dc819ad7e15933b28e3a31599922f3dc0beb8348"
 score = 75
 quality = 69
 tags = "FILE"
@@ -208071,13 +208071,13 @@ rule ARKBIRD_SOLG_Ran_Egregor_Sept_2020_1 : FILE
 meta:
 description = "Detect Egregor ransomware (variant Sept2020)"
 author = "Arkbird_SOLG"
- id = "5d4db1cd-0b16-5e49-8207-3ba363036b13"
+ id = "b44b93ec-b470-511e-b08f-7d83efd30ecc"
 date = "2020-10-07"
 modified = "2020-10-16"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-16/Ran_Egregor_Sept_2020_1.yar#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_4ce7398cc6ad0538735aec6490204122690f029cbb8d20f9efd2f612955f106b"
+ logic_hash = "4ce7398cc6ad0538735aec6490204122690f029cbb8d20f9efd2f612955f106b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -208104,13 +208104,13 @@ rule ARKBIRD_SOLG_RAN_Medusalocker_Aug_2021_1 : FILE
 meta:
 description = "Detect MedusaLocker ransomware"
 author = "Arkbird_SOLG"
- id = "846bf483-2434-5810-8f79-c06ed2304c0c"
+ id = "9e647371-b37a-53af-bfb6-cde72855b564"
 date = "2021-08-08"
 modified = "2021-08-08"
 reference = "Internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-08-08/medusalocker/RAN_MedusaLocker_Aug_2021_1.yara#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_40dd3ec16eefc59cb25c8855fb62cda1d642ec711226c1c964fd26384be7ef15"
+ logic_hash = "40dd3ec16eefc59cb25c8855fb62cda1d642ec711226c1c964fd26384be7ef15"
 score = 75
 quality = 73
 tags = "FILE"
@@ -208143,13 +208143,13 @@ rule ARKBIRD_SOLG_APT_UNC2452_Sunshuttle_Mar_2021_1 : FILE
 meta:
 description = "Detect Sunshuttle implant used by UNC2452 group"
 author = "Arkbird_SOLG"
- id = "1a2da724-769d-5cb7-96ec-929b104de16e"
+ id = "faa07d19-4c61-554d-a6b1-ab7cb0919ec0"
 date = "2021-03-06"
 modified = "2021-03-06"
 reference = "https://twitter.com/Arkbird_SOLG/status/1367570764468224010"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-06/UNC2452/APT_UNC2452_sunshuttle_Mar_2021_1.yar#L1-L31"
 license_url = "N/A"
- logic_hash = "v1_sha256_368487f1716aaa5c10e19a428649d6706b3f45c53853e6729752dc41fc97bc38"
+ logic_hash = "368487f1716aaa5c10e19a428649d6706b3f45c53853e6729752dc41fc97bc38"
 score = 75
 quality = 63
 tags = "FILE"
@@ -208181,13 +208181,13 @@ rule ARKBIRD_SOLG_APT_Unknown_Middle_East_Feb_2020_1 : FILE
 meta:
 description = "Dectect unknown Middle East implants (retrohunt June 2020)"
 author = "Arkbird_SOLG"
- id = "bcfac370-312a-536e-b975-87e069e9ddfc"
+ id = "e45675e6-29d5-587b-943e-19450772a092"
 date = "2021-03-05"
 modified = "2021-03-06"
 reference = "internal Research"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-06/Unknown/APT_Unknown_Middle_East_Feb_2020_1.yar#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_64cdac73bc3e29e8716cb24ae6577f853b2cf31303d129a0ec38ba89b7ff5351"
+ logic_hash = "64cdac73bc3e29e8716cb24ae6577f853b2cf31303d129a0ec38ba89b7ff5351"
 score = 75
 quality = 75
 tags = "FILE"
@@ -208214,13 +208214,13 @@ rule ARKBIRD_SOLG_MAL_ELF_Specter_Jul_2021_1 : FILE
 meta:
 description = "Detect the Specter malware"
 author = "Arkbird_SOLG"
- id = "3ac7593a-9625-5767-9e02-bbd69cf4c45c"
+ id = "24237a56-2717-5efc-9bfb-9ab6d87e082b"
 date = "2021-07-02"
 modified = "2021-07-05"
 reference = "https://twitter.com/JAMESWT_MHT/status/1410870749473148930"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-04/Specter/MAL_ELF_Specter_Jul_2021_1.yara#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_de737f051d34edb2219e77c0d4f0239b95bad9983ee5e435d6ee9741525816f0"
+ logic_hash = "de737f051d34edb2219e77c0d4f0239b95bad9983ee5e435d6ee9741525816f0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -208244,13 +208244,13 @@ rule ARKBIRD_SOLG_RAN_ELK_Darkradiation_Jul_2021_1 : FILE
 meta:
 description = "Detect the DarkRadiation ransomware"
 author = "Arkbird_SOLG"
- id = "6ea1e4af-82b3-5dd6-8c03-e991a5b6c287"
+ id = "13d77ecc-14ab-54ce-9eec-2d614f5ae8e4"
 date = "2021-07-03"
 modified = "2021-07-05"
 reference = "https://bazaar.abuse.ch/browse/tag/DarkRadiation/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-04/DarkRadiation/RAN_ELK_DarkRadiation_Jul_2021_1.yara#L1-L25"
 license_url = "N/A"
- logic_hash = "v1_sha256_6fbc6eed7dd7f92af0cd8b3b2726636a64dc8de0b795b176169817994f44d4fa"
+ logic_hash = "6fbc6eed7dd7f92af0cd8b3b2726636a64dc8de0b795b176169817994f44d4fa"
 score = 75
 quality = 61
 tags = "FILE"
@@ -208279,13 +208279,13 @@ rule ARKBIRD_SOLG_RAN_ELK_Darkradiation_Jul_2021_3 : FILE
 meta:
 description = "Detect structures of scripts like used by the DarkRadiation ransomware"
 author = "Arkbird_SOLG"
- id = "b35a92c8-dd31-5364-bca7-3f1e12406d38"
+ id = "144eb08d-e222-5f6f-925d-33077953e7e6"
 date = "2021-07-03"
 modified = "2021-07-05"
 reference = "https://bazaar.abuse.ch/browse/tag/DarkRadiation/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-04/DarkRadiation/RAN_ELK_DarkRadiation_Jul_2021_3.yara#L1-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_8d2fa53f5abd327d100ffc71863f3b49ce8a19f1a72db556902d95ae6ba09d4a"
+ logic_hash = "8d2fa53f5abd327d100ffc71863f3b49ce8a19f1a72db556902d95ae6ba09d4a"
 score = 75
 quality = 55
 tags = "FILE"
@@ -208318,13 +208318,13 @@ rule ARKBIRD_SOLG_RAN_ELK_Darkradiation_Jul_2021_2 : FILE
 meta:
 description = "Detect the DarkRadiation ransomware"
 author = "Arkbird_SOLG"
- id = "33d917b5-3f1c-5d86-9a4d-b7ee591d23b0"
+ id = "3580a41a-ba2e-5a47-b35d-b2482fbc913a"
 date = "2021-07-03"
 modified = "2021-07-05"
 reference = "https://bazaar.abuse.ch/browse/tag/DarkRadiation/"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-04/DarkRadiation/RAN_ELK_DarkRadiation_Jul_2021_2.yara#L1-L27"
 license_url = "N/A"
- logic_hash = "v1_sha256_b21db1658845cafe37950d69b5bc0aab203e7bea3e43f95394236e0133234e2d"
+ logic_hash = "b21db1658845cafe37950d69b5bc0aab203e7bea3e43f95394236e0133234e2d"
 score = 75
 quality = 57
 tags = "FILE"
@@ -208355,13 +208355,13 @@ rule ARKBIRD_SOLG_MAL_ELF_Bioset_Jul_2021_1 : FILE
 meta:
 description = "Detect the Bioset malware"
 author = "Arkbird_SOLG"
- id = "1b36bc60-3019-57dd-9640-b25fd9ee8d21"
+ id = "1b95c3df-7543-521c-a28b-d540ad0bd648"
 date = "2021-07-02"
 modified = "2021-07-05"
 reference = "https://twitter.com/JAMESWT_MHT/status/1409848815948111877"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-04/Bioset/MAL_ELF_Bioset_Jul_2021_1.yara#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_b5ba7f4517f07d8657cbd54695cad88d8c2f263ee010bd70c4a05433b2927576"
+ logic_hash = "b5ba7f4517f07d8657cbd54695cad88d8c2f263ee010bd70c4a05433b2927576"
 score = 75
 quality = 75
 tags = "FILE"
@@ -208391,13 +208391,13 @@ rule ARKBIRD_SOLG_Exp_Underminer_Apr_2021_1 : FILE
 meta:
 description = "Detect Underminer exploit kit"
 author = "Arkbird_SOLG"
- id = "06222626-010f-51c7-9d90-968ff5b27268"
+ id = "bd2a6b30-e05a-5f90-8dc2-719c1ba48a61"
 date = "2021-04-14"
 modified = "2021-04-15"
 reference = "https://twitter.com/nao_sec/status/1382358986813415427"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-04-14/Underminer/Exp_Underminer_Apr_2021_1.yar#L1-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_46dd4d8ba58e79761056d3dd6921530520b0071090bcfc3bfaed7a6804f787b7"
+ logic_hash = "46dd4d8ba58e79761056d3dd6921530520b0071090bcfc3bfaed7a6804f787b7"
 score = 75
 quality = 63
 tags = "FILE"
@@ -208421,13 +208421,13 @@ rule ARKBIRD_SOLG_Loader_Buer_Nov_2020_1 : FILE
 meta:
 description = "Detect Buer loader"
 author = "Arkbird_SOLG"
- id = "b2b24bdf-cadf-56fb-a977-3af977a33103"
+ id = "a2883eca-d576-53ba-aa97-5e3c94f501a5"
 date = "2020-12-01"
 modified = "2020-12-01"
 reference = "https://twitter.com/James_inthe_box/status/1333551419735953409"
 source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-01/Buer/Mal_Buer_Nov_2020_1.yar#L35-L64"
 license_url = "N/A"
- logic_hash = "v1_sha256_96a74b497076be170ce6138189501d8b3a1002bcf07f9d3cf662d64612d04a59"
+ logic_hash = "96a74b497076be170ce6138189501d8b3a1002bcf07f9d3cf662d64612d04a59"
 score = 75
 quality = 55
 tags = "FILE"
@@ -208459,13 +208459,13 @@ rule ARKBIRD_SOLG_APT_UNC2452_Webshell_Chopper_Mar_2021_1 : FILE meta: description = "Detect exploit listener in the exchange configuration for Webshell Chopper used by UNC2452 group" author = "Arkbird_SOLG" - id = "4b03dff6-3560-59bc-b37e-487e9821e17e" + id = "174af8e1-0df0-5ad7-ac7d-a208f64cb765" date = "2021-03-07" modified = "2021-03-07" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-03-07/UNC2452/APT_UNC2452_Webshell_Chopper_Mar_2021_1.yar#L1-L26" license_url = "N/A" - logic_hash = "v1_sha256_77bd7e5c10aa9cf2b407b37a76954b4eed163e36653e1fb3cde5de853f824cf0" + logic_hash = "77bd7e5c10aa9cf2b407b37a76954b4eed163e36653e1fb3cde5de853f824cf0" score = 75 quality = 73 tags = "FILE" @@ -208487,13 +208487,13 @@ rule ARKBIRD_SOLG_MAL_Nativezone_May_2021_1 : FILE meta: description = "Detect NativeZone malware" author = "Arkbird_SOLG" - id = "3be26ef2-d05b-5940-8a58-6276a2b3a7b6" + id = "5b858a8d-6e6a-5712-a83a-229bed1c7872" date = "2021-05-28" modified = "2021-06-05" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-01/NOBELIUM/MAL_NativeZone_May_2021_1.yara#L1-L17" license_url = "N/A" - logic_hash = "v1_sha256_9281784100e922fe3ef64e7c112276ffa5f8691ab4f24f1b68fbb0495e449bd3" + logic_hash = "9281784100e922fe3ef64e7c112276ffa5f8691ab4f24f1b68fbb0495e449bd3" score = 75 quality = 75 tags = "FILE" 
@@ -208515,13 +208515,13 @@ rule ARKBIRD_SOLG_MAL_Enc_Payload_May_2021_1 : FILE meta: description = "Detect encrypted payload, must be with others APT29 rules maybe give lot fake postives due to the pdf header" author = "Arkbird_SOLG" - id = "9de3ad75-b97f-5993-9ad8-6354e711a811" + id = "34da1d06-7892-59ec-8b11-c3278a7f2e34" date = "2021-05-28" modified = "2021-06-02" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-01/NOBELIUM/MAL_Enc_payload_May_2021_1.yara#L1-L17" license_url = "N/A" - logic_hash = "v1_sha256_484d9947d8acd32126cdc3e3f671cd3b3b048bbdb608d5573f6fcc7e4ddf13f8" + logic_hash = "484d9947d8acd32126cdc3e3f671cd3b3b048bbdb608d5573f6fcc7e4ddf13f8" score = 50 quality = 75 tags = "FILE" @@ -208543,13 +208543,13 @@ rule ARKBIRD_SOLG_MAL_Envyscout_May_2021_1 : FILE meta: description = "Detect EnvyScout downloader" author = "Arkbird_SOLG" - id = "509b6475-493c-5ea0-beee-d4020f3f650e" + id = "645f60d1-7c95-515c-a88e-d8528cf8b644" date = "2021-05-28" modified = "2021-06-02" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-01/NOBELIUM/MAL_EnvyScout_May_2021_1.yara#L1-L20" license_url = "N/A" - logic_hash = "v1_sha256_7ce4fd18c88f7ea7486c51fc0b673d178bd26ecc2f4a39ec9c5a4a71aaa0daa1" + logic_hash = "7ce4fd18c88f7ea7486c51fc0b673d178bd26ecc2f4a39ec9c5a4a71aaa0daa1" score = 75 quality = 73 tags = "FILE" 
@@ -208574,13 +208574,13 @@ rule ARKBIRD_SOLG_MAL_Boombox_May_2021_1 : FILE meta: description = "Detect BoomBox malware" author = "Arkbird_SOLG" - id = "6df95b06-d02d-5187-b8eb-ea620c2fbbc1" + id = "b2629c5b-1fb0-5ea1-8661-faf8f1d6b578" date = "2021-05-28" modified = "2021-06-05" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-01/NOBELIUM/MAL_BoomBox_May_2021_1.yara#L1-L18" license_url = "N/A" - logic_hash = "v1_sha256_b88848ead9c992392c99e88a25541b72d825fbd32c3eb83fefc18e7cfbd08cc8" + logic_hash = "b88848ead9c992392c99e88a25541b72d825fbd32c3eb83fefc18e7cfbd08cc8" score = 75 quality = 75 tags = "FILE" @@ -208603,13 +208603,13 @@ rule ARKBIRD_SOLG_EXP_CVE_2021_41379_Nov_2021_1 : CVE_2021_41379 FILE meta: description = "Detect exploit tool using CVE-2021-41379" author = "Arkbird_SOLG" - id = "c5ea5339-7c76-5d74-816b-b1f0fb22938f" + id = "616e697d-0c62-58bb-9f37-29670a09d886" date = "2021-11-26" modified = "2021-11-29" reference = "https://twitter.com/JAMESWT_MHT/status/1463414554004709384" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-26/EXP_CVE_2021_41379_Nov_2021_1.yara#L1-L21" license_url = "N/A" - logic_hash = "v1_sha256_5514ab8f95a5d82453407dd506d55eaf1a0aa22f5ce6a5fb18501ef41645305a" + logic_hash = "5514ab8f95a5d82453407dd506d55eaf1a0aa22f5ce6a5fb18501ef41645305a" score = 75 quality = 75 tags = "CVE-2021-41379, FILE" 
@@ -208634,13 +208634,13 @@ rule ARKBIRD_SOLG_EXP_CVE_2021_41379_Nov_2021_3 : CVE_2021_41379 FILE meta: description = "Detect exploit tool using CVE-2021-41379 (variant 3)" author = "Arkbird_SOLG" - id = "748ca616-3a70-52c7-b47c-b2431e0d0a03" + id = "c82578d6-63ca-50f6-b105-321791ec8808" date = "2021-11-26" modified = "2021-11-29" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-26/EXP_CVE_2021_41379_Nov_2021_3.yara#L1-L27" license_url = "N/A" - logic_hash = "v1_sha256_559c4ca0e9ac60e3dd7d5b9a8eb22d887b0b436d4e1fc528e05e7a33ecce0aa6" + logic_hash = "559c4ca0e9ac60e3dd7d5b9a8eb22d887b0b436d4e1fc528e05e7a33ecce0aa6" score = 75 quality = 75 tags = "CVE-2021-41379, FILE" @@ -208670,13 +208670,13 @@ rule ARKBIRD_SOLG_EXP_CVE_2021_41379_Nov_2021_2 : CVE_2021_41379 FILE meta: description = "Detect exploit tool using CVE-2021-41379 (variant 2)" author = "Arkbird_SOLG" - id = "9066ab10-98b1-533e-97cf-da0dbe64a66f" + id = "29fe9a9c-5180-55c8-882b-ad18981dc011" date = "2021-11-26" modified = "2021-11-29" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-26/EXP_CVE_2021_41379_Nov_2021_2.yara#L1-L22" license_url = "N/A" - logic_hash = "v1_sha256_28b1d0d6c0ee14cd46b12763692f4f76020cd5ad74bb2b39b61f493b98486068" + logic_hash = "28b1d0d6c0ee14cd46b12763692f4f76020cd5ad74bb2b39b61f493b98486068" score = 75 quality = 75 tags = "CVE-2021-41379, FILE" 
@@ -208701,13 +208701,13 @@ rule ARKBIRD_SOLG_Ran_Mem_Ragnarlocker_Nov_2020_1 : FILE meta: description = "Detect memory artefacts of the Ragnarlocker ransomware (Nov 2020)" author = "Arkbird_SOLG" - id = "cea4506c-95fd-5b9c-9fee-295582013423" + id = "910774ab-9ad6-5c56-a921-203f61c9d7f7" date = "2020-11-26" modified = "2020-11-27" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-27/Ran_RagnarLocker_Nov_2020_1.yar#L3-L33" license_url = "N/A" - logic_hash = "v1_sha256_2cb26677b8f4e464750eb8dec0638fd3f9a28500e68f64d62e99236c93895c85" + logic_hash = "2cb26677b8f4e464750eb8dec0638fd3f9a28500e68f64d62e99236c93895c85" score = 75 quality = 50 tags = "FILE" @@ -208745,13 +208745,13 @@ rule ARKBIRD_SOLG_Ran_Cert_Ragnarlocker_Nov_2020_1 : FILE meta: description = "Detect certificates and VMProtect used for the Ragnarlocker ransomware (Nov 2020)" author = "Arkbird_SOLG" - id = "ea931e7c-06ee-5c5e-902a-00916dbc8ef4" + id = "85d51804-eebd-5353-8bd9-01756e7f7d07" date = "2020-11-26" modified = "2020-11-27" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-27/Ran_RagnarLocker_Nov_2020_1.yar#L35-L55" license_url = "N/A" - logic_hash = "v1_sha256_8171128426b48102457f5ba0771b27aaf5f4562293aff04c256bd5bd721a908e" + logic_hash = "8171128426b48102457f5ba0771b27aaf5f4562293aff04c256bd5bd721a908e" score = 50 quality = 75 tags = "FILE" 
@@ -208771,13 +208771,13 @@ rule ARKBIRD_SOLG_Mal_Phantomnet_Nov_2020_1 : FILE meta: description = "Detect PhantomNet (November 2020)" author = "Arkbird_SOLG" - id = "2aa748fc-0490-5a27-ad7d-78a62759b793" + id = "16ddcc9a-8254-5d40-adcd-70ebe212fc78" date = "2020-12-19" modified = "2020-12-19" reference = "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-19/Mal_PhantomNet_Nov_2020_1.yar#L1-L24" license_url = "N/A" - logic_hash = "v1_sha256_a08467f68968fb0dfa82bca5984e1ad823f222946bd0acb62db418556a9a347a" + logic_hash = "a08467f68968fb0dfa82bca5984e1ad823f222946bd0acb62db418556a9a347a" score = 75 quality = 65 tags = "FILE" @@ -208806,13 +208806,13 @@ rule ARKBIRD_SOLG_Mal_Smanager_Installer_Module_Nov_2020_1 : FILE meta: description = "Detect installer module of Smanager (November 2020)" author = "Arkbird_SOLG" - id = "7c99219f-7090-59e9-bc7c-44dc8cee242e" + id = "364285bc-2173-5ff0-85d2-af06051a3b70" date = "2020-12-19" modified = "2020-12-19" reference = "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-19/Mal_Smanager_Installer_Module_Nov_2020_1.yar#L1-L24" license_url = "N/A" - logic_hash = "v1_sha256_380d28f6cdea24f807f3c29207eb0b8888ebdfea215c53df164fe080c3917438" + logic_hash = "380d28f6cdea24f807f3c29207eb0b8888ebdfea215c53df164fe080c3917438" score = 75 quality = 61 tags = "FILE" 
@@ -208840,13 +208840,13 @@ rule ARKBIRD_SOLG_Mal_Funnydream_Backdoor_Nov_2020_1 : FILE meta: description = "Detect backdoor used by FunnyDream (November 2020)" author = "Arkbird_SOLG" - id = "c6409ed8-9bab-5fbd-9ebd-17b785b4da28" + id = "48120ba2-adaa-5098-8d8c-5c32bbafb9f6" date = "2020-12-19" modified = "2020-12-19" reference = "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-12-19/Mal_FunnyDream_Backdoor_Nov_2020_1.yar#L1-L22" license_url = "N/A" - logic_hash = "v1_sha256_d12c465c735f09295b382fd5679d411c5114c232dabc22be84151e436f8fa199" + logic_hash = "d12c465c735f09295b382fd5679d411c5114c232dabc22be84151e436f8fa199" score = 75 quality = 67 tags = "FILE" @@ -208872,13 +208872,13 @@ rule ARKBIRD_SOLG_MAL_Polazert_Apr_2021_1 : FILE meta: description = "Detect Polazert stealer" author = "Arkbird_SOLG" - id = "f2352f47-1fc4-5c75-be88-83cd0c6fc6fc" + id = "c7766749-558f-50b8-9054-01f5c4e1238b" date = "2021-04-11" modified = "2021-04-11" reference = "https://bazaar.abuse.ch/browse/tag/Polazert/" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-04-11/Polazert/MAL_Polazert_Apr_2021_1.yar#L1-L21" license_url = "N/A" - logic_hash = "v1_sha256_29cefeb3816435e70c706ac78395738f075f6c9f81d63e7295b0d8a6f370b51d" + logic_hash = "29cefeb3816435e70c706ac78395738f075f6c9f81d63e7295b0d8a6f370b51d" score = 75 quality = 75 tags = "FILE" 
@@ -208902,13 +208902,13 @@ rule ARKBIRD_SOLG_MAL_ELF_Go_Worm_Jul_2021_1 : FILE meta: description = "Detect the worm written in Go that drops XMRig Miner" author = "Arkbird_SOLG" - id = "edbe99e1-445c-5964-80f7-b52fad4b9dc6" + id = "6f4a9d3a-e038-5d7f-9c18-c380a0b295d2" date = "2021-07-06" modified = "2021-07-06" reference = "https://twitter.com/JAMESWT_MHT/status/1409848815948111877" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-06/MAL_ELF_Go_Worm_Jul_2021_1.yara#L1-L22" license_url = "N/A" - logic_hash = "v1_sha256_be8b95f8aab62d3a2b3376a0481ebc609afcd089e0613d39f258e07366b708a1" + logic_hash = "be8b95f8aab62d3a2b3376a0481ebc609afcd089e0613d39f258e07366b708a1" score = 75 quality = 61 tags = "FILE" @@ -208934,13 +208934,13 @@ rule ARKBIRD_SOLG_Exp_CVE_2021_40444_Sep_2021_1 : FILE meta: description = "Detect the maldocs with a structure like used for CVE_2021_40444 exploit" author = "Arkbird_SOLG" - id = "d08351d3-7f92-52ef-b914-bc19f5ba8587" + id = "acaba73d-f744-5d3f-9617-e976832f3577" date = "2021-09-09" modified = "2021-09-09" reference = "https://github.com/StrangerealIntel/DailyIOC" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-09-09/Exp_CVE_2021_40444_Sep_2021_1.yara#L2-L20" license_url = "N/A" - logic_hash = "v1_sha256_ba1b256c9caad3371d57e6ecbe54721038c819c7c081edf2443523109c25b184" + logic_hash = "ba1b256c9caad3371d57e6ecbe54721038c819c7c081edf2443523109c25b184" score = 50 quality = 75 tags = "FILE" 
@@ -208965,13 +208965,13 @@ rule ARKBIRD_SOLG_Ran_Ranzy_Locker_Nov_2020_1 : FILE meta: description = " Detect Ranzy Locker (RAAS)" author = "Arkbird_SOLG" - id = "84d7821f-dfb4-51e6-bd92-48469bbcf9f9" + id = "7e81d73a-ef18-5f89-b6b3-f56212d30b4a" date = "2020-11-19" modified = "2020-11-19" reference = "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-19/Ranzy_Locker/Ran_Ranzy_Locker_Nov_2020_1.yar#L1-L36" license_url = "N/A" - logic_hash = "v1_sha256_e27017fa196d14b88c5cb682a070d10e42b63f9e21189d9917c0ae03c47216cc" + logic_hash = "e27017fa196d14b88c5cb682a070d10e42b63f9e21189d9917c0ae03c47216cc" score = 75 quality = 75 tags = "FILE" @@ -209011,13 +209011,13 @@ rule ARKBIRD_SOLG_MAL_ELF_Rekoobe_Nov_2021_1 : FILE meta: description = "Detect the Rekoobe rootkit" author = "Arkbird_SOLG" - id = "77972383-fb05-587c-ba0f-494e9c534184" + id = "a5b200f1-cbb7-5106-8127-74abd3cde061" date = "2021-11-10" modified = "2021-11-11" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-10/MAL_ELF_Rekoobe_Nov_2021_1.yara#L1-L20" license_url = "N/A" - logic_hash = "v1_sha256_bde3d1a3d2d2e9efd4b7c68f69dce40d5e0f01d41885481730d8a7fa67cbab7e" + logic_hash = "bde3d1a3d2d2e9efd4b7c68f69dce40d5e0f01d41885481730d8a7fa67cbab7e" score = 75 quality = 73 tags = "FILE" 
@@ -209042,13 +209042,13 @@ rule ARKBIRD_SOLG_APT_Donot_Downloader_May_2021_1 : FILE meta: description = "Detect the trojan downloader used by Donot group" author = "Arkbird_SOLG" - id = "714fb6c2-13d5-59c7-8ce5-6c6974a94521" + id = "251a809e-9e36-5c46-955f-006531bd9619" date = "2020-05-09" modified = "2021-05-09" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-09/Donot/APT_Donot_Downloader_May_2021_1.yara#L1-L20" license_url = "N/A" - logic_hash = "v1_sha256_df64ab97b74935ce8b73c3854eb81fa1dbd4e59b1e27c43ae9c85b90aaaef6f7" + logic_hash = "df64ab97b74935ce8b73c3854eb81fa1dbd4e59b1e27c43ae9c85b90aaaef6f7" score = 75 quality = 75 tags = "FILE" @@ -209073,13 +209073,13 @@ rule ARKBIRD_SOLG_RAN_Fuxsocy_May_2021_1 : FILE meta: description = "Detect FuxSocy ransomware" author = "Arkbird_SOLG" - id = "ebcf26f8-4087-5bbb-bdd4-74b343184161" + id = "2420c2fa-bc94-51a6-87ab-4e8d226fdd23" date = "2020-05-09" modified = "2021-05-09" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-05-09/FuxSocy/RAN_FuxSocy_May_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_ab34f95d2b12bdf2d362538e880301542c3308fff427cfb5ee59e9dca89ec033" + logic_hash = "ab34f95d2b12bdf2d362538e880301542c3308fff427cfb5ee59e9dca89ec033" score = 75 quality = 75 tags = "FILE" 
@@ -209103,13 +209103,13 @@ rule ARKBIRD_SOLG_CRIM_FIN7_PS_Cryptor_Jun_2021_1 : FILE meta: description = "Detect PS Cryptor used by FIN7 for Diceloader and Carbanak" author = "Arkbird_SOLG" - id = "2ac9d361-1594-501c-997d-db42c717d6a9" + id = "26361500-c33e-59c8-a53f-a881966c71a7" date = "2021-06-07" modified = "2021-06-07" reference = "https://twitter.com/z0ul_/status/1401795117678219267" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-07/FIN7/CRIM_FIN7_PS_Cryptor_Jun_2021_1.yara#L1-L28" license_url = "N/A" - logic_hash = "v1_sha256_d7eadaa6dec75ecfa2f03860f41b39dbe9e7ffc9e6ad743497586356301ef67c" + logic_hash = "d7eadaa6dec75ecfa2f03860f41b39dbe9e7ffc9e6ad743497586356301ef67c" score = 75 quality = 55 tags = "FILE" @@ -209142,13 +209142,13 @@ rule ARKBIRD_SOLG_Ran_Regretlocker_Oct_2020_1 : FILE meta: description = "Detect RegretLocker ransomware" author = "Arkbird_SOLG" - id = "4238f40d-aa47-5bce-9a50-4b6b21eb9033" + id = "a8d58402-15e2-5d20-8d33-2e7a3f8973fd" date = "2020-11-04" modified = "2020-11-04" reference = "https://twitter.com/VK_Intel/status/1323693700371914753" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-11-04/RegretLocker/Ran_RegretLocker_Oct_2020_1.yar#L1-L24" license_url = "N/A" - logic_hash = "v1_sha256_2c63bdcee6f2a9025d3a1f73f3a38ec58da103752b88bd3a6bf79d85d8f92e4d" + logic_hash = "2c63bdcee6f2a9025d3a1f73f3a38ec58da103752b88bd3a6bf79d85d8f92e4d" score = 75 quality = 75 tags = "FILE" 
@@ -209175,13 +209175,13 @@ rule ARKBIRD_SOLG_APT_Turla_Comrat_Chinch_V4_Jan_2021_1 : FILE meta: description = "Detect ComRAT V4 (Chinch) used by APT Turla group" author = "Arkbird_SOLG" - id = "1214c156-5554-5681-87b7-c8d1fcb0b244" + id = "7d4daf3d-eed9-59fb-a4b9-fbc1c72adfcd" date = "2021-01-23" modified = "2021-01-26" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-01-23/Turla/APT_Turla_ComRAT_Chinch_V4_Jan_2021_1.yar#L1-L28" license_url = "N/A" - logic_hash = "v1_sha256_0d92207c4716f8d2fbf1d4f0cf3a33c38417fdd1565c87c251f7ff290135c435" + logic_hash = "0d92207c4716f8d2fbf1d4f0cf3a33c38417fdd1565c87c251f7ff290135c435" score = 75 quality = 75 tags = "FILE" @@ -209212,13 +209212,13 @@ rule ARKBIRD_SOLG_MAL_Kpot_Oct_2020_1 : FILE meta: description = "Detect KPot stealer (new variant October 2020)" author = "Arkbird_SOLG" - id = "2b659f09-b392-5133-a6d2-dec791e112e2" + id = "316feeb3-59e5-5d18-9800-db41fabd6cb0" date = "2020-10-17" modified = "2020-10-17" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-17/MAL_KPot_Oct_2020_1.yar#L1-L40" license_url = "N/A" - logic_hash = "v1_sha256_20010e8f2d45f904911664edee710f4dca18327c2b80766c253970a50624d13c" + logic_hash = "20010e8f2d45f904911664edee710f4dca18327c2b80766c253970a50624d13c" score = 75 quality = 73 tags = "FILE" 
@@ -209260,13 +209260,13 @@ rule ARKBIRD_SOLG_APT_Gelsemium_Gelsenicine_June_2021_1 : FILE meta: description = "Detect Gelsenicine malware (Loader - Variant 1)" author = "Arkbird_SOLG" - id = "a8daa0d3-93ea-596e-9585-917fcbc26f97" + id = "36276150-a5dd-5385-9e50-958a6fa54de5" date = "2021-06-12" modified = "2021-06-14" reference = "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-13/Gelsemium/APT_Gelsemium_Gelsenicine_June_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_66d9fad7105b46a55db11c5224b1a395793f2dee89f779d59c80b2f7cda5a115" + logic_hash = "66d9fad7105b46a55db11c5224b1a395793f2dee89f779d59c80b2f7cda5a115" score = 75 quality = 75 tags = "FILE" @@ -209290,13 +209290,13 @@ rule ARKBIRD_SOLG_APT_Gelsemium_Gelsenicine_June_2021_2 : FILE meta: description = "Detect Gelsenicine malware (Loader - Variant 2)" author = "Arkbird_SOLG" - id = "57867a6e-0a67-523a-babf-25368a626d79" + id = "c6e28da2-622b-57ba-9381-9f8f6b8879bf" date = "2021-06-12" modified = "2021-06-14" reference = "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-13/Gelsemium/APT_Gelsemium_Gelsenicine_June_2021_2.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_e1d6402c743af697c8d1b34087b6fe9db80237834d73967b0a0638023d4e4a40" + logic_hash = "e1d6402c743af697c8d1b34087b6fe9db80237834d73967b0a0638023d4e4a40" score = 75 quality = 75 tags = "FILE" 
@@ -209320,13 +209320,13 @@ rule ARKBIRD_SOLG_APT_Gelsemium_Gelsevirine_June_2021_1 : FILE meta: description = "Detect Gelsevirine malware (Main Plug-in)" author = "Arkbird_SOLG" - id = "1028d08a-01cc-51a2-b07a-09f98e468afb" + id = "31900186-2531-5558-aafb-67707040ddaf" date = "2021-06-12" modified = "2021-06-14" reference = "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-13/Gelsemium/APT_Gelsemium_Gelsevirine_June_2021_1.yara#L1-L18" license_url = "N/A" - logic_hash = "v1_sha256_06e7ee49092621c8469eeb1cd9e5cc1420a1879084e0d0a39181dc046bfa00cf" + logic_hash = "06e7ee49092621c8469eeb1cd9e5cc1420a1879084e0d0a39181dc046bfa00cf" score = 75 quality = 75 tags = "FILE" @@ -209349,13 +209349,13 @@ rule ARKBIRD_SOLG_APT_Gelsemium_Gelsemine_June_2021_1 : FILE meta: description = "Detect Gelsemine malware (Dropper - Variant 1)" author = "Arkbird_SOLG" - id = "0d793563-ee56-5da3-ba96-cf32bb2c887b" + id = "cfe932fd-ff50-5e54-824c-e11afe8e8575" date = "2021-06-12" modified = "2021-06-14" reference = "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-06-13/Gelsemium/APT_Gelsemium_Gelsemine_June_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_2b5031412de163ad92dfe00c7da331eb36c4ce7b590df48dfa84df0104e93b15" + logic_hash = "2b5031412de163ad92dfe00c7da331eb36c4ce7b590df48dfa84df0104e93b15" score = 75 quality = 75 tags = "FILE" 
@@ -209379,13 +209379,13 @@ rule ARKBIRD_SOLG_MAL_Unknown_PE_Jul_2021_1 : FILE meta: description = "Detect unknown TA that focus russian people" author = "Arkbird_SOLG" - id = "3d6d1489-896f-5aad-81ca-3c3528e2f72c" + id = "228e194c-84d9-562a-8811-326c5efeafae" date = "2020-07-14" modified = "2021-07-14" reference = "https://twitter.com/ShadowChasing1/status/1415292150258880513" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-14/MAL_Unknown_PE_Jul_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_9c61d2e29315bea0cdaf45b6dc48d35b8cc2d85de84afbb3a213f095a555af71" + logic_hash = "9c61d2e29315bea0cdaf45b6dc48d35b8cc2d85de84afbb3a213f095a555af71" score = 75 quality = 73 tags = "FILE" @@ -209409,13 +209409,13 @@ rule ARKBIRD_SOLG_RAN_Crylock_July_2021_1 : FILE meta: description = "Detect CryLock ransomware (ex-Cryakl)" author = "Arkbird_SOLG" - id = "b1305432-b707-5d53-bd61-e4c02b0a044f" + id = "350bd622-f4b5-5837-a239-dc506b100aef" date = "2021-07-17" modified = "2021-07-17" reference = "https://twitter.com/BushidoToken/status/1415958829318217730" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-07-16/Crylock/RAN_Crylock_July_2021_1.yara#L1-L23" license_url = "N/A" - logic_hash = "v1_sha256_4f5046a64e7491085a55d8d1f2b5b056dc0aa89fcdea47652ecb7db680de2f59" + logic_hash = "4f5046a64e7491085a55d8d1f2b5b056dc0aa89fcdea47652ecb7db680de2f59" score = 75 quality = 65 tags = "FILE" 
@@ -209442,13 +209442,13 @@ rule ARKBIRD_SOLG_RAN_Cring_Apr_2021_1 : FILE meta: description = "Detect CRing ransomware" author = "Arkbird_SOLG" - id = "8aff62bf-2273-55c5-8f86-d6e5fc70af10" + id = "3648494d-8c27-5767-90e8-45e294aac382" date = "2021-04-08" modified = "2021-04-09" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-04-08/CRing/RAN_CRing_Apr_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_d82db146c9048391d79bda6cc5913363fc3cfc1a7cca26b23b362b7f3563ef3c" + logic_hash = "d82db146c9048391d79bda6cc5913363fc3cfc1a7cca26b23b362b7f3563ef3c" score = 50 quality = 75 tags = "FILE" @@ -209470,13 +209470,13 @@ rule ARKBIRD_SOLG_Ran_Egregor_Oct_2020_1 : FILE meta: description = "Detect Egregor / Maze ransomware by Maze blocks" author = "Arkbird_SOLG" - id = "4ed6e3b4-2665-517d-b30d-37abf6874b0e" + id = "03d3ee25-cd0c-573e-beca-e4ff4377da9f" date = "2020-10-29" modified = "2023-11-22" reference = "Internal Research" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2020-10-31/Ran_Egregor_Oct_2020_1 .yar#L1-L21" license_url = "N/A" - logic_hash = "v1_sha256_d7d03db002b74d031b725db60e38a46abce564fb090b013aa9ec66376b430000" + logic_hash = "d7d03db002b74d031b725db60e38a46abce564fb090b013aa9ec66376b430000" score = 75 quality = 75 tags = "FILE" 
@@ -209502,13 +209502,13 @@ rule ARKBIRD_SOLG_RAN_Yanluowang_Dec_2021_1 : FILE meta: description = "Detect Yanluowang ransomware" author = "Arkbird_SOLG" - id = "ce8a306c-05da-55d5-b7b6-3d60bb646caa" + id = "339d3dab-9bdd-5a46-8261-c32862ccc3bf" date = "2021-12-17" modified = "2021-12-18" reference = "https://samples.vx-underground.org/samples/Families/YanluowangRansomware/" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-12-18/RAN_Yanluowang_Dec_2021_1.yara#L1-L20" license_url = "N/A" - logic_hash = "v1_sha256_0144874fb24411b4378a2e2992934e674808f01ecc38f23d0d9d37e1d45621e4" + logic_hash = "0144874fb24411b4378a2e2992934e674808f01ecc38f23d0d9d37e1d45621e4" score = 75 quality = 75 tags = "FILE" @@ -209531,13 +209531,13 @@ rule ARKBIRD_SOLG_APK_Droidwatcher_Nov_2021_1 : FILE meta: description = "Detect modified DroidWatcher stealer used by Void Balaur group" author = "Arkbird_SOLG" - id = "a1d6f27d-aa50-5fdb-b242-17c87a7fcef9" + id = "04e02521-d89a-5f72-8b6f-0350f6defdd0" date = "2021-11-11" modified = "2021-11-12" reference = "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-11/Void_Balaur/APK_DroidWatcher_Nov_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_c16bcdd5d9cd6a3cbb527893e13ac967211d1686edd9f7ae03e37feada725a1b" + logic_hash = "c16bcdd5d9cd6a3cbb527893e13ac967211d1686edd9f7ae03e37feada725a1b" score = 50 quality = 75 tags = "FILE" 
@@ -209561,13 +209561,13 @@ rule ARKBIRD_SOLG_MAL_Zstealer_Nov_2021_1 : FILE meta: description = "Detect ZStealer stealer used by Void Balaur group" author = "Arkbird_SOLG" - id = "77ce3d34-737b-5ed2-b865-c8ce543dc1c7" + id = "0282884b-569a-5e46-a6ad-d2776ff71ddb" date = "2021-11-11" modified = "2021-11-12" reference = "https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf" source_url = "https://github.com/StrangerealIntel/DailyIOC/blob/a873ff1298c43705e9c67286f3014f4300dd04f7/2021-11-11/Void_Balaur/MAL_ZStealer_Nov_2021_1.yara#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_c3bec4fb8338ad71577e63f81c22b5d250083f2475f60610de8dccd4979035d3" + logic_hash = "c3bec4fb8338ad71577e63f81c22b5d250083f2475f60610de8dccd4979035d3" score = 75 quality = 75 tags = "FILE" @@ -209590,7 +209590,7 @@ rule ARKBIRD_SOLG_MAL_Zstealer_Nov_2021_1 : FILE * YARA Rule Set * Repository Name: Telekom Security * Repository: https://github.com/telekom-security/malware_analysis/ - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: bf832d97e8fd292ec5e095e35bde992a6462e71c * Number of Rules: 12 * Skipped: 0 (age), 5 (quality), 0 (score), 0 (importance) 
@@ -209605,14 +209605,14 @@ rule TELEKOM_SECURITY_Android_Flubot : FILE meta: description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2" author = "Thomas Barabosch, Telekom Security" - id = "3b943eba-9496-50ae-9913-2ba5e9e644d3" + id = "d6d1eebc-961f-5032-af04-4c95f364a74d" date = "2021-09-14" modified = "2021-09-14" reference = "https://github.com/telekom-security/malware_analysis/" source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/flubot/flubot.yar#L1-L19" license_url = "N/A" hash = "37be18494cd03ea70a1fdd6270cef6e3" - logic_hash = "v1_sha256_db22e0890dfad7cb9cb1d18aadb406514e5e8874051aa7f07a4bb93da9db68df" + logic_hash = "db22e0890dfad7cb9cb1d18aadb406514e5e8874051aa7f07a4bb93da9db68df" score = 75 quality = 45 tags = "FILE" @@ -209634,14 +209634,14 @@ rule TELEKOM_SECURITY_Android_Teabot : FILE meta: description = "matches on dumped, decrypted V/DEX files of Teabot" author = "Thomas Barabosch, Telekom Security" - id = "0a79f0ec-4116-5430-8410-fa743925fcba" + id = "9db701bf-be84-5236-97f7-67043cf3ea93" date = "2021-09-14" modified = "2021-09-14" reference = "https://github.com/telekom-security/malware_analysis/" source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/flubot/teabot.yar#L1-L23" license_url = "N/A" hash = "37be18494cd03ea70a1fdd6270cef6e3" - logic_hash = "v1_sha256_5aa7fdb191c36510c7698f3eae40c0b7f15c944b8f60113bbb4e40fc926579b8" + logic_hash = "5aa7fdb191c36510c7698f3eae40c0b7f15c944b8f60113bbb4e40fc926579b8" score = 75 quality = 45 tags = "FILE" 
@@ -209667,13 +209667,13 @@ rule TELEKOM_SECURITY_Crylock_Binary : FILE meta: description = "Detects CryLock ransomware v2.3.0.0" author = "Thomas Barabosch, Telekom Security" - id = "563f0f5c-1351-53ed-a664-6a8f533dd94a" + id = "5d46adf6-3ea4-5e3d-ac33-1292c076c0df" date = "2021-06-28" modified = "2021-07-08" reference = "TBA" source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/crylock/crylock_20210706.yar#L1-L27" license_url = "N/A" - logic_hash = "v1_sha256_990be4604c5737383cce1b32dfbf3bc066367d7bf4652e2549730cdeccf1f413" + logic_hash = "990be4604c5737383cce1b32dfbf3bc066367d7bf4652e2549730cdeccf1f413" score = 75 quality = 70 tags = "FILE" @@ -209702,13 +209702,13 @@ rule TELEKOM_SECURITY_Crylock_Hta : FILE meta: description = "Detects CryLock ransomware how_to_decrypt.hta ransom note" author = "Thomas Barabosch, Telekom Security" - id = "4fe2f958-b286-5cd8-8ddd-d39be18ece5b" + id = "cf6ba6d2-beca-5da0-bb2d-0b8b52418a5e" date = "2021-06-28" modified = "2021-07-08" reference = "TBA" source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/crylock/crylock_20210706.yar#L29-L53" license_url = "N/A" - logic_hash = "v1_sha256_3b603a395f872d74d54b98a8ac6e6eb71c3bd0f076b4c834fcb4922e2aaa58b9" + logic_hash = "3b603a395f872d74d54b98a8ac6e6eb71c3bd0f076b4c834fcb4922e2aaa58b9" score = 75 quality = 70 tags = "FILE" 
@@ -209737,13 +209737,13 @@ rule TELEKOM_SECURITY_Win_Systembc_20220311 : FILE meta: description = "Detects unpacked SystemBC module" author = "Thomas Barabosch, Deutsche Telekom Security" - id = "164ec211-cd54-5cec-9106-d6cb96a0ab5f" + id = "39e1a131-bd2c-56e9-961f-2b2c31f29e85" date = "2022-03-13" modified = "2022-03-13" reference = "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6" source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/systembc/systembc.yara#L1-L27" license_url = "N/A" - logic_hash = "v1_sha256_2f6e2c4c786941f800678e22679d4b81d1097a46c2555ae70e745df1b997c1c8" + logic_hash = "2f6e2c4c786941f800678e22679d4b81d1097a46c2555ae70e745df1b997c1c8" score = 75 quality = 70 tags = "FILE" @@ -209766,13 +209766,13 @@ rule TELEKOM_SECURITY_Get_Windows_Proxy_Configuration : CAPABILITY HACKTOOL meta: description = "Queries Windows Registry for proxy configuration" author = "Thomas Barabosch, Deutsche Telekom Security" - id = "7fa9aa9b-36bd-5059-8ac8-babd08c0fe1f" + id = "b67b0b70-a95f-5c65-a522-ef4f41e36159" date = "2022-01-14" modified = "2023-12-12" reference = "https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-ie-clientnetworkprotocolimplementation-hklmproxyserver" source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/hacktools/hacktools.yar#L44-L57" license_url = "N/A" - logic_hash = "v1_sha256_db52782a56d42f6e460466ea46993490bbbceeb7422d45211f064edb2e37a8eb" + logic_hash = "db52782a56d42f6e460466ea46993490bbbceeb7422d45211f064edb2e37a8eb" score = 75 quality = 70 tags = "CAPABILITY, HACKTOOL" 
@@ -209790,13 +209790,13 @@ rule TELEKOM_SECURITY_Cn_Utf8_Windows_Terminal : CAPABILITY HACKTOOL
 meta:
 description = "This is a (dirty) hack to display UTF-8 on Windows command prompt."
 author = "Thomas Barabosch, Deutsche Telekom Security"
- id = "3c2fd792-8bbd-54e8-a277-78871361fd2f"
+ id = "a1beee71-c526-58fb-a255-dba55ef7535b"
 date = "2022-01-14"
 modified = "2023-12-12"
 reference = "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf"
 source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/hacktools/hacktools.yar#L59-L71"
 license_url = "N/A"
- logic_hash = "v1_sha256_4c91280c3d6d3b48c4ee11bf3d0c2baecee1368fbf3951c0a3bf386454c557cf"
+ logic_hash = "4c91280c3d6d3b48c4ee11bf3d0c2baecee1368fbf3951c0a3bf386454c557cf"
 score = 40
 quality = 20
 tags = "CAPABILITY, HACKTOOL"
@@ -209812,13 +209812,13 @@ rule TELEKOM_SECURITY_Vatet_Loader_Rufus_Backdoor : DEFRAY777
 meta:
 description = "Detects backdoored Rufus with Vatet Loader of Defray777"
 author = "Thomas Barabosch, Deutsche Telekom Security"
- id = "92e55685-3a93-5f95-9c01-7afcf3aa1bb9"
+ id = "1f6fa228-300c-59de-b89c-3cbdce1b6374"
 date = "2022-03-18"
 modified = "2022-03-18"
 reference = "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777"
 source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/defray777/vatet_loader.yar#L1-L27"
 license_url = "N/A"
- logic_hash = "v1_sha256_3767398112759689078f992eb272cfec3e59f6d9ca30f8da68c2053e1217fd18"
+ logic_hash = "3767398112759689078f992eb272cfec3e59f6d9ca30f8da68c2053e1217fd18"
 score = 75
 quality = 20
 tags = "DEFRAY777"
@@ -209840,13 +209840,13 @@ rule TELEKOM_SECURITY_Fake_Gzip_Bokbot_202104
 meta:
 description = "fake gzip provided by CC"
 author = "Thomas Barabosch, Telekom Security"
- id = "bbd3914b-74d2-5218-8584-8fc2829fa0e8"
+ id = "538d84d8-aff2-571c-ba60-102f18262434"
 date = "2021-04-20"
 modified = "2021-07-08"
 reference = "https://github.com/telekom-security/malware_analysis/"
 source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/icedid/icedid_20210507.yar#L1-L11"
 license_url = "N/A"
- logic_hash = "v1_sha256_0f0205234eae1b011b899a59e4430c2de9d913b05efee90ce844a06f1cff04f3"
+ logic_hash = "0f0205234eae1b011b899a59e4430c2de9d913b05efee90ce844a06f1cff04f3"
 score = 75
 quality = 70
 tags = ""
@@ -209862,13 +209862,13 @@ rule TELEKOM_SECURITY_Win_Iceid_Gzip_Ldr_202104 : FILE
 meta:
 description = "2021 initial Bokbot / Icedid loader for fake GZIP payloads"
 author = "Thomas Barabosch, Telekom Security"
- id = "ab4a62f0-e840-5dd1-a8e3-81070a127657"
+ id = "9d905e90-dfec-596b-bd09-72413df49345"
 date = "2021-04-12"
 modified = "2021-07-08"
 reference = "https://github.com/telekom-security/malware_analysis/"
 source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/icedid/icedid_20210507.yar#L14-L38"
 license_url = "N/A"
- logic_hash = "v1_sha256_caf997e623920a230acce8a7256516aceb6a587823e0525a17e5d69d0ed45d12"
+ logic_hash = "caf997e623920a230acce8a7256516aceb6a587823e0525a17e5d69d0ed45d12"
 score = 75
 quality = 45
 tags = "FILE"
@@ -209895,13 +209895,13 @@ rule TELEKOM_SECURITY_Win_Iceid_Core_Ldr_202104 : FILE
 meta:
 description = "2021 loader for Bokbot / Icedid core (license.dat)"
 author = "Thomas Barabosch, Telekom Security"
- id = "1f44d96c-b4cb-5053-ac62-bfb3da44ce5e"
+ id = "f096e18d-3a31-5236-b3c3-0df39b408d9a"
 date = "2021-04-13"
 modified = "2021-07-08"
 reference = "https://github.com/telekom-security/malware_analysis/"
 source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/icedid/icedid_20210507.yar#L40-L62"
 license_url = "N/A"
- logic_hash = "v1_sha256_d814dbaffb38dc71aaf373512246fd6d811750d526c4afffb0b8018329dcdd90"
+ logic_hash = "d814dbaffb38dc71aaf373512246fd6d811750d526c4afffb0b8018329dcdd90"
 score = 75
 quality = 70
 tags = "FILE"
@@ -209926,13 +209926,13 @@ rule TELEKOM_SECURITY_Win_Iceid_Core_202104 : FILE
 meta:
 description = "2021 Bokbot / Icedid core"
 author = "Thomas Barabosch, Telekom Security"
- id = "276b586c-f97d-5467-9418-bc371bb0756c"
+ id = "526a73da-415f-58fe-bb5f-4c3df6b2e647"
 date = "2021-04-12"
 modified = "2021-07-08"
 reference = "https://github.com/telekom-security/malware_analysis/"
 source_url = "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/icedid/icedid_20210507.yar#L64-L88"
 license_url = "N/A"
- logic_hash = "v1_sha256_c208b4122159d24d010e2913c515d2ff730b30306f787d703816b5af1522ae88"
+ logic_hash = "c208b4122159d24d010e2913c515d2ff730b30306f787d703816b5af1522ae88"
 score = 75
 quality = 70
 tags = "FILE"
@@ -209958,9 +209958,9 @@ rule TELEKOM_SECURITY_Win_Iceid_Core_202104 : FILE
 * YARA Rule Set
 * Repository Name: Volexity
 * Repository: https://github.com/volexity/threat-intel
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: b2dd39c31efbb1ed004fb25faaace7d5caf2f424
- * Number of Rules: 88
+ * Number of Rules: 94
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
 *
 *
@@ -209981,13 +209981,13 @@ rule VOLEXITY_Apt_Malware_Py_Upstyle : UTA0218 FILE MEMORY
 meta:
 description = "Detect the UPSTYLE webshell."
 author = "threatintel@volexity.com"
- id = "d59df16f-2f70-5e46-a156-1fe826c4ab2f"
+ id = "45726f35-8b3e-5095-b145-9e7f6da6838b"
 date = "2024-04-11"
 modified = "2024-04-12"
 reference = "TIB-20240412"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-04-12 Palo Alto Networks GlobalProtect/indicators/rules.yar#L1-L33"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_51923600b23d23f4ce29eac7f5ab9f7e1ddb45bed5f6727ddec4dcb75872e473"
+ logic_hash = "51923600b23d23f4ce29eac7f5ab9f7e1ddb45bed5f6727ddec4dcb75872e473"
 score = 75
 quality = 80
 tags = "UTA0218, FILE, MEMORY"
@@ -210017,13 +210017,13 @@ rule VOLEXITY_Susp_Any_Jarischf_User_Path : FILE MEMORY
 meta:
 description = "Detects paths embedded in samples in released projects written by Ferdinand Jarisch, a pentester in AISEC. These tools are sometimes used by attackers in real world intrusions."
 author = "threatintel@volexity.com"
- id = "d896095d-3107-5239-921a-21b58dfc8520"
+ id = "062a6fdb-c516-5643-9c7c-deff32eeb95e"
 date = "2024-04-10"
 modified = "2024-04-12"
 reference = "TIB-20240412"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-04-12 Palo Alto Networks GlobalProtect/indicators/rules.yar#L57-L78"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_574d5b1fadb91c39251600e7d73d4993d4b16565bd1427a0e8d6ed4e7905ab54"
+ logic_hash = "574d5b1fadb91c39251600e7d73d4993d4b16565bd1427a0e8d6ed4e7905ab54"
 score = 50
 quality = 80
 tags = "FILE, MEMORY"
@@ -210046,13 +210046,13 @@ rule VOLEXITY_Hacktool_Golang_Reversessh_Fahrj : FILE MEMORY
 meta:
 description = "Detects a reverse SSH utility available on GitHub. Attackers may use this tool or similar tools in post-exploitation activity."
 author = "threatintel@volexity.com"
- id = "683e9c91-8e33-5262-bb91-b545ca3a49ef"
+ id = "332e323f-cb16-5aa2-8b66-f3d6d50d94f2"
 date = "2024-04-10"
 modified = "2024-04-12"
 reference = "TIB-20240412"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-04-12 Palo Alto Networks GlobalProtect/indicators/rules.yar#L79-L112"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_38b40cc7fc1e601da2c7a825f1c2eff209093875a5829ddd2f4c5ad438d660f8"
+ logic_hash = "38b40cc7fc1e601da2c7a825f1c2eff209093875a5829ddd2f4c5ad438d660f8"
 score = 75
 quality = 80
 tags = "FILE, MEMORY"
@@ -210084,13 +210084,13 @@ rule VOLEXITY_Apt_Malware_Any_Reloadext_Plugin : STORMBAMBOO FILE MEMORY
 meta:
 description = "Detection for RELOADEXT, a Google Chrome extension malware."
 author = "threatintel@volexity.com"
- id = "d4510cd3-db69-5f0a-9c4a-fafd35a6929a"
+ id = "6c6c8bee-2a13-5645-89ef-779f00264fd9"
 date = "2024-02-23"
 modified = "2024-08-02"
 reference = "TIB-20240227"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L4-L36"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_2b11f8fc5b6260ebf00bde83585cd7469709a4979ca579cdf065724bc15052fc"
+ logic_hash = "2b11f8fc5b6260ebf00bde83585cd7469709a4979ca579cdf065724bc15052fc"
 score = 75
 quality = 80
 tags = "STORMBAMBOO, FILE, MEMORY"
@@ -210118,13 +210118,13 @@ rule VOLEXITY_Apt_Malware_Macos_Reloadext_Installer : STORMBAMBOO FILE MEMORY
 meta:
 description = "Detect the RELOADEXT installer."
 author = "threatintel@volexity.com"
- id = "7499b1fc-3cfd-5844-84e7-8a4782e908b9"
+ id = "c65ea2b5-ab98-5693-92ea-05c0f1ea1e5b"
 date = "2024-02-23"
 modified = "2024-08-02"
 reference = "TIB-20240227"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L37-L62"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_8688796839202d95ded15e10262a7a7c7cbbae4a332b60305402e5984005d452"
+ logic_hash = "8688796839202d95ded15e10262a7a7c7cbbae4a332b60305402e5984005d452"
 score = 75
 quality = 80
 tags = "STORMBAMBOO, FILE, MEMORY"
@@ -210151,13 +210151,13 @@ rule VOLEXITY_Apt_Malware_Any_Macma_A : STORMBAMBOO FILE MEMORY
 meta:
 description = "Detects variants of the MACMA backdoor, variants of MACMA have been discovered for Windows, macOS and android."
 author = "threatintel@volexity.com"
- id = "81825776-9712-5cbb-96f2-b69eb72fe729"
+ id = "6ab45af1-41e5-53fc-9297-e2bc07ebf797"
 date = "2021-11-12"
 modified = "2024-08-02"
 reference = "https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L64-L112"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_7ebaff9fddf6491d6b1ed9ab14c1b87dc8df850536e55aa723d625a593b33ed7"
+ logic_hash = "7ebaff9fddf6491d6b1ed9ab14c1b87dc8df850536e55aa723d625a593b33ed7"
 score = 75
 quality = 53
 tags = "STORMBAMBOO, FILE, MEMORY"
@@ -210205,13 +210205,13 @@ rule VOLEXITY_Apt_Malware_Macos_Gimmick : STORMBAMBOO FILE MEMORY
 meta:
 description = "Detects the macOS port of the GIMMICK malware."
 author = "threatintel@volexity.com"
- id = "c23b240c-10fc-5f83-b6cb-641afc60aa2a"
+ id = "3d485788-4aab-511b-a49e-5dc09d1950a9"
 date = "2021-10-18"
 modified = "2024-08-02"
 reference = "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L113-L171"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_00fba9df2212874a45d44b3d098a7b76c97fcd53ff083c76b784d2b510a4a467"
+ logic_hash = "00fba9df2212874a45d44b3d098a7b76c97fcd53ff083c76b784d2b510a4a467"
 score = 75
 quality = 78
 tags = "STORMBAMBOO, FILE, MEMORY"
@@ -210263,13 +210263,13 @@ rule VOLEXITY_Apt_Malware_Win_Dustpan_Apihashes : STORMBAMBOO FILE
 meta:
 description = "Detects DUSTPAN malware using API hashes used to resolve functions at runtime."
 author = "threatintel@volexity.com"
- id = "e049abc5-d637-53e0-9f3a-35bb884ef123"
+ id = "ed275da4-cd95-5fa3-a568-e610fb405bb3"
 date = "2023-08-17"
 modified = "2024-08-02"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L173-L210"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_3edb66ade428c451c18aa152244f869f9f8c10e62ed942bf722b4d1cf1893e93"
+ logic_hash = "3edb66ade428c451c18aa152244f869f9f8c10e62ed942bf722b4d1cf1893e93"
 score = 75
 quality = 80
 tags = "STORMBAMBOO, FILE"
@@ -210304,13 +210304,13 @@ rule VOLEXITY_Apt_Malware_Win_Pocostick_Jul23 : STORMBAMBOO FILE MEMORY
 meta:
 description = "Detects the July 2023 POCOSTICK variant. These strings are only visible in memory after several rounds of shellcode decryption."
 author = "threatintel@volexity.com"
- id = "bfa9c805-983a-5b2c-805e-532e05e831af"
+ id = "9632a7fc-06da-58b4-b95c-b46aeb9dd41d"
 date = "2023-07-24"
 modified = "2024-08-02"
 reference = "TIB-20231221"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L212-L241"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_19487db733c7f793be2a1287df32a165e46f6af0e940b13b389f4d675b5100c4"
+ logic_hash = "19487db733c7f793be2a1287df32a165e46f6af0e940b13b389f4d675b5100c4"
 score = 75
 quality = 80
 tags = "STORMBAMBOO, FILE, MEMORY"
@@ -210341,13 +210341,13 @@ rule VOLEXITY_Apt_Malware_Py_Dustpan_Pyloader : STORMBAMBOO FILE MEMORY
 meta:
 description = "Detects Python script used by KPlayer to update, modified by attackers to download a malicious payload."
 author = "threatintel@volexity.com"
- id = "9f8d5318-75e2-57c3-bf8e-9a3391e09750"
+ id = "446d2eef-c60a-50ed-9ff1-df86b6210dff"
 date = "2023-07-21"
 modified = "2024-08-02"
 reference = "TIB-20231221"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L243-L279"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_bb3a70dad28181534e27abbbd618165652c137264bfd3726ae4480c642493a3b"
+ logic_hash = "bb3a70dad28181534e27abbbd618165652c137264bfd3726ae4480c642493a3b"
 score = 75
 quality = 80
 tags = "STORMBAMBOO, FILE, MEMORY"
@@ -210375,22 +210375,22 @@ rule VOLEXITY_Apt_Malware_Py_Dustpan_Pyloader : STORMBAMBOO FILE MEMORY condition: 3 of ( $s_* ) or any of ( $url_* ) or $path_1 } -import "pe" import "hash" +import "pe" rule VOLEXITY_Apt_Malware_Win_Pocostick_B : STORMBAMBOO FILE { meta: description = "Detects the POCOSTICK family, variant B." author = "threatintel@volexity.com" - id = "76f88bda-c2ea-55bd-a9f8-58de96810a37" + id = "2a8a455d-6b5c-53a7-aa5e-91d29efd3aa8" date = "2020-07-08" modified = "2024-08-02" reference = "TIB-20231221" source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L281-L312" license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" hash = "1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585" - logic_hash = "v1_sha256_a51e836425ec407706c7b2a4c21cc12398620c7dae6c9504a855f99e4b4d6ab2" + logic_hash = "a51e836425ec407706c7b2a4c21cc12398620c7dae6c9504a855f99e4b4d6ab2" score = 75 quality = 80 tags = "STORMBAMBOO, FILE" 
@@ -210416,14 +210416,14 @@ rule VOLEXITY_Apt_Malware_Elf_Catchdns_Aug20_Memory : DRIFTINGBAMBOO FILE MEMORY
 meta:
 description = "Looks for strings from CatchDNS component used to intercept and modify DNS responses, and likely also intercept/monitor http. This rule would only match against memory in the example file analyzed by Volexity."
 author = "threatintel@volexity.com"
- id = "2019ed83-c61d-5100-891e-4b67866080e8"
+ id = "95306735-cdae-5407-ad49-d465d245378d"
 date = "2020-08-20"
 modified = "2024-08-02"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-08-02 StormBamboo/rules.yar#L313-L387"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "4f3d35f4f8b810362cbd4c59bfe5a961e559fe5713c9478294ccb3af2d306515"
- logic_hash = "v1_sha256_a7d677d7eecf388df7e7c2343fd3e46188594473c01075bf8a0b54292a51db94"
+ logic_hash = "a7d677d7eecf388df7e7c2343fd3e46188594473c01075bf8a0b54292a51db94"
 score = 75
 quality = 55
 tags = "DRIFTINGBAMBOO, FILE, MEMORY"
@@ -210489,13 +210489,13 @@ rule VOLEXITY_Apt_Webshell_Pl_Complyshell : UTA0178 FILE MEMORY
 meta:
 description = "Detection for the COMPLYSHELL webshell."
 author = "threatintel@volexity.com"
- id = "f1fa6923-b489-5fc9-891e-1518b682c78c"
+ id = "6b44b5bc-a75f-573c-b9c3-562b7874e408"
 date = "2023-12-13"
 modified = "2024-01-09"
 reference = "TIB-20231215"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-01-10 Ivanti Connect Secure/indicators/yara.yar#L1-L22"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_ff46691f1add20cff30fe996e2fb199ce42408e86d5642a8a43c430f2245b1f5"
+ logic_hash = "ff46691f1add20cff30fe996e2fb199ce42408e86d5642a8a43c430f2245b1f5"
 score = 75
 quality = 80
 tags = "UTA0178, FILE, MEMORY"
@@ -210518,13 +210518,13 @@ rule VOLEXITY_Apt_Webshell_Aspx_Glasstoken : UTA0178 FILE MEMORY
 meta:
 description = "Detection for a custom webshell seen on external facing server. The webshell contains two functions, the first is to act as a Tunnel, using code borrowed from reGeorg, the second is custom code to execute arbitrary .NET code."
 author = "threatintel@volexity.com"
- id = "4b865ecd-1e86-55ec-b768-9e5cc0cdf29b"
+ id = "5d96294c-aa61-5752-ab06-d5b27f6ac3a1"
 date = "2023-12-12"
 modified = "2024-01-09"
 reference = "TIB-20231215"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-01-10 Ivanti Connect Secure/indicators/yara.yar#L24-L49"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_34844dc2ba4b18b25dcb5b14b7b80ec655595c9638600a0f2a6367610c542dd1"
+ logic_hash = "34844dc2ba4b18b25dcb5b14b7b80ec655595c9638600a0f2a6367610c542dd1"
 score = 75
 quality = 80
 tags = "UTA0178, FILE, MEMORY"
@@ -210548,14 +210548,14 @@ rule VOLEXITY_Webshell_Aspx_Regeorg : FILE MEMORY
 meta:
 description = "Detects the reGeorg webshell based on common strings in the webshell. May also detect other webshells which borrow code from ReGeorg."
 author = "threatintel@volexity.com"
- id = "91c0d4ad-77b8-5c5e-a36b-2dc885035858"
+ id = "02365a30-769e-5c47-8d36-a79608ffd121"
 date = "2018-08-29"
 modified = "2024-01-09"
 reference = "TIB-20231215"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-01-10 Ivanti Connect Secure/indicators/yara.yar#L51-L83"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "9d901f1a494ffa98d967ee6ee30a46402c12a807ce425d5f51252eb69941d988"
- logic_hash = "v1_sha256_4fed023e85a32052917f6db1e2e155c91586538938c03acc59f200a8264888ca"
+ logic_hash = "4fed023e85a32052917f6db1e2e155c91586538938c03acc59f200a8264888ca"
 score = 75
 quality = 80
 tags = "FILE, MEMORY"
@@ -210583,13 +210583,13 @@ rule VOLEXITY_Hacktool_Py_Pysoxy : FILE MEMORY
 meta:
 description = "SOCKS5 proxy tool used to relay connections."
 author = "threatintel@volexity.com"
- id = "35d798ba-7c95-538c-a489-e7cf9f7bba2c"
+ id = "88094b55-784d-5245-9c40-b1eebf0e6e72"
 date = "2024-01-09"
 modified = "2024-01-09"
 reference = "TIB-20240109"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-01-10 Ivanti Connect Secure/indicators/yara.yar#L85-L111"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_f73e9d3c2f64c013218469209f3b69fc868efafc151a7de979dde089bfdb24b2"
+ logic_hash = "f73e9d3c2f64c013218469209f3b69fc868efafc151a7de979dde089bfdb24b2"
 score = 75
 quality = 80
 tags = "FILE, MEMORY"
@@ -210616,13 +210616,13 @@ rule VOLEXITY_Apt_Malware_Vbs_Basicstar : CHARMINGCYPRESS FILE MEMORY
 meta:
 description = "VBS backdoor which bares architectural similarity to the POWERSTAR malware family."
 author = "threatintel@volexity.com"
- id = "ae5cde9c-2f8e-546a-a277-153b49860ae3"
+ id = "e790defe-2bd5-5629-8420-ce8091483589"
 date = "2024-01-04"
 modified = "2024-01-11"
 reference = "TIB-20240111"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-02-13 CharmingCypress/rules.yar#L64-L92"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_977bb42553bb6585c8d0e1e89675644720ca9abf294eccd797e20d4bca516810"
+ logic_hash = "977bb42553bb6585c8d0e1e89675644720ca9abf294eccd797e20d4bca516810"
 score = 75
 quality = 80
 tags = "CHARMINGCYPRESS, FILE, MEMORY"
@@ -210650,13 +210650,13 @@ rule VOLEXITY_Apt_Malware_Ps1_Powerless_B : CHARMINGCYPRESS FILE MEMORY
 meta:
 description = "Detects POWERLESS malware."
 author = "threatintel@volexity.com"
- id = "6020de25-2fea-57b7-a293-183f216f8ec4"
+ id = "74dd8412-c099-5ecb-af97-c22fede14252"
 date = "2023-10-25"
 modified = "2023-11-03"
 reference = "TIB-20231027"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-02-13 CharmingCypress/rules.yar#L93-L150"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_a95fe2c8d09d66e07a999eef3a5666cc622bbc063d747626c48b26cfecf35849"
+ logic_hash = "a95fe2c8d09d66e07a999eef3a5666cc622bbc063d747626c48b26cfecf35849"
 score = 75
 quality = 78
 tags = "CHARMINGCYPRESS, FILE, MEMORY"
@@ -210713,13 +210713,13 @@ rule VOLEXITY_Apt_Malware_Macos_Vpnclient_Cc_Oct23 : CHARMINGCYPRESS FILE MEMORY
 meta:
 description = "Detection for fake macOS VPN client used by CharmingCypress."
 author = "threatintel@volexity.com"
- id = "1809d749-4b45-5195-990c-da025b1edea2"
+ id = "e0957936-dc6e-5de6-bb23-d0ef61655029"
 date = "2023-10-17"
 modified = "2023-10-27"
 reference = "TIB-20231027"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-02-13 CharmingCypress/rules.yar#L236-L261"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_da5e9be752648b072a9aaeed884b8e1729a14841e33ed6633a0aaae1f11bd139"
+ logic_hash = "da5e9be752648b072a9aaeed884b8e1729a14841e33ed6633a0aaae1f11bd139"
 score = 75
 quality = 80
 tags = "CHARMINGCYPRESS, FILE, MEMORY"
@@ -210746,13 +210746,13 @@ rule VOLEXITY_Apt_Malware_Charmingcypress_Openvpn_Configuration : CHARMINGCYPRES
 meta:
 description = "Detection for a .ovpn file used in a malicious VPN client on victim machines by CharmingCypress."
 author = "threatintel@volexity.com"
- id = "147b7497-bde0-5f52-8a21-0f991883da3c"
+ id = "f39b2d7c-f0c5-5623-a114-02ba32469e59"
 date = "2023-10-17"
 modified = "2023-10-27"
 reference = "TIB-20231027"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-02-13 CharmingCypress/rules.yar#L262-L286"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_f4c5f13ac75504b14def9c37d3a41c6eea4c45845d4b54c50030b1f00691e4bf"
+ logic_hash = "f4c5f13ac75504b14def9c37d3a41c6eea4c45845d4b54c50030b1f00691e4bf"
 score = 75
 quality = 80
 tags = "CHARMINGCYPRESS, FILE"
@@ -210778,13 +210778,13 @@ rule VOLEXITY_Apt_Delivery_Win_Charming_Openvpn_Client : CHARMINGCYPRESS FILE
 meta:
 description = "Detects a fake OpenVPN client developed by CharmingCypress."
 author = "threatintel@volexity.com"
- id = "961fa733-eb33-5fb7-a2c5-6babcd148cda"
+ id = "b69fdd72-4a55-5e83-b754-401fe9339007"
 date = "2023-10-17"
 modified = "2023-10-27"
 reference = "TIB-20231027"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-02-13 CharmingCypress/rules.yar#L287-L310"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_02596a62cb1ba17ecabef0ae93f434e4774b00422a6da2106a2bc4c59d2f8077"
+ logic_hash = "02596a62cb1ba17ecabef0ae93f434e4774b00422a6da2106a2bc4c59d2f8077"
 score = 75
 quality = 80
 tags = "CHARMINGCYPRESS, FILE"
@@ -210809,13 +210809,13 @@ rule VOLEXITY_Apt_Malware_Ps1_Powerstar_Generic : CHARMINGCYPRESS FILE MEMORY
 meta:
 description = "Detects POWERSTAR modules based on common HTTP functions used across modules."
 author = "threatintel@volexity.com"
- id = "9db4e4b3-df5b-5e49-a153-2d4bb1ea94ae"
+ id = "71a3e99d-e1c8-5ac1-abbc-2ba5cba80799"
 date = "2023-06-02"
 modified = "2023-06-28"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-02-13 CharmingCypress/rules.yar#L311-L335"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_4da02190ffd16304eccbc0d12dfcc5637a6b785af0e3dc3dfcafcfe114597eb2"
+ logic_hash = "4da02190ffd16304eccbc0d12dfcc5637a6b785af0e3dc3dfcafcfe114597eb2"
 score = 75
 quality = 80
 tags = "CHARMINGCYPRESS, FILE, MEMORY"
@@ -210840,13 +210840,13 @@ rule VOLEXITY_Apt_Malware_Win_Deepdata_Module : BRAZENBAMBOO FILE MEMORY
 meta:
 description = "Detects modules used by DEEPDATA based on the required export names used by those modules."
 author = "threatintel@volexity.com"
- id = "20d4cb5f-4b15-54ec-a7d1-feb87f25994f"
+ id = "1287f5dd-9229-57ce-a91a-73d61041df80"
 date = "2024-07-30"
 modified = "2024-11-14"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-11-15 BrazenBamboo/rules.yar#L1-L25"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_d36f34343826daf7f7368118c7127c7181a54c99a01803016c9a6965abb309cb"
+ logic_hash = "d36f34343826daf7f7368118c7127c7181a54c99a01803016c9a6965abb309cb"
 score = 75
 quality = 80
 tags = "BRAZENBAMBOO, FILE, MEMORY"
@@ -210873,13 +210873,13 @@ rule VOLEXITY_Apt_Malware_Win_Lightspy_Orchestrator_Decoded_Core : BRAZENBAMBOO
 meta:
 description = "Detects the decoded orchestrator for the Windows variant of the LightSpy malware family. This file is normally stored in an encoded state on the C2 server and is used as the core component of this malware family, loading additional plugins from the C2 whilst managing all the C2 communication etc."
 author = "threatintel@volexity.com"
- id = "4398b057-b3cf-50f9-ac5e-5c445a60e761"
+ id = "44f8d7a4-7f48-5960-91a7-baf475f7d291"
 date = "2024-02-15"
 modified = "2024-07-03"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-11-15 BrazenBamboo/rules.yar#L247-L290"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_f0189c0a84c53e365130e9683f2f2b2f73c14412d8e4d0251a4780d0e80162d8"
+ logic_hash = "f0189c0a84c53e365130e9683f2f2b2f73c14412d8e4d0251a4780d0e80162d8"
 score = 75
 quality = 78
 tags = "BRAZENBAMBOO, FILE, MEMORY"
@@ -210923,13 +210923,13 @@ rule VOLEXITY_Apt_Malware_Win_Lightspy_Orchestrator_Decoded_C2_Strings : BRAZENB
 meta:
 description = "Detects the decoded orchestrator for the Windows variant of the LightSpy malware family. This file is normally stored in an encoded state on the C2 server and is used as the core component of this malware family, loading additional plugins from the C2 whilst managing all the C2 communication etc."
 author = "threatintel@volexity.com"
- id = "5cc2f0c8-d00e-5d45-b1cf-b913075b072c"
+ id = "a0af8fb7-13a3-54e8-8569-e8622fa80d89"
 date = "2024-02-15"
 modified = "2024-07-03"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-11-15 BrazenBamboo/rules.yar#L291-L339"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_eeaaf6e16d4854a2279bd62596f75cb8b8ec1b05f3b050f5dac97254704b9005"
+ logic_hash = "eeaaf6e16d4854a2279bd62596f75cb8b8ec1b05f3b050f5dac97254704b9005"
 score = 75
 quality = 78
 tags = "BRAZENBAMBOO, FILE, MEMORY"
@@ -210979,13 +210979,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_Modules : UTA0137 FILE MEMORY
 meta:
 description = "Detects DISGOMOJI modules based on strings in the ELF."
 author = "threatintel@volexity.com"
- id = "dab704e8-646e-54f8-9936-bf2e133e0d1e"
+ id = "b9e4ecdc-9b02-546f-9b79-947cb6b1f99a"
 date = "2024-02-22"
 modified = "2024-02-27"
 reference = "TIB-20240228"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L1-L23"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_7880288e3230b688b780bdfbac2b0761fd7831b7df233672c2242c21a86e1297"
+ logic_hash = "7880288e3230b688b780bdfbac2b0761fd7831b7df233672c2242c21a86e1297"
 score = 75
 quality = 80
 tags = "UTA0137, FILE, MEMORY"
@@ -211009,13 +211009,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_Loader : UTA0137 FILE MEMORY
 meta:
 description = "Detects the DISGOMOJI loader using strings in the ELF."
 author = "threatintel@volexity.com"
- id = "b3c480d3-f43e-53d0-b0ba-e4b479b4f0f8"
+ id = "6d7848db-f1a5-5ccc-977a-7597b966a31c"
 date = "2024-02-22"
 modified = "2024-02-27"
 reference = "TIB-20240228"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L25-L46"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_d9be4846bab5fffcfd60eaec377443819404f30ec088905c2ee26bd3b7525832"
+ logic_hash = "d9be4846bab5fffcfd60eaec377443819404f30ec088905c2ee26bd3b7525832"
 score = 75
 quality = 80
 tags = "UTA0137, FILE, MEMORY"
@@ -211038,13 +211038,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_Debug_String : UTA0137 FILE MEMORY
 meta:
 description = "Detects the DISGOMOJI malware using strings in the ELF."
 author = "threatintel@volexity.com"
- id = "05775d14-14ee-576d-ab0a-554a29a3b242"
+ id = "a1bbf285-a8ad-5877-ae2a-a7dd5e61cf46"
 date = "2024-02-22"
 modified = "2024-02-27"
 reference = "TIB-20240228"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L48-L69"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_030d8044b5d17ba8786ff7a4d6ac0282bc0b0e193ad89a3e84b5ba44505e5be5"
+ logic_hash = "030d8044b5d17ba8786ff7a4d6ac0282bc0b0e193ad89a3e84b5ba44505e5be5"
 score = 75
 quality = 80
 tags = "UTA0137, FILE, MEMORY"
@@ -211067,13 +211067,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_2 : UTA0137 FILE MEMORY
 meta:
 description = "Detects the DISGOMOJI malware using strings in the ELF."
 author = "threatintel@volexity.com"
- id = "b628e69e-3f7b-5f98-b681-74c844cb6362"
+ id = "609beb47-5e93-5f69-b89d-2cf62f20851a"
 date = "2024-02-22"
 modified = "2024-02-27"
 reference = "TIB-20240228"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L71-L101"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_e03a774cca2946c1becdbd775ef465033dae089d578ea18a4f43fd7bdae9168e"
+ logic_hash = "e03a774cca2946c1becdbd775ef465033dae089d578ea18a4f43fd7bdae9168e"
 score = 75
 quality = 80
 tags = "UTA0137, FILE, MEMORY"
@@ -211105,13 +211105,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_1 : UTA0137 FILE MEMORY
 meta:
 description = "Detects the DISGOMOJI malware using strings in the ELF."
 author = "threatintel@volexity.com"
- id = "fbcdc4be-4632-5617-959e-0e7b98f53941"
+ id = "f6643e9a-ca41-57e0-9fce-571d340f1cfe"
 date = "2024-02-22"
 modified = "2024-02-27"
 reference = "TIB-20240228"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L103-L129"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_dd3535079881ae9cfe25c129803668cb595be89b7f62eb82af19cc3839f92b6d"
+ logic_hash = "dd3535079881ae9cfe25c129803668cb595be89b7f62eb82af19cc3839f92b6d"
 score = 75
 quality = 80
 tags = "UTA0137, FILE, MEMORY"
@@ -211139,13 +211139,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_Bogus_Strings : UTA0137 FILE
 meta:
 description = "Detects the DISGOMOJI malware using bogus strings introduced in the newer versions."
 author = "threatintel@volexity.com"
- id = "9857e276-2772-5013-91a2-ad8daefe46ab"
+ id = "ecff8d3c-d4fe-5b6d-a227-6ff531cf8e2b"
 date = "2024-03-14"
 modified = "2024-03-14"
 reference = "TIB-20240318"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L131-L157"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_0d8a2b371ffb182e60a8cc0cc500d1a9f906718a55f23f35f6c12f7faabbe971"
+ logic_hash = "0d8a2b371ffb182e60a8cc0cc500d1a9f906718a55f23f35f6c12f7faabbe971"
 score = 75
 quality = 80
 tags = "UTA0137, FILE"
@@ -211173,13 +211173,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_Script_Uevent_Seqnum : UTA0137 FILE
 meta:
 description = "Detects a script deployed as part of DISGOMOJI malware chain."
 author = "threatintel@volexity.com"
- id = "aa219abd-37d5-54d4-9572-1cefa55773ba"
+ id = "9df61164-6a92-5042-ba4f-64dc7e998283"
 date = "2024-03-07"
 modified = "2024-03-14"
 reference = "TIB-20240318"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L159-L185"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_e390e83d9fc15499c9f32ad47d1c526273105602bda7b3532720b0a3f6abc835"
+ logic_hash = "e390e83d9fc15499c9f32ad47d1c526273105602bda7b3532720b0a3f6abc835"
 score = 75
 quality = 80
 tags = "UTA0137, FILE"
@@ -211207,13 +211207,13 @@ rule VOLEXITY_Apt_Malware_Linux_Disgomoji_Script_Lan_Conf : UTA0137 FILE
 meta:
 description = "Detects a script deployed as part of DISGOMOJI malware chain."
 author = "threatintel@volexity.com"
- id = "09a01dfb-8e04-57f7-931e-9ffbcf79c533"
+ id = "b338b3cf-22ce-5767-bdea-503e883bc84b"
 date = "2024-03-07"
 modified = "2024-03-14"
 reference = "TIB-20240318"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L187-L213"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_2a19d5cff7adc9b1b92538a5df4e3cadea694f925f65080f5093fc5425e840f4"
+ logic_hash = "2a19d5cff7adc9b1b92538a5df4e3cadea694f925f65080f5093fc5425e840f4"
 score = 75
 quality = 80
 tags = "UTA0137, FILE"
@@ -211241,13 +211241,13 @@ rule VOLEXITY_Malware_Golang_Discordc2_Bmdyy_1 : FILE MEMORY
 meta:
 description = "Detects a opensource malware available on github using strings in the ELF. DISGOMOJI used by UTA0137 is based on this malware."
 author = "threatintel@volexity.com"
- id = "1cddd3a1-ed3c-5395-9eab-acadefbbd578"
+ id = "6816d264-4311-5e90-948b-2e27cdf0b720"
 date = "2024-03-28"
 modified = "2024-03-28"
 reference = "TIB-20240229"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L215-L241"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_22b3e5109d0738552fbc310344b2651ab3297e324bc883d5332c1e8a7a1df29b"
+ logic_hash = "22b3e5109d0738552fbc310344b2651ab3297e324bc883d5332c1e8a7a1df29b"
 score = 75
 quality = 80
 tags = "FILE, MEMORY"
@@ -211274,13 +211274,13 @@ rule VOLEXITY_Malware_Golang_Discordc2_Bmdyy : FILE MEMORY
 meta:
 description = "Detects a opensource malware available on github using strings in the ELF. DISGOMOJI used by UTA0137 is based on this malware."
 author = "threatintel@volexity.com"
- id = "b44c6a24-f1ef-55a3-8adc-acd5ad60d695"
+ id = "1ddbf476-ba2d-5cbb-ad95-38e0ae8db71b"
 date = "2024-02-22"
 modified = "2024-03-28"
 reference = "https://github.com/bmdyy/discord-c2"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2024/2024-06-13 DISGOMOJI/indicators/rules.yar#L243-L265"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_38b860a43b9937351f74b01983888f18ad101cbe66560feb7455d46b713eba0f"
+ logic_hash = "38b860a43b9937351f74b01983888f18ad101cbe66560feb7455d46b713eba0f"
 score = 75
 quality = 80
 tags = "FILE, MEMORY"
@@ -211303,14 +211303,14 @@ rule VOLEXITY_Webshell_Aspx_Simpleseesharp : WEBSHELL UNCLASSIFIED FILE
 meta:
 description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
 author = "threatintel@volexity.com"
- id = "e29deb0d-6f21-5b59-8da6-aa128d501a83"
+ id = "469fdf5c-e09e-5d44-a2e6-0864dcd0e18a"
 date = "2021-03-01"
 modified = "2021-09-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-03-02 - Operation Exchange Marauder/indicators/yara.yar#L1-L19"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"
- logic_hash = "v1_sha256_6f62249a68bae94e5cbdb4319ea5cde9dc071ec7a4760df3aafe78bc1e072c30"
+ logic_hash = "6f62249a68bae94e5cbdb4319ea5cde9dc071ec7a4760df3aafe78bc1e072c30"
 score = 75
 quality = 80
 tags = "WEBSHELL, UNCLASSIFIED, FILE"
@@ -211328,14 +211328,14 @@ rule VOLEXITY_Webshell_Aspx_Regeorgtunnel : WEBSHELL COMMODITY
 meta:
 description = "variation on reGeorgtunnel"
 author = "threatintel@volexity.com"
- id = "4797c93a-fd9a-5836-9d63-b7688792530a"
+ id = "b8aa27c9-a28a-5051-8f81-1184f28842ed"
 date = "2021-03-01"
 modified = "2021-09-01"
 reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-03-02 - Operation Exchange Marauder/indicators/yara.yar#L21-L43"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
- logic_hash = "v1_sha256_ea3d0532cb609682922469e8272dc8061efca3b3ae27df738ef2646e30404c6f"
+ logic_hash = "ea3d0532cb609682922469e8272dc8061efca3b3ae27df738ef2646e30404c6f"
 score = 75
 quality = 80
 tags = "WEBSHELL, COMMODITY"
@@ -211358,14 +211358,14 @@ rule VOLEXITY_Webshell_Aspx_Sportsball : WEBSHELL
 meta:
 description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
 author = "threatintel@volexity.com"
- id = "8890d5eb-1b97-5f71-9d10-3ff61eef614a"
+ id = "d8cf1eb7-c08b-5c3c-b7d8-135b15418a7d"
 date = "2021-03-01"
 modified = "2021-09-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-03-02 - Operation Exchange Marauder/indicators/yara.yar#L45-L68"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"
- logic_hash = "v1_sha256_4f90d727db91a93f53d08d2134f57bd03e7e2367aec3d78d275cfd192d7fb928"
+ logic_hash = "4f90d727db91a93f53d08d2134f57bd03e7e2367aec3d78d275cfd192d7fb928"
 score = 75
 quality = 80
 tags = "WEBSHELL"
@@ -211389,14 +211389,14 @@ rule VOLEXITY_Apt_Win_Flipflop_Ldr : APT29
 meta:
 description = "A loader for the CobaltStrike malware family, which ultimately takes the first and second bytes of an embedded file, and flips them prior to executing the resulting payload."
 author = "threatintel@volexity.com"
- id = "1eeb08e3-b762-5b27-ac85-8c45142f3710"
+ id = "58696a6f-55a9-5212-9372-a539cc327e6b"
 date = "2021-05-25"
 modified = "2021-09-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-05-27 - Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns/indicators/yara.yar#L3-L19"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330"
- logic_hash = "v1_sha256_a79d2b0700ae14f7a2af23c8f7df3df3564402b1137478008ccabefea0f543ad"
+ logic_hash = "a79d2b0700ae14f7a2af23c8f7df3df3564402b1137478008ccabefea0f543ad"
 score = 75
 quality = 80
 tags = "APT29"
@@ -211415,14 +211415,14 @@ rule VOLEXITY_Trojan_Win_Cobaltstrike : COMMODITY
 meta:
 description = "The CobaltStrike malware family."
 author = "threatintel@volexity.com"
- id = "ac1fd8f3-afdd-53ce-b442-344ba138d479"
+ id = "113ba304-261f-5c59-bc56-57515c239b6d"
 date = "2021-05-25"
 modified = "2021-09-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-05-27 - Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns/indicators/yara.yar#L21-L41"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "b041efb8ba2a88a3d172f480efa098d72eef13e42af6aa5fb838e6ccab500a7c"
- logic_hash = "v1_sha256_1e8a68050ff25f77e903af2e0a85579be1af77c64684e42e8f357eee4ae59377"
+ logic_hash = "1e8a68050ff25f77e903af2e0a85579be1af77c64684e42e8f357eee4ae59377"
 score = 75
 quality = 80
 tags = "COMMODITY"
@@ -211447,14 +211447,14 @@ rule VOLEXITY_Apt_Win_Freshfire : APT29
 meta:
 description = "The FRESHFIRE malware family. The malware acts as a downloader, pulling down an encrypted snippet of code from a remote source, executing it, and deleting it from the remote server."
 author = "threatintel@volexity.com"
- id = "1ece0d8f-cd02-5a2f-ae1c-f0ceb70a3242"
+ id = "050b8e61-139a-5ff5-998a-7de67c9975bf"
 date = "2021-05-27"
 modified = "2021-09-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-05-27 - Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns/indicators/yara.yar#L43-L67"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "ad67aaa50fd60d02f1378b4155f69cffa9591eaeb80523489a2355512cc30e8c"
- logic_hash = "v1_sha256_69cd73f5812ba955c1352fb1552774d5cf49019d6b65a304fd1e33f852e678ba"
+ logic_hash = "69cd73f5812ba955c1352fb1552774d5cf49019d6b65a304fd1e33f852e678ba"
 score = 75
 quality = 80
 tags = "APT29"
@@ -211475,13 +211475,13 @@ rule VOLEXITY_Apt_Win_Bluelight_B : INKYSQUID
 meta:
 description = "North Korean origin malware which uses a custom Google App for c2 communications."
 author = "threatintel@volexity.com"
- id = "41bd1fb3-282e-56e8-956e-e833b214d4e7"
+ id = "8dc51d15-d0ca-5307-ac00-5b20e4900655"
 date = "2021-06-21"
 modified = "2021-09-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-08-17 - InkySquid Part 1/indicators/yara.yar#L1-L100"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_a6e83ca2ae15f1a7819f065449f84166da401739d091565605d62ebba3d47a50"
+ logic_hash = "a6e83ca2ae15f1a7819f065449f84166da401739d091565605d62ebba3d47a50"
 score = 75
 quality = 55
 tags = "INKYSQUID"
@@ -211573,13 +211573,13 @@ rule VOLEXITY_Apt_Win_Bluelight : INKYSQUID
 meta:
 description = "The BLUELIGHT malware family. Leverages Microsoft OneDrive for network communications."
 author = "threatintel@volexity.com"
- id = "39cae893-04e6-5fe9-96c6-b70fbcbb8201"
+ id = "3ec2d44c-4c08-514d-a839-acef3f53f7dc"
 date = "2021-04-23"
 modified = "2021-09-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-08-17 - InkySquid Part 1/indicators/yara.yar#L102-L132"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_52589348f42aadbe453ad8a40ac36b58fcc9e07cd298486f09b6f793823d8cc7"
+ logic_hash = "52589348f42aadbe453ad8a40ac36b58fcc9e07cd298486f09b6f793823d8cc7"
 score = 75
 quality = 80
 tags = "INKYSQUID"
@@ -211611,13 +211611,13 @@ rule VOLEXITY_Trojan_Win_Backwash_Cpp : XEGROUP
 meta:
 description = "CPP loader for the Backwash malware."
 author = "threatintel@volexity.com"
- id = "e76c5bbf-b35a-5ab9-91cb-ce9f9f7d86b6"
+ id = "8a1c4ff1-1827-5e6f-b838-664d8c3be840"
 date = "2021-11-17"
 modified = "2021-12-07"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-12-06 - XEGroup/indicators/yara.yar#L3-L20"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_c8ed2d3103aa85363acd7f5573aeb936a5ab5a3bacbcf1f04e6b298299f24dae"
+ logic_hash = "c8ed2d3103aa85363acd7f5573aeb936a5ab5a3bacbcf1f04e6b298299f24dae"
 score = 75
 quality = 80
 tags = "XEGROUP"
@@ -211638,13 +211638,13 @@ rule VOLEXITY_Trojan_Win_Iis_Shellsave : XEGROUP
 meta:
 description = "Detects an AutoIT backdoor designed to run on IIS servers and to install a webshell. This rule will only work against memory samples."
 author = "threatintel@volexity.com"
- id = "d56e7ca3-e4e7-5884-ae88-44bcd9501be9"
+ id = "a89defa5-4b22-5650-a0c0-f4b3cf3377a7"
 date = "2021-11-17"
 modified = "2021-12-07"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-12-06 - XEGroup/indicators/yara.yar#L22-L40"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_f34d6f4ecaa4cde5965f6b0deac55c7133a2be96f5c466f34775be6e7f730493"
+ logic_hash = "f34d6f4ecaa4cde5965f6b0deac55c7133a2be96f5c466f34775be6e7f730493"
 score = 75
 quality = 80
 tags = "XEGROUP"
@@ -211666,13 +211666,13 @@ rule VOLEXITY_Trojan_Backwash_Iis_Scout : XEGROUP
 meta:
 description = "Simple backdoor which collects information about the IIS server it is installed on. It appears to the attacker refers to this components as 'XValidate' - i.e. to validate infected machines."
 author = "threatintel@volexity.com"
- id = "7d4765fa-e633-5f96-bd68-dcda5b839644"
+ id = "1f768b39-21a0-574d-9043-5104540003f7"
 date = "2021-11-17"
 modified = "2021-12-07"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-12-06 - XEGroup/indicators/yara.yar#L42-L66"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_18c4e338905ff299d75534006037e63a8f9b191f062cc97b0592245518015f88"
+ logic_hash = "18c4e338905ff299d75534006037e63a8f9b191f062cc97b0592245518015f88"
 score = 75
 quality = 80
 tags = "XEGROUP"
@@ -211700,13 +211700,13 @@ rule VOLEXITY_Web_Js_Xeskimmer : XEGROUP
 meta:
 description = "Detects JScript code using in skimming credit card details."
 author = "threatintel@volexity.com"
- id = "9b710c3c-db02-5588-a42d-d4b54b95c913"
+ id = "2c0911cf-a679-5d4e-baad-777745a28e27"
 date = "2021-11-17"
 modified = "2021-12-07"
 reference = "https://github.com/MBThreatIntel/skimmers/blob/master/null_gif_skimmer.js"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-12-06 - XEGroup/indicators/yara.yar#L68-L97"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_cc46e9fab5f408fde13c3897d378a1a2e4acb448f40ca4935c19024ebdc252d7"
+ logic_hash = "cc46e9fab5f408fde13c3897d378a1a2e4acb448f40ca4935c19024ebdc252d7"
 score = 75
 quality = 80
 tags = "XEGROUP"
@@ -211731,14 +211731,14 @@ rule VOLEXITY_Trojan_Win_Xe_Backwash : XEGROUP FILE
 meta:
 description = "The BACKWASH malware family, which acts as a reverse shell on the victim machine."
 author = "threatintel@volexity.com"
- id = "fe39e400-d876-5b4f-91b0-387ad17965b3"
+ id = "93bbbf58-8ba2-565f-98f5-51d6f1a1ab06"
 date = "2020-09-04"
 modified = "2021-12-07"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-12-06 - XEGroup/indicators/yara.yar#L99-L129"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "815d262d38a26d5695606d03d5a1a49b9c00915ead1d8a2c04eb47846100e93f"
- logic_hash = "v1_sha256_cabe7d17017c95943b7ae9d1827b3a5cb8ed3b02506222367498a73fec8d0914"
+ logic_hash = "cabe7d17017c95943b7ae9d1827b3a5cb8ed3b02506222367498a73fec8d0914"
 score = 75
 quality = 80
 tags = "XEGROUP, FILE"
@@ -211764,14 +211764,14 @@ rule VOLEXITY_Trojan_Win_Pngexe : XEGROUP FILE
 meta:
 description = "Detects PNGEXE, a simple reverse shell loader."
 author = "threatintel@volexity.com"
- id = "c611e192-5193-5343-935c-7990fe1af08a"
+ id = "a0168176-6b2d-56ba-baaa-f011d9f5e3ad"
 date = "2020-09-04"
 modified = "2021-12-07"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-12-06 - XEGroup/indicators/yara.yar#L132-L159"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "72f7d4d3b9d2e406fa781176bd93e8deee0fb1598b67587e1928455b66b73911"
- logic_hash = "v1_sha256_05ab554eaf208ff0f5fde37b835c92e55bf0de21bd2700fdd31d81ba338cbdc7"
+ logic_hash = "05ab554eaf208ff0f5fde37b835c92e55bf0de21bd2700fdd31d81ba338cbdc7"
 score = 75
 quality = 80
 tags = "XEGROUP, FILE"
@@ -211791,14 +211791,14 @@ rule VOLEXITY_Trojan_Win_Backwash_Iis : XEGROUP
 meta:
 description = "Variant of the BACKWASH malware family with IIS worm functionality."
 author = "threatintel@volexity.com"
- id = "e5c8f95f-70b1-5d38-852f-b3f952852bc0"
+ id = "08a86a58-32af-5c82-90d2-d6603dae8d63"
 date = "2020-09-04"
 modified = "2021-12-07"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-12-06 - XEGroup/indicators/yara.yar#L161-L184"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "98e39573a3d355d7fdf3439d9418fdbf4e42c2e03051b5313d5c84f3df485627"
- logic_hash = "v1_sha256_95a7f9e0afb031b49cd0da66b5a887d26ad2e06cce625bc45739b4a80e96ce9c"
+ logic_hash = "95a7f9e0afb031b49cd0da66b5a887d26ad2e06cce625bc45739b4a80e96ce9c"
 score = 75
 quality = 80
 tags = "XEGROUP"
@@ -211822,13 +211822,13 @@ rule VOLEXITY_Apt_Rb_Rokrat_Loader : INKYSQUID
 meta:
 description = "Ruby loader seen loading the ROKRAT malware family."
 author = "threatintel@volexity.com"
- id = "2af078ec-4953-562f-961e-2af32bfe6f8a"
+ id = "69d09560-a769-55d3-a442-e37f10453cde"
 date = "2021-06-22"
 modified = "2021-09-02"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-08-24 - InkySquid Part 2/indicators/yara.yar#L1-L25"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_30ae14fd55a3ab60e791064f69377f3b9de9b871adfd055f435df657f89f8007"
+ logic_hash = "30ae14fd55a3ab60e791064f69377f3b9de9b871adfd055f435df657f89f8007"
 score = 75
 quality = 80
 tags = "INKYSQUID"
@@ -211853,13 +211853,13 @@ rule VOLEXITY_Apt_Py_Bluelight_Ldr : INKYSQUID
 meta:
 description = "Python Loader used to execute the BLUELIGHT malware family."
 author = "threatintel@volexity.com"
- id = "50c334e7-ec0c-5c96-aa49-898e50ac0481"
+ id = "f8da3e40-c3b0-5b7f-8ece-81874993d8cd"
 date = "2021-06-22"
 modified = "2021-09-02"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-08-24 - InkySquid Part 2/indicators/yara.yar#L27-L45"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_e7e18a6d648b1383706439ba923335ac4396f6b5d2a3dc8f30f63ded7df29eda"
+ logic_hash = "e7e18a6d648b1383706439ba923335ac4396f6b5d2a3dc8f30f63ded7df29eda"
 score = 75
 quality = 80
 tags = "INKYSQUID"
@@ -211881,14 +211881,14 @@ rule VOLEXITY_Apt_Win_Decrok : INKYSQUID
 meta:
 description = "The DECROK malware family, which uses the victim's hostname to decrypt and execute an embedded payload."
 author = "threatintel@volexity.com"
- id = "c93b6741-5f55-577f-af6b-ed82c8efb8a5"
+ id = "dc83843d-fd2a-52f1-82e8-8e36b135a0c5"
 date = "2021-06-23"
 modified = "2021-09-02"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-08-24 - InkySquid Part 2/indicators/yara.yar#L47-L67"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "6a452d088d60113f623b852f33f8f9acf0d4197af29781f889613fed38f57855"
- logic_hash = "v1_sha256_47fa03e95ac17ba7195858cd63b1769e5d56ab8a5edf872b345989b767050b87"
+ logic_hash = "47fa03e95ac17ba7195858cd63b1769e5d56ab8a5edf872b345989b767050b87"
 score = 75
 quality = 80
 tags = "INKYSQUID"
@@ -211908,14 +211908,14 @@ rule VOLEXITY_Apt_Win_Rokload : INKYSQUID
 meta:
 description = "A shellcode loader used to decrypt and run an embedded executable."
 author = "threatintel@volexity.com"
- id = "d2fea970-f225-55c0-944c-b13f3af6093c"
+ id = "229dbf3c-1538-5ecd-b5f8-8c9a9c81c515"
 date = "2021-06-23"
 modified = "2021-09-02"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2021/2021-08-24 - InkySquid Part 2/indicators/yara.yar#L69-L83"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "85cd5c3bb028fe6931130ccd5d0b0c535c01ce2bcda660a3b72581a1a5382904"
- logic_hash = "v1_sha256_8d65d32fd5bc055ca0e3831d3db88299e7c99f8547a170d3c53ec2c4001496a3"
+ logic_hash = "8d65d32fd5bc055ca0e3831d3db88299e7c99f8547a170d3c53ec2c4001496a3"
 score = 75
 quality = 80
 tags = "INKYSQUID"
@@ -211932,13 +211932,13 @@ rule VOLEXITY_Apt_Win_Applejeus_Oct22 : LAZARUS
 meta:
 description = "Detects AppleJeus DLL samples."
 author = "threatintel@volexity.com"
- id = "3d347d4e-df6b-55d5-8726-465ecc6b4d89"
+ id = "f88e2253-e296-57d8-a627-6cb4ccff7a92"
 date = "2022-11-03"
 modified = "2022-12-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-12-01 Buyer Beware - Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware/yara.yar#L1-L16"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_46f3325a7e8e33896862b1971f561f4871670842aecd46bcc7a5a1af869ecdc4"
+ logic_hash = "46f3325a7e8e33896862b1971f561f4871670842aecd46bcc7a5a1af869ecdc4"
 score = 75
 quality = 80
 tags = "LAZARUS"
@@ -211957,13 +211957,13 @@ rule VOLEXITY_Apt_Win_Applejeus_B_Oct22 : LAZARUS
 meta:
 description = "Detected AppleJeus unpacked samples."
 author = "threatintel@volexity.com"
- id = "1ed00d2b-4d75-512a-bc65-be49c01ddd2f"
+ id = "8586dc64-225b-5f28-a6d6-b9b6e8f1c815"
 date = "2022-11-03"
 modified = "2022-12-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-12-01 Buyer Beware - Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware/yara.yar#L18-L41"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_76f3c9692ea96d3cadbbcad03477ab6c53445935352cb215152b9b5483666d43"
+ logic_hash = "76f3c9692ea96d3cadbbcad03477ab6c53445935352cb215152b9b5483666d43"
 score = 75
 quality = 80
 tags = "LAZARUS"
@@ -211985,13 +211985,13 @@ rule VOLEXITY_Apt_Win_Applejeus_C_Oct22 : LAZARUS
 meta:
 description = "Detected AppleJeus unpacked samples."
 author = "threatintel@volexity.com"
- id = "7b70cc04-201e-5c93-8ce0-40ca5e227b54"
+ id = "6f467e0e-2932-5ba7-9fe3-0f9d28466e23"
 date = "2022-11-03"
 modified = "2022-12-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-12-01 Buyer Beware - Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware/yara.yar#L43-L63"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_566f5840ff2023f4fd8ffaa9ba1308a7012913cf587838173358b8f1fe4abca8"
+ logic_hash = "566f5840ff2023f4fd8ffaa9ba1308a7012913cf587838173358b8f1fe4abca8"
 score = 75
 quality = 80
 tags = "LAZARUS"
@@ -212015,13 +212015,13 @@ rule VOLEXITY_Apt_Win_Applejeus_D_Oct22 : LAZARUS
 meta:
 description = "Detected AppleJeus unpacked samples."
 author = "threatintel@volexity.com"
- id = "205a31e0-2476-5da1-b79b-a70b602fbd40"
+ id = "80d2821b-a437-573e-9e9d-bf79f9422cc9"
 date = "2022-11-10"
 modified = "2022-12-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-12-01 Buyer Beware - Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware/yara.yar#L65-L83"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_23c0642e5be15a75a39d089cd52f2f14d633f7af6889140b9ec6e53c5c023974"
+ logic_hash = "23c0642e5be15a75a39d089cd52f2f14d633f7af6889140b9ec6e53c5c023974"
 score = 75
 quality = 80
 tags = "LAZARUS"
@@ -212043,13 +212043,13 @@ rule VOLEXITY_Cf_Office_Win_Macro_Lazarus_Jeus_B : LAZARUS
 meta:
 description = "Detects macros used by the Lazarus threat actor to distribute AppleJeus."
 author = "threatintel@volexity.com"
- id = "83dac501-9491-5834-b61f-f138f6c9f061"
+ id = "ac4d4e82-e29f-5134-999d-b8dcef59d285"
 date = "2022-11-03"
 modified = "2022-12-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-12-01 Buyer Beware - Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware/yara.yar#L85-L104"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_e55199e6ad26894f98e930cd4716127ee868872d08ada1c44675e4db1ec27894"
+ logic_hash = "e55199e6ad26894f98e930cd4716127ee868872d08ada1c44675e4db1ec27894"
 score = 75
 quality = 80
 tags = "LAZARUS"
@@ -212072,13 +212072,13 @@ rule VOLEXITY_Cf_Office_Win_Macro_Lazarus_Jeus : LAZARUS
 meta:
 description = "Detects malicious documents used by Lazarus in a campaign dropping the AppleJeus malware."
 author = "threatintel@volexity.com"
- id = "0ecf31f8-a15e-53d5-bebb-4592fcabd303"
+ id = "03d41314-c19f-566f-9571-48915a292433"
 date = "2022-11-02"
 modified = "2022-12-01"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-12-01 Buyer Beware - Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware/yara.yar#L106-L124"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_8e5a9042ec1ddaf4da511743434461c9865f259c30a9b02c28475b3a59fe4fc1"
+ logic_hash = "8e5a9042ec1ddaf4da511743434461c9865f259c30a9b02c28475b3a59fe4fc1"
 score = 75
 quality = 80
 tags = "LAZARUS"
@@ -212100,13 +212100,13 @@ rule VOLEXITY_Webshell_Jsp_Converge : WEBSHELL
 meta:
 description = "File upload webshell observed in incident involving compromise of Confluence server."
 author = "threatintel@volexity.com"
- id = "7326e963-8325-5c46-a10e-2cbae5e767bb"
+ id = "2a74678e-cb00-567c-a2e0-2e095f3e5ee8"
 date = "2022-06-01"
 modified = "2022-06-06"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-02 Active Exploitation Of Confluence 0-day/indicators/yara.yar#L1-L15"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_bb48516342eddd48c35e6db0eb74f95e116dc723503552b99ba721b5bdb391e5"
+ logic_hash = "bb48516342eddd48c35e6db0eb74f95e116dc723503552b99ba721b5bdb391e5"
 score = 75
 quality = 80
 tags = "WEBSHELL"
@@ -212124,13 +212124,13 @@ rule VOLEXITY_General_Jsp_Possible_Tiny_Fileuploader : GENERAL WEBSHELLS FILE
 meta:
 description = "Detects small .jsp files which have possible file upload utility."
 author = "threatintel@volexity.com"
- id = "bc5e30fe-1bb1-54d9-bac9-166bf90a8818"
+ id = "d111aab3-af6e-59cb-a445-ebd4a454fb9a"
 date = "2022-06-01"
 modified = "2022-06-06"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-02 Active Exploitation Of Confluence 0-day/indicators/yara.yar#L17-L50"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_bad62e6fd33ffb0d8551302fd7f85528066992c272b670d44a33b5b2eb174886"
+ logic_hash = "bad62e6fd33ffb0d8551302fd7f85528066992c272b670d44a33b5b2eb174886"
 score = 75
 quality = 80
 tags = "GENERAL, WEBSHELLS, FILE"
@@ -212154,13 +212154,13 @@ rule VOLEXITY_Webshell_Java_Realcmd : COMMODITY WEBSHELLS
 meta:
 description = "Detects the RealCMD webshell, one of the payloads for BEHINDER."
 author = "threatintel@volexity.com"
- id = "88c8a1fb-f07e-5588-9de7-51eaef23cb2e"
+ id = "d5e7e3c8-a0aa-5c2e-8a2d-654e066593eb"
 date = "2022-06-01"
 modified = "2022-06-06"
 reference = "https://github.com/Freakboy/Behinder/blob/master/src/main/java/vip/youwe/sheller/payload/java/RealCMD.java"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-02 Active Exploitation Of Confluence 0-day/indicators/yara.yar#L52-L79"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
- logic_hash = "v1_sha256_244add844570b23e5df23882a3fdacf894f3e201b01373d949b0752361960536"
+ logic_hash = "244add844570b23e5df23882a3fdacf894f3e201b01373d949b0752361960536"
 score = 75
 quality = 80
 tags = "COMMODITY, WEBSHELLS"
@@ -212188,13 +212188,13 @@ rule VOLEXITY_Webshell_Java_Behinder_Shellservice : WEBSHELLS COMMODITY
 meta:
 description = "Looks for artifacts generated (generally seen in .class files) related to the Behinder framework."
 author = "threatintel@volexity.com" 
- id = "0e670637-9cab-5f18-9303-72b9d1dd3d28" 
+ id = "21c1e3e9-d048-5c60-9c21-8e54b27f359a"
 date = "2022-03-18"
 modified = "2022-07-28"
 reference = "https://github.com/MountCloud/BehinderClientSource/blob/master/src/main/java/net/rebeyond/behinder/core/ShellService.java"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L1-L23"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_373a8d4ef81e9bbbf1f24ebf0389e7da4b73f88786cc8e1d286ccc9f4c36debc" 
+ logic_hash = "373a8d4ef81e9bbbf1f24ebf0389e7da4b73f88786cc8e1d286ccc9f4c36debc"
 score = 75
 quality = 30
 tags = "WEBSHELLS, COMMODITY" 
@@ -212219,13 +212219,13 @@ rule VOLEXITY_General_Java_Encoding_And_Classloader : WEBSHELLS GENERAL FILE
 meta:
 description = "Identifies suspicious java-based files which have all the ingredients required for a webshell."
 author = "threatintel@volexity.com" 
- id = "a537237b-0237-5e5f-994c-4f3136aa7491" 
+ id = "7de5449d-de70-5153-b1b1-8a995ac8b7a0"
 date = "2022-04-07"
 modified = "2022-07-28"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L25-L43"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_21c226b03451eb98a8be5b26a9f00169f16454ecd21d4131c9991b63d2e3c8cd" 
+ logic_hash = "21c226b03451eb98a8be5b26a9f00169f16454ecd21d4131c9991b63d2e3c8cd"
 score = 65
 quality = 80
 tags = "WEBSHELLS, GENERAL, FILE" 
@@ -212246,13 +212246,13 @@ rule VOLEXITY_Webshell_Php_Str_Replace_Create_Func : WEBSHELLS GENERAL FILE
 meta:
 description = "Looks for obfuscated PHP shells where create_function() is obfuscated using str_replace and then called using no arguments."
 author = "threatintel@volexity.com" 
- id = "a84da6e4-2f6e-52ff-8065-387ba4ce8779" 
+ id = "e0a5965c-54c3-5699-a45b-58f7152574dd"
 date = "2022-04-04"
 modified = "2022-07-28"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L45-L73"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_6a9ded1f1a8e4b8ae5f3db06f71bec6e9f62b6126b7444408d6319a35ed23827" 
+ logic_hash = "6a9ded1f1a8e4b8ae5f3db06f71bec6e9f62b6126b7444408d6319a35ed23827"
 score = 75
 quality = 80
 tags = "WEBSHELLS, GENERAL, FILE" 
@@ -212266,20 +212266,20 @@ rule VOLEXITY_Webshell_Php_Str_Replace_Create_Func : WEBSHELLS GENERAL FILE
 $anon_func = "(''," ascii
 condition: 
- filesize < 100KB and $php at 0 and for any i in ( 1 .. #s ) : ( for any j in ( 1 .. #anon_func ) : ( uint16be( @s [ i ] - 2 ) == uint16be( @anon_func [ j ] - 2 ) ) ) 
+ filesize < 100KB and $php at 0 and for any i in ( 1 .. #s ) : ( for any j in ( 1 .. #anon_func ) : ( uint16be( @s [ i ] -2 ) == uint16be( @anon_func [ j ] -2 ) ) )
 }
 rule VOLEXITY_Trojan_Golang_Pantegana : COMMODITY
 {
 meta:
 description = "Detects PANTEGANA, a Golang backdoor used by a range of threat actors due to its public availability."
 author = "threatintel@volexity.com" 
- id = "93c2e655-4adb-5139-ad6c-f4dfb95e36ed" 
+ id = "b6154165-68e0-5986-a0cf-5631d369c230"
 date = "2022-03-30"
 modified = "2022-07-28"
 reference = "https://github.com/elleven11/pantegana"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L75-L99"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_791a664a6b4b98051cbfacb451099de085cbab74d73771709377ab68a5a23d2b" 
+ logic_hash = "791a664a6b4b98051cbfacb451099de085cbab74d73771709377ab68a5a23d2b"
 score = 75
 quality = 80
 tags = "COMMODITY" 
@@ -212304,13 +212304,13 @@ rule VOLEXITY_Trojan_Any_Pupyrat_B : COMMODITY
 meta:
 description = "Detects the PUPYRAT malware family, a cross-platform RAT written in Python."
 author = "threatintel@volexity.com" 
- id = "ea804f71-cae2-5053-9565-884144a08f20" 
+ id = "1da1e5ba-cf00-5935-b3d1-0ff2713b7e34"
 date = "2022-04-07"
 modified = "2022-07-28"
 reference = "https://github.com/n1nj4sec/pupy"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L101-L134"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_65eebfea2338deed682693f048a88d46ea4621177acb77c0642583b0dc35c818" 
+ logic_hash = "65eebfea2338deed682693f048a88d46ea4621177acb77c0642583b0dc35c818"
 score = 75
 quality = 80
 tags = "COMMODITY" 
@@ -212341,13 +212341,13 @@ rule VOLEXITY_General_Php_Fileinput_Eval : WEBSHELLS GENERAL
 meta:
 description = "Look for PHP files which use file_get_contents and then shortly afterwards use an eval statement."
 author = "threatintel@volexity.com" 
- id = "8321e50a-4f4b-5dd1-9491-7d7405da81f0" 
+ id = "c00d8fee-f667-5979-ad2a-dbb762544c2f"
 date = "2021-06-16"
 modified = "2022-07-28"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L136-L152"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_c61f0ee13007e398f45711354a1ca948f7f34893c9bcbdf845be932b63bd746d" 
+ logic_hash = "c61f0ee13007e398f45711354a1ca948f7f34893c9bcbdf845be932b63bd746d"
 score = 75
 quality = 80
 tags = "WEBSHELLS, GENERAL" 
@@ -212367,13 +212367,13 @@ rule VOLEXITY_General_Php_Call_User_Func : GENERAL WEBSHELLS
 meta:
 description = "Webshells using call_user_func against an object from a file input or POST variable."
 author = "threatintel@volexity.com" 
- id = "2ec09628-c2c1-547e-afb5-9d62df9b6de5" 
+ id = "48c7857e-7dda-5e3f-b82c-7d34c251f083"
 date = "2021-06-16"
 modified = "2022-07-28"
 reference = "https://zhuanlan.zhihu.com/p/354906657"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L154-L170"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_46c999da97682023861e58f9cd2c8651480db990a0361c1985c6d5c35b5bf0ea" 
+ logic_hash = "46c999da97682023861e58f9cd2c8651480db990a0361c1985c6d5c35b5bf0ea"
 score = 75
 quality = 80
 tags = "GENERAL, WEBSHELLS" 
@@ -212392,13 +212392,13 @@ rule VOLEXITY_Webshell_Php_Icescorpion : COMMODITY WEBSHELL FILE
 meta:
 description = "Detects the IceScorpion webshell."
 author = "threatintel@volexity.com" 
- id = "f3895b69-ddc4-5532-9c01-101c375e53a5" 
+ id = "dd165d67-375e-5d51-825a-45241345e268"
 date = "2022-01-17"
 modified = "2022-07-28"
 reference = "https://www.codenong.com/cs106064226/"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-06-15 DriftingCloud - Zero-Day Sophos Firewall Exploitation and an Insidious Breach/indicators/yara.yar#L172-L190"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_0c75ec7cbbfdba8ce5f71a83d78caf19366954b84f304c1864e68bbe11a9a2df" 
+ logic_hash = "0c75ec7cbbfdba8ce5f71a83d78caf19366954b84f304c1864e68bbe11a9a2df"
 score = 75
 quality = 80
 tags = "COMMODITY, WEBSHELL, FILE" 
@@ -212418,13 +212418,13 @@ rule VOLEXITY_Apt_Macos_Gimmick : STORMCLOUD
 meta:
 description = "Detects the macOS port of the GIMMICK malware."
 author = "threatintel@volexity.com" 
- id = "d7349922-1d22-5e9b-ac72-0747408891b2" 
+ id = "258a2bbe-7822-5f74-b4eb-8776ecb15b76"
 date = "2021-10-18"
 modified = "2022-03-22"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-03-22 GIMMICK/indicators/yara.yar#L1-L50"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_403ed1102fe5a99c0aacde02e0830f9c4fa194f10aec4a192f4abf6cde0de99d" 
+ logic_hash = "403ed1102fe5a99c0aacde02e0830f9c4fa194f10aec4a192f4abf6cde0de99d"
 score = 75
 quality = 78
 tags = "STORMCLOUD" 
@@ -212470,13 +212470,13 @@ rule VOLEXITY_Apt_Win_Gimmick_Dotnet_Base : STORMCLOUD
 meta:
 description = "Detects the base version of GIMMICK in .NET."
 author = "threatintel@volexity.com" 
- id = "aec300e7-e67d-518a-8543-09a6252ea32d" 
+ id = "8723253f-ad11-509e-a9b4-f2c3258f9b5c"
 date = "2020-03-16"
 modified = "2022-03-22"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-03-22 GIMMICK/indicators/yara.yar#L52-L76"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_0dd2aab308b7057d3075c792339af89d7ff9d617f1beb78ecdb725554defa5dc" 
+ logic_hash = "0dd2aab308b7057d3075c792339af89d7ff9d617f1beb78ecdb725554defa5dc"
 score = 75
 quality = 80
 tags = "STORMCLOUD" 
@@ -212502,13 +212502,13 @@ rule VOLEXITY_Apt_Js_Sharpext : SHARPTONGUE
 meta:
 description = "A malicious Chrome browser extention used by the SharpTongue threat actor to steal mail data from a victim."
 author = "threatintel@volexity.com" 
- id = "a7c37fc9-52b3-5bfb-b1a6-efd19dab9cb8" 
+ id = "61b5176a-ff73-5fce-bc70-c9e09bb5afed"
 date = "2021-09-14"
 modified = "2022-07-28"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-07-28 SharpTongue SharpTongue Deploys Clever Mail-Stealing Browser Extension SHARPEXT/yara.yar#L1-L47"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_0ed58c8646582ee36aeac650fac02d1e4962d45c0f6a24783c021d9267bed192" 
+ logic_hash = "0ed58c8646582ee36aeac650fac02d1e4962d45c0f6a24783c021d9267bed192"
 score = 75
 quality = 80
 tags = "SHARPTONGUE" 
@@ -212547,13 +212547,13 @@ rule VOLEXITY_Webshell_Jsp_Godzilla : WEBSHELLS COMMODITY
 meta:
 description = "Detects the JSP implementation of the Godzilla Webshell."
 author = "threatintel@volexity.com" 
- id = "03b6d2b2-b27b-5ba2-89b9-ef129487311b" 
+ id = "47c8eab8-84d7-5566-b757-5a6dcc7579b7"
 date = "2021-11-08"
 modified = "2022-08-10"
 reference = "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-08-10 Mass exploitation of (Un)authenticated Zimbra RCE CVE-2022-27925/yara.yar#L1-L28"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_52cba9545f662da18ca6e07340d7a9be637b89e7ed702dd58cac545c702a00e3" 
+ logic_hash = "52cba9545f662da18ca6e07340d7a9be637b89e7ed702dd58cac545c702a00e3"
 score = 75
 quality = 80
 tags = "WEBSHELLS, COMMODITY" 
@@ -212578,13 +212578,13 @@ rule VOLEXITY_Webshell_Jsp_General_Runtime_Exec_Req : GENERAL WEBSHELLS
 meta:
 description = "Looks for a common design pattern in webshells where a request attribute is passed directly to exec()."
 author = "threatintel@volexity.com" 
- id = "9f1630f5-913d-58d0-a2e4-b34b62594f16" 
+ id = "7f1539bd-a2f0-50dd-b500-ada4e0971d13"
 date = "2022-02-02"
 modified = "2022-08-10"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-08-10 Mass exploitation of (Un)authenticated Zimbra RCE CVE-2022-27925/yara.yar#L30-L45"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_d3048aba80c1c39f1673931cd2d7c5ed83045603b0ad204073fd788d0103a6c8" 
+ logic_hash = "d3048aba80c1c39f1673931cd2d7c5ed83045603b0ad204073fd788d0103a6c8"
 score = 75
 quality = 80
 tags = "GENERAL, WEBSHELLS" 
@@ -212603,13 +212603,13 @@ rule VOLEXITY_Webshell_Jsp_Regeorg : WEBSHELL COMMODITY
 meta:
 description = "Detects the reGeorg webshells' JSP version."
 author = "threatintel@volexity.com" 
- id = "394e968b-7b62-5ce4-9eca-3650c32371f1" 
+ id = "205ee383-4298-5469-a509-4ce3eaf9dd0e"
 date = "2022-03-08"
 modified = "2022-08-10"
 reference = "https://github.com/SecWiki/WebShell-2/blob/master/reGeorg-master/tunnel.jsp"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2022/2022-08-10 Mass exploitation of (Un)authenticated Zimbra RCE CVE-2022-27925/yara.yar#L47-L70"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_cecb71605d9112d509823c26e40e1cf9cd6db581db448db5c9ffc63a2bfe529e" 
+ logic_hash = "cecb71605d9112d509823c26e40e1cf9cd6db581db448db5c9ffc63a2bfe529e"
 score = 75
 quality = 80
 tags = "WEBSHELL, COMMODITY" 
@@ -212628,18 +212628,204 @@ rule VOLEXITY_Webshell_Jsp_Regeorg : WEBSHELL COMMODITY
 condition:
 $magic or all of ( $a* )
 } 
+rule VOLEXITY_Apt_Ico_Uta0040_B64_C2 : UTA0040 FILE 
+{ 
+ meta: 
+ description = "Detection of malicious ICO files used in 3CX compromise." 
+ author = "threatintel@volexity.com" 
+ id = "1efb6376-a362-5f03-b4d3-08cd7d634de6" 
+ date = "2023-03-30" 
+ modified = "2023-03-30" 
+ reference = "https://github.com/volexity/threat-intel" 
+ source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30 3CX/indicators/rules.yar#L1-L31" 
+ license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
+ logic_hash = "2667a36ce151c6e964f9ce9a6f587eedbffdd6ec76e451a23c5cfdd08248d15e" 
+ score = 75 
+ quality = 80 
+ tags = "UTA0040, FILE" 
+ hash1 = "a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c" 
+ memory_suitable = 0 
+ license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" 
+ 
+ strings: 
+ $IEND_dollar = {49 45 4e 44 ae 42 60 82 24} 
+ $IEND_nodollar = {49 45 4e 44 ae 42 60 82 } 
+ 
+ condition: 
+ uint16be( 0 ) == 0x0000 and filesize < 120KB and ( $IEND_dollar in ( filesize -500 .. filesize ) and not $IEND_nodollar in ( filesize -20 .. filesize ) and for any k in ( 1 .. #IEND_dollar ) : ( for all i in ( 1 .. 4 ) : ( uint8( @IEND_dollar [ k ] + !IEND_dollar [ k ] + i ) < 123 and uint8( @IEND_dollar [ k ] + !IEND_dollar [ k ] + i ) > 47 ) ) ) 
+} 
+rule VOLEXITY_Apt_Mac_Iconic : UTA0040 
+{ 
+ meta: 
+ description = "Detects the MACOS version of the ICONIC loader." 
+ author = "threatintel@volexity.com" 
+ id = "6d702ed3-e5b9-5324-a06b-507c9231cc00" 
+ date = "2023-03-30" 
+ modified = "2023-03-30" 
+ reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" 
+ source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30 3CX/indicators/rules.yar#L32-L50" 
+ license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
+ logic_hash = "7b689c3931632b01869ac2f21a1edca0a5ca9007299fe7cd16962d6866c27558" 
+ score = 75 
+ quality = 80 
+ tags = "UTA0040" 
+ hash1 = "a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67" 
+ memory_suitable = 1 
+ license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" 
+ 
+ strings: 
+ $str1 = "3CX Desktop App" xor(0x01-0xff) 
+ $str2 = "__tutma=" xor(0x01-0xff) 
+ $str3 = "Mozilla/5.0" xor(0x01-0xff) 
+ 
+ condition: 
+ all of them 
+} 
+rule VOLEXITY_Apt_Win_Iconicstealer : UTA0040 
+{ 
+ meta: 
+ description = "Detect the ICONICSTEALER malware family." 
+ author = "threatintel@volexity.com" 
+ id = "d7896506-6ce5-59b1-b24a-87ffdb2a5174" 
+ date = "2023-03-30" 
+ modified = "2023-03-30" 
+ reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" 
+ source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30 3CX/indicators/rules.yar#L51-L69" 
+ license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
+ logic_hash = "ed7731d2361e7d96a6a35f8359b61a2af049b16bc457cf870db8831e142aebe2" 
+ score = 75 
+ quality = 80 
+ tags = "UTA0040" 
+ hash1 = "8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423" 
+ memory_suitable = 1 
+ license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" 
+ 
+ strings: 
+ $str1 = "\\3CXDesktopApp\\config.json" wide 
+ $str2 = "url, title FROM urls" wide 
+ $str3 = "url, title FROM moz_places" wide 
+ 
+ condition: 
+ all of them 
+} 
+rule VOLEXITY_Apt_Win_Iconic : UTA0040 
+{ 
+ meta: 
+ description = "Detect the ICONIC loader." 
+ author = "threatintel@volexity.com" 
+ id = "e7d6fcc0-c830-5236-90fb-182c66873903" 
+ date = "2023-03-30" 
+ modified = "2023-03-30" 
+ reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" 
+ source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30 3CX/indicators/rules.yar#L70-L93" 
+ license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
+ logic_hash = "b62b1543c9af3afb8fc885f313e1a5d2fcb688657e3807cce72b31b56381681e" 
+ score = 75 
+ quality = 55 
+ tags = "UTA0040" 
+ hash1 = "f79c3b0adb6ec7bcc8bc9ae955a1571aaed6755a28c8b17b1d7595ee86840952" 
+ memory_suitable = 1 
+ license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" 
+ 
+ strings: 
+ $internal_name = "samcli.dll" 
+ $str1 = "gzip, deflate, br" 
+ $str2 = "__tutma" 
+ $str3 = "__tutmc" 
+ $str4 = "ChainingModeGCM" wide 
+ $str5 = "ChainingMode" wide 
+ $str6 = "icon%d.ico" wide 
+ 
+ condition: 
+ all of them 
+} 
+rule VOLEXITY_Apt_Win_3Cx_Backdoored_Lib : UTA0040 
+{ 
+ meta: 
+ description = "Detects the malicious library delivered in the backdoored 3CX installer." 
+ author = "threatintel@volexity.com" 
+ id = "39270b93-830e-598f-a38e-fcc5050e4d30" 
+ date = "2023-03-30" 
+ modified = "2023-03-30" 
+ reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" 
+ source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30 3CX/indicators/rules.yar#L94-L133" 
+ license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
+ logic_hash = "40be2d46a318ff03724ea1f6628d78001c14c85a3ae6d032c0324ea849d707f2" 
+ score = 75 
+ quality = 80 
+ tags = "UTA0040" 
+ hash1 = "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896" 
+ memory_suitable = 1 
+ license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" 
+ 
+ strings: 
+ $shellcode = { 
+ 44 8D 4A ?? 
+ 44 8D 92 ?? ?? ?? ?? 
+ 45 85 C9 
+ 45 0F 49 D1 
+ 41 81 E2 00 FF FF FF 
+ 41 F7 DA 
+ 44 01 D2 
+ FF C2 
+ 4C 63 CA 
+ 46 8A 94 0C ?? ?? ?? ?? 
+ 45 00 D0 
+ 45 0F B6 D8 
+ 42 8A AC 1C ?? ?? ?? ?? 
+ 46 88 94 1C ?? ?? ?? ?? 
+ 42 88 AC 0C ?? ?? ?? ?? 
+ 42 02 AC 1C ?? ?? ?? ?? 
+ 44 0F B6 CD 
+ 46 8A 8C 0C ?? ?? ?? ?? 
+ 45 30 0C 0E 
+ 48 FF C1 
+ 48 39 C8 
+ 75 ?? 
+ } 
+ 
+ condition: 
+ all of them 
+} 
+rule VOLEXITY_Informational_Win_3Cx_Msi : UTA0040 
+{ 
+ meta: 
+ description = "Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time." 
+ author = "threatintel@volexity.com" 
+ id = "ac26e7b1-61eb-5074-bcda-46d714bdba4c" 
+ date = "2023-03-30" 
+ modified = "2023-03-30" 
+ reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/" 
+ source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-30 3CX/indicators/rules.yar#L134-L152" 
+ license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
+ logic_hash = "c04de2653ef587f27c7ebf058c6f6c345e16b67f36ccc4306bc49f8c4394728e" 
+ score = 75 
+ quality = 80 
+ tags = "UTA0040" 
+ hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868" 
+ memory_suitable = 0 
+ license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" 
+ 
+ strings: 
+ $cert = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 } 
+ $app = "3CXDesktopApp.exe" 
+ $data = "202303" 
+ 
+ condition: 
+ all of them 
+}
 rule VOLEXITY_Apt_Win_Powerstar_Persistence_Batch : CHARMINGKITTEN
 {
 meta:
 description = "Detects the batch script used to persist PowerStar via Startup."
 author = "threatintel@volexity.com" 
- id = "3ff93719-056a-50f6-aeeb-9fa08390c775" 
+ id = "f3ed7b46-d80d-55b1-b6c7-6ea6569f199c"
 date = "2023-05-16"
 modified = "2023-09-20"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-06-28 POWERSTAR/indicators/rules.yar#L1-L19"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_9c3a45b759516959eae1cdf8e73bf540b682c90359a6232aa4782a8d1fe15b7d" 
+ logic_hash = "9c3a45b759516959eae1cdf8e73bf540b682c90359a6232aa4782a8d1fe15b7d"
 score = 75
 quality = 80
 tags = "CHARMINGKITTEN" 
@@ -212662,13 +212848,13 @@ rule VOLEXITY_Apt_Win_Powerstar_Memonly : CHARMINGKITTEN
 meta:
 description = "Detects the initial stage of the memory only variant of PowerStar."
 author = "threatintel@volexity.com" 
- id = "8b4a33be-8070-5255-9707-73408500bd1b" 
+ id = "469fc433-da9e-55ed-99fb-9560ec86a179"
 date = "2023-05-16"
 modified = "2023-09-20"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-06-28 POWERSTAR/indicators/rules.yar#L20-L65"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_d790ff204e4e8adeb3e887d9ebce743e958b523c48317d017487b1b0c6aebc11" 
+ logic_hash = "d790ff204e4e8adeb3e887d9ebce743e958b523c48317d017487b1b0c6aebc11"
 score = 75
 quality = 78
 tags = "CHARMINGKITTEN" 
@@ -212713,13 +212899,13 @@ rule VOLEXITY_Apt_Win_Powerstar_Logmessage : CHARMINGKITTEN
 meta:
 description = "Detects interesting log message embedded in memory only version of PowerStar."
 author = "threatintel@volexity.com" 
- id = "99d76c75-e494-5aa6-bb96-a12b4b7af94e" 
+ id = "5979c776-5138-50e2-adab-0793ad86ba76"
 date = "2023-05-16"
 modified = "2023-09-20"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-06-28 POWERSTAR/indicators/rules.yar#L66-L79"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_539c9a8b3de24f2c8058d204900344756a8031822ebebc312612b8fb8422e341" 
+ logic_hash = "539c9a8b3de24f2c8058d204900344756a8031822ebebc312612b8fb8422e341"
 score = 75
 quality = 80
 tags = "CHARMINGKITTEN" 
@@ -212737,13 +212923,13 @@ rule VOLEXITY_Apt_Win_Powerstar_Lnk : CHARMINGKITTEN
 meta:
 description = "Detects LNK command line used to install PowerStar."
 author = "threatintel@volexity.com" 
- id = "a18db3b5-56b6-57b5-85fb-4098e630bc46" 
+ id = "33f16283-69b9-5109-b723-3ddc8abb8c41"
 date = "2023-05-16"
 modified = "2023-09-20"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-06-28 POWERSTAR/indicators/rules.yar#L80-L97"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_da53aeaf69e80f697068779f4741b8c23cff82dd1bfb0640916a1bcc98c4892f" 
+ logic_hash = "da53aeaf69e80f697068779f4741b8c23cff82dd1bfb0640916a1bcc98c4892f"
 score = 75
 quality = 80
 tags = "CHARMINGKITTEN" 
@@ -212764,13 +212950,13 @@ rule VOLEXITY_Apt_Win_Powerstar_Decrypt_Function : CHARMINGKITTEN
 meta:
 description = "Detects PowerStar decrypt function, potentially downloaded standalone and then injected."
 author = "threatintel@volexity.com" 
- id = "67c7675d-dee9-5a64-9e7f-892044993d12" 
+ id = "1fbc2689-8169-53b1-b581-c41ab2b3a16f"
 date = "2023-05-16"
 modified = "2023-09-20"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-06-28 POWERSTAR/indicators/rules.yar#L98-L121"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_d022e363464488836a1c161f2b9c7463ac91ae6f60f14dfd574189233201c9aa" 
+ logic_hash = "d022e363464488836a1c161f2b9c7463ac91ae6f60f14dfd574189233201c9aa"
 score = 75
 quality = 80
 tags = "CHARMINGKITTEN" 
@@ -212795,13 +212981,13 @@ rule VOLEXITY_Apt_Win_Powerstar : CHARMINGKITTEN
 meta:
 description = "Custom PowerShell backdoor used by Charming Kitten."
 author = "threatintel@volexity.com" 
- id = "5287876f-fe6b-5746-8948-dead5dc5ba19" 
+ id = "febcd23b-6545-571b-905d-18dffe8e913f"
 date = "2021-10-13"
 modified = "2023-09-20"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-06-28 POWERSTAR/indicators/rules.yar#L122-L150"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_2cbf59eaee60a8f84b1ac35cec3b01592a2a0f56c92a2db218bb26a15be24bf3" 
+ logic_hash = "2cbf59eaee60a8f84b1ac35cec3b01592a2a0f56c92a2db218bb26a15be24bf3"
 score = 75
 quality = 80
 tags = "CHARMINGKITTEN" 
@@ -212827,14 +213013,14 @@ rule VOLEXITY_Apt_Win_Avburner : SNAKECHARMER
 meta:
 description = "Detects AVBurner based on a combination of API calls used, hard-coded strings and bytecode patterns."
 author = "threatintel@volexity.com" 
- id = "c242d5b9-2c3f-558d-90dc-df3f88bd4da6" 
+ id = "1bde0861-4820-5bb1-98a3-516092c91be0"
 date = "2023-01-02"
 modified = "2023-03-07"
 reference = "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-03-07 AVBurner/yara.yar#L1-L36"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt"
 hash = "4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb" 
- logic_hash = "v1_sha256_56ff6c8a4b737959a1219699a0457de1f0c34fead4299033840fb23c56a0caad" 
+ logic_hash = "56ff6c8a4b737959a1219699a0457de1f0c34fead4299033840fb23c56a0caad"
 score = 75
 quality = 80
 tags = "SNAKECHARMER" 
@@ -212865,13 +213051,13 @@ rule VOLEXITY_Apt_Malware_Apk_Badbazaar_Common_Certificate : EVILBAMBOO FILE
 meta:
 description = "Detection of the common.cer file used for a large BADBAZAAR malware cluster for its certificate pinning for the C2 communication."
 author = "threatintel@volexity.com" 
- id = "0d45d971-6601-58c3-8bac-f7c69d9edf68" 
+ id = "5a033770-7ad3-5c79-90ac-b1e3fff6b5f0"
 date = "2023-06-01"
 modified = "2023-06-13"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-09-22 EvilBamboo/indicators/rules.yar#L230-L255"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_861d4e1c40847c6ade04eddb047370d645afea6d5c16d55155fa58a16111c39e" 
+ logic_hash = "861d4e1c40847c6ade04eddb047370d645afea6d5c16d55155fa58a16111c39e"
 score = 75
 quality = 80
 tags = "EVILBAMBOO, FILE" 
@@ -212897,13 +213083,13 @@ rule VOLEXITY_Apt_Malware_Apk_Badbazaar_Stage2_Implant_May23 : EVILBAMBOO FILE
 meta:
 description = "Detection of the second stage capability of the BadBazaar android malware that has the main malicious capabilities. Will gather various info about the user/phone and routinely send this to the C2."
 author = "threatintel@volexity.com" 
- id = "82a64a7c-c78d-5b8d-b884-57ff2f15f1e9" 
+ id = "1f97c610-773f-5385-935a-445cb9192157"
 date = "2023-05-25"
 modified = "2023-08-30"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-09-22 EvilBamboo/indicators/rules.yar#L257-L285"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_2186369298ebfa0b892ecb14ebacc93c6d14c9c35012e8e6cdff077634cf3773" 
+ logic_hash = "2186369298ebfa0b892ecb14ebacc93c6d14c9c35012e8e6cdff077634cf3773"
 score = 75
 quality = 80
 tags = "EVILBAMBOO, FILE" 
@@ -212932,13 +213118,13 @@ rule VOLEXITY_Apt_Delivery_Web_Js_Jmask_Str_Array_Variant : EVILBAMBOO FILE
 meta:
 description = "Detects the JMASK profiling script in an obfuscated format using a string array and an offset."
 author = "threatintel@volexity.com" 
- id = "c00dfddc-06f0-51ff-9051-9a9d049960f8" 
+ id = "d5d32c8b-53fb-5103-ac73-05f320e71c97"
 date = "2023-06-27"
 modified = "2023-09-21"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-09-22 EvilBamboo/indicators/rules.yar#L408-L444"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_0ae7c96e0f866f21d66d7a23bf937d6ce48c9dd1ea19142dbb13487208780146" 
+ logic_hash = "0ae7c96e0f866f21d66d7a23bf937d6ce48c9dd1ea19142dbb13487208780146"
 score = 75
 quality = 80
 tags = "EVILBAMBOO, FILE" 
@@ -212973,13 +213159,13 @@ rule VOLEXITY_Apt_Delivery_Web_Js_Jmask : EVILBAMBOO FILE
 meta:
 description = "Detects the JMASK profiling script in its minified // obfuscated format."
 author = "threatintel@volexity.com" 
- id = "2943c798-2eeb-5108-9390-e42b7cd79d7b" 
+ id = "a7b653e1-f7c6-56cc-ab99-3de91d29ef3b"
 date = "2023-06-15"
 modified = "2023-09-21"
 reference = "https://github.com/volexity/threat-intel"
 source_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/2023/2023-09-22 EvilBamboo/indicators/rules.yar#L446-L472"
 license_url = "https://github.com/volexity/threat-intel/blob/b2dd39c31efbb1ed004fb25faaace7d5caf2f424/LICENSE.txt" 
- logic_hash = "v1_sha256_64315ac05049954d36297a616a25ffdd7ce81c6313c0878d5ba4082da24c21bb" 
+ logic_hash = "64315ac05049954d36297a616a25ffdd7ce81c6313c0878d5ba4082da24c21bb"
 score = 75
 quality = 80
 tags = "EVILBAMBOO, FILE" 
@@ -213004,7 +213190,7 @@ rule VOLEXITY_Apt_Delivery_Web_Js_Jmask : EVILBAMBOO FILE
 * YARA Rule Set
 * Repository Name: JPCERTCC
 * Repository: https://github.com/JPCERTCC/MalConfScan/ 
- * Retrieval Date: 2024-12-22 
+ * Retrieval Date: 2024-12-23
 * Git Commit: 19ec0d145535a6a4cfd37c0960114f455a8c343e
 * Number of Rules: 30
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance) 
@@ -213039,13 +213225,13 @@ rule JPCERTCC_Tscookie_1
 meta:
 description = "detect TSCookie in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "792e39d1-2f21-5b98-840a-2f0c96f99772"
+ id = "5407a5c9-2fc5-5b9b-977f-81384a343d15"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L8-L21"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_71e51ceb51cff25abefd698ce33f32388cc28ad5936f30fbbb9925d9af79ad85"
+ logic_hash = "71e51ceb51cff25abefd698ce33f32388cc28ad5936f30fbbb9925d9af79ad85"
 score = 75
 quality = 80
 tags = ""
@@ -213064,13 +213250,13 @@ rule JPCERTCC_TSC_Loader
 meta:
 description = "detect TSCookie Loader in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "ebb5027d-8f28-5975-a84a-00b4f5bbd3f4"
+ id = "378cc8a3-6a76-50d1-b1d2-1a6ca1a75a46"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L23-L35"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_c825253ba897f0f7310162d0473e645dc40b421e9251977384cca2fdc735f7a8"
+ logic_hash = "c825253ba897f0f7310162d0473e645dc40b421e9251977384cca2fdc735f7a8"
 score = 75
 quality = 80
 tags = ""
@@ -213088,13 +213274,13 @@ rule JPCERTCC_Redleaves
 meta:
 description = "detect RedLeaves in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "29802ff1-599d-544f-b11e-ff08345feede"
+ id = "e17a85de-6a15-5de5-ba9e-03ac6d896d7d"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L53-L66"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_c79815dd26070184688d43b336dc2be07df5e2236e60c8ecc42f5efec2cab190"
+ logic_hash = "c79815dd26070184688d43b336dc2be07df5e2236e60c8ecc42f5efec2cab190"
 score = 75
 quality = 80
 tags = ""
@@ -213113,13 +213299,13 @@ rule JPCERTCC_Himawari
 meta:
 description = "detect Himawari(a variant of RedLeaves) in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "031e4ddd-21e8-5143-902f-300fabaa53b9"
+ id = "85c33dc6-0f9b-5645-b236-f416df16b4a4"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L68-L82"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_9014e6e02fb9d8fa0f646c61647ab28c3cb08f10f8f584ddd11eba27211307f5"
+ logic_hash = "9014e6e02fb9d8fa0f646c61647ab28c3cb08f10f8f584ddd11eba27211307f5"
 score = 75
 quality = 80
 tags = ""
@@ -213139,13 +213325,13 @@ rule JPCERTCC_Lavender
 meta:
 description = "detect Lavender(a variant of RedLeaves) in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "56e4dc21-0c8b-5007-b8ac-80416c8bb180"
+ id = "8c30ae73-161f-5117-a1f9-fad0bd5278de"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L84-L97"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_bf64f927e2c8e9be0f11497f94357de8e3fadcf09ba224d6fec92841c89c1dc5"
+ logic_hash = "bf64f927e2c8e9be0f11497f94357de8e3fadcf09ba224d6fec92841c89c1dc5"
 score = 75
 quality = 80
 tags = ""
@@ -213164,13 +213350,13 @@ rule JPCERTCC_Armadill
 meta:
 description = "detect Armadill(a variant of RedLeaves) in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "57f17a57-4350-5328-b08e-c0095975e987"
+ id = "0e6fb091-5c26-5419-ac99-5ddc9db29fc0"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L99-L111"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_a76d434469a45e1c48b8ec3dc9622017c78ea52824006ddfcf3c368fbda7c912"
+ logic_hash = "a76d434469a45e1c48b8ec3dc9622017c78ea52824006ddfcf3c368fbda7c912"
 score = 75
 quality = 80
 tags = ""
@@ -213188,13 +213374,13 @@ rule JPCERTCC_Zark20Rk
 meta:
 description = "detect zark20rk(a variant of RedLeaves) in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "1baeca4e-cc6f-5970-a81d-e77a10f85944"
+ id = "baf3ebfe-80dd-5601-9ba9-8866b6ab6f14"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L113-L126"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_07c5c97916bd9ec19591d90f8b7d872fca571f3479148157cf1ee9e05c272e5c"
+ logic_hash = "07c5c97916bd9ec19591d90f8b7d872fca571f3479148157cf1ee9e05c272e5c"
 score = 75
 quality = 80
 tags = ""
@@ -213213,13 +213399,13 @@ rule JPCERTCC_Ursnif_1
 meta:
 description = "detect Ursnif(a.k.a. Dreambot, Gozi, ISFB) in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "12b65964-2b82-55c7-b6cb-8aa59b0d7195"
+ id = "e93bc13b-33a9-5d9a-92a9-52f16a97fb16"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L128-L158"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_6c224b43e8ec0fa9540a1fdedce7ce4b97f8ab7196a9619594b7dcb9c2dc5169"
+ logic_hash = "6c224b43e8ec0fa9540a1fdedce7ce4b97f8ab7196a9619594b7dcb9c2dc5169"
 score = 60
 quality = 60
 tags = ""
@@ -213255,13 +213441,13 @@ rule JPCERTCC_Emotet_1
 meta:
 description = "detect Emotet in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "afadbd62-700a-59a8-8279-6a4e6f7587fe"
+ id = "f1cb5e3e-069d-54bb-829d-2ff4aa80e2bb"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L160-L176"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_32f6c25f324eb9f79b8f0b4bc37d648ed95d6347712208f13f74584ee164dc4f"
+ logic_hash = "32f6c25f324eb9f79b8f0b4bc37d648ed95d6347712208f13f74584ee164dc4f"
 score = 75
 quality = 80
 tags = ""
@@ -213283,13 +213469,13 @@ rule JPCERTCC_Smokeloader_1
 meta:
 description = "detect SmokeLoader in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "3a5d6e1f-595e-5736-af4e-fd37004350fe"
+ id = "19666821-1fe9-50e7-958e-22f2260099aa"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://www.cert.pl/en/news/single/dissecting-smoke-loader/"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L178-L191"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_11b7a297d3dcacba57de9b04a6d126970c2be9d5551f7976ac8129b0afbc9bfd"
+ logic_hash = "11b7a297d3dcacba57de9b04a6d126970c2be9d5551f7976ac8129b0afbc9bfd"
 score = 75
 quality = 80
 tags = ""
@@ -213308,13 +213494,13 @@ rule JPCERTCC_Hawkeye
 meta:
 description = "detect HawkEye in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "915fa6c9-f2a1-52be-b659-472ca126c28f"
+ id = "fc988aaf-bdac-5a53-a90c-d35d86285cd6"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L259-L272"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_45256e1e56de3934d2e57a7c036d49a0f56c25538ed7ad3eb7ee8efa7f549e98"
+ logic_hash = "45256e1e56de3934d2e57a7c036d49a0f56c25538ed7ad3eb7ee8efa7f549e98"
 score = 75
 quality = 80
 tags = ""
@@ -213333,13 +213519,13 @@ rule JPCERTCC_Lokibot
 meta:
 description = "detect Lokibot in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "6fc5cf5f-27af-5fbf-8a2f-1b1ecdf02587"
+ id = "12e8469b-83e9-5f93-a543-1c2efb4d303a"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L274-L288"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_3d2db6acb565d705ba26acb7f75be24096ab619a03726f4898391bfe5944bc46"
+ logic_hash = "3d2db6acb565d705ba26acb7f75be24096ab619a03726f4898391bfe5944bc46"
 score = 75
 quality = 80
 tags = ""
@@ -213359,13 +213545,13 @@ rule JPCERTCC_Bebloh
 meta:
 description = "detect Bebloh(a.k.a. URLZone) in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "f8e4eb97-ecfc-5b4c-9120-478de3cf3d85"
+ id = "7c3decb2-9cb5-5569-bab2-982c769ee233"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L290-L304"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_22b8ae9d40d34f83d8cc6c2dab56a866c8de8c9cc38b5da962c7071302f91f03"
+ logic_hash = "22b8ae9d40d34f83d8cc6c2dab56a866c8de8c9cc38b5da962c7071302f91f03"
 score = 75
 quality = 80
 tags = ""
@@ -213385,13 +213571,13 @@ rule JPCERTCC_Xxmm
 meta:
 description = "detect xxmm in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "76ea7d04-8863-5307-acf7-1e705532ff9a"
+ id = "be459cbf-84a1-539e-b0b5-b7a00b6d278d"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L306-L319"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_4a860ac3efb97ce03fa906c2d0e7cd08654f6e82531d9449af7891be83a036d5"
+ logic_hash = "4a860ac3efb97ce03fa906c2d0e7cd08654f6e82531d9449af7891be83a036d5"
 score = 75
 quality = 80
 tags = ""
@@ -213410,13 +213596,13 @@ rule JPCERTCC_Azorult_1
 meta:
 description = "detect Azorult in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "2971df05-7be9-57dc-9fea-4abfaa2ada3d"
+ id = "c73a007c-4d5f-5504-9635-9bffe1282aef"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L321-L334"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_158d65dcd8f3ce8fe4ab2d9bcc97edf585c1d665cc54e1e4969ef83c8103a149"
+ logic_hash = "158d65dcd8f3ce8fe4ab2d9bcc97edf585c1d665cc54e1e4969ef83c8103a149"
 score = 75
 quality = 80
 tags = ""
@@ -213435,13 +213621,13 @@ rule JPCERTCC_Poisonivy
 meta:
 description = "detect PoisonIvy in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "bcac1161-5442-5841-977e-b717478fdba2"
+ id = "e7b27a88-490f-5f79-9e8c-65b8f7505a72"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L336-L349"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_dec7a95c877078f77cbcdcf8646680f6f1d55d438af98e519d13461a7854b095"
+ logic_hash = "dec7a95c877078f77cbcdcf8646680f6f1d55d438af98e519d13461a7854b095"
 score = 75
 quality = 80
 tags = ""
@@ -213460,13 +213646,13 @@ rule JPCERTCC_Netwire
 meta:
 description = "detect netwire in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "76256e5c-0bd8-53d6-abfc-74b39a956def"
+ id = "cf71b80f-2618-5209-bb49-fefea9e0a7f3"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L351-L367"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_fa6ec967b6b3de226dcdb06d6b8f684800331a2420f038dd6274a8b9c3d8be78"
+ logic_hash = "fa6ec967b6b3de226dcdb06d6b8f684800331a2420f038dd6274a8b9c3d8be78"
 score = 75
 quality = 80
 tags = ""
@@ -213488,13 +213674,13 @@ rule JPCERTCC_Nanocore
 meta:
 description = "detect Nanocore in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "21234914-8c17-5f7e-8ed8-7c478bb2a621"
+ id = "0b12ad94-99c2-5d48-a860-ff75b82971af"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L369-L382"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_471dcda6f5fb9c30e3a1df7171fdba889114d54166d038d18c7910e2765d5250"
+ logic_hash = "471dcda6f5fb9c30e3a1df7171fdba889114d54166d038d18c7910e2765d5250"
 score = 75
 quality = 80
 tags = ""
@@ -213513,13 +213699,13 @@ rule JPCERTCC_Formbook_1
 meta:
 description = "detect Formbook in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "2b5303ca-6c3f-5e9b-9771-2c78ff002cc7"
+ id = "71291f9b-eb8e-55e5-a499-df54c35efdbf"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L384-L397"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_62bd3717af8970f67f28d923ce2483ff55a5ef4585a183d4d510e3a2c45fcc8c"
+ logic_hash = "62bd3717af8970f67f28d923ce2483ff55a5ef4585a183d4d510e3a2c45fcc8c"
 score = 75
 quality = 80
 tags = ""
@@ -213538,13 +213724,13 @@ rule JPCERTCC_Agenttesla_Type1
 meta:
 description = "detect Agenttesla in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "55b3ab81-d7f0-581b-ba06-18edf827ae4a"
+ id = "92bfb3ab-d8d0-50ec-8ab8-ad34f1edb906"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L399-L411"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_24b9b815400967a9086048527f7aa1fce08bcd94a16aec8080aeac97045b297a"
+ logic_hash = "24b9b815400967a9086048527f7aa1fce08bcd94a16aec8080aeac97045b297a"
 score = 75
 quality = 80
 tags = ""
@@ -213563,13 +213749,13 @@ rule JPCERTCC_Agenttesla_Type2 : FILE
 meta:
 description = "detect Agenttesla in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "b2f7899e-0065-53ed-bc89-f54ba30fdbbd"
+ id = "6a0b8075-4a7a-56e8-99d2-794340fd1f8b"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L413-L427"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_22f0a7e8f542aa1861f580a2ec3fb2b58ff0ac5d1c606ced0d207a3c350c3633"
+ logic_hash = "22f0a7e8f542aa1861f580a2ec3fb2b58ff0ac5d1c606ced0d207a3c350c3633"
 score = 75
 quality = 80
 tags = "FILE"
@@ -213590,13 +213776,13 @@ rule JPCERTCC_Noderat
 meta:
 description = "detect Noderat in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "f6ffb336-c300-5f42-9b23-7ca3e02febef"
+ id = "9c2c4b0f-0f45-54f6-a98c-b592af882eef"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L429-L442"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_e1254b6cf28161943db202ea0a6ff2d86aa7975d4a3ecc0f26eed58101e54960"
+ logic_hash = "e1254b6cf28161943db202ea0a6ff2d86aa7975d4a3ecc0f26eed58101e54960"
 score = 75
 quality = 80
 tags = ""
@@ -213615,13 +213801,13 @@ rule JPCERTCC_Njrat
 meta:
 description = "detect njRAT in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "dda849d8-b7af-52be-99ac-f19b3ceb5ea2"
+ id = "96b35796-3e1d-5721-998a-e678612e4de7"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://github.com/JPCERTCC/MalConfScan/"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L444-L456"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_398614ff5ea37dfaf6c36f60702cb7cdfe66b4569c698e9c3ea29563e4031856"
+ logic_hash = "398614ff5ea37dfaf6c36f60702cb7cdfe66b4569c698e9c3ea29563e4031856"
 score = 75
 quality = 80
 tags = ""
@@ -213641,13 +213827,13 @@ rule JPCERTCC_Trickbot
 meta:
 description = "detect TrickBot in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "4b6202c2-232a-51fe-bf07-5d54a48a8b57"
+ id = "1a3c5193-bea1-5f64-be40-47bd22c09772"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://github.com/JPCERTCC/MalConfScan/"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L458-L478"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_b0c3437bc4b4f9e7b2a1562e2d514b7aad398d5e387bb79829757b5772a1ebc3"
+ logic_hash = "b0c3437bc4b4f9e7b2a1562e2d514b7aad398d5e387bb79829757b5772a1ebc3"
 score = 75
 quality = 80
 tags = ""
@@ -213675,13 +213861,13 @@ rule JPCERTCC_Remcos_1
 meta:
 description = "detect Remcos in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "484b3454-44f3-5142-88c2-f735ea3fc770"
+ id = "4a27a16a-2669-5009-bc82-082ec0c9b2c1"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://github.com/JPCERTCC/MalConfScan/"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L480-L493"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_1b4b9f7a88f33faeda71ea9a354eeccba8889800f48a6280c4ec533bb1b3ef3d"
+ logic_hash = "1b4b9f7a88f33faeda71ea9a354eeccba8889800f48a6280c4ec533bb1b3ef3d"
 score = 75
 quality = 80
 tags = ""
@@ -213702,13 +213888,13 @@ rule JPCERTCC_Quasar
 meta:
 description = "detect QuasarRAT in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "4fc48a28-85d6-5c8a-bbf0-1dfc8b551faf"
+ id = "f0a81a46-c19b-5012-a1a2-f2f4310fcde3"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://github.com/JPCERTCC/MalConfScan/"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L495-L513"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_a3bb45f2ea217ae1825d80e1ead9c3e47ca88575c960ce1f9feb2db09f489e08"
+ logic_hash = "a3bb45f2ea217ae1825d80e1ead9c3e47ca88575c960ce1f9feb2db09f489e08"
 score = 75
 quality = 80
 tags = ""
@@ -213734,14 +213920,14 @@ rule JPCERTCC_Elf_Plead
 meta:
 description = "ELF_PLEAD"
 author = "JPCERT/CC Incident Response Group"
- id = "2d291c78-de65-5dd4-b134-92d41fbf0976"
+ id = "12f93939-812f-52b6-9582-b375bb361892"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://github.com/JPCERTCC/MalConfScan/"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L515-L529"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
 hash = "f704303f3acc2fd090145d5ee893914734d507bd1e6161f82fb34d45ab4a164b"
- logic_hash = "v1_sha256_088d17afe77076f8b1e5f7cb285d825d597d9c971a03f878bf64b6d2af14a01f"
+ logic_hash = "088d17afe77076f8b1e5f7cb285d825d597d9c971a03f878bf64b6d2af14a01f"
 score = 75
 quality = 80
 tags = ""
@@ -213761,13 +213947,13 @@ rule JPCERTCC_Asyncrat
 meta:
 description = "detect AsyncRat in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "3a957c59-5780-5eb2-b8e6-92d48c9d2509"
+ id = "758614e8-df93-54ff-9f06-0020b54fbf88"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L531-L548"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_0a60718ea3412129c40e2eee53591dbf094a6b914502242b5ab9b54f8fd95da0"
+ logic_hash = "0a60718ea3412129c40e2eee53591dbf094a6b914502242b5ab9b54f8fd95da0"
 score = 75
 quality = 76
 tags = ""
@@ -213791,13 +213977,13 @@ rule JPCERTCC_Wellmess : FILE
 meta:
 description = "detect WellMess in memory"
 author = "JPCERT/CC Incident Response Group"
- id = "f6693695-2f70-5147-9b8c-cb8b86be233d"
+ id = "07084b85-b4fa-5534-aca5-1ddac3a3988b"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "internal research"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L550-L569"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
- logic_hash = "v1_sha256_1f5a1ba51dd99eadaf5de344539712057f4635b060d4f306b50a6ecb65931970"
+ logic_hash = "1f5a1ba51dd99eadaf5de344539712057f4635b060d4f306b50a6ecb65931970"
 score = 75
 quality = 80
 tags = "FILE"
@@ -213823,14 +214009,14 @@ rule JPCERTCC_Elf_Wellmess : FILE
 meta:
 description = "ELF_Wellmess"
 author = "JPCERT/CC Incident Response Group"
- id = "666f4edf-9019-5080-a0b9-127abf86180a"
+ id = "3e6cb461-fc51-5ea6-bd6f-6dab11d5704c"
 date = "2021-08-16"
 modified = "2021-08-16"
 reference = "https://github.com/JPCERTCC/MalConfScan/"
 source_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/yara/rule.yara#L571-L584"
 license_url = "https://github.com/JPCERTCC/MalConfScan//blob/19ec0d145535a6a4cfd37c0960114f455a8c343e/LICENSE.txt"
 hash = "00654dd07721e7551641f90cba832e98c0acb030e2848e5efc0e1752c067ec07"
- logic_hash = "v1_sha256_99789bba9c398b7927b3ab42bb4df40e5470e0816cc048dcc7d09c6a78a1a505"
+ logic_hash = "99789bba9c398b7927b3ab42bb4df40e5470e0816cc048dcc7d09c6a78a1a505"
 score = 75
 quality = 80
 tags = "FILE"
@@ -213848,7 +214034,7 @@ rule JPCERTCC_Elf_Wellmess : FILE
 * YARA Rule Set
 * Repository Name: SecuInfra
 * Repository: https://github.com/SIFalcon/Detection
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd
 * Number of Rules: 45
 * Skipped: 0 (age), 11 (quality), 0 (score), 0 (importance)
@@ -213863,13 +214049,13 @@ rule SECUINFRA_OBFUS_Javascript_Wscript_Hex_Strings_Usage
 meta:
 description = "Detects the frequent usage of Wscript to get an hex encoded string from an array and interpret it. Used by e.g WSHRAT"
 author = "SECUINFRA Falcon Team"
- id = "5e8eb5c8-6e90-52c2-8192-97e37cfe89fd"
+ id = "dd55753e-4f7b-56be-a6d4-66f1d7dc8747"
 date = "2022-12-02"
 modified = "2022-02-13"
 reference = "https://github.com/SIFalcon/Detection"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Obfuscation/javascript_obfuscation.yar#L2-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_62bc3261b3c2e902a82423239a7ee0bcedfccbeeeda11833b935197144dc7c35"
+ logic_hash = "62bc3261b3c2e902a82423239a7ee0bcedfccbeeeda11833b935197144dc7c35"
 score = 75
 quality = 70
 tags = ""
@@ -213889,13 +214075,13 @@ rule SECUINFRA_OBFUS_VBS_Reverse_Startup : FILE
 meta:
 description = "Detecs reversed StartUp Path. Sometimes used as obfuscation"
 author = "SECUINFRA Falcon Team"
- id = "d9b08c0a-6ad6-513f-a8db-22ffecf584f6"
+ id = "ecb96e30-0ac0-530a-83af-bb030f7dce4c"
 date = "2022-02-27"
 modified = "2022-02-27"
 reference = "https://github.com/SIFalcon/Detection"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Obfuscation/vbs_obfuscation.yar#L2-L13"
 license_url = "N/A"
- logic_hash = "v1_sha256_7b4d56d3bbe8d16d5e01fa9a021a368feb28b8b062860df76a2569966a97b8bc"
+ logic_hash = "7b4d56d3bbe8d16d5e01fa9a021a368feb28b8b062860df76a2569966a97b8bc"
 score = 75
 quality = 70
 tags = "FILE"
@@ -213911,13 +214097,13 @@ rule SECUINFRA_OBFUS_Powershell_Execution : FILE
 meta:
 description = "Detects some variations of obfuscated PowerShell code to execute further PowerShell code"
 author = "SECUINFRA Falcon Team"
- id = "75e9a4d3-a048-5958-97bc-13a6cc4128f7"
+ id = "b32c2a92-599c-5916-a335-dc996dcdc1bf"
 date = "2022-09-02"
 modified = "2022-02-27"
 reference = "https://github.com/SIFalcon/Detection"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Obfuscation/powershell_obfuscation.yar#L1-L17"
 license_url = "N/A"
- logic_hash = "v1_sha256_b201774edc4a20a0035cd68898a785a6c2fc03fb8739d515196e428d4a88af70"
+ logic_hash = "b201774edc4a20a0035cd68898a785a6c2fc03fb8739d515196e428d4a88af70"
 score = 75
 quality = 70
 tags = "FILE"
@@ -213935,13 +214121,13 @@ rule SECUINFRA_OBFUS_Powershell_Replace_Tilde : FILE
 meta:
 description = "Detects usage of Replace to replace tilde. Often observed in obfuscation"
 author = "SECUINFRA Falcon Team"
- id = "79f51545-31ad-58fd-843f-397fa485e6e8"
+ id = "59b68982-01ae-588a-9802-bb92c72342a8"
 date = "2022-10-02"
 modified = "2022-02-27"
 reference = "https://bazaar.abuse.ch/sample/4c391b57d604c695925938bfc10ceb4673edd64e9655759c2aead9e12b3e17cf/"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Obfuscation/powershell_obfuscation.yar#L19-L32"
 license_url = "N/A"
- logic_hash = "v1_sha256_a2693757f9aedc1019a94a15ae00f87af852d319aa698dadd7f9bb98128622a0"
+ logic_hash = "a2693757f9aedc1019a94a15ae00f87af852d319aa698dadd7f9bb98128622a0"
 score = 75
 quality = 70
 tags = "FILE"
@@ -213957,13 +214143,13 @@ rule SECUINFRA_MALWARE_Plugx_USB_Delivery_LNK_Jun23
 meta:
 description = "Detects PlugX-style Malware delivery via removable Drives (USB) - LNK File"
 author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
- id = "5d64ddf9-748d-57bb-a757-460448d10034"
+ id = "14c2e37e-91d7-5b66-916f-a1544a69a6fc"
 date = "2023-06-21"
 modified = "2023-06-21"
 reference = "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/MALWARE_PlugX_USB_Delivery_Jun21.yar#L1-L31"
 license_url = "N/A"
- logic_hash = "v1_sha256_afbbaf44e97b6db584780e0739bffd9c70e05e86284cb25b25a9d02cbeffff1f"
+ logic_hash = "afbbaf44e97b6db584780e0739bffd9c70e05e86284cb25b25a9d02cbeffff1f"
 score = 75
 quality = 70
 tags = ""
@@ -213986,13 +214172,13 @@ rule SECUINFRA_MALWARE_Plugx_USB_Delivery_Ini_Icon_Jun23
 meta:
 description = "Detects PlugX-style Malware delivery via removable Drives (USB) - Desktop.ini Icon File; could potentially yield FPs"
 author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
- id = "6bb49a2f-d149-5f5a-b6e7-89c05a1f6ee1"
+ id = "faaa507f-8478-5412-be86-4cae7fe28d21"
 date = "2023-06-21"
 modified = "2023-06-21"
 reference = "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/MALWARE_PlugX_USB_Delivery_Jun21.yar#L33-L49"
 license_url = "N/A"
- logic_hash = "v1_sha256_1cf552c4627073d13832cf0ac602a610e0919af9e9a197aa07fef5d6a414644b"
+ logic_hash = "1cf552c4627073d13832cf0ac602a610e0919af9e9a197aa07fef5d6a414644b"
 score = 75
 quality = 70
 tags = ""
@@ -214010,13 +214196,13 @@ rule SECUINFRA_MALWARE_Plugx_USB_Delivery_Ini_Recbin_Jun23
 meta:
 description = "Detects PlugX-style Malware delivery via removable Drives (USB) - Desktop.ini Recycle Bin; could potentially yield FPs"
 author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
- id = "1df504b9-5385-5a3a-a7b9-8acfb3ecbbaa"
+ id = "026eba63-12c1-55aa-b736-aea0494c1ab9"
 date = "2023-06-21"
 modified = "2023-06-21"
 reference = "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/MALWARE_PlugX_USB_Delivery_Jun21.yar#L51-L70"
 license_url = "N/A"
- logic_hash = "v1_sha256_af5a1f20e46d9db3a9b50b5d8845e60f058c2885a560756266afbd8f3a01bf1e"
+ logic_hash = "af5a1f20e46d9db3a9b50b5d8845e60f058c2885a560756266afbd8f3a01bf1e"
 score = 75
 quality = 70
 tags = ""
@@ -214035,13 +214221,13 @@ rule SECUINFRA_RANSOM_Esxiargs_Ransomware_Bash_Feb23
 meta:
 description = "Detects the ESXiArgs Ransomware encryption bash script"
 author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
- id = "6e3f98ef-3b38-5de9-a395-74487634f274"
+ id = "dafcb312-bad2-5dcc-8260-80d09e11853b"
 date = "2023-02-07"
 modified = "2023-02-07"
 reference = "https://secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/RANSOM_ESXiArgs_Ransomware_Bash_Feb23.yar#L1-L45"
 license_url = "N/A"
- logic_hash = "v1_sha256_e9838fd86e25c434f419dcc8d37a56f4f83c38930b0558181585bbfe77cd1baf"
+ logic_hash = "e9838fd86e25c434f419dcc8d37a56f4f83c38930b0558181585bbfe77cd1baf"
 score = 75
 quality = 70
 tags = ""
@@ -214076,13 +214262,13 @@ rule SECUINFRA_MALWARE_Formbook_Filename_Stage_2 : FILE
 meta:
 description = "No description has been set in the source file - SecuInfra"
 author = "SECUINFRA Falcon Team"
- id = "6bdca5e0-26d8-5341-a3f0-eb90a708c8b6"
+ id = "74ae157c-30b3-5f07-83a3-6bc9e854fa84"
 date = "2022-02-19"
 modified = "2022-02-27"
 reference = "https://bazaar.abuse.ch/sample/295a708fd87173762a4971443304e23990462f94e8db48d83472f19425daaa87"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/formbook.yar#L2-L14"
 license_url = "N/A"
- logic_hash = "v1_sha256_707fa457a99b47419b0b77716ed1f61cdb493f04cc26a156f903a30ef30ac428"
+ logic_hash = "707fa457a99b47419b0b77716ed1f61cdb493f04cc26a156f903a30ef30ac428"
 score = 75
 quality = 70
 tags = "FILE"
@@ -214099,14 +214285,14 @@ rule SECUINFRA_RANSOM_Magniber_LNK_Jan23
 meta:
 description = "Detects Magniber Ransomware LNK files from fake Windows Update delivery method"
 author = "SECUINFRA Falcon Team"
- id = "ae044f24-ef62-5659-a582-106c6bddbb09"
+ id = "2459a9e9-a6bb-50fc-9920-7632fdec7e91"
 date = "2023-01-13"
 modified = "2023-01-13"
 reference = "https://twitter.com/SI_FalconTeam/status/1613540054382559234"
 source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/RANSOM_Magniber_LNK_Jan23.yar#L1-L18"
 license_url = "N/A"
 hash = "16ecec4efa2174dec11f6a295779f905c8f593ab5cc96ae0f5249dc50469841c"
- logic_hash = "v1_sha256_074611d74e382bb19a45b052b5b2cc186bf3667420cb1625e9bda37f2e9774c5"
+ logic_hash = "074611d74e382bb19a45b052b5b2cc186bf3667420cb1625e9bda37f2e9774c5"
 score = 75
 quality = 70
 tags = ""
@@ -214124,13 +214310,13 @@ rule SECUINFRA_RANSOM_Esxiargs_Ransomware_Encryptor_Feb23 meta: description = "Detects the ESXiArgs Ransomware 'encrypt' binary" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "74731dbb-65cc-5b33-ae64-35c48c732fdd" + id = "e91398bd-c8b5-5702-974e-017d2c0f6054" date = "2023-02-07" modified = "2023-02-07" reference = "https://secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/RANSOM_ESXiArgs_Ransomware_Encrypt_Feb23.yar#L1-L32" license_url = "N/A" - logic_hash = "v1_sha256_f0c9858275f547d4cf7d907377f079b817bf69cae9940b134e523bd7794d6f3b" + logic_hash = "f0c9858275f547d4cf7d907377f079b817bf69cae9940b134e523bd7794d6f3b" score = 75 quality = 70 tags = "" @@ -214155,13 +214341,13 @@ rule SECUINFRA_RANSOM_Medusalocker_July22 : RANSOMWARE FILE meta: description = "Detects MedusaLocker Ransomware" author = "SECUINFRA Falcon Team" - id = "78617397-85c6-5796-8b29-0b64cb21bd16" + id = "ca8c4ab6-cb7d-5b1d-a3c3-6921133c646c" date = "2022-07-08" modified = "2022-07-08" reference = "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/RANSOM_MedusaLocker_July22.yar#L3-L68" license_url = "N/A" - logic_hash = "v1_sha256_f585e29cf8d381813e489296b88fbd8ebd0e48b48395237b264596f54e0db472" + logic_hash = "f585e29cf8d381813e489296b88fbd8ebd0e48b48395237b264596f54e0db472" score = 75 quality = 68 tags = "RANSOMWARE, FILE" 
@@ -214216,14 +214402,14 @@ rule SECUINFRA_RANSOM_Magniber_ISO_Jan23 : FILE meta: description = "Detects Magniber Ransomware ISO files from fake Windows Update delivery method" author = "SECUINFRA Falcon Team" - id = "01634001-d4ff-516c-ad95-13798c1cb7bb" + id = "6d5a937d-ac31-5c59-8e93-3fadc772d132" date = "2023-01-13" modified = "2023-01-13" reference = "https://twitter.com/SI_FalconTeam/status/1613540054382559234" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/RANSOM_Magniber_ISO_Jan23.yar#L1-L24" license_url = "N/A" hash = "4dcbcc070e7e3d0696c777b63e185406e3042de835b734fe7bb33cc12e539bf6" - logic_hash = "v1_sha256_238baa794f4a87102534f7d6901819aa1b5dbb8156d56fb311e9fb1a6bc77f30" + logic_hash = "238baa794f4a87102534f7d6901819aa1b5dbb8156d56fb311e9fb1a6bc77f30" score = 75 quality = 68 tags = "FILE" @@ -214244,13 +214430,13 @@ rule SECUINFRA_RANSOM_Esxiargs_Ransomware_Python_Feb23 meta: description = "Detects the ESXiArgs Ransomware encryption bash script" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "8f8775f6-725a-5b8e-803a-4eb2f84ece72" + id = "6e2d6695-b727-5b71-bfa0-e8290e057c36" date = "2023-02-07" modified = "2023-02-07" reference = "https://secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/RANSOM_ESXiArgs_Ransomware_Python_Feb23.yar#L1-L31" license_url = "N/A" - logic_hash = "v1_sha256_b821d1829ab4fb5eea896156a303198d6531d734196f0f947aef5d46754e6ccb" + logic_hash = "b821d1829ab4fb5eea896156a303198d6531d734196f0f947aef5d46754e6ccb" score = 75 quality = 70 tags = "" 
@@ -214280,13 +214466,13 @@ rule SECUINFRA_RANSOM_Lockbit_Black_Packer : RANSOMWARE FILE meta: description = "Detects the packer used by Lockbit Black (Version 3)" author = "SECUINFRA Falcon Team" - id = "d09ad53a-eb4c-5697-86a1-0a603e53b8d4" + id = "f4c1a12b-eb89-5a46-97a9-f0207ca1bbde" date = "2022-07-04" modified = "2022-07-04" reference = "https://twitter.com/vxunderground/status/1543661557883740161" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/RANSOM_Lockbit_Black_Packer.yar#L5-L40" license_url = "N/A" - logic_hash = "v1_sha256_cde7f5374b97b2462cfd951994b6bb3ef0962e1be71253e25ca14d53c3d3d615" + logic_hash = "cde7f5374b97b2462cfd951994b6bb3ef0962e1be71253e25ca14d53c3d3d615" score = 75 quality = 45 tags = "RANSOMWARE, FILE" @@ -214310,13 +214496,13 @@ rule SECUINFRA_MALWARE_Emotet_Onenote_Delivery_Wsf_Mar23 meta: description = "Detects Microsoft OneNote files used to deliver Emotet (.wsf Payload)" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "df7adc1c-943e-59dc-892c-9c87963127a5" + id = "a9201240-407d-5ca9-b7fd-37372a2e7d2a" date = "2023-03-16" modified = "2023-03-16" reference = "https://www.secuinfra.com/en/news/the-whale-surfaces-again-emotet-epoch4-spam-botnet-returns/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Malware/MALWARE_Emotet_OneNote_Delivery_wsf_Mar23.yar#L1-L33" license_url = "N/A" - logic_hash = "v1_sha256_ca48f5e694b18e3f0b89b0128817848a7d36f60d8a3ada522739849bf3f7126b" + logic_hash = "ca48f5e694b18e3f0b89b0128817848a7d36f60d8a3ada522739849bf3f7126b" score = 75 quality = 70 tags = "" 
@@ -214345,13 +214531,13 @@ rule SECUINFRA_HUNT_RTF_CVE_2023_21716_Mar23 : CVE_2023_21716 meta: description = "Detects RTF documents with an inflated fonttable. Hunting for CVE-2023-21716" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "2b1a8ff2-cee3-56a3-99fa-8a03899b25bb" + id = "1b76f428-f2a8-5d1d-a78c-b4a70ac4f5db" date = "2023-03-07" modified = "2023-03-07" reference = "https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Hunting/HUNT_RTF_CVE_2023_21716.yar#L3-L20" license_url = "N/A" - logic_hash = "v1_sha256_456008db725b8348f9f3851bb9aae9990e7613e1b9056846b121605c3e080297" + logic_hash = "456008db725b8348f9f3851bb9aae9990e7613e1b9056846b121605c3e080297" score = 50 quality = 70 tags = "CVE-2023-21716" @@ -214368,13 +214554,13 @@ rule SECUINFRA_SUSP_Scheduled_Tasks_Create_From_Susp_Dir : FILE meta: description = "Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory" author = "SECUINFRA Falcon Team" - id = "af348eea-eb96-5149-89c5-4082957ce94e" + id = "65aad597-c5fe-50c3-8970-19fb502f1602" date = "2022-02-21" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Windows/windows_misc.yar#L2-L25" license_url = "N/A" - logic_hash = "v1_sha256_abe0592a8936898a43a1df9039829948f8a4a425c74cb970d2899d513c9cfffe" + logic_hash = "abe0592a8936898a43a1df9039829948f8a4a425c74cb970d2899d513c9cfffe" score = 60 quality = 25 tags = "FILE" 
@@ -214399,13 +214585,13 @@ rule SECUINFRA_SUSP_Reverse_Run_Key : FILE meta: description = "Detects a Reversed Run Key" author = "SECUINFRA Falcon Team" - id = "4c46675f-c417-5ea1-a21c-5fe46920cf34" + id = "230bed16-278e-574c-bb9b-cf6c44a7e9cd" date = "2022-02-27" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Windows/windows_misc.yar#L27-L38" license_url = "N/A" - logic_hash = "v1_sha256_dcb1a7e2c688287d08ade3d75e5c3d0dde6b645889bd4ec09ce8c131d8d3265e" + logic_hash = "dcb1a7e2c688287d08ade3d75e5c3d0dde6b645889bd4ec09ce8c131d8d3265e" score = 65 quality = 70 tags = "FILE" @@ -214423,13 +214609,13 @@ rule SECUINFRA_MAL_Redline_Certificate_Bosch : FILE meta: description = "Detects Certificate used by Redline Stealer" author = "SECUINFRA Falcon Team" - id = "c1d30185-78e2-5cc5-94d5-99a957a4aa49" + id = "a91d0510-ab4e-5f22-bcce-9a42beff5190" date = "2022-12-02" modified = "2022-02-13" reference = "https://bazaar.abuse.ch/sample/60e40ccfc16ca9f36dee7ec2b4e2fc81398ff408bf7cc63fb7ddf0fef1d4b72b" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Stealer/redline_stealer.yar#L3-L16" license_url = "N/A" - logic_hash = "v1_sha256_b3084bee5151543c0931bef9d320805d9e4d63c25be029da4e592d5a0b080a0e" + logic_hash = "b3084bee5151543c0931bef9d320805d9e4d63c25be029da4e592d5a0b080a0e" score = 75 quality = 70 tags = "FILE" 
@@ -214444,13 +214630,13 @@ rule SECUINFRA_MAL_Redline_Certificate_Geforce : FILE meta: description = "Detects Certificate used by Redline Stealer" author = "SECUINFRA Falcon Team" - id = "9088c2ed-9d7a-5346-8dca-4f3ef6d945b4" + id = "70081810-704e-5734-8a78-f97e17989460" date = "2022-02-13" modified = "2022-02-13" reference = "https://bazaar.abuse.ch/sample/f36c1c2f6b6f334be93b72fccb8e46cadd59304dc244b3a5aabecc8f4018eb77" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Stealer/redline_stealer.yar#L18-L31" license_url = "N/A" - logic_hash = "v1_sha256_04e9bfd886be1550b0efd22f0098cc13a5fb6e7cae30b866a4066d0c8f433367" + logic_hash = "04e9bfd886be1550b0efd22f0098cc13a5fb6e7cae30b866a4066d0c8f433367" score = 75 quality = 70 tags = "FILE" @@ -214463,13 +214649,13 @@ rule SECUINFRA_MALWARE_Onenote_Delivery_Jan23 meta: description = "Detects suspicious Microsoft OneNote files used to deliver Malware" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "39ea1f67-9c3c-5ac5-a3a3-cef591b16a9a" + id = "ebf02a11-6f53-573d-bd7a-9948cef9fb3a" date = "2023-01-19" modified = "2023-01-19" reference = "https://twitter.com/James_inthe_box/status/1615421130877329409" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/MALWARE_OneNote_Delivery_Jan23.yar#L1-L56" license_url = "N/A" - logic_hash = "v1_sha256_08c38eedf500fd1a0224e396b41aebb8ac82b3705321ca798ac1007ea34366e1" + logic_hash = "08c38eedf500fd1a0224e396b41aebb8ac82b3705321ca798ac1007ea34366e1" score = 65 quality = 66 tags = "" 
@@ -214513,13 +214699,13 @@ rule SECUINFRA_SUS_Unsigned_APPX_MSIX_Installer_Feb23 meta: description = "Detects suspicious, unsigned Microsoft Windows APPX/MSIX Installer Packages" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "30252da4-8094-5cde-b290-ab6e4ade4826" + id = "beaf08a8-a1c3-5d9c-b7cb-81a49c5bc2ec" date = "2023-02-01" modified = "2023-02-07" reference = "https://twitter.com/SI_FalconTeam/status/1620500572481945600" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/SUS_Unsigned_APPX_MSIX_Installer_Feb23.yar#L1-L22" license_url = "N/A" - logic_hash = "v1_sha256_ad3f0545b2fe285adf67f053c8b422126a1bdff1b6835631280442495d975d16" + logic_hash = "ad3f0545b2fe285adf67f053c8b422126a1bdff1b6835631280442495d975d16" score = 50 quality = 30 tags = "" @@ -214539,13 +214725,13 @@ rule SECUINFRA_SUS_Unsigned_APPX_MSIX_Manifest_Feb23 meta: description = "Detects suspicious Microsoft Windows APPX/MSIX Installer Manifests" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "5f821581-cf0e-51e4-84d1-0a6671478305" + id = "f24f7e03-3cc5-5214-b6d2-205b69898636" date = "2023-02-01" modified = "2023-02-07" reference = "https://twitter.com/SI_FalconTeam/status/1620500572481945600" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/SUS_Unsigned_APPX_MSIX_Manifest_Feb23.yar#L1-L25" license_url = "N/A" - logic_hash = "v1_sha256_4e3de25fdad9d76cefbb191424a739368b521c4f234656c397f4122debe749fa" + logic_hash = "4e3de25fdad9d76cefbb191424a739368b521c4f234656c397f4122debe749fa" score = 65 quality = 70 tags = "" 
@@ -214566,13 +214752,13 @@ rule SECUINFRA_SUSP_Discord_Attachments_URL : PE DOWNLOAD FILE meta: description = "Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads" author = "SECUINFRA Falcon Team" - id = "7b2122ae-f4f8-58f0-a9ac-787e2a7e5fa3" + id = "bf81920b-f8ab-594a-aa45-d92446411113" date = "2022-02-19" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/exe.yar#L3-L16" license_url = "N/A" - logic_hash = "v1_sha256_3270b74506e520064361379b274f44a467c55bdcd3d8456967e864526aca8521" + logic_hash = "3270b74506e520064361379b274f44a467c55bdcd3d8456967e864526aca8521" score = 65 quality = 70 tags = "PE, DOWNLOAD, FILE" @@ -214591,13 +214777,13 @@ rule SECUINFRA_SUSP_DOTNET_PE_Download_To_Specialfolder : DOTNET DOWNLOAD FILE meta: description = "Detects a .NET Binary that downloads further payload and retrieves a special folder" author = "SECUINFRA Falcon Team" - id = "d80a746a-f3db-5a73-a38a-83019f5702b2" + id = "106683bf-1d36-58ee-b5af-4723aa70fdad" date = "2022-02-27" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/exe.yar#L45-L64" license_url = "N/A" - logic_hash = "v1_sha256_d44c89ab126f79596c8bf3f1327b37a2463faa4e3bb258f9a96d495ac40003f8" + logic_hash = "d44c89ab126f79596c8bf3f1327b37a2463faa4e3bb258f9a96d495ac40003f8" score = 65 quality = 70 tags = "DOTNET, DOWNLOAD, FILE" 
@@ -214617,13 +214803,13 @@ rule SECUINFRA_SUSP_DOTNET_PE_List_AV : DOTNET AV FILE meta: description = "Detecs .NET Binary that lists installed AVs" author = "SECUINFRA Falcon Team" - id = "ae40af55-279b-5564-9a11-c2b486d6875f" + id = "0f27567a-ab41-5d17-a1d8-a59c9602eb35" date = "2022-02-27" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/exe.yar#L66-L82" license_url = "N/A" - logic_hash = "v1_sha256_b82e6ed5740cab26eb3848717204190d61663e7e42ff42536386b00181a15ebb" + logic_hash = "b82e6ed5740cab26eb3848717204190d61663e7e42ff42536386b00181a15ebb" score = 65 quality = 70 tags = "DOTNET, AV, FILE" @@ -214640,13 +214826,13 @@ rule SECUINFRA_SUSP_Netsh_Firewall_Command : PE FILE meta: description = "No description has been set in the source file - SecuInfra" author = "SECUINFRA Falcon Team" - id = "f4c36477-bce6-521f-853f-013e8d8523c1" + id = "c62cbe3f-9585-56c0-bb09-83a36437abda" date = "2022-02-27" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/exe.yar#L84-L97" license_url = "N/A" - logic_hash = "v1_sha256_7d19b433785684ce1d2b008b3fdd36b22c5c82bfec476c787dfa025080b6178d" + logic_hash = "7d19b433785684ce1d2b008b3fdd36b22c5c82bfec476c787dfa025080b6178d" score = 65 quality = 70 tags = "PE, FILE" 
@@ -214663,13 +214849,13 @@ rule SECUINFRA_SUSP_Powershell_Download_Temp_Rundll : POWERSHELL DOWNLOAD FILE meta: description = "Detect a Download to %temp% and execution with rundll32.exe" author = "SECUINFRA Falcon Team" - id = "b5c2e8d9-c1e7-5c71-9427-fa6e63f4a070" + id = "6b09a6f0-29c6-5baf-ae64-7aa49a37a9d3" date = "2022-09-02" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/powershell.yar#L1-L17" license_url = "N/A" - logic_hash = "v1_sha256_4d7860dc94614b10bc0eea0189ad9b964399d4ee6404ebeaef40720c716c592d" + logic_hash = "4d7860dc94614b10bc0eea0189ad9b964399d4ee6404ebeaef40720c716c592d" score = 65 quality = 70 tags = "POWERSHELL, DOWNLOAD, FILE" @@ -214687,13 +214873,13 @@ rule SECUINFRA_SUSP_Powershell_Base64_Decode : POWERSHELL B64 FILE meta: description = "Detects PowerShell code to decode Base64 data. This can yield many FP" author = "SECUINFRA Falcon Team" - id = "986623ae-994b-55ca-ac01-00cda18f6602" + id = "7cb01c0b-d7e3-5196-b78d-f41765ba0368" date = "2022-02-27" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/powershell.yar#L19-L31" license_url = "N/A" - logic_hash = "v1_sha256_b323089ac61823d969d04a05890ad9fffe8589165d4b026b08e9fd633d4247de" + logic_hash = "b323089ac61823d969d04a05890ad9fffe8589165d4b026b08e9fd633d4247de" score = 60 quality = 50 tags = "POWERSHELL, B64, FILE" 
@@ -214709,13 +214895,13 @@ rule SECUINFRA_SUSP_LNK_Staging_Directory : FILE meta: description = "Detects typical staging directories being referenced inside lnk files" author = "SECUINFRA Falcon Team" - id = "0ae9a112-b8d0-5669-8383-b303334a91d8" + id = "459ed2e6-133c-5cde-bf49-95bf8a5eb8c8" date = "2022-02-27" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Filetypes/lnk.yar#L31-L46" license_url = "N/A" - logic_hash = "v1_sha256_3f2a04702b39bce48fc85aa68f39e6062c3b5ee37667eb086222a866a5e438e4" + logic_hash = "3f2a04702b39bce48fc85aa68f39e6062c3b5ee37667eb086222a866a5e438e4" score = 65 quality = 70 tags = "FILE" @@ -214732,13 +214918,13 @@ rule SECUINFRA_SUSP_Powershell_Download_Temp_Rundll_1 : POWERSHELL DOWNLOAD meta: description = "Detect a Download to %temp% and execution with rundll32.exe" author = "SECUINFRA Falcon Team" - id = "6e2b69e0-caa6-5f1a-b34e-494454e50c8f" + id = "f7a9d2e6-bebf-598b-9e59-db0a3001b9f9" date = "2022-09-02" modified = "2022-02-19" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/PowerShell_Misc/download_variations.yar#L1-L14" license_url = "N/A" - logic_hash = "v1_sha256_7982438c032127349fb1c3477a23bab1c92eb68d9c3b26e2f5fb0a8c332dbc44" + logic_hash = "7982438c032127349fb1c3477a23bab1c92eb68d9c3b26e2f5fb0a8c332dbc44" score = 65 quality = 70 tags = "POWERSHELL, DOWNLOAD" 
@@ -214756,13 +214942,13 @@ rule SECUINFRA_APT_Bitter_Maldoc_Verify : CVE_2018_0798 meta: description = "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "50b9545c-74b3-5148-85d9-e09bcb23f741" + id = "8e0e32d3-f00e-5145-9386-f42ddca703ae" date = "2022-06-01" modified = "2022-07-05" reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/APT/APT_Bitter_T-APT-17.yar#L11-L40" license_url = "N/A" - logic_hash = "v1_sha256_1d30e2ad0d99d274a4e3dd029ff41ec05e8ba4160bea37762bce1bb5286493d8" + logic_hash = "1d30e2ad0d99d274a4e3dd029ff41ec05e8ba4160bea37762bce1bb5286493d8" score = 75 quality = 70 tags = "CVE-2018-0798" @@ -214791,14 +214977,14 @@ rule SECUINFRA_APT_Bitter_Almond_RAT : FILE meta: description = "Detects Bitter (T-APT-17) Almond RAT (.NET)" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "830e3e4b-9767-58e4-8d74-09ffffae7e28" + id = "191fadf9-4f64-56c9-bc2a-a7b4e27ab0fc" date = "2022-06-01" modified = "2022-07-05" reference = " https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/APT/APT_Bitter_T-APT-17.yar#L82-L108" license_url = "N/A" hash = "55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396" - logic_hash = "v1_sha256_b8d6b95987fe434fc16c87a7bc144f1fe69301a32bb93588df7c2abbfef62d75" + logic_hash = "b8d6b95987fe434fc16c87a7bc144f1fe69301a32bb93588df7c2abbfef62d75" score = 75 quality = 70 tags = "FILE" 
@@ -214820,13 +215006,13 @@ rule SECUINFRA_APT_Bitter_PDB_Paths : FILE meta: description = "Detects Bitter (T-APT-17) PDB Paths" author = "SECUINFRA Falcon Team (@SI_FalconTeam)" - id = "334be759-c6de-5b6b-b589-1f8e11e7c2ca" + id = "e2ad4ac3-45fe-5087-b0d6-a5de16774229" date = "2022-06-22" modified = "2022-07-05" reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/APT/APT_Bitter_T-APT-17.yar#L110-L133" license_url = "N/A" - logic_hash = "v1_sha256_7eb9e4c1b4e0cca070596f3702045756eb32716481bb59f2f8322221804291f5" + logic_hash = "7eb9e4c1b4e0cca070596f3702045756eb32716481bb59f2f8322221804291f5" score = 75 quality = 70 tags = "FILE" @@ -214847,14 +215033,14 @@ rule SECUINFRA_MAL_WSHRAT : RAT JAVASCRIPT WSHRAT FILE meta: description = "Detects the final Payload of WSHART" author = "SECUINFRA Falcon Team" - id = "a642c203-2827-50e8-91e9-bfefc3ce4bbd" + id = "8db5e349-c83e-53c3-a44d-cfe4732fe08d" date = "2022-12-02" modified = "2022-02-13" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/RAT/wshrat.yar#L2-L44" license_url = "N/A" hash = "b7f53ccc492400290016e802e946e526" - logic_hash = "v1_sha256_12d893f0ca83e805fa570d3f72eb733c8d8b1ae6c0d37bf179ac675d108c7412" + logic_hash = "12d893f0ca83e805fa570d3f72eb733c8d8b1ae6c0d37bf179ac675d108c7412" score = 75 quality = 68 tags = "RAT, JAVASCRIPT, WSHRAT, FILE" 
@@ -214900,13 +215086,13 @@ rule SECUINFRA_MAL_Njrat : FILE meta: description = "No description has been set in the source file - SecuInfra" author = "SECUINFRA Falcon Team" - id = "bc2c1ade-6102-519a-980d-40e8e2df6049" + id = "eeea8bcf-0d19-5c43-92cc-55c1110f46e5" date = "2022-02-27" modified = "2022-02-27" reference = "https://github.com/SIFalcon/Detection" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/RAT/njrat.yar#L3-L35" license_url = "N/A" - logic_hash = "v1_sha256_e6f5ce20df70bc2f9d00931a84db08c1918a0639555204de8e86f3ba583a73f5" + logic_hash = "e6f5ce20df70bc2f9d00931a84db08c1918a0639555204de8e86f3ba583a73f5" score = 75 quality = 70 tags = "FILE" @@ -214933,14 +215119,14 @@ rule SECUINFRA_MAL_Nw0Rm : FILE meta: description = "Detect the final RAT dropped by N-W0rm" author = "SECUINFRA Falcon Team" - id = "b50c9e20-1231-574f-92f4-f01c7b448be4" + id = "b014ce63-33ec-51df-a529-0c197dac2d7a" date = "2022-03-02" modified = "2022-02-07" reference = "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/RAT/n-w0rm.yar#L1-L24" license_url = "N/A" hash = "08587e04a2196aa97a0f939812229d2d" - logic_hash = "v1_sha256_04078c57c1aa0065fceec7dc92b201bda23de1c5f5a940803a81250bdd685736" + logic_hash = "04078c57c1aa0065fceec7dc92b201bda23de1c5f5a940803a81250bdd685736" score = 75 quality = 70 tags = "FILE" 
@@ -214963,14 +215149,14 @@ rule SECUINFRA_DROPPER_WSHRAT_Stage_1 : FILE meta: description = "Detects the first stage of WSHRAT as obfuscated JavaScript" author = "SECUINFRA Falcon Team" - id = "a8b0bfae-d06b-5cfc-8e1b-08ad07c1873f" + id = "3bd363dc-3183-595e-931b-668eb17495f5" date = "2022-11-02" modified = "2022-02-27" reference = "https://bazaar.abuse.ch/sample/ad24ae27346d930e75283b10d4b949a4986c18dbd5872a91f073334a08169a14/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Dropper/wshrat.yar#L1-L18" license_url = "N/A" hash = "793eff1b2039727e76fdd04300d44fc6" - logic_hash = "v1_sha256_1390929d06bd1259dbab425fd4e953119f632be460f57756a0c226e9f510d75a" + logic_hash = "1390929d06bd1259dbab425fd4e953119f632be460f57756a0c226e9f510d75a" score = 75 quality = 70 tags = "FILE" @@ -214989,13 +215175,13 @@ rule SECUINFRA_DROPPER_Njrat_VBS : VBS NJRAT DROPPER FILE meta: description = "No description has been set in the source file - SecuInfra" author = "SECUINFRA Falcon Team" - id = "917a5313-9e75-505e-afc7-0d3298958e7f" + id = "5296667a-2932-597e-8f49-b7fa755cb387" date = "2022-02-27" modified = "2022-02-27" reference = "https://bazaar.abuse.ch/sample/daea0b5dfcc3e20b75292df60fe5f0e16a40735254485ff6cc7884697a007c0d/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Dropper/njrat.yar#L2-L23" license_url = "N/A" - logic_hash = "v1_sha256_7640be8850992ee7f05e85e1f781b4c63ccf958cf62da8deacfe9bb116627ceb" + logic_hash = "7640be8850992ee7f05e85e1f781b4c63ccf958cf62da8deacfe9bb116627ceb" score = 75 quality = 70 tags = "VBS, NJRAT, DROPPER, FILE" 
@@ -215017,13 +215203,13 @@ rule SECUINFRA_DROPPER_Vjw0Rm_Stage_1 : JAVASCRIPT DROPPER VJW0RM FILE meta: description = "No description has been set in the source file - SecuInfra" author = "SECUINFRA Falcon Team" - id = "b8856fc7-b910-5b0a-a458-1797904d4ca9" + id = "a07f80e4-56c3-5b75-be64-648bc1fde964" date = "2022-02-19" modified = "2022-02-27" reference = "https://bazaar.abuse.ch/browse.php?search=tag%3AVjw0rm" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Dropper/Vjw0rm.yar#L2-L19" license_url = "N/A" - logic_hash = "v1_sha256_e5cc23431239e8a650369729050809cf6fe2acc58941086f79ce004b4f506eed" + logic_hash = "e5cc23431239e8a650369729050809cf6fe2acc58941086f79ce004b4f506eed" score = 75 quality = 20 tags = "JAVASCRIPT, DROPPER, VJW0RM, FILE" @@ -215043,13 +215229,13 @@ rule SECUINFRA_DROPPER_Valyria_Stage_1 : JAVASCRIPT VBS VALYRIA FILE meta: description = "Family was taken from VirusTotal" author = "SECUINFRA Falcon Team" - id = "5a12e833-212a-5b32-ada7-72772ad89454" + id = "7e2ab9db-142c-5dee-92b7-4a70d747c540" date = "2022-02-18" modified = "2022-02-18" reference = "https://bazaar.abuse.ch/sample/c8a8fea3cbe08cd97e56a0e0dbc59a892f8ab1ff3b5217ca3c9b326eeee6ca66/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Dropper/valyria.yar#L1-L23" license_url = "N/A" - logic_hash = "v1_sha256_94643123a4be26c818d43a77b907edf8651d306463f4df750db67cef790f10eb" + logic_hash = "94643123a4be26c818d43a77b907edf8651d306463f4df750db67cef790f10eb" score = 75 quality = 70 tags = "JAVASCRIPT, VBS, VALYRIA, FILE" 
@@ -215073,14 +215259,14 @@ rule SECUINFRA_DROPPER_Unknown_1 : DROPPER HTA FILE meta: description = "Detects unknown HTA Dropper" author = "SECUINFRA Falcon Team" - id = "5cfd547b-be8b-59a6-9258-ba07f08b08e2" + id = "70c06b9d-8474-5b6e-bd9c-d45a25585ee9" date = "2022-10-02" modified = "2022-02-19" reference = "https://bazaar.abuse.ch/sample/c2bf8931028e0a18eeb8f1a958ade0ab9d64a00c16f72c1a3459f160f0761348/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Dropper/unknown.yar#L1-L21" license_url = "N/A" hash = "1749f4127bba3f7204710286b1252e14" - logic_hash = "v1_sha256_d02874514bcb6c3603d1bfee702ec9e18c15153bc14a55ca8d637308c3f35a75" + logic_hash = "d02874514bcb6c3603d1bfee702ec9e18c15153bc14a55ca8d637308c3f35a75" score = 75 quality = 43 tags = "DROPPER, HTA, FILE" @@ -215101,14 +215287,14 @@ rule SECUINFRA_MAL_Agenttesla_Stage_1 : JAVASCRIPT AGENTTESLA OBFUSCATORIO FILE meta: description = "Detects the first stage of AgentTesla (JavaScript)" author = "SECUINFRA Falcon Team" - id = "9b5129b0-1d6d-58bc-a593-5e949f6b4c03" + id = "0a098f27-8dbc-5749-9a0d-fd0198184c7a" date = "2022-02-27" modified = "2022-02-27" reference = "https://bazaar.abuse.ch/sample/bd257d674778100639b298ea35550bf3bcb8b518978c502453e9839846f9bbec/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Dropper/agent_tesla.yar#L1-L18" license_url = "N/A" hash = "bd257d674778100639b298ea35550bf3bcb8b518978c502453e9839846f9bbec" - logic_hash = "v1_sha256_7c21f80a02aa161ffb2edf47aff796f22aff2a563abcb0097cc86371c05e516d" + logic_hash = "7c21f80a02aa161ffb2edf47aff796f22aff2a563abcb0097cc86371c05e516d" score = 75 quality = 45 tags = "JAVASCRIPT, AGENTTESLA, OBFUSCATORIO, FILE" 
@@ -215128,13 +215314,13 @@ rule SECUINFRA_DROPPER_Asyncrat_VBS_February_2022_1 : FILE meta: description = "No description has been set in the source file - SecuInfra" author = "SECUINFRA Falcon Team" - id = "0aa7c733-e24a-548f-98ee-9a16f11b4061" + id = "80f84c2f-7af0-55c1-bc06-d605beae3e33" date = "2022-02-21" modified = "2022-02-21" reference = "https://bazaar.abuse.ch/sample/06cd1e75f05d55ac1ea77ef7bee38bb3b748110b79128dab4c300f1796a2b941/" source_url = "https://github.com/SIFalcon/Detection/blob/2d7c66d7d16c7541bf2a9a83a7a6d334364a26fd/Yara/Dropper/asyncrat.yar#L2-L18" license_url = "N/A" - logic_hash = "v1_sha256_80c86b0cbb7382135bb9ae8c80ac42f499081fe1fe48fadf21f0e136bcc04358" + logic_hash = "80c86b0cbb7382135bb9ae8c80ac42f499081fe1fe48fadf21f0e136bcc04358" score = 75 quality = 70 tags = "FILE" @@ -215152,9 +215338,9 @@ rule SECUINFRA_DROPPER_Asyncrat_VBS_February_2022_1 : FILE * YARA Rule Set * Repository Name: RussianPanda * Repository: https://github.com/RussianPanda95/Yara-Rules - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: 2b40630c067f4ba3a207fcf1951e07a9a01ba69a - * Number of Rules: 75 + * Number of Rules: 76 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) * * 
@@ -215167,14 +215353,14 @@ rule RUSSIANPANDA_Susp_Obf_Py_Marshal_Module : FILE meta: description = "Detects Obfuscated Code Using Python Marshal Module" author = "RussianPanda" - id = "0e41950f-f225-5375-b997-e889927a195d" + id = "23ed45f6-69ba-5027-ad68-4be858fc1f91" date = "2024-01-16" modified = "2024-01-16" reference = "https://www.trendmicro.com/fr_fr/research/23/j/infection-techniques-across-supply-chains-and-codebases.html" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Techniques/susp_obf_py_marshal_module.yar#L1-L18" license_url = "N/A" hash = "d740129ff6bdb65a324eadf4ac8de3893a54306cf2a11712a305ef6247204092" - logic_hash = "v1_sha256_f150fae6d7a4642f714f4620dab65f452e5eb9cb57e9cbea46010aac3ecbb3cb" + logic_hash = "f150fae6d7a4642f714f4620dab65f452e5eb9cb57e9cbea46010aac3ecbb3cb" score = 65 quality = 60 tags = "FILE" @@ -215194,13 +215380,13 @@ rule RUSSIANPANDA_Win_Sus_Internetshortcutfile meta: description = "Detects suspicious Internet Shortcut Files that are often used to retrieve malware" author = "RussianPanda" - id = "cd0b3f87-25f0-5bb1-99c8-f0ce02a62a8c" + id = "88d5d33f-0342-5575-b5e4-31ac5695abf2" date = "2024-02-17" modified = "2024-02-17" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Techniques/win_sus_InternetShortcutFile.yar#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_9ec321ba521949fcc1db09b843913424182bfbb14eac61e92b7132d88b275ceb" + logic_hash = "9ec321ba521949fcc1db09b843913424182bfbb14eac61e92b7132d88b275ceb" score = 65 quality = 58 tags = "" 
@@ -215224,14 +215410,14 @@ rule RUSSIANPANDA_Golang_Base64_Enc : FILE meta: description = "Detects Base64 Encoding and Decoding patterns in Golang binaries" author = "RussianPanda" - id = "4295cfaf-c3e6-5ae0-b907-16e26b6bd064" + id = "6330e005-9c67-5acd-9063-aa7e30e92f5f" date = "2024-01-10" modified = "2024-01-14" reference = "https://unprotect.it/technique/base64/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Techniques/golang_base64_enc.yar#L1-L18" license_url = "N/A" hash = "509a359b4d0cd993497671b91255c3775628b078cde31a32158c1bc3b2ce461c" - logic_hash = "v1_sha256_72cf3ee948df9c4ce593f16a49397e79fdc5ecc3264b3685bbc54f60ed1278bd" + logic_hash = "72cf3ee948df9c4ce593f16a49397e79fdc5ecc3264b3685bbc54f60ed1278bd" score = 75 quality = 83 tags = "FILE" @@ -215250,14 +215436,14 @@ rule RUSSIANPANDA_Check_Installed_Software : FILE meta: description = "No description has been set in the source file - RussianPanda" author = "RussianPanda" - id = "b6844286-b923-52bd-b9c5-f2ad7d5ca39a" + id = "a45c7012-dc83-59da-a691-251f0a06be12" date = "2024-01-14" modified = "2024-01-15" reference = "https://unprotect.it/technique/checking-installed-software/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Techniques/check_installed_software.yar#L1-L19" license_url = "N/A" hash = "db44d4cd1ea8142790a6b26880b41ee23de5db5c2a63afb9ee54585882f1aa07" - logic_hash = "v1_sha256_ab079f1edaffca5bce1e872d6e4fc44f7c22b9260feaed7cd38e578646d420ef" + logic_hash = "ab079f1edaffca5bce1e872d6e4fc44f7c22b9260feaed7cd38e578646d420ef" score = 45 quality = 35 tags = "FILE" 
@@ -215276,14 +215462,14 @@ rule RUSSIANPANDA_Zharkbot : FILE meta: description = "Detects ZharkBot, version 1.2.5" author = "RussianPanda" - id = "35751844-4a0c-5fb1-acff-3ed320e3a0cd" + id = "e20875ed-a0a1-5ac8-8758-33766c522c17" date = "2024-09-02" modified = "2024-09-03" reference = "https://research.openanalysis.net/zharkbot/triage/x64dbg/2024/09/02/zharkbot-config.html" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/ZharkBot/Zharkbot.yar#L1-L15" license_url = "N/A" hash = "1aa0622a744ec4d28a561bac60ec5e907476587efbadfde546d2b145be4b8109" - logic_hash = "v1_sha256_fded6a0c7af4fda13619778669ef619f88b43e12f12284a3c551c4fddac01024" + logic_hash = "fded6a0c7af4fda13619778669ef619f88b43e12f12284a3c551c4fddac01024" score = 75 quality = 85 tags = "FILE" @@ -215300,14 +215486,14 @@ rule RUSSIANPANDA_Zharkbot_1 : FILE meta: description = "Detects ZharkBot" author = "RussianPanda" - id = "e60461bb-5633-5152-ac6f-3541c7ba0cf1" + id = "54213d76-7e27-559d-b653-5390a0c6813c" date = "2024-01-21" modified = "2024-03-12" reference = "https://x.com/ViriBack/status/1749184882822029564?s=20" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/ZharkBot/zharkbot.yar#L1-L15" license_url = "N/A" hash = "d53ce8c0a8a89c2e3eb080849da8b1c47eaac614248fc55d03706dd5b4e10bdd" - logic_hash = "v1_sha256_ffaec6b19dd4385cd1bc156fdfde39a356367c7fba4135c48a8de62a18a78576" + logic_hash = "ffaec6b19dd4385cd1bc156fdfde39a356367c7fba4135c48a8de62a18a78576" score = 75 quality = 85 tags = "FILE" 
@@ -215324,14 +215510,14 @@ rule RUSSIANPANDA_Sentinel_Stealer meta: description = "Detects Sentinel Stealer" author = "RussianPanda" - id = "d743f249-4388-533c-8cb2-67905791e64e" + id = "8a221d7b-8fa6-53cd-a3e8-63cc67285186" date = "2024-01-19" modified = "2024-01-19" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SentinelStealer/sentinel_stealer.yar#L1-L14" license_url = "N/A" hash = "3a540a8a81c5a5b452f154d7875423a3" - logic_hash = "v1_sha256_b9d72848842ea4d26544633bb83fccd17239b28493bde3f73341eb2004d8ee0c" + logic_hash = "b9d72848842ea4d26544633bb83fccd17239b28493bde3f73341eb2004d8ee0c" score = 75 quality = 85 tags = "" @@ -215349,14 +215535,14 @@ rule RUSSIANPANDA_Lummac2 : FILE meta: description = "Detects LummaC2 Stealer" author = "RussianPanda" - id = "b4070d9e-48b2-5ce4-9717-d7177f811ec5" + id = "94d6b63f-066e-59d2-9d14-24c5d5219ba8" date = "2024-09-12" modified = "2024-09-12" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/LummaC2/LummaC2.yar#L1-L14" license_url = "N/A" hash = "988f54f9694dd1ae701bacec3b83c752" - logic_hash = "v1_sha256_875709f48ff93c8e986f3c1d2e32268bf3458d870082072e7727d8ec85b1a021" + logic_hash = "875709f48ff93c8e986f3c1d2e32268bf3458d870082072e7727d8ec85b1a021" score = 75 quality = 85 tags = "FILE" 
@@ -215373,14 +215559,14 @@ rule RUSSIANPANDA_Johnwalkertexasloader_V2 : FILE meta: description = "Detects JohnWalkerTexasLoader (JWTL)" author = "RussianPanda" - id = "a0504ae4-b0fa-56b4-bdb2-8a978f95f448" + id = "1a05245e-5ee0-5916-801b-4f7f3a573e71" date = "2024-10-15" modified = "2024-10-15" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/JWTL/JohnWalkerTexasLoader_v2.yar#L1-L16" license_url = "N/A" hash = "9f6bf0473f5541d84faad4c33a0bc5b1928fceb5938f2d6a7e6e02b7f0980341" - logic_hash = "v1_sha256_70cbf6cf0602dc8087f4845451d13d0043872733615050161c077e3346387873" + logic_hash = "70cbf6cf0602dc8087f4845451d13d0043872733615050161c077e3346387873" score = 75 quality = 81 tags = "FILE" @@ -215398,14 +215584,14 @@ rule RUSSIANPANDA_Johnwalkertexasloader : FILE meta: description = "Detects JohnWalkerTexasLoader (JWTL)" author = "RussianPanda" - id = "5628bc7b-4dc4-5bb3-8228-9de082be62d0" + id = "af91ab47-245b-58f2-a35a-1cb408b2229a" date = "2024-10-10" modified = "2024-10-10" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/JWTL/JohnWalkerTexasLoader.yar#L1-L16" license_url = "N/A" hash = "3784fc39dc5c0dec08ad0a49bbbb990359e313a9fa87e6842fd67ed7cc1c0baa" - logic_hash = "v1_sha256_414be3219d12823639d140d132a9bbc2ca7bf8c44d0c560e4a49b76323be3f8a" + logic_hash = "414be3219d12823639d140d132a9bbc2ca7bf8c44d0c560e4a49b76323be3f8a" score = 75 quality = 85 tags = "FILE" 
@@ -215423,13 +215609,13 @@ rule RUSSIANPANDA_Danabot meta: description = "Detects DanaBot" author = "RussianPanda" - id = "b0ecf5b5-a40f-56a9-8374-bf53ee8e9d32" + id = "804604d9-db3b-5678-ae0d-67f0e876c93e" date = "2023-12-01" modified = "2023-12-01" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/DanaBot/danabot_yara.yar#L1-L17" license_url = "N/A" - logic_hash = "v1_sha256_4968531f27fa1a8bc3fca536a04b75277adefc42addb9f1999c564510cbcb684" + logic_hash = "4968531f27fa1a8bc3fca536a04b75277adefc42addb9f1999c564510cbcb684" score = 75 quality = 83 tags = "" @@ -215450,14 +215636,14 @@ rule RUSSIANPANDA_Win_Mal_Rustydropper : FILE meta: description = "Detects RustyDropper" author = "RussianPanda" - id = "f254ed4b-fed4-5189-bb2b-e0c46fa2e4d6" + id = "9f217080-81e0-547a-9336-cf8ac2fadf36" date = "2024-03-01" modified = "2024-03-01" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/RustyDropper/win_mal_RustyDropper.yar#L1-L12" license_url = "N/A" hash = "a3a5e7011335a2284e2d4f73fd464ff129f0c9276878a054c1932bc50608584b" - logic_hash = "v1_sha256_d0c76bcd1af63cc1b1fbabc3fa33e6caafd7d9c7c3780a94a1ed37eadef655d7" + logic_hash = "d0c76bcd1af63cc1b1fbabc3fa33e6caafd7d9c7c3780a94a1ed37eadef655d7" score = 75 quality = 81 tags = "FILE" 
@@ -215474,13 +215660,13 @@ rule RUSSIANPANDA_Win_Mal_Zloader : FILE meta: description = "Detects Zloader and other Zloader modules that employ the same encryption" author = "RussianPanda" - id = "ce58383a-a3b7-5610-91cb-c08465d503af" + id = "3f72e067-c82b-5c65-92c8-010955971d87" date = "2024-03-10" modified = "2024-03-10" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Zloader/win_mal_Zloader.yar#L1-L13" license_url = "N/A" - logic_hash = "v1_sha256_9ac9e8ca4a6f84e1bccac2292705ee6ebbc1595eb3f40ed777f7973e9bda7fc1" + logic_hash = "9ac9e8ca4a6f84e1bccac2292705ee6ebbc1595eb3f40ed777f7973e9bda7fc1" score = 75 quality = 85 tags = "FILE" @@ -215499,14 +215685,14 @@ rule RUSSIANPANDA_Win_Mal_Glorysprout_Stealer : FILE meta: description = "Detects GlorySprout Stealer" author = "RussianPanda" - id = "bd63520d-9e0a-5401-9e42-51fb9c529eb2" + id = "44c50f20-479e-5960-9ab9-97b9a17d7cbf" date = "2024-03-16" modified = "2024-03-16" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/GlorySprout/win_mal_GlorySprout_Stealer.yar#L1-L13" license_url = "N/A" hash = "8996c252fc41b7ec0ec73ce814e84136be6efef898822146c25af2330f4fd04a" - logic_hash = "v1_sha256_c843f7924e69c1b9fc3676178aa630319fe25605deddcd73c4905c51cc97d7eb" + logic_hash = "c843f7924e69c1b9fc3676178aa630319fe25605deddcd73c4905c51cc97d7eb" score = 75 quality = 85 tags = "FILE" 
@@ -215524,14 +215710,14 @@ rule RUSSIANPANDA_Mal_Botnetfenix_Payload : FILE meta: description = "Detects BotnetFenix payload" author = "RussianPanda" - id = "279f3c2a-f849-5e58-97d3-c54273ab5895" + id = "566bfae1-c43d-5bd6-adcf-faff32d8c325" date = "2024-02-02" modified = "2024-02-04" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/FenixBotnet/mal_BotnetFenix_Payload.yar#L1-L16" license_url = "N/A" hash = "65a9575c50a96d04a3f649fe0f6b8ccd" - logic_hash = "v1_sha256_27f423b509ad8de0f8389c7b3e3bfec2eeb10c964aa8c70bad47cc4334df1a5e" + logic_hash = "27f423b509ad8de0f8389c7b3e3bfec2eeb10c964aa8c70bad47cc4334df1a5e" score = 75 quality = 85 tags = "FILE" @@ -215552,14 +215738,14 @@ rule RUSSIANPANDA_Mal_Fenixbotnet_Jse meta: description = "Detects Fenix Botnet JSE downloader" author = "RussianPanda" - id = "1e756db2-68a9-5337-a2f1-6acde19f5797" + id = "00c6f8a6-c2e2-5b08-b332-b91371060bbe" date = "2024-01-18" modified = "2024-02-02" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/FenixBotnet/mal_FenixBotnet_jse.yar#L1-L14" license_url = "N/A" hash = "a7fadf0050d4d0b2cefd808e16dfde69" - logic_hash = "v1_sha256_848c00361fba60e63e8ec4098404e87d4ba2b11d8489ad16d49c20fc653a5e45" + logic_hash = "848c00361fba60e63e8ec4098404e87d4ba2b11d8489ad16d49c20fc653a5e45" score = 75 quality = 85 tags = "" 
@@ -215578,13 +215764,13 @@ rule RUSSIANPANDA_Mal_Asuka_Stealer : FILE meta: description = "Detects AsukaStealer" author = "RussianPanda" - id = "f6d1b85e-c7ce-5a4a-b97c-2dc5e1bf98d3" + id = "a718be5f-dc76-5610-9237-038a9719d7e5" date = "2024-02-02" modified = "2024-03-18" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/AsukaStealer/mal_asuka_stealer.yar#L1-L12" license_url = "N/A" - logic_hash = "v1_sha256_7974e0de821ddcafd4f00b27d587108f0d80f8a231dd0db4d2be4fa6ab44fef4" + logic_hash = "7974e0de821ddcafd4f00b27d587108f0d80f8a231dd0db4d2be4fa6ab44fef4" score = 75 quality = 85 tags = "FILE" @@ -215604,13 +215790,13 @@ rule RUSSIANPANDA_Swaetrat meta: description = "Detects SwaetRAT" author = "RussianPanda" - id = "5784af70-a809-5372-b84f-e04423ebd223" + id = "e5238ae4-7ae3-505c-a3fd-ecf6be608fac" date = "2023-11-27" modified = "2023-11-27" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SwaetRAT/swaetrat.yar#L3-L19" license_url = "N/A" - logic_hash = "v1_sha256_4dc1107a34d678c3fa0939fab7986fe744ac246400823d08b1ab6db0942821da" + logic_hash = "4dc1107a34d678c3fa0939fab7986fe744ac246400823d08b1ab6db0942821da" score = 75 quality = 85 tags = "" 
@@ -215631,14 +215817,14 @@ rule RUSSIANPANDA_Purecrypter_Core : FILE meta: description = "Detects PureCrypter Core payload" author = "RussianPanda" - id = "b897aa42-13ae-5d14-a526-9d2dcadab9de" + id = "41aaa187-0fb5-53fe-a162-8d1a4974ccc1" date = "2024-01-09" modified = "2024-01-09" reference = "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/PureCrypter/purecrypter_core.yar#L3-L28" license_url = "N/A" hash = "e4faa7d7a098414449abffb210fd874798207ee9d27643c8088676ff429b56b7" - logic_hash = "v1_sha256_8c761a98369436ffbe1379152461753778985a42ae656567018b47c71af7d866" + logic_hash = "8c761a98369436ffbe1379152461753778985a42ae656567018b47c71af7d866" score = 75 quality = 81 tags = "FILE" @@ -215663,14 +215849,14 @@ rule RUSSIANPANDA_Purecrypter : FILE meta: description = "Detects PureCrypter" author = "RussianPanda" - id = "dcc81b77-6894-5da7-b1b9-812c397aef22" + id = "5670772c-ada1-55fa-b7fd-9dadd1756259" date = "2024-01-09" modified = "2024-01-09" reference = "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/PureCrypter/purecrypter.yar#L3-L22" license_url = "N/A" hash = "566d8749e166436792dfcbb5e5514f18c9afc0e1314833ac2e3d86f37ff2030f" - logic_hash = "v1_sha256_dd8592fa0b7d240d23235008601500a20e068032f6dcd6e90a38b06ac747b8af" + logic_hash = "dd8592fa0b7d240d23235008601500a20e068032f6dcd6e90a38b06ac747b8af" score = 75 quality = 83 tags = "FILE" 
@@ -215692,13 +215878,13 @@ rule RUSSIANPANDA_Bandit_Stealer : FILE meta: description = "Detects the latest build of Bandit Stealer" author = "RussianPanda" - id = "c28c30b4-64bc-5032-b9ac-ec961ed5358a" + id = "ed61177d-d70d-5062-8703-f2f2b9d63751" date = "2023-05-05" modified = "2023-05-05" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/BanditStealer/bandit_stealer.yar#L3-L21" license_url = "N/A" - logic_hash = "v1_sha256_304bf05a58d5b762ffe078457739188692f4f7109db929418832c4379b21ae72" + logic_hash = "304bf05a58d5b762ffe078457739188692f4f7109db929418832c4379b21ae72" score = 50 quality = 85 tags = "FILE" @@ -215715,13 +215901,13 @@ rule RUSSIANPANDA_Win_Mal_Gobitloader : FILE meta: description = "Detects GoBitLoader" author = "RussianPanda" - id = "eea80726-3923-5683-8fef-9575a9981138" + id = "4ebc7987-c1b2-5682-943f-7c19a9cb6b36" date = "2024-03-24" modified = "2024-03-24" reference = "https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader-pushes-rhadamanthys" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/GoBitLoader/win_mal_GoBitLoader.yar#L1-L13" license_url = "N/A" - logic_hash = "v1_sha256_66951b290bef6a6c9eef4ea674472465dfe0ec5072dce21f48b58191f7ce90e3" + logic_hash = "66951b290bef6a6c9eef4ea674472465dfe0ec5072dce21f48b58191f7ce90e3" score = 75 quality = 79 tags = "FILE" 
@@ -215739,14 +215925,14 @@ rule RUSSIANPANDA_Easycrypter : FILE meta: description = "Detects EasyCrypter" author = "RussianPanda" - id = "61a1d5cb-81a4-5102-af36-09d3b7e809a1" + id = "73b01a6c-dcd1-502e-a431-daf82ab3ed50" date = "2024-01-05" modified = "2024-01-05" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/EasyCrypter/easycrypter.yar#L1-L16" license_url = "N/A" hash = "60063c99fda3b6c5c839ec1c310b03e8f9c7c8823f2eb7bf75e22c6d738ffa8f" - logic_hash = "v1_sha256_761ed4629150453009b76d9c2ad251754009b464550b92dab3395fa30422f6ef" + logic_hash = "761ed4629150453009b76d9c2ad251754009b464550b92dab3395fa30422f6ef" score = 75 quality = 85 tags = "FILE" @@ -215763,14 +215949,14 @@ rule RUSSIANPANDA_Win_Mal_Mpxdropper : FILE meta: description = "Detects MpxDropper" author = "RussianPanda" - id = "0616c052-4bd7-5fe5-a4ca-b732b0ab5fa6" + id = "26ee0a12-c727-5953-8ebb-dd8a8d772561" date = "2024-03-01" modified = "2024-03-01" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/MpxDropper/mal_win_MpxDropper.yar#L1-L11" license_url = "N/A" hash = "3a44a45afbfe5fc7cdeb3723e05c4e892b079abdb7d1e8d6fc70496ef0a14d5d" - logic_hash = "v1_sha256_e8d2672553c7f44e1cc177fad6596bd58b5c32a7541f91ce1207e6b21ef6e52d" + logic_hash = "e8d2672553c7f44e1cc177fad6596bd58b5c32a7541f91ce1207e6b21ef6e52d" score = 75 quality = 83 tags = "FILE" 
@@ -215786,14 +215972,14 @@ rule RUSSIANPANDA_Ghostgambit : FILE meta: description = "Detects GhostGambit dropper" author = "RussianPanda" - id = "17ea7fbe-4041-5fd9-a3d0-7d795388e6e7" + id = "0348b9fa-59be-5f30-8ebc-f1e87cf98b07" date = "2024-07-09" modified = "2024-07-09" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/GhostGambit/GhostGambit.yar#L1-L14" license_url = "N/A" hash = "2b16c68d9bafbd2ecf3634d991d7c794" - logic_hash = "v1_sha256_419efbea3c347d0ec9365c0c21cccb6f229f8c42d22a2bcfdf14854e7f83aea1" + logic_hash = "419efbea3c347d0ec9365c0c21cccb6f229f8c42d22a2bcfdf14854e7f83aea1" score = 75 quality = 85 tags = "FILE" @@ -215814,13 +216000,13 @@ rule RUSSIANPANDA_Ducktail_Myrdpservice_Bot : FILE meta: description = "Detects Ducktail myRdpService bot" author = "RussianPanda" - id = "e5e0a2b6-9cb3-5075-a6b2-215320a560d0" + id = "50786786-a7db-5290-a363-6fda139a0343" date = "2023-12-24" modified = "2023-12-26" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Ducktail/ducktail_myrdpservice-12-2023.yar#L3-L17" license_url = "N/A" - logic_hash = "v1_sha256_a329067fbb2acc34c4970167bbce0706c5a3ec09ee89ce16817c105ae1c17b1b" + logic_hash = "a329067fbb2acc34c4970167bbce0706c5a3ec09ee89ce16817c105ae1c17b1b" score = 75 quality = 85 tags = "FILE" 
@@ -215838,13 +216024,13 @@ rule RUSSIANPANDA_Ducktail : FILE meta: description = "Ducktail Infostealer" author = "RussianPanda" - id = "f7df4df0-de62-537e-88a7-903e38367ea4" + id = "14ba165f-a1f3-5820-a6d8-e2b6ab2fbb51" date = "2023-04-25" modified = "2023-05-05" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Ducktail/ducktail.yar#L1-L16" license_url = "N/A" - logic_hash = "v1_sha256_cb248870f6945d7a6d60d54944dc726d40ba326448af39b87325ec56445602a5" + logic_hash = "cb248870f6945d7a6d60d54944dc726d40ba326448af39b87325ec56445602a5" score = 75 quality = 73 tags = "FILE" @@ -215867,13 +216053,13 @@ rule RUSSIANPANDA_Ducktail_Mainbot : FILE meta: description = "Detects Ducktail mainbot" author = "RussianPanda" - id = "8cbd09ed-10ec-5cd8-b0e3-bc305176bf56" + id = "f280903f-13d3-54e1-8308-781e3f777d13" date = "2023-12-24" modified = "2023-12-26" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Ducktail/ducktail_mainbot-12-2023.yar#L3-L19" license_url = "N/A" - logic_hash = "v1_sha256_33b85c6e1e1137aeeb07eba957b73d738a70ddc561b42bd2d39258e90280fca4" + logic_hash = "33b85c6e1e1137aeeb07eba957b73d738a70ddc561b42bd2d39258e90280fca4" score = 75 quality = 85 tags = "FILE" 
@@ -215892,13 +216078,13 @@ rule RUSSIANPANDA_Prysmax_Stealer : FILE meta: description = "Detects Prysmax Stealer" author = "RussianPanda" - id = "86096c82-455b-5b71-b2cb-5a8b9adffdf4" + id = "97ab92b8-1771-5881-9cd1-d8ff76b8f380" date = "2024-01-09" modified = "2024-01-10" reference = "https://www.cyfirma.com/outofband/new-maas-prysmax-launches-fully-undetectable-infostealer/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Prysmax Stealer/prysmax_stealer.yar#L1-L21" license_url = "N/A" - logic_hash = "v1_sha256_869eee7dd5209bdea98c248791b9ac911e3daabe6d440aa62aecefa43539a41c" + logic_hash = "869eee7dd5209bdea98c248791b9ac911e3daabe6d440aa62aecefa43539a41c" score = 75 quality = 73 tags = "FILE" @@ -215921,13 +216107,13 @@ rule RUSSIANPANDA_Metastealer meta: description = "Detects the old version of MetaStealer 11-2023" author = "RussianPanda" - id = "ef7e51c1-3c0d-5088-bc64-a221db90a9ce" + id = "c178630b-d188-5faf-86b3-436894241d77" date = "2023-11-16" modified = "2023-12-30" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/MetaStealer/metastealer.yar#L2-L19" license_url = "N/A" - logic_hash = "v1_sha256_f78b376713daf82aa2e0cbd6bf45f33d25530449fa05673c8a7c6b4c0dddca79" + logic_hash = "f78b376713daf82aa2e0cbd6bf45f33d25530449fa05673c8a7c6b4c0dddca79" score = 75 quality = 85 tags = "" 
@@ -215947,13 +216133,13 @@ rule RUSSIANPANDA_Metastealer_NET_Reactor_Packer : FILE meta: description = "Detects NET_Reactor_packer 12-2023 used in MetaStealer" author = "RussianPanda" - id = "67bcaf63-12fa-5926-9222-20e57db05211" + id = "5d4f62d2-6a27-53af-9b03-61daa99c10a4" date = "2023-12-29" modified = "2023-12-30" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/MetaStealer/metastealer_12-2023_packer.yar#L1-L16" license_url = "N/A" - logic_hash = "v1_sha256_1951d8b05f11b8a77a5bf792ad2b0ad95b8dede936ab5cd0699383468c3c97a8" + logic_hash = "1951d8b05f11b8a77a5bf792ad2b0ad95b8dede936ab5cd0699383468c3c97a8" score = 75 quality = 83 tags = "FILE" @@ -215974,13 +216160,13 @@ rule RUSSIANPANDA_Metastealer_Core_Payload meta: description = "Detects MetaStealer Core Payload" author = "RussianPanda" - id = "2a1c5e2b-0246-5d21-aa10-751f68ff5362" + id = "ff5854b5-4dac-59d7-8c5a-d5b808d63483" date = "2023-12-29" modified = "2023-12-29" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/MetaStealer/metastealer_core_payload_12-2023.yar#L2-L19" license_url = "N/A" - logic_hash = "v1_sha256_99a319023f2c1b714a70458bd33649d6cc343b500a409af12c2eb1ce38ba4241" + logic_hash = "99a319023f2c1b714a70458bd33649d6cc343b500a409af12c2eb1ce38ba4241" score = 75 quality = 85 tags = "" 
@@ -216000,13 +216186,13 @@ rule RUSSIANPANDA_Aurorastealer_March_2023 meta: description = "Detects an unobfuscated AuroraStealer March update binary" author = "RussianPanda" - id = "c336b8f0-6431-5f19-89e9-7ae5578efc30" + id = "a115de7a-bff7-5bb0-b83f-f66a29bbcf3f" date = "2023-03-23" modified = "2023-05-05" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/AuroraStealer/Aurora_March_2023.yar#L1-L15" license_url = "N/A" - logic_hash = "v1_sha256_d74d2843a03e826f334ce3c5eb10cc2b43cfd832174769e5d067fb877abe13a0" + logic_hash = "d74d2843a03e826f334ce3c5eb10cc2b43cfd832174769e5d067fb877abe13a0" score = 75 quality = 85 tags = "" @@ -216023,13 +216209,13 @@ rule RUSSIANPANDA_Aurorastealer_1 meta: description = "Detects the Build/Group IDs if present / detects an unobfuscated AuroraStealer binary; tested on version 22.12.2022" author = "RussianPanda" - id = "87979a9d-4ff1-51ff-ad9b-9b24892e39f3" + id = "1a94096f-c838-5272-856e-42efbd123a31" date = "2023-02-07" modified = "2023-05-05" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/AuroraStealer/AuroraStealer.yar#L1-L16" license_url = "N/A" - logic_hash = "v1_sha256_7a9900266a0dfa7bf0ea91a0260a1d30bd7799a491fba87db083f4fea4115f2a" + logic_hash = "7a9900266a0dfa7bf0ea91a0260a1d30bd7799a491fba87db083f4fea4115f2a" score = 50 quality = 85 tags = "" 
@@ -216049,13 +216235,13 @@ rule RUSSIANPANDA_Purelogs_Stealer_Core : FILE meta: description = "Detects Pure Logs Stealer Core Payload" author = "RussianPanda" - id = "735760fe-6b07-5b90-ae3b-4d5e83c2c0da" + id = "bda876c3-76ce-5e1e-8dd4-f06e8240fc11" date = "2023-12-26" modified = "2024-01-10" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Pure Logs Stealer/purelogs_stealer_core.yar#L3-L18" license_url = "N/A" - logic_hash = "v1_sha256_7388299ebcc70aeb86c46c29a787f790993a67148d9f3968def1109e45f69452" + logic_hash = "7388299ebcc70aeb86c46c29a787f790993a67148d9f3968def1109e45f69452" score = 75 quality = 83 tags = "FILE" @@ -216073,13 +216259,13 @@ rule RUSSIANPANDA_Purelogs_Stealer_Initial_Dropper : FILE meta: description = "Detects PureLogs Stealer Initial Payload" author = "RussianPanda" - id = "2ee7d3a5-07b9-56ee-8481-19025c5ab857" + id = "c1e6a0a0-f8ed-5b78-bcae-55c1c1dfc9e4" date = "2024-01-10" modified = "2024-01-10" reference = "https://russianpanda.com/2023/12/26/Pure-Logs-Stealer-Malware-Analysis/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Pure Logs Stealer/purelogs_stealer_initial_payload.yar#L1-L19" license_url = "N/A" - logic_hash = "v1_sha256_0fe94c705b94f82163f952d0a29aac4689947a1d439bdc1847ee510c25cf2e40" + logic_hash = "0fe94c705b94f82163f952d0a29aac4689947a1d439bdc1847ee510c25cf2e40" score = 75 quality = 85 tags = "FILE" 
@@ -216099,14 +216285,14 @@ rule RUSSIANPANDA_Darkvnc : FILE meta: description = "Detects DarkVNC" author = "RussianPanda" - id = "fc9c70ca-4dfb-5430-8b8a-883095ab21a4" + id = "dbc86ac8-5ea3-59a7-b3ab-68c603165720" date = "2024-01-15" modified = "2024-01-15" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/DarkVNC/darkvnc.yar#L1-L15" license_url = "N/A" hash = "3c74dccd06605bcf527ffc27b3122959" - logic_hash = "v1_sha256_1dd1246e0b22181706433f0cff9b231017e747d8faaa2db4cb9adefeab492ab7" + logic_hash = "1dd1246e0b22181706433f0cff9b231017e747d8faaa2db4cb9adefeab492ab7" score = 75 quality = 85 tags = "FILE" @@ -216125,14 +216311,14 @@ rule RUSSIANPANDA_Legionloader_Dropper : FILE meta: description = "Detects malicious LegionLoader DLL dropper" author = "RussianPanda" - id = "1d61d2ab-93b8-5291-a718-ec18d8c0bb7f" + id = "a1b04033-cfe0-5088-bfee-d08752e8840b" date = "2024-09-23" modified = "2024-09-23" reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.satacom" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/LegionLoader/LegionLoader_dropper.yar#L1-L17" license_url = "N/A" hash = "ef5b961ebc6167e728f9bf40e726ac71" - logic_hash = "v1_sha256_0871a6a0ab2c405793e8a49e662ba41acdcc6c8afac315f290de2cc05abd39fa" + logic_hash = "0871a6a0ab2c405793e8a49e662ba41acdcc6c8afac315f290de2cc05abd39fa" score = 75 quality = 85 tags = "FILE" 
@@ -216150,13 +216336,13 @@ rule RUSSIANPANDA_Win_Mal_Planetstealer : FILE meta: description = "Detects PlanetStealer" author = "RussianPanda" - id = "2b78ac1e-78ba-5ef6-ad5f-6cbca8140a70" + id = "f912066f-4151-5f83-8d34-6bffdf9e25e5" date = "2024-03-04" modified = "2024-03-24" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/PlanetStealer/win_mal_PlanetStealer.yar#L1-L14" license_url = "N/A" - logic_hash = "v1_sha256_e1660d6fed4c48b45b40bd51fb52254c5b19ca6f1938b68f2344bde473820b86" + logic_hash = "e1660d6fed4c48b45b40bd51fb52254c5b19ca6f1938b68f2344bde473820b86" score = 75 quality = 79 tags = "FILE" @@ -216176,14 +216362,14 @@ rule RUSSIANPANDA_Mal_Cleanuploader : FILE meta: description = "Detects CleanUpLoader" author = "RussianPanda" - id = "31ad6642-e02d-561f-94c3-44c1336eac5b" + id = "fc75fed2-0f8c-55c9-bd10-efe95a678f31" date = "2024-02-14" modified = "2024-02-14" reference = "https://x.com/AnFam17/status/1757871703282077857?s=20" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/CleanUpLoader/mal_cleanuploader.yar#L1-L14" license_url = "N/A" hash = "2b62dd154b431d8309002d5b4a35de07" - logic_hash = "v1_sha256_a9267c568c11420e36f0781469aa7d932c87d52707981912558eb0f4f84f673a" + logic_hash = "a9267c568c11420e36f0781469aa7d932c87d52707981912558eb0f4f84f673a" score = 75 quality = 83 tags = "FILE" 
@@ -216201,13 +216387,13 @@ rule RUSSIANPANDA_Pikabot_1 : FILE meta: description = "Detects PikaBot" author = "RussianPanda" - id = "c92a6faf-fbf3-5e0e-a055-55171bfa79d2" + id = "e740b821-69cc-5053-9f90-439b4364656f" date = "2024-01-02" modified = "2024-01-02" reference = "https://research.openanalysis.net/pikabot/debugging/string%20decryption/2023/11/12/new-pikabot.html" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/PikaBot/Pikabot_1-2-2024.yar#L1-L16" license_url = "N/A" - logic_hash = "v1_sha256_f2dd26c23aba72c2b6b959fb411381b7d3a7466f94bf5259f57e96e44d3ee153" + logic_hash = "f2dd26c23aba72c2b6b959fb411381b7d3a7466f94bf5259f57e96e44d3ee153" score = 75 quality = 85 tags = "FILE" @@ -216225,13 +216411,13 @@ rule RUSSIANPANDA_Vidar_DLL_Embedded meta: description = "Vidar Stealer with embedded DLL dependencies" author = "RussianPanda" - id = "e47af203-fb28-5d09-97d1-5b6ca4a166f0" + id = "462fe42a-2504-5e7e-ad90-2c7e54478204" date = "2023-05-02" modified = "2023-05-05" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/VidarStealer/vidar_ver3.6_3.7_dll_embedded.yar#L1-L21" license_url = "N/A" - logic_hash = "v1_sha256_98d23523c2ab196f670dc33164954fc69a1c1692fa870a476e25d7dd3cebace2" + logic_hash = "98d23523c2ab196f670dc33164954fc69a1c1692fa870a476e25d7dd3cebace2" score = 75 quality = 85 tags = "" 
@@ -216254,14 +216440,14 @@ rule RUSSIANPANDA_Raccoonstealer : FILE meta: description = "Detects Raccoon Stealer v2.3.1.1" author = "RussianPanda" - id = "8dc7c512-8bc5-5d83-b129-a59915bae98f" + id = "29f28cd5-370b-5831-8b71-a253f468f7e4" date = "2024-01-08" modified = "2024-01-08" reference = "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raccoon-stealer-v2-0" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/RaccoonStealer_v2/raccoonstealer_v2.3.1.1.yar#L1-L20" license_url = "N/A" hash = "c6d0d98dd43822fe12a1d785df4e391db3c92846b0473b54762fbb929de6f5cb" - logic_hash = "v1_sha256_ee2b39c1c2068b97e63a03330a2f9e2f12e53aaf9cfffb274acde2372a11fe45" + logic_hash = "ee2b39c1c2068b97e63a03330a2f9e2f12e53aaf9cfffb274acde2372a11fe45" score = 75 quality = 85 tags = "FILE" @@ -216282,13 +216468,13 @@ rule RUSSIANPANDA_Raccoonstealerv2 : FILE meta: description = "Detects the latest unpacked/unobfuscated build 2.1.0-4" author = "RussianPanda" - id = "f540a7b5-e627-5f70-a37b-9b11db723706" + id = "eda6216a-219b-5f60-8084-4c0c240a4cb4" date = "2023-04-17" modified = "2023-05-05" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/RaccoonStealer_v2/raccoonstealerv2_2.1.0-4_build.yar#L1-L14" license_url = "N/A" - logic_hash = "v1_sha256_e2226f08753a3571045953363c04ec52de3c79cd0cd29e7ecb6afaf2ad573e4e" + logic_hash = "e2226f08753a3571045953363c04ec52de3c79cd0cd29e7ecb6afaf2ad573e4e" score = 50 quality = 85 tags = "FILE" 
@@ -216308,14 +216494,14 @@ rule RUSSIANPANDA_Atomic_Stealer : FILE meta: description = "Detects Atomic Stealer targering MacOS" author = "RussianPanda" - id = "ea10360e-8cfb-54a9-98fb-4c10989f0803" + id = "259c5c33-0164-568f-aec4-4fe0a2c6d015" date = "2024-01-13" modified = "2024-01-17" reference = "https://www.bleepingcomputer.com/news/security/macos-info-stealers-quickly-evolve-to-evade-xprotect-detection/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/AtomicStealer/Atomic_Stealer.yar#L1-L27" license_url = "N/A" hash = "dd8aa38c7f06cb1c12a4d2c0927b6107" - logic_hash = "v1_sha256_7601e508aeccba943b54e675212993920c984271f655e68c19efaf6d12cfebd5" + logic_hash = "7601e508aeccba943b54e675212993920c984271f655e68c19efaf6d12cfebd5" score = 75 quality = 58 tags = "FILE" 
@@ -216332,18 +216518,47 @@ rule RUSSIANPANDA_Atomic_Stealer : FILE
 condition:
 ( uint32( 0 ) == 0xfeedface or uint32( 0 ) == 0xcefaedfe or uint32( 0 ) == 0xfeedfacf or uint32( 0 ) == 0xcffaedfe or uint32( 0 ) == 0xcafebabe or uint32( 0 ) == 0xbebafeca ) and all of ( $s* ) and #s1 > 60 and #s2 > 100 or ( all of ( $t* ) and #t1 > 10 and #t2 > 5 ) or ( #c1 > 200 and $c2 )
 }
+rule RUSSIANPANDA_Darkgate_Autoit
+{
+ meta:
+ description = "Detects DarkGate AutoIT script"
+ author = "RussianPanda"
+ id = "b30544b5-88c9-5a84-8582-f4f72b228f24"
+ date = "2024-01-26"
+ modified = "2024-01-26"
+ reference = "https://yara.readthedocs.io/en/stable/writingrules.html?highlight=xor"
+ source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/DarkGate/darkgate_autoit.yar#L1-L19"
+ license_url = "N/A"
+ hash = "e1803b01e3f187355dbeb87a0c91b76c"
+ logic_hash = "dda6726d09035d6f61ca331d18ed37f032c6f6a5ab88e1754a21587f4c79ac87"
+ score = 75
+ quality = 85
+ tags = ""
+
+ strings:
+ $h = "AU3!EA06"
+ $s1 = "just_test.txt" xor(0x01-0xff)
+ $s2 = "c:\\temp\\data.txt" xor(0x01-0xff)
+ $s3 = "test.txt" xor(0x01-0xff)
+ $s4 = "cc.txt" xor(0x01-0xff)
+ $s5 = "c:\\temp\\data.txt" xor(0x01-0xff)
+ $s6 = "uu.txt" xor(0x01-0xff)
+
+ condition:
+ 3 of ( $s* ) and $h
+}
 rule RUSSIANPANDA_Workersdevbackdoor_PS : FILE
 {
 meta:
 description = "Detects WorkersDevBackdoor PowerShell script"
 author = "RussianPanda"
- id = "d9a41923-718d-5364-a418-546e7449fc96"
+ id = "d2b526c1-a9f5-57de-818c-99b02e778a0d"
 date = "2023-12-15"
 modified = "2023-12-15"
 reference = "https://github.com/RussianPanda95/Yara-Rules"
 source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/WorkersDevBackdoor/WorkersDevBackdoor_PS.yar#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_c71eed8fd7a44f3018150cc6ef55d10779093ed8e4c77fd9babcf9b1b9fadfda"
+ logic_hash = "c71eed8fd7a44f3018150cc6ef55d10779093ed8e4c77fd9babcf9b1b9fadfda"
 score = 75
 quality = 85
 tags = "FILE"
@@ -216366,13 +216581,13 @@ rule RUSSIANPANDA_Workersdevbackdoor : FILE
 meta:
 description = "Detects WorkersDevBackdoor"
 author = "RussianPanda"
- id = "3b37afdf-fb4e-5455-bbbe-464883abfca8"
+ id = "725e0924-c108-5927-8d27-e4bc5b284883"
 date = "2023-12-15"
 modified = "2024-01-05"
 reference = "https://github.com/RussianPanda95/Yara-Rules"
 source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/WorkersDevBackdoor/WorkDevBackdoor.yar#L3-L20"
 license_url = "N/A"
- logic_hash = "v1_sha256_f92ad9dc657d87a47e539ea2ee896f9b86bb95e51a890a838c6e6b0efa5deb7d"
+ logic_hash = "f92ad9dc657d87a47e539ea2ee896f9b86bb95e51a890a838c6e6b0efa5deb7d"
 score = 75
 quality = 85
 tags = "FILE"
@@ -216391,13 +216606,13 @@ rule RUSSIANPANDA_PSWSTEALER : FILE
 meta:
 description = "PSWSTEALER"
 author = "RussianPanda"
- id = "09e7b4c4-8ef5-5479-b804-cdd9f93379e3"
+ id = "8a596074-ffe3-5979-b384-487ebe8b953c"
 date = "2023-04-02"
 modified = "2023-05-05"
 reference = "https://github.com/RussianPanda95/Yara-Rules"
 source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/PSWSTEALER/pswstealer.yar#L1-L14"
 license_url = "N/A"
- logic_hash = "v1_sha256_7d85b0ccaa07419f22b9f38a4bc66435cd689b21fa7e4584ef8bea485b6bd2c1"
+ logic_hash = "7d85b0ccaa07419f22b9f38a4bc66435cd689b21fa7e4584ef8bea485b6bd2c1"
 score = 75
 quality = 85
 tags = "FILE"
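Review bot: In the new RUSSIANPANDA_Darkgate_Autoit rule, `$s5` is byte-for-byte the same pattern as `$s2` (`"c:\\temp\\data.txt" xor(0x01-0xff)`), so one occurrence of that string counts twice toward `3 of ( $s* )` and the condition is effectively satisfied by two distinct artifacts plus `$h`, weaker than the three-distinct-strings threshold the author evidently intended; dropping the `$s5` line, or replacing it with a genuinely distinct indicator, restores the intended bar. The four- to six-byte strings `$s4` and `$s6` under a full single-byte XOR range each expand to 255 variants, which is where most incidental matches would come from; the `and $h` guard mitigates this, but a short meta comment such as `// $h is required because the short xor-brute-forced names alone are too weak to stand on their own` would make the design explicit to the next maintainer. The `reference` field points at the YARA documentation page for the xor modifier rather than at any DarkGate analysis, so the rule carries no provenance for where these filenames were observed; a reference to the sample write-up, or at minimum a meta comment naming the source of the indicators, would let reviewers re-validate the strings later.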
@@ -216418,13 +216633,13 @@ rule RUSSIANPANDA_Andeloader meta: description = "Detects Ande Loader" author = "RussianPanda" - id = "9fc46b01-761e-58d3-9162-c33bc1e7b5cf" + id = "c08d63b6-9fef-505d-9611-9dd0403c7c7c" date = "2023-12-11" modified = "2023-12-11" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/AndeLoader/ande_loader.yar#L3-L18" license_url = "N/A" - logic_hash = "v1_sha256_cd55153077e5cfbd84cbe5b062dbd842def245417acfea4ed6c2b1db702dcc81" + logic_hash = "cd55153077e5cfbd84cbe5b062dbd842def245417acfea4ed6c2b1db702dcc81" score = 75 quality = 83 tags = "" @@ -216442,13 +216657,13 @@ rule RUSSIANPANDA_Fakebat_Powershell meta: description = "Detects FakeBat PowerShell scripts" author = "RussianPanda" - id = "2cbb9451-6d1c-5c47-8489-44d6d513c8dc" + id = "76149a6f-c370-5e48-82cc-c89b545c0aa8" date = "2023-12-01" modified = "2023-12-01" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/FakeBat/fakebat_powershell.yar#L1-L13" license_url = "N/A" - logic_hash = "v1_sha256_df6b30d97ac6c9b248fed0d901e8a0a6ad1d855483a5006b008b839d9961092a" + logic_hash = "df6b30d97ac6c9b248fed0d901e8a0a6ad1d855483a5006b008b839d9961092a" score = 75 quality = 85 tags = "" 
@@ -216465,14 +216680,14 @@ rule RUSSIANPANDA_Garystealer : FILE meta: description = "Detects GaryStealer 1-3-2024" author = "RussianPanda" - id = "20ffbda3-e2e8-5716-9591-dea0d76f153e" + id = "4b0af30e-2cf1-539d-89fa-7e4e32cd6eab" date = "2024-01-03" modified = "2024-01-03" reference = "https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskagos-coordinated-strike-on-macos-and-windows" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/GaryStealer/garystealer-1-3-2024.yar#L1-L20" license_url = "N/A" hash = "6efa29a0f9d112cfbb982f7d9c0ddfe395b0b0edb885c2d5409b33ad60ce1435" - logic_hash = "v1_sha256_f71655d0cb237c08af9c298ec9eec1ae9bd1efd50e26d61afddf9056b6883a15" + logic_hash = "f71655d0cb237c08af9c298ec9eec1ae9bd1efd50e26d61afddf9056b6883a15" score = 75 quality = 79 tags = "FILE" @@ -216491,14 +216706,14 @@ rule RUSSIANPANDA_Mal_Xred_Backdoor : FILE meta: description = "Detects XRed backdoor" author = "RussianPanda" - id = "9e4a9ff0-24c2-5fc1-95f2-26ce9473da6d" + id = "61f5fcb8-9351-5db0-8bce-123c96d2a443" date = "2024-02-09" modified = "2024-02-09" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/XRed_Backdoor/mal_xred_backdoor.yar#L1-L18" license_url = "N/A" hash = "9e1fbae3a659899dde8db18a32daa46a" - logic_hash = "v1_sha256_36d138a0efade1d5c075662dc528235fe66b49879730db78c4c7290fec7420b5" + logic_hash = "36d138a0efade1d5c075662dc528235fe66b49879730db78c4c7290fec7420b5" score = 75 quality = 73 tags = "FILE" 
@@ -216519,14 +216734,14 @@ rule RUSSIANPANDA_Win_Mal_Xworm : FILE meta: description = "Detects XWorm RAT" author = "RussianPanda" - id = "5bb71bf3-66a0-51cf-a4e0-0d68d09d2108" + id = "5701f382-3c97-5a00-9673-6c39b0f11cc2" date = "2024-03-11" modified = "2024-03-11" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/XWorm/win_mal_XWorm.yar#L1-L15" license_url = "N/A" hash = "fc422800144383ef6e2e0eee37e7d6ba" - logic_hash = "v1_sha256_c42544285517dc61628e8df2ee5ab6733924fbb2cc08b9b2df273eec0a401d90" + logic_hash = "c42544285517dc61628e8df2ee5ab6733924fbb2cc08b9b2df273eec0a401d90" score = 75 quality = 85 tags = "FILE" @@ -216546,13 +216761,13 @@ rule RUSSIANPANDA_Meduzastealer : FILE meta: description = "Detects MeduzaStealer 1-2024" author = "RussianPanda" - id = "5841acc1-a354-5983-be49-ba215be2ffc1" + id = "6bc4c048-a32d-5a9c-b213-980c64d08d29" date = "2024-01-01" modified = "2024-01-01" reference = "https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/MeduzaStealer/MeduzaStealer_1-1-2024.yar#L1-L16" license_url = "N/A" - logic_hash = "v1_sha256_0547e51abd04302c45f1319bc21046ade019bc98eb85d9cba67cb2109ff642eb" + logic_hash = "0547e51abd04302c45f1319bc21046ade019bc98eb85d9cba67cb2109ff642eb" score = 75 quality = 83 tags = "FILE" 
@@ -216571,14 +216786,14 @@ rule RUSSIANPANDA_Jinxloader : FILE meta: description = "Detects JinxLoader Golang version" author = "RussianPanda" - id = "429d4b94-09d2-5eba-b844-b2c409ee884d" + id = "25570c99-5938-5be0-a153-a07be0d0571c" date = "2024-01-02" modified = "2024-01-02" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/JinxLoader/JinxLoader-1-2-2024.yar#L1-L16" license_url = "N/A" hash = "6bd7ff5d764214f239af2bb58b368308c2d04f1147678c2f638f37a893995f71" - logic_hash = "v1_sha256_13dee435fb4d40c629c0a30b6f655b87f14b10a6f6acf61d00e6c692c9bb0ff1" + logic_hash = "13dee435fb4d40c629c0a30b6f655b87f14b10a6f6acf61d00e6c692c9bb0ff1" score = 75 quality = 81 tags = "FILE" @@ -216597,14 +216812,14 @@ rule RUSSIANPANDA_Smartapesg_JS_Netsupportrat_Stage2 : FILE meta: description = "Detects SmartApeSG JavaScript Stage 2 retrieving NetSupportRAT" author = "RussianPanda" - id = "cda8c131-b162-53a8-a2bb-f4ea74f2f735" + id = "2a614e11-be32-5bf1-9fd1-da224f0a644e" date = "2024-01-11" modified = "2024-01-12" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SmartApeSG/SmartApeSG_JS_NetSupportRAT_stage2.yar#L1-L23" license_url = "N/A" hash = "67d8f84b37732cf85e05b327ad6b6a9f" - logic_hash = "v1_sha256_5a2afaa14d513e0a3c4e52acfb433e53a4541983a05d15318a217c14dc06453c" + logic_hash = "5a2afaa14d513e0a3c4e52acfb433e53a4541983a05d15318a217c14dc06453c" score = 75 quality = 85 tags = "FILE" 
@@ -216626,14 +216841,14 @@ rule RUSSIANPANDA_Smartapesg_JS_Dropper_Stage1 : FILE meta: description = "Detects SmartApeSG initial JavaScript file" author = "RussianPanda" - id = "3f701e6c-1875-5edf-a0d8-d89d494b7afd" + id = "9513f323-c315-5ae2-92a5-c831d0a7ce2a" date = "2024-01-11" modified = "2024-01-11" reference = "https://medium.com/walmartglobaltech/smartapesg-4605157a5b80" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SmartApeSG/SmartApeSG_JS_dropper_stage1.yar#L1-L18" license_url = "N/A" hash = "8769d9ebcf14b24a657532cd96f9520f54aa0e799399d840285311dfebe3fb15" - logic_hash = "v1_sha256_de7e4ec30c780699b46de7baf2a916fdb7331da2ee7c2d637422ea664cd03b82" + logic_hash = "de7e4ec30c780699b46de7baf2a916fdb7331da2ee7c2d637422ea664cd03b82" score = 75 quality = 85 tags = "FILE" @@ -216655,14 +216870,14 @@ rule RUSSIANPANDA_Gh0Strat : FILE meta: description = "Detects Gh0stRAT" author = "RussianPanda" - id = "6d378476-10f5-5c13-af4c-fac00d89f762" + id = "db310549-feed-57b8-9ec0-232b6eda62f9" date = "2024-07-09" modified = "2024-07-09" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Gh0stRAT/Gh0stRAT.yar#L1-L14" license_url = "N/A" hash = "678b06ecdbc9b186788cf960332566f9" - logic_hash = "v1_sha256_bc4bdad83a0e23273774c3d4812cabe9fa44897c8ff2e308004e03b4f1622cd5" + logic_hash = "bc4bdad83a0e23273774c3d4812cabe9fa44897c8ff2e308004e03b4f1622cd5" score = 75 quality = 85 tags = "FILE" 
@@ -216681,13 +216896,13 @@ rule RUSSIANPANDA_Whitesnakestealer : FILE meta: description = "WhiteSnake Stealer" author = "RussianPanda" - id = "e7b1b060-16f6-57c5-b451-09ac3ffe5a66" + id = "70b69aba-5096-59a6-bb0b-44d248aecc26" date = "2023-07-04" modified = "2023-12-11" reference = "https://russianpanda.com/2023/07/04/WhiteSnake-Stealer-Malware-Analysis/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/WhiteSnake-Stealer/WhiteSnake_rc4.yar#L1-L17" license_url = "N/A" - logic_hash = "v1_sha256_24985a2c3b0d72858decd17cb2b8e485caa94c01ad72a014edc68ed4facfd71e" + logic_hash = "24985a2c3b0d72858decd17cb2b8e485caa94c01ad72a014edc68ed4facfd71e" score = 75 quality = 83 tags = "FILE" @@ -216706,13 +216921,13 @@ rule RUSSIANPANDA_Whitesnakestealer_1 : FILE meta: description = "Detects WhiteSnake Stealer XOR samples " author = "RussianPanda" - id = "2ab82bdf-cf77-5c5d-8e3f-43b14e2bd901" + id = "cfe168a6-cc2f-5cfe-985c-78b232dc2651" date = "2023-07-04" modified = "2023-12-11" reference = "https://russianpanda.com/2023/07/04/WhiteSnake-Stealer-Malware-Analysis/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/WhiteSnake-Stealer/WhiteSnake_xor.yar#L1-L15" license_url = "N/A" - logic_hash = "v1_sha256_0bd0e250b8598be297296ecf6644d3bf649e3dc4598438325a0913afed04c819" + logic_hash = "0bd0e250b8598be297296ecf6644d3bf649e3dc4598438325a0913afed04c819" score = 75 quality = 83 tags = "FILE" 
@@ -216729,14 +216944,14 @@ rule RUSSIANPANDA_Solarmarker_Loader_PS2EXE : FILE meta: description = "Detects SolarMarker loader using PS2EXE" author = "RussianPanda" - id = "5bb82d33-abcf-5606-9c8c-4c7416083880" + id = "837883a1-b657-52ae-95c4-ebafc8ac55de" date = "2024-01-04" modified = "2024-01-04" reference = "https://www.esentire.com/blog/solarmarker-to-jupyter-and-back" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SolarMarker/solarmarker_loader.yar#L1-L17" license_url = "N/A" hash = "b45c31679c2516b38c7ff8c395f1d11d" - logic_hash = "v1_sha256_4f579f350c3320e7b811cae0efe7302e852f59adc02d805f64ba464f8a995f25" + logic_hash = "4f579f350c3320e7b811cae0efe7302e852f59adc02d805f64ba464f8a995f25" score = 75 quality = 85 tags = "FILE" @@ -216754,13 +216969,13 @@ rule RUSSIANPANDA_Solardropper meta: description = "SolarMarker first stage detection" author = "RussianPanda" - id = "d85e3e33-be85-55ee-929b-4b9e013be207" + id = "8e40b001-ae00-5768-bb91-e45264748087" date = "2024-01-03" modified = "2024-01-03" reference = "https://www.esentire.com/blog/solarmarker-to-jupyter-and-back" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SolarMarker/solardropper.yar#L1-L15" license_url = "N/A" - logic_hash = "v1_sha256_5dccb7be94e814335c0c867f8b3dd8855043375fe9f1235d5519c690fc7df842" + logic_hash = "5dccb7be94e814335c0c867f8b3dd8855043375fe9f1235d5519c690fc7df842" score = 75 quality = 85 tags = "" 
@@ -216778,14 +216993,14 @@ rule RUSSIANPANDA_Solarmarker_First_Stage_Payload : FILE meta: description = "Detects SolarMarker First Stage payload" author = "RussianPanda" - id = "8a3101b9-a428-5a97-9554-af4448084ca8" + id = "56eec644-9ad7-51db-9d11-68ea3e12c36a" date = "2024-01-30" modified = "2024-01-30" reference = "https://x.com/luke92881/status/1751968350689771966?s=20" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SolarMarker/solarmarker_first_stage_payload.yar#L1-L21" license_url = "N/A" hash = "f53563541293a826738d3b8f1164ea43" - logic_hash = "v1_sha256_e704614782b0f3cba60c53413e889113d2d44f37e60801205e5ed5ff921b13ee" + logic_hash = "e704614782b0f3cba60c53413e889113d2d44f37e60801205e5ed5ff921b13ee" score = 75 quality = 71 tags = "FILE" @@ -216808,13 +217023,13 @@ rule RUSSIANPANDA_Solarphantom : FILE meta: description = "SolarPhantom Backdoor Detection" author = "RussianPanda" - id = "a3e38bb8-04f4-5b47-9d3a-cc4f19b69c9a" + id = "f564a943-e83b-5c1b-ba8c-b227d69d3fd8" date = "2023-12-11" modified = "2023-12-11" reference = "https://www.esentire.com/blog/solarmarker-to-jupyter-and-back" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SolarMarker/solarphantom.yar#L1-L16" license_url = "N/A" - logic_hash = "v1_sha256_3b49d301e625d5abf1b726481a80d6a97d33acd3301c12964f2f37d37130c1b7" + logic_hash = "3b49d301e625d5abf1b726481a80d6a97d33acd3301c12964f2f37d37130c1b7" score = 75 quality = 83 tags = "FILE" 
@@ -216834,14 +217049,14 @@ rule RUSSIANPANDA_Solarmarker_Loader : FILE meta: description = "Detects SolarMarker loader 1-4-2024" author = "RussianPanda" - id = "7f98815a-78ee-5a1a-a6ff-875d80c83e00" + id = "b385fcd4-62b7-5a83-8a2e-6841fdd17526" date = "2024-01-04" modified = "2024-01-04" reference = "https://www.esentire.com/blog/solarmarker-to-jupyter-and-back" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/SolarMarker/solarmarker_backdoor.yar#L3-L19" license_url = "N/A" hash = "8eeefe0df0b057fc866b8d35625156de" - logic_hash = "v1_sha256_035eccb41f2ecdeb196003542c165cedad96e3e8e741511b4beda3dfe1ece74e" + logic_hash = "035eccb41f2ecdeb196003542c165cedad96e3e8e741511b4beda3dfe1ece74e" score = 75 quality = 85 tags = "FILE" @@ -216857,13 +217072,13 @@ rule RUSSIANPANDA_Neptune_Loader : FILE meta: description = "Detects Neptune Loader" author = "RussianPanda" - id = "0f19af97-e840-56a7-b6e5-dc5c9835b52d" + id = "d576bf47-10bd-55d0-99b0-69c02dc87f17" date = "2024-01-17" modified = "2024-01-21" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/NeptuneLoader/neptune_loader.yar#L1-L18" license_url = "N/A" - logic_hash = "v1_sha256_ca54b8a624d48aa28bc727420f25e6f0fd67b193ac79443a357d88a9fe7cbdbb" + logic_hash = "ca54b8a624d48aa28bc727420f25e6f0fd67b193ac79443a357d88a9fe7cbdbb" score = 75 quality = 81 tags = "FILE" 
@@ -216885,14 +217100,14 @@ rule RUSSIANPANDA_Mal_Narniarat : FILE meta: description = "Detects NarniaRAT from BotnetFenix campaign" author = "RussianPanda" - id = "e729451a-fb5b-56c4-8907-4b310097d62e" + id = "64c3a44b-5d75-5fec-bfc1-b66a5eb5780c" date = "2024-02-02" modified = "2024-02-02" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/NarniaRAT/mal_NarniaRAT.yar#L1-L16" license_url = "N/A" hash = "43f6c3f92a025d12de4c4f14afa5d098" - logic_hash = "v1_sha256_3ee8bf6b3970c6f56ca98c87752050217e350da160a650e1724b19f340bf0230" + logic_hash = "3ee8bf6b3970c6f56ca98c87752050217e350da160a650e1724b19f340bf0230" score = 75 quality = 85 tags = "FILE" @@ -216913,14 +217128,14 @@ rule RUSSIANPANDA_Truecrypt_Crypter : FILE meta: description = "Detects TrueCrypt crypter" author = "RussianPanda" - id = "748a8683-fe3b-5433-aed0-a1b282949f7a" + id = "3ecf9c2f-6205-5e55-83a5-2b4e3ba89f07" date = "2024-01-06" modified = "2024-01-06" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/TrueCrypt/truecrypt_crypter.yar#L1-L27" license_url = "N/A" hash = "167637397fb45ea19bafcf208d8f27dceec82caa7ab19d40ecdb08eb1b7d4f60" - logic_hash = "v1_sha256_68612c68053e9fb81d9616c04b04ac2e2cb685f3b7ed71f8b31e8f22e3a539e7" + logic_hash = "68612c68053e9fb81d9616c04b04ac2e2cb685f3b7ed71f8b31e8f22e3a539e7" score = 75 quality = 81 tags = "FILE" 
@@ -216944,14 +217159,14 @@ rule RUSSIANPANDA_Obfuscation_Powershell_Special_Chars meta: description = "Detects PowerShell special character obfuscation" author = "RussianPanda" - id = "31449f3d-09f4-5d9c-90c1-56b4cf2afcea" + id = "dd2d41d4-3431-5252-adf1-d537f3b8db7e" date = "2024-01-12" modified = "2024-02-02" reference = "https://perl-users.jp/articles/advent-calendar/2010/sym/11" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/PowerShell Obfuscation/obfuscation_powershell_special_chars.yar#L1-L15" license_url = "N/A" hash = "d77efad78ef3afc5426432597ba129141952719846bc5ccd058249bb23d8a905" - logic_hash = "v1_sha256_4cc4ebffe7bf712b412a060536acc51d94381d24b46e5494195ae17482076cd6" + logic_hash = "4cc4ebffe7bf712b412a060536acc51d94381d24b46e5494195ae17482076cd6" score = 75 quality = 81 tags = "" @@ -216972,14 +217187,14 @@ rule RUSSIANPANDA_Illyrianstealer : FILE meta: description = "Detects Illyrian Stealer" author = "RussianPanda" - id = "c59695c4-c3ee-5b0d-9e36-dab0b4b2dee4" + id = "2f85e87c-6883-5f41-a37c-00f9e93f61bf" date = "2024-01-08" modified = "2024-01-08" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/IllyrianStealer/illyrian_stealer.yar#L2-L18" license_url = "N/A" hash = "fae0aed6173804e8c22027cbb0c121eedd927f16ea7e2b23662dbe6e016980e8" - logic_hash = "v1_sha256_2012d401d3e7ce2d4d6ea12ed01a30b7d3e18f4ed47dbf70d43bae6c328960ea" + logic_hash = "2012d401d3e7ce2d4d6ea12ed01a30b7d3e18f4ed47dbf70d43bae6c328960ea" score = 75 quality = 85 tags = "FILE" 
@@ -216998,14 +217213,14 @@ rule RUSSIANPANDA_Mal_Msedge_Dll_Virusloader : FILE meta: description = "Detects malicious msedge.dll file" author = "RussianPanda" - id = "c8fc3ab7-54a0-5ae4-acb4-bebffcadc397" + id = "7139ee30-de9a-5ef0-a96f-2ab9c239c6ff" date = "2024-01-19" modified = "2024-01-19" reference = "https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/virusloader/mal_msedge_dll_virusloader.yar#L1-L16" license_url = "N/A" hash = "ab2e3b07170ef1516af3af0d03388868" - logic_hash = "v1_sha256_659fd5fa3121fec5bf4cceb6f3dea95bf4cbcde7441d6f11c35288d8ad75a803" + logic_hash = "659fd5fa3121fec5bf4cceb6f3dea95bf4cbcde7441d6f11c35288d8ad75a803" score = 75 quality = 85 tags = "FILE" @@ -217023,13 +217238,13 @@ rule RUSSIANPANDA_Mal_Nitrogen : FILE meta: description = "Detects Nitrogen campaign" author = "RussianPanda" - id = "a6ec667e-8bd5-5e15-9660-dffc112acd09" + id = "9d591f87-47ec-54ea-b0ae-26a0542733a0" date = "2024-02-04" modified = "2024-02-04" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Nitrogen/mal_nitrogen.yar#L1-L15" license_url = "N/A" - logic_hash = "v1_sha256_642d5a16c7fb217a297bba683221de474eb028ac48ec8f52be897eaa056acb9b" + logic_hash = "642d5a16c7fb217a297bba683221de474eb028ac48ec8f52be897eaa056acb9b" score = 75 quality = 79 tags = "FILE" 
@@ -217050,14 +217265,14 @@ rule RUSSIANPANDA_Win_Mal_Koistealer_PS meta: description = "Detects KoiStealer PowerShell script" author = "RussianPanda" - id = "12bc4093-8c00-5d9a-8cbf-0decb81640db" + id = "6dfdb39c-1b6a-5969-9c2d-e09869af6e0f" date = "2024-04-04" modified = "2024-04-04" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Koi/win_mal_KoiStealer_PS.yar#L1-L12" license_url = "N/A" hash = "4f55be0b55ec67dfda42b88e9c743a2a" - logic_hash = "v1_sha256_8a60a1d770eb4b5048762ddfd4657fdf7a430b09eb454ae5a5bb3103460907db" + logic_hash = "8a60a1d770eb4b5048762ddfd4657fdf7a430b09eb454ae5a5bb3103460907db" score = 75 quality = 85 tags = "" @@ -217074,14 +217289,14 @@ rule RUSSIANPANDA_Win_Mal_Koi_Loader_Decrypted : FILE meta: description = "Detects decrypted Koi Loader" author = "RussianPanda" - id = "b21c9524-2e9c-5b7a-b1f1-26c6affacd31" + id = "71de93d3-5c9f-5994-a54d-d4455d500280" date = "2024-04-04" modified = "2024-04-04" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Koi/win_mal_Koi_loader_decrypted.yar#L1-L12" license_url = "N/A" hash = "1901593e0299930d46b963866f33a93b" - logic_hash = "v1_sha256_f73ada7185ff109afe1e186a0fb7b4420b3d0e04c93c7c5423243db97eb34e49" + logic_hash = "f73ada7185ff109afe1e186a0fb7b4420b3d0e04c93c7c5423243db97eb34e49" score = 75 quality = 85 tags = "FILE" 
@@ -217098,14 +217313,14 @@ rule RUSSIANPANDA_Win_Mal_Koi_Loader : FILE meta: description = "Detects Koi Loader" author = "RussianPanda" - id = "e4becd2c-cb4b-5c93-a74d-5a7a64b4880f" + id = "a608558d-97c8-5161-a6eb-29fd420458a8" date = "2024-04-04" modified = "2024-04-04" reference = "https://github.com/RussianPanda95/Yara-Rules" source_url = "https://github.com/RussianPanda95/Yara-Rules/blob/2b40630c067f4ba3a207fcf1951e07a9a01ba69a/Koi/win_mal_Koi_loader.yar#L1-L14" license_url = "N/A" hash = "47e208687c2fb40bdbaa17e368aaa1bd" - logic_hash = "v1_sha256_4f909865c6d274804c3fa7f66822d7bea71bb93e7c6a422ebaf220df056ac095" + logic_hash = "4f909865c6d274804c3fa7f66822d7bea71bb93e7c6a422ebaf220df056ac095" score = 75 quality = 85 tags = "FILE" @@ -217123,7 +217338,7 @@ rule RUSSIANPANDA_Win_Mal_Koi_Loader : FILE * YARA Rule Set * Repository Name: Check Point * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 4 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -217138,7 +217353,7 @@ rule CHECK_POINT_Apt_Nazar_Component_Guids meta: description = "Detect Nazar Components by COM Objects' GUID" author = "Itay Cohen" - id = "ccffba17-9ead-5d0d-a6d7-de995270a864" + id = "1bdc0b54-4903-559d-9037-450470fc7ef7" date = "2020-04-27" modified = "2023-04-10" reference = "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/" @@ -217157,7 +217372,7 @@ rule CHECK_POINT_Apt_Nazar_Component_Guids hash = "d34a996826ea5a028f5b4713c797247913f036ca0063cc4c18d8b04736fa0b65" hash = "d9801b4da1dbc5264e83029abb93e800d3c9971c650ecc2df5f85bcc10c7bd61" hash = "eb705459c2b37fba5747c73ce4870497aa1d4de22c97aaea4af38cdc899b51d3" - logic_hash = "v1_sha256_9fb69a0ea7272f1b1cbb290ae81e08f7e2b2f6c5409bbca12d9b0b781cb4c267" + logic_hash = "9fb69a0ea7272f1b1cbb290ae81e08f7e2b2f6c5409bbca12d9b0b781cb4c267" score = 75 quality = 85 tags = "" 
@@ -217178,13 +217393,13 @@ rule CHECK_POINT_Injector_ZZ_Dotrunpex : FILE meta: description = "Detects new version of dotRunpeX - configurable .NET injector" author = "Jiri Vinopal (jiriv)" - id = "46b69d36-95fd-5468-965e-9af7f708f7ad" + id = "6cdbe54b-2e8d-5f7b-81ac-983236d1449f" date = "2022-10-30" modified = "2023-04-10" reference = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Checkpoint/injector_ZZ_dotRunpeX.yar#L1-L58" license_url = "N/A" - logic_hash = "v1_sha256_ca4336533f90598a6b6f594036e20595073e0e7cab5fcd186995c5c7f2be287e" + logic_hash = "ca4336533f90598a6b6f594036e20595073e0e7cab5fcd186995c5c7f2be287e" score = 75 quality = 83 tags = "FILE" @@ -217243,13 +217458,13 @@ rule CHECK_POINT_Injector_ZZ_Dotrunpex_Oldnew : FILE meta: description = "Detects new and old version of dotRunpeX - configurable .NET injector" author = "Jiri Vinopal (jiriv)" - id = "4b4c64ea-022a-5f9d-bee3-833e78841515" + id = "43e2d520-bfe4-5530-a5b4-508cfba9d06e" date = "2022-10-30" modified = "2023-04-10" reference = "https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar#L1-L45" license_url = "N/A" - logic_hash = "v1_sha256_c6ae0b4fb6cae16ae8d71e238f7753e0eadd23820507616fa2331375f4403052" + logic_hash = "c6ae0b4fb6cae16ae8d71e238f7753e0eadd23820507616fa2331375f4403052" score = 75 quality = 85 tags = "FILE" 
@@ -217296,13 +217511,13 @@ rule CHECK_POINT_Malware_Bumblebee_Packed meta: description = "Detects the packer used by bumblebee, the rule is based on the code responsible for allocating memory for a critical structure in its logic." author = "Marc Salinas @ CheckPoint Research" - id = "5e85e593-cdcd-5b3c-927e-3b2d9cb952f5" + id = "35f00c87-c26e-5189-b66d-15d5a1b1dd20" date = "2022-07-13" modified = "2023-04-10" reference = "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Checkpoint/malware_bumblebee_packed.yar#L1-L31" license_url = "N/A" - logic_hash = "v1_sha256_063209aad7ab8a0be46fd578a16b04afc086f930cbdb6c2f7b02824f704d7330" + logic_hash = "063209aad7ab8a0be46fd578a16b04afc086f930cbdb6c2f7b02824f704d7330" score = 75 quality = 85 tags = "" @@ -217337,7 +217552,7 @@ rule CHECK_POINT_Malware_Bumblebee_Packed * YARA Rule Set * Repository Name: Dragon Threat Labs * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 7 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -217352,14 +217567,14 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win_Disk_Pcclient : DISK meta: description = "Encoded version of pcclient found on disk" author = "@dragonthreatlab" - id = "f4fda4fa-2cf8-54d3-a28c-f40c659f3f52" + id = "40e9133c-60e8-5fec-be56-1115c8bde9b1" date = "2015-01-11" modified = "2016-09-27" reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Dragonthreatlabs/apt_c16_win_disk_pcclient.yar#L1-L13" license_url = "N/A" hash = "55f84d88d84c221437cd23cdbc541d2e" - logic_hash = "v1_sha256_47e9588ef1f350ee0d2aecc7686d9e4df1ad6c19f27d749e31340eff7e31adcb" + logic_hash = "47e9588ef1f350ee0d2aecc7686d9e4df1ad6c19f27d749e31340eff7e31adcb" score = 75 quality = 80 tags = "DISK" @@ -217375,14 +217590,14 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win32_Dropper : DROPPER FILE meta: description = "APT malware used to drop PcClient RAT" author = "@dragonthreatlab" - id = "0beafe4b-6192-5ce6-af54-ccc4fced7df9" + id = "a1546f02-f01b-50ba-b4d9-9676e52dc4c1" date = "2015-01-11" modified = "2016-09-27" reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Dragonthreatlabs/apt_c16_win32_dropper.yar#L1-L18" license_url = "N/A" hash = "ad17eff26994df824be36db246c8fb6a" - logic_hash = "v1_sha256_bb29bcf5e62cb1a55d7f0cb87b53bace26b99f858513dc4e544d531f70f54281" + logic_hash = "bb29bcf5e62cb1a55d7f0cb87b53bace26b99f858513dc4e544d531f70f54281" score = 75 quality = 28 tags = "DROPPER, FILE" 
@@ -217403,13 +217618,13 @@ rule DRAGON_THREAT_LABS_Apt_Win_Mocelpa meta: description = "APT malware; Mocelpa, downloader." author = "@int0x00" - id = "56541477-ce0d-5a69-9051-08b3d001caf8" + id = "2cf2ba5e-86b1-5533-9e14-61113e5f574d" date = "2023-04-10" modified = "2023-04-10" reference = "https://github.com/DragonThreatLabs/IntelReports/blob/master/DTL-06282015-01.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Dragonthreatlabs/apt_win_mocelpa.yar#L1-L11" license_url = "N/A" - logic_hash = "v1_sha256_0331c0f690ac7a8870b3f4012f2828ed23850340edcf0b6ff80bc408d9174977" + logic_hash = "0331c0f690ac7a8870b3f4012f2828ed23850340edcf0b6ff80bc408d9174977" score = 75 quality = 28 tags = "" @@ -217426,14 +217641,14 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win_Swisyn : MEMORY FILE meta: description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check." author = "@dragonthreatlab" - id = "9cba57d9-1546-5aee-93ff-0565f6a92b9b" + id = "af369075-aca3-576d-a10b-849703ffb4f1" date = "2015-01-11" modified = "2016-09-27" reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Dragonthreatlabs/apt_c16_win_swisyn.yar#L1-L17" license_url = "N/A" hash = "a6a18c846e5179259eba9de238f67e41" - logic_hash = "v1_sha256_2fa29d3b17aa37501131132640953645d0089c9bc5ec13ffed7a498ad89c1558" + logic_hash = "2fa29d3b17aa37501131132640953645d0089c9bc5ec13ffed7a498ad89c1558" score = 75 quality = 28 tags = "MEMORY, FILE" 
@@ -217453,14 +217668,14 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win_Memory_Pcclient : MEMORY APT meta: description = "File matching the md5 above tends to only live in memory, hence the lack of MZ header check." author = "@dragonthreatlab" - id = "325eb739-c6a2-59e0-9116-0baa5e3d14b1" + id = "59333cd4-b532-510e-afe5-fc3b2e96698f" date = "2015-01-11" modified = "2016-09-27" reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Dragonthreatlabs/dragonthreatlabs_index.yara#L4-L19" license_url = "N/A" hash = "ec532bbe9d0882d403473102e9724557" - logic_hash = "v1_sha256_e863fcbcbde61db569a34509061732371143f38734a0213dc856dc3c9188b042" + logic_hash = "e863fcbcbde61db569a34509061732371143f38734a0213dc856dc3c9188b042" score = 75 quality = 80 tags = "MEMORY, APT" @@ -217479,13 +217694,13 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win_Wateringhole meta: description = "Detects code from APT wateringhole" author = "@dragonthreatlab" - id = "11c498d2-0987-5f8a-9af3-553c7c32faea" + id = "4958f894-91a7-56b4-90f0-40085c03382c" date = "2015-01-11" modified = "2016-09-27" reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Dragonthreatlabs/dragonthreatlabs_index.yara#L72-L85" license_url = "N/A" - logic_hash = "v1_sha256_e866499ec77984f5bacf3f5e352393b63e0dd08fd8fd57b4990292a1dc7fbcbe" + logic_hash = "e866499ec77984f5bacf3f5e352393b63e0dd08fd8fd57b4990292a1dc7fbcbe" score = 75 quality = 80 tags = "" 
@@ -217503,13 +217718,13 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win64_Dropper : DROPPER FILE meta: description = "APT malware used to drop PcClient RAT" author = "@dragonthreatlab" - id = "245a728c-7276-535d-8d48-f405cb855a38" + id = "dbd1a16c-52a5-5b07-b34f-7eb7b78c1eab" date = "2015-01-11" modified = "2016-09-27" reference = "http://blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Dragonthreatlabs/dragonthreatlabs_index.yara#L87-L104" license_url = "N/A" - logic_hash = "v1_sha256_df905711eca68c698ad6340e88ae99fdcae918c86ec2b7c26b62eead54fef892" + logic_hash = "df905711eca68c698ad6340e88ae99fdcae918c86ec2b7c26b62eead54fef892" score = 75 quality = 28 tags = "DROPPER, FILE" @@ -217528,7 +217743,7 @@ rule DRAGON_THREAT_LABS_Apt_C16_Win64_Dropper : DROPPER FILE * YARA Rule Set * Repository Name: Microsoft * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 21 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -217543,14 +217758,14 @@ rule MICROSOFT_Trojan_Win32_Plasrv : PLATINUM meta: description = "Hotpatching Injector" author = "Microsoft" - id = "17809055-a991-58a2-8b8e-e1e4be694ebd" + id = "2a099b68-fb13-5926-8a86-4d788326609c" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L1-L19" license_url = "N/A" hash = "ff7f949da665ba8ce9fb01da357b51415634eaad" - logic_hash = "v1_sha256_5978502454d66a930a535ffe61d78f2106c3c17c8df9be1b22bc10ef900c891f" + logic_hash = "5978502454d66a930a535ffe61d78f2106c3c17c8df9be1b22bc10ef900c891f" score = 75 quality = 80 tags = "PLATINUM" @@ -217570,14 +217785,14 @@ rule MICROSOFT_Trojan_Win32_Platual : PLATINUM meta: description = "Installer component" author = "Microsoft" - id = "41649dac-3594-5231-92e7-36e01e5d4d91" + id = "ac963388-cc73-5842-96be-77349398efcc" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L21-L38" license_url = "N/A" hash = "e0ac2ae221328313a7eee33e9be0924c46e2beb9" - logic_hash = "v1_sha256_3692b5c1d873fb799b64ea69f3762177198dbb0fb971bc29bb80048c0de735d4" + logic_hash = "3692b5c1d873fb799b64ea69f3762177198dbb0fb971bc29bb80048c0de735d4" score = 75 quality = 80 tags = "PLATINUM" 
@@ -217597,14 +217812,14 @@ rule MICROSOFT_Trojan_Win32_Plaplex : PLATINUM meta: description = "Variant of the JPin backdoor" author = "Microsoft" - id = "7f483c9c-dd9a-5563-a580-93289a0b18f0" + id = "2d670c09-dc0a-556e-8d00-5f94e5907d99" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L40-L57" license_url = "N/A" hash = "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66" - logic_hash = "v1_sha256_ff7b9a52befae5f22f7c6093af44bef4a4cf271548c1caf22f30d3c8aec42de4" + logic_hash = "ff7b9a52befae5f22f7c6093af44bef4a4cf271548c1caf22f30d3c8aec42de4" score = 75 quality = 80 tags = "PLATINUM" @@ -217624,13 +217839,13 @@ rule MICROSOFT_Trojan_Win32_Dipsind_B : PLATINUM meta: description = "Dipsind Family" author = "Microsoft" - id = "d9048d7a-130b-5034-988e-293452b19bc9" + id = "513c18a6-af25-58ad-9232-9a089f4ced3d" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L59-L77" license_url = "N/A" - logic_hash = "v1_sha256_1f99f298dc4d1483eb95cfb898dd9eee32b2f72a8da562f58a57f44559cbd2c7" + logic_hash = "1f99f298dc4d1483eb95cfb898dd9eee32b2f72a8da562f58a57f44559cbd2c7" score = 75 quality = 80 tags = "PLATINUM" 
@@ -217651,14 +217866,14 @@ rule MICROSOFT_Trojan_Win32_Plakeylog_B : PLATINUM meta: description = "Keylogger component" author = "Microsoft" - id = "0cd16ec0-be16-53ed-b667-841b31930ee0" + id = "bc84ef20-f428-5f3d-bc88-ab14991a2350" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L79-L97" license_url = "N/A" hash = "0096a3e0c97b85ca75164f48230ae530c94a2b77" - logic_hash = "v1_sha256_288fb5a724baaa032ca36124cf803698e315aaf61662f999f3b894049ece63f2" + logic_hash = "288fb5a724baaa032ca36124cf803698e315aaf61662f999f3b894049ece63f2" score = 75 quality = 80 tags = "PLATINUM" @@ -217678,14 +217893,14 @@ rule MICROSOFT_Trojan_Win32_Adupib : PLATINUM meta: description = "Adupib SSL Backdoor" author = "Microsoft" - id = "5a770573-43f2-5818-8913-0c06dc149112" + id = "4c5a63e5-7110-57e9-b939-df8999f317d3" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L99-L120" license_url = "N/A" hash = "d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd" - logic_hash = "v1_sha256_b83f642929a372a21e63055cd4adcab5d24b98b5a98b6fd0b35ee31e9f7f3b90" + logic_hash = "b83f642929a372a21e63055cd4adcab5d24b98b5a98b6fd0b35ee31e9f7f3b90" score = 75 quality = 80 tags = "PLATINUM" 
@@ -217708,14 +217923,14 @@ rule MICROSOFT_Trojan_Win32_Plalsalog : PLATINUM meta: description = "Loader / possible incomplete LSA Password Filter" author = "Microsoft" - id = "115b0e25-156d-5c1d-938a-2c05ef2b788b" + id = "e5c7e07d-79e3-580f-ac24-28920a9b0e70" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L122-L140" license_url = "N/A" hash = "fa087986697e4117c394c9a58cb9f316b2d9f7d8" - logic_hash = "v1_sha256_58d937be220c0f356396c28367ab63ff4c4a6bf2cbf9e0ce8f8cac25e4fe3fec" + logic_hash = "58d937be220c0f356396c28367ab63ff4c4a6bf2cbf9e0ce8f8cac25e4fe3fec" score = 75 quality = 80 tags = "PLATINUM" @@ -217735,14 +217950,14 @@ rule MICROSOFT_Trojan_Win32_Plagon : PLATINUM meta: description = "Dipsind variant" author = "Microsoft" - id = "6da24e2c-399b-5d0f-85cb-081e769ed293" + id = "ae3b7eb0-d54e-5817-9484-c054cd27c1fd" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L142-L162" license_url = "N/A" hash = "48b89f61d58b57dba6a0ca857bce97bab636af65" - logic_hash = "v1_sha256_99e0d300f030bb6407de1fda488b47c73f8278e9c015bf779259ddf1b68903a2" + logic_hash = "99e0d300f030bb6407de1fda488b47c73f8278e9c015bf779259ddf1b68903a2" score = 75 quality = 78 tags = "PLATINUM" 
@@ -217764,14 +217979,14 @@ rule MICROSOFT_Trojan_Win32_Plakelog : PLATINUM meta: description = "Raw-input based keylogger" author = "Microsoft" - id = "e5071526-c4e8-58a7-89e9-e7b28028c579" + id = "26f552e6-9abf-59ca-a8df-19473d6d775a" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L164-L184" license_url = "N/A" hash = "3907a9e41df805f912f821a47031164b6636bd04" - logic_hash = "v1_sha256_e18cae8bb2a79f7d39a80669896b1f7a7c1726f14192abcc91388fd53781ffef" + logic_hash = "e18cae8bb2a79f7d39a80669896b1f7a7c1726f14192abcc91388fd53781ffef" score = 75 quality = 80 tags = "PLATINUM" @@ -217793,14 +218008,14 @@ rule MICROSOFT_Trojan_Win32_Plainst : PLATINUM meta: description = "Installer component" author = "Microsoft" - id = "5b7ef00e-3e6c-5bfb-bcd4-afc43811e673" + id = "41a4770a-b4d8-5ddc-8b4f-a4e87a1f3923" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L186-L204" license_url = "N/A" hash = "99c08d31af211a0e17f92dd312ec7ca2b9469ecb" - logic_hash = "v1_sha256_5fa8e52c044e05d96c2c09b69ef884ed0ea863ceb3ba00cdf243a4907050de69" + logic_hash = "5fa8e52c044e05d96c2c09b69ef884ed0ea863ceb3ba00cdf243a4907050de69" score = 75 quality = 80 tags = "PLATINUM" 
@@ -217820,14 +218035,14 @@ rule MICROSOFT_Trojan_Win32_Plagicom : PLATINUM meta: description = "Installer component" author = "Microsoft" - id = "78a32a8f-dc06-55cc-a719-a31b4ba193f2" + id = "86ef6fbf-cd39-533f-893c-72f22d73c99a" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L206-L225" license_url = "N/A" hash = "99dcb148b053f4cef6df5fa1ec5d33971a58bd1e" - logic_hash = "v1_sha256_d2645ecc3b4400af7d9949eeca01b1ed5d74516010658c66934772e04040d9cf" + logic_hash = "d2645ecc3b4400af7d9949eeca01b1ed5d74516010658c66934772e04040d9cf" score = 75 quality = 80 tags = "PLATINUM" @@ -217848,14 +218063,14 @@ rule MICROSOFT_Trojan_Win32_Plaklog : PLATINUM meta: description = "Hook-based keylogger" author = "Microsoft" - id = "0ce14bfd-37d5-5289-85d3-17c282f9e58d" + id = "4faffe66-63fc-5498-be59-dbbbb909ad74" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L227-L246" license_url = "N/A" hash = "831a5a29d47ab85ee3216d4e75f18d93641a9819" - logic_hash = "v1_sha256_af8dd0749d07f0b99cf3dd24bc144d38fe6db00f699bc7f45f197ac6e1663cad" + logic_hash = "af8dd0749d07f0b99cf3dd24bc144d38fe6db00f699bc7f45f197ac6e1663cad" score = 75 quality = 80 tags = "PLATINUM" 
@@ -217876,14 +218091,14 @@ rule MICROSOFT_Trojan_Win32_Plapiio : PLATINUM meta: description = "JPin backdoor" author = "Microsoft" - id = "61be2001-62d2-55b5-a36c-01184341811f" + id = "538086b5-eb06-5e41-90d4-ab8f2b001c42" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L248-L267" license_url = "N/A" hash = "3119de80088c52bd8097394092847cd984606c88" - logic_hash = "v1_sha256_580fb1377d98e7ffcb9823b5c485ff536813e3df5d8bded745373b2a3a82fcfd" + logic_hash = "580fb1377d98e7ffcb9823b5c485ff536813e3df5d8bded745373b2a3a82fcfd" score = 75 quality = 80 tags = "PLATINUM" @@ -217904,13 +218119,13 @@ rule MICROSOFT_Trojan_Win32_Plabit : PLATINUM meta: description = "Installer component" author = "Microsoft" - id = "1d7e25ad-e881-5bfd-bca9-9aed9caa3d9a" + id = "cee48cbb-f980-50cc-b28a-2e80e7f1798b" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L269-L287" license_url = "N/A" - logic_hash = "v1_sha256_35f12d45c8ee5f8e2b0bcd57ae14c0ba52670abc1212f94aa276efbbe1043146" + logic_hash = "35f12d45c8ee5f8e2b0bcd57ae14c0ba52670abc1212f94aa276efbbe1043146" score = 75 quality = 80 tags = "PLATINUM" 
@@ -217931,14 +218146,14 @@ rule MICROSOFT_Trojan_Win32_Placisc2 : PLATINUM meta: description = "Dipsind variant" author = "Microsoft" - id = "ad15ca7f-804e-5c60-9973-de79f0fa52e9" + id = "a5557cfa-354c-5913-9b63-f53ffb294796" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L289-L309" license_url = "N/A" hash = "bf944eb70a382bd77ee5b47548ea9a4969de0527" - logic_hash = "v1_sha256_6629ca96c73e48bc14c811df781973f8040f88bcbf9eda601e9f5db86e11c20b" + logic_hash = "6629ca96c73e48bc14c811df781973f8040f88bcbf9eda601e9f5db86e11c20b" score = 75 quality = 80 tags = "PLATINUM" @@ -217960,14 +218175,14 @@ rule MICROSOFT_Trojan_Win32_Placisc3 : PLATINUM meta: description = "Dipsind variant" author = "Microsoft" - id = "2ea82576-cc07-5095-a8e1-d417dc9a2b1f" + id = "f2089236-8227-5042-9086-fb77aebd147f" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L311-L329" license_url = "N/A" hash = "1b542dd0dacfcd4200879221709f5fa9683cdcda" - logic_hash = "v1_sha256_3a1afe737c08b4d9149380e04f5d6240a00b237822c3c82d82eccf5412cb05d1" + logic_hash = "3a1afe737c08b4d9149380e04f5d6240a00b237822c3c82d82eccf5412cb05d1" score = 75 quality = 80 tags = "PLATINUM" 
@@ -217988,14 +218203,14 @@ rule MICROSOFT_Trojan_Win32_Placisc4 : PLATINUM meta: description = "Installer for Dipsind variant" author = "Microsoft" - id = "80fe3dbd-f4d4-5fa6-9c02-acf0170c9c12" + id = "04770059-06ca-5315-a7b3-0e9fbcecfc57" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L331-L350" license_url = "N/A" hash = "3d17828632e8ff1560f6094703ece5433bc69586" - logic_hash = "v1_sha256_4fa4f48d6747cde6d635eca2f5277da7be17473a561828eafa604fbc2801073a" + logic_hash = "4fa4f48d6747cde6d635eca2f5277da7be17473a561828eafa604fbc2801073a" score = 75 quality = 80 tags = "PLATINUM" @@ -218016,14 +218231,14 @@ rule MICROSOFT_Trojan_Win32_Plakpers : PLATINUM meta: description = "Injector / loader component" author = "Microsoft" - id = "ca0e862e-77fa-5455-b0ce-eca959cbcdf1" + id = "d37c6ac5-ca46-5fb2-80bd-ab63c8dbcd21" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L352-L371" license_url = "N/A" hash = "fa083d744d278c6f4865f095cfd2feabee558056" - logic_hash = "v1_sha256_d3705a34232ba2b00786b32f84823d3a6b037ed6a5882983e69addc020bc0b35" + logic_hash = "d3705a34232ba2b00786b32f84823d3a6b037ed6a5882983e69addc020bc0b35" score = 75 quality = 80 tags = "PLATINUM" 
@@ -218044,14 +218259,14 @@ rule MICROSOFT_Trojan_Win32_Plainst2 : PLATINUM meta: description = "Zc tool" author = "Microsoft" - id = "19da2356-2a9d-5f6a-9f94-e49533b6aa2e" + id = "7202eeb5-269d-5e9a-9a93-bdf489639e74" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L373-L392" license_url = "N/A" hash = "3f2ce812c38ff5ac3d813394291a5867e2cddcf2" - logic_hash = "v1_sha256_4dc897a598fd491694f8fe3ec4ae9278dc341ffd9f95f416eb5e98fb5aa200e4" + logic_hash = "4dc897a598fd491694f8fe3ec4ae9278dc341ffd9f95f416eb5e98fb5aa200e4" score = 75 quality = 80 tags = "PLATINUM" @@ -218072,14 +218287,14 @@ rule MICROSOFT_Trojan_Win32_Plakpeer : PLATINUM meta: description = "Zc tool v2" author = "Microsoft" - id = "a78ea91a-11d5-510c-9ba1-67542958cec5" + id = "e573279b-4a7b-5e15-8ab2-a77cd98a8b6e" date = "2016-04-12" modified = "2016-12-21" reference = "https://www.threatminer.org/report.php?q=Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf&y=2016" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/Platinum.yara#L394-L414" license_url = "N/A" hash = "2155c20483528377b5e3fde004bb604198463d29" - logic_hash = "v1_sha256_cc34ce9f12c95133872783090efd5813d3e2f44a1c726d29b2ba834509c9a1d5" + logic_hash = "cc34ce9f12c95133872783090efd5813d3e2f44a1c726d29b2ba834509c9a1d5" score = 75 quality = 80 tags = "PLATINUM" 
@@ -218103,13 +218318,13 @@ rule MICROSOFT_Devilstongue_Hijackdll : FILE meta: description = "Detects SOURGUM's DevilsTongue hijack DLL" author = "Microsoft Threat Intelligence Center (MSTIC)" - id = "123f9c0e-59dc-5f2c-863d-5e1c3e0afd88" + id = "b5de2a8c-e0c8-5c8c-bb65-aee5701b4bb3" date = "2021-07-15" modified = "2022-07-07" reference = "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/Microsoft/DevilsTongue_HijackDll.yar#L2-L45" license_url = "N/A" - logic_hash = "v1_sha256_d1c01df74a00672bb8229d5433314d7cfa49ab22565e6cf78a4b6b2884dbd299" + logic_hash = "d1c01df74a00672bb8229d5433314d7cfa49ab22565e6cf78a4b6b2884dbd299" score = 75 quality = 80 tags = "FILE" @@ -218132,7 +218347,7 @@ rule MICROSOFT_Devilstongue_Hijackdll : FILE * YARA Rule Set * Repository Name: NCSC * Repository: https://github.com/mikesxrs/Open-Source-YARA-rules - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: ec0056f767db98bf6d5fd63877ad51fb54d350e9 * Number of Rules: 17 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -218149,13 +218364,13 @@ rule NCSC_Sparrowdoor_Clipshot : FILE meta: description = "The SparrowDoor loader contains a feature it calls clipshot, which logs clipboard data to a file." author = "NCSC" - id = "e3c5ad1c-0e62-5336-94d7-89eeeceefc18" + id = "186e694b-6ae1-5042-847a-f54708dc76ef" date = "2022-02-28" modified = "2022-07-06" reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_clipshot.yar#L3-L20" license_url = "N/A" - logic_hash = "v1_sha256_7662e3be2752ac82d6cfe4b2e420157e78367c201c25ae34b5d956dc53ba20ae" + logic_hash = "7662e3be2752ac82d6cfe4b2e420157e78367c201c25ae34b5d956dc53ba20ae" score = 75 quality = 80 tags = "FILE" @@ -218174,13 +218389,13 @@ rule NCSC_Sparrowdoor_Loader : FILE meta: description = "Targets code features of the SparrowDoor loader. This rule detects the previous variant and this new variant." author = "NCSC" - id = "9b751019-6813-57e1-8251-860ee1abce01" + id = "7107cb82-c4c9-503f-b006-baec6b667498" date = "2022-02-28" modified = "2022-07-06" reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_loader.yar#L1-L15" license_url = "N/A" - logic_hash = "v1_sha256_fa1bd386114d912722a5101a0112355dec654e2e9446c885c12946c7fae1c8f4" + logic_hash = "fa1bd386114d912722a5101a0112355dec654e2e9446c885c12946c7fae1c8f4" score = 75 quality = 80 tags = "FILE" 
@@ -218199,13 +218414,13 @@ rule NCSC_Sparrowdoor_Config : FILE meta: description = "Targets the XOR encoded loader config and shellcode in the file libhost.dll using the known position of the XOR key." author = "NCSC" - id = "0d098a09-1e2c-5ca7-9499-907634cbb017" + id = "16eec5b6-c77a-585d-88f3-2c86abdbf2bd" date = "2022-02-28" modified = "2022-07-06" reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_config.yar#L1-L14" license_url = "N/A" - logic_hash = "v1_sha256_bd52496b6e7cabc875a277ce7d49f6b891c3f61591edef295dbee43716c15509" + logic_hash = "bd52496b6e7cabc875a277ce7d49f6b891c3f61591edef295dbee43716c15509" score = 75 quality = 80 tags = "FILE" @@ -218219,14 +218434,14 @@ rule NCSC_Neuron_Common_Strings : FILE meta: description = "Rule for detection of Neuron based on commonly used strings" author = "NCSC UK" - id = "b8d4b128-6dd5-5cbe-8936-1f3ca60b8876" + id = "b0f12276-300c-537e-b495-a06c97deccd7" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L1-L23" license_url = "N/A" hash = "d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29" - logic_hash = "v1_sha256_ac5926d6173f291e7907a2ced61c9968660d24fdd28ed3dca097567040b059e3" + logic_hash = "ac5926d6173f291e7907a2ced61c9968660d24fdd28ed3dca097567040b059e3" score = 75 quality = 55 tags = "FILE" 
@@ -218253,14 +218468,14 @@ rule NCSC_Neuron_Standalone_Signature : FILE meta: description = "Rule for detection of Neuron based on a standalone signature from .NET metadata" author = "NCSC UK" - id = "1d7d0a03-6fb0-5c4b-9854-a199ff047f14" + id = "e0be2fe2-32fd-5bdf-bfac-a596264be7ba" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L25-L37" license_url = "N/A" hash = "d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29" - logic_hash = "v1_sha256_a0d8d7e834fb07c22951ea4a31bf507e0c3d471e7cd500b60096f5e09844b452" + logic_hash = "a0d8d7e834fb07c22951ea4a31bf507e0c3d471e7cd500b60096f5e09844b452" score = 75 quality = 80 tags = "FILE" @@ -218277,14 +218492,14 @@ rule NCSC_Neuron_Functions_Classes_And_Vars : FILE meta: description = "Rule for detection of Neuron based on .NET function, variable and class names" author = "NCSC UK" - id = "622025c1-3f74-5edc-891b-05c847e08b71" + id = "6c785b63-637b-5343-b839-0b482cfc9cf6" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L39-L66" license_url = "N/A" hash = "d1d7a96fcadc137e80ad866c838502713db9cdfe59939342b8e3beacf9c7fe29" - logic_hash = "v1_sha256_2e378af2ddb15ed1285eafecee1075caf958c7ff470608801c49c951e044d912" + logic_hash = "2e378af2ddb15ed1285eafecee1075caf958c7ff470608801c49c951e044d912" score = 75 quality = 80 tags = "FILE" 
@@ -218316,14 +218531,14 @@ rule NCSC_Nautilus_Modified_Rc4_Loop : FILE meta: description = "Rule for detection of Nautilus based on assembly code for a modified RC4 loop" author = "NCSC UK" - id = "aed45e07-75bb-51c2-805a-24d3c11906b4" + id = "0c5da057-0f1d-5852-ad75-94bf40c133e4" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L68-L79" license_url = "N/A" hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3" - logic_hash = "v1_sha256_58673db1d995ac2fed1eefa8baab426558bb9d46b239cdc8715d41925d5f4657" + logic_hash = "58673db1d995ac2fed1eefa8baab426558bb9d46b239cdc8715d41925d5f4657" score = 75 quality = 80 tags = "FILE" @@ -218339,14 +218554,14 @@ rule NCSC_Nautilus_Rc4_Key : FILE meta: description = "Rule for detection of Nautilus based on a hardcoded RC4 key" author = "NCSC UK" - id = "3cb7b8cc-3158-5c5b-9971-d2b7654e87e9" + id = "124c8b95-46fb-5cc1-9b10-b10536e1781d" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L81-L92" license_url = "N/A" hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3" - logic_hash = "v1_sha256_215c0a20b3793411eea3cbf85a2e5ada8ce6b1f5aa8d84fc468a354c53df2b0c" + logic_hash = "215c0a20b3793411eea3cbf85a2e5ada8ce6b1f5aa8d84fc468a354c53df2b0c" score = 75 quality = 78 tags = "FILE" 
@@ -218362,14 +218577,14 @@ rule NCSC_Nautilus_Common_Strings : FILE meta: description = "Rule for detection of Nautilus based on common plaintext strings" author = "NCSC UK" - id = "553add82-b7ea-5e59-af47-645ce36bd721" + id = "0e3af6ef-1a97-5324-a186-95e6f3d836f4" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L94-L110" license_url = "N/A" hash = "a415ab193f6cd832a0de4fcc48d5f53d6f0b06d5e13b3c359878c6c31f3e7ec3" - logic_hash = "v1_sha256_28d664018e396d48928678de35ea95148ca1c6579efcb832c50606f43089a862" + logic_hash = "28d664018e396d48928678de35ea95148ca1c6579efcb832c50606f43089a862" score = 75 quality = 80 tags = "FILE" @@ -218390,14 +218605,14 @@ rule NCSC_Neuron2_Loader_Strings : FILE meta: description = "Rule for detection of Neuron2 based on strings within the loader" author = "NCSC" - id = "41a42a6c-d752-5b42-89ae-31c7aadff061" + id = "eaef4710-1971-55a2-9079-07a9b8bd86eb" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L130-L146" license_url = "N/A" hash = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927" - logic_hash = "v1_sha256_c873eaf6f00ea1ee7d86dad451b997d4c8c45c27ac07c3a222b57b5dc203a810" + logic_hash = "c873eaf6f00ea1ee7d86dad451b997d4c8c45c27ac07c3a222b57b5dc203a810" score = 75 quality = 80 tags = "FILE" 
@@ -218418,14 +218633,14 @@ rule NCSC_Neuron2_Decryption_Routine : FILE meta: description = "Rule for detection of Neuron2 based on the routine used to decrypt the payload" author = "NCSC" - id = "179d0b38-afbd-52d0-8ec2-d18bc006bc51" + id = "6fa43865-f970-57c0-81c7-e9c851e9453c" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L148-L159" license_url = "N/A" hash = "51616b207fde2ff1360a1364ff58270e0d46cf87a4c0c21b374a834dd9676927" - logic_hash = "v1_sha256_27a9de186dd1a91e3e3c18a786e5604e46e8d2f6364d76fa441bff15eb1aed84" + logic_hash = "27a9de186dd1a91e3e3c18a786e5604e46e8d2f6364d76fa441bff15eb1aed84" score = 75 quality = 80 tags = "FILE" @@ -218441,14 +218656,14 @@ rule NCSC_Neuron2_Dotnet_Strings : FILE meta: description = "Rule for detection of the .NET payload for Neuron2 based on strings used" author = "NCSC" - id = "4ee29a31-fb9e-50bd-8be8-3c1efa65423f" + id = "a36e4009-e1a1-520a-9397-8b6f2ad4065a" date = "2018-02-06" modified = "2018-02-06" reference = "https://www.ncsc.gov.uk/alerts/turla-group-malware" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/turla_neuron_nautilus.yar#L161-L176" license_url = "N/A" hash = "83d8922e7a8212f1a2a9015973e668d7999b90e7000c31f57be83803747df015" - logic_hash = "v1_sha256_9a0e8a3b627fa46f11fb5bbf926665aed4de6250c5229c8acb59c784e66943e5" + logic_hash = "9a0e8a3b627fa46f11fb5bbf926665aed4de6250c5229c8acb59c784e66943e5" score = 75 quality = 80 tags = "FILE" 
@@ -218468,13 +218683,13 @@ rule NCSC_Sparrowdoor_Apipatch meta: description = "Identifies code segments in SparrowDoor responsible for patching APIs. No MZ/PE match as the backdoor has no header. Targeting in memory." author = "NCSC" - id = "459390af-131f-58cc-b41e-562d0129f516" + id = "119b7f3a-1850-53ab-a5d1-8882e34a34b4" date = "2022-02-28" modified = "2022-07-06" reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_apipatch.yar#L1-L17" license_url = "N/A" - logic_hash = "v1_sha256_302ad7fc0354636c57e6ec86876c7d4a5baaa784f5ecf0f2d51ce47631b8542a" + logic_hash = "302ad7fc0354636c57e6ec86876c7d4a5baaa784f5ecf0f2d51ce47631b8542a" score = 75 quality = 80 tags = "" @@ -218496,13 +218711,13 @@ rule NCSC_Sparrowdoor_Shellcode meta: description = "Targets code features of the reflective loader for SparrowDoor. Targeting in memory." author = "NCSC" - id = "7bfc74fe-a774-5a85-8607-13c916936303" + id = "572187fb-1a11-54f2-9fe7-2b7468b56556" date = "2022-02-28" modified = "2022-07-06" reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_shellcode.yar#L1-L15" license_url = "N/A" - logic_hash = "v1_sha256_7186bab23114b4825161f58fb02ff397ec8278385482232a4086c86c6fc47082" + logic_hash = "7186bab23114b4825161f58fb02ff397ec8278385482232a4086c86c6fc47082" score = 75 quality = 80 tags = "" 
@@ -218522,13 +218737,13 @@ rule NCSC_Sparrowdoor_Strings meta: description = "Strings that appear in SparrowDoor’s backdoor. Targeting in memory." author = "NCSC" - id = "052da73d-0f40-5366-a601-d229cc32d6f6" + id = "6f96a577-fb59-57db-a66a-f514ecfbf982" date = "2022-02-28" modified = "2022-07-06" reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_strings.yar#L1-L23" license_url = "N/A" - logic_hash = "v1_sha256_65ec5d266ecd81ab8e4cfbcb352173f825bdae92fd4737b577cb209bace2a943" + logic_hash = "65ec5d266ecd81ab8e4cfbcb352173f825bdae92fd4737b577cb209bace2a943" score = 75 quality = 80 tags = "" @@ -218556,13 +218771,13 @@ rule NCSC_Sparrowdoor_Xor meta: description = "Highlights XOR routines in SparrowDoor. No MZ/PE match as the backdoor has no header. Targeting in memory." author = "NCSC" - id = "23711ae8-707d-5817-9f9c-baf871de89c5" + id = "9c07feea-91fc-528e-91ac-14d09fa1fc10" date = "2022-02-28" modified = "2022-07-06" reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_xor.yar#L1-L14" license_url = "N/A" - logic_hash = "v1_sha256_3244e9017e5a0bf1c54e03b3191a5c695b2c1586b3ed4c529742f9b48903a348" + logic_hash = "3244e9017e5a0bf1c54e03b3191a5c695b2c1586b3ed4c529742f9b48903a348" score = 75 quality = 80 tags = "" 
@@ -218581,13 +218796,13 @@ rule NCSC_Sparrowdoor_Sleep_Routine
 meta:
 description = "SparrowDoor implements a Sleep routine with value seeded on GetTickCount. This signature detects the previous and this variant of SparrowDoor. No MZ/PE match as the backdoor has no header."
 author = "NCSC"
- id = "7f017f10-b162-5348-bf95-37f6252d85a7"
+ id = "9a0aa77d-7dbe-5007-b875-211cf528614b"
 date = "2022-02-28"
 modified = "2022-07-06"
 reference = "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf"
 source_url = "https://github.com/mikesxrs/Open-Source-YARA-rules/blob/ec0056f767db98bf6d5fd63877ad51fb54d350e9/NCSC/SparrowDoor_sleep_routine.yar#L1-L12"
 license_url = "N/A"
- logic_hash = "v1_sha256_8ae231cb43440e1771d9f7ecaccfedae33f4d14e5ebabd94a909e05bd9fe1bc1"
+ logic_hash = "8ae231cb43440e1771d9f7ecaccfedae33f4d14e5ebabd94a909e05bd9fe1bc1"
 score = 75
 quality = 80
 tags = ""
@@ -218603,7 +218818,7 @@ rule NCSC_Sparrowdoor_Sleep_Routine
 * YARA Rule Set
 * Repository Name: Dr4k0nia
 * Repository: https://github.com/dr4k0nia/yara-rules
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8
 * Number of Rules: 5
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -218635,14 +218850,14 @@ rule DR4K0NIA_MAL_MSIL_NET_Typhonlogger_Jul23 : FILE
 meta:
 description = "Detects TyphonLogger .NET payloads"
 author = "dr4k0nia"
- id = "828cbf24-6773-5284-9b01-b1f23160e31a"
+ id = "2fbc1d9e-9c07-560b-9476-a176cdbe1bad"
 date = "2023-11-07"
 modified = "2023-07-11"
 reference = "https://github.com/dr4k0nia/yara-rules"
 source_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/dotnet/mal_msil_typhon_logger.yar#L1-L21"
 license_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/LICENSE.md"
 hash = "fc8733c217b49ca14702a59a637efc7dba6a2993d57e67424513ce2f5e9d8ed8"
- logic_hash = "v1_sha256_5c22aab1942e31095989b8267e0231191718d4ec44eb3afc6a50f929aae872c8"
+ logic_hash = "5c22aab1942e31095989b8267e0231191718d4ec44eb3afc6a50f929aae872c8"
 score = 75
 quality = 81
 tags = "FILE"
@@ -218667,14 +218882,14 @@ rule DR4K0NIA_Msil_Susp_Obf_Antidump : FILE
 meta:
 description = "No description has been set in the source file - Dr4k0nia"
 author = "dr4k0nia"
- id = "a38b3494-f592-5dac-bfb2-c7d92a942951"
+ id = "d9217ade-a016-548e-b63f-f6ee78ff8775"
 date = "2023-12-03"
 modified = "2023-03-13"
 reference = "https://github.com/dr4k0nia/yara-rules"
 source_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/dotnet/msil_susp_obf_antidump.yar#L7-L39"
 license_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/LICENSE.md"
 hash = "ef7bb2464a2b430aa98bd65a1a40b851b57cb909ac0aea3e53729c0ff900fa42"
- logic_hash = "v1_sha256_18cfc720f54b2178398f8214591a3fb777ea11e67a8a6d2ce26cc4891a62fd35"
+ logic_hash = "18cfc720f54b2178398f8214591a3fb777ea11e67a8a6d2ce26cc4891a62fd35"
 score = 65
 quality = 85
 tags = "FILE"
@@ -218707,13 +218922,13 @@ rule DR4K0NIA_Msil_Susp_Obf_Xorstringsnet : FILE
 meta:
 description = "Detects XorStringsNET string encryption, and other obfuscators derived from it"
 author = "dr4k0nia"
- id = "86529061-c16f-51ab-8d3a-e0324c1d5340"
+ id = "0bea654d-9244-5320-a815-691384decc74"
 date = "2023-03-26"
 modified = "2023-03-26"
 reference = "https://github.com/dr4k0nia/yara-rules"
 source_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/dotnet/msil_susp_obf_xorstringsnet.yar#L3-L16"
 license_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/LICENSE.md"
- logic_hash = "v1_sha256_c494b5b64bcb63d1edd611206fb41eb9a23a940a72c3e9fc3f626e91482b1352"
+ logic_hash = "c494b5b64bcb63d1edd611206fb41eb9a23a940a72c3e9fc3f626e91482b1352"
 score = 65
 quality = 85
 tags = "FILE"
@@ -218730,13 +218945,13 @@ rule DR4K0NIA_MAL_Msil_Net_Niximports_Loader : FILE
 meta:
 description = "Detects NixImports .NET loader"
 author = "dr4k0nia"
- id = "0984a80f-88ab-5486-a2ee-1d15bfc2b20a"
+ id = "ba0d072d-674a-5790-9381-4dac98204268"
 date = "2023-05-21"
 modified = "2023-05-22"
 reference = "https://github.com/dr4k0nia/NixImports"
 source_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/dotnet/msil_mal_niximports_loader.yar#L1-L21"
 license_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/LICENSE.md"
- logic_hash = "v1_sha256_79421b2677705852f893fa53478deb2e4aa8bd354ac05cbf5438a3a2a15d70bf"
+ logic_hash = "79421b2677705852f893fa53478deb2e4aa8bd354ac05cbf5438a3a2a15d70bf"
 score = 75
 quality = 85
 tags = "FILE"
@@ -218759,14 +218974,14 @@ rule DR4K0NIA_Msil_Suspicious_Use_Of_Strreverse : FILE
 meta:
 description = "Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse"
 author = "dr4k0nia"
- id = "6a560868-aca5-5b38-9201-e3d6ca2ce84e"
+ id = "6d4682c3-b372-5d9e-bd6b-747c63e507c6"
 date = "2023-01-31"
 modified = "2023-02-22"
 reference = "https://github.com/dr4k0nia/yara-rules"
 source_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/dotnet/msil_suspicious_use_of_strreverse.yar#L3-L26"
 license_url = "https://github.com/dr4k0nia/yara-rules/blob/4b10f9b79a4cfb3ec9cb5675f32cc7ee6885fbd8/LICENSE.md"
 hash = "02ce0980427dea835fc9d9eed025dd26672bf2c15f0b10486ff8107ce3950701"
- logic_hash = "v1_sha256_ce44f1df536104134303b705bda5798dd14dc413296636f2380ecf5811dd63b7"
+ logic_hash = "ce44f1df536104134303b705bda5798dd14dc413296636f2380ecf5811dd63b7"
 score = 60
 quality = 55
 tags = "FILE"
@@ -218784,7 +218999,7 @@ rule DR4K0NIA_Msil_Suspicious_Use_Of_Strreverse : FILE
 * YARA Rule Set
 * Repository Name: EmbeeResearch
 * Repository: https://github.com/embee-research/Yara-detection-rules/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4
 * Number of Rules: 39
 * Skipped: 0 (age), 8 (quality), 0 (score), 0 (importance)
@@ -218799,14 +219014,14 @@ rule EMBEERESEARCH_Win_Redline_Updated_Bytecodes_Oct_2023
 meta:
 description = "Configuration related bytecodes in redline .net files"
 author = "Matthew @ Embee_Research"
- id = "87aac748-1fb2-5c43-a85a-36240bcb3f42"
+ id = "1e4470cf-fad3-57e5-8a95-deb97e98dbdc"
 date = "2023-10-11"
 modified = "2023-10-11"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_redline_bytecodes_oct_2023.yar#L2-L35"
 license_url = "N/A"
 hash = "0cc3a0f8b48ef8d8562b9cdf9c7cfe7f63faf43a5ac6dc6973dc8bf13b6c88cf"
- logic_hash = "v1_sha256_77273ba3736baf2c197fb8b17de1e22ba8f2380f73f9114f324ef56bfa508654"
+ logic_hash = "77273ba3736baf2c197fb8b17de1e22ba8f2380f73f9114f324ef56bfa508654"
 score = 75
 quality = 75
 tags = ""
@@ -218837,14 +219052,14 @@ rule EMBEERESEARCH_Win_Lumma_Simple_Strings : FILE
 meta:
 description = ""
 author = "Matthew @ Embee_Research"
- id = "fb701eba-bcdf-5a27-b0f5-3b17b5601f6a"
+ id = "d949d547-a2ee-56d9-8510-74f3b718b2c0"
 date = "2023-09-13"
 modified = "2023-09-21"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_lumma _simple_sep_2023.yar#L1-L40"
 license_url = "N/A"
 hash = "277d7f450268aeb4e7fe942f70a9df63aa429d703e9400370f0621a438e918bf"
- logic_hash = "v1_sha256_0b3cb6721d26b79afe892b1c4df5e54c18cd7a5492aeacd442deca6b9b926f3c"
+ logic_hash = "0b3cb6721d26b79afe892b1c4df5e54c18cd7a5492aeacd442deca6b9b926f3c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -218866,7 +219081,7 @@ rule EMBEERESEARCH_Win_Darkgate_Xllloader_Oct_2023
 meta:
 description = "Detects XLL Files Related to DarkGate"
 author = "Matthew @ Embee_Research"
- id = "118caa8a-ac81-541c-8659-95beb18e41e8"
+ id = "4b5d9a2d-90ee-5452-83be-1677e1888045"
 date = "2023-10-03"
 modified = "2023-10-04"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -218878,7 +219093,7 @@ rule EMBEERESEARCH_Win_Darkgate_Xllloader_Oct_2023
 hash = "27ec297e1fc34e29963303782ff881e74f8bd4126f4c5be0c4754f745d85f79a"
 hash = "392fd4d218a8e333bc422635e48fdfae59054413c7a6be764c0275752d45ab23"
 hash = "9a34b32d0a66dd4f59aeea82ef48f335913c47c6ca901ab109df702cd166892f"
- logic_hash = "v1_sha256_ea9a166550c53225b0a06e2cd86760f63aed8973e889a457470bdba3d87ce6af"
+ logic_hash = "ea9a166550c53225b0a06e2cd86760f63aed8973e889a457470bdba3d87ce6af"
 score = 75
 quality = 75
 tags = ""
@@ -218897,14 +219112,14 @@ rule EMBEERESEARCH_Win_Solarmarker_Bytecodes : FILE
 meta:
 description = "Detects bytecodes present in solarmarker Packer"
 author = "Matthew @ Embee_Research"
- id = "3005f23a-0d6b-5862-8514-e39f4a42f1a4"
+ id = "d405e7ae-f09b-5993-a510-e5e1bc289898"
 date = "2023-09-10"
 modified = "2023-09-11"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_solarmarker_bytecodes_aug_2023.yar#L3-L21"
 license_url = "N/A"
 hash = "a433dad1e31f2e19ab5d22b6348c73fa4c874502acc20d5517d785b554754279"
- logic_hash = "v1_sha256_52256184706b7173ee8e8683ac79c1b9d4773778c135e4dae255376c0a6651fb"
+ logic_hash = "52256184706b7173ee8e8683ac79c1b9d4773778c135e4dae255376c0a6651fb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -218922,14 +219137,14 @@ rule EMBEERESEARCH_Win_Exela_Stealer_Simple_Strings_Sep_2023
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "Matthew @embee_research"
- id = "adcb2546-8bc7-5b47-900c-44dee5d4764c"
+ id = "e63aa1d3-997e-5200-93fc-869c177fe1a8"
 date = "2023-09-24"
 modified = "2023-09-26"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_exela_stealer_simple_strings_sep_2023.yar#L4-L32"
 license_url = "N/A"
 hash = "bf5d70ca2faf355d86f4b40b58032f21e99c3944b1c5e199b9bb728258a95c1b"
- logic_hash = "v1_sha256_2312b63fe86fd34eb12f42f079f470eb3af27ef8c199f3620253c828ad28441a"
+ logic_hash = "2312b63fe86fd34eb12f42f079f470eb3af27ef8c199f3620253c828ad28441a"
 score = 75
 quality = 75
 tags = ""
@@ -218954,14 +219169,14 @@ rule EMBEERESEARCH_Win_Redline_Loader_Dec_2023
 meta:
 description = "Patterns observed in redline loader"
 author = "Matthew @ Embee_Research"
- id = "ceb681ce-a5b0-569c-8e1f-e044be6b713b"
+ id = "59d933a8-8ccd-565f-b379-e0bf6c3d3111"
 date = "2023-12-24"
 modified = "2023-12-29"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_redline_loader_dec_2023.yar#L1-L20"
 license_url = "N/A"
 hash = ""
- logic_hash = "v1_sha256_831c32f9998b97f7ceeb14df73a264a998df5f8800aaa5271755aaaeac070010"
+ logic_hash = "831c32f9998b97f7ceeb14df73a264a998df5f8800aaa5271755aaaeac070010"
 score = 75
 quality = 75
 tags = ""
@@ -218982,7 +219197,7 @@ rule EMBEERESEARCH_Win_Quasar_Rat_Client : FILE
 meta:
 description = "Detects strings present in Quasar Rat Samples."
 author = "Matthew @ Embee_Research"
- id = "96d7bac0-c01e-5acd-852c-d8418654d35f"
+ id = "7fc0bd6d-e187-51b7-a8b8-68b17271cef8"
 date = "2023-08-27"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -218991,7 +219206,7 @@ rule EMBEERESEARCH_Win_Quasar_Rat_Client : FILE
 hash = "914d88f295ac2213f37d3f71e6d4383979283d1728079a208f286effb44d840c"
 hash = "45a724179ae1d08044c4bafb69c7f9cdb4ed35891dc9cf24aa664d75464ceb6d"
 hash = "7e13bcd73232c3f33410aa95f61e1196a2f9ae35e05c1f9c8f251e07077a9dfb"
- logic_hash = "v1_sha256_efba911780ffb144f277e88ff8ca8f53a90c32a677ccb19ec26e71f974a1b91f"
+ logic_hash = "efba911780ffb144f277e88ff8ca8f53a90c32a677ccb19ec26e71f974a1b91f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219004,7 +219219,7 @@ rule EMBEERESEARCH_Win_Quasar_Rat_Client : FILE
 $s5 = "Yandex\\YandexBrowser\\User Data\\Default\\" wide
 condition:
- uint16( 0 ) == 0x5a4d and dotnet.is_dotnet and filesize < 7000KB and ( for any i in ( 0 .. dotnet.number_of_resources - 1 ) : ( dotnet.resources [ i ] . name == "Quasar.Client*" ) or ( 3 of ( $s* ) ) )
+ uint16( 0 ) == 0x5a4d and dotnet.is_dotnet and filesize < 7000KB and ( for any i in ( 0 .. dotnet.number_of_resources -1 ) : ( dotnet.resources [ i ] . name == "Quasar.Client*" ) or ( 3 of ( $s* ) ) )
 }
 import "dotnet"
@@ -219013,7 +219228,7 @@ rule EMBEERESEARCH_Win_Xworm_Bytestring
 meta:
 description = "Detects bytestring present in unobfuscated xworm"
 author = "Matthew @ Embee_Research"
- id = "368f35e3-8ec3-5b0c-a720-3cad56a96d45"
+ id = "b7bad89d-ff15-50ae-8c97-64b181dad07f"
 date = "2023-08-27"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219021,7 +219236,7 @@ rule EMBEERESEARCH_Win_Xworm_Bytestring
 license_url = "N/A"
 hash = "8948b34d471db1e334e6caa00492bd11a60d0ec378933386b0cb7bc1b971c102"
 hash = "52634ade55558807042eae35e2777894e405e811102e980a2e2b25d151fde121"
- logic_hash = "v1_sha256_dd9955c3616ee65cf94625f5fc92298464a9a3b6deaf32ae70d7e8206c0ceb5b"
+ logic_hash = "dd9955c3616ee65cf94625f5fc92298464a9a3b6deaf32ae70d7e8206c0ceb5b"
 score = 50
 quality = 75
 tags = ""
@@ -219037,7 +219252,7 @@ rule EMBEERESEARCH_Win_Pikabot_Loader_Bytecodes_Oct_2023
 meta:
 description = "Detects bytecodes in recent PikaBot Loaders"
 author = "Matthew @ Embee_Research"
- id = "652b0b07-06a1-5b7d-a6f4-d618c1c4bd7b"
+ id = "c15b9390-1d20-5325-81c3-c6cf59ffb21f"
 date = "2023-10-03"
 modified = "2023-10-08"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219046,7 +219261,7 @@ rule EMBEERESEARCH_Win_Pikabot_Loader_Bytecodes_Oct_2023
 hash = "778b6797bb9c9d2f868d3faaaf6b36ce3f06178c133bb592c5345c95ffb034a9"
 hash = "e26d44d740b4edbd37fa6196dcc9171e49e711d8ce64f67aae36c4299e352108"
 hash = "2d212cacc4767ef4383bdf462a9bb8aaf87f0b3c55b4c2f4a47c97c710ec1cd8"
- logic_hash = "v1_sha256_a078df39fda5ab6f432c4bf42fb61bdf106386d9684188189e3cea81803b3952"
+ logic_hash = "a078df39fda5ab6f432c4bf42fb61bdf106386d9684188189e3cea81803b3952"
 score = 75
 quality = 75
 tags = ""
@@ -219066,7 +219281,7 @@ rule EMBEERESEARCH_Win_Agent_Tesla_Bytecodes_Sep_2023
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "Matthew @embee_research"
- id = "97b9a38d-e2d1-5204-8cd5-9d1d74c05b5b"
+ id = "9d1c5010-7c64-5a6a-bf60-35c042732761"
 date = "2023-09-21"
 modified = "2023-09-21"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219075,7 +219290,7 @@ rule EMBEERESEARCH_Win_Agent_Tesla_Bytecodes_Sep_2023
 hash = "ce696cf7a6111f5e7c6781854de04ddc262b6c9b39c059fd5435dfb3b8901f04"
 hash = "afc29232c4989587db2c54b7c9f145fd0d73537e045ece15338582ede5389fce"
 hash = "fba4374163ba25c9dc572f1a5d7f3e46e09531ab964d808f3dde2a19c05a2ee5"
- logic_hash = "v1_sha256_1cc40ab16dfa5245b3146e4512509037f540d59e155040a2336a97cd0f42e612"
+ logic_hash = "1cc40ab16dfa5245b3146e4512509037f540d59e155040a2336a97cd0f42e612"
 score = 75
 quality = 75
 tags = ""
@@ -219091,14 +219306,14 @@ rule EMBEERESEARCH_Win_Cobalt_Sleep_Encrypt : FILE
 meta:
 description = "Detects Sleep Encryption Logic Found in Cobalt Strike Deployments"
 author = "Matthew @ Embee_Research"
- id = "e472a49c-4e0c-5a7d-a082-a689f5f5071d"
+ id = "6bd6fbb4-6634-5b51-90f0-f24e48d69043"
 date = "2023-08-27"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_cobalt_sleep_encrypt_aug_2023.yar#L1-L55"
 license_url = "N/A"
 hash = "26b2f12906c3590c8272b80358867944fd86b9f2cc21ee6f76f023db812e5bb1"
- logic_hash = "v1_sha256_7aa2674ecaaae819c3f26924fa0622df322b1214493f37b1bdf5e00ba5ee98e6"
+ logic_hash = "7aa2674ecaaae819c3f26924fa0622df322b1214493f37b1bdf5e00ba5ee98e6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219115,7 +219330,7 @@ rule EMBEERESEARCH_Win_Cobaltstrike_Pipe_Strings_Nov_2023 : FILE
 meta:
 description = "Detects default strings related to cobalt strike named pipes"
 author = "Matthew @ Embee_Research"
- id = "924ea723-1807-5ce1-bd48-bd57c26929ae"
+ id = "9237f4e8-b9c4-54cb-9cb2-999d267392af"
 date = "2023-11-04"
 modified = "2023-11-04"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219124,7 +219339,7 @@ rule EMBEERESEARCH_Win_Cobaltstrike_Pipe_Strings_Nov_2023 : FILE
 hash = "99986d438ec146bbb8b5faa63ce47264750a8fdf508a4d4250a8e1e3d58377fd"
 hash = "090402a6e2db12cbdd3a889b7b46bb7702acc0cad37d87ff201230b618fe7ed5"
 hash = "eb2b263937f8d28aa9df7277b6f25d10604a5037d5644c98ee0ab8f7a25db7b4"
- logic_hash = "v1_sha256_ff17fe9d04d9ad6aa5c034b69d412b0d62c48c537c3a54a465761e27e9255e6d"
+ logic_hash = "ff17fe9d04d9ad6aa5c034b69d412b0d62c48c537c3a54a465761e27e9255e6d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219145,14 +219360,14 @@ rule EMBEERESEARCH_Win_Njrat_Strings_Oct_2023
 meta:
 description = ""
 author = "Matthew @ Embee_Research"
- id = "fc1b016b-10f2-5703-b55a-0eccc1c8c3cf"
+ id = "c89711cb-aae9-5409-80c2-145a8d5fca56"
 date = "2023-10-03"
 modified = "2023-10-03"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_njrat_strings_oct_2023.yar#L3-L25"
 license_url = "N/A"
 hash = "59d6e2958780d15131c102a93fefce6e388e81da7dc78d9c230aeb6cab7e3474"
- logic_hash = "v1_sha256_ed36a991aa2699486f1ef34f4f4d559a3dd351180602f017ad7d868e146c703b"
+ logic_hash = "ed36a991aa2699486f1ef34f4f4d559a3dd351180602f017ad7d868e146c703b"
 score = 75
 quality = 75
 tags = ""
@@ -219175,7 +219390,7 @@ rule EMBEERESEARCH_Win_Xworm_Simple_Strings
 meta:
 description = "Detects simple strings present in unobfuscated xworm"
 author = "Matthew @ Embee_Research"
- id = "a33ed275-ea94-568e-a1a0-6b8840f6a8f5"
+ id = "8d5d8f07-72fa-596b-a3fc-1dee4b7fd058"
 date = "2023-08-30"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219183,7 +219398,7 @@ rule EMBEERESEARCH_Win_Xworm_Simple_Strings
 license_url = "N/A"
 hash = "4459d95c0493d640ecc9453cf6a4f2b7538b1a7b95032f70803fc726b8e40422"
 hash = "820bb1a31f421b90ea51efc3e71cc720c8c2784fb1e882e732e8fafb8631a389"
- logic_hash = "v1_sha256_f7df310b24b2078249cdb670ece71ebe30f985c92b3e44b6dcf0e37405a26bc3"
+ logic_hash = "f7df310b24b2078249cdb670ece71ebe30f985c92b3e44b6dcf0e37405a26bc3"
 score = 75
 quality = 75
 tags = ""
@@ -219202,14 +219417,14 @@ rule EMBEERESEARCH_Win_Redline_Bytecodes_Jan_2024 : FILE
 meta:
 description = "Bytecodes found in late 2023 Redline malware"
 author = "Matthew @ Embee_Research"
- id = "7a108c6b-a45a-5150-a481-651e261f933e"
+ id = "8acf0fbb-f7d1-5a3d-9ccb-ee21926d6a31"
 date = "2023-08-27"
 modified = "2024-01-02"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_redline_bytecodes_jan_2024.yar#L1-L22"
 license_url = "N/A"
 hash = "ea1271c032046d482ed94c6d2c2c6e3ede9bea57dff13156cabca42b24fb9332"
- logic_hash = "v1_sha256_43f4d718611c16983071587c2806f92550ebba6bae737c59c63cd8584a5cc01f"
+ logic_hash = "43f4d718611c16983071587c2806f92550ebba6bae737c59c63cd8584a5cc01f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219226,14 +219441,14 @@ rule EMBEERESEARCH_Win_Redline_Payload_Dec_2023
 meta:
 description = "Patterns observed in redline"
 author = "Matthew @ Embee_Research"
- id = "d9035b96-df10-5303-84f7-1c48bbfd4350"
+ id = "6208779a-69b2-55b5-9744-987575c00d96"
 date = "2023-12-24"
 modified = "2023-12-29"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_redline_payload_dec_2023.yar#L1-L16"
 license_url = "N/A"
 hash = "5790aead07ce0b9b508392b9a2f363ef77055ae16c44231773849c87a1dd15a4"
- logic_hash = "v1_sha256_d016baa5017120a3037e9cef7fd649228f7be60e511ecbdedf97916f59eec881"
+ logic_hash = "d016baa5017120a3037e9cef7fd649228f7be60e511ecbdedf97916f59eec881"
 score = 75
 quality = 75
 tags = ""
@@ -219249,14 +219464,14 @@ rule EMBEERESEARCH_Win_Remcos_Rat_Unpacked : FILE
 meta:
 description = "Detects strings present in remcos rat Samples."
 author = "Matthew @ Embee_Research"
- id = "2802342f-4423-543c-a9d4-937d0609cf5c"
+ id = "d4282638-592a-5c07-b07b-937e2a7879e4"
 date = "2023-08-27"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_remcos_rat_unpacked_aug_2023.yar#L2-L32"
 license_url = "N/A"
 hash = "ec901217558e77f2f449031a6a1190b1e99b30fa1bb8d8dabc3a99bc69833784"
- logic_hash = "v1_sha256_c6d1772a5517b104de3022f4bab55d92784d35c3a252a4e0516083d8bd28cad0"
+ logic_hash = "c6d1772a5517b104de3022f4bab55d92784d35c3a252a4e0516083d8bd28cad0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219280,7 +219495,7 @@ rule EMBEERESEARCH_Win_Stealc_Bytecodes_Oct_2023
 meta:
 description = "Bytecodes present in Stealc decoding routine"
 author = "Matthew @ Embee_Research"
- id = "43397d18-6c69-5fc5-a5df-63d7522cf210"
+ id = "ecac28a0-cd77-5e6a-8af2-59ea62e733bf"
 date = "2023-08-27"
 modified = "2023-10-09"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219288,7 +219503,7 @@ rule EMBEERESEARCH_Win_Stealc_Bytecodes_Oct_2023
 license_url = "N/A"
 hash = "74ff68245745b9d4cec9ef3c539d8da15295bdc70caa6fdb0632acdd9be4130a"
 hash = "9f44a4cbc30e7a05d7eb00b531a9b3a4ada5d49ecf585b48892643a189358526"
- logic_hash = "v1_sha256_d50f57e32a7f513d92625549fcd139b7fa1e478879283fd61426fcd19d03d296"
+ logic_hash = "d50f57e32a7f513d92625549fcd139b7fa1e478879283fd61426fcd19d03d296"
 score = 75
 quality = 75
 tags = ""
@@ -219304,14 +219519,14 @@ rule EMBEERESEARCH_Win_Lumma_Update_Simple_Strings_Sep_2023 : FILE
 meta:
 description = ""
 author = "Matthew @ Embee_Research"
- id = "3c93e046-c4f0-57e3-894e-290c917e21a5"
+ id = "90209fc6-fd50-5b55-a400-112b2f207885"
 date = "2023-09-13"
 modified = "2023-09-21"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_lumma_updated_sep_2023.yar#L1-L25"
 license_url = "N/A"
 hash = "898a2bdbbb33ccd63b038c67d217554a668a52e9642874bd0f57e08153e6e5be"
- logic_hash = "v1_sha256_61571057a5a9c114b6ed5b94b922f2b389406a05e705b3e9e6ddbee221f74c92"
+ logic_hash = "61571057a5a9c114b6ed5b94b922f2b389406a05e705b3e9e6ddbee221f74c92"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219330,7 +219545,7 @@ rule EMBEERESEARCH_Win_Solarmarker_Stage2_Bytecodes_Dec_2023
 meta:
 description = "Patterns observed in Solarmarker stage2 dll"
 author = "Matthew @ Embee_Research"
- id = "ce85727e-fc17-5b61-8ce9-efd98f2170c2"
+ id = "9aba6cdf-1491-579d-b4a7-fe229272015d"
 date = "2023-12-28"
 modified = "2023-12-28"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219338,7 +219553,7 @@ rule EMBEERESEARCH_Win_Solarmarker_Stage2_Bytecodes_Dec_2023
 license_url = "N/A"
 hash = "4a3b60496a793ee96a51fecf8690ef8312429a6b54d32f2a4424395c47b47fc8"
 hash = "e0b2457491a8c2d50710aa343ad1957a76f83ceaf680165ffa0e287fe18abbd6"
- logic_hash = "v1_sha256_8e50e5942f0029ffda1d9750f8cc8e004a2512e50b6a14c1619ae0b83477a944"
+ logic_hash = "8e50e5942f0029ffda1d9750f8cc8e004a2512e50b6a14c1619ae0b83477a944"
 score = 75
 quality = 75
 tags = ""
@@ -219356,7 +219571,7 @@ rule EMBEERESEARCH_Win_Icedid_Snowloader_Bytecodes_Oct_2023
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "Matthew @ Embee_Research"
- id = "e0844fee-97bb-5fb7-9b86-2c95ebbc508b"
+ id = "ad5d7bf5-813d-519d-91ae-e6a69fd557df"
 date = "2023-08-27"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219365,7 +219580,7 @@ rule EMBEERESEARCH_Win_Icedid_Snowloader_Bytecodes_Oct_2023
 hash = "e096de90f65ff83ed0e929b330aa765a8e2322625325fb042775bff1748467cc"
 hash = "e87928fcddf13935c91a0b5577e28efd29bb6a5c1d98e5129dec63e231601053"
 hash = "82a01607ebdcaa73b9ff201ccb76780ad8de4a99dd3df026dcb71b0f007456ed"
- logic_hash = "v1_sha256_5baa308ce130cbbe80f94fc127b083f26ae87552910c2bc6f3bae3008cf1aa63"
+ logic_hash = "5baa308ce130cbbe80f94fc127b083f26ae87552910c2bc6f3bae3008cf1aa63"
 score = 75
 quality = 75
 tags = ""
@@ -219383,14 +219598,14 @@ rule EMBEERESEARCH_Win_Berbew_Strings_Dec_2023
 meta:
 description = "Strings observed in Berbew malware."
 author = "Matthew @ Embee_Research"
- id = "6cd82f17-a6a4-58b2-a600-7e98bc2eed68"
+ id = "402711af-c543-5c95-ae9e-e663825b6653"
 date = "2023-12-24"
 modified = "2023-12-26"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_berbew_strings_dec_2023.yar#L1-L19"
 license_url = "N/A"
 hash = "24dc0af3c51118697df999d8bffcdfc9cbf0d07f2630473450dd826a1ae4b9ae"
- logic_hash = "v1_sha256_a7f687e749ec69961777063d52678461a8e288c80037fac051d7b1a5b568d9e8"
+ logic_hash = "a7f687e749ec69961777063d52678461a8e288c80037fac051d7b1a5b568d9e8"
 score = 75
 quality = 75
 tags = ""
@@ -219408,14 +219623,14 @@ rule EMBEERESEARCH_Win_Orcus_Rat_Simple_Strings_Dec_2023
 meta:
 description = "Strings observed in Orcus RAT"
 author = "Matthew @ Embee_Research"
- id = "e58d6ff9-9f74-5bb6-9ddd-d1be42c9c1ec"
+ id = "baef6b96-bf94-5363-9186-9761a8055afd"
 date = "2023-12-24"
 modified = "2023-12-24"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_orcus_rat_simple_strings_dec_2023.yar#L1-L26"
 license_url = "N/A"
 hash = "30a2a674d55d7898d304713dd2f69a043d875230ea7ebee22596ba4c640768db"
- logic_hash = "v1_sha256_2e0a44ec2749e0fc646dfb003a2d32b3fecfa07ece72ca5a65116250d80496b8"
+ logic_hash = "2e0a44ec2749e0fc646dfb003a2d32b3fecfa07ece72ca5a65116250d80496b8"
 score = 75
 quality = 75
 tags = ""
@@ -219440,7 +219655,7 @@ rule EMBEERESEARCH_Win_Njrat_Bytecodes_V2_Oct_2023
 meta:
 description = ""
 author = "Matthew @ Embee_Research"
- id = "eaf944b6-9bb9-5510-b81d-473a1d4e81e1"
+ id = "9090574e-7ad4-5207-af8b-7b56f2a1c917"
 date = "2023-10-03"
 modified = "2023-10-08"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219448,7 +219663,7 @@ rule EMBEERESEARCH_Win_Njrat_Bytecodes_V2_Oct_2023
 license_url = "N/A"
 hash = "9877fc613035d533feda6adc6848e183bf8c8660de3a34b1acd73c75e62e2823"
 hash = "40f07bdfb74e61fe7d7973bcd4167ffefcff2f8ba2ed6f82e9fcb5a295aaf113"
- logic_hash = "v1_sha256_0bdbf5715e3873d96c88a24ba08487af2b798d26cdcd3e35d783ce4828dae775"
+ logic_hash = "0bdbf5715e3873d96c88a24ba08487af2b798d26cdcd3e35d783ce4828dae775"
 score = 75
 quality = 75
 tags = ""
@@ -219468,7 +219683,7 @@ rule EMBEERESEARCH_Win_Pikabot_Resource_Entropy_Oct_2023
 meta:
 description = "Pikabot Loaders embedding encrypted inside of numerous png images"
 author = "Matthew @ Embee_Research"
- id = "0aeedec2-f960-506c-87da-94a4964f72be"
+ id = "253d35ae-a325-51c7-8da5-32bb46c51acd"
 date = "2023-10-03"
 modified = "2023-10-08"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219483,7 +219698,7 @@ rule EMBEERESEARCH_Win_Pikabot_Resource_Entropy_Oct_2023
 hash = "951c906a1fa179050d30c06849d42e49a295dd1baad91efb244b2e5486b5801d"
 hash = "a06bd2623c389f2547d0bf750ca720ab7a74c90982267aad49ba31d5de345288"
 hash = "aeb2bf8898636b572b0703d9ddb90b9a4c5c6db9eee631ee726ad753f197ac12"
- logic_hash = "v1_sha256_7beec034fc927990734691bd6859870921027860c0591c7a0d5a3815f919112d"
+ logic_hash = "7beec034fc927990734691bd6859870921027860c0591c7a0d5a3815f919112d"
 score = 75
 quality = 50
 tags = ""
@@ -219503,7 +219718,7 @@ rule EMBEERESEARCH_Win_Njrat_Bytecodes_Oct_2023
 meta:
 description = ""
 author = "Matthew @ Embee_Research"
- id = "d9ead83d-015f-5a17-a32b-03c068b11a0e"
+ id = "9e39587a-e878-5f99-806f-e9964952f0ac"
 date = "2023-10-03"
 modified = "2023-10-03"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219512,7 +219727,7 @@ rule EMBEERESEARCH_Win_Njrat_Bytecodes_Oct_2023
 hash = "59d6e2958780d15131c102a93fefce6e388e81da7dc78d9c230aeb6cab7e3474"
 hash = "4c56ade4409add1d78eac3b202a9fbd6afbd71878c31f798026082467ace2628"
 hash = "d5a78790a1b388145424327e78f019584466d30d2d450bba832c0128aa3cd274"
- logic_hash = "v1_sha256_7df39219e2f2da55e461b1536e92ab125d488a048e41daaaa1fb9516be395d10"
+ logic_hash = "7df39219e2f2da55e461b1536e92ab125d488a048e41daaaa1fb9516be395d10"
 score = 75
 quality = 75
 tags = ""
@@ -219528,7 +219743,7 @@ rule EMBEERESEARCH_Win_Mystic_Stealer_Bytecodes_Sep_2023
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "Matthew @ Embee_reserch"
- id = "1f732dff-6181-5981-a96f-ff972c23a24c"
+ id = "ef7c51e1-9c8c-5b66-bc1e-f35a796c84f2"
 date = "2023-09-21"
 modified = "2023-11-12"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
@@ -219537,7 +219752,7 @@ rule EMBEERESEARCH_Win_Mystic_Stealer_Bytecodes_Sep_2023
 hash = "ef9fce75334befe0b435798c0b61dab1239ea5bc62b97654943676dd96dc6318"
 hash = "36d8cb1447e2c5da60d2b86bf29856919c25f8e71a17f1d0d61d03c5e0505e4b"
 hash = "e907c22288dacb37efa07481fef7a0d4ec0ce42954f12b2572ea7f5ffeecf313"
- logic_hash = "v1_sha256_f68b6ef307e48b7ff6f944cfcf9c906a83611400af5af7d8621227874356960d"
+ logic_hash = "f68b6ef307e48b7ff6f944cfcf9c906a83611400af5af7d8621227874356960d"
 score = 75
 quality = 75
 tags = ""
@@ -219565,13 +219780,13 @@ rule EMBEERESEARCH_Win_Ursnif_Patterns_Oct_2022
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "Embee_Research @ Huntress"
- id = "9735d647-6338-530b-acee-220bee5cac12"
+ id = "2c8da2b7-63f2-5cce-86ab-8a88f50d0263"
 date = "2022-10-14"
 modified = "2023-06-14"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_ursnif_patterns_oct_2022.yar#L1-L14"
 license_url = "N/A"
- logic_hash = "v1_sha256_241804ea3b7ac98071c533d9a98a45cdd0f7043f11994327c1f79e29f5fdce2c"
+ logic_hash = "241804ea3b7ac98071c533d9a98a45cdd0f7043f11994327c1f79e29f5fdce2c"
 score = 75
 quality = 75
 tags = ""
@@ -219588,14 +219803,14 @@ rule EMBEERESEARCH_Win_Medusa_Bytecodes
 meta:
 description = "Medusa Bytecodes"
 author = "Matthew @ Embee_Research"
- id = "fce19b52-749e-55da-9150-1c9dc7a909ff"
+ id = "48b659f8-cd26-540a-89b6-6349f8d21e8f"
 date = "2023-08-27"
 modified = "2024-03-03"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_medusa_dotnet_bytecodes.yar#L1-L17"
 license_url = "N/A"
 hash = "a1211549b4e1a7befd953d03b4d929b3dc9f25ec6c1bc9c05ae92a0ec08fb77c"
- logic_hash = "v1_sha256_aa01afd6981af99625a9fca93e512cc00931aca18e55c5cb6dee11efb9ea2968"
+ logic_hash = "aa01afd6981af99625a9fca93e512cc00931aca18e55c5cb6dee11efb9ea2968"
 score = 75
 quality = 75
 tags = ""
@@ -219612,14 +219827,14 @@ rule EMBEERESEARCH_Win_Marsstealer_Encryption_Bytecodes
 meta:
 description = "Encryption observed in MarsStealer"
 author = "Matthew @ Embee_Research"
- id = "5fee994d-1b16-523f-8392-0753146a4134"
+ id = "7a66ea9c-966e-5780-8b36-a268904b9c1b"
 date = "2023-12-24"
 modified = "2023-12-24"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_marsStealer_encryption_bytecodes_dec_2023.yar#L1-L16"
 license_url = "N/A"
 hash = "7a391340b6677f74bcf896b5cc16a470543e2a384049df47949038df5e770df1"
- logic_hash = "v1_sha256_49ffde28c8823c00959ddbaa516fc48c7908b533c8f91608b0e3a645045c9048"
+ logic_hash = "49ffde28c8823c00959ddbaa516fc48c7908b533c8f91608b0e3a645045c9048"
 score = 75
 quality = 75
 tags = ""
@@ -219635,13 +219850,13 @@ rule EMBEERESEARCH_Win_Cobalt_Strike_Loader_Shellcode_Jun_2023 : FILE
 meta:
 description = "Detection of an encoder observed with Cobalt Strike shellcode"
 author = "Matthew @ Embee_research"
- id = "04396c3c-1662-5d20-9d91-e1c29ec9b39e"
+ id = "ea52b9e7-f2bd-5c9f-9ee1-506baa48be84"
 date = "2023-07-03"
 modified = "2023-07-03"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/win_cobalt_shellcode_encoder_jun_2023.yar#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_42b4b9ab681f3164168de84e76bcd8161865fa9e5871d70a6de534b23896e4f0"
+ logic_hash = "42b4b9ab681f3164168de84e76bcd8161865fa9e5871d70a6de534b23896e4f0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219660,13 +219875,13 @@ rule EMBEERESEARCH_Win_Emotet_String_Patterns_Oct_2022 : FILE
 meta:
 description = "Detection of string hashing routines observed in emotet"
 author = "Embee_Research @ HuntressLabs"
- id = "2ccc7cea-2738-589a-a1ed-f8a5aaf5b8ca"
+ id = "fd9c3133-95dc-5dd8-9e94-ed85ad8e1fc7"
 date = "2022-10-14"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_emotet_string_patterns_oct_2022.yar#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_36f4a3fed124b8c25711f706c5b4f1c9b0801c2105cf86077b8c002dd70a6fbc"
+ logic_hash = "36f4a3fed124b8c25711f706c5b4f1c9b0801c2105cf86077b8c002dd70a6fbc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219685,13 +219900,13 @@ rule EMBEERESEARCH_Win_Qakbot_String_Decrypt_Nov_2022 : FILE
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "Embee_Research @ Huntress"
- id = "8e39d71d-e48d-50c1-baed-0eb3aae40ea5"
+ id = "0023872f-8edb-59d6-88eb-a76528ba6ec8"
 date = "2022-11-14"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_qakbot_string_decrypt_nov_2022.yar#L1-L15"
 license_url = "N/A"
- logic_hash = "v1_sha256_d225f69fa4dd0e8d7c98e7f8968ad285f05b232225e9ce1070b7a23257a0ef9d"
+ logic_hash = "d225f69fa4dd0e8d7c98e7f8968ad285f05b232225e9ce1070b7a23257a0ef9d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219707,13 +219922,13 @@ rule EMBEERESEARCH_Win_Gracewire_Loader_Dec_2022 : FILE
 meta:
 description = "Yara rule to detect GraceWireLoader via usage of Stack Strings"
 author = "Embee_Research @ Huntress"
- id = "b0e902ed-69df-54ed-96ad-0a317d226f87"
+ id = "63d0cd9f-34f7-5ec4-8061-66d36859bd0c"
 date = "2022-12-12"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_gracewire_loader_dec_2022.yar#L2-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_168af6d24c0646e90717f27e6ba4a18da8e92950ffa7a881243860305037da48"
+ logic_hash = "168af6d24c0646e90717f27e6ba4a18da8e92950ffa7a881243860305037da48"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219732,13 +219947,13 @@ rule EMBEERESEARCH_Win_Bruteratel_Syscall_Hashes_Oct_2022 : FILE
 meta:
 description = "Detection of Brute Ratel Badger via api hashes of Nt* functions. "
 author = "Embee_Research @ Huntress"
- id = "bb4cdbdb-9bfa-5e23-ba4a-341dd2bfd0d9"
+ id = "b82612b4-272e-5ae2-bd87-3593e55918f8"
 date = "2022-10-12"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_bruteratel_syscall_hashes_oct_2022.yar#L1-L23"
 license_url = "N/A"
- logic_hash = "v1_sha256_e284d5568e0b5ffa0f231f98ecce13b5f5518a4e005ea001a5c89087c91eb8a1"
+ logic_hash = "e284d5568e0b5ffa0f231f98ecce13b5f5518a4e005ea001a5c89087c91eb8a1"
 score = 60
 quality = 25
 tags = "FILE"
@@ -219758,13 +219973,13 @@ rule EMBEERESEARCH_Win_Icedid_Encryption_Oct_2022 : FILE
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "Embee_Research @ Huntress"
- id = "92d59584-7ddc-5b43-8ab5-8740bcd8002a"
+ id = "1ecbb3b3-dfc1-5d69-807d-3a44c39a3536"
 date = "2022-10-14"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_icedid_encryption_oct_2022.yar#L1-L18"
 license_url = "N/A"
- logic_hash = "v1_sha256_da657cf87e043a1fdb2ec683de8a7a12acb8c8f1c24034bb376d525c0a1c5740"
+ logic_hash = "da657cf87e043a1fdb2ec683de8a7a12acb8c8f1c24034bb376d525c0a1c5740"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219780,13 +219995,13 @@ rule EMBEERESEARCH_Win_Nighthawk_Nov_2022 : FILE
 meta:
 description = "Experimental Yara rule for patterns observed in Nighthawk"
 author = "Embee_Research @ Huntress"
- id = "2c303027-da31-5af5-aced-16fe552fbccc"
+ id = "853b0623-ea35-5055-90d0-bb2b5aea8ecd"
 date = "2022-11-23"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_nighthawk_nov_2022.yar#L1-L100"
 license_url = "N/A"
- logic_hash = "v1_sha256_ef39067c12396db1de2feb560ff5628cbb3126e34e6318e88bdb08f6eb7940fb"
+ logic_hash = "ef39067c12396db1de2feb560ff5628cbb3126e34e6318e88bdb08f6eb7940fb"
 score = 50
 quality = 67
 tags = "FILE"
@@ -219831,13 +220046,13 @@ rule EMBEERESEARCH_Win_Qakbot_Api_Hashing_Oct_2022 : FILE
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "@Embee_Research"
- id = "d3650228-9c96-5be7-8946-df4976aca40a"
+ id = "b5478404-659d-5b3a-b722-f8ba33875d8a"
 date = "2022-11-14"
 modified = "2022-12-01"
 reference = "https://twitter.com/embee_research/status/1592067841154756610"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_qakbot_api_hashing_oct_2022.yar#L2-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_595cabd508ee60c5606f965eb9a290ae21ea32af0f56e213f6ce2d2e35dc4e11"
+ logic_hash = "595cabd508ee60c5606f965eb9a290ae21ea32af0f56e213f6ce2d2e35dc4e11"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219854,13 +220069,13 @@ rule EMBEERESEARCH_Win_Havoc_Djb2_Hashing_Routine_Oct_2022 : FILE
 meta:
 description = "No description has been set in the source file - EmbeeResearch"
 author = "embee_research @ HuntressLabs"
- id = "2bc00be0-edc0-5728-865f-9e6cac78dbdd"
+ id = "cde3e14f-0671-5bcf-93e8-e0a0af9b462c"
 date = "2022-10-11"
 modified = "2023-10-18"
 reference = "https://github.com/embee-research/Yara-detection-rules/"
 source_url = "https://github.com/embee-research/Yara-detection-rules//blob/ac56d6f6fd2a30c8cb6e5c0455d6519210a8b0f4/Rules/2022/win_havoc_djb2_hashing_routine_oct_2022.yar#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_9f645480c3d78153186a247440739a1d2e627ec64a4225083bd8db4ad9bd5ef3"
+ logic_hash = "9f645480c3d78153186a247440739a1d2e627ec64a4225083bd8db4ad9bd5ef3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -219877,7 +220092,7 @@ rule EMBEERESEARCH_Win_Havoc_Djb2_Hashing_Routine_Oct_2022 : FILE
 * YARA Rule Set
 * Repository Name: AvastTI
 * Repository: https://github.com/avast/ioc
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: c696ec4bc17b1d41d5585d40ccf476f445b4a3de
 * Number of Rules: 33
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -219892,13 +220107,13 @@ private rule AVASTTI_EXE_PRIVATE : FILE
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "69b37032-9cce-58c3-891a-a3977b4b4040"
+ id = "1096b81d-5853-5d19-b502-c8166b712a3d"
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/Manjusaka/Manjusaka.yar#L9-L13"
 license_url = "N/A"
- logic_hash = "v1_sha256_0688672446142f95a22e49a04234cc90b6c9021efeda9ce57034c88d84944663"
+ logic_hash = "0688672446142f95a22e49a04234cc90b6c9021efeda9ce57034c88d84944663"
 score = 75
 quality = 90
 tags = "FILE"
@@ -219911,13 +220126,13 @@ private rule AVASTTI_ELF_PRIVATE
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "74b86d32-88a1-5b8c-b61e-222d1a823e52"
+ id = "38aa7852-e7ea-5b90-a5f6-0862ad19a051"
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/Manjusaka/Manjusaka.yar#L1-L7"
 license_url = "N/A"
- logic_hash = "v1_sha256_eb05e5d53bb8dea91467a76a164542894cdb1355cf3909f56818e27c589344ec"
+ logic_hash = "eb05e5d53bb8dea91467a76a164542894cdb1355cf3909f56818e27c589344ec"
 score = 75
 quality = 90
 tags = ""
@@ -219933,7 +220148,7 @@ rule AVASTTI_Manjusaka_Framework_Go_Build_Id
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "a8015382-2c43-582c-aa34-c459667d47fd"
+ id = "eca3324c-c029-53b5-b33d-9ec758dcd863"
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
@@ -219952,7 +220167,7 @@ rule AVASTTI_Manjusaka_Framework_Go_Build_Id
 hash = "4a0f47132867c12a6d009e43812729a1bb41f4eb83472ac352fc5b20fe937bef"
 hash = "bb1b7d506559c783ed747da461f58ea5256ba0a083768ae6aa1a2325017c4387"
 hash = "bd0e09e9ee4db74ada6433f00024a543f799046c15f635216ca4ae5e1f0c42e2"
- logic_hash = "v1_sha256_de68bc483255c9c1095771925a7c2fc3062489a4468d42e7c6aa9f0146841c5c"
+ logic_hash = "de68bc483255c9c1095771925a7c2fc3062489a4468d42e7c6aa9f0146841c5c"
 score = 75
 quality = 88
 tags = ""
@@ -219980,13 +220195,13 @@ rule AVASTTI_Manjusaka_Payload_Encoded_Hexstring
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "87f702ab-3675-569c-a64e-fb3ad231c856"
+ id = "9799081c-67ec-5ab8-9b23-31f60c05fc05"
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/Manjusaka/Manjusaka.yar#L64-L93"
 license_url = "N/A"
- logic_hash = "v1_sha256_5c0b83e709baea7db6185d888bfa10bab073eb0eb2f3fb72df2da76fff3f6f22"
+ logic_hash = "5c0b83e709baea7db6185d888bfa10bab073eb0eb2f3fb72df2da76fff3f6f22"
 score = 75
 quality = 90
 tags = ""
@@ -220010,7 +220225,7 @@ rule AVASTTI_Manjusaka_Payload_Elf
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "e2491acc-b103-58fc-b7dc-e110ec603cad"
+ id = "010398f6-ca9b-58b4-a9d8-12428f649ffc"
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
@@ -220022,7 +220237,7 @@ rule AVASTTI_Manjusaka_Payload_Elf
 hash = "63e7f6fa89faa88b346d0cceddf2ef2e3ebf5d5828aa0087663c227422041db7"
 hash = "400855b63b8452221869630c58b7ab03373dabf77c0f10df635e746c13f98ea9"
 hash = "4eb337c12f0e0ee73b3209bed4b819719c4af9f63f3e81dbc3bbf06212450f1c"
- logic_hash = "v1_sha256_bbc496788381b57b3ea2814dd61a824d552233f9c5f73287f8bc284252fbedfe"
+ logic_hash = "bbc496788381b57b3ea2814dd61a824d552233f9c5f73287f8bc284252fbedfe"
 score = 75
 quality = 90
 tags = ""
@@ -220046,7 +220261,7 @@ rule AVASTTI_Manjusaka_Payload_Mz
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "8d29574d-4b61-5331-bd68-226e48b567c5"
+ id = "808fe840-27e2-5361-b97a-4b04e6d8f7da"
 date = "2022-10-05"
 modified = "2022-10-05"
 reference = "https://github.com/avast/ioc"
@@ -220061,7 +220276,7 @@ rule AVASTTI_Manjusaka_Payload_Mz
 hash = "51857882d1202e72c0cf18ff21de773c2a31ee68ff28385f968478401c5ab4bb"
 hash = "e07aa10f19574a856a4ac389a3ded96f2d78f41f939935dd678811bd12b5bd03"
 hash = "9e7144540430d97de38a2adcef16ad43e23c91281462b135fcc56cafc2f34160"
- logic_hash = "v1_sha256_81b01eff8384707ce67f6d888e59e690d7fb7b4e32359043ced9230499813aa7"
+ logic_hash = "81b01eff8384707ce67f6d888e59e690d7fb7b4e32359043ced9230499813aa7"
 score = 60
 quality = 50
 tags = ""
@@ -220092,13 +220307,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Dns_Stager_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "03df1c25-bb01-5f85-a84d-c8d9da2777df"
+ id = "817c4a72-7be1-5a58-987d-fe203d7778ea"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L1-L26"
 license_url = "N/A"
- logic_hash = "v1_sha256_d447fac16f0a712b1c264bc83b4cf2e56e5e98b369617799b981cd75b37c3511"
+ logic_hash = "d447fac16f0a712b1c264bc83b4cf2e56e5e98b369617799b981cd75b37c3511"
 score = 75
 quality = 90
 tags = ""
@@ -220114,13 +220329,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Smb_Stager_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "1e13c697-bbae-59b2-80c4-fd5410fe5d5e"
+ id = "29911a14-08ea-54de-9c07-630c6516bd49"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L28-L57"
 license_url = "N/A"
- logic_hash = "v1_sha256_7459bcb0353f114a869aa61adc0229197ca9a1cfce0741dc227fabbeea2afba9"
+ logic_hash = "7459bcb0353f114a869aa61adc0229197ca9a1cfce0741dc227fabbeea2afba9"
 score = 75
 quality = 90
 tags = ""
@@ -220136,13 +220351,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "6d643f41-9c89-5520-a6a4-5e1f05d3783e"
+ id = "ec0a9e27-3650-5393-a93b-2a461b9a0e29"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L59-L96"
 license_url = "N/A"
- logic_hash = "v1_sha256_5c56e1f1d85375f19b6085b3d4654d2d1ba38d3dfcfea66707ca8957a6ed7bf8"
+ logic_hash = "5c56e1f1d85375f19b6085b3d4654d2d1ba38d3dfcfea66707ca8957a6ed7bf8"
 score = 75
 quality = 90
 tags = ""
@@ -220158,13 +220373,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X64
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "83e4a899-a055-50a5-b659-e59708554cd9"
+ id = "3575408a-3309-5723-a49a-9c2088d43de9"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L98-L133"
 license_url = "N/A"
- logic_hash = "v1_sha256_a803a9c76142ccadda5f5c8f6abf78ac9a60523576edf62f4a1600556f4b6261"
+ logic_hash = "a803a9c76142ccadda5f5c8f6abf78ac9a60523576edf62f4a1600556f4b6261"
 score = 75
 quality = 90
 tags = ""
@@ -220180,13 +220395,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "71231dd3-28e8-5698-8470-69e049191651"
+ id = "ac824189-614d-5bff-9bbb-a4244cace563"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L135-L164"
 license_url = "N/A"
- logic_hash = "v1_sha256_c20de49c3225a7aed8460d0e3cc3bce715c8746fb4313a2faf9da3c8d1d87387"
+ logic_hash = "c20de49c3225a7aed8460d0e3cc3bce715c8746fb4313a2faf9da3c8d1d87387"
 score = 75
 quality = 90
 tags = ""
@@ -220202,13 +220417,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X64
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "9fe50c32-90ac-5c3c-936e-e9223cee472b"
+ id = "21151a9c-1d15-514f-b33b-c9eff08463fb"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L166-L195"
 license_url = "N/A"
- logic_hash = "v1_sha256_58ae5351bac70ab9530cb033d1f6bb90acb6b66df395d59a55d221ef2a2e5dcf"
+ logic_hash = "58ae5351bac70ab9530cb033d1f6bb90acb6b66df395d59a55d221ef2a2e5dcf"
 score = 75
 quality = 90
 tags = ""
@@ -220224,13 +220439,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "5a42c801-1d0e-5d78-9e35-517c0ff570af"
+ id = "01f89b14-55f2-5a5e-b0d5-6bca609621fe"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L197-L232"
 license_url = "N/A"
- logic_hash = "v1_sha256_d3c74ff363d113d25d9ecca114dd0872487e713a978da4f94f3cccc2e92943ff"
+ logic_hash = "d3c74ff363d113d25d9ecca114dd0872487e713a978da4f94f3cccc2e92943ff"
 score = 75
 quality = 90
 tags = ""
@@ -220246,13 +220461,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X64
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "68c1ce16-6fe4-53b0-b9a3-6af6b3f21913"
+ id = "7eeeb2a1-4903-5649-ae30-fd43367ab468"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L234-L263"
 license_url = "N/A"
- logic_hash = "v1_sha256_a89a8e25d894bf7e5c4a10e2a14b78a52543e42fb185667db9f9548f52ef58bf"
+ logic_hash = "a89a8e25d894bf7e5c4a10e2a14b78a52543e42fb185667db9f9548f52ef58bf"
 score = 75
 quality = 90
 tags = ""
@@ -220268,13 +220483,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "1b407e3f-902a-5cba-ba4b-1af5715bac5e"
+ id = "f1d7e939-92b5-5441-8014-b2390854d059"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L266-L303"
 license_url = "N/A"
- logic_hash = "v1_sha256_c168b6f2ce35e57cd4c572ce40652261df7af7900beab7ffcdae58113cad88c0"
+ logic_hash = "c168b6f2ce35e57cd4c572ce40652261df7af7900beab7ffcdae58113cad88c0"
 score = 75
 quality = 90
 tags = ""
@@ -220290,13 +220505,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X64
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "6b11e3fb-8a57-5cd2-a255-6a3d339751d5"
+ id = "5f9c7426-63be-5049-91fc-63b5c29618bd"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L306-L337"
 license_url = "N/A"
- logic_hash = "v1_sha256_cb36d75efcd0e76bf96793863d1aa5145237ec3ce5c7195e679f2e1019d5bbab"
+ logic_hash = "cb36d75efcd0e76bf96793863d1aa5145237ec3ce5c7195e679f2e1019d5bbab"
 score = 75
 quality = 90
 tags = ""
@@ -220312,13 +220527,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Dns_Stager_X86_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "bf151d9a-d06d-5592-8438-9c7b12b9de23"
+ id = "d148ca33-b233-519d-8ba4-d389de721d15"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L339-L354"
 license_url = "N/A"
- logic_hash = "v1_sha256_3519d2af99a159483ba22cd87907bcc87bea1cfc2fb92f5f0334fff1c385ef00"
+ logic_hash = "3519d2af99a159483ba22cd87907bcc87bea1cfc2fb92f5f0334fff1c385ef00"
 score = 75
 quality = 90
 tags = ""
@@ -220334,13 +220549,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Smb_Stager_X86_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "02172e3b-73b2-58b5-97aa-32f2a848715a"
+ id = "d88e050f-9e6c-5349-b809-ad7dc25a79b9"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L356-L373"
 license_url = "N/A"
- logic_hash = "v1_sha256_74c50e1c989167ea6d9309e2b53629c7103484faa809a80e90b7d5c318b2370c"
+ logic_hash = "74c50e1c989167ea6d9309e2b53629c7103484faa809a80e90b7d5c318b2370c"
 score = 75
 quality = 90
 tags = ""
@@ -220356,13 +220571,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X86_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "edb204c1-868c-5b0b-9318-8cc43a283fcf"
+ id = "7f17985d-b245-5e95-9b35-af669aafc263"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L375-L396"
 license_url = "N/A"
- logic_hash = "v1_sha256_2c5ac98ffbea197d14cd6e508729885b5f86adbace0a6d978664908e070965cf"
+ logic_hash = "2c5ac98ffbea197d14cd6e508729885b5f86adbace0a6d978664908e070965cf"
 score = 75
 quality = 90
 tags = ""
@@ -220378,13 +220593,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Bind_X64_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "9fa4a505-b61e-564d-bced-fb09fe0ebeb3"
+ id = "bd52fb44-379a-5c82-9c7c-b10c8080b53f"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L398-L418"
 license_url = "N/A"
- logic_hash = "v1_sha256_cdd8e0c9bdaf8d7662a118964abdea8eaea6c0e17fe1f20a80497c0c43d496d6"
+ logic_hash = "cdd8e0c9bdaf8d7662a118964abdea8eaea6c0e17fe1f20a80497c0c43d496d6"
 score = 75
 quality = 90
 tags = ""
@@ -220400,13 +220615,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X86_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "e4527d35-5a11-54e5-8ea1-3016a257c9f5"
+ id = "321c1f3f-b7fc-5408-b460-6aa4423d381c"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L420-L437"
 license_url = "N/A"
- logic_hash = "v1_sha256_5495405ef3a54c960cf27147dce0d25cb298fee84a99415b59bc548c4f64a1e6"
+ logic_hash = "5495405ef3a54c960cf27147dce0d25cb298fee84a99415b59bc548c4f64a1e6"
 score = 75
 quality = 90
 tags = ""
@@ -220422,13 +220637,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Tcp_Reverse_X64_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "b1953a76-ecd1-5587-b0b4-7440fb240348"
+ id = "1cc2494c-1f39-5a72-93af-c267eaf768fe"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L439-L456"
 license_url = "N/A"
- logic_hash = "v1_sha256_d7e8fe5d2e07b7a85fadaa432bf345231ac4ddac5458167431403ddfe05467fc"
+ logic_hash = "d7e8fe5d2e07b7a85fadaa432bf345231ac4ddac5458167431403ddfe05467fc"
 score = 75
 quality = 90
 tags = ""
@@ -220444,13 +220659,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X86_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "dc5738d2-395a-544e-a8ce-4f836b3f18d1"
+ id = "c1602e85-5b42-5005-a6d1-7140cb57a3c7"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L458-L478"
 license_url = "N/A"
- logic_hash = "v1_sha256_b6e19ee9141aa22d73de6d8145257eba7b3b2bb2edc0996591085c84f242ec87"
+ logic_hash = "b6e19ee9141aa22d73de6d8145257eba7b3b2bb2edc0996591085c84f242ec87"
 score = 75
 quality = 90
 tags = ""
@@ -220466,13 +220681,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Http_Stager_X64_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "33984e6a-ed78-5c32-b560-83e89f736f08"
+ id = "78672e3b-6f76-573a-8a9a-610334baa389"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L480-L497"
 license_url = "N/A"
- logic_hash = "v1_sha256_f88378749f0da0c66d66b917eeb11a56f083bb487c19c22a230dee4f50e1e309"
+ logic_hash = "f88378749f0da0c66d66b917eeb11a56f083bb487c19c22a230dee4f50e1e309"
 score = 75
 quality = 90
 tags = ""
@@ -220488,13 +220703,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X86_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "05d2479e-ab75-5ab5-82cd-55a8582b6e5a"
+ id = "dcd3e5c8-7626-5a78-9f90-7a8e67311d90"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L499-L520"
 license_url = "N/A"
- logic_hash = "v1_sha256_5003ebd545182bb105cdcaaac2105a92cdd99a0178c24eb5ae2888232897aeb5"
+ logic_hash = "5003ebd545182bb105cdcaaac2105a92cdd99a0178c24eb5ae2888232897aeb5"
 score = 75
 quality = 90
 tags = ""
@@ -220510,13 +220725,13 @@ rule AVASTTI_Cobaltstrike_Raw_Payload_Https_Stager_X64_Utf16
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "74a273f2-8333-50ce-8b61-93e2ba570fa3"
+ id = "aa93dd56-9589-5958-9711-ca2f9c763665"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L522-L540"
 license_url = "N/A"
- logic_hash = "v1_sha256_dee3eb3353da0179c58a33c3be0af6ad1e6aa9f13e9e6b9821c94f11d209266f"
+ logic_hash = "dee3eb3353da0179c58a33c3be0af6ad1e6aa9f13e9e6b9821c94f11d209266f"
 score = 75
 quality = 90
 tags = ""
@@ -220532,13 +220747,13 @@ rule AVASTTI_Cobaltstrike_Payload_Encoded
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "6274d8aa-f907-5084-a60d-1349c1c38ff4"
+ id = "b5176740-2dda-5e5d-8c0f-47a27846753d"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L542-L593"
 license_url = "N/A"
- logic_hash = "v1_sha256_03c650b3c1797c03c635e25ea9d1d4589c6a4b31da0a3e48631fa16d0e3a342b"
+ logic_hash = "03c650b3c1797c03c635e25ea9d1d4589c6a4b31da0a3e48631fa16d0e3a342b"
 score = 75
 quality = 68
 tags = ""
@@ -220577,13 +220792,13 @@ rule AVASTTI_Cobaltstrike_Strike_Payload_Xored
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "0e118a1c-64e2-55ea-bcf6-54cc4e09ab13"
+ id = "0e075644-e278-5c5b-bdcc-dc2d6a32ce73"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L595-L613"
 license_url = "N/A"
- logic_hash = "v1_sha256_532cf38554ad7211fab74d050007f6fe8d63c20e05f21a6737fff12ac92a81d7"
+ logic_hash = "532cf38554ad7211fab74d050007f6fe8d63c20e05f21a6737fff12ac92a81d7"
 score = 75
 quality = 90
 tags = ""
@@ -220599,13 +220814,13 @@ rule AVASTTI_Cobaltstrike_Beacon_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "69ce47ef-9ad9-5f88-8421-018f1e80a9b6"
+ id = "6ffaafe6-2758-53e4-b5b8-6d8350baf428"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L615-L632"
 license_url = "N/A"
- logic_hash = "v1_sha256_e6328aae5954ac8e3914e65603813ba4f11d97ff91d08a1398e1f71740879463"
+ logic_hash = "e6328aae5954ac8e3914e65603813ba4f11d97ff91d08a1398e1f71740879463"
 score = 75
 quality = 90
 tags = ""
@@ -220624,13 +220839,13 @@ rule AVASTTI_Cobaltstrike_Beacon_X64
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "b0ccdbed-429c-5c79-a16d-970596d4f248"
+ id = "5d6d86ec-9e05-5596-b623-30f44c6f44db"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L634-L651"
 license_url = "N/A"
- logic_hash = "v1_sha256_7abf5f9a337c60944a52efcc7a16a768652c46843d2da3df2f946dd6e63f9375"
+ logic_hash = "7abf5f9a337c60944a52efcc7a16a768652c46843d2da3df2f946dd6e63f9375"
 score = 75
 quality = 90
 tags = ""
@@ -220649,13 +220864,13 @@ rule AVASTTI_Cobaltstrike_Beacon_Encoded
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "55b773b0-701c-5442-aeb0-31388f68edc3"
+ id = "497e2a32-015a-5786-a6fa-de7084bfc389"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L653-L703"
 license_url = "N/A"
- logic_hash = "v1_sha256_f763c0c41a69c6bafb65517d20ef76242bf7b1626d6745d9a1c26772de3ffa26"
+ logic_hash = "f763c0c41a69c6bafb65517d20ef76242bf7b1626d6745d9a1c26772de3ffa26"
 score = 75
 quality = 68
 tags = ""
@@ -220694,13 +220909,13 @@ rule AVASTTI_Cobaltstrike_Beacon_Xored_X86
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "88375a9c-2c06-5155-a717-6865af828bcc"
+ id = "d93c20e6-3e01-5132-88a0-63ace507cae9"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L705-L726"
 license_url = "N/A"
- logic_hash = "v1_sha256_1415c8ab5b4ddd6eb0f561b570358f04f967621dfc6274e0380879563b612c27"
+ logic_hash = "1415c8ab5b4ddd6eb0f561b570358f04f967621dfc6274e0380879563b612c27"
 score = 75
 quality = 90
 tags = ""
@@ -220718,13 +220933,13 @@ rule AVASTTI_Cobaltstrike_Beacon_Xored_X64
 meta:
 description = "No description has been set in the source file - AvastTI"
 author = "Avast Threat Intel Team"
- id = "5097999d-9da8-5a86-a56d-ee7aebbc97ef"
+ id = "15be610a-7552-5473-8da2-639220313783"
 date = "2021-07-08"
 modified = "2021-07-08"
 reference = "https://github.com/avast/ioc"
 source_url = "https://github.com/avast/ioc/blob/c696ec4bc17b1d41d5585d40ccf476f445b4a3de/CobaltStrike/yara_rules/cs_rules.yar#L728-L746"
 license_url = "N/A"
- logic_hash = "v1_sha256_11e6c8be28325d42f24fb5bb43c0b5fd35990a46857bae7c9940262a33c02a8c"
+ logic_hash = "11e6c8be28325d42f24fb5bb43c0b5fd35990a46857bae7c9940262a33c02a8c"
 score = 75
 quality = 90
 tags = ""
@@ -220740,7 +220955,7 @@ rule AVASTTI_Cobaltstrike_Beacon_Xored_X64
 * YARA Rule Set
 * Repository Name: SBousseaden
 * Repository: https://github.com/sbousseaden/YaraHunts/
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 71b27a2a7c57c2aa1877a11d8933167794e2b4fb
 * Number of Rules: 36
 * Skipped: 0 (age), 4 (quality), 0 (score), 0 (importance)
@@ -220755,13 +220970,13 @@ rule SBOUSSEADEN_Infinityhook : FILE
 meta:
 description = "Infinityhook is a legit research PoC to hook NT Syscalls bypassing PatchGuard"
 author = "SBousseaden"
- id = "8345e51b-8b86-5003-95b2-a5c6f60ec52a"
+ id = "82f4eef2-fca7-58b1-a85c-3c237f523740"
 date = "2020-09-07"
 modified = "2020-07-10"
 reference = "https://github.com/everdox/InfinityHook"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/infinityhook.yara#L1-L17"
 license_url = "N/A"
- logic_hash = "v1_sha256_c621ce3be8049de7584af73ca4472df5561d3c4ac8b458937db2ad68fdcbe2d8"
+ logic_hash = "c621ce3be8049de7584af73ca4472df5561d3c4ac8b458937db2ad68fdcbe2d8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -220780,14 +220995,14 @@ rule SBOUSSEADEN_APT_Solarwind_Backdoor_Encoded_Strings : FILE
 meta:
 description = "This rule is looking for some key encoded strings of the SUNBURST backdoor"
 author = "SBousseaden"
- id = "b59eea8e-cf77-5781-a5ae-c149380bca42"
+ id = "04a63bd6-9737-568f-a20e-c573b915cbd4"
 date = "2020-12-14"
 modified = "2020-12-18"
 reference = "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/apt_solarwinds_backdoor_encoded_strings.yara#L1-L28"
 license_url = "N/A"
 hash = "846e27a652a5e1bfbd0ddd38a16dc865"
- logic_hash = "v1_sha256_8808cca8d89f089a8bca5ef62c1764061c8210ba5f9813c886d6ed9f79579ba6"
+ logic_hash = "8808cca8d89f089a8bca5ef62c1764061c8210ba5f9813c886d6ed9f79579ba6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -220820,13 +221035,13 @@ rule SBOUSSEADEN_Zerlologon_Mimikatz : FILE
 meta:
 description = "Generic Hunting rule for Mimikatz Implementation of ZeroLogon PrivEsc Exploit"
 author = "SBousseaden"
- id = "c8c6955c-3204-597c-a6e0-4124490d90d4"
+ id = "0fd32f14-d82d-5af4-b4a2-b21e2325ade8"
 date = "2020-09-17"
 modified = "2020-09-17"
 reference = "https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20200916"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_mimikatz_zerologon.yar#L1-L19"
 license_url = "N/A"
- logic_hash = "v1_sha256_5b8d618e8e680acd4e5a9def4e3b56617080dec0c5787c3d6f948489346a6888"
+ logic_hash = "5b8d618e8e680acd4e5a9def4e3b56617080dec0c5787c3d6f948489346a6888"
 score = 50
 quality = 75
 tags = "FILE"
@@ -220850,13 +221065,13 @@ rule SBOUSSEADEN_Hunt_Common_Credit_Card_Memscrapper : FILE
 meta:
 description = "Hunting rule for possible CC data memory scrapper"
 author = "SBousseaden"
- id = "a515a2da-2057-5e49-8c61-770dd388ff91"
+ id = "f342535f-2236-5da0-8a4d-d7fecb7737b8"
 date = "2020-07-17"
 modified = "2020-07-18"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_creditcard_memscrap.yara#L1-L28"
 license_url = "N/A"
- logic_hash = "v1_sha256_983cc0c93dd19b32f729540dcc691b3a01ead8ed916e3ef5259456f5e25bd009"
+ logic_hash = "983cc0c93dd19b32f729540dcc691b3a01ead8ed916e3ef5259456f5e25bd009"
 score = 50
 quality = 75
 tags = "FILE"
@@ -220892,13 +221107,13 @@ rule SBOUSSEADEN_Shad0W_Beacon : FILE
 meta:
 description = "Shad0w beacon default suspicous strings"
 author = "SBousseaden"
- id = "5c8ee640-4ab7-512e-b7d9-69f0dd2aa686"
+ id = "e725172d-dd07-5027-ac85-86d366881856"
 date = "2020-06-04"
 modified = "2020-06-05"
 reference = "https://github.com/bats3c/shad0w"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/shad0w.yara#L3-L15"
 license_url = "N/A"
- logic_hash = "v1_sha256_9ea7cf72da0d93f607f58b61cc0fb5f3f114d4454101c69b08c59e6b61353550"
+ logic_hash = "9ea7cf72da0d93f607f58b61cc0fb5f3f114d4454101c69b08c59e6b61353550"
 score = 75
 quality = 73
 tags = "FILE"
@@ -220918,13 +221133,13 @@ rule SBOUSSEADEN_Susp_Winsvc_Upx : FILE
 meta:
 description = "broad hunt for any PE exporting ServiceMain API and upx packed"
 author = "SBousseaden"
- id = "4edbda1d-bfa4-5347-8837-1888cd606334"
+ id = "883691fe-3858-5177-97ca-122ff2ec54af"
 date = "2019-01-28"
 modified = "2020-06-05"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/susp_winsvc_upx.yara#L3-L13"
 license_url = "N/A"
- logic_hash = "v1_sha256_85b1932eaab4e559f0805aa76ad9b58553708391b3ac894a8e4f1cf34470dcb7"
+ logic_hash = "85b1932eaab4e559f0805aa76ad9b58553708391b3ac894a8e4f1cf34470dcb7"
 score = 65
 quality = 75
 tags = "FILE"
@@ -220942,13 +221157,13 @@ rule SBOUSSEADEN_TDL_Loader_Bootstrap_Shellcode : FILE
 meta:
 description = "No description has been set in the source file - SBousseaden"
 author = "SBousseaden"
- id = "ec42a3e5-6fd7-53c6-8177-1828775cbdf9"
+ id = "a2adedef-ba38-599f-b52c-e2156aa5ef98"
 date = "2020-10-10"
 modified = "2020-10-10"
 reference = "https://github.com/hfiref0x/TDL"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/tdl_loader_bootstrat_shellcode.yara#L1-L9"
 license_url = "N/A"
- logic_hash = "v1_sha256_14a993b415e330e284503c409ab66445c5e369a21ef0be37297d9c8946b5559b"
+ logic_hash = "14a993b415e330e284503c409ab66445c5e369a21ef0be37297d9c8946b5559b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -220965,13 +221180,13 @@ rule SBOUSSEADEN_Shad0W_Ldrloaddll_Hook : FILE
 meta:
 description = "Shad0w beacon LdrLoadDll hook"
 author = "SBousseaden"
- id = "51236b90-d180-5e3d-afd7-d751254f1d53"
+ id = "f9f75b96-2341-553f-b6ca-28d6cb9b880a"
 date = "2020-06-06"
 modified = "2020-06-07"
 reference = "https://github.com/bats3c/shad0w"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/shad0w_ldrhook.yara#L1-L13"
 license_url = "N/A"
- logic_hash = "v1_sha256_28e8ca9eee2377fd816dd3bd29e05f4146cea975e0ba5ec180073e10a49895e0"
+ logic_hash = "28e8ca9eee2377fd816dd3bd29e05f4146cea975e0ba5ec180073e10a49895e0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -220992,13 +221207,13 @@ rule SBOUSSEADEN_Susp_Msoffice_Addins_Wxll : FILE
 meta:
 description = "hunt for suspicious MS Office Addins with code injection capabilities"
 author = "SBousseaden"
- id = "4ab27ed2-ae38-5cda-a564-0c6576bc8089"
+ id = "39d3b2af-f848-51c0-a13b-13c0fe3a79dd"
 date = "2020-11-10"
 modified = "2023-03-27"
 reference = "https://twitter.com/JohnLaTwC/status/1315287078855352326"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_susp_msoffice_addins_wxll.yara#L3-L29"
 license_url = "N/A"
- logic_hash = "v1_sha256_130a0292b16e934311597d4f91456e6a605477e306a7b1d8171cc4e13794db31"
+ logic_hash = "130a0292b16e934311597d4f91456e6a605477e306a7b1d8171cc4e13794db31"
 score = 65
 quality = 75
 tags = "FILE"
@@ -221031,13 +221246,13 @@ rule SBOUSSEADEN_APT_Xdsspy_Xdupload : FILE
 meta:
 description = "No description has been set in the source file - SBousseaden"
 author = "SBousseaden"
- id = "ec56abdf-353a-5eca-b234-fa920b668d66"
+ id = "ae38d017-6420-596c-af29-62f15cfe56b8"
 date = "2020-05-10"
 modified = "2020-10-05"
 reference = "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/apt_xdspy_xdupload.yara#L1-L11"
 license_url = "N/A"
- logic_hash = "v1_sha256_648ea81d1b44d8514439683cf2f86a8027f9e1eb64abf76d42347fc2ce9c4e68"
+ logic_hash = "648ea81d1b44d8514439683cf2f86a8027f9e1eb64abf76d42347fc2ce9c4e68"
 score = 75
 quality = 75
 tags = "FILE"
@@ -221055,7 +221270,7 @@ rule SBOUSSEADEN_Hunt_Slub_Backdoor : FILE
 meta:
 description = "No description has been set in the source file - SBousseaden"
 author = "SBousseaden"
- id = "5efb7960-db6f-5c9d-9490-df59e00f278c"
+ id = "c15d5f14-d17f-528b-bf85-e06a5e23518c"
 date = "2020-10-22"
 modified = "2020-10-22"
 reference = "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf"
@@ -221065,7 +221280,7 @@ rule SBOUSSEADEN_Hunt_Slub_Backdoor : FILE
 hash = "59e4510b7b15011d67eb2f80484589f7211e67756906a87ce466a7bb68f2095b"
 hash = "c7788c015244e12e4c8cc69a2b1344d589284c84102c2f1871bbb4f4c32c2936"
 hash = "6678a5964db74d477b39bd0a8c18adf02844bed8b112c7bcca6984032918bdfb"
- logic_hash = "v1_sha256_aa17dcfde1e2227ff04bda708d4c40c1e1f07b404d2c43582632d83c98d65e83"
+ logic_hash = "aa17dcfde1e2227ff04bda708d4c40c1e1f07b404d2c43582632d83c98d65e83"
 score = 50
 quality = 73
 tags = "FILE"
@@ -221090,13 +221305,13 @@ rule SBOUSSEADEN_Cve_2019_1458 : FILE
 meta:
 description = "No description has been set in the source file - SBousseaden"
 author = "SBousseaden"
- id = "beb61edf-a1ac-5130-9557-f57a12c77bfc"
+ id = "7bcbfccb-2db0-5438-9ed1-eee4c92710b6"
 date = "2020-10-23"
 modified = "2020-10-23"
 reference = "https://github.com/unamer/CVE-2019-1458"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_cve_2019_1458.yara#L1-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_8c5eac6b9fb9f87e0ffb219f0af8f83475799e062ed339da7a0525180292f5f2"
+ logic_hash = "8c5eac6b9fb9f87e0ffb219f0af8f83475799e062ed339da7a0525180292f5f2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -221126,13 +221341,13 @@ rule SBOUSSEADEN_Mem_Webcreds_Regexp_Xor
 meta:
 description = "No description has been set in the source file - SBousseaden"
 author = "SBousseaden"
- id = "3ac2971d-619b-5bb7-a9a6-ffd06e0f98d1"
+ id = "38087b99-5f64-58c0-b3dc-51c7981912e7"
 date = "2020-03-08"
 modified = "2020-12-28"
 reference = "https://github.com/orlyjamie/mimikittenz/blob/master/Invoke-mimikittenz.ps1"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L3-L22"
 license_url = "N/A"
- logic_hash = "v1_sha256_0ecc15dd51807ccd1c35b5a6152aa16714d8a14889524163a421f79becd6a775"
+ logic_hash = "0ecc15dd51807ccd1c35b5a6152aa16714d8a14889524163a421f79becd6a775"
 score = 60
 quality = 45
 tags = ""
@@ -221159,13 +221374,13 @@ rule SBOUSSEADEN_Webcreds_Regexp_B64
 meta:
 description = "No description has been set in the source file - SBousseaden"
 author = "SBousseaden"
- id = "20ac2adc-b36a-5e7e-8049-34da45796dcc"
+ id = "85283a81-5bc3-5e3f-89f6-bcc1f40f3dc2"
 date = "2020-03-08"
 modified = "2020-12-28"
 reference = "https://github.com/orlyjamie/mimikittenz/blob/master/Invoke-mimikittenz.ps1"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L24-L43"
 license_url = "N/A"
- logic_hash = "v1_sha256_432c812177a50c50d08feb88a1293ecb625b9b0aa6a839789da150255bc83228"
+ logic_hash = "432c812177a50c50d08feb88a1293ecb625b9b0aa6a839789da150255bc83228"
 score = 75
 quality = 75
 tags = ""
@@ -221192,13 +221407,13 @@ rule SBOUSSEADEN_Adsync_Creddump_Wide
 meta:
 description = "AD Connect Sync Credential Extract"
 author = "SBousseaden"
- id = "01f73156-ef6d-5272-9a42-8d60550b0582"
+ id = "ccbfa79a-924b-512a-a9e9-005567b4fe83"
 date = "2020-04-08"
 modified = "2020-12-28"
 reference = "https://blog.xpnsec.com/azuread-connect-for-redteam/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L45-L67"
 license_url = "N/A"
- logic_hash = "v1_sha256_e8b0ff1fa9117a98799239d37c5a0ae8be25c2c2519c4fc2a1d7f085a9ebe2e1"
+ logic_hash = "e8b0ff1fa9117a98799239d37c5a0ae8be25c2c2519c4fc2a1d7f085a9ebe2e1"
 score = 75
 quality = 75
 tags = ""
@@ -221226,13 +221441,13 @@ rule SBOUSSEADEN_Adsync_Creddump_Xor
 meta:
 description = "Azure AdSync Service Account Password Dumping"
 author = "SBousseaden"
- id = "8fc06aa5-31b2-5433-9802-58d9dcb32cc0"
+ id = "e0d951ec-ec39-5f37-b5a8-ddd0b1dc588d"
 date = "2020-03-08"
 modified = "2020-12-28"
 reference = "https://blog.xpnsec.com/azuread-connect-for-redteam/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L69-L89"
 license_url = "N/A"
- logic_hash = "v1_sha256_831ed0410000ad9dfa7be2ab1f64a4130810465cf699bb3e45c93075db6fdb74"
+ logic_hash = "831ed0410000ad9dfa7be2ab1f64a4130810465cf699bb3e45c93075db6fdb74"
 score = 75
 quality = 75
 tags = ""
@@ -221259,13 +221474,13 @@ rule SBOUSSEADEN_Adsync_Creddump_V64
 meta:
 description = "Azure AdSync Service Account Password Dumping"
 author = "SBousseaden"
- id = "8f8fc081-b78b-5f93-a5f2-5cbe04d88404"
+ id = "9f536ff2-95b6-5f93-8c6f-e3738d6404c7"
 date = "2020-03-08"
 modified = "2020-12-28"
 reference = "https://blog.xpnsec.com/azuread-connect-for-redteam/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L91-L111"
 license_url = "N/A"
- logic_hash = "v1_sha256_e2465fec6dd9384d5d7f31f1c0e7661f4fbd5e3f87a14abfcb9b0412985cb1d6"
+ logic_hash = "e2465fec6dd9384d5d7f31f1c0e7661f4fbd5e3f87a14abfcb9b0412985cb1d6"
 score = 75
 quality = 75
 tags = ""
@@ -221292,13 +221507,13 @@ rule SBOUSSEADEN_Adsync_Creddump_Xwide
 meta:
 description = "Azure AdSync Service Account Password Dumping"
 author = "SBousseaden"
- id = "b284980b-c019-567c-9259-889fb8773a40"
+ id = "a8c3e60a-99b8-50c8-992c-fbe18499a615"
 date = "2020-03-08"
 modified = "2020-12-28"
 reference = "https://blog.xpnsec.com/azuread-connect-for-redteam/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L112-L132"
 license_url = "N/A"
- logic_hash = "v1_sha256_9015005494cb3cc52645a9c82f6179992942243a816b05273bc26f58ac70a2e0"
+ logic_hash = "9015005494cb3cc52645a9c82f6179992942243a816b05273bc26f58ac70a2e0"
 score = 75
 quality = 75
 tags = ""
@@ -221325,13 +221540,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Cloud
 meta:
 description = "hunt for the presence of more than 1 known cloud client utility related credential paths"
 author = "SBousseaden"
- id = "3df37d45-2e6e-5c3d-812c-a150dc4c7e87"
+ id = "a1916a13-ba08-57b4-8615-5ff08986e128"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L134-L150"
 license_url = "N/A"
- logic_hash = "v1_sha256_09814a4bb118b5015936943c8585475fd88e0b49d08587fedeeb2c0b4d7ab979"
+ logic_hash = "09814a4bb118b5015936943c8585475fd88e0b49d08587fedeeb2c0b4d7ab979"
 score = 50
 quality = 75
 tags = ""
@@ -221355,13 +221570,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Cloud_Wide_Xor
 meta:
 description = "hunt for the presence of more than 1 known cloud client utility related credential paths"
 author = "SBousseaden"
- id = "e46bb8bf-a274-5b66-a064-bbb35f612865"
+ id = "8e48151c-8a9b-57b1-8464-5be28afc347b"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L152-L168"
 license_url = "N/A"
- logic_hash = "v1_sha256_0625fc019eeeac8c219fa997c5957b69e5073c82d5cb1b880a5c1f7295ba2b7a"
+ logic_hash = "0625fc019eeeac8c219fa997c5957b69e5073c82d5cb1b880a5c1f7295ba2b7a"
 score = 50
 quality = 75
 tags = ""
@@ -221385,13 +221600,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Cloud_Base64
 meta:
 description = "hunt for the presence of more than 1 known cloud client utility related credential paths"
 author = "SBousseaden"
- id = "bf05b5cc-69bc-5050-b5ad-446f6a609111"
+ id = "34460cb1-acf4-53e7-9c95-f69824a87836"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L170-L186"
 license_url = "N/A"
- logic_hash = "v1_sha256_bf0acdc6e72e3528a93709b99f40aa13b45d9a3d22d8373d54414cc9be49d4d0"
+ logic_hash = "bf0acdc6e72e3528a93709b99f40aa13b45d9a3d22d8373d54414cc9be49d4d0"
 score = 50
 quality = 75
 tags = ""
@@ -221415,13 +221630,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Cloud_Wide_Base64
 meta:
 description = "hunt for the presence of more than 1 known cloud client utility related credential paths"
 author = "SBousseaden"
- id = "024805cd-4b4a-5067-b9b4-db6db66ef154"
+ id = "5c9a77b6-612b-5d5d-926c-833e49f8020e"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L188-L204"
 license_url = "N/A"
- logic_hash = "v1_sha256_1dd7aba89ddef2d18807bef77abd106a74f2e339e1e3bbd102c2edee14ffcf6f"
+ logic_hash = "1dd7aba89ddef2d18807bef77abd106a74f2e339e1e3bbd102c2edee14ffcf6f"
 score = 50
 quality = 75
 tags = ""
@@ -221445,13 +221660,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Iis
 meta:
 description = "hunt for strings related to iis credential access"
 author = "SBousseaden"
- id = "89b622d3-eda3-54d3-882d-d0e615e44522"
+ id = "0edfb8a5-83ab-5d6f-b8c9-7d3e03a6e32a"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L206-L219"
 license_url = "N/A"
- logic_hash = "v1_sha256_b193e40e932d3168c826baaa070b2484e7e4781a481ab911a9526f9bc23d24a1"
+ logic_hash = "b193e40e932d3168c826baaa070b2484e7e4781a481ab911a9526f9bc23d24a1"
 score = 50
 quality = 73
 tags = ""
@@ -221472,13 +221687,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Iis_Xor
 meta:
 description = "hunt for strings related to iis credential access"
 author = "SBousseaden"
- id = "b36e0315-f6d6-5584-b334-8999a0c9ec50"
+ id = "ed5dd469-cf08-5eb1-bfde-36460c10197b"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L221-L234"
 license_url = "N/A"
- logic_hash = "v1_sha256_58c316238cacfbfd5a539d6dbae9bc31836c414d5179ca5c40aa2cfae6c69655"
+ logic_hash = "58c316238cacfbfd5a539d6dbae9bc31836c414d5179ca5c40aa2cfae6c69655"
 score = 60
 quality = 45
 tags = ""
@@ -221499,13 +221714,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Iis_Base64
 meta:
 description = "hunt for strings related to iis credential access"
 author = "SBousseaden"
- id = "f5429241-6096-5da1-ae7e-4dcf91562ef8"
+ id = "3a6b41b1-5a6a-536e-ac99-fb45ec460767"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L236-L249"
 license_url = "N/A"
- logic_hash = "v1_sha256_b09c4cfaefeae28cb9381ae7b94ef970f10a6a265a3e40766d2a8c109b2df054"
+ logic_hash = "b09c4cfaefeae28cb9381ae7b94ef970f10a6a265a3e40766d2a8c109b2df054"
 score = 50
 quality = 75
 tags = ""
@@ -221526,13 +221741,13 @@ rule SBOUSSEADEN_Hunt_Credaccess_Iis_Wide_Base64
 meta:
 description = "hunt for strings related to iis credential access"
 author = "SBousseaden"
- id = "19fc69bb-3963-5e16-a2f4-123f75735180"
+ id = "9e709338-2b61-53b6-99b4-36b52991bc27"
 date = "2020-07-20"
 modified = "2020-12-28"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L251-L264"
 license_url = "N/A"
- logic_hash = "v1_sha256_6b06ef3a19fc4ce4d6a3f23815ac411094574cf15bfcc18d675017c7e357d1cf"
+ logic_hash = "6b06ef3a19fc4ce4d6a3f23815ac411094574cf15bfcc18d675017c7e357d1cf"
 score = 50
 quality = 75
 tags = ""
@@ -221553,13 +221768,13 @@ rule SBOUSSEADEN_Hunt_Teamviewer_Registry_Pwddump : CVE_2019_18988 FILE
 meta:
 description = "cve-2019-18988 - decryption of AES 128 bits encrypted TV config pwds saved in TV registry hive"
 author = "SBousseaden"
- id = "819ce25a-1e11-5cf9-a2bf-bb98487e0180"
+ id = "b2240cda-a37a-572e-b915-be39cbaabaaf"
 date = "2020-07-23"
 modified = "2020-12-28"
 reference = "https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_capab_credentials_access.yara#L266-L286"
 license_url = "N/A"
- logic_hash = "v1_sha256_a0cb06e06904e98e963798fddc28e2a7cf8b737a50ff7d380e7f871c78ed9479"
+ logic_hash = "a0cb06e06904e98e963798fddc28e2a7cf8b737a50ff7d380e7f871c78ed9479"
 score = 50
 quality = 63
 tags = "CVE-2019-18988, FILE"
@@ -221586,13 +221801,13 @@ rule SBOUSSEADEN_Hunt_Dllhijack_Wow64Log : FILE
 meta:
 description = "broad hunt for non MS wow64log module"
 author = "SBousseaden"
- id = "33d4d58f-0e36-50f4-9fe0-6bcc5c0d4ffb"
+ id = "1d01917f-0690-5ede-947a-90fc86c03c38"
 date = "2020-06-05"
 modified = "2020-06-05"
 reference = "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/wow64log.yara#L3-L13"
 license_url = "N/A"
- logic_hash = "v1_sha256_e8ec491fe579b7e57b7e9078515a9628cfc2e0f3645882b9a352ff28a2fcb817"
+ logic_hash = "e8ec491fe579b7e57b7e9078515a9628cfc2e0f3645882b9a352ff28a2fcb817"
 score = 50
 quality = 75
 tags = "FILE"
@@ -221605,13 +221820,13 @@ rule SBOUSSEADEN_Dcsync_Mimikatz : FILE
 meta:
 description = "Hunting rule for Mimikatz Implementation of DCSync Attack"
 author = "SBousseaden"
- id = "9baa93f8-06db-5f9e-8cdb-053de852e6b3"
+ id = "2d5d5fdb-8a84-5e88-b136-4e3e788c46cd"
 date = "2020-09-22"
 modified = "2020-09-22"
 reference = "https://github.com/gentilkiwi/mimikatz"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_mimikatz_dcsync.yara#L1-L24"
 license_url = "N/A"
- logic_hash = "v1_sha256_436979d794b7b599f2186252c7f233f091100880c2d39008d8bd7f839553fb53"
+ logic_hash = "436979d794b7b599f2186252c7f233f091100880c2d39008d8bd7f839553fb53"
 score = 50
 quality = 75
 tags = "FILE"
@@ -221641,13 +221856,13 @@ rule SBOUSSEADEN_Hunt_Evtmutehook_Memory
 meta:
 description = "memory hunt for default wevtsv EtwEventCallback hook pattern to apply to eventlog svchost memory dump"
 author = "SBousseaden"
- id = "c4c32b8b-e1c8-5ff0-a5ab-3fdfd00cf84f"
+ id = "5326581e-90d9-59b9-8dc5-74df97571600"
 date = "2020-09-05"
 modified = "2020-09-05"
 reference = "https://blog.dylan.codes/pwning-windows-event-logging/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_memory_evtmutehook.yara#L1-L11"
 license_url = "N/A"
- logic_hash = "v1_sha256_3db66069ed67d90031a6fe071dad4d0200ddd661b263dd2860df026673031e48"
+ logic_hash = "3db66069ed67d90031a6fe071dad4d0200ddd661b263dd2860df026673031e48"
 score = 50
 quality = 75
 tags = ""
@@ -221664,13 +221879,13 @@ rule SBOUSSEADEN_Hunt_Procinj_Instrumentationcallback : FILE
 meta:
 description = "hunt for possible injection with Instrumentation Callback PE"
 author = "SBousseaden"
- id = "24398247-2907-56e1-8c34-baad7a6bbff8"
+ id = "f450bf71-d848-540e-b700-c046662f1cbc"
 date = "2020-07-25"
 modified = "2020-07-25"
 reference = "https://movaxbx.ru/2020/07/24/weaponizing-mapping-injection-with-instrumentation-callback-for-stealthier-process-injection/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_procinj_instrcallback.yara#L1-L21"
 license_url = "N/A"
- logic_hash = "v1_sha256_b33dae550bae9508b9fd5b2d6cabf1d4d928792d3988af23cdba34d9d3d03162"
+ logic_hash = "b33dae550bae9508b9fd5b2d6cabf1d4d928792d3988af23cdba34d9d3d03162"
 score = 50
 quality = 71
 tags = "FILE"
@@ -221697,13 +221912,13 @@ rule SBOUSSEADEN_Hunt_Susp_Vhd : FILE
 meta:
 description = "Virtual hard disk file with embedded PE"
 author = "SBousseaden"
- id = "bba4c86e-0710-566b-9c70-83629105411a"
+ id = "14b082b2-c5cd-5f34-85e9-5987650eaacd"
 date = "2020-07-13"
 modified = "2020-07-13"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_susp_vhd.yara#L1-L12"
 license_url = "N/A"
- logic_hash = "v1_sha256_4ba2e3f533942b27c1d235be4677afdac774b558429c414043a8e3a609123ad3"
+ logic_hash = "4ba2e3f533942b27c1d235be4677afdac774b558429c414043a8e3a609123ad3"
 score = 65
 quality = 73
 tags = "FILE"
@@ -221724,13 +221939,13 @@ rule SBOUSSEADEN_Maliciousdllgenerator : FILE
 meta:
 description = "MaliciousDLLGenerator default decoder and export name"
 author = "SBousseaden"
- id = "210a39a3-8442-5b46-ac10-2988abe6b974"
+ id = "a5f4d0b2-ef40-5e69-935e-208464944487"
 date = "2020-06-07"
 modified = "2020-06-08"
 reference = "https://github.com/Mr-Un1k0d3r/MaliciousDLLGenerator"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/MaliciousDLLGenerator.yara#L3-L12"
 license_url = "N/A"
- logic_hash = "v1_sha256_70976f4a7043f52277a1d436c1725b2583383880d7158c74c4d93f3e603708c7"
+ logic_hash = "70976f4a7043f52277a1d436c1725b2583383880d7158c74c4d93f3e603708c7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -221748,13 +221963,13 @@ rule SBOUSSEADEN_Gosliver
 meta:
 description = "No description has been set in the source file - SBousseaden"
 author = "SBousseaden"
- id = "fa299fbc-11dc-5544-86c7-c456fd6f50a2"
+ id = "eba5043a-ca4d-5c5d-a895-51218b03e59e"
 date = "2020-10-11"
 modified = "2020-10-11"
 reference = "https://github.com/BishopFox/sliver"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/hunt_sliver_go_framwwork.yara#L2-L9"
 license_url = "N/A"
- logic_hash = "v1_sha256_8dc96e533adc29c78a998d9f064ff294d2ef8a4ff00cef8b0c81ef465ef70b08"
+ logic_hash = "8dc96e533adc29c78a998d9f064ff294d2ef8a4ff00cef8b0c81ef465ef70b08"
 score = 75
 quality = 75
 tags = ""
@@ -221770,13 +221985,13 @@ rule SBOUSSEADEN_Mimikatz_Kiwikey
 meta:
 description = "hunt for default mimikatz kiwikey"
 author = "SBousseaden"
- id = "7849ba37-46bc-5625-b1d8-d6421e1480e6"
+ id = "3141e679-6e07-5017-9675-4557fb876ebc"
 date = "2020-08-08"
 modified = "2020-08-09"
 reference = "https://github.com/sbousseaden/YaraHunts/"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/kiwikey.yara#L1-L10"
 license_url = "N/A"
- logic_hash = "v1_sha256_03745aed838dafad2fc6e190f181141bda31c212af56edb8ba665b86671f8bee"
+ logic_hash = "03745aed838dafad2fc6e190f181141bda31c212af56edb8ba665b86671f8bee"
 score = 75
 quality = 75
 tags = ""
@@ -221793,13 +222008,13 @@ rule SBOUSSEADEN_Shad0W_Beacon_16June : FILE
 meta:
 description = "Shad0w beacon compressed"
 author = "SBousseaden"
- id = "e9f1417d-69e3-589f-8adb-e9a00f4a3918"
+ id = "1229e84f-bf6e-5e87-9351-a48cd50397b0"
 date = "2020-06-16"
 modified = "2020-06-17"
 reference = "https://github.com/bats3c/shad0w"
 source_url = "https://github.com/sbousseaden/YaraHunts//blob/71b27a2a7c57c2aa1877a11d8933167794e2b4fb/shad0w_beacon_16June.yara#L1-L13"
 license_url = "N/A"
- logic_hash = "v1_sha256_c313e995d6eaae6d2ee63964f6fc94964065af7a61d7f304280d914e6f0dd548"
+ logic_hash = "c313e995d6eaae6d2ee63964f6fc94964065af7a61d7f304280d914e6f0dd548"
 score = 75
 quality = 75
 tags = "FILE"
@@ -221817,7 +222032,7 @@ rule SBOUSSEADEN_Shad0W_Beacon_16June : FILE
  * YARA Rule Set
  * Repository Name: Elceef
  * Repository: https://github.com/elceef/yara-rulz
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
  * Git Commit: 05834717d1464d5efce8ad9d688ff7b53886a0bb
  * Number of Rules: 17
  * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance)
@@ -221853,13 +222068,13 @@ rule ELCEEF_Obfuscated_IP_Address_In_URL
 meta:
 description = "Detects hexadecimal and octal IP address representations in URL"
 author = "marcin@ulikowski.pl"
- id = "a0eb25d7-9515-5a64-b550-a68e8e969762"
+ id = "f2ebf5f7-5446-5eaa-8e30-90d08b8616d9"
 date = "2020-09-17"
 modified = "2024-03-04"
 reference = "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam/"
 source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Obfuscated_IPAddr_URL.yara#L1-L17"
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
- logic_hash = "v1_sha256_ab2a2a3a56e6eed9f4a3a8f994c89a167f00b86ce442820c81d8ee673b0ab85c"
+ logic_hash = "ab2a2a3a56e6eed9f4a3a8f994c89a167f00b86ce442820c81d8ee673b0ab85c"
 score = 75
 quality = 65
 tags = ""
@@ -221878,13 +222093,13 @@ rule ELCEEF_Base64_SVG_Javascript
 meta:
 description = "Detects base64 encoded SVG objects containing Javascript"
 author = "marcin@ulikowski.pl"
- id = "962489d0-b83f-5733-ac59-1926dd2bb389"
+ id = "99275772-1f4f-5616-9a9c-f76b613fe143"
 date = "2022-10-25"
 modified = "2022-12-12"
 reference = "https://github.com/elceef/yara-rulz"
 source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Base64_SVG_Javascript.yara#L1-L16"
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
- logic_hash = "v1_sha256_e4cb08ccc75dc00b518c4ee1495409ae6bb99e7d493be55312b8d39aa9099cfc"
+ logic_hash = "e4cb08ccc75dc00b518c4ee1495409ae6bb99e7d493be55312b8d39aa9099cfc"
 score = 75
 quality = 75
 tags = ""
@@ -221903,13 +222118,13 @@ rule ELCEEF_HTML_Smuggling_A : T1027 FILE
 meta:
 description = "Generic detection for HTML smuggling (T1027.006)"
 author = "marcin@ulikowski.pl"
- id = "457bd8eb-8686-56d3-827e-a8288d96b789"
+ id = "b711318f-81d2-5d0b-968f-04ae18fdea5b"
 date = "2021-05-13"
 modified = "2023-04-16"
 reference = "https://github.com/elceef/yara-rulz"
 source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/HTML_Smuggling.yara#L1-L31"
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
- logic_hash = "v1_sha256_bc076e9f3d4c6d2aa5a3602436408e5b2ac3140ca9f7cc776c44835cba211951"
+ logic_hash = "bc076e9f3d4c6d2aa5a3602436408e5b2ac3140ca9f7cc776c44835cba211951"
 score = 75
 quality = 75
 tags = "T1027, FILE"
@@ -221939,13 +222154,13 @@ rule ELCEEF_HTML_Smuggling_B : T1027 FILE
 meta:
 description = "Generic detection for HTML smuggling (T1027.006)"
 author = "marcin@ulikowski.pl"
- id = "f99cd5db-b0b7-58c7-8665-3a3ad2ecbb17"
+ id = "640d70c2-f1fc-5e32-a720-ebc92839ec40"
 date = "2022-12-02"
 modified = "2023-04-16"
 reference = "https://github.com/elceef/yara-rulz"
 source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/HTML_Smuggling.yara#L33-L60"
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
- logic_hash = "v1_sha256_3c42e6f715bd5476aea4d47e9f6431747ddf7c7c8098840560201e2c21723eeb"
+ logic_hash = "3c42e6f715bd5476aea4d47e9f6431747ddf7c7c8098840560201e2c21723eeb"
 score = 75
 quality = 75
 tags = "T1027, FILE"
@@ -221972,13 +222187,13 @@ rule ELCEEF_HTML_Smuggling_C : T1027 FILE
 meta:
 description = "Generic detection for HTML smuggling (T1027.006)"
 author = "marcin@ulikowski.pl"
- id = "08b82a07-cdcd-552c-9f8e-b0b8d8301dda"
+ id = "ea1eafad-905b-571e-a016-8774e65bd976"
 date = "2023-04-17"
 modified = "2023-04-17"
 reference = "https://github.com/elceef/yara-rulz"
 source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/HTML_Smuggling.yara#L62-L82"
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
- logic_hash = "v1_sha256_83409b0b173980975f6349e448e72fe1b2115fc7dbdec8ee7ad1826a65db17d3"
+ logic_hash = "83409b0b173980975f6349e448e72fe1b2115fc7dbdec8ee7ad1826a65db17d3"
 score = 75
 quality = 75
 tags = "T1027, FILE"
@@ -222000,13 +222215,13 @@ rule ELCEEF_OLE2_Autoopen_Reversed_Payload : FILE
 meta:
 description = "Detects suspiciously reversed payloads in OLE2 objects with auto-open macros"
 author = "marcin@ulikowski.pl"
- id = "a728cbda-8476-595f-ad3c-08378c4019e2"
+ id = "9244fdb7-9949-58a0-9e39-e61e04cc1574"
 date = "2021-12-01"
 modified = "2023-04-04"
 reference = "https://github.com/elceef/yara-rulz"
 source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/OLE2_Reversed.yara#L1-L20"
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
- logic_hash = "v1_sha256_425750e77d31ddc356f803ee6e2f192f93f64534a9633fef02da5caaa60dbcaf"
+ logic_hash = "425750e77d31ddc356f803ee6e2f192f93f64534a9633fef02da5caaa60dbcaf"
 score = 65
 quality = 67
 tags = "FILE"
@@ -222025,13 +222240,13 @@ rule ELCEEF_Suspicious_SFX : FILE
 meta:
 description = "Detects self-extracting archives (SFX) executing cmd.exe or powershell.exe"
 author = "marcin@ulikowski.pl"
- id = "4eddc90f-014b-5461-b81b-16ede0c0fc3c"
+ id = "78f4ae8b-ba17-5c02-a6f0-66bec873aba8"
 date = "2023-04-04"
 modified = "2023-04-04"
 reference = "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
 source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Suspicious_SFX.yara#L1-L22"
 license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE"
- logic_hash = "v1_sha256_688ed356e2fa936a0e07a8479591c28fb457053ed94351bad4bf367b02f04b0a"
+ logic_hash = "688ed356e2fa936a0e07a8479591c28fb457053ed94351bad4bf367b02f04b0a"
 score = 65
 quality = 73
 tags = "FILE"
@@ -222051,13 +222266,13 @@ rule ELCEEF_HTML_Windows_Search_Abuse meta: description = "Detects HTML files abusing Windows system functionalities to redirect and download malicious payloads" author = "marcin@ulikowski.pl" - id = "ac53acf4-6f4c-5c3d-88b4-a19ca660c9ee" + id = "537cb46e-4cfc-517c-8d6d-0019f2c3e5ef" date = "2024-06-15" modified = "2024-06-16" reference = "https://github.com/elceef/yara-rulz" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/HTML_Windows_Search.yara#L1-L22" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_6a0d490cf08ab0aad3c535645abe9ebc26d12768cf2a2e932cdb7ec93cf3e2bd" + logic_hash = "6a0d490cf08ab0aad3c535645abe9ebc26d12768cf2a2e932cdb7ec93cf3e2bd" score = 75 quality = 73 tags = "" @@ -222082,13 +222297,13 @@ rule ELCEEF_Winrar_CVE_2023_38831_Exploit : CVE_2023_38831 FILE meta: description = "Detects ZIP archives exploiting CVE-2023-38831 in WinRAR" author = "marcin@ulikowski.pl" - id = "39f38d0d-1af5-580d-a341-b8e74bda00ca" + id = "7d592eb7-b344-59ed-adf8-fe69ebb1e43f" date = "2023-09-23" modified = "2023-09-28" reference = "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/WinRAR_CVE_2023_38831.yara#L1-L17" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_06f1d807429fb175831cf333b05b44b6ce33b4ae981e16c03e36ec7564a4fdd1" + logic_hash = "06f1d807429fb175831cf333b05b44b6ce33b4ae981e16c03e36ec7564a4fdd1" score = 75 quality = 75 tags = "CVE-2023-38831, FILE" 
@@ -222106,13 +222321,13 @@ rule ELCEEF_EICAR_Encrypted_ZIP meta: description = "Detects EICAR file in any encrypted ZIP archive" author = "marcin@ulikowski.pl" - id = "1240f186-9db2-565f-84a1-e4f8631798cf" + id = "c12d42de-356a-584b-9c48-71e65940f1cf" date = "2022-12-13" modified = "2022-12-16" reference = "https://github.com/elceef/yara-rulz" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/EICAR_Encrypted_ZIP.yara#L14-L44" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_56851056671bde38338bd200d9fde59c042f35a2cd84ac9401e716f376c9502c" + logic_hash = "56851056671bde38338bd200d9fde59c042f35a2cd84ac9401e716f376c9502c" score = 75 quality = 75 tags = "" @@ -222138,13 +222353,13 @@ rule ELCEEF_BAT_Obfuscated_Setenv meta: description = "Detects batch script with obfuscated SET command located directly after @echo off" author = "marcin@ulikowski.pl" - id = "8f24ce35-fd4b-5cb0-9820-c4eeb681aaf4" + id = "999d192e-a792-5953-b9e2-de4b298444d3" date = "2023-05-01" modified = "2023-05-05" reference = "https://twitter.com/wdormann/status/1651631372438585344" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Suspicious_BAT.yara#L1-L20" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_da3a2245207d79cb720079cc2bc88d5f9db22fc16601d21e7c8dcea381ed11e9" + logic_hash = "da3a2245207d79cb720079cc2bc88d5f9db22fc16601d21e7c8dcea381ed11e9" score = 75 quality = 75 tags = "" 
@@ -222165,13 +222380,13 @@ rule ELCEEF_BAT_Chunked_Payload_Setenv meta: description = "Detects batch script storing chunks of payload in random environment variables" author = "marcin@ulikowski.pl" - id = "e52ffe28-5429-53ba-8d9c-ddd3d00e6903" + id = "18f3ddac-bc19-5b54-891e-93271d59490a" date = "2023-05-05" modified = "2024-04-10" reference = "https://github.com/elceef/yara-rulz" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Suspicious_BAT.yara#L22-L37" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_6b202d1a5723db664c7ca689c73fc1f84365801fd56fc9a035c8d3a0b6b2b9da" + logic_hash = "6b202d1a5723db664c7ca689c73fc1f84365801fd56fc9a035c8d3a0b6b2b9da" score = 75 quality = 75 tags = "" @@ -222189,13 +222404,13 @@ rule ELCEEF_BAT_Begin_Substring_Env meta: description = "Detects suspicious substring syntax at the begining of batch script" author = "marcin@ulikowski.pl" - id = "ca3b032b-f0a2-5f1c-a8f9-fda473ec9c08" + id = "3fca187b-d2e7-595c-9330-25141a54285b" date = "2023-06-02" modified = "2024-04-10" reference = "https://cybersecurity.att.com/blogs/labs-research/seroxen-rat-for-sale" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Suspicious_BAT.yara#L39-L55" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_cc5e6e511bbc0a5cbb277ed0cbac1f2b21db8e21c4cdc802b6a1c3313d3b55cc" + logic_hash = "cc5e6e511bbc0a5cbb277ed0cbac1f2b21db8e21c4cdc802b6a1c3313d3b55cc" score = 65 quality = 75 tags = "" 
@@ -222213,13 +222428,13 @@ rule ELCEEF_Polymorph_BAT_CAB : FILE meta: description = "Detects polymorphic BAT/CAB files self-extracting payload with extrac32.exe/extract.exe" author = "marcin@ulikowski.pl" - id = "1397c822-7bf0-5244-bac9-66131e370b36" + id = "10a46120-beaf-5443-bc35-c6d9ef065bb4" date = "2024-04-10" modified = "2024-04-10" reference = "https://github.com/elceef/yara-rulz" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Suspicious_BAT.yara#L57-L72" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_d29d488b0ebcfb485818c181ac674e3586aa1a41ab68185a1f1d3e49295ffbce" + logic_hash = "d29d488b0ebcfb485818c181ac674e3586aa1a41ab68185a1f1d3e49295ffbce" score = 75 quality = 75 tags = "FILE" @@ -222236,13 +222451,13 @@ rule ELCEEF_HTA_Wscriptshell_Onenote : FILE meta: description = "Detects suspicious OneNote documents with embedded HTA + WScript.Shell" author = "marcin@ulikowski.pl" - id = "7ee9ca40-5a4a-5d99-bb08-813429d2b2a4" + id = "8cebd862-8dfb-5f5d-befb-5c41cde945ff" date = "2023-02-01" modified = "2023-02-02" reference = "https://github.com/elceef/yara-rulz" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/HTA_OneNote.yara#L1-L17" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_0287ac5d618c9a8332d167f1a05157aa829c7e8a052c35100fcaeb644d452e5c" + logic_hash = "0287ac5d618c9a8332d167f1a05157aa829c7e8a052c35100fcaeb644d452e5c" score = 65 quality = 75 tags = "FILE" 
@@ -222261,13 +222476,13 @@ rule ELCEEF_Suspicious_Onenote meta: description = "Detects OneNote documents with FileDataStoreObject structure containing: PE32, shortcut files (*.lnk), encoded JS, Windows Help File (*.chm), or batch script" author = "marcin@ulikowski.pl" - id = "66abec5b-2467-5306-bd56-d8a38c0ac249" + id = "57f6fc7f-666f-5887-ac97-513588415757" date = "2023-01-22" modified = "2023-02-21" reference = "https://github.com/elceef/yara-rulz" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/Suspicious_OneNote.yara#L1-L23" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_b65f0976b71c1e827ecce09f0c435d9ffa6a5d3b3a41401efc6a14b6259af4ad" + logic_hash = "b65f0976b71c1e827ecce09f0c435d9ffa6a5d3b3a41401efc6a14b6259af4ad" score = 65 quality = 75 tags = "" @@ -222293,13 +222508,13 @@ rule ELCEEF_ZIP_High_Ratio_Single_Doc : FILE meta: description = "Detects ZIP archives containing single MS Word document with unusually high compression ratio" author = "marcin@ulikowski.pl" - id = "e1e9708d-e85e-5bd8-9c2e-bc0ab70e4907" + id = "0fbe89d9-1bf5-50a9-b6c1-1d739162a2ba" date = "2023-03-08" modified = "2023-03-08" reference = "https://github.com/elceef/yara-rulz" source_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/rules/ZIP_High_Ratio_Single_Doc.yara#L8-L27" license_url = "https://github.com/elceef/yara-rulz/blob/05834717d1464d5efce8ad9d688ff7b53886a0bb/LICENSE" - logic_hash = "v1_sha256_470300b8d6356cff43a1e2be3a23a97be5d1e2ce5a76f2fb2eccdbbb47a4d327" + logic_hash = "470300b8d6356cff43a1e2be3a23a97be5d1e2ce5a76f2fb2eccdbbb47a4d327" score = 75 quality = 75 tags = "FILE" 
@@ -222313,11 +222528,282 @@ rule ELCEEF_ZIP_High_Ratio_Single_Doc : FILE condition: filesize < 1MB and $magic at 0 and #magic == 1 and uint32( 22 ) > 1024 * 1024 * 100 and $ext at ( uint16( 26 ) + 26 ) } +/* + * YARA Rule Set + * Repository Name: GodModeRules + * Repository: https://github.com/Neo23x0/god-mode-rules/ + * Retrieval Date: 2024-12-23 + * Git Commit: 436dc682164cf17a123d6b09d1424e7e2acf0c25 + * Number of Rules: 1 + * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) + * + * + * LICENSE + * + * Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. 
+ + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. 
You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. 
+ + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. 
In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. 
+ + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + */ +rule GODMODERULES_IDDQD_God_Mode_Rule +{ + meta: + description = "Detects a wide array of cyber threats, from malware and ransomware to advanced persistent threats (APTs)" + author = "Florian Roth" + id = "cb16ab74-1452-5898-b819-4346fea28c69" + date = "2019-05-15" + modified = "2024-01-12" + reference = "Internal Research - get a god mode rule set with THOR by Nextron Systems" + source_url = "https://github.com/Neo23x0/god-mode-rules//blob/436dc682164cf17a123d6b09d1424e7e2acf0c25/godmode.yar#L24-L69" + license_url = "https://github.com/Neo23x0/god-mode-rules//blob/436dc682164cf17a123d6b09d1424e7e2acf0c25/LICENSE" + logic_hash = "f2996ad7090a79c470e64c9e0ac43c2ba3fc1bf18e39686ecda9dc5b89744d7e" + score = 60 + quality = 46 + tags = "" + importance = 60 + + strings: + $ = "sekurlsa::logonpasswords" ascii wide nocase + $ = "ERROR kuhl" wide xor + $ = " -w hidden " ascii wide nocase + $ = "Koadic." ascii + $ = "ReflectiveLoader" fullword ascii wide xor + $ = "%s as %s\\%s: %d" ascii xor + $ = "[System.Convert]::FromBase64String(" ascii + $ = "/meterpreter/" ascii xor + $ = / -[eE][decoman]{0,41} ['"]?(JAB|SUVYI|aWV4I|SQBFAFgA|aQBlAHgA|cgBlAG)/ ascii wide + $ = / (sEt|SEt|SeT|sET|seT) / ascii wide + $ = ");iex " nocase ascii wide + $ = "Nir Sofer" fullword wide + $ = "impacket." 
ascii + $ = /\[[\+\-!E]\] (exploit|target|vulnerab|shell|inject)/ nocase + $ = "0000FEEDACDC}" ascii wide + $ = "vssadmin delete shadows" ascii nocase + $ = ".exe delete shadows" ascii nocase + $ = " shadowcopy delete" ascii wide nocase + $ = " delete catalog -quiet" ascii wide nocase + $ = "stratum+tcp://" ascii wide + $ = /\\(Debug|Release)\\(Key[lL]og|[Ii]nject|Steal|By[Pp]ass|Amsi|Dropper|Loader|CVE\-)/ + $ = /(Dropper|Bypass|Injection|Potato)\.pdb/ nocase + $ = "Mozilla/5.0" xor(0x01-0xff) ascii wide + $ = "amsi.dllATVSH" ascii xor + $ = "BeaconJitter" xor + $ = "main.Merlin" ascii fullword + $ = "\x48\x83\xec\x50\x4d\x63\x68\x3c\x48\x89\x4d\x10" xor + $ = "}{0}\"-f " ascii wide + $ = "HISTORY=/dev/null" ascii + $ = " /tmp/x;" ascii + $ = /comsvcs(\.dll)?[, ]{1,2}(MiniDump|#24)/ + $ = "AmsiScanBuffer" base64 base64wide + $ = "AmsiScanBuffer" xor(0x01-0xff) + $ = "%%%%%%%%%%%######%%%#%%####% &%%**#" ascii wide xor + + condition: + 1 of them +} /* * YARA Rule Set * Repository Name: Cod3nym * Repository: https://github.com/cod3nym/detection-rules/ - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: ad485bff0ce30afb56e367b7f2b76fea81e78fc9 * Number of Rules: 13 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) 
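Review bot: `GODMODERULES_IDDQD_God_Mode_Rule` fires on `1 of them` over very broad strings such as `"Mozilla/5.0" xor(0x01-0xff)`, `" -w hidden "`, `"[System.Convert]::FromBase64String("`, `"HISTORY=/dev/null"` and `/ (sEt|SEt|SeT|sET|seT) /`, so it will match a large amount of legitimate software and admin scripting, not only malware. Its `quality = 46` is far below every other rule in this bundle (67–80), yet the header reports `Skipped: 0 (quality)`, which suggests the quality floor used for the other repositories was not applied to this one. Before shipping it as a scanning rule, either raise the quality threshold so it is skipped like the one Cod3nym rule already was, or document in the consuming scanner that hits from this rule are hunting-grade and should map to a low severity rather than the `score = 60` suggests. The doubled slash in `source_url` and `license_url` (`god-mode-rules//blob/`) is a generator artifact shared with the Cod3nym entries and can be fixed there.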
@@ -222370,14 +222856,14 @@ rule COD3NYM_SUSP_NET_Shellcode_Loader_Indicators_Jan24 : FILE meta: description = "Detects indicators of shellcode loaders in .NET binaries" author = "Jonathan Peters" - id = "004a6481-a20d-5c5a-8f7a-cbb468b32757" + id = "606a444a-b894-5076-8d5e-1716bbfa588e" date = "2024-01-11" modified = "2024-01-12" reference = "https://github.com/Workingdaturah/Payload-Generator/tree/main" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/suspicious_indicators.yar#L1-L22" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "c48752a5b07b58596564f13301276dd5b700bd648a04af2e27d3f78512a06408" - logic_hash = "v1_sha256_28267eb54a4108924df57512bbae9f47f51fd4860b3cf93c014d73b0d4b2dec2" + logic_hash = "28267eb54a4108924df57512bbae9f47f51fd4860b3cf93c014d73b0d4b2dec2" score = 65 quality = 80 tags = "FILE" 
@@ -222399,14 +222885,14 @@ rule COD3NYM_SUSP_OBF_NET_Eazfuscator_String_Encryption_Jan24 : FILE meta: description = "Detects .NET images obfuscated with Eazfuscator string encryption. Eazfuscator is a widely used commercial obfuscation solution used by both legitimate software and malware." author = "Jonathan Peters" - id = "19c6b7b3-46d8-57ef-be21-1fe8ff9e0559" + id = "09a400f5-e837-58c2-9b51-9213c8ab0883" date = "2024-01-01" modified = "2024-01-03" reference = "https://www.gapotchenko.com/eazfuscator.net" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/obf_eazfuscator.yar#L1-L28" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "3a9ee09ed965e3aee677043ba42c7fdbece0150ef9d1382c518b4b96bbd0e442" - logic_hash = "v1_sha256_5f3f3358e3cfb274aa2e8465dde58a080f9fb282aa519885b9d39429521db6d9" + logic_hash = "5f3f3358e3cfb274aa2e8465dde58a080f9fb282aa519885b9d39429521db6d9" score = 50 quality = 80 tags = "FILE" 
@@ -222429,14 +222915,14 @@ rule COD3NYM_SUSP_OBF_NET_Eazfuscator_Virtualization_Jan24 : FILE meta: description = "Detects .NET images obfuscated with Eazfuscator virtualization protection. Eazfuscator is a widely used commercial obfuscation solution used by both legitimate software and malware." author = "Jonathan Peters" - id = "0f40a18c-18e3-5390-a332-92a90c94aaf6" + id = "d39bba65-1220-5b60-b919-1bd88f1bc7f1" date = "2024-01-02" modified = "2024-01-03" reference = "https://www.gapotchenko.com/eazfuscator.net" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/obf_eazfuscator.yar#L30-L51" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "53d5c2574c7f70b7aa69243916acf6e43fe4258fbd015660032784e150b3b4fa" - logic_hash = "v1_sha256_7a647973eae9163cb5b82c27141956da58f4a9fd2ad51cf82523b93536cfaea3" + logic_hash = "7a647973eae9163cb5b82c27141956da58f4a9fd2ad51cf82523b93536cfaea3" score = 60 quality = 80 tags = "FILE" 
@@ -222457,14 +222943,14 @@ rule COD3NYM_SUSP_OBF_NET_Confuserex_Name_Pattern_Jan24 : FILE meta: description = "Detects Naming Pattern used by ConfuserEx. ConfuserEx is a widely used open source obfuscator often found in malware" author = "Jonathan Peters" - id = "367b4090-9684-51aa-9e50-b8a50884506c" + id = "2b57f135-9d9d-5401-be29-a1053f4249ec" date = "2024-01-03" modified = "2024-01-09" reference = "https://github.com/yck1509/ConfuserEx/tree/master" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/obf_confuserex.yar#L1-L21" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "2f67f590cabb9c79257d27b578d8bf9d1a278afa96b205ad2b4704e7b9a87ca7" - logic_hash = "v1_sha256_f28f3bd61c6f257cc622f6f323a5b5113d7d7b79ce8b852df02c42af22ecf033" + logic_hash = "f28f3bd61c6f257cc622f6f323a5b5113d7d7b79ce8b852df02c42af22ecf033" score = 50 quality = 80 tags = "FILE" 
@@ -222485,14 +222971,14 @@ rule COD3NYM_SUSP_OBF_NET_Confuserex_Packer_Jan24 : FILE meta: description = "Detects binaries packed with ConfuserEx compression packer. This feature compresses and encrypts the actual image into a stub that unpacks and loads the original image on runtime." author = "Jonathan Peters" - id = "d4d67d06-bb6f-58f1-af92-e7f39873975f" + id = "cd53a62f-62e3-58a1-8bc3-7f40949e3f00" date = "2024-01-09" modified = "2024-01-09" reference = "https://github.com/yck1509/ConfuserEx/tree/master" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/obf_confuserex.yar#L23-L42" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "2570bd4c3f564a61d6b3d589126e0940af27715e1e8d95de7863579fbe25f86f" - logic_hash = "v1_sha256_43aee4c01b47ca04ee516d418939ec3e90fd08566f2a4b501c4698b7f9e0225d" + logic_hash = "43aee4c01b47ca04ee516d418939ec3e90fd08566f2a4b501c4698b7f9e0225d" score = 70 quality = 80 tags = "FILE" @@ -222514,13 +223000,13 @@ rule COD3NYM_DOTNET_Singlefilehost_Bundled_App : FILE meta: description = "Detects single file host .NET bundled apps." author = "Jonathan Peters" - id = "74c70d43-f709-5819-a818-06f8b8f2ef4f" + id = "061bd294-58d6-57be-b8b5-b8a8f31ce316" date = "2024-01-02" modified = "2024-01-05" reference = "https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/framework_identiciation.yar#L3-L17" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" - logic_hash = "v1_sha256_12075b07a9feb951898ac8eba303471d9253ed9535db927244e5562f4fad33d6" + logic_hash = "12075b07a9feb951898ac8eba303471d9253ed9535db927244e5562f4fad33d6" score = 75 quality = 80 tags = "FILE" 
@@ -222539,14 +223025,14 @@ rule COD3NYM_SUSP_OBF_NET_Reactor_Native_Stub_Jan24 meta: description = "Detects native packer stub for version 4.5-4.7 of .NET Reactor. A pirated copy of version 4.5 of this commercial obfuscation solution is used by various malware families like BlackBit, RedLine, AgentTesla etc." author = "Jonathan Peters" - id = "2a09e111-2103-5f85-8d87-61954513707d" + id = "529dce88-a81d-5a98-aa6c-1f1b739ad074" date = "2024-01-05" modified = "2024-01-12" reference = "https://notes.netbytesec.com/2023/08/understand-ransomware-ttps-blackbit.html" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/obf_net_reactor.yar#L3-L16" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "6e8a7adf680bede7b8429a18815c232004057607fdfbf0f4b0fb1deba71c5df7" - logic_hash = "v1_sha256_287273babd3cd6bc1986b018367317019f2249851a2c19fc83857f7ff0b90b54" + logic_hash = "287273babd3cd6bc1986b018367317019f2249851a2c19fc83857f7ff0b90b54" score = 70 quality = 80 tags = "" 
@@ -222555,21 +223041,21 @@ rule COD3NYM_SUSP_OBF_NET_Reactor_Native_Stub_Jan24 $op = {C6 44 24 18 E0 C6 44 24 19 3B C6 44 24 1A 8D C6 44 24 1B 2A C6 44 24 1C A2 C6 44 24 1D 2A C6 44 24 1E 2A C6 44 24 1F 41 C6 44 24 20 D3 C6 44 24 21 20 C6 44 24 22 64 C6 44 24 23 06 C6 44 24 24 8A C6 44 24 25 F7 C6 44 24 26 3D C6 44 24 27 9D C6 44 24 28 D9 C6 44 24 29 EE C6 44 24 2A 15 C6 44 24 2B 68 C6 44 24 2C F4 C6 44 24 2D 76 C6 44 24 2E B9 C6 44 24 2F 34 C6 44 24 30 BF C6 44 24 31 1E C6 44 24 32 E7 C6 44 24 33 78 C6 44 24 34 98 C6 44 24 35 E9 C6 44 24 36 6F C6 44 24 37 B4} condition: - for any i in ( 0 .. pe.number_of_resources - 1 ) : ( pe.resources [ i ] . name_string == "_\x00_\x00" ) and $op + for any i in ( 0 .. pe.number_of_resources -1 ) : ( pe.resources [ i ] . name_string == "_\x00_\x00" ) and $op } rule COD3NYM_SUSP_OBF_NET_Reactor_Indicators_Jan24 : FILE { meta: description = "Detects indicators of .NET Reactors managed obfuscation. Reactor is a commercial obfuscation solution, pirated versions are often abused by threat actors." author = "Jonathan Peters" - id = "9918de8b-8f06-5c7b-95b5-203b81dafe50" + id = "8dc07bbd-cbeb-5214-a27a-555a0d396197" date = "2024-01-09" modified = "2024-01-12" reference = "https://www.eziriz.com/dotnet_reactor.htm" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/obf_net_reactor.yar#L18-L34" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "be842a9de19cfbf42ea5a94e3143d58390a1abd1e72ebfec5deeb8107dddf038" - logic_hash = "v1_sha256_40a03eb487e2c02a032c4bfb51580dbb764e0a49ceee5ae92c54a5ee3ede9696" + logic_hash = "40a03eb487e2c02a032c4bfb51580dbb764e0a49ceee5ae92c54a5ee3ede9696" score = 65 quality = 80 tags = "FILE" 
@@ -222587,14 +223073,14 @@ rule COD3NYM_MAL_NET_Niximports_Loader_Jan24 : FILE meta: description = "Detects open-source NixImports .NET malware loader. A stealthy loader using dynamic import resolving to evade static detection" author = "Jonathan Peters" - id = "bc49c84d-8ac4-5dae-9653-aff6690f30d3" + id = "f36ad127-4c4b-5b7e-a13c-bfb9d222a438" date = "2024-01-12" modified = "2024-01-12" reference = "https://github.com/dr4k0nia/NixImports/tree/master" source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/mal/mal_net_niximports_loader.yar#L1-L22" license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md" hash = "dd3f22871879b0bc4990c96d1de957848c7ed0714635bb036c73d8a989fb0b39" - logic_hash = "v1_sha256_e41d7f4cb46aa0baa87d3024e0550efe5058ca49d908bbd34197431c7c054e58" + logic_hash = "e41d7f4cb46aa0baa87d3024e0550efe5058ca49d908bbd34197431c7c054e58" score = 80 quality = 80 tags = "FILE" 
@@ -222616,14 +223102,14 @@ rule COD3NYM_MAL_NET_Limecrypter_Runpe_Jan24 : FILE
 meta:
 description = "Detects LimeCrypter RunPE module. LimeCrypter is an open source .NET based crypter and loader commonly used by threat actors"
 author = "Jonathan Peters"
- id = "26c333ec-867b-531e-9c20-a137846b7d35"
+ id = "06ecd638-0102-5762-b363-fdc390dda04b"
 date = "2024-01-16"
 modified = "2024-01-16"
 reference = "https://github.com/NYAN-x-CAT/Lime-Crypter/tree/master"
 source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/dotnet/mal/mal_net_limecrypter_runpe.yar#L1-L22"
 license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md"
 hash = "bcc8c679acfc3aabf22ebdb2349b1fabd351a89fd23a716d85154049d352dd12"
- logic_hash = "v1_sha256_b01a68c60d62cf94ef16340316acb9b96d1e671c372559b86a8e6a5d8e80f7d9"
+ logic_hash = "b01a68c60d62cf94ef16340316acb9b96d1e671c372559b86a8e6a5d8e80f7d9"
 score = 80
 quality = 80
 tags = "FILE"
@@ -222644,14 +223130,14 @@ rule COD3NYM_SUSP_Direct_Syscall_Shellcode_Invocation_Jan24 : FILE
 meta:
 description = "Detects direct syscall evasion technqiue using NtProtectVirtualMemory to invoke shellcode"
 author = "Jonathan Peters"
- id = "b4c909a6-2406-57ec-9fc8-63f9132ff24c"
+ id = "2a0ce887-299d-5aad-bed3-3e698b4dea79"
 date = "2024-01-14"
 modified = "2024-01-14"
 reference = "https://unprotect.it/technique/evasion-using-direct-syscalls/"
 source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/other/susp_direct_syscall_shellcode_invocation.yar#L1-L14"
 license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md"
 hash = "f7cd214e7460c539d6f8d02b6650098e3983862ff658b76ea02c33f5a45fc836"
- logic_hash = "v1_sha256_b5b0ad86289a4e2af7cdc909192f4dc9325c1763259f40adcc1e60c088c9e4f3"
+ logic_hash = "b5b0ad86289a4e2af7cdc909192f4dc9325c1763259f40adcc1e60c088c9e4f3"
 score = 65
 quality = 80
 tags = "FILE"
@@ -222667,14 +223153,14 @@ rule COD3NYM_SUSP_OBF_Pyarmor_Jan24
 meta:
 description = "Detects PyArmor python code obfuscation. PyArmor is used by various threat actors like BatLoader"
 author = "Jonathan Peters"
- id = "9691acb1-c01b-5b82-b496-e0efff8fbc5f"
+ id = "2627c764-57ed-5781-8c77-ad2d9f4bd0ee"
 date = "2024-01-16"
 modified = "2024-01-16"
 reference = "https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html"
 source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/other/susp_obf_pyarmor.yar#L1-L18"
 license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md"
 hash = "2727a418f31e8c0841f8c3e79455067798a1c11c2b83b5c74d2de4fb3476b654"
- logic_hash = "v1_sha256_6bbbe4c9ad54a1d1042b53803ca6011f3eaaeebbe864703e741c25a0d788342f"
+ logic_hash = "6bbbe4c9ad54a1d1042b53803ca6011f3eaaeebbe864703e741c25a0d788342f"
 score = 65
 quality = 80
 tags = ""
@@ -222694,14 +223180,14 @@ rule COD3NYM_SUSP_RLO_Exe_Extension_Spoofing_Jan24
 meta:
 description = "Detects Right-To-Left (RLO) Unicode (U+202E) extension spoofing for .exe files"
 author = "Jonathan Peters"
- id = "86eed888-19dc-5e92-92d9-ae4ff0472991"
+ id = "60c1a8db-6bfc-547b-98d9-21c198a703f0"
 date = "2024-01-14"
 modified = "2024-02-19"
 reference = "https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/"
 source_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/yara/other/susp_rlo_exe_extension_spoofing.yar#L2-L58"
 license_url = "https://github.com/cod3nym/detection-rules//blob/ad485bff0ce30afb56e367b7f2b76fea81e78fc9/LICENSE.md"
 hash = "cae0ab10f7c1afd7941aff767a9b59901270e3de4d44167e932dae0991515487"
- logic_hash = "v1_sha256_6126f36b3cd695b4002c29c9163faa6ec295699863d8db7fe17afc407f5a5736"
+ logic_hash = "6126f36b3cd695b4002c29c9163faa6ec295699863d8db7fe17afc407f5a5736"
 score = 70
 quality = 55
 tags = ""
@@ -222759,7 +223245,7 @@ rule COD3NYM_SUSP_RLO_Exe_Extension_Spoofing_Jan24
 * YARA Rule Set
 * Repository Name: craiu
 * Repository: https://github.com/craiu/yararules
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: 23cf0ca22021fa3684e180a18416b9ae1b695243
 * Number of Rules: 13
 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance)
@@ -223448,7 +223934,7 @@ rule CRAIU_Crime_Noabot : FILE
 meta:
 description = "Noabot is a clone of Mirai"
 author = "Costin G. Raiu, Art of Noh, craiu@noh.ro"
- id = "d2cae1fc-2cda-5de2-85fa-946bcc821a06"
+ id = "8626783b-898c-587d-9b23-c8c9111cde66"
 date = "2024-01-11"
 modified = "2024-01-11"
 reference = "https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining"
@@ -223461,7 +223947,7 @@ rule CRAIU_Crime_Noabot : FILE
 hash = "829b3c298f7003f49986fb26920f7972e52982651ae6127c6e8e219a86f46890"
 hash = "c723a221cff37a700e0e3b9dc5f69cdd6a4cc82502ac7c144d6ca1eaf963e800"
 hash = "c8d3c0b87176b7f8d5667d479cb40d1b9f030d30afe588826254f26ebb4ac58e"
- logic_hash = "v1_sha256_51c63f45f891ee80c5e8428575f12cb5881665cb9fe26018d173335db0f02012"
+ logic_hash = "51c63f45f891ee80c5e8428575f12cb5881665cb9fe26018d173335db0f02012"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223490,13 +223976,13 @@ rule CRAIU_Susp_Ios_Shutdown
 meta:
 description = "Detect shutdown.log files from sysdiags with suspicious entries"
 author = "Costin G. Raiu, Art of Noh, craiu@noh.ro"
- id = "653c93c7-5e5a-5652-921d-eb39da145f63"
+ id = "08aa1fb9-7af0-515a-91a8-09ed35e48155"
 date = "2023-12-28"
 modified = "2024-03-05"
 reference = "https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/susp_ios_shutdown.yara#L2-L25"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
- logic_hash = "v1_sha256_936101f2dddb73f6dda41be47d775199c458aa4fecdcf348ed479da620343ea1"
+ logic_hash = "936101f2dddb73f6dda41be47d775199c458aa4fecdcf348ed479da620343ea1"
 score = 65
 quality = 85
 tags = ""
@@ -223517,14 +224003,14 @@ rule CRAIU_Crime_Chaos_Ransomware_Gen : FILE
 meta:
 description = "Chaos ransomware generic strings"
 author = "Costin G. Raiu, Art of Noh, craiu@noh.ro"
- id = "10b830e8-1026-5054-87d7-bbb6794d8e60"
+ id = "e909f7e4-50c2-54a6-8274-9ef92f95bf93"
 date = "2024-05-27"
 modified = "2024-05-28"
 reference = "https://blog.sonicwall.com/en-us/2024/05/politically-charged-ransomware-weaponized-as-a-file-destroyer/"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/crime_chaos_ransomware.yara#L2-L39"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
 hash = "524a898e18999ceac864dbac5b85fa2f14392e389b3c32f77d58e2a89cdf01c4"
- logic_hash = "v1_sha256_7d2e1c9178d5bf360cebc90056bbdae6a11729b1b3c5e963c522a29fd7ba7a3e"
+ logic_hash = "7d2e1c9178d5bf360cebc90056bbdae6a11729b1b3c5e963c522a29fd7ba7a3e"
 score = 75
 quality = 60
 tags = "FILE"
@@ -223553,7 +224039,7 @@ rule CRAIU_Crime_Lockbit3_Ransomware : FILE
 meta:
 description = "Generic LockBit detection, also catches the version used in attacks in Indonesia."
 author = "Costin G. Raiu, TLPBLACK, craiu@noh.ro"
- id = "ce2891c8-7950-5460-be54-dde17c17cf73"
+ id = "167788a4-a610-5770-9f51-aa4cc4d3d350"
 date = "2024-07-03"
 modified = "2024-07-03"
 reference = "https://www.bleepingcomputer.com/news/security/meet-brain-cipher-the-new-ransomware-behind-indonesia-data-center-attack/"
@@ -223561,7 +224047,7 @@ rule CRAIU_Crime_Lockbit3_Ransomware : FILE
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
 hash = "eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12"
 hash = "6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417"
- logic_hash = "v1_sha256_84efb899315379d85a03959359f89fbcb97cbb6477f1ec439380a4d15fed4f53"
+ logic_hash = "84efb899315379d85a03959359f89fbcb97cbb6477f1ec439380a4d15fed4f53"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223583,13 +224069,13 @@ rule CRAIU_Apt_ZZ_Orangeworm_Kwampirs_Dropperandmainpayload : KWAMPIRS
 meta:
 description = "Kwampirs dropper and main payload components"
 author = "Symantec"
- id = "636e7d03-adf9-5c8b-b9b7-545a5a6cb8e5"
+ id = "5a40a5e7-0b98-5f6e-a808-493676b57cda"
 date = "2018-04-23"
 modified = "2020-03-31"
 reference = "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/apt_zz_orangeworm.yara#L2-L80"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
- logic_hash = "v1_sha256_40e197f4278a2d14e8fe1359676558319e86728f7e61ddf612bcc894c311d53a"
+ logic_hash = "40e197f4278a2d14e8fe1359676558319e86728f7e61ddf612bcc894c311d53a"
 score = 75
 quality = 85
 tags = "KWAMPIRS"
@@ -223660,13 +224146,13 @@ rule CRAIU_Apt_ZZ_Orangeworm_Kwampirs_Shamoon_Code : FILE
 meta:
 description = "Kwampirs and Shamoon common code"
 author = "FBI / cywatch@fbi.gov"
- id = "f4988b6a-1785-59c3-9aaf-2e197da49dfc"
+ id = "0d403b3b-a5a8-5ac6-a12d-7181a1ad11b3"
 date = "2020-01-14"
 modified = "2020-03-31"
 reference = "https://assets.documentcloud.org/documents/6821582/FLASH-CP-000118-MW-Downgraded-Version.pdf"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/apt_zz_orangeworm.yara#L85-L105"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
- logic_hash = "v1_sha256_5ab949280be87d242ad2843dee001eee5a338e266ef52da55883f7c77e66cf5b"
+ logic_hash = "5ab949280be87d242ad2843dee001eee5a338e266ef52da55883f7c77e66cf5b"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223687,13 +224173,13 @@ rule CRAIU_Apt_ZZ_Orangeworm_Kwampirs_Installer : FILE
 meta:
 description = "Kwampirs installer xor keys and Unicode string length routine"
 author = "FBI / cywatch@fbi.gov"
- id = "ecbe82f6-ba05-5492-88cf-1a0ffb766766"
+ id = "8c80d0d5-8c65-5cef-ad86-b38f4d671bec"
 date = "2020-01-14"
 modified = "2020-03-31"
 reference = "https://assets.documentcloud.org/documents/6821582/FLASH-CP-000118-MW-Downgraded-Version.pdf"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/apt_zz_orangeworm.yara#L109-L127"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
- logic_hash = "v1_sha256_ac9c3ba7188cbbe736ff81b41086fdc874ac24ae83d3cec390907f8edd0a0ce5"
+ logic_hash = "ac9c3ba7188cbbe736ff81b41086fdc874ac24ae83d3cec390907f8edd0a0ce5"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223712,13 +224198,13 @@ rule CRAIU_Apt_ZZ_Orangeworm_Kwampirs_Implant : FILE
 meta:
 description = "Kwampirs implant xor and rsa keys"
 author = "FBI / cywatch@fbi.gov"
- id = "e654762a-8d07-5911-8e9f-69e463e1bac6"
+ id = "d1c1ab0e-e07d-5f0e-97e8-5aee53ab620e"
 date = "2020-01-14"
 modified = "2020-03-31"
 reference = "https://assets.documentcloud.org/documents/6821582/FLASH-CP-000118-MW-Downgraded-Version.pdf"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/apt_zz_orangeworm.yara#L130-L177"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
- logic_hash = "v1_sha256_a9559c17c802c6060799d0a1ee96d68bd521475dd12ff6040a74874cabe3a9a9"
+ logic_hash = "a9559c17c802c6060799d0a1ee96d68bd521475dd12ff6040a74874cabe3a9a9"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223767,13 +224253,13 @@ rule CRAIU_Apt_ZZ_Orangeworm_Kwampirs_Shamoon : FILE
 meta:
 description = "Kwampirs Shamoon overlap"
 author = "FBI / cywatch@fbi.gov"
- id = "3f41e2b8-9276-5997-8b94-48013aa1c725"
+ id = "87d28867-383e-5e09-8369-63c8a4e3f966"
 date = "2020-01-14"
 modified = "2020-03-31"
 reference = "https://assets.documentcloud.org/documents/6821582/FLASH-CP-000118-MW-Downgraded-Version.pdf"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/apt_zz_orangeworm.yara#L200-L221"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
- logic_hash = "v1_sha256_43f352c3db016d2831d11a13ae6c0baf440fa464560090e00432780df6a8982d"
+ logic_hash = "43f352c3db016d2831d11a13ae6c0baf440fa464560090e00432780df6a8982d"
 score = 75
 quality = 60
 tags = "FILE"
@@ -223794,7 +224280,7 @@ rule CRAIU_Unk_Liblzma_Backdoor : FILE
 meta:
 description = "liblzma backdoored"
 author = "Costin G. Raiu, Art of Noh, craiu@noh.ro"
- id = "4ded5723-5bd2-5ac5-99dd-f79352a9897d"
+ id = "3527227b-e19f-5704-8a56-f7d318890658"
 date = "2024-03-30"
 modified = "2024-03-30"
 reference = "https://seclists.org/oss-sec/2024/q1/268"
@@ -223804,7 +224290,7 @@ rule CRAIU_Unk_Liblzma_Backdoor : FILE
 hash = "319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae"
 hash = "b418bfd34aa246b2e7b5cb5d263a640e5d080810f767370c4d2c24662a274963"
 hash = "cbeef92e67bf41ca9c015557d81f39adaba67ca9fb3574139754999030b83537"
- logic_hash = "v1_sha256_ac58a38bff3020dbc881a78b70cf18279644cf6f3ede8d652be3f345ba00974f"
+ logic_hash = "ac58a38bff3020dbc881a78b70cf18279644cf6f3ede8d652be3f345ba00974f"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223822,13 +224308,13 @@ rule CRAIU_Unk_Liblzma_Encstrings : FILE
 meta:
 description = "liblzma backdoor, encoded strings"
 author = "Costin G. Raiu, Art of Noh, craiu@noh.ro"
- id = "c26e974b-a429-58cb-b9a9-5c7df8164ddd"
+ id = "ca491b9c-400e-5f5e-9372-e403a095edba"
 date = "2024-03-30"
 modified = "2024-03-30"
 reference = "https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/unk_liblzma_backdoor.yara#L32-L70"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
- logic_hash = "v1_sha256_99f5c82f941bb5c1f908209e108f9f80a835ad84157a383faa0dde502486dbd3"
+ logic_hash = "99f5c82f941bb5c1f908209e108f9f80a835ad84157a383faa0dde502486dbd3"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223862,14 +224348,14 @@ rule CRAIU_Crashstrike : FILE
 meta:
 description = "Crowdstrike C-00000???-*.sys files"
 author = "Costin G. Raiu, Art of Noh, craiu@noh.ro"
- id = "db1451e6-bcac-5108-a96e-9973c5242067"
+ id = "9a5168c4-0a7f-5269-bafa-728f123a04c5"
 date = "2024-07-19"
 modified = "2024-07-19"
 reference = "https://en.wikipedia.org/wiki/July_2024_global_cyber_outages"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/20240719_crashstrike.yara#L2-L26"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
 hash = "9d001ef3206fe2f955095244e6103ad7f8f318c7c5cbd91a0dd1f33e4217fcb2"
- logic_hash = "v1_sha256_9a8dacf9d95042851073c40f5eab2a6aff61be3a576363ffcd8c21aaec7f0b96"
+ logic_hash = "9a8dacf9d95042851073c40f5eab2a6aff61be3a576363ffcd8c21aaec7f0b96"
 score = 75
 quality = 85
 tags = "FILE"
@@ -223887,14 +224373,14 @@ rule CRAIU_Exploit_CVE_2024_6387 : CVE_2024_6387 FILE
 meta:
 description = "Strings from CVE-2024-6387 exploit PoC by zgzhang."
 author = "Costin G. Raiu, TLPBLACK, craiu@noh.ro"
- id = "affb786d-47dd-587b-be52-2d670825822d"
+ id = "6ac63016-864d-57af-bb36-3115a0a91021"
 date = "2024-07-02"
 modified = "2024-07-03"
 reference = "https://github.com/zgzhang/cve-2024-6387-poc/tree/main"
 source_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/exploit_cve_2024_6387.yara#L2-L38"
 license_url = "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE"
 hash = "62b06a6c30a0c891c2246ff87c0ad9ae03d2123601ba5331d6348c43b38d185e"
- logic_hash = "v1_sha256_d43a77c2690b5e01639590bc31fa64fa36b1da5efd3cc0761be7369ce80e4253"
+ logic_hash = "d43a77c2690b5e01639590bc31fa64fa36b1da5efd3cc0761be7369ce80e4253"
 score = 75
 quality = 85
 tags = "CVE-2024-6387, FILE"
@@ -223924,7 +224410,7 @@ rule CRAIU_Exploit_CVE_2024_6387 : CVE_2024_6387 FILE
 * YARA Rule Set
 * Repository Name: DitekSHen
 * Repository: https://github.com/ditekshen/detection
- * Retrieval Date: 2024-12-22
+ * Retrieval Date: 2024-12-23
 * Git Commit: e76c93dcdedff04076380ffc60ea54e45b313635
 * Number of Rules: 1443
 * Skipped: 0 (age), 112 (quality), 0 (score), 0 (importance)
@@ -223947,13 +224433,13 @@ rule DITEKSHEN_INDICATOR_RMM_Meshagent : FILE
 meta:
 description = "Detects MeshAgent. Review RMM Inventory"
 author = "ditekSHen"
- id = "732591cb-c95a-5f9a-8c42-7972b9a18122"
+ id = "3d0baa87-22c9-569d-ba84-37ccaac577b8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L3-L27"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f36c0e23b20e4466100cf4ea2a91515bf1d54505e7b1f0926a4e416a04e0dbcf"
+ logic_hash = "f36c0e23b20e4466100cf4ea2a91515bf1d54505e7b1f0926a4e416a04e0dbcf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -223983,13 +224469,13 @@ rule DITEKSHEN_INDICATOR_RMM_Meshagent_CERT : FILE
 meta:
 description = "Detects Mesh Agent by (default) certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "5c98e2f4-a966-564f-970b-969b5fb5ffdb"
+ id = "b4b52faa-53a5-5ecf-bff8-984994449ee0"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L29-L42"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d8ac3aec723a87146be99aefbde5642d095d8d41f69c6f5e9981c39104790d33"
+ logic_hash = "d8ac3aec723a87146be99aefbde5642d095d8d41f69c6f5e9981c39104790d33"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224002,13 +224488,13 @@ rule DITEKSHEN_INDICATOR_RMM_Connectwise_Screenconnect : FILE
 meta:
 description = "Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory"
 author = "ditekSHen"
- id = "33822bd5-655b-5657-b819-f13d64a9b538"
+ id = "d752b7e4-b595-56cb-97f1-a60e73160e5a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L62-L83"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_43003f97c33c631a2806ce2b82b2367d2452ceb21b0267b5dfe78b350b66924a"
+ logic_hash = "43003f97c33c631a2806ce2b82b2367d2452ceb21b0267b5dfe78b350b66924a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224035,13 +224521,13 @@ rule DITEKSHEN_INDICATOR_RMM_Connectwise_Screenconnect_CERT : FILE
 meta:
 description = "Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "0dbf5c9d-914f-56d0-aaa4-ee7730ab4c91"
+ id = "7a032c24-8a9e-51c3-983e-62e13594aa35"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L85-L99"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_14291bd9ddb7fd3ee7932f8104687aae58fe7f5de13726153e5e1ee9c211f598"
+ logic_hash = "14291bd9ddb7fd3ee7932f8104687aae58fe7f5de13726153e5e1ee9c211f598"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224054,13 +224540,13 @@ rule DITEKSHEN_INDICATOR_RMM_Fleetdeck_Agent : FILE
 meta:
 description = "Detects FleetDeck Agent. Review RMM Inventory"
 author = "ditekSHen"
- id = "ba5a9bae-c22a-559b-aaac-315ae0ea8093"
+ id = "342a196c-1c5c-5951-85e4-d288311b4980"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L101-L123"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_121e59ea0088c519b618e740b57c560d60cced4a48c9d468e6bf1ab22fa8c8ff"
+ logic_hash = "121e59ea0088c519b618e740b57c560d60cced4a48c9d468e6bf1ab22fa8c8ff"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224086,13 +224572,13 @@ rule DITEKSHEN_INDICATOR_RMM_Fleetdeck_Commander : FILE
 meta:
 description = "Detects FleetDeck Commander. Review RMM Inventory"
 author = "ditekSHen"
- id = "78ea4cf1-9776-502d-b4d6-cb0e6008cae1"
+ id = "27d533b5-7a66-507e-8ef8-ad9a6cd39ab1"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L125-L143"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_feee888c6649af0d8e8b08a38dda0bf7970089cf064f58b8bd9c6ebd8378e094"
+ logic_hash = "feee888c6649af0d8e8b08a38dda0bf7970089cf064f58b8bd9c6ebd8378e094"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224114,13 +224600,13 @@ rule DITEKSHEN_INDICATOR_RMM_Fleetdeck_Commander_SVC : FILE
 meta:
 description = "Detects FleetDeck Commander SVC. Review RMM Inventory"
 author = "ditekSHen"
- id = "84fd1651-fd5a-51c6-bd56-d5ab9b1c9f0e"
+ id = "c03b61b4-36d0-5d38-9af8-e78b9930231f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L145-L162"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_20bd69df3d058c24f83af312671cf249a3f26f54ef2e60f6b5b48a5bdb21b68b"
+ logic_hash = "20bd69df3d058c24f83af312671cf249a3f26f54ef2e60f6b5b48a5bdb21b68b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224141,13 +224627,13 @@ rule DITEKSHEN_INDICATOR_RMM_Fleetdeck_Commander_Launcher : FILE
 meta:
 description = "Detects FleetDeck Commander Launcher. Review RMM Inventory"
 author = "ditekSHen"
- id = "cb009e5d-0aa2-5855-9cc3-68707e0b194e"
+ id = "9a4a221e-7a7a-5008-b509-7f01e4a3eea6"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L164-L178"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9429f55f162eebc58a7a9af8706244438cb76b1f0987facbb52d29997ed48b95"
+ logic_hash = "9429f55f162eebc58a7a9af8706244438cb76b1f0987facbb52d29997ed48b95"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224167,13 +224653,13 @@ rule DITEKSHEN_INDICATOR_RMM_Fleetdeck_CERT : FILE
 meta:
 description = "Detects FleetDeck agent by (default) certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "ddb8fb5e-c0ad-5628-94a5-1d5f4a16205c"
+ id = "49a6b0bb-599a-54b0-85bc-b2f6849e3ae8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L180-L198"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8f72713eb4a5d9d32629351b937eee7de5d83abe1cd409cd8c3a8c9c52e6e490"
+ logic_hash = "8f72713eb4a5d9d32629351b937eee7de5d83abe1cd409cd8c3a8c9c52e6e490"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224186,13 +224672,13 @@ rule DITEKSHEN_INDICATOR_RMM_Pdqconnect_Agent : FILE
 meta:
 description = "Detects PDQ Connect Agent. Review RMM Inventory"
 author = "ditekSHen"
- id = "b3748589-9b77-59d7-8874-a0eed939c9e0"
+ id = "067e75a3-291b-500f-865d-8758eebe91e7"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L200-L227"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_34d0b07925551d1b08b86aa226c59aba569b6548cfa00a86ce6b1f271e427662"
+ logic_hash = "34d0b07925551d1b08b86aa226c59aba569b6548cfa00a86ce6b1f271e427662"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224225,13 +224711,13 @@ rule DITEKSHEN_INDICATOR_RMM_Pdqconnect_Agent_CERT : FILE
 meta:
 description = "Detects PDQ Connect Agent by (default) certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "bee7a712-125f-521b-a58c-0fda8c0e3b6e"
+ id = "7e830cf0-8f47-5b38-85cd-9777a6878cf1"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L229-L243"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_373a32b8bfd8c4295ba0c0302a217ccfbb7c7c616f91035097adbc5384b8afdb"
+ logic_hash = "373a32b8bfd8c4295ba0c0302a217ccfbb7c7c616f91035097adbc5384b8afdb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224244,13 +224730,13 @@ rule DITEKSHEN_INDICATOR_RMM_Pulseway_Pcmontasksrv : FILE
 meta:
 description = "Detects Pulseway pcmontask and service user agent responsible for Remote Control, Screens View, Computer Lock, etc"
 author = "ditekSHen"
- id = "33e93449-8c62-51f4-b1da-33fcc0499d18"
+ id = "83901679-ffff-5710-b472-ece592e6764f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L245-L266"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_80ba217960dd1ddeb220545c1cccbe96d9b676d327364e1ca8a9dde2b059261f"
+ logic_hash = "80ba217960dd1ddeb220545c1cccbe96d9b676d327364e1ca8a9dde2b059261f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224275,13 +224761,13 @@ rule DITEKSHEN_INDICATOR_RMM_Pulseway_Remotedesktop : FILE
 meta:
 description = "Detects Pulseway Rempte Desktop client"
 author = "ditekSHen"
- id = "dd31b111-6506-5ab3-a760-164a07eefdac"
+ id = "8bca3cef-b24f-597a-a6e2-86040ed726f4"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L268-L286"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a542c11f21ab48f4da69df4e7cb46531658a714687e2c2f8ccf78dc2a0338b68"
+ logic_hash = "a542c11f21ab48f4da69df4e7cb46531658a714687e2c2f8ccf78dc2a0338b68"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224305,13 +224791,13 @@ rule DITEKSHEN_INDICATOR_RMM_Pulseway_CERT : FILE
 meta:
 description = "Detects PulseWay by (default) certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "60a3bf7e-f339-5412-a0a7-400dce352b3e"
+ id = "e00f51dc-261e-5a38-89ed-1899d9b522d4"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L288-L302"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c667caa9b7de4b166630c66e5162071948fa93c68b1cdb3038fce28e13dcb1a9"
+ logic_hash = "c667caa9b7de4b166630c66e5162071948fa93c68b1cdb3038fce28e13dcb1a9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224324,13 +224810,13 @@ rule DITEKSHEN_INDICATOR_RMM_Manageengine_Zohomeeting : FILE
 meta:
 description = "Detects ManageEngine Zoho Meeting (dc_rds.exe)"
 author = "ditekSHen"
- id = "02bf2ff6-63e5-5174-9cc3-dd3930276f07"
+ id = "b15efdd1-323c-5ed6-894d-b44f04d2eaf3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L304-L324"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8066bcd17245efcc73f2bef7f022ad23ab648fe0ad15ca66c0d387ce4eda998b"
+ logic_hash = "8066bcd17245efcc73f2bef7f022ad23ab648fe0ad15ca66c0d387ce4eda998b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224354,13 +224840,13 @@ rule DITEKSHEN_INDICATOR_RMM_Atera : FILE
 meta:
 description = "Detects Atera. Review RMM Inventory"
 author = "ditekSHen"
- id = "90d112ab-03a2-5cc5-839b-36bc8b504630"
+ id = "9801f5c9-bc1e-5502-8bca-ee1f5ca0f497"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L345-L366"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dbc37a941b38d36ea9bc31880c3cba6cd2b88b534583e86741f7686fcb410235"
+ logic_hash = "dbc37a941b38d36ea9bc31880c3cba6cd2b88b534583e86741f7686fcb410235"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224387,13 +224873,13 @@ rule DITEKSHEN_INDICATOR_RMM_Atera_CERT : FILE
 meta:
 description = "Detects Atera by certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "9505fc92-8060-5b40-a75d-ae9919df98cb"
+ id = "a5ccb684-1e28-51c8-a4d6-0b5abba97de0"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L368-L383"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f51fef767cd529271f06d578146634e1ab5ee5ac3ffb829cbaa870e7c69ca3f6"
+ logic_hash = "f51fef767cd529271f06d578146634e1ab5ee5ac3ffb829cbaa870e7c69ca3f6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224407,13 +224893,13 @@ rule DITEKSHEN_INDICATOR_RMM_Splashtopstreamer : FILE
 meta:
 description = "Detects Splashtop Streamer. Review RMM Inventory"
 author = "ditekSHen"
- id = "977571d6-37a6-53dd-88a1-68f2b3f939e8"
+ id = "317f2be4-983f-5528-b629-75a13de7b411"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L385-L403"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_67181cd6ae071074c6bf35f44963c11c9ee9b7df242027c15b1e165d108f7b98"
+ logic_hash = "67181cd6ae071074c6bf35f44963c11c9ee9b7df242027c15b1e165d108f7b98"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224437,13 +224923,13 @@ rule DITEKSHEN_INDICATOR_RMM_Splashtopstreamer_CERT : FILE
 meta:
 description = "Detects Splashtop Streamer by certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "9ee59123-2573-5c6e-9cc5-1c17f2c27c2b"
+ id = "7e0e4d6f-38a3-5cac-8a82-8aea7943d373"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L405-L419"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0a1225a79ff30678846b9cb4315419be04b46276b3e05310a21d088b30f01b72"
+ logic_hash = "0a1225a79ff30678846b9cb4315419be04b46276b3e05310a21d088b30f01b72"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224456,13 +224942,13 @@ rule DITEKSHEN_INDICATOR_RMM_Aeroadmin : FILE
 meta:
 description = "Detects AeroAdmin. Review RMM Inventory"
 author = "ditekSHen"
- id = "7a02a63d-a3b2-5e9f-bed6-8958adf9e7be"
+ id = "0f69c6da-40e4-5952-b6f9-ed401279eb9e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L421-L442"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a0a9e15f31b6b06fbc749b863563c30351c775c1b1d17952013670e7e1d68c41"
+ logic_hash = "a0a9e15f31b6b06fbc749b863563c30351c775c1b1d17952013670e7e1d68c41"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224489,13 +224975,13 @@ rule DITEKSHEN_INDICATOR_RMM_Aeroadmin_CERT : FILE
 meta:
 description = "Detects AeroAdmin by certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "9771e605-dc11-5df4-b336-16ec18fce9ab"
+ id = "ca34fd3c-eb76-57e3-8b62-ab0d0c9ec7b3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L444-L461"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f1fe2d2bb6a8afd25fc5ee7a60fe5a931484591bafab24c5d488c7f0483e248a"
+ logic_hash = "f1fe2d2bb6a8afd25fc5ee7a60fe5a931484591bafab24c5d488c7f0483e248a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224509,13 +224995,13 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagentlib : FILE
 meta:
 description = "Detect DWAgent Remote Administration Tool library"
 author = "ditekSHen"
- id = "173a26a0-f1af-5756-8889-177187319c9a"
+ id = "af0f9940-fbec-5775-9b74-bd73b55ec0ca"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L463-L482"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_608dd9bc8cfcec5a671bee9456dccedace31d7ae37180387ac2408f79fd9f452"
+ logic_hash = "608dd9bc8cfcec5a671bee9456dccedace31d7ae37180387ac2408f79fd9f452"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224538,13 +225024,13 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagentsvc : FILE
 meta:
 description = "Detect DWAgent Remote Administration Tool service"
 author = "ditekSHen"
- id = "877f15b3-03b9-5e8c-af16-d62ae658ffde"
+ id = "5d124c20-a0f8-5e82-8bab-93a782a2a649"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L484-L501"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_590d41d2e433a7a1bb373fbd0b0d47818a9867bee0399101881b05e83b586f6e"
+ logic_hash = "590d41d2e433a7a1bb373fbd0b0d47818a9867bee0399101881b05e83b586f6e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224565,13 +225051,13 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagent_Screencapture : FILE
 meta:
 description = "Detect DWAgent Remote Administration Tool Screen Capture Module"
 author = "ditekSHen"
- id = "40c5c1df-abef-56c5-a946-2b369628c78f"
+ id = "79586e5e-b7e5-5adc-97f3-0d29ad695079"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L503-L528"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d3160fd4cce445aa6d2bc6c083893c7610ea5e72824fe9824ad853700f4d3874"
+ logic_hash = "d3160fd4cce445aa6d2bc6c083893c7610ea5e72824fe9824ad853700f4d3874"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224600,13 +225086,13 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagent_Soundcapture : FILE
 meta:
 description = "Detect DWAgent Remote Administration Tool Sound Capture Module"
 author = "ditekSHen"
- id = "803e7bf4-3de0-5bb1-adad-fcf461584797"
+ id = "4e395d1e-96a1-5ecc-abe5-6f8323a2c8ca"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L530-L545"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c0efa9f383373dec1c5b9d127c2b4c6f4906718ae8f62eea28d7a369001be5af"
+ logic_hash = "c0efa9f383373dec1c5b9d127c2b4c6f4906718ae8f62eea28d7a369001be5af"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224627,13 +225113,13 @@ rule DITEKSHEN_INDICATOR_RMM_Dwagent_CERT : FILE
 meta:
 description = "Detects DWAgent by certificate. Review RMM Inventory"
 author = "ditekSHen"
- id = "4c3adfc9-8d41-5b4c-a597-41a13dedb4e7"
+ id = "96572e83-ffb9-58d9-93d1-84e16ae1a3ba"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L547-L563"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9ed86f053c8d1423aae8cfc6e0bba6021510dfb6d722430c8c7edb15d3e8233a"
+ logic_hash = "9ed86f053c8d1423aae8cfc6e0bba6021510dfb6d722430c8c7edb15d3e8233a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224647,13 +225133,13 @@ rule DITEKSHEN_INDICATOR_OSX_RMM_Dwagent : FILE
 meta:
 description = "Detect DWAgent Remote Administration Tool macOS run"
 author = "ditekSHen"
- id = "1715ac27-4136-5b2b-b4cc-91c4ffe00bf7"
+ id = "0eeb9ae3-826e-52b7-bbb8-3f8c4920f5c3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://www.cisa.gov/sites/default/files/2023-08/JCDC_RMM_Cyber_Defense_Plan_TLP_CLEAR_508c_1.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_rmm.yar#L565-L580"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9864668abdd534d8a33940f9513d07356451ce1eaa9233771e82b8138dc0b41b"
+ logic_hash = "9864668abdd534d8a33940f9513d07356451ce1eaa9233771e82b8138dc0b41b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224674,13 +225160,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_56203Db039Adbd6094B6A142C5E50587 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "6b623521-d906-5b88-8c79-54dddeb99c62"
+ id = "b3e56f78-e79a-52e3-b29e-1f566946609e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3-L14"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_38380bc1a22b8d0fe851f76d2ecadba638f10b01873be44766124fb738e23d71"
+ logic_hash = "38380bc1a22b8d0fe851f76d2ecadba638f10b01873be44766124fb738e23d71"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224697,13 +225183,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_B5F34B7C326C73C392B515Eb4C2Ec80E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "68d57d5a-c2a3-5e15-a86e-5e685b0764e4"
+ id = "f5d19333-4aee-52d3-aeac-822b39ec653a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L16-L27"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_553ef777cb7a93934caa53cc9acdc37fc4cbe2a28ae320f4a7f10b2a4073d675"
+ logic_hash = "553ef777cb7a93934caa53cc9acdc37fc4cbe2a28ae320f4a7f10b2a4073d675"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224720,13 +225206,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A1Dc99E4D5264C45A5090F93242A30A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "736d652a-f25b-523b-977d-ab6a76eae747"
+ id = "8efea9da-a3ae-5af3-83b2-cac5baa4fa89"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L29-L40"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cb230503e17e93f78b04723c32d7ce66bdf146846e0208d268eebc0e446a6917"
+ logic_hash = "cb230503e17e93f78b04723c32d7ce66bdf146846e0208d268eebc0e446a6917"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224743,13 +225229,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0D53690631Dd186C56Be9026Eb931Ae2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "bf0f24b2-5b8a-5d66-93f8-3c392d58575c"
+ id = "f0afbdf4-68db-522f-95d7-cd76aa7b9710"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L42-L53"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_645c2340fe7e7ce992f3f655d5058834d0df6a64ea20ef7794893a592124c55e"
+ logic_hash = "645c2340fe7e7ce992f3f655d5058834d0df6a64ea20ef7794893a592124c55e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224766,13 +225252,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Fd8C468Cc1B45C9Cfb41Cbd8C835Cc9E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "a6ee48a0-fb54-5c3e-b70b-f919b022c563"
+ id = "836af706-3a82-5aaf-9a96-244eef5820b2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L55-L66"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_495ec6dbfdec3f608e387280e2d34093bb4965f5ada7c101e3119ae970eaf80d"
+ logic_hash = "495ec6dbfdec3f608e387280e2d34093bb4965f5ada7c101e3119ae970eaf80d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224789,13 +225275,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_32Fbf8Cfa43Dca3F85Efabe96Dfefa49 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "368605e9-e302-5ee7-a84d-73264acce425"
+ id = "9a228e0e-256b-547d-af6d-960089f2f803"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L68-L79"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7e53dcd2e10285f710f1fb2355d77db3507ce346e8d0f26843ca8df2271a6e9e"
+ logic_hash = "7e53dcd2e10285f710f1fb2355d77db3507ce346e8d0f26843ca8df2271a6e9e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224812,13 +225298,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7E0Ccda0Ef37Acef6C2Ebe4538627E5C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "411698ce-f13d-5280-844c-662ab6786aa5"
+ id = "89006ac2-5cbc-5e7f-9ca6-51316b8d4bfd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L81-L92"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_aed6c65f9c6400c0cc94386be684d3b9dd8d7637f9798fb49f4f651cf28b2d12"
+ logic_hash = "aed6c65f9c6400c0cc94386be684d3b9dd8d7637f9798fb49f4f651cf28b2d12"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224835,13 +225321,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0095E5793F2Abe0B4Ec9Be54Fd24F76Ae5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "919e5850-388e-5f40-801e-5351e20e5d3e"
+ id = "94878b56-5b29-55a8-a8ec-7ace588e34ef"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L94-L105"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b1f8867b47c1bec43b3603af343d6d5728ec218a66863a6777c0ee59ae1faa98"
+ logic_hash = "b1f8867b47c1bec43b3603af343d6d5728ec218a66863a6777c0ee59ae1faa98"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224858,13 +225344,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C167F04B338B1E8747B92C2197403C43 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "6ad99fbf-d116-5c9a-893d-6f8c88b3d509"
+ id = "d838e09b-e2f2-585a-a33d-bfe34f989e77"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L107-L118"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_008fe748c7956c1885c7d7e3a843d2310c17b7552dbbe9b4750809a5642d7ca6"
+ logic_hash = "008fe748c7956c1885c7d7e3a843d2310c17b7552dbbe9b4750809a5642d7ca6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224881,13 +225367,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Fc7065Abf8303Fb472B8Af85918F5C24 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "ac19c2d4-8e4b-5e70-a0f7-0842884dfb5d"
+ id = "d8c25f8a-e129-5cd4-9e60-d2e7ebbb1ea6"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L120-L131"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8ce0d25ef802948f754f155010f42d76256895ebd6ffdce8d97063dada58e668"
+ logic_hash = "8ce0d25ef802948f754f155010f42d76256895ebd6ffdce8d97063dada58e668"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224904,13 +225390,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B61B8E71514059Adc604Da05C283E514 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "8d7635fe-c645-557a-9934-d35abcdc276e"
+ id = "d52bd370-a1da-56f1-8edd-da61c9e2e75b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L133-L144"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b771d40e4e2db1d3f26d8fb2fa140f57871712700e584005d2377b701fc9538a"
+ logic_hash = "b771d40e4e2db1d3f26d8fb2fa140f57871712700e584005d2377b701fc9538a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224927,13 +225413,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_51Cd5393514F7Ace2B407C3Dbfb09D8D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "99beedf5-d764-51b0-a794-a96929b90a8d"
+ id = "f2f7b08e-111c-570b-b376-79145050ca42"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L146-L157"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_389dbdc85035fdd94e831940eda910349134600e921720729840c932123db36d"
+ logic_hash = "389dbdc85035fdd94e831940eda910349134600e921720729840c932123db36d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224950,13 +225436,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_030012F134E64347669F3256C7D050C5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "b94d22be-2739-54a1-9a5d-a6e5ef7b323b"
+ id = "7f16b535-8a0f-583d-8bc3-0abf24f26632"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L159-L170"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_68bfd2e146e3b2bd1222de7f9981bb0e373bcb4727a81eb7060af36e6275d438"
+ logic_hash = "68bfd2e146e3b2bd1222de7f9981bb0e373bcb4727a81eb7060af36e6275d438"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224973,13 +225459,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B7F19B13De9Bee8A52Ff365Ced6F67Fa : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "731f1943-154b-5ab6-a6f3-16cf653d312f"
+ id = "b9cbe1bd-b24f-5599-a8b9-9e6f9b70f37f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L172-L183"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_afdc41aed0480593bb8c92955db044ebe1a695d4912176123e26e052a3e9d3ea"
+ logic_hash = "afdc41aed0480593bb8c92955db044ebe1a695d4912176123e26e052a3e9d3ea"
 score = 75
 quality = 75
 tags = "FILE"
@@ -224996,13 +225482,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4C8Def294478B7D59Ee95C61Fae3D965 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "7c773f9d-79bf-5d23-8a4c-7862334c38b4"
+ id = "2f95a688-2fb2-55b7-9cd5-44586d6d4dc8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L185-L196"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d9e956d7d5b9389aebafd4b7025818ac8eb5a72aaa1b94068a12aa7a8029f97c"
+ logic_hash = "d9e956d7d5b9389aebafd4b7025818ac8eb5a72aaa1b94068a12aa7a8029f97c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225019,13 +225505,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A23B660E7322E54D7Bd0E5Acc890966 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "8ff025cc-8d2b-5035-b51f-f1e95a43fa27"
+ id = "c9817cbd-edce-5ae0-ad70-58d592ac415f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L198-L209"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6b9009d0c509b38107eba5742613f8ec6f48e447225c664e374ef56d64b035f0"
+ logic_hash = "6b9009d0c509b38107eba5742613f8ec6f48e447225c664e374ef56d64b035f0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225042,13 +225528,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_04332C16724Ffeda5868D22Af56Aea43 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "e3598fb7-7de7-580c-a7b0-e3975db74c6a"
+ id = "7e6be2f5-2f34-5337-8beb-4ccc6c50ad2d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L211-L222"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_338e7d9374de04d00162c9caf86d922f4d659b024ae7908f0e02ca4709a14a1d"
+ logic_hash = "338e7d9374de04d00162c9caf86d922f4d659b024ae7908f0e02ca4709a14a1d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225065,13 +225551,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_085B70224253486624Fc36Fa658A1E32 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "97800312-0741-51f0-a912-3b3d9e4c9dab"
+ id = "8d0f4499-1ed2-5277-be80-0b7f3499b360"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L224-L235"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8779cca652b366ce33a3735069fdc35657a6bed5b469a956cd236d76901f8f54"
+ logic_hash = "8779cca652b366ce33a3735069fdc35657a6bed5b469a956cd236d76901f8f54"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225088,13 +225574,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0086E5A9B9E89E5075C475006D0Ca03832 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "f040b32f-8026-5686-a018-e5b8d3680a4d"
+ id = "898bfe5f-5ac6-51f3-be55-09279a286835"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L237-L248"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_613f21989dc369ef6b1d8e42a0d707810ef064c608e4e34ba5eb475164f14abc"
+ logic_hash = "613f21989dc369ef6b1d8e42a0d707810ef064c608e4e34ba5eb475164f14abc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225111,13 +225597,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_039668034826Df47E6207Ec9Daed57C3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "24f75e94-d63c-57f5-86a9-853d20acb2d5"
+ id = "8ae5f710-db8e-5d29-b247-a103f0878aa5"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L250-L261"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b9579ba5dac45e38ef7b2b3381d1651395a4f648c68ae8e6fc36a0ea2d9b6300"
+ logic_hash = "b9579ba5dac45e38ef7b2b3381d1651395a4f648c68ae8e6fc36a0ea2d9b6300"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225134,13 +225620,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_736Dcfd309Ea4C3Bea23287473Ffe071 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "aab3772d-270d-5757-acc9-ce3d2b8f70d7"
+ id = "058c4e85-e004-5fe0-9e16-9dbe333371f6"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L263-L274"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_68a91e0e042606d49a5c83c972b0a6bf387c9d7d20c2df132edec717ab4603a0"
+ logic_hash = "68a91e0e042606d49a5c83c972b0a6bf387c9d7d20c2df132edec717ab4603a0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225157,13 +225643,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_09C89De6F64A7Fdf657E69353C5Fdd44 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "e5bb2f10-80e1-55b7-aa90-b8e1e53ee64f"
+ id = "613c4253-8a53-5faa-8376-10c9a35805cf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L276-L287"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7fcb517a4160226cf89c13b5b27310d1e8a02d3f164a338a8d2901ef604f1d8a"
+ logic_hash = "7fcb517a4160226cf89c13b5b27310d1e8a02d3f164a338a8d2901ef604f1d8a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225180,13 +225666,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_03B630F9645531F8868Dae8Ac0F8Cfe6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "bed950fa-e0e2-5a23-9873-4a94f9b122ea"
+ id = "ca5203b8-3029-5914-b611-1717aefc7ccf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L289-L300"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0c388ee7cfc2f35d5e020520d0c5a04b872d5deff63fc551308168e60122f7fc"
+ logic_hash = "0c388ee7cfc2f35d5e020520d0c5a04b872d5deff63fc551308168e60122f7fc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225203,13 +225689,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_020Bc03538Fbdc792F39D99A24A81B97 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "5ea3c381-48fa-528b-9712-a697804e1503"
+ id = "d5fd84b4-cccf-569d-96ea-26d9d21c6adf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L302-L313"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_154d7d814ff0b1c2d85557211dd68d0bd82e9953a9912ac3c26475a1316b0cb3"
+ logic_hash = "154d7d814ff0b1c2d85557211dd68d0bd82e9953a9912ac3c26475a1316b0cb3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225226,13 +225712,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4E8D4Fc7D9F38Aca1169Fbf8Ef2Aaf50 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "c56c24ac-c49f-52f5-922b-07c15c0f4454"
+ id = "03a23987-bbec-5072-bea4-56773bdc7d53"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L315-L326"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2b440d21183745ac89de56f5ca22cf3f01be3212e20ce80fa67a45adbb6b16fe"
+ logic_hash = "2b440d21183745ac89de56f5ca22cf3f01be3212e20ce80fa67a45adbb6b16fe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225249,13 +225735,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_09830675Eb483E265C3153F0A77C3De9 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "870c4122-00b1-5d16-b723-442aad7af4b0"
+ id = "3370886e-6866-598b-b3bf-29c7f2537425"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L328-L339"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b0a504ed2a2816602ac378a700567909812650f409626a7b2c1e25cf7f8cb51c"
+ logic_hash = "b0a504ed2a2816602ac378a700567909812650f409626a7b2c1e25cf7f8cb51c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225272,13 +225758,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_351Fe2Efdc0Ac56A0C822Cf8 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "aab9f88c-ca21-5e94-8588-8d41008c5d55"
+ id = "dcd82e7a-f235-5ff6-805b-0da7e0c0e385"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L341-L352"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a661adcd9366da7eab0aa8059bbe6236022f7513996603eb06c43a0b38ff4b85"
+ logic_hash = "a661adcd9366da7eab0aa8059bbe6236022f7513996603eb06c43a0b38ff4b85"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225295,13 +225781,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_07Bb6A9D1C642C5973C16D5353B17Ca4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "6456c0a1-6ee2-5a96-b775-ed33c286e7a8"
+ id = "a29590bb-d8f9-5842-81bd-f9a9f7cea642"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L354-L365"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_faecdcd78bc60f730bfe5a049fd0bd1309b44d185c0cbc81dfc326a162d5fcb2"
+ logic_hash = "faecdcd78bc60f730bfe5a049fd0bd1309b44d185c0cbc81dfc326a162d5fcb2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225318,13 +225804,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_044E05Bb1A01A1Cbb50Cfb6Cd24E5D6B : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "6e77fe0a-32e8-5fb0-8b73-8f539cc816d9"
+ id = "e8dc8963-29c1-5306-bd7d-80ad9e1334d9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L367-L378"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c433b63f9c875a564f424ecc8e9239701ce8be78cd0046c1eefca8cf732abca3"
+ logic_hash = "c433b63f9c875a564f424ecc8e9239701ce8be78cd0046c1eefca8cf732abca3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225341,13 +225827,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0C14B611A44A1Bae0E8C7581651845B6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "37747746-25b2-557d-902c-e22a02901c78"
+ id = "a6ebe304-e896-5cb3-8a49-ebffe0525601"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L380-L391"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dae6318cf6f8e33e11af5c4b06379f8ef2744e784bb793c78f782b6a6286b84b"
+ logic_hash = "dae6318cf6f8e33e11af5c4b06379f8ef2744e784bb793c78f782b6a6286b84b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225364,13 +225850,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0B1926A5E8Ae50A0Efa504F005F93869 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "8c3226ea-0203-5329-ab2d-b057a507b5d5"
+ id = "905a4b5c-3255-5f53-be54-429038378ee0"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L393-L404"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_78d507f76d44ed982d12c293604d5c4fed14316cbc18473b7131bb89997bad28"
+ logic_hash = "78d507f76d44ed982d12c293604d5c4fed14316cbc18473b7131bb89997bad28"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225387,13 +225873,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Bab6A2Aa84B495D9E554A4C42C0126D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "03cb2c96-398a-5e51-90e8-fe2c387f9529"
+ id = "be364465-0cab-59cd-82a2-b7b16f260f34"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L406-L417"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a9ecdf1107cba0767ac3fa52c7dd65a13015e4fd735da70b6f1e6dbcfe2f7526"
+ logic_hash = "a9ecdf1107cba0767ac3fa52c7dd65a13015e4fd735da70b6f1e6dbcfe2f7526"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225410,13 +225896,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_066226Cf6A4D8Ae1100961A0C5404Ff9 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "5c5bfdf9-8068-569c-96da-455522979198"
+ id = "75db8056-a5da-5db4-a837-84c5cc05f0fc"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L419-L430"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0b7fa450d143de99650d0364e461178ad4e0b147b19dae53b59928b2a17c9b6d"
+ logic_hash = "0b7fa450d143de99650d0364e461178ad4e0b147b19dae53b59928b2a17c9b6d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225433,13 +225919,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0E96837Dbe5F4548547203919B96Ac27 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "22b374f1-cb85-5085-ba22-357d61bfe4a7"
+ id = "83258afe-66e0-56d1-8361-125a1142ffe4"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L432-L443"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2eedcc1d782df3c078c20a275680c2ff724e5b7675890af1335ff22d6138ab25"
+ logic_hash = "2eedcc1d782df3c078c20a275680c2ff724e5b7675890af1335ff22d6138ab25"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225456,13 +225942,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5B320A2F46C99C1Ba1357Bee : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "5db443a0-ea6e-5b60-90f8-1a5314ed1eb7"
+ id = "376aab03-0bc7-5993-bbbd-9bf5b742d29d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L445-L456"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b0a515aa69b5de58cf7d1a496f95038e090cefe511803e7a29332b411a20d19f"
+ logic_hash = "b0a515aa69b5de58cf7d1a496f95038e090cefe511803e7a29332b411a20d19f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225479,13 +225965,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_02C5351936Abe405Ac760228A40387E8 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "57f97601-cd51-597e-ab27-d1118c4091a7"
+ id = "32e200c3-678f-5be4-b55b-2a7a32e56843"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L458-L469"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ae9e428c5e7c1ab67be291da93e6d3fa694e3a9b347672817cbf1cac44837a04"
+ logic_hash = "ae9e428c5e7c1ab67be291da93e6d3fa694e3a9b347672817cbf1cac44837a04"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225502,13 +225988,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_08D4352185317271C1Cec9D05C279Af7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "fb50e333-031d-58d0-8f91-f00030dcf6a6"
+ id = "a0197037-874c-55e7-80aa-e8b7156a26a3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L471-L482"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6f4b8a52e152097a6e18f55b6b677eb1ba0f4da78ce68ffa35510bfb485e01e9"
+ logic_hash = "6f4b8a52e152097a6e18f55b6b677eb1ba0f4da78ce68ffa35510bfb485e01e9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225525,13 +226011,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ed8Ade5D73B73Dade6943D557Ff87E5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "24ef11e1-9615-50c7-a632-049fe67a87f4"
+ id = "ebdab290-d388-528e-b392-0ae87941b69d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L484-L495"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e2e269a83a86567bf359996945cddc597406033aa7c5a7acf30b58d30816b28f"
+ logic_hash = "e2e269a83a86567bf359996945cddc597406033aa7c5a7acf30b58d30816b28f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225548,13 +226034,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ed1847A2Ae5D71Def1E833Fddd33D38 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "92be3435-1222-57c8-af40-3fc38204598f"
+ id = "5e09087b-3fd0-5979-8f98-f242231c8b4f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L497-L508"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2acc6d2262bac8bfe49bb244d62be4dcf626dd9b2c9786b7a8963c48b17e6ab9"
+ logic_hash = "2acc6d2262bac8bfe49bb244d62be4dcf626dd9b2c9786b7a8963c48b17e6ab9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225571,13 +226057,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0292C7D574132Ba5C0441D1C7Ffcb805 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "16a4a4a3-76d2-595e-94c3-806b3cdc37e0"
+ id = "0792bf83-c0e9-55f8-b6bd-b05bc575e2b4"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L510-L521"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8d0a6714ce5bfed90c80dcfffe4f1d61ec25c817cdc48907cbc67bcee52a1d9a"
+ logic_hash = "8d0a6714ce5bfed90c80dcfffe4f1d61ec25c817cdc48907cbc67bcee52a1d9a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225594,13 +226080,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_028D50Ae0C554B49148E82Db5B1C2699 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "b531046e-6587-5695-a2f6-ab70bb751d10"
+ id = "35cd05db-c399-5d37-a191-9170b048e263"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L523-L534"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7fe907059e83a058705a2884d514938c51fd206b0a175cfb9e8619244c20c62f"
+ logic_hash = "7fe907059e83a058705a2884d514938c51fd206b0a175cfb9e8619244c20c62f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225617,13 +226103,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ca41D2D9F5E991F49B162D584B0F386 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "fb3f0020-92ea-54d3-b4a6-7ca40c9ec3f5"
+ id = "bd395177-daf6-56b1-822c-e659083e0f53"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L536-L547"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_51f80dfd63b273e62abaa8b60a00525cfdc6b28341466a9f414703382ad088bd"
+ logic_hash = "51f80dfd63b273e62abaa8b60a00525cfdc6b28341466a9f414703382ad088bd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225640,13 +226126,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1389C8373C00B792207Bca20Aa40Aa40 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "d555aac3-b92f-5f79-8e81-10256e530d66"
+ id = "7f22411b-6e66-5177-8837-12b82b3b916b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L549-L560"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5c0c9ca9e1179f253f1b2ecd9c8a1a0ed17345eb9830201c7c16050339d7ccbc"
+ logic_hash = "5c0c9ca9e1179f253f1b2ecd9c8a1a0ed17345eb9830201c7c16050339d7ccbc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225663,13 +226149,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_A596Fd2779E507Aa466D159706Fe4150 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "ae07d5c1-0f08-5a94-869b-ef2dc428810f"
+ id = "8cf28e2a-d90f-5bf6-b746-7f46e8f6aa2a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L562-L573"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b88f346175e9084fdba94b9a8cbbf28a5012d28ab43350d927aac099921ab1a3"
+ logic_hash = "b88f346175e9084fdba94b9a8cbbf28a5012d28ab43350d927aac099921ab1a3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225686,13 +226172,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_45D76C63929C4620Ab706772F5907F82 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "a12513a0-4697-5f45-8279-700a565ebe15"
+ id = "6ade67b1-cff5-5e5d-917c-f31010e09b82"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L575-L586"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9854a8812f55f2ae7cddc714b780def3d0511b236685a17ffe202711237c4b7e"
+ logic_hash = "9854a8812f55f2ae7cddc714b780def3d0511b236685a17ffe202711237c4b7e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225709,13 +226195,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5029Daca439511456D9Ed8153703F4Bc : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "621fdc6b-3077-5f2e-b997-91819783b173"
+ id = "1d7f0d61-fbe7-58d1-a9d8-083678e8b9bd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L588-L599"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_256b4bebbe4567de9e7d1938dd99f7f9fa13749de2f331aec0bc15f4ab5ab488"
+ logic_hash = "256b4bebbe4567de9e7d1938dd99f7f9fa13749de2f331aec0bc15f4ab5ab488"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225732,13 +226218,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1C7D3F6E116554809F49Ce16Ccb62E84 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "af960e38-d99b-5c3d-b498-51d7ebea0d38"
+ id = "66f4c531-5c0d-5467-a875-eff00a5d00c8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L601-L612"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f24037e6ac40844095e06ea12cebdf4dd22a35382c728f9586b90e40c57a4188"
+ logic_hash = "f24037e6ac40844095e06ea12cebdf4dd22a35382c728f9586b90e40c57a4188"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225755,13 +226241,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_75522215406335725687Af888Dcdc80C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "b48510ac-b03c-5f5a-ae69-dbd9d0197a0b"
+ id = "712d41e1-6760-5124-8af2-c57a87816237"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L614-L625"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5166ea726b1be824e5702c411800236d60c44fbfc89a39b1bc103de965249d7d"
+ logic_hash = "5166ea726b1be824e5702c411800236d60c44fbfc89a39b1bc103de965249d7d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225778,13 +226264,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_768Ddcf9Ed8D16A6Bc77451Ee88Dfd90 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "23d57973-78cd-58c7-8234-1f24f3ce08ac"
+ id = "f7d24c5f-e102-568e-bf44-47ccaad6225c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L627-L638"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ba98f0da84b678262ee98e5c5fec2aaeab9a0c304fd4552dd27e87aa54f79cdf"
+ logic_hash = "ba98f0da84b678262ee98e5c5fec2aaeab9a0c304fd4552dd27e87aa54f79cdf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225801,13 +226287,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_59E378994Cf1C0022764896D826E6Bb8 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "e69e25da-25b9-5115-8666-936280347d2e"
+ id = "465d0b0c-c9fa-5364-a5f4-0d765ee40081"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L640-L651"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1720636723f0eeab074e29e7c9bf2df3c8d951e27b25ea4b7db60f6c00102589"
+ logic_hash = "1720636723f0eeab074e29e7c9bf2df3c8d951e27b25ea4b7db60f6c00102589"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225824,13 +226310,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3D2580E89526F7852B570654Efd9A8Bf : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "d4f8404e-8d17-52ec-aa57-714a6d74d012"
+ id = "a80493e6-ed0c-597a-a87e-19c8fa8dd8ce"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L668-L679"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_19f418672850536aaac1983b45c3239d5c81c1e4b9b6ee36a761cfc7e2351531"
+ logic_hash = "19f418672850536aaac1983b45c3239d5c81c1e4b9b6ee36a761cfc7e2351531"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225847,13 +226333,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5Da173Eb1Ac76340Ac058E1Ff4Bf5E1B : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "5f7dfd38-06e7-545a-9491-44074b664095"
+ id = "1ef8f8b6-e4e9-5504-94bd-b24e81de5694"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L681-L692"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c9bfbef4470ee2339ef68484f8a4f21628c0cf9a07770d68d91e6c11e0345786"
+ logic_hash = "c9bfbef4470ee2339ef68484f8a4f21628c0cf9a07770d68d91e6c11e0345786"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225870,13 +226356,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_378D5543048E583A06A0819F25Bd9E85 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "4cbb0928-484b-5d64-8b31-fdc5c3429388"
+ id = "3525888c-9558-5164-b94e-b16511a5ea72"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L694-L705"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_29c6ae99675b8ab2c497faad71791c3fc018e92447bd96f5b2b3f426e1a1322b"
+ logic_hash = "29c6ae99675b8ab2c497faad71791c3fc018e92447bd96f5b2b3f426e1a1322b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225893,13 +226379,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Fdb6F4C09A1Ad69D4Fd2E46Bb1F54313 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "eb09a1ba-4345-5fce-884e-682ee251aefa"
+ id = "e1250c37-fa89-5b8e-bea2-3b5e14039aea"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L720-L731"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ce78ab52d8aeb87ada9cb86007907a8ad46e91982cc8fff43a61e7ec96609eb2"
+ logic_hash = "ce78ab52d8aeb87ada9cb86007907a8ad46e91982cc8fff43a61e7ec96609eb2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225916,13 +226402,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_E5Bf5B5C0880Db96477C24C18519B9B9 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "daeab014-460e-5efa-9c95-990f8871e390"
+ id = "a28dbf8f-1b30-525d-baaf-51342aaf1cb3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L733-L744"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b3e0401a9cf3005abac24114193f34bf439107bf6661b7c2c0b66ca91438c7b9"
+ logic_hash = "b3e0401a9cf3005abac24114193f34bf439107bf6661b7c2c0b66ca91438c7b9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225939,13 +226425,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ede6Cfbf9Fa18337B0Fdb49C1F693020 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "e56eab7c-815a-5fa7-a0fe-fbf992344acc"
+ id = "f1f34147-132e-53a3-b82c-d98121fc3f2c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L746-L757"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_27f06a7a07b818fd34f5d23fd8e78f041063e035c1f8caa99aaaf53ec73a717a"
+ logic_hash = "27f06a7a07b818fd34f5d23fd8e78f041063e035c1f8caa99aaaf53ec73a717a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225962,13 +226448,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4F407Eb50803845Cc43937823E1344C0 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "6ee14e73-effb-57c0-9cab-4ffe53a6e0a5"
+ id = "d5a6df76-bbbc-5025-b0c4-49e0034c03f3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L759-L770"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bb01e912cf40155b0b00e1901bbb3235048ee033d0ddea7a809f0ce8e871e1ce"
+ logic_hash = "bb01e912cf40155b0b00e1901bbb3235048ee033d0ddea7a809f0ce8e871e1ce"
 score = 75
 quality = 75
 tags = "FILE"
@@ -225985,13 +226471,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2Bffef48E6A321B418041310Fdb9B0D0 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "ef412928-2ec9-568e-bcd2-0f54fd516bf9"
+ id = "fc945c76-b743-52d3-8e15-77afdc629f6d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L785-L796"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8d0223b6366f7bc22fd6dd053c1fb6c9e52f80b3bdf9ee46017ddf038bd1e00f"
+ logic_hash = "8d0223b6366f7bc22fd6dd053c1fb6c9e52f80b3bdf9ee46017ddf038bd1e00f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226008,13 +226494,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_73B60719Ee57974447C68187E49969A2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "0f0145e0-ad89-53f4-9320-7d9fcf954c03"
+ id = "c72fb0b8-efdc-5734-9754-2289bd95ae3c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L798-L809"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f9cc0f526a3acbfc30c6b76b6705f1a2d9c905b9bb7c996e4db3ca6d4d63be1c"
+ logic_hash = "f9cc0f526a3acbfc30c6b76b6705f1a2d9c905b9bb7c996e4db3ca6d4d63be1c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226031,13 +226517,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2925263B65C7Fe1Cd47B0851Cc6951E3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "ec8bf1ab-f644-5b50-b71c-34d5a46ed0b4"
+ id = "9e531592-b68c-550b-8609-51f7c9ac63ae"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L811-L822"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_163293ce805cdd3ec265fb9c527a5ce19ddab0f6b96355acb636c941ce0bc5f2"
+ logic_hash = "163293ce805cdd3ec265fb9c527a5ce19ddab0f6b96355acb636c941ce0bc5f2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226054,13 +226540,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4Ff4Eda5Fa641E70162713426401F438 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "9da087b2-b26a-5b36-ba32-09d08b53b5f4"
+ id = "cc81ed1d-bd77-5cec-8bee-23e8ef448edc"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L824-L835"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d08e12e74e9c0b7a89ffa81a1b8595953d857e571a5b7a6947eba18bf39610f6"
+ logic_hash = "d08e12e74e9c0b7a89ffa81a1b8595953d857e571a5b7a6947eba18bf39610f6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226077,13 +226563,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_04C7Cdcc1698E25B493Eb4338D5E2F8B : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "7f512be3-a10a-58e4-a746-9b7759f8eac5"
+ id = "446608c2-4c9e-56a9-8ac4-2c90397d68e5"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L837-L848"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d1e81d040a279d6024989acbdd40f69de99c97baf789591400370806e846a1c4"
+ logic_hash = "d1e81d040a279d6024989acbdd40f69de99c97baf789591400370806e846a1c4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226100,13 +226586,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4C450Eccd61D334E0Afb2B2D9Bb1D812 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "82a69a9d-64ab-5989-ace7-8553d916ea13"
+ id = "116c86c1-facf-5b69-94f1-3f0f81c38a7d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L850-L861"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_70851d76af4a4dfe8f1ca4de9925f030d9b937050876828775b78eddd123e3cd"
+ logic_hash = "70851d76af4a4dfe8f1ca4de9925f030d9b937050876828775b78eddd123e3cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226123,13 +226609,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0E1Bacb85E77D355Ea69Ba0B : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "f0a4e6cd-9d0f-5af1-96eb-3811b0f807bd"
+ id = "18e2dce1-c6aa-55d8-907a-75097feb7acf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L863-L874"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f0753c83001e2b9d235afe51ce5d245e085551584ee052a35aaadd95c6c5eeb7"
+ logic_hash = "f0753c83001e2b9d235afe51ce5d245e085551584ee052a35aaadd95c6c5eeb7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226146,13 +226632,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5998B4Affe2Adf592E6528Ff800E567C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "c0179140-5d07-572f-a76b-65792f6e0912"
+ id = "b81787fd-a8f1-5640-bf8a-8129f708a337"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L876-L887"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d9f589ce6367517f3c93b7b0675b19249108849e52bd9264e31bf8109e5a121f"
+ logic_hash = "d9f589ce6367517f3c93b7b0675b19249108849e52bd9264e31bf8109e5a121f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226169,13 +226655,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B7E0Cf12E4Ae50Dd643A24285485602F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "80e3e1d6-b244-54c6-9fa9-4d4427dff785"
+ id = "d314925c-c6b2-5a7f-ba73-038ea4759149"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L889-L900"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7aefb436b7e3865b1abb6bbc3e0027a628f39e25cb4b28f35f070e000c19c1c7"
+ logic_hash = "7aefb436b7e3865b1abb6bbc3e0027a628f39e25cb4b28f35f070e000c19c1c7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226192,13 +226678,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_767436921B2698Bd18400A24B01341B6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "5fea4100-53fd-5e70-90d8-55fe1899b6f4"
+ id = "ffd19457-1a5d-5782-89e2-3dd4090f124f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L902-L913"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b09ec625a06dcf90df52c56b78889f24d55dbd8cbd7d82a07bdbc842318ff19a"
+ logic_hash = "b09ec625a06dcf90df52c56b78889f24d55dbd8cbd7d82a07bdbc842318ff19a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226215,13 +226701,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_26B125E669E77A5E58Db378E9816Fbc3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "e2de7d19-7d53-562e-990d-0633a16e1406"
+ id = "18985965-9e26-526c-9354-20667d472615"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L915-L926"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_859793bfeba55c9912a1e18db86cd391d4c4981f4be11f3a53d887d429882671"
+ logic_hash = "859793bfeba55c9912a1e18db86cd391d4c4981f4be11f3a53d887d429882671"
 score = 75
 quality = 75
 tags = "FILE"
@@ -226238,13 +226724,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_29A248A77D5D4066Fe5Da75F32102Bb5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "ae83463c-c052-5acf-abb0-28aa15ce0f4e" + id = "b71f4ee4-55d1-51c7-8fc3-1c6fcaa64a86" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L928-L939" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_063a8b361e9fc91619912109427f6a0cbc7755e85dae820ea0f16709ac580ed1" + logic_hash = "063a8b361e9fc91619912109427f6a0cbc7755e85dae820ea0f16709ac580ed1" score = 75 quality = 75 tags = "FILE" @@ -226261,13 +226747,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3A9Bdec10E00E780316Baaebfe7A772C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "73c2f158-2599-55b4-8809-4633d490d301" + id = "0879b4f7-4058-5391-b8bf-90a46ef337f6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L941-L952" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f1c0d23c9aa2ff705e3350e15b7ff83fc007ce6aaa57c4ed59201f3022f5d00a" + logic_hash = "f1c0d23c9aa2ff705e3350e15b7ff83fc007ce6aaa57c4ed59201f3022f5d00a" score = 75 quality = 75 tags = "FILE" 
@@ -226284,13 +226770,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_73F9819F3A1A49Bac1E220D7F3E0009B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "a1241ae6-f473-5928-b5af-e0c51ee92e94" + id = "06f448cf-1f0e-5db5-bdb5-30238c5f7341" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L954-L965" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9244fae0be6c1addbd0c740d7e153fd4109101184bc61375ddadb6d784769010" + logic_hash = "9244fae0be6c1addbd0c740d7e153fd4109101184bc61375ddadb6d784769010" score = 75 quality = 75 tags = "FILE" @@ -226307,13 +226793,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0989C97804C93Ec0004E2843 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "a52bdc4b-439b-5751-9507-d40068d56ca9" + id = "13b2dd06-878e-5539-91d1-eff8607997c3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L967-L978" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_65b695eed221db86928ebd32a1f3cb35729754ba41cb2e5b6cf944890d211120" + logic_hash = "65b695eed221db86928ebd32a1f3cb35729754ba41cb2e5b6cf944890d211120" score = 75 quality = 75 tags = "FILE" 
@@ -226330,13 +226816,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6Ba32F984444Ea464Bea41D99A977Ea8 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "4b3d02c8-1652-5797-ac27-5c591e1a982d" + id = "6fee5b3f-f72e-531e-b11e-e402207072ff" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L980-L991" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fcabdd038a2594dffddbfff71a7a8a1abae89c637355b3be7e5f26c1eb9e39c7" + logic_hash = "fcabdd038a2594dffddbfff71a7a8a1abae89c637355b3be7e5f26c1eb9e39c7" score = 75 quality = 75 tags = "FILE" @@ -226353,13 +226839,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4F5A9Bf75Da76B949645475473793A7D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "2868a00c-a99b-5ae8-beb1-484be07e4aac" + id = "094b56b9-15fc-5366-9023-c706613882c4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L993-L1004" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8f00efcd62a934fb6ec0205dc1d7bb7f7f3ab168150fee942536ef92f686d21d" + logic_hash = "8f00efcd62a934fb6ec0205dc1d7bb7f7f3ab168150fee942536ef92f686d21d" score = 75 quality = 75 tags = "FILE" 
@@ -226376,13 +226862,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_68B050Aa3D2C16F77E14A16Dc8D1C1Ac : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "328347e4-2343-5423-ab6b-357d2be8474c" + id = "b49d3f1d-34b4-578e-ab36-b0744deef548" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1006-L1017" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9de23897fbfe3c4a6d649558d1d71f890117ec80967bc5bd975aa6f33576c702" + logic_hash = "9de23897fbfe3c4a6d649558d1d71f890117ec80967bc5bd975aa6f33576c702" score = 75 quality = 75 tags = "FILE" @@ -226399,13 +226885,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0F2B44E398Ba76C5F57779C41548607B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "942dc1be-7790-5de6-b240-9e4ba4a31215" + id = "6a962fd8-c2cd-5abd-8f80-95697771037c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1019-L1030" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_172622595a3f6a6ab4ac2677c3064fab87b0a872c261031331c99cbd58671da2" + logic_hash = "172622595a3f6a6ab4ac2677c3064fab87b0a872c261031331c99cbd58671da2" score = 75 quality = 75 tags = "FILE" 
@@ -226422,13 +226908,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5Ad4Ce116B131Daf8D784C6Fab2Ea1F1 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "260ba222-9998-5a06-a226-56439fd306f3" + id = "abb6c51b-987a-5a1f-9d31-1422b41a6a6d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1032-L1043" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3221ffd8203cbef8735ed48acd77daae6bee33ade236b1ff2ced81a0f27d4ce5" + logic_hash = "3221ffd8203cbef8735ed48acd77daae6bee33ade236b1ff2ced81a0f27d4ce5" score = 75 quality = 75 tags = "FILE" @@ -226445,13 +226931,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_48Ce01Ac7E137F4313Cc5723Af817Da0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "1afc0e10-76fe-5fe3-9c33-dc291bbc1643" + id = "d5eb08a7-eb2b-5318-a941-da3ce0a6b634" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1045-L1056" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d92d4aa491b028620f17fd997a782f5e75247b2d3de7ef9026e2c62309275ce1" + logic_hash = "d92d4aa491b028620f17fd997a782f5e75247b2d3de7ef9026e2c62309275ce1" score = 75 quality = 75 tags = "FILE" 
@@ -226468,13 +226954,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C7E62986C36246C64B8C9F2348141570 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "3f17562a-c6d5-57ee-98d1-1d6d1b5d2512" + id = "44d75e1d-5d5b-5d6f-8f7b-d94cd3908ed7" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1058-L1069" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_dfb669ad42ac16d954405dc243b9d81dd9a748a14044d1fce3b71b490c58c82e" + logic_hash = "dfb669ad42ac16d954405dc243b9d81dd9a748a14044d1fce3b71b490c58c82e" score = 75 quality = 75 tags = "FILE" @@ -226491,13 +226977,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ee663737D82Df09C7038A6A6693A8323 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "862d0cdd-f712-566c-8e00-f50fcbfab338" + id = "c6684a9f-ca92-53e9-9723-9d2437a16fc6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1086-L1097" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4057374b73ef13b6f101b939e11569cf010896097fd9322ab490c73d6808fa6f" + logic_hash = "4057374b73ef13b6f101b939e11569cf010896097fd9322ab490c73d6808fa6f" score = 75 quality = 75 tags = "FILE" 
@@ -226514,13 +227000,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3D568325Dec56Abf48E72317675Cacb7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "a8c7a2ec-15ea-55e0-b37c-d586b8a418f8" + id = "e958b9c4-2f1b-5b5d-8a44-7393204a6f41" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1099-L1110" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a575c9989a3ee7824e8734940877ddb255b19070def460508f70d32f457411ac" + logic_hash = "a575c9989a3ee7824e8734940877ddb255b19070def460508f70d32f457411ac" score = 75 quality = 75 tags = "FILE" @@ -226537,13 +227023,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3533080B377F80C0Ea826B2492Bf767B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "66e1c090-d945-500d-9877-034eb32e2dad" + id = "42d2328e-742e-5c35-aa14-3b42442543ce" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1127-L1138" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a7adb9190be4a9cf60adf4b55c8abaa80e01224ea834fc05705afef37703899e" + logic_hash = "a7adb9190be4a9cf60adf4b55c8abaa80e01224ea834fc05705afef37703899e" score = 75 quality = 75 tags = "FILE" 
@@ -226560,13 +227046,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B0Ecd32F95F8761B8A6D5710C7F34590 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "17eeac94-5f6e-5099-aa48-d1dc20a6477d" + id = "2535c9eb-ed4a-52b9-8ad5-80c44c035135" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1140-L1151" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5c181dab1f39138c67650d6654353de2be29cdbf45e0f5235776d28d40194f24" + logic_hash = "5c181dab1f39138c67650d6654353de2be29cdbf45e0f5235776d28d40194f24" score = 75 quality = 75 tags = "FILE" @@ -226583,13 +227069,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3A727248E1940C5Bf91A466B29C3B9Cd : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "ff72521f-8287-5303-8a70-ef00971ec16c" + id = "db43ed73-de46-526e-a255-137a4eaaedce" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1153-L1164" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0afeb50b36d0ca1adbd6cb3accccb3ee093434b8c0bd8b03ae70ecc45c7423b5" + logic_hash = "0afeb50b36d0ca1adbd6cb3accccb3ee093434b8c0bd8b03ae70ecc45c7423b5" score = 75 quality = 75 tags = "FILE" 
@@ -226606,13 +227092,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ce40906451925405D0F6C130Db461F71 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "82acbd4b-1f09-5d62-9ef3-11a54b57ee73" + id = "5e858504-b1c4-579e-b0e8-f6cf4f434672" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1166-L1177" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_02b03b18942cff20ddce429f7be7cc9e54dfbf4884c79c7438c9b9d4415c5b93" + logic_hash = "02b03b18942cff20ddce429f7be7cc9e54dfbf4884c79c7438c9b9d4415c5b93" score = 75 quality = 75 tags = "FILE" @@ -226629,13 +227115,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E130D3537E0B7A4Dda47B4D6F95F9481 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "4ea621dc-4999-5c95-89f4-b16a974aae67" + id = "efcc63ba-51f9-5b16-a33d-05d536efa6c6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1179-L1190" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c394a115fa3fbd7fb2838b61b3c439df3daa9aa44b1901d1740060df0539411e" + logic_hash = "c394a115fa3fbd7fb2838b61b3c439df3daa9aa44b1901d1740060df0539411e" score = 75 quality = 75 tags = "FILE" 
@@ -226652,13 +227138,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4Bec555C48Aada75E83C09C9Ad22Dc7C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "1ddbcfce-30df-5c79-8bde-2241cf64bfc9" + id = "664b8f55-03f8-5f36-aaf7-60ee4e613af4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1192-L1203" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_de4562f70bbe25aa053f2476efca12b99cd4f2ee721df620d02d004bac2a59f9" + logic_hash = "de4562f70bbe25aa053f2476efca12b99cd4f2ee721df620d02d004bac2a59f9" score = 75 quality = 75 tags = "FILE" @@ -226675,13 +227161,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_009356E0361Bcf983Ab14276C332F814E7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "35ad52af-fb1b-5917-b7e7-b60b7c94c75c" + id = "6b5966d7-59ab-5d8a-936e-71b937424234" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1205-L1216" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e85adfa9c004a46fe6060a36def3f8387de1484eb9fc3ae935d00265da135eab" + logic_hash = "e85adfa9c004a46fe6060a36def3f8387de1484eb9fc3ae935d00265da135eab" score = 75 quality = 75 tags = "FILE" 
@@ -226698,13 +227184,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E5D20477E850C9F35C5C47123Ef34271 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "0ab9efe7-fbbd-5e1a-8aca-f1e418accaef" + id = "c8777008-b15f-58c8-9172-f54a4864d2cc" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1218-L1229" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_984f6dba8613ca43a9ffdcba63e57516bd2c6df02698b87aa4a080f89cc6abc0" + logic_hash = "984f6dba8613ca43a9ffdcba63e57516bd2c6df02698b87aa4a080f89cc6abc0" score = 75 quality = 75 tags = "FILE" @@ -226721,13 +227207,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C865D49345F1Ed9A84Bea40743Cdf1D7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "24ca79b2-4afb-59ce-84d9-09b51c52f193" + id = "2ef45336-bb59-5510-af6f-29e41c9258b9" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1231-L1242" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1a43e85e8c8d254dc3ba48ee9be5c233818fd6137967cd0235e802a2de1f9564" + logic_hash = "1a43e85e8c8d254dc3ba48ee9be5c233818fd6137967cd0235e802a2de1f9564" score = 75 quality = 75 tags = "FILE" 
@@ -226744,13 +227230,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_29F2093E925B7Fe70A9Ba7B909415251 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "21213e2d-4f6a-57d8-b1c6-10ba684aed47" + id = "51c21421-18e4-52df-8fe7-75db7141824c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1244-L1255" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9b3c6a0571c096e431594d9331b3ae8127b02cc3cdf1e994a113026d77bbae4c" + logic_hash = "9b3c6a0571c096e431594d9331b3ae8127b02cc3cdf1e994a113026d77bbae4c" score = 75 quality = 75 tags = "FILE" @@ -226767,13 +227253,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0889E4181E71B16C4A810Bee38A78419 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "2918c8cc-0489-5301-99b8-fc756967db49" + id = "e9ada9f1-4b52-5da6-ba82-3ea2625ccefd" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1257-L1268" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2411f7ac79d18af295d77078c6e1c98c5a116ab24125c08946cb6ca09c28bc7b" + logic_hash = "2411f7ac79d18af295d77078c6e1c98c5a116ab24125c08946cb6ca09c28bc7b" score = 75 quality = 75 tags = "FILE" 
@@ -226790,13 +227276,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C1Afabdaa1321F815Cdbb9467728Bc08 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "87d42025-40e5-5a15-b679-8c971e7907a3" + id = "e7904179-672a-5668-8b6d-f7f7090678fb" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1270-L1281" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_be637a192a90a35be9879d5e36fb3cf9a56ca4158329d6b1fad458e2d05e3d26" + logic_hash = "be637a192a90a35be9879d5e36fb3cf9a56ca4158329d6b1fad458e2d05e3d26" score = 75 quality = 75 tags = "FILE" @@ -226813,13 +227299,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_371381A66Fb96A07077860Ae4A6721E1 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "e982a24d-6ff4-5d06-8ef7-9d7d37ce3966" + id = "cd9c9965-922c-5ced-839c-97d1dcde33ff" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1283-L1294" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f087df37fdb6d921f411f130f26f9b5a58c36ae163bc88565178e0ed12be79d9" + logic_hash = "f087df37fdb6d921f411f130f26f9b5a58c36ae163bc88565178e0ed12be79d9" score = 75 quality = 75 tags = "FILE" 
@@ -226836,13 +227322,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Deb004E56D7Fcec1Caa8F2928D4E768 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "855e0826-18bc-5115-a949-436514869ddf" + id = "bb4e62b1-3528-56db-b004-1d590ad1ee61" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1296-L1307" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_69910c81ce85bc59972b644f548a4382b8f3b70ec2737ada9da7adcb4779ce9c" + logic_hash = "69910c81ce85bc59972b644f548a4382b8f3b70ec2737ada9da7adcb4779ce9c" score = 75 quality = 75 tags = "FILE" @@ -226859,13 +227345,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7Bd36898217B4Cc6B6427Dd7C361E43D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "71c66de4-7c66-5754-8a8e-628ee106045b" + id = "ff5be4ad-9471-5d9f-a1ad-ed7aca345a7f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1309-L1320" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9ff149b5a12e154c0ede5015a0432fb70d6001507356c006952e8db91afaa72d" + logic_hash = "9ff149b5a12e154c0ede5015a0432fb70d6001507356c006952e8db91afaa72d" score = 75 quality = 75 tags = "FILE" 
@@ -226882,13 +227368,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_02D17Fbf4869F23Fea43C7863902Df93 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "a42e1fcb-a1aa-5b43-9fad-d9e2acbfd840" + id = "6e96f5b2-f3de-5d5a-babe-d46b9e3edd3e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1322-L1333" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a66e10934cc58e364a694dde3865d0de33e61ce0128ef144c61fa5728d22b8f8" + logic_hash = "a66e10934cc58e364a694dde3865d0de33e61ce0128ef144c61fa5728d22b8f8" score = 75 quality = 75 tags = "FILE" @@ -226905,13 +227391,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1E74Cfe7De8C5F57840A61034414Ca9F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "d7f06726-8add-5a80-af51-1841d688ea79" + id = "b46992d5-f4fb-5e51-8f3c-eb87d4397f14" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1335-L1346" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_14f57732a82b5139059bbe6f713184659187b57419d79e85a12ab197def4b761" + logic_hash = "14f57732a82b5139059bbe6f713184659187b57419d79e85a12ab197def4b761" score = 75 quality = 75 tags = "FILE" 
@@ -226928,13 +227414,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_009272607Cfc982B782A5D36C4B78F5E7B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "53c1920e-87fd-5e74-87ad-1d3d7215c054" + id = "dfb01400-dff2-5df1-b38e-7eb2ee2c71b8" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1348-L1359" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d1c2b44e782befc8dae6852935b6f5b0071c13dd9b56857c38cb290c9069df18" + logic_hash = "d1c2b44e782befc8dae6852935b6f5b0071c13dd9b56857c38cb290c9069df18" score = 75 quality = 75 tags = "FILE" @@ -226951,13 +227437,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7B91468122273Aa32B7Cfc80C331Ea13 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "426ec8ff-bbcf-5317-84cc-d0aebb21934f" + id = "4369d88d-f592-5a5a-bdf6-c63b77d45326" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1361-L1372" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4c0fa18edb23c6a7474185adc67101ad9b13c71188f25612165cb97d236562d8" + logic_hash = "4c0fa18edb23c6a7474185adc67101ad9b13c71188f25612165cb97d236562d8" score = 75 quality = 75 tags = "FILE" 
@@ -226974,13 +227460,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0082Cb93593B658100Cdd7A00C874287F2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "88ad4db8-31ec-57de-8261-028dd8fcdde6" + id = "3e618656-6c9d-5172-bad4-f507cec1dc0c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1374-L1385" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_df8eb4feef3992bae7097a05860f57a1408fc79d92741e3ea2f202d072d9f47e" + logic_hash = "df8eb4feef3992bae7097a05860f57a1408fc79d92741e3ea2f202d072d9f47e" score = 75 quality = 75 tags = "FILE" @@ -226997,13 +227483,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Df683D46D8C3832489672Cc4E82D3D5D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "419710e6-ffc5-54ce-ab8e-d8398698f667" + id = "532ee72a-00f6-513e-b4f9-0827f77d643e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1387-L1398" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_153fdb25769d912732a1fb4ecc757fc8c7e4766cd6588ea16d9cf642b4be8bf6" + logic_hash = "153fdb25769d912732a1fb4ecc757fc8c7e4766cd6588ea16d9cf642b4be8bf6" score = 75 quality = 75 tags = "FILE" 
@@ -227020,13 +227506,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_105440F57E9D04419F5A3E72195110E6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "8b3570fe-d2b6-5b3e-b17c-76933760cde5" + id = "44600134-156b-5762-bdae-f4c016f454a3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1400-L1411" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f8b7aebe91466a587dac366cf6483586f22f95ebc186aa139e55c6e52d276f63" + logic_hash = "f8b7aebe91466a587dac366cf6483586f22f95ebc186aa139e55c6e52d276f63" score = 75 quality = 75 tags = "FILE" @@ -227043,13 +227529,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C01E41Ff29078E6626A640C5A19A8D80 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "8f294014-6778-5248-afe8-323386f106aa" + id = "93ee927f-71bd-5490-8f70-5486ee9c3b79" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1413-L1424" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1ee6f365d46fb1ee0e448fc0ab9d07c51a46f6ee95155094ec956f1cad6c1052" + logic_hash = "1ee6f365d46fb1ee0e448fc0ab9d07c51a46f6ee95155094ec956f1cad6c1052" score = 75 quality = 75 tags = "FILE" 
@@ -227066,13 +227552,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Fa3Dcac19B884B44Ef4F81541184D6B0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "80860bdb-0f04-51f6-8f85-76ad4dd09ea2" + id = "a188e033-4381-5ff0-8f54-f36571ae7097" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1426-L1437" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7e9e2b22f6f2cfd5d7c962fb43c85d703d0a600f954f614073c708f4b881d90e" + logic_hash = "7e9e2b22f6f2cfd5d7c962fb43c85d703d0a600f954f614073c708f4b881d90e" score = 75 quality = 75 tags = "FILE" @@ -227089,13 +227575,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_70E1Ebd170Db8102D8C28E58392E5632 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "86bc7b05-ce01-5572-a812-f2b690f5c531" + id = "f5ccfbdd-d72d-5060-84e6-0ab8477f73fe" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1439-L1450" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b639424c97fb1da440c458cf5cb8f04562292284db7b576c0676a632704f597b" + logic_hash = "b639424c97fb1da440c458cf5cb8f04562292284db7b576c0676a632704f597b" score = 75 quality = 75 tags = "FILE" 
@@ -227112,13 +227598,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6Cfa5050C819C4Acbb8Fa75979688Dff : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "233be86c-1836-548d-af51-86941a7e1da0"
+ id = "35673979-5578-5d32-b8f9-9e74f0c336a2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1452-L1463"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e5978deb84a0c6cee9132f8806f239f33478462da31a423a04922c195cbd343a"
+ logic_hash = "e5978deb84a0c6cee9132f8806f239f33478462da31a423a04922c195cbd343a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227135,13 +227621,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B8164F7143E1A313003Ab0C834562F1F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "a1427947-00f3-5236-96d3-d86ea1fa36d6"
+ id = "d6ebdfb9-55db-58e2-89a8-d47d747e3432"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1465-L1476"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_77f8f125740de97e6fdd98103eefa2a431df0cbe2e7de44f7e863e22ebcfea4c"
+ logic_hash = "77f8f125740de97e6fdd98103eefa2a431df0cbe2e7de44f7e863e22ebcfea4c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227158,13 +227644,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_E3C7Cc0950152E9Ceead4304D01F6C89 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificate"
 author = "ditekSHen"
- id = "ea0b29ac-1e73-563c-a24a-5cb3da87bee2"
+ id = "8bea34fa-3620-5f5f-895f-3baa3b7b458a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1478-L1489"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_395ed4c9c8668f6416632f85883c5fd5b6038ce8388410f22bcbe2a9e6281c35"
+ logic_hash = "395ed4c9c8668f6416632f85883c5fd5b6038ce8388410f22bcbe2a9e6281c35"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227181,13 +227667,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6A241Ffe96A6349Df608D22C02942268 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b9f088ab-5e8d-5886-9417-5d9184afb597"
+ id = "571f5f11-576a-511b-975d-0643ae834502"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1491-L1502"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_41db1a9b11e2d5b8de5ba81496d0e76ea5eddacc01c77bc28c7e05496842df04"
+ logic_hash = "41db1a9b11e2d5b8de5ba81496d0e76ea5eddacc01c77bc28c7e05496842df04"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227204,13 +227690,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C04F5D17Af872Cb2C37E3367Fe761D0D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7df831c7-e086-50af-81a6-8feba589e4ce"
+ id = "9d008f04-8d02-5c6b-b38d-234409cce277"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1504-L1518"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7fa0d16600ae89e41d7b2b0655b142ea36202e8bbbf5f8e25cbb45a005995e79"
+ logic_hash = "7fa0d16600ae89e41d7b2b0655b142ea36202e8bbbf5f8e25cbb45a005995e79"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227227,13 +227713,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5C7E78F53C31D6Aa5B45De14B47Eb5C4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8d576369-0f76-5c97-b8f0-65c475412549"
+ id = "e6bd4476-d287-54d9-82b3-d80f328d7831"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1520-L1531"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0c804e7f1e43a98b150a97adcbba882f7764000abdf7c7408e3361aefa9298b5"
+ logic_hash = "0c804e7f1e43a98b150a97adcbba882f7764000abdf7c7408e3361aefa9298b5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227250,13 +227736,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7156Ec47Ef01Ab8359Ef4304E5Af1A05 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0dbc8cca-7270-52f1-858c-91d4129b9b22"
+ id = "f77ccdb6-77b6-5c47-bde6-2b1b449f9533"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1533-L1544"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fc8073ebb9847d642f15cc74859b643afe00b3c331f68c06f3ff62c037225201"
+ logic_hash = "fc8073ebb9847d642f15cc74859b643afe00b3c331f68c06f3ff62c037225201"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227273,13 +227759,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B2E730B0526F36Faf7D093D48D6D9997 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "094567a6-2070-51b9-b75c-55f643fc2a76"
+ id = "7c74d3aa-dc4f-51ed-9574-74e0539cd22b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1546-L1557"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_16c50b7a2b7b55662d5cdb2261a6b352657b2689a9328916fcf63ddfbef5d08f"
+ logic_hash = "16c50b7a2b7b55662d5cdb2261a6b352657b2689a9328916fcf63ddfbef5d08f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227296,13 +227782,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2C90Eaf4De3Afc03Ba924C719435C2A3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f9f9c17b-362f-5af9-9e8a-9b429666cb32"
+ id = "0b1ae208-bf81-55d0-b4e5-b1c1f7556387"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1559-L1570"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_792898b34ebe4dfc603b3f3b54777a86827a52fd3699a799e95c436317be77da"
+ logic_hash = "792898b34ebe4dfc603b3f3b54777a86827a52fd3699a799e95c436317be77da"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227319,13 +227805,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Bdc81Bc76090Dae0Eee2E1Eb744A4F9A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "89c994dc-441f-5a36-9cee-bd12cdd52cf5"
+ id = "9c91e39e-a120-537d-a24c-f0b8ffe9dd6e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1572-L1583"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_90c695b0cffd4786471faca21b77161ae6e930540766c4f18796a7adea74b6f5"
+ logic_hash = "90c695b0cffd4786471faca21b77161ae6e930540766c4f18796a7adea74b6f5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227342,13 +227828,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E38259Cf24Cc702Ce441B683Ad578911 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f079a83e-82b7-5f7b-9439-a9fe67ed22b1"
+ id = "79e00e92-4ddb-5f87-8f60-78f326674c66"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1585-L1596"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_53d135553b88484e2c40976a9eaa0eb3f4f34c40ce775c198dfd6552155d1859"
+ logic_hash = "53d135553b88484e2c40976a9eaa0eb3f4f34c40ce775c198dfd6552155d1859"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227365,13 +227851,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4929Ab561C812Af93Ddb9758B545F546 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "65e618a5-3f65-527e-936c-1e15e109b038"
+ id = "e57e442a-6fe3-5d09-bbc4-d290a7a80090"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1598-L1609"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a03f37840b24456a4a2ef8e7c456dc99396886682156e4e95f7547bf38d8dc4d"
+ logic_hash = "a03f37840b24456a4a2ef8e7c456dc99396886682156e4e95f7547bf38d8dc4d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227388,13 +227874,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B649A966410F62999C939384Af553919 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7792dd13-ebf4-5801-8dc4-6fbcbef4165f"
+ id = "6b88b712-6d25-5152-80bf-562bf82f336c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1611-L1622"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_231b0aa0a1e7c72552d683cc4f93b39444f7c1ebb3bb719bee224aa62e9a28dd"
+ logic_hash = "231b0aa0a1e7c72552d683cc4f93b39444f7c1ebb3bb719bee224aa62e9a28dd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227411,13 +227897,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_22367Dbefd0A325C3893Af52547B14Fa : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "6937b608-db97-5048-9382-da86049f2d5a"
+ id = "301f126d-1ff6-5512-a38b-ca1dd7d67765"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1624-L1635"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7b717a86ba0a6c3c8ba59c7b7c97dae802c351340ad67a9baf3f526b084e995a"
+ logic_hash = "7b717a86ba0a6c3c8ba59c7b7c97dae802c351340ad67a9baf3f526b084e995a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227434,13 +227920,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E04A344B397F752A45B128A594A3D6B5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "ecb1a466-971d-5d5d-878d-a2a09f82b296"
+ id = "85a7c3f7-a449-54ad-aac4-53f2a2c6c30e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1637-L1648"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_db3c854b68387aa5c6976783e6f79f99fe3389344b64d38c603d298128193e12"
+ logic_hash = "db3c854b68387aa5c6976783e6f79f99fe3389344b64d38c603d298128193e12"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227457,13 +227943,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00A7989F8Be0C82D35A19E7B3Dd4Be30E5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f3754d33-3686-5e0c-bd33-9003eac88b22"
+ id = "0bb81ddc-b63b-534b-852f-7b0a2feeef9e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1650-L1661"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_66d600d97b5aca1aa9a302671f06aef0d5c4ae9829d6cb16f191bd4c59462d2e"
+ logic_hash = "66d600d97b5aca1aa9a302671f06aef0d5c4ae9829d6cb16f191bd4c59462d2e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227480,13 +227966,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_39F56251Df2088223Cc03494084E6081 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "ba70fae7-1d16-5df7-adf7-d5b0e9c469c8"
+ id = "4b5c27e0-0b3e-52e6-a867-1c2adadf3af3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1663-L1674"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dc757f831b2537f12151f4f9e886ccf83bacfbcaea3ce12b2199f13ae00b199e"
+ logic_hash = "dc757f831b2537f12151f4f9e886ccf83bacfbcaea3ce12b2199f13ae00b199e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227503,13 +227989,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_009Cfbb4C69008821Aaacecde97Ee149Ab : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "04818898-ee0e-51e2-9b06-d9f9cfc34bcc"
+ id = "0b0d815b-2232-5159-9b78-9227d9b2ec11"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1676-L1687"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_de04f12b1fb1e12860bf4ac077b700d180b8d412890922b75264319559fbd997"
+ logic_hash = "de04f12b1fb1e12860bf4ac077b700d180b8d412890922b75264319559fbd997"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227526,13 +228012,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008Cff807Edaf368A60E4106906D8Df319 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "860df7e0-095a-5620-8870-a9d8411abdc2"
+ id = "ad8bed7f-3bc6-53d3-9e7a-0868e2ad267a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1689-L1700"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_48752aff88cd3d546757a4220a64ca17cc9a5f00a42d2bc0571dedf5de769bc2"
+ logic_hash = "48752aff88cd3d546757a4220a64ca17cc9a5f00a42d2bc0571dedf5de769bc2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227549,13 +228035,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2924785Fd7990B2D510675176Dae2Bed : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8df46218-68d2-5520-bd2f-ed9de2dda4dd"
+ id = "2aedb37c-8991-5750-b0c6-b9d6e7bb5e79"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1702-L1713"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dbdd714575d3c5f9554026fea97c6e91073d30cf728396111a5106303bb7b624"
+ logic_hash = "dbdd714575d3c5f9554026fea97c6e91073d30cf728396111a5106303bb7b624"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227572,13 +228058,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_F2C4B99487Ed33396D77029B477494Bc : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "69853229-35ba-5c67-89b4-fb4593148d1d"
+ id = "594a5def-2516-5639-a72b-9b84b65de1e0"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1715-L1726"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_109d71674b652a2f42bb2a45c877d3a6cbfe280d0324f9ac8fa746d322440694"
+ logic_hash = "109d71674b652a2f42bb2a45c877d3a6cbfe280d0324f9ac8fa746d322440694"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227595,13 +228081,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C54Cccff8Acceb9654B6F585E2442Ef7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7ca7d890-2ff1-532b-8c1b-0ffe19921437"
+ id = "c199b65f-5e95-5c6a-8ccc-7f343b867885"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1728-L1739"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4be5e0f9f522f0d4096a63b001a02ea130ef56149dec7f0ac90be686b885cc4a"
+ logic_hash = "4be5e0f9f522f0d4096a63b001a02ea130ef56149dec7f0ac90be686b885cc4a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227618,13 +228104,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_690910Dc89D7857C3500Fb74Bed2B08D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "2ccceb8d-159f-5ed8-bc76-f6ef2837c7b7"
+ id = "d10931e2-8abb-592b-a070-3767f286bd74"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1741-L1752"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_62a1be8435f73f3768030feb6b5917d9a8075e7abac52e654231ba9d16ccc374"
+ logic_hash = "62a1be8435f73f3768030feb6b5917d9a8075e7abac52e654231ba9d16ccc374"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227641,13 +228127,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Af9B523180F34A24Fcfd11B74E7D6Cd : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7b140f17-5640-5530-b935-722f83165e9f"
+ id = "d9ef3746-8b8e-5259-bcc4-408e27bc8ce3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1754-L1765"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e06c87bddfc4fbb8918b7b1d64ec66b810a5a0c635c34d820b33c3cf9789229c"
+ logic_hash = "e06c87bddfc4fbb8918b7b1d64ec66b810a5a0c635c34d820b33c3cf9789229c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227664,13 +228150,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00F4D2Def53Bccb0Dd2B7D54E4853A2Fc5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "5d3b0c1f-c651-5319-b410-b31793506519"
+ id = "8c1970b7-10b5-5976-a89c-a0d30f4b04af"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1767-L1778"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0d9813d79f86ff22d5478469bee6cf457afe3780dd4308caa5da502faf816377"
+ logic_hash = "0d9813d79f86ff22d5478469bee6cf457afe3780dd4308caa5da502faf816377"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227687,13 +228173,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_56D576A062491Ea0A5877Ced418203A1 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1524284a-b2ea-53d8-bafe-7f2a08409510"
+ id = "94e29354-b6bc-5936-abc8-2b42d2e65294"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1780-L1791"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_877b773cb1bdc6c6c309374e95dc7eac4d525c681200169fcf492476f6335342"
+ logic_hash = "877b773cb1bdc6c6c309374e95dc7eac4d525c681200169fcf492476f6335342"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227710,13 +228196,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4152169F22454Ed604D03555B7Afb175 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "54b31e1f-e499-5fee-9982-f5b3171e6dce"
+ id = "61286549-7561-5607-9073-2a3ee0d54a44"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1793-L1804"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ee965ee8b6ebbb6171e3b10a7887acf35c9ed7fcbe49b7f403190c7fb046ec63"
+ logic_hash = "ee965ee8b6ebbb6171e3b10a7887acf35c9ed7fcbe49b7f403190c7fb046ec63"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227733,13 +228219,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_41D05676E0D31908Be4Dead3486Aeae3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8f6cc4ad-a31a-5bb9-be06-e058188d6d4f"
+ id = "d668f53b-3d1c-5fcb-9f9c-2923e63f93a9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1806-L1817"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e4eb406e433b38ac127ba22040c48b510636eb55e2b524b02386710709d343b6"
+ logic_hash = "e4eb406e433b38ac127ba22040c48b510636eb55e2b524b02386710709d343b6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227756,13 +228242,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_13C7B92282Aae782Bfb00Baf879935F4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7db8d59c-5e0c-54e3-8ec7-ae3f6af67000"
+ id = "244ff442-0bce-5f9f-85ea-33fafe9a2e7b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1819-L1830"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2742fd71eb8219db7785ad46be18a906fdab0914f632dfbf531238fd551a5b65"
+ logic_hash = "2742fd71eb8219db7785ad46be18a906fdab0914f632dfbf531238fd551a5b65"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227779,13 +228265,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D627F1000D12485995514Bfbdefc55D9 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "895cc049-e8f0-5de6-8404-b9eaf202be50"
+ id = "dd18086c-063b-542e-915b-5bd452ee452e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1832-L1843"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9ff60a73b889c8f1df127ead90a93fbf92131cfb475d58eea1ba1569f3e99e00"
+ logic_hash = "9ff60a73b889c8f1df127ead90a93fbf92131cfb475d58eea1ba1569f3e99e00"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227802,13 +228288,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_62205361A758B00572D417Cba014F007 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "917f9015-b94b-56a4-8765-4d5571f459e4"
+ id = "7838c733-7212-5e86-bb3c-5dfefb727a4b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1845-L1856"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_52d67bc94e82bb9a36e969d393c395465c84ff76f89c5f8407c20e2c761000e3"
+ logic_hash = "52d67bc94e82bb9a36e969d393c395465c84ff76f89c5f8407c20e2c761000e3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227825,13 +228311,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_566Ac16A57B132D3F64Dced14De790Ee : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f17125f4-7e81-5eb2-9b8c-671b5ae63272"
+ id = "05f49d36-7bf1-5bbc-b728-e1616366c15e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1858-L1869"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0618ce3ce0c5f8923c12a99586bbec8ec86229c7e08af75f5b0756f348d53bd5"
+ logic_hash = "0618ce3ce0c5f8923c12a99586bbec8ec86229c7e08af75f5b0756f348d53bd5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227848,13 +228334,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_661Ba8F3C9D1B348413484E9A49502F7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "cfcadded-5db3-50dc-94cf-804881132087"
+ id = "75fb83a1-c493-510a-8c01-4cc699d71465"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1871-L1882"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_661af02d7a206f50e996caf690ded541acab8c8268df9e86744d36f7322efe5c"
+ logic_hash = "661af02d7a206f50e996caf690ded541acab8c8268df9e86744d36f7322efe5c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227871,13 +228357,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0092D9B92F8Cf7A1Ba8B2C025Be730C300 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "6addbb57-4f7a-5f0a-bc9e-891977466d5a"
+ id = "856b4522-f314-5cbb-872e-08b21107881b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1884-L1895"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_207fcc48053afb6a435c40fd8e25a88753139c35f4882a1975fdb8c55dc8ea89"
+ logic_hash = "207fcc48053afb6a435c40fd8e25a88753139c35f4882a1975fdb8c55dc8ea89"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227894,13 +228380,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E5Ad42C509A7C24605530D35832C091E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "bacaeca8-33a8-5c56-8e7e-ab55a173be93"
+ id = "44615e9d-6677-5642-b56d-82c0577f758c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1897-L1908"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8d76474257ee9a24d4785ddd119e586712a157ff7b420a7db2b8efe06c43f76c"
+ logic_hash = "8d76474257ee9a24d4785ddd119e586712a157ff7b420a7db2b8efe06c43f76c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227917,13 +228403,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3E57584Db26A2C2Ebc24Ae3E1954Fff6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "03484203-2707-5cc4-8121-a21b82d1895a"
+ id = "9073846e-97c7-5b2e-a81f-3bbd06699842"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1910-L1921"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cfc68c32ceba351610651d34fb420c64bab9a3b1564d9b6392f0ee8cdcdac7de"
+ logic_hash = "cfc68c32ceba351610651d34fb420c64bab9a3b1564d9b6392f0ee8cdcdac7de"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227940,13 +228426,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_13794371C052Ec0559E9B492Abb25C26 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "a91fc0b0-6a0a-5f71-b9e6-f5bfd2b4e08b"
+ id = "e2a4fdb2-fa04-5662-bb84-5c0c4892e3af"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1923-L1934"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_af80177181efd92b4e1a4a5c665df01add069dc3b47074bcbdd503516cf5a844"
+ logic_hash = "af80177181efd92b4e1a4a5c665df01add069dc3b47074bcbdd503516cf5a844"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227963,13 +228449,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_51Aead5A9Ab2D841B449Fa82De3A8A00 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3045a700-438d-5c8a-98dd-4bf99a64d8ca"
+ id = "d64ff10d-e4dd-5d89-a600-d136571be940"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1936-L1947"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1658a12bb040b5b16c61469fe52abbaaecf5bd66bf5e45a2c2da9f80fa0c66f5"
+ logic_hash = "1658a12bb040b5b16c61469fe52abbaaecf5bd66bf5e45a2c2da9f80fa0c66f5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -227986,13 +228472,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Bce1D49Ff444D032Ba3Dda6394A311E9 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0de55ef3-fc27-5ad3-b08e-dff7b7d4e308"
+ id = "ee980353-b7c3-5738-84ae-e51c021e6597"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1949-L1960"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_eeb1556808e790eea964658a8499ec2d9cc5638bf696fbbade2bc08a29fb3e65"
+ logic_hash = "eeb1556808e790eea964658a8499ec2d9cc5638bf696fbbade2bc08a29fb3e65"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228009,13 +228495,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Dadf44E4046372313Ee97B8E394C4079 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b9667032-bd91-5b2a-acf6-e5e130fa3c2f"
+ id = "bb7178f4-079f-5f7e-9761-3f73203603c7"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1962-L1973"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e4480ad6ce302a87e38915ef7ba09a94a4626ed359333276b899474f21d46238"
+ logic_hash = "e4480ad6ce302a87e38915ef7ba09a94a4626ed359333276b899474f21d46238"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228032,13 +228518,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00F8C2E08438Bb0E9Adc955E4B493E5821 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "cf5ae09f-927a-5d16-b969-7289fee077d4"
+ id = "75f505d0-c79a-5eab-a61f-29ec238ac045"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1975-L1986"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2258ea96b56acb3025b5b2f39c07d482c375e75323d6f8e8ded91b8dab00656e"
+ logic_hash = "2258ea96b56acb3025b5b2f39c07d482c375e75323d6f8e8ded91b8dab00656e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228055,13 +228541,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D2Caf7908Aaebfa1A8F3E2136Fece024 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "668d8a42-ea40-545a-983d-edd5a704b15e"
+ id = "043a598d-8b84-597f-ac2e-035cc9ccef77"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L1988-L1999"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2c8a322e687ed575e66ff308bcf0950ab87bc5ac3ab561c8cc3d81e9181ac708"
+ logic_hash = "2c8a322e687ed575e66ff308bcf0950ab87bc5ac3ab561c8cc3d81e9181ac708"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228078,13 +228564,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_003223B4616C2687C04865Bee8321726A8 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0ccd577e-fb24-5326-9897-51d1885d97cd"
+ id = "05320823-08e5-58f4-896c-ae7f01b40a3b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2001-L2012"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_671e3a589fb24a6c5e38126df45a4767815eff32014172930cab6ffbe135af81"
+ logic_hash = "671e3a589fb24a6c5e38126df45a4767815eff32014172930cab6ffbe135af81"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228101,13 +228587,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Fa13Ae98E17Ae23Fcfe7Ae873D0C120 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e7ac456a-9887-541e-8c3f-6aaeef3a3729"
+ id = "5e926cb1-efd0-5f9d-9327-341bb2f1a5f5"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2014-L2025"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_312d810386aebb509ffbd09d6b1ad6a761a03bc07ba5e4a158235786063389a9"
+ logic_hash = "312d810386aebb509ffbd09d6b1ad6a761a03bc07ba5e4a158235786063389a9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228124,13 +228610,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3696883055975D571199C6B5D48F3Cd5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "fe9b35a9-8f5c-531f-ab33-a9626903cb5f"
+ id = "8af62be2-488f-5474-b674-73bf157dff00"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2027-L2038"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9232413a071a6100ba806b1fad2cd6cd2bb85351c36ad25cfc31b66ad041d686"
+ logic_hash = "9232413a071a6100ba806b1fad2cd6cd2bb85351c36ad25cfc31b66ad041d686"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228147,13 +228633,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Aff762E907F0644E76Ed8A7485Fb12A1 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "791fb1ea-608d-5e27-813b-dd4b61e3629d"
+ id = "92113fc4-ef5b-5e86-bc8e-baf342ddf276"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2040-L2051"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0be4642f6aaf2183d593240efcc8c2046970d3806a67ff53ca4ce7ee85df90e5"
+ logic_hash = "0be4642f6aaf2183d593240efcc8c2046970d3806a67ff53ca4ce7ee85df90e5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228170,13 +228656,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5B440A47E8Ce3Dd202271E5C7A666C78 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "af565050-bd78-588a-b57f-436cfa4b6fd6"
+ id = "62c9a37c-e4dd-5925-a019-08bf6a77476d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2053-L2064"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f898a3495e173d85fd62598da87ab15cbee0674519231a5e770204a4db3cd93f"
+ logic_hash = "f898a3495e173d85fd62598da87ab15cbee0674519231a5e770204a4db3cd93f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228193,13 +228679,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Fe41941464B9992A69B7317418Ae8Eb7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e1a77e3e-6039-58be-9d4a-2061f7bcefff"
+ id = "44626304-7f68-5d3a-81b4-91ee0bd09cc3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2066-L2077"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_713a2cfc95b83de71064e198b26b716790c7cf21674961720695ab6749cb2ad1"
+ logic_hash = "713a2cfc95b83de71064e198b26b716790c7cf21674961720695ab6749cb2ad1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228216,13 +228702,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_29128A56E7B3Bfb230742591Ac8B4718 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b3d2839c-bf90-59c3-a4f6-c9fe6f5b039a"
+ id = "58a9e9f1-531b-5dee-aa11-1537838e9d3f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2079-L2090"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_16c9843b5e3edafa64e07626fda494452efa5d0bcaa80d7d80683258c2b9acd4"
+ logic_hash = "16c9843b5e3edafa64e07626fda494452efa5d0bcaa80d7d80683258c2b9acd4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228239,13 +228725,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C2Bb11Cfc5E80Bf4E8Db2Ed0Aa7E50C5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "9c739af0-cc92-58bc-8a61-9ca399369fe1"
+ id = "d22ee868-71a7-52f4-93f3-b04b105fd399"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2092-L2103"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e54eeea70e85396b26fe188b848ef37c619aae5fc909c1a06ad0bc42fb9b0468"
+ logic_hash = "e54eeea70e85396b26fe188b848ef37c619aae5fc909c1a06ad0bc42fb9b0468"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228262,13 +228748,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_040Cc2255Db4E48Da1B4F242F5Edfa73 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0520fa6e-714c-53f1-a7fb-9d524af4a2ac"
+ id = "4673a61f-1c2b-5f92-af28-d55b5d913784"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2105-L2116"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ade204ebb2bf26515984d20ae459aaea56136acfd37a54abc794969fd05c54ce"
+ logic_hash = "ade204ebb2bf26515984d20ae459aaea56136acfd37a54abc794969fd05c54ce"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228285,13 +228771,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3Bcaed3Ef678F2F9Bf38D09E149B8D70 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3905b95a-c947-5ca3-bf66-fdbebfee2e94"
+ id = "decdae98-333f-58b3-8c48-b997da5fc3f3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2118-L2129"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9981e0aed672ebfcbe7f0bc1eee6a26a1523b8577d5ee572612aaebf23d1fbcf"
+ logic_hash = "9981e0aed672ebfcbe7f0bc1eee6a26a1523b8577d5ee572612aaebf23d1fbcf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228308,13 +228794,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_091736D368A5980Ebeb433A0Ecb49Fbb : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "052ec2bd-891b-5c85-8910-67c1dbe9fae6"
+ id = "fb9446b5-2d49-51de-bedb-ea541d415ae2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2131-L2142"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_858a98ba8fd3244b2c0f6d3dd89a294b0187dd1a82cdcca67c162985d80ca6ed"
+ logic_hash = "858a98ba8fd3244b2c0f6d3dd89a294b0187dd1a82cdcca67c162985d80ca6ed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228331,13 +228817,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E48Cb3314977D77Dedcd4C77Dd144C50 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "fa147843-1ec9-5af5-9bc0-9eb527a84d92"
+ id = "9b708e1b-a878-5244-8fe2-3061f058a9ab"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2144-L2155"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a2ca0ce3812be5e46cb0bc9c73fc4f31294c8d594ca821ad924a3f06cf2430ca"
+ logic_hash = "a2ca0ce3812be5e46cb0bc9c73fc4f31294c8d594ca821ad924a3f06cf2430ca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228354,13 +228840,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1E72A72351Aecf884Df9Cdb77A16Fd84 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "cde21894-69d7-5494-90ba-0ce919725599"
+ id = "7972befe-3a88-5ea5-a865-3d008b712bc9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2157-L2168"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6555b89f1643f2e461a936df402dcbe8dd5100a1def76c7c6d8f792d1c0ed006"
+ logic_hash = "6555b89f1643f2e461a936df402dcbe8dd5100a1def76c7c6d8f792d1c0ed006"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228377,13 +228863,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B383658885E271129A43D19De40C1Fc6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "deb79387-2539-51cd-8b0f-bb7a3e90c25c"
+ id = "47389dc4-8092-5e12-91a1-f370c9c507a9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2170-L2181"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9312bc8f1005d71393ab63f05bdabff52752ad939dd4311485dc4b56f75eece9"
+ logic_hash = "9312bc8f1005d71393ab63f05bdabff52752ad939dd4311485dc4b56f75eece9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228400,13 +228886,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ca7D54577243934F665Fd1D443855A3D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "aacc93ed-673e-5ef7-8807-f27ac5ecf725"
+ id = "8519119d-a37b-5438-a642-48e1d40024b8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2183-L2194"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_867844464609a043902f07aad3fa568b482259655bc181d992bd409437165790"
+ logic_hash = "867844464609a043902f07aad3fa568b482259655bc181d992bd409437165790"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228423,13 +228909,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7709D2Df39E9A4F7Db2F3Cbc29B49743 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "fa816a2f-f56c-51ec-9bea-c13803233868"
+ id = "55e8815f-0885-5eb0-bf85-05bbd874a821"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2196-L2207"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b63fa6e4e92549ae92b9a414390471c49fd50010bb7e10e1db72ff53370a6354"
+ logic_hash = "b63fa6e4e92549ae92b9a414390471c49fd50010bb7e10e1db72ff53370a6354"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228446,13 +228932,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_186D49Fac34Ce99775B8E7Ffbf50679D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "298e1273-9489-55c4-80b1-6a4085090178"
+ id = "eeea3085-9fd7-5077-8c13-e0c4438b2e79"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2209-L2220"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_950b14787e707be843d1443a612c372ceb0c2830de20bce1f62317fa39149e5b"
+ logic_hash = "950b14787e707be843d1443a612c372ceb0c2830de20bce1f62317fa39149e5b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228469,13 +228955,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0097Df46Acb26B7C81A13Cc467B47688C8 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0a007d44-e6d4-50fc-ae1f-b08e2c3ac81f"
+ id = "1c281766-abd4-534b-9442-233369e1f55e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2222-L2233"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ab4da0ddd001acf9f8d78c4beb28c648f8516088561e3140739b4b41d93b58ef"
+ logic_hash = "ab4da0ddd001acf9f8d78c4beb28c648f8516088561e3140739b4b41d93b58ef"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228492,13 +228978,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2A52Acb34Bd075Ac9F58771D2A4Bbfba : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1fd65170-3c27-5247-b966-709fd4984ad8"
+ id = "2d6b6ff5-e081-5e91-b03f-6e0d02afdb8f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2235-L2246"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9ffad34a94e9210bb98021c0ee0ddba4144406cca976537efe24e63367a295cd"
+ logic_hash = "9ffad34a94e9210bb98021c0ee0ddba4144406cca976537efe24e63367a295cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228515,13 +229001,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5A9D897077A22Afe7Ad4C4A01Df6C418 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "fc00e808-d96f-5034-b9ee-6cca73c3ebfc"
+ id = "e44fcc54-9d0c-5b9b-a34a-03f31ae5333d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2248-L2259"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f82b59f5d1996ae37b0cb7f7a799e2fcc7d9da0ffddfe63cbbb84b6f0e7e7b23"
+ logic_hash = "f82b59f5d1996ae37b0cb7f7a799e2fcc7d9da0ffddfe63cbbb84b6f0e7e7b23"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228538,13 +229024,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D7C432E8D4Edef515Bfb9D1C214Ff0F5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "2de9dab3-057d-57f5-8b7c-b867b8d0ec57"
+ id = "fc3fd388-91f6-5f53-a284-4ef0a7d22290"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2261-L2272"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9ef64774a0b6b11820321cd36d49213ad245cea82960aab99bb18e44a2ee79a8"
+ logic_hash = "9ef64774a0b6b11820321cd36d49213ad245cea82960aab99bb18e44a2ee79a8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228561,13 +229047,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0085E1Af2Be0F380E5A5D11513Ddf45Fc6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f967f5e0-165b-54af-812d-2d1f84905f46"
+ id = "d55fd5ca-0e20-51de-84b6-f30dd2660529"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2274-L2285"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5a86b9aecf7697bd8e1f40407934c6a9941714404a931b0f1bed4ae7440f6921"
+ logic_hash = "5a86b9aecf7697bd8e1f40407934c6a9941714404a931b0f1bed4ae7440f6921"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228584,13 +229070,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_02Aa497D39320Fc979Ad96160D90D410 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "276e2d1e-d8fb-5128-b0f4-13a6817f259d"
+ id = "9387010e-94f5-5787-b30f-609d98c48ddf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2287-L2298"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_762b1730c8cfcf5a89e49858723d5701c1fb958eb2cd4da5b240f21763cdabf8"
+ logic_hash = "762b1730c8cfcf5a89e49858723d5701c1fb958eb2cd4da5b240f21763cdabf8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228607,13 +229093,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_D0B094274C761F367A8Eaea08E1D9C8F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "734edca9-f7a8-56ba-a9f4-b315da4c1e8f"
+ id = "3683b66b-3dc0-5b89-be71-1e1267ef7de8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2300-L2311"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5ce9be0bdd8350dd5a8ae8cf2447d1be6b34ee3abc5c19754c63ef03b7cccec9"
+ logic_hash = "5ce9be0bdd8350dd5a8ae8cf2447d1be6b34ee3abc5c19754c63ef03b7cccec9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228630,13 +229116,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D59A05955A4A421500F9561Ce983Aac4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "251e771d-8263-548a-a5c7-01b5b0564a4c"
+ id = "97c4e8fa-8d66-500f-a63f-fac84ad9e508"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2313-L2324"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9187dcdbf29e5119d90ede266a14c7e46f5050800a38c57fa86e957c885c1d60"
+ logic_hash = "9187dcdbf29e5119d90ede266a14c7e46f5050800a38c57fa86e957c885c1d60"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228653,13 +229139,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_35590Ebe4A02Dc23317D8Ce47A947A9B : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "252a5f74-dac7-56c2-a304-f0254f9beccf"
+ id = "36630916-26df-5d2c-8faf-9fa2e240bff3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2326-L2337"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c01f9ecb1e69f6d0cb8061930cda27469eb18be19c0471192b31d516cddf828f"
+ logic_hash = "c01f9ecb1e69f6d0cb8061930cda27469eb18be19c0471192b31d516cddf828f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228676,13 +229162,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1F23F001458716D435Cca1A55D660Ec5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0188e0bb-5507-5fb2-b9c4-a9922d9b983f"
+ id = "16a904e4-bf1a-5530-9269-d92c0f1bb4d3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2339-L2350"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3e91429f7b25ad54103ee230a36d4b51060adb458b533b9cbd00178a02676629"
+ logic_hash = "3e91429f7b25ad54103ee230a36d4b51060adb458b533b9cbd00178a02676629"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228699,13 +229185,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C2Fc83D458E653837Fcfc132C9B03062 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f73f3061-9d6c-53e5-8236-27c577d15e9e"
+ id = "fbc9420d-4670-502f-af6a-13d17fb73938"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2352-L2363"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_96ed5e78195f12cdc0316ed454ad4e2235253ed897905c4a97756b306933d874"
+ logic_hash = "96ed5e78195f12cdc0316ed454ad4e2235253ed897905c4a97756b306933d874"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228722,13 +229208,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Fcb3D3519E66E5B6D90B8B595F558E81 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "5093a703-8bd1-5f9f-9f34-7423af8c451a"
+ id = "966650b5-d776-5ed0-a99b-507b46abd882"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2365-L2376"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_62c7189cc906b9f2d2724492489218d9aecf08ef431463ebf1963b034222f2ad"
+ logic_hash = "62c7189cc906b9f2d2724492489218d9aecf08ef431463ebf1963b034222f2ad"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228745,13 +229231,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4B03Cabe6A0481F17A2Dbeb9Aefad425 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "37230816-bab3-5ea1-8c20-b6168db071f3"
+ id = "3995296a-58ce-5615-8524-525698af3537"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2378-L2389"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e3c0d68a65bc53b83a48310857605afda0004b4122201c18a66fea085a210924"
+ logic_hash = "e3c0d68a65bc53b83a48310857605afda0004b4122201c18a66fea085a210924"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228768,13 +229254,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_539015999E304A5952985A994F9C3A53 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "55fc19ec-ff81-5c46-9ebf-e548aab3df7c"
+ id = "b53f5843-fb4c-5c61-be24-21bdbc445239"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2391-L2402"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_72304761de1d5e81659487947a1cfa017f7f41d5639f18634db4dfd094980518"
+ logic_hash = "72304761de1d5e81659487947a1cfa017f7f41d5639f18634db4dfd094980518"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228791,13 +229277,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_016836311Fc39Fbb8E6F308Bb03Cc2B3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "ac05afc9-2054-53e5-9bbb-7818c041b010"
+ id = "06cc9c38-c5a6-5311-8ceb-943ea3993fc7"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2404-L2415"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_912d490ac5d746c584e4dd5639be98d9577faba215cc1f8ebdf360581be53d5c"
+ logic_hash = "912d490ac5d746c584e4dd5639be98d9577faba215cc1f8ebdf360581be53d5c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228814,13 +229300,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_009Bd81A9Adaf71F1Ff081C1F4A05D7Fd7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f5927668-0ac2-592d-b7d9-163f434d9bea"
+ id = "deedbc3a-8c77-5c2c-b3c1-40e5d082ec5a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2417-L2428"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_85efd10f6c49b93215c9f8f97915c62fb3ed3bb158b2137e953022b550263726"
+ logic_hash = "85efd10f6c49b93215c9f8f97915c62fb3ed3bb158b2137e953022b550263726"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228837,13 +229323,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_082023879112289Bf351D297Cc8Efcfc : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7b3e04df-09ee-5b38-8cf0-10dffb51dca9"
+ id = "292f99be-2eb0-5ad1-bd07-766de7822f1e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2430-L2441"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0747b37139daaba10a17098aeb0c6246290fbd997345de34ce9de8da26d7db05"
+ logic_hash = "0747b37139daaba10a17098aeb0c6246290fbd997345de34ce9de8da26d7db05"
 score = 75
 quality = 75
 tags = "FILE"
@@ -228860,13 +229346,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ece6Cbf67Dc41635A5E5D075F286Af23 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3e602e0f-9fd3-5aef-a0b6-f2d2c0fa4e4c" + id = "53312007-179d-547c-8195-0b5d78181300" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2443-L2454" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_27ecc138f8d574c15095032c35ad51c00d8b98f21162d1f59f1f9ca9e5b54391" + logic_hash = "27ecc138f8d574c15095032c35ad51c00d8b98f21162d1f59f1f9ca9e5b54391" score = 75 quality = 75 tags = "FILE" @@ -228883,13 +229369,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5Fb6Bae8834Edd8D3D58818Edc86D7D7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c0f2f608-5646-5e7c-947b-8b1cd3d7fc1a" + id = "65f5e05c-f5cd-53ba-b4ec-7f412aa63796" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2456-L2467" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9cec6eae024d738c68d670fb61f7667bdc156245da83e5d0ae0f2012baa5bc0a" + logic_hash = "9cec6eae024d738c68d670fb61f7667bdc156245da83e5d0ae0f2012baa5bc0a" score = 75 quality = 75 tags = "FILE" 
@@ -228906,13 +229392,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6E0Ccbdfb4777E10Ea6221B90Dc350C2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6281b2de-9b2f-5754-a42f-990f86dae795" + id = "c8f66f21-db29-5a5d-a74d-58c152a17bc3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2469-L2480" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fee9662133f0a3d88ce97c27f150bcea8faf21b4c4b97f90bb2aae73ee332bb9" + logic_hash = "fee9662133f0a3d88ce97c27f150bcea8faf21b4c4b97f90bb2aae73ee332bb9" score = 75 quality = 75 tags = "FILE" @@ -228929,13 +229415,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1249Aa2Ada4967969B71Ce63Bf187C38 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "44a90840-c747-5c67-93f5-82ecbccd1d89" + id = "3af35255-7583-5463-b130-ebc8abd4803b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2482-L2493" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9f8ff46a3b0f5179c2c3b89e82188183fa399c67c3f0ebc28218cf3cb4ce5c70" + logic_hash = "9f8ff46a3b0f5179c2c3b89e82188183fa399c67c3f0ebc28218cf3cb4ce5c70" score = 75 quality = 75 tags = "FILE" 
@@ -228952,13 +229438,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2Dcd0699Da08915Dde6D044Cb474157C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6e9455eb-7b62-586a-a568-c0166131dddb" + id = "0b4e1d10-d385-5ca8-b9e2-00341a4c6fd9" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2495-L2506" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_096cf4bb17aa86821bd8d6c8b9fd603664beb12f54a97a87e660b560bd0fc246" + logic_hash = "096cf4bb17aa86821bd8d6c8b9fd603664beb12f54a97a87e660b560bd0fc246" score = 75 quality = 75 tags = "FILE" @@ -228975,13 +229461,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008D52Fb12A2511E86Bbb0Ba75C517Eab0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a1fc9aec-01fe-5c86-96d2-bea07a88944d" + id = "04b78a1c-bb2c-5844-933b-f95a0cc8c71e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2508-L2519" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_23dc0500af88af0e2c8ea7ff2c5a149d24fb7fd23853c4bf5ee5921a66a34672" + logic_hash = "23dc0500af88af0e2c8ea7ff2c5a149d24fb7fd23853c4bf5ee5921a66a34672" score = 75 quality = 75 tags = "FILE" 
@@ -228998,13 +229484,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B1Aea98Bf0Ce789B6C952310F14Edde0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d6f2e1f9-1994-5ce4-b617-29b18fde2c18" + id = "9ab5382f-d768-553c-b52c-88d3a3824459" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2521-L2532" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f7e8a4a0dcd952129e24e8e9351f271d7ea98ffcb7ef9ebe65c27dcc62e6a820" + logic_hash = "f7e8a4a0dcd952129e24e8e9351f271d7ea98ffcb7ef9ebe65c27dcc62e6a820" score = 75 quality = 75 tags = "FILE" @@ -229021,13 +229507,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00F097E59809Ae2E771B7B9Ae5Fc3408D7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5557b4d4-e4fb-5d91-bf4b-182fb08109aa" + id = "edd8674d-7d45-5f77-aa47-3fbe32176324" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2534-L2545" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_817876ab8e649b36cac2e7b23d58fe94963c55481fbf3deff7e60a70896af6d0" + logic_hash = "817876ab8e649b36cac2e7b23d58fe94963c55481fbf3deff7e60a70896af6d0" score = 75 quality = 75 tags = "FILE" 
@@ -229044,13 +229530,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2E8023A5A0328F66656E1Fc251C82680 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b39636db-2156-5ca0-bff5-1d6421fd23bf" + id = "192695ab-2f38-5a0b-98ba-5c800f6b9ec1" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2547-L2558" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5f0ff46d6cb2a6fe50a4e433dfbf8f62acd92b7c92d922680894fdaee2558d31" + logic_hash = "5f0ff46d6cb2a6fe50a4e433dfbf8f62acd92b7c92d922680894fdaee2558d31" score = 75 quality = 75 tags = "FILE" @@ -229067,13 +229553,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_38B0Eaa7C533051A456Fb96C4Ecf91C4 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "836f20be-405e-589c-af5f-41155e45d757" + id = "1133fb37-2616-5d95-83da-554d9a5a5373" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2560-L2571" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3ea8eaf1fc17075a8c1f34f9b1d8a987071d58a4b68bed70db763402a9a6de97" + logic_hash = "3ea8eaf1fc17075a8c1f34f9b1d8a987071d58a4b68bed70db763402a9a6de97" score = 75 quality = 75 tags = "FILE" 
@@ -229090,13 +229576,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_738Db9460A10Bb8Bc03Dc59Feac3Be5E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c9f5485c-056a-587f-8578-6dfd5f55f6e5" + id = "3451fe9d-067a-57ea-9df1-35d427d8c71a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2573-L2584" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6a7060f2a5867e9974cb01de516ef34fb367ef9acf88e2f63c97dd05b1676504" + logic_hash = "6a7060f2a5867e9974cb01de516ef34fb367ef9acf88e2f63c97dd05b1676504" score = 75 quality = 75 tags = "FILE" @@ -229113,13 +229599,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_141D6Dafed065980D97520E666493396 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "13a1357e-8a90-5dc6-8427-367cb5f46819" + id = "1a2e44d7-b801-5c3e-bf74-616f211c6d93" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2586-L2597" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_37ed05b7a472ec6cbc1bba453f3be9ca1bd590ed6470d6607873ef52b28e3ea5" + logic_hash = "37ed05b7a472ec6cbc1bba453f3be9ca1bd590ed6470d6607873ef52b28e3ea5" score = 75 quality = 75 tags = "FILE" 
@@ -229136,13 +229622,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_07Cf63Bdccc15C55E5Ce785Bdfbeaacf : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e86aa8eb-a6e6-52c3-86a2-b58eac77759f" + id = "7bdc16ed-ff95-5e96-bfe9-ad326c77c82a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2599-L2610" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1fdd8f6535bf5a78fcd7e33475a650914053f1391fe04f885e9e5a84452bfe5a" + logic_hash = "1fdd8f6535bf5a78fcd7e33475a650914053f1391fe04f885e9e5a84452bfe5a" score = 75 quality = 75 tags = "FILE" @@ -229159,13 +229645,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0382Cd4B6Ed21Ed7C3Eaea266269D000 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "93629fd0-cd83-5477-9df6-1bd49a8f68c9" + id = "ad4bc1bc-4d72-51bf-a22c-cd98f33f3931" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2612-L2623" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7e8204f2ec30da73bc2eb83e065412c96e084d7ff5f8ab6125d643693d7407d1" + logic_hash = "7e8204f2ec30da73bc2eb83e065412c96e084d7ff5f8ab6125d643693d7407d1" score = 75 quality = 75 tags = "FILE" 
@@ -229182,13 +229668,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_08653Ef2Ed9E6Ebb56Ffa7E93F963235 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e23fe034-fc86-5b49-98c8-12afac13c624" + id = "8883185a-8239-5648-bebc-3a4c3578a7d6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2625-L2636" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b0e35f2dbd27de0dc9ea6ee7958c477e6a154bc4c8bb5484ba85ed5732502645" + logic_hash = "b0e35f2dbd27de0dc9ea6ee7958c477e6a154bc4c8bb5484ba85ed5732502645" score = 75 quality = 75 tags = "FILE" @@ -229205,13 +229691,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ddce8Cdc91B5B649Bb4B45Ffbba6C6C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "84107034-d5af-52d6-a248-4d6124bad8fe" + id = "180b2e63-7151-5899-8c12-7e4cd3bb2e0d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2638-L2649" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_940d257253a0a1a3f70dcec1cb57e9ab08108138ce3b80c9f74228a8b702601c" + logic_hash = "940d257253a0a1a3f70dcec1cb57e9ab08108138ce3b80c9f74228a8b702601c" score = 75 quality = 75 tags = "FILE" 
@@ -229228,13 +229714,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4Af27Cd14F5C809Eec1F46E483F03898 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3c7f2f28-7215-5d01-967a-c0605bde23bf" + id = "e7bbc10b-54fc-5950-99fc-80a459406780" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2651-L2662" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0297f156d1e4d1c20143953759000b286ac9e1f8864aa511e0e2f8fa5c3eac7f" + logic_hash = "0297f156d1e4d1c20143953759000b286ac9e1f8864aa511e0e2f8fa5c3eac7f" score = 75 quality = 75 tags = "FILE" @@ -229251,13 +229737,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_105765998695197De4109828A68A4Ee0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "372bddaa-6f46-5761-aa48-2c3398e846fa" + id = "97a4bad1-9b84-54e3-a1c2-6d01bd4cde4c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2664-L2675" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c251f28eec6f93522f5a3706e1abcfd892affa2b36ed84ec277dc0d4716ff667" + logic_hash = "c251f28eec6f93522f5a3706e1abcfd892affa2b36ed84ec277dc0d4716ff667" score = 75 quality = 75 tags = "FILE" 
@@ -229274,13 +229760,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_53F575F7C33Ee007887F30680486Db5E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "81d8164c-ada5-512c-bbef-1b0d74781648" + id = "8353ac89-1d98-5b05-a851-50d9e42f8f74" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2677-L2688" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_050d8c4dcb80cd637981c208c6d1316e9933d4f06bbf8af3717d2205a4f84f6d" + logic_hash = "050d8c4dcb80cd637981c208c6d1316e9933d4f06bbf8af3717d2205a4f84f6d" score = 75 quality = 75 tags = "FILE" @@ -229297,13 +229783,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7E89B9Df006Bd1Aa4C48D865039634Ca : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "20261414-f7f9-51f6-8d4f-f2f47afa118b" + id = "aa208da9-06e2-5bf5-8453-a545c640efa7" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2690-L2701" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_825e4b69aec565b6ef6b4ac2394f5a562a84615e3c91331934fa378152635df4" + logic_hash = "825e4b69aec565b6ef6b4ac2394f5a562a84615e3c91331934fa378152635df4" score = 75 quality = 75 tags = "FILE" 
@@ -229320,13 +229806,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ddeb53F957337Fbeaf98C4A615B149D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "dffdfea9-5228-5062-9ec8-03ffa836994f" + id = "13347f66-c726-59be-9d0e-871512335bbd" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2703-L2714" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4932dcea41879fd29250456cfef7a32a1303f599adbd4b61d91cb2e7e22cf5a2" + logic_hash = "4932dcea41879fd29250456cfef7a32a1303f599adbd4b61d91cb2e7e22cf5a2" score = 75 quality = 75 tags = "FILE" @@ -229343,13 +229829,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C88Af896B6452241Fe00E3Aaec11B1F8 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ce7e899e-c32e-5c84-9ba9-134bd8df1ba2" + id = "4d73705a-e980-5aa0-a326-e35990226e37" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2716-L2727" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3a5f290f9479189ff83bf5da3a3d086453c9230311a48f4c0bd4654024ebeef8" + logic_hash = "3a5f290f9479189ff83bf5da3a3d086453c9230311a48f4c0bd4654024ebeef8" score = 75 quality = 75 tags = "FILE" 
@@ -229366,13 +229852,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_09E015E98E4Fabcc9Ac43E042C96090D : FILE meta: description = "Detects BestEncrypt commercial disk encryption and wiping software signing certificate" author = "ditekSHen" - id = "af438bd4-24a2-580f-bfe7-102743c2c5cf" + id = "577cff87-b676-598b-acea-e7c01df0ef15" date = "2024-10-04" modified = "2024-10-04" reference = "https://blog.macnica.net/blog/2020/11/dtrack.html" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2729-L2742" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_77f9f50c6dd862419edaa7c3fcee0ce3f607a5b7b939d7844969082ab9777bbf" + logic_hash = "77f9f50c6dd862419edaa7c3fcee0ce3f607a5b7b939d7844969082ab9777bbf" score = 75 quality = 75 tags = "FILE" @@ -229389,13 +229875,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_118D813D830F218C0F46D4Fc : FILE meta: description = "Detects BestEncrypt commercial disk encryption and wiping software signing certificate" author = "ditekSHen" - id = "7894a77d-91cb-5962-8093-d75c8d322392" + id = "b14b14c8-202d-533d-97dc-c6336ddf75c4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2744-L2755" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3240504794394c06f050ef3eb5ef82e0b476e2bbeabfb394fc4646e98bc6e976" + logic_hash = "3240504794394c06f050ef3eb5ef82e0b476e2bbeabfb394fc4646e98bc6e976" score = 75 quality = 75 tags = "FILE" 
@@ -229412,13 +229898,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2304Ecf0Ea2B2736Beddd26A903Ba952 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "94d3ec3b-1c24-5b89-85e3-e704011e1d7b" + id = "3e064799-2333-5d10-8841-8d0a44ad9c1b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2757-L2768" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c10695440ec4e39cf5b51c926ceeacc13caf3a58006c64b0168a04b4755978a6" + logic_hash = "c10695440ec4e39cf5b51c926ceeacc13caf3a58006c64b0168a04b4755978a6" score = 75 quality = 75 tags = "FILE" @@ -229435,13 +229921,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4D78E90E0950Fc630000000055657E1A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6a31e58c-1406-5266-aee6-64810f6ba147" + id = "bb48d309-e7b8-5c39-b989-cce4093b2082" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2770-L2781" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c2a3714173defa7b8e97ea92f8f85fb47011099bdc24067aafa273ebdd282f0f" + logic_hash = "c2a3714173defa7b8e97ea92f8f85fb47011099bdc24067aafa273ebdd282f0f" score = 75 quality = 75 tags = "FILE" 
@@ -229458,13 +229944,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0092Bc051F1811Bb0B86727C36394F7849 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "547f448d-871a-52e7-b667-534ab47c3103" + id = "9ffef880-ed00-54a7-8eb2-995c5c4e74f1" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2783-L2794" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bdf847f95bc6cc50513b76c57c3e76bc17caacd3419baabb2cab0161feb67508" + logic_hash = "bdf847f95bc6cc50513b76c57c3e76bc17caacd3419baabb2cab0161feb67508" score = 75 quality = 75 tags = "FILE" @@ -229481,13 +229967,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_B4F42E2C153C904Fda64C957Ed7E1028 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c0786d64-b3bb-53a1-9f46-9240d27c94a2" + id = "d284b7f0-9728-5755-87d5-f8251903e778" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2796-L2807" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d47f85602234eae7629b778b09ed5c3656c6afa8b6a7ba42cc46f451202a16c0" + logic_hash = "d47f85602234eae7629b778b09ed5c3656c6afa8b6a7ba42cc46f451202a16c0" score = 75 quality = 75 tags = "FILE" 
@@ -229504,13 +229990,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ac307E5257Bb814B818D3633B630326F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4d2fc482-20e4-5ed7-887b-b29f86ad168d" + id = "b6d6c195-cd02-5ecd-82f3-348ab6f26eb5" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2809-L2820" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f187d3084eb189cdd0e858aed1d9589d586f369b128679c6c1dec860e544f326" + logic_hash = "f187d3084eb189cdd0e858aed1d9589d586f369b128679c6c1dec860e544f326" score = 75 quality = 75 tags = "FILE" @@ -229527,13 +230013,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_063A7D09107Eddd8Aa1F733634C6591B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "31c392a3-3475-58d9-ba2d-6e67737e643a" + id = "489daa61-8409-500d-bc46-a42a444fcdc0" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2822-L2833" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8b6c1935d51207e6b9919c85d369dcc6963f52ee4d21758d18e2c57115e9051b" + logic_hash = "8b6c1935d51207e6b9919c85d369dcc6963f52ee4d21758d18e2c57115e9051b" score = 75 quality = 75 tags = "FILE" 
@@ -229550,13 +230036,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4C687A0022C36F89E253F91D1F6954E2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "2a69caee-6809-5f89-b141-6793e5187930" + id = "d4b03832-60f2-5342-8186-3e6c3d7eeb63" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2835-L2846" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0bcbe8c85f02735378b5be95c098ca5088f451e390ec6ce76fb732f0db297c1f" + logic_hash = "0bcbe8c85f02735378b5be95c098ca5088f451e390ec6ce76fb732f0db297c1f" score = 75 quality = 75 tags = "FILE" @@ -229573,13 +230059,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3Cee26C125B8C188F316C3Fa78D9C2F1 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "03a49c5d-d007-57ac-a228-e1cfc71b12a9" + id = "d9271a74-1a04-5863-afc6-4b1d2982f680" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2848-L2859" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_673a275a6d899b5de66d80cb55fa6438c2e14c70a96ba8461eb4946e1f4b4dfa" + logic_hash = "673a275a6d899b5de66d80cb55fa6438c2e14c70a96ba8461eb4946e1f4b4dfa" score = 75 quality = 75 tags = "FILE" 
@@ -229596,13 +230082,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_A0A27Aefd067Ac62Ce0247B72Bf33De3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "78aa7751-5e0f-53e1-abd4-586d4ee07a64" + id = "1e8db3c4-8d32-5a8d-96ac-785d8f703c7d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2861-L2872" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c49e1d8b1a2d0e27fd25574ce587f60770ecac75c1db437bf7538d2ff47c8d4c" + logic_hash = "c49e1d8b1a2d0e27fd25574ce587f60770ecac75c1db437bf7538d2ff47c8d4c" score = 75 quality = 75 tags = "FILE" @@ -229619,13 +230105,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Eee8Cf0A0E4C78Faa03D07470161A90E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "84b95867-f3e1-52d6-ab20-f7ef5ee23768" + id = "a91c84db-99b4-5e24-ba8a-4e009219eb05" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2874-L2885" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5c14eeeab8cf9797499d23f451a695b443ecc8d3ebbc2edb830ae450e444178c" + logic_hash = "5c14eeeab8cf9797499d23f451a695b443ecc8d3ebbc2edb830ae450e444178c" score = 75 quality = 75 tags = "FILE" 
@@ -229642,13 +230128,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_79E1Cc0F6722E1A2C4647C21023Ca4Ee : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "2382664a-894a-5152-a496-bc9e38e1f0f0" + id = "0abbd882-0224-5c94-98b2-870853344883" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2887-L2898" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9d0c02ae3eab7f7c28dba04cd08fdddef2be64a1622d7fb519a4bf3a40ef19b1" + logic_hash = "9d0c02ae3eab7f7c28dba04cd08fdddef2be64a1622d7fb519a4bf3a40ef19b1" score = 75 quality = 75 tags = "FILE" @@ -229665,13 +230151,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6D688Ecf46286Fe4B6823B91384Eca86 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c5385ecf-290f-57a6-adb5-62920e4d2a4a" + id = "4718996b-cb42-5b83-8fdf-d87751302a00" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2900-L2911" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_33296b5b9156af6d95bec9981a9fab3137bcd17bfb26ea2d212ae004275bf42e" + logic_hash = "33296b5b9156af6d95bec9981a9fab3137bcd17bfb26ea2d212ae004275bf42e" score = 75 quality = 75 tags = "FILE" 
@@ -229688,13 +230174,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_9Aa99F1B75A463460D38C4539Fae4F73 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "7ea59a58-0c7b-5c5c-966b-3c5233af589f" + id = "5ffad411-49e2-5691-95e7-1e294a2a101e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2913-L2924" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b73c6ca2c0cd0e09f0add77c3af3c8e16f46cec29b49d4dcab5a569fed8d3d39" + logic_hash = "b73c6ca2c0cd0e09f0add77c3af3c8e16f46cec29b49d4dcab5a569fed8d3d39" score = 75 quality = 75 tags = "FILE" @@ -229711,13 +230197,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_E414655F025399Cca4D7225D89689A04 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6d9b330c-cdf6-513d-8422-80b88d29e0b6" + id = "2df4eb66-4890-540f-95e1-fb69eeb32df2" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2926-L2937" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_589ad4939d235138791a98f5d43f6a786ad14345c995ad2e073d3673fb41365a" + logic_hash = "589ad4939d235138791a98f5d43f6a786ad14345c995ad2e073d3673fb41365a" score = 75 quality = 75 tags = "FILE" 
@@ -229734,13 +230220,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_64F82Ed8A90F92A940Be2Bb90Fbf6F48 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8a7b82ef-305c-5481-b489-25c88f21e8c9"
+ id = "70469507-30f1-56be-90bb-1055f7df2496"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2939-L2950"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_eacb9d8834bdf618b5aa44bfb37b0b6413f9b4595b6261a948566a63e9855162"
+ logic_hash = "eacb9d8834bdf618b5aa44bfb37b0b6413f9b4595b6261a948566a63e9855162"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229757,13 +230243,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00F0031491B673Ecdf533D4Ebe4B54697F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "2b7ab5aa-f32a-5742-b245-c653e85c1590"
+ id = "ad027dc9-14bc-50dd-b260-7672c528ef9a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2952-L2963"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4697ce0a7fcd1fa6ac1dd5246f2a23b85865bef4010280c4ca2e12c433b8ceb2"
+ logic_hash = "4697ce0a7fcd1fa6ac1dd5246f2a23b85865bef4010280c4ca2e12c433b8ceb2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229780,13 +230266,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Becd4Ef55Ced54E5Bcde595D872Ae7Eb : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0d6aee60-98a7-59bf-ac5b-f1ca16c539b1"
+ id = "85835042-a4ab-5cb2-963d-4ef776b740d1"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2965-L2976"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b573853cfb28bdbda37c929834faa15475707684edfe99f14174599faf7b4fb6"
+ logic_hash = "b573853cfb28bdbda37c929834faa15475707684edfe99f14174599faf7b4fb6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229803,13 +230289,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_55B5E1Cf84A89C4E023399784B42A268 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "cd3b4fb8-43b2-5a64-9811-3f8151dc8b16"
+ id = "de2890d4-3758-5e90-a9af-dc519f0b9e4c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2978-L2989"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_37f08db5373cf46da7c0a4a03af21559fdcddb2481f935d5cece55a1fb4abc3c"
+ logic_hash = "37f08db5373cf46da7c0a4a03af21559fdcddb2481f935d5cece55a1fb4abc3c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229826,13 +230312,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_84C3A47B739F1835D35B755D1E6741B5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "2a43dc7a-86e0-51ff-b80f-5fa111e10d77"
+ id = "00fba5a5-b87d-54f7-a5b8-f7b377af2202"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L2991-L3002"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6beb0966f2ed981c2e1a859ff9f659a566de867888123c387eeb89a97620345e"
+ logic_hash = "6beb0966f2ed981c2e1a859ff9f659a566de867888123c387eeb89a97620345e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229849,13 +230335,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_28F6Ca1F249Cfb6Bdb16Bc57Aaf0Bd79 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3ee6c40d-4c5b-5a2d-b3cb-9536a6d2d99c"
+ id = "b0568efe-d0cc-528d-a9b4-fdb8106c3d0f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3004-L3015"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c27ad7caa87b366593b82ff5e2b38bda5383e178e2cc01121aaaa5e90beaec86"
+ logic_hash = "c27ad7caa87b366593b82ff5e2b38bda5383e178e2cc01121aaaa5e90beaec86"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229872,13 +230358,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2C3E87B9D430C2F0B14Fc1152E961F1A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "d385df48-db47-5f42-a0e4-695fc19be2a2"
+ id = "8e686e58-8fc5-50cf-9259-dcd70f5cc27b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3017-L3028"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_43a8f2d9055091f930af456abd334e38fb6a98bee3bfb8dcbf84c9563c777101"
+ logic_hash = "43a8f2d9055091f930af456abd334e38fb6a98bee3bfb8dcbf84c9563c777101"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229895,13 +230381,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4808C88Ea243Eefa47610D5F5F0D02A2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f42b9a64-02a5-5b70-9aca-74ed23fe11e3"
+ id = "ea3aadc6-3edd-5e4b-adfe-824103531deb"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3030-L3041"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9fa722bfed0c31e263772615799bbdc054da1424b139c7d73e5755334fb86346"
+ logic_hash = "9fa722bfed0c31e263772615799bbdc054da1424b139c7d73e5755334fb86346"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229918,13 +230404,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2F184A6F054Dc9F7C74A63714B14Ce33 : FILE
 meta:
 description = "Detects executables signed AprelTech Silent Install Builder certificate"
 author = "ditekSHen"
- id = "4439803a-a3d2-53b0-98d0-ef81de04b16f"
+ id = "17797e5c-acf2-5c4e-b3e0-c48fb7bff996"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3043-L3054"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d14428b81b4ae4a77a517d2148f4b67b45963b71d998139b42ed4e4352fae6a5"
+ logic_hash = "d14428b81b4ae4a77a517d2148f4b67b45963b71d998139b42ed4e4352fae6a5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229941,13 +230427,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ced72Cc75Aa0Ebce09Dc0283076Ce9B1 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "a7793c20-8876-570d-9c03-c9699b9949da"
+ id = "7482c8a9-22d7-5ecf-951c-83818e2aeda7"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3056-L3067"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_47fceb2a79271011bc6feed209ef4021db155dbc0fd4891f0dc1e900f2cb7fdb"
+ logic_hash = "47fceb2a79271011bc6feed209ef4021db155dbc0fd4891f0dc1e900f2cb7fdb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229964,13 +230450,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C4564802095258281A284809930Dcf43 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "599929e8-2cc6-5343-9f90-601318eb82a5"
+ id = "f70f481c-f5cf-5767-9fb0-0adecd0dc1f3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3069-L3080"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_547613d507b04e3bd944515c77cb6ec161fe008b8e2b43cda574a46cbe2ef5ef"
+ logic_hash = "547613d507b04e3bd944515c77cb6ec161fe008b8e2b43cda574a46cbe2ef5ef"
 score = 75
 quality = 75
 tags = "FILE"
@@ -229987,13 +230473,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3D31Ed3B22867F425Db86Fb532Eb449F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "5f1516d1-6979-5c5d-83ab-a439490573f8"
+ id = "a9924b9e-381a-58b2-8839-fcafeb730a32"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3082-L3093"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e3ec4fcd47867b688241dee693bcec98e633e179757ec8e7afd755c7d53a0cd7"
+ logic_hash = "e3ec4fcd47867b688241dee693bcec98e633e179757ec8e7afd755c7d53a0cd7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230010,13 +230496,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_531549Ed4D2D53Fc7E1Beb47C6B13D58 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "764117c6-66ff-5728-9e57-e9b0d9d9e331"
+ id = "6aec64ae-cda3-57e8-94c6-07c1e07d34ad"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3095-L3106"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_554574657a913dbe0c576dbfcdd93a2494f2ffccf51eaabf06e5fafe2a895c3a"
+ logic_hash = "554574657a913dbe0c576dbfcdd93a2494f2ffccf51eaabf06e5fafe2a895c3a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230033,13 +230519,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_8035Ed9C58Ea895505B05Ff926D486Bc : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0365389b-e5e7-5d22-a03f-04eb0cde3773"
+ id = "35b5d9a1-eaa8-53d8-9917-9a688fb95a04"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3108-L3119"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_caf1c962a0f4bd6c90753c6f1f0a2acadafa5fde6c7dacd02a3ca5cc15446ab4"
+ logic_hash = "caf1c962a0f4bd6c90753c6f1f0a2acadafa5fde6c7dacd02a3ca5cc15446ab4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230056,13 +230542,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Ca646B4275406Df639Cf603756F63D77 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "4c9c1297-143f-5b55-b37d-f994640f9dd0"
+ id = "46603413-3e03-57d0-a141-1fee730de6c5"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3121-L3135"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_564ca7048413d6cd65371d65906132f62386410442b36b8bafeac5e09917465f"
+ logic_hash = "564ca7048413d6cd65371d65906132f62386410442b36b8bafeac5e09917465f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230079,13 +230565,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E267Fdbdc16F22E8185D35C437F84C87 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "deae0261-0df8-5938-8bc1-32d1793af4a3"
+ id = "520e335d-4b9f-5006-959a-1510312807be"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3137-L3148"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_403f0f8a65997d27494d7ac4aa99cf5ebb1471839f67b2f8b380225a0263fd67"
+ logic_hash = "403f0f8a65997d27494d7ac4aa99cf5ebb1471839f67b2f8b380225a0263fd67"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230102,13 +230588,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Taffias : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0806b402-d7e2-545d-aad8-65222255f3b8"
+ id = "7ace9b76-104c-511a-801b-0c2d5860eaba"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3150-L3161"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dc6b65757ceb3818101c8694680d1f44af3726876bef30843cfc2cb51ec6ea02"
+ logic_hash = "dc6b65757ceb3818101c8694680d1f44af3726876bef30843cfc2cb51ec6ea02"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230125,13 +230611,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_9F2492304Fc9C93844Dea7E5D6F0Ec77 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "810fe4e9-dd83-5ca4-9ac5-18ef525c2a0d"
+ id = "73acca59-8362-5d34-b28a-71d141d3013a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3163-L3174"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9c76d5756cc79e96d194addc0e2c2c11fa4341ffa9df8f171f35df76cb9c56c0"
+ logic_hash = "9c76d5756cc79e96d194addc0e2c2c11fa4341ffa9df8f171f35df76cb9c56c0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230148,13 +230634,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Dca9012634E8B609884Fe9284D30Eff5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "a87a28e5-fca3-593e-bceb-ed48297a95c7"
+ id = "f22ef616-c7f1-5036-b303-ef8ae038ec4f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3176-L3189"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b5d663228a27d5dae46f9f03bd04833b129fc453852cb9cb9fe43e405cdcecca"
+ logic_hash = "b5d663228a27d5dae46f9f03bd04833b129fc453852cb9cb9fe43e405cdcecca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230171,13 +230657,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_781Ec65C3E38392D4C2F9E7F55F5C424 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "70ce8431-50fb-50fb-83ac-d554cf3e268c"
+ id = "d056fb18-e641-50bb-af86-ea124203f16c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3191-L3202"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_00b01a874e29fd2e25200f5e50c7121c3cc4bca614c31dd149d6197088292b35"
+ logic_hash = "00b01a874e29fd2e25200f5e50c7121c3cc4bca614c31dd149d6197088292b35"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230194,13 +230680,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Bd1E93D5787A737Eef930C70986D2A69 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "91c548df-b5a1-5dca-a4c9-f39ed02119a7"
+ id = "3b5ec355-9d68-5285-bda0-ddd379ad1cf8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3204-L3215"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0332d05f0f53ad22516fd41cb10238ad0b92ef49011e9e71a82fa2da1de5e953"
+ logic_hash = "0332d05f0f53ad22516fd41cb10238ad0b92ef49011e9e71a82fa2da1de5e953"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230217,13 +230703,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_B0009Bb062F52Eb6001Ba79606De243D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "de65aa83-970e-532b-a165-b48f7727200c"
+ id = "41293f0b-604a-5993-8b05-9ca639828eec"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3217-L3228"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_111a08d62f483daf23220e7044cc291b6ea6922746d48934f72a892b7dfd762b"
+ logic_hash = "111a08d62f483daf23220e7044cc291b6ea6922746d48934f72a892b7dfd762b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230240,13 +230726,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_294E7A2Ccfc28Ed02843Ecff25F2Ac98 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f4003a49-2575-5f50-af02-97ad617c2bf9"
+ id = "ae3c0758-7863-54eb-a94f-3c86d5d34d21"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3230-L3241"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_75c3093978875c7e523525a3b64bf985139359d9696fdb9dbd7db3e915043194"
+ logic_hash = "75c3093978875c7e523525a3b64bf985139359d9696fdb9dbd7db3e915043194"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230263,13 +230749,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_A61B5590C2D8Dc70A31F8Ea78Cda4353 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "6e6b6898-4d0d-57a5-bf3e-27dd3c9a64b4"
+ id = "0a22b3a5-cc61-5aec-9fc7-bbd03cd4ab03"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3243-L3254"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7d57f5cb2691d8dfb5f5ef63f7bfb4290f0bd8d990c61fe0655e35c1b3f554f0"
+ logic_hash = "7d57f5cb2691d8dfb5f5ef63f7bfb4290f0bd8d990c61fe0655e35c1b3f554f0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230286,13 +230772,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_21C9A6Daff942F2Db6A0614D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "22463e8f-2058-5109-8090-9d9d125b01d1"
+ id = "e09476f7-d48d-58e5-aeca-fffacf569243"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3256-L3267"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c466a829d8141ba40187309559f62af73ea47e325eb95ef4c634bac60167788b"
+ logic_hash = "c466a829d8141ba40187309559f62af73ea47e325eb95ef4c634bac60167788b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230309,13 +230795,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1F55Ae3Fca38827Cde6Cc7Ca1C0D2731 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "31ec9682-3826-596f-9e33-b5ab881a40e6"
+ id = "8a32fa5d-671e-5012-9de1-6afc21751b94"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3269-L3280"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1aa7c6c5430f196d1031acabfe141c30044c23c4119619752c50f4665966606e"
+ logic_hash = "1aa7c6c5430f196d1031acabfe141c30044c23c4119619752c50f4665966606e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230332,13 +230818,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008D1Bae9F7Aef1A2Bcc0D392F3Edf3A36 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7cdce7c1-03b7-53a1-8771-d5f6c23ed8b9"
+ id = "8d1e7615-f462-56eb-9198-30b868572cf1"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3282-L3293"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6b15f97a51f25b1292cc3fd80889ea1edb01814d1951ef1d3b4cac5e83c7fbca"
+ logic_hash = "6b15f97a51f25b1292cc3fd80889ea1edb01814d1951ef1d3b4cac5e83c7fbca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230355,13 +230841,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_239Ba103C2943D2Dff5E3211D6800D09 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "10a2a4cb-4bbe-5813-b775-ac8515b21127"
+ id = "1444a44e-2f45-547f-a5fc-0941edd506bc"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3295-L3306"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b155ba969334945013af40fbf43b8318a221f6212c4a29e0ee98bc02bb9acafb"
+ logic_hash = "b155ba969334945013af40fbf43b8318a221f6212c4a29e0ee98bc02bb9acafb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230378,13 +230864,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_205B80A74A5Dddedea6B84A1E1C44010 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "556a7a7f-3be7-51a8-8b66-b3776a503d1d"
+ id = "43e34fe4-e580-572e-a14e-5ee58b3bf594"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3308-L3319"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1af8527193acdbcb3ba0239879c3b23c6ba4e68d920ae4d5ce503d44e32991f7"
+ logic_hash = "1af8527193acdbcb3ba0239879c3b23c6ba4e68d920ae4d5ce503d44e32991f7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230401,13 +230887,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6C8D0Cf4D1593Ee8Dc8D34Be71E90251 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "96fc5d6d-e81f-5b82-95fb-97a90cf838c5"
+ id = "fe5cbea2-1704-550c-bd2e-82defba20f24"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3321-L3332"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_981e4b426e926bd042f25a50de40d3e3462ed5fec0cf7261523b314b908a1276"
+ logic_hash = "981e4b426e926bd042f25a50de40d3e3462ed5fec0cf7261523b314b908a1276"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230424,13 +230910,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7D08A74747557D6016Aaaf47A679312F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "d33f3203-b94d-5470-b7bd-3ff2feed45bb"
+ id = "031cf958-1c37-5190-8fbd-6896f1048c9a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3334-L3345"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ff7c9635b9b43bef7401861d5dbf984d1e2aa1ea9e4d3df9ad348c552767628e"
+ logic_hash = "ff7c9635b9b43bef7401861d5dbf984d1e2aa1ea9e4d3df9ad348c552767628e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230447,13 +230933,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2095C6F1Eadb65Ce02862Bd620623B92 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "795f2f1d-4ebf-536d-a71c-e1b4dd363cc9"
+ id = "c44d8942-569b-50c6-8363-0576c7d54dfb"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3347-L3358"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0b75d8c59486d197f2cdff298114a7367bb6ad4cf71ee28273e0946e42d3f7e8"
+ logic_hash = "0b75d8c59486d197f2cdff298114a7367bb6ad4cf71ee28273e0946e42d3f7e8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230470,13 +230956,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_899E32C9Bf2B533B9275C39F8F9Ff96D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e7ca5444-8ef9-5a06-a916-36a4beb138f9"
+ id = "62ecae58-7576-5170-8eb5-2becd292e5de"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3373-L3384"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c5fe3726fd19d050e762cc9e4e2099e74e3780c89a75dab55c12e16bfecd8642"
+ logic_hash = "c5fe3726fd19d050e762cc9e4e2099e74e3780c89a75dab55c12e16bfecd8642"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230493,13 +230979,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0B5759Bc22Ad2128B8792E8535F9161E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "2c6e1390-1d3a-5e42-8054-b13e54952f0b"
+ id = "c35c4e07-73d9-54d6-a8cb-1558502a82e9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3386-L3397"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1ee543c204e5bf004224a2010f8cfd3196bb9c1e96de350548403224eaa502f6"
+ logic_hash = "1ee543c204e5bf004224a2010f8cfd3196bb9c1e96de350548403224eaa502f6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230516,13 +231002,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_630Cf0E612F12805Ffa00A41D1032D7C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "08ddd847-b13f-54c2-9139-c9a0bac7b63e"
+ id = "1c3e2b33-24e5-584c-b375-96c1e653a3ca"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3399-L3410"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2256858ae75c47568fc6a38e2a587d302d99dd396dd398a450eaa6459ed55d13"
+ logic_hash = "2256858ae75c47568fc6a38e2a587d302d99dd396dd398a450eaa6459ed55d13"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230539,13 +231025,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_603Bce30597089D068320Fc77E400D06 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0a2d0591-ba4c-535c-b38c-40615f19db8a"
+ id = "0f2a2411-f3d4-5959-8470-d7424d714c1d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3412-L3423"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1e13c78cec21a015d9593b492ce5040f93247be63c079bfece96a3a74055aeba"
+ logic_hash = "1e13c78cec21a015d9593b492ce5040f93247be63c079bfece96a3a74055aeba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230562,13 +231048,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5D5D03Edb4Ec4E185Caa3041824Ab75C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "2b1d7e38-c85f-5357-823d-c5511518a6ad"
+ id = "e1c93911-5c7c-5fe8-aed3-014a9bb7379e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3425-L3436"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_863a1496ce37449fa7e94c407ce0e63a9d727fef9094135715d0cb14ed442e5e"
+ logic_hash = "863a1496ce37449fa7e94c407ce0e63a9d727fef9094135715d0cb14ed442e5e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230585,13 +231071,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Aec009984Fa957F3F48Fe3104Ca9Babc : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f3ff773e-08e1-5c01-93ce-38bc98d9354a"
+ id = "76b5d6b6-f443-55b5-b353-88201fe09e1f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3438-L3449"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_de9008e30468b94b4afbc622403b0257f5c5e3964344b980c18fc95219e06667"
+ logic_hash = "de9008e30468b94b4afbc622403b0257f5c5e3964344b980c18fc95219e06667"
 score = 75
 quality = 75
 tags = "FILE"
@@ -230608,13 +231094,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_283518F1940A11Caf187646D8063D61D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6c536e45-cee8-5afb-9f42-4bd9b26bf935" + id = "cf5f7f11-3af6-577b-9a5e-eafe2de34e2b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3451-L3462" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7db16bc44059e2538eb896011598a599c6aead90fb873c530ce8f5391e440164" + logic_hash = "7db16bc44059e2538eb896011598a599c6aead90fb873c530ce8f5391e440164" score = 75 quality = 75 tags = "FILE" @@ -230631,13 +231117,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_72F3E4707B94D0Eef214384De9B36E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f0cf814b-211a-5c41-b126-cbd9c8303c86" + id = "bf02ea89-b3f3-58a1-8bcd-1a23b3c96b68" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3464-L3475" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c2a310ff70012076856239b5b5e6b46ffa121479dea38815e61f5336cecf8868" + logic_hash = "c2a310ff70012076856239b5b5e6b46ffa121479dea38815e61f5336cecf8868" score = 75 quality = 75 tags = "FILE" 
@@ -230654,13 +231140,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D875B3E3F2Db6C3Eb426E24946066111 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a9d578e5-d82e-546a-a4f4-7ea012a466f0" + id = "a44cde8b-904b-5f1a-8cdb-4a8b16a42669" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3477-L3488" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_470424bf28b723063be5d6801ee27b0f3748b761f9005616dcab4bd864db5463" + logic_hash = "470424bf28b723063be5d6801ee27b0f3748b761f9005616dcab4bd864db5463" score = 75 quality = 75 tags = "FILE" @@ -230677,13 +231163,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3990362C34015Ce4C23Ecc3377Fd3C06 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "80ed2f49-e9c6-59df-925e-44670210f955" + id = "e76824c2-6ee7-5117-a83f-0b8e4f2d3b61" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3490-L3501" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5e91a10f5027cae35524bef326edf7d5bf3df5bbc37c111b01e33f7667b03ce3" + logic_hash = "5e91a10f5027cae35524bef326edf7d5bf3df5bbc37c111b01e33f7667b03ce3" score = 75 quality = 75 tags = "FILE" 
@@ -230700,13 +231186,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_54A6D33F73129E0Ef059Ccf51Be0C35E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "2bbda6f3-9af2-532d-ad91-3ecd58bc28ac" + id = "7b010276-718f-5168-bd8c-414252996fe6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3503-L3514" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_93b332e4ad4e13c7e8241cf866091708232a6555a9240d828e558688167359a0" + logic_hash = "93b332e4ad4e13c7e8241cf866091708232a6555a9240d828e558688167359a0" score = 75 quality = 75 tags = "FILE" @@ -230723,13 +231209,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A55C15F733Bf1633E9Ffae8A6E3B37D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "633df735-07a3-53b7-9a8d-67471f4525a0" + id = "86d8453b-115d-59f8-8123-5aff071ec3dd" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3516-L3527" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a772edb12dc0c351bb4d11f3e6ab3d9705af156ebeb4b8fff281bb418bfa1764" + logic_hash = "a772edb12dc0c351bb4d11f3e6ab3d9705af156ebeb4b8fff281bb418bfa1764" score = 75 quality = 75 tags = "FILE" 
@@ -230746,13 +231232,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00F675139Ea68B897A865A98F8E4611F00 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3a3f4d3a-d832-5e02-8fc2-cc17b5990f91" + id = "7035ed66-73f9-568e-9698-13d9bbede64e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3529-L3540" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9893e21fd2d5a475c9defb484921de17f4afc00619be413b9d5d55095e7f596a" + logic_hash = "9893e21fd2d5a475c9defb484921de17f4afc00619be413b9d5d55095e7f596a" score = 75 quality = 75 tags = "FILE" @@ -230769,13 +231255,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_121Fca3Cfa4Bd011669F5Cc4E053Aa3F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c48fad91-9045-51e4-87da-0b08952a3be9" + id = "be18fe1a-f810-5153-b565-97a0e33cf406" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3542-L3553" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c5f7f23d9ba35bed3540233217e18b84c5ac0528fd3fe809c162fce6ccce0791" + logic_hash = "c5f7f23d9ba35bed3540233217e18b84c5ac0528fd3fe809c162fce6ccce0791" score = 75 quality = 75 tags = "FILE" 
@@ -230792,13 +231278,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_62B80Fc5E1C02072019C88Ee356152C1 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "0b99017f-fb2f-5c03-9647-2f1605fbd2c7" + id = "08db7669-c3d6-5f27-988e-96e9fc0a60f3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3555-L3566" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c06e31f5a071ff7c87af216d22bffa2970372fa341ad2593ef0c3c6a71dac945" + logic_hash = "c06e31f5a071ff7c87af216d22bffa2970372fa341ad2593ef0c3c6a71dac945" score = 75 quality = 75 tags = "FILE" @@ -230815,13 +231301,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_F0E150C304De35F2E9086185581F4053 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1d9d3a31-3123-59b4-a7f3-a1b7a715ecc4" + id = "d2a5cd5b-1e4a-5714-bff2-08f2c958cd0b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3581-L3592" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fe3d5d57d0a98414e3e4f35248d3ebf64617c16a4119a21883c3679b06146745" + logic_hash = "fe3d5d57d0a98414e3e4f35248d3ebf64617c16a4119a21883c3679b06146745" score = 75 quality = 75 tags = "FILE" 
@@ -230838,13 +231324,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_A1A3E7280E0A2Df12F84309649820519 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6a5b8193-ce57-57c8-9541-9702a232e9a3" + id = "71ad82d6-e45e-52a9-b1ff-f00cfe7b5186" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3594-L3605" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5c656fa5a6671f717cda5433c8780d308f11b7937e5ff66b4f3f74623b217365" + logic_hash = "5c656fa5a6671f717cda5433c8780d308f11b7937e5ff66b4f3f74623b217365" score = 75 quality = 75 tags = "FILE" @@ -230861,13 +231347,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1Fb984D5A7296Ba74445C23Ead7D20Aa : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e75423d0-6790-591a-9dba-4ce22371d05b" + id = "1e290f81-11ab-5d5f-ab7a-c703c875bde4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3607-L3618" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ff29013eb20bccbec16107404fc18b07c87ac5269b788c48a49a490271e94052" + logic_hash = "ff29013eb20bccbec16107404fc18b07c87ac5269b788c48a49a490271e94052" score = 75 quality = 75 tags = "FILE" 
@@ -230884,13 +231370,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C314A8736F82C411B9F02076A6Db4771 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f3161f35-2c04-5ca8-a39c-31df0b945d7d" + id = "0a8af16c-f232-5e09-9825-0e8203ba7b45" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3620-L3631" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8aa08c4d1da62d0629db6e29f7a730da3534f114620e30f8d89e5475c12f43de" + logic_hash = "8aa08c4d1da62d0629db6e29f7a730da3534f114620e30f8d89e5475c12f43de" score = 75 quality = 75 tags = "FILE" @@ -230907,13 +231393,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5F7Ef778D51Cd33A5Fc0D2E035Ccd29D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4b168816-e80e-5d06-8384-8ac2ff4791ec" + id = "95b1cba9-9625-55da-a321-08cdd4d3056f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3633-L3644" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9b57fd9840dceea97a2f013f803e8639add6c6b01f3764b65b3c1fe60ae0dd57" + logic_hash = "9b57fd9840dceea97a2f013f803e8639add6c6b01f3764b65b3c1fe60ae0dd57" score = 75 quality = 75 tags = "FILE" 
@@ -230930,13 +231416,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ab1D5E43E4Dde77221381E21A764C082 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c744dfda-5e35-5208-bb8c-ef166a38d60d" + id = "55135b31-93d7-512f-8506-51e49bc3dc92" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3646-L3657" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3746c3494dca7fd2e0c7ab6641fe9ebbb8519df755022a3bde99c192158e4299" + logic_hash = "3746c3494dca7fd2e0c7ab6641fe9ebbb8519df755022a3bde99c192158e4299" score = 75 quality = 75 tags = "FILE" @@ -230953,13 +231439,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4743E140C05B33F0449023946Bd05Acb : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "10a15324-fa26-53a1-bbd5-507df077177e" + id = "f3e8046a-0df7-5a67-a363-02961ec1545b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3659-L3670" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_be8764a008743f8ca8c1a5760c5daa7f6896c8710f5f79f9d5b42b07ef0d5fa8" + logic_hash = "be8764a008743f8ca8c1a5760c5daa7f6896c8710f5f79f9d5b42b07ef0d5fa8" score = 75 quality = 75 tags = "FILE" 
@@ -230976,13 +231462,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2C1Ee9B583310B5E34A1Ee6945A34B26 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "cf39b525-22c7-58f2-917a-92296cc40b82" + id = "0cc94ceb-a5bf-511a-bcd0-136b5d35c348" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3672-L3683" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4891757929b64b45591792dd2526ffb7588345f76bcbd3e47f567e72ba03d7f2" + logic_hash = "4891757929b64b45591792dd2526ffb7588345f76bcbd3e47f567e72ba03d7f2" score = 75 quality = 75 tags = "FILE" @@ -230999,13 +231485,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D338F8A490E37E6C2Be80A0E349929Fa : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "7f1a32d0-ed29-546f-9e14-9827b1cc6da3" + id = "5bb542de-637f-58a4-b96a-f20dba7be1b7" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3685-L3696" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ed7a48df55f2d7873795470b9074421f4008d715db07978c79b174fc3f2a801a" + logic_hash = "ed7a48df55f2d7873795470b9074421f4008d715db07978c79b174fc3f2a801a" score = 75 quality = 75 tags = "FILE" 
@@ -231022,13 +231508,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_778906D40695F65Ba518Db760Df44Cd3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "22e413d4-bfe6-5e71-84b6-778f05e7508c" + id = "87f5a591-ed92-5ee8-99f8-04afe302609e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3698-L3709" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2687ec82b9c968dca91b8f54c600fae794d01be43a31cce4b0e6ef63672870fd" + logic_hash = "2687ec82b9c968dca91b8f54c600fae794d01be43a31cce4b0e6ef63672870fd" score = 75 quality = 75 tags = "FILE" @@ -231045,13 +231531,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_45Eb9187A2505D8E6C842E6D366Ad0C8 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b3d63758-4459-50a0-98c8-32e772aed695" + id = "75494bb2-fa70-5983-a75c-067b06c597e5" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3711-L3722" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a900017eb33db455b94e3474ce3a2f1ebf6416ff21477a464aba68d32fd7c938" + logic_hash = "a900017eb33db455b94e3474ce3a2f1ebf6416ff21477a464aba68d32fd7c938" score = 75 quality = 75 tags = "FILE" 
@@ -231068,13 +231554,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Cbc2Af7D82295A8535F3B26B47522640 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4afe4123-0455-53c6-8013-f75651ff0de9" + id = "d4f422a7-2b1c-5db0-ad9b-1eb8b3a75e3c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3724-L3735" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6d9fb9b36bc4370851fd0f54bb9fb05e02fc7a6288355b57073c31b1feade41e" + logic_hash = "6d9fb9b36bc4370851fd0f54bb9fb05e02fc7a6288355b57073c31b1feade41e" score = 75 quality = 75 tags = "FILE" @@ -231091,13 +231577,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ca1D9391Cf5Fe3E696831D98D6C35A6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3cb5028d-f4be-5b39-b0ad-ac69c13b3483" + id = "e2f026d6-031d-5058-a7f1-fc492ea47908" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3737-L3748" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4c60dea4fe28c2799dc88712275e62a795c848120c4b463109942b8d9bc29a81" + logic_hash = "4c60dea4fe28c2799dc88712275e62a795c848120c4b463109942b8d9bc29a81" score = 75 quality = 75 tags = "FILE" 
@@ -231114,13 +231600,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_43A36A26Ebc78E111A874D8211A95E3F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "62f42897-1192-5d62-a0cc-041fde577d36" + id = "651ca649-c707-59d2-b482-5ca6d1e569b0" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3750-L3761" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2588c91e1cce7e595e4237843b03f3e65427b4c3ea634e9a4f8249e9c9f49dbe" + logic_hash = "2588c91e1cce7e595e4237843b03f3e65427b4c3ea634e9a4f8249e9c9f49dbe" score = 75 quality = 75 tags = "FILE" @@ -231137,13 +231623,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5172Caa2119185382343Fcbe09C43Bee : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a58c3335-db60-54fe-b226-7ae05978032c" + id = "54f38317-2d36-54ec-a3fc-04f8b0fc5529" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3763-L3774" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7aa1447bd0ac43ac29ed69bd6618c3695bfb50517a7ffce7d4e793ae0c5e0fa6" + logic_hash = "7aa1447bd0ac43ac29ed69bd6618c3695bfb50517a7ffce7d4e793ae0c5e0fa6" score = 75 quality = 75 tags = "FILE" 
@@ -231160,13 +231646,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_009245D1511923F541844Faa3C6Bfebcbe : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3bfbfe5a-f992-500e-8ad5-cc0983a799d7" + id = "db876459-a0d2-542f-8f7e-a486ba68aeb4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3776-L3787" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8d2c186b3aaaf353857e67ffd51a785e674335e824be78fc1c2ae1b9a0532eae" + logic_hash = "8d2c186b3aaaf353857e67ffd51a785e674335e824be78fc1c2ae1b9a0532eae" score = 75 quality = 75 tags = "FILE" @@ -231183,13 +231669,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E161F76Da3B5E4623892C8E6Fda1Ea3D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b1793332-7697-56f0-a717-c588b5613d9b" + id = "a010cf24-b29a-5613-8122-92ced507564f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3789-L3800" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7aae91e2873633989b3716930354361ee56d7fd7af35e105ae15ed6bf87de67a" + logic_hash = "7aae91e2873633989b3716930354361ee56d7fd7af35e105ae15ed6bf87de67a" score = 75 quality = 75 tags = "FILE" 
@@ -231206,13 +231692,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_009Faf8705A3Eaef9340800Cc4Fd38597C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "9ca87827-d808-57d7-ae5a-f723452dae3c" + id = "5b85e806-6b13-5356-a225-23399b947114" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3802-L3813" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_41c6561ef50950c7a5b4107b788e0469f77b9905b777edb24501649e4c313bd6" + logic_hash = "41c6561ef50950c7a5b4107b788e0469f77b9905b777edb24501649e4c313bd6" score = 75 quality = 75 tags = "FILE" @@ -231229,13 +231715,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2888Cf0F953A4A3640Ee4Cfc6304D9D4 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "56bf4b03-a1bc-5824-aa0f-c51bfa880b33" + id = "4c3153e4-d3ce-5e87-8e72-969cba972e26" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3815-L3826" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5e0d1b74422ae1004b0054c161d1dc949bb368ac17575e33c9b6d550bb136126" + logic_hash = "5e0d1b74422ae1004b0054c161d1dc949bb368ac17575e33c9b6d550bb136126" score = 75 quality = 75 tags = "FILE" 
@@ -231252,13 +231738,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C8Edcfe8Be174C2F204D858C5B91Dea5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "fbb66734-0688-56ca-bcfe-36e802c08751" + id = "196da268-b9a3-562c-ad68-67d17ea94ccf" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3828-L3839" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_56801a71547218413ab48381c412a8e1b7fd41a9f7a7c85dc6debdc38a19d6c4" + logic_hash = "56801a71547218413ab48381c412a8e1b7fd41a9f7a7c85dc6debdc38a19d6c4" score = 75 quality = 75 tags = "FILE" @@ -231275,13 +231761,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1A311630876F694Fe1B75D972A953Bca : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6e2b0ceb-b2a9-5a26-bf2f-668e67ad668b" + id = "2a39397f-1585-5f7f-a2a9-aab62d29a2b2" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3841-L3852" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f14532caf49e6f46f75e42e334d3170db0ebebfe75c9f3e057c237691b5d86a2" + logic_hash = "f14532caf49e6f46f75e42e334d3170db0ebebfe75c9f3e057c237691b5d86a2" score = 75 quality = 75 tags = "FILE" 
@@ -231298,13 +231784,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00A496Bc774575C31Abec861B68C36Dcb6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "be197683-7b7b-5b03-86a1-a6f16472b0a7" + id = "2415bf62-15d4-562a-a448-682474d89af0" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3854-L3865" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bf5282687f4707bc16d388361ddc0af1102df0d29066ece0b57215fcf9fdcc94" + logic_hash = "bf5282687f4707bc16d388361ddc0af1102df0d29066ece0b57215fcf9fdcc94" score = 75 quality = 75 tags = "FILE" @@ -231321,13 +231807,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ea720222D92Dc8D48E3B3C3B0Fc360A6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ce65fc3d-4bc7-5172-bd4e-9a92f3abfb66" + id = "2e43e98a-61f8-5f93-a415-52cb6453620d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3867-L3878" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_97b2699d4cb0fd88e3440ea82dd6ea87cdac69c6ba2acd884f5aef577b55e79d" + logic_hash = "97b2699d4cb0fd88e3440ea82dd6ea87cdac69c6ba2acd884f5aef577b55e79d" score = 75 quality = 75 tags = "FILE" 
@@ -231344,13 +231830,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_333Ca7D100B139B0D9C1A97Cb458E226 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e7687d7b-60cd-5888-b740-e6600465011e" + id = "dd5b3eb8-81c0-570d-9ec8-6a55eb7864f9" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3880-L3891" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4519127b975d93297cca9b465ad88b3d38ad0fce0de182246dca3f000e2438be" + logic_hash = "4519127b975d93297cca9b465ad88b3d38ad0fce0de182246dca3f000e2438be" score = 75 quality = 75 tags = "FILE" @@ -231367,13 +231853,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_58Ec8821Aa2A3755E1075F73321756F4 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c23b7c9e-bcab-59be-b758-bc60a53de832" + id = "efa0e5c6-773a-5740-b7f9-ec10a92b1623" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3893-L3904" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b79f161c77cbae0bec55fb2b047983660c84d2bb93db8c91cb6c22fd4ad197cc" + logic_hash = "b79f161c77cbae0bec55fb2b047983660c84d2bb93db8c91cb6c22fd4ad197cc" score = 75 quality = 75 tags = "FILE" 
@@ -231390,13 +231876,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0940Fa9A4080F35052B2077333769C2F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1e707abb-b224-56ce-96df-431a51156524" + id = "2cc722de-97ff-53d1-9436-dc88c844186b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3906-L3917" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3ecf6982c779a5fd867fef4b753313e379151491fa8865e8ae20f0c9362431a2" + logic_hash = "3ecf6982c779a5fd867fef4b753313e379151491fa8865e8ae20f0c9362431a2" score = 75 quality = 75 tags = "FILE" @@ -231413,13 +231899,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_56Fff139Df5Ae7E788E5D72196Dd563A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1fb00ed2-f99c-549f-a3e1-2402537e0eb3" + id = "7cdca79f-5bf3-5768-b034-4d3bb177ffc9" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3919-L3930" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_022fd24ba023dba06f1c63d1d1c90d17dc82b060d634a27b237d37e37455964f" + logic_hash = "022fd24ba023dba06f1c63d1d1c90d17dc82b060d634a27b237d37e37455964f" score = 75 quality = 75 tags = "FILE" 
@@ -231436,13 +231922,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_03D433Fdc2469E9Fd878C80Bc0545147 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ebb67ea8-e5ef-5834-9bc5-710746a2244e" + id = "4f793397-2768-5b34-a9f5-9100dccfa80e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3932-L3943" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fde125138ade8ab1a61544b90160f2c1d4bba3a09ffcf828768f98d925ab91c6" + logic_hash = "fde125138ade8ab1a61544b90160f2c1d4bba3a09ffcf828768f98d925ab91c6" score = 75 quality = 75 tags = "FILE" @@ -231459,13 +231945,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Be3F393D1Ef0272Aed0E2319C1B5Dd0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5d6bef9c-ed75-56f0-89ec-3239da8cff86" + id = "2be05341-c7a2-58fd-9211-8d3a912a7d5c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3945-L3956" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a7ff863b07d5ce011bdbcf86a3f562e8201926c138848544559bd1d16597ff95" + logic_hash = "a7ff863b07d5ce011bdbcf86a3f562e8201926c138848544559bd1d16597ff95" score = 75 quality = 75 tags = "FILE" 
@@ -231482,13 +231968,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_65628C146Ace93037Fc58659F14Bd35F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "4d2f5df4-643e-5d23-8bfe-535f4550db0b"
+ id = "9104836a-3385-5b78-9e1d-705b7ed4b721"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3958-L3969"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a6b4cc307d6e6f4d5d275ef0765a7082216b1d277c9b1328abe7cb2c2497e411"
+ logic_hash = "a6b4cc307d6e6f4d5d275ef0765a7082216b1d277c9b1328abe7cb2c2497e411"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231505,13 +231991,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0084817E07288A5025B9435570E7Fec1D3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "62627740-265c-58a1-bfc6-dc75e49094ba"
+ id = "31528b27-4a0c-5e97-b201-07e89248196a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3971-L3982"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_89da849911c6d6a3b6d45166bd9975828887b50ee149dea4cbae9cc5c0ecf6d2"
+ logic_hash = "89da849911c6d6a3b6d45166bd9975828887b50ee149dea4cbae9cc5c0ecf6d2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231528,13 +232014,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4D26Bab89Fcf7Ff9Fa4Dc4847E563563 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e077fb43-37e1-58b6-8ddf-63594eb27d50"
+ id = "168281bf-35ad-542a-adb4-20d719e31e2d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3984-L3995"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3eadf6eda2819101a370688d636250085915be3ebf1b3dec7a86d12a6a5ce681"
+ logic_hash = "3eadf6eda2819101a370688d636250085915be3ebf1b3dec7a86d12a6a5ce681"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231551,13 +232037,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D9D419C9095A79B1F764297Addb935Da : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "c960976e-aeeb-5905-8f57-e64abdeefa49"
+ id = "7c45a78c-2cde-5200-81fd-239effef7fe6"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L3997-L4008"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dd35b48752eec01e1bfff182410da9a857735e0052e9c1a0d7c366dbee808d3c"
+ logic_hash = "dd35b48752eec01e1bfff182410da9a857735e0052e9c1a0d7c366dbee808d3c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231574,13 +232060,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_02E44D7D1D38Ae223B27A02Bacd79B53 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "dd4d88c5-e17c-5944-8e90-873deee2d533"
+ id = "7f2ad143-c46b-58cb-9fe5-c7bb9c6d9234"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4010-L4021"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7ab506b2e4a716bc6f7115a071f46df4ea4ac88a4b636506a13ac0d383664e58"
+ logic_hash = "7ab506b2e4a716bc6f7115a071f46df4ea4ac88a4b636506a13ac0d383664e58"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231597,13 +232083,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_041868Dd49840Ff44F8E3D3070568350 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "7c810670-f8fa-5e50-93fc-89eaf511b4c2"
+ id = "2cfbae1f-9c8a-5263-b9d6-5be27fdca822"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4023-L4034"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_80abb596d96cb388bf3ff23598fc889d4c14cccf262d01f10a5be3a738a4907e"
+ logic_hash = "80abb596d96cb388bf3ff23598fc889d4c14cccf262d01f10a5be3a738a4907e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231620,13 +232106,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C501B7176B29A3Cb737361Cf85414874 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b1a7c64e-2b9a-5dcf-9152-c50fe6aacce6"
+ id = "8bebf02c-de14-5488-8720-5fc98b0799bd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4036-L4047"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f3eb67b39e0e4e12388f17d231fadfc2ea36b1568191a411950c2e24c32ed09c"
+ logic_hash = "f3eb67b39e0e4e12388f17d231fadfc2ea36b1568191a411950c2e24c32ed09c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231643,13 +232129,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_234Bf4Ef892Df307373638014B35Ab37 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e2dff650-5284-5cbd-b882-cb43727f647d"
+ id = "af403af3-2c10-5742-80f2-c507695106a2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4049-L4060"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d01dbb798b309927e666e5e68c56c6eeabad7ccbc427d62f0507597c6e9e7aa7"
+ logic_hash = "d01dbb798b309927e666e5e68c56c6eeabad7ccbc427d62f0507597c6e9e7aa7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231666,13 +232152,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C650Ae531100A91389A7F030228B3095 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "478be0d2-5793-5098-912c-37575c72b595"
+ id = "80ee9422-190d-5a4e-9a4c-fb8d1b2e2f8c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4062-L4073"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e5afd76711e1b466d7eba742f50c7f9551498796f0aca45566bd9686034efac3"
+ logic_hash = "e5afd76711e1b466d7eba742f50c7f9551498796f0aca45566bd9686034efac3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231689,13 +232175,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4F8Ebbb263F3Cbe558D37118C43F8D58 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f1f7ab0c-dd6f-5f59-bff2-9b36f2a51cc7"
+ id = "c273f7e4-8c88-5205-be4b-3a8e8bed144e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4075-L4086"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e502e7e08fa82f8bd1b2b15c34999ece6b3d59d75ab1a4dda05b4b9440c49b7c"
+ logic_hash = "e502e7e08fa82f8bd1b2b15c34999ece6b3d59d75ab1a4dda05b4b9440c49b7c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231712,13 +232198,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_01Ea62E443Cb2250C870Ff6Bb13Ba98E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "21295193-5e84-5c42-9b3f-d3221cd725c6"
+ id = "40c5f73b-70b6-5db7-8060-01ad77e5f319"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4088-L4099"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dbf281989fb89976f83e0e2395f02c1e8c4c9ec5f96095786d9c6406518eb315"
+ logic_hash = "dbf281989fb89976f83e0e2395f02c1e8c4c9ec5f96095786d9c6406518eb315"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231735,13 +232221,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_726Ee7F5999B9E8574Ec59969C04955C : FILE
 meta:
 description = "Detects IntelliAdmin commercial remote administration signing certificate"
 author = "ditekSHen"
- id = "cc252b68-00b5-5844-8762-f2fbd9d99b6a"
+ id = "5e88abd2-97d5-5271-ace5-6b7cb2cd6633"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4101-L4112"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_494afa3711d93c56d52b8ae944db737cb53db8d27f2255c7045c3bf4478995a3"
+ logic_hash = "494afa3711d93c56d52b8ae944db737cb53db8d27f2255c7045c3bf4478995a3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231758,13 +232244,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A005D2E2Bcd4137168217D8C727747C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "98e71087-8bc5-5857-863e-d99bebd2b4bd"
+ id = "c3888d90-0c09-539a-9155-a60e4670320d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4114-L4125"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b4024cd0d6c9a86d3956b9ba5d9692fc7ec2d7aa399a56a0b12f9387801a0b08"
+ logic_hash = "b4024cd0d6c9a86d3956b9ba5d9692fc7ec2d7aa399a56a0b12f9387801a0b08"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231781,13 +232267,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D3D74Ae548830D5B1Bca9856E16C564A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "90d52cf6-c91d-55a3-955b-e05cda8b410c"
+ id = "692ef744-9609-5cb1-b425-3bacf012fcdb"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4127-L4138"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c72f10af530a6af4526ad956ef6058d097417a8fe3b902e3c7cba27b04e0c2c1"
+ logic_hash = "c72f10af530a6af4526ad956ef6058d097417a8fe3b902e3c7cba27b04e0c2c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231804,13 +232290,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_41F8253E1Ceafbfd8E49F32C34A68F9E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1a30a76a-f03b-5828-91a8-a6bf4971b9f5"
+ id = "84bd03de-88cd-5180-af11-916dbecd0366"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4140-L4151"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_53f71030815dcdda8424fe858d26a08cf947a683e69c50ea5fda53f51b88bb93"
+ logic_hash = "53f71030815dcdda8424fe858d26a08cf947a683e69c50ea5fda53f51b88bb93"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231827,13 +232313,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A5B4F67Ad8B22Afc2Debe6Ce5F8F679 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "4ae9792c-5fbd-577a-b1d2-b13729702d15"
+ id = "e1cc3d27-4f76-58a8-8dd6-fd8dbe48252e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4153-L4164"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_19cf46c112b546c26f12891727fdbc74aaa78bbdcdbc4e041781394f4cf5f719"
+ logic_hash = "19cf46c112b546c26f12891727fdbc74aaa78bbdcdbc4e041781394f4cf5f719"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231850,13 +232336,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_65Cd323C2483668B90A44A711D2A6B98 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b6489511-a4ba-53f7-b3f1-efda2dd8cc85"
+ id = "b976e930-cf9a-5b0f-9a1b-c35c3f134bdd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4166-L4177"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e0a9868f9a42aeb8f90aff540a73bc8fa1bfebbf8ee6c0c71bd921cf914e0875"
+ logic_hash = "e0a9868f9a42aeb8f90aff540a73bc8fa1bfebbf8ee6c0c71bd921cf914e0875"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231873,13 +232359,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0F7E3Fda780E47E171864D8F5386Bc05 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0d4250b2-a7f4-5ba0-a889-9106d6fc3201"
+ id = "33b8ce54-fa2c-5aac-9022-2309f7fc4a86"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4192-L4203"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_30e2daf85ee7f9f9615a49af949a034b50a97a1a7abf6a318547809cc9e7b0b7"
+ logic_hash = "30e2daf85ee7f9f9615a49af949a034b50a97a1a7abf6a318547809cc9e7b0b7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231896,13 +232382,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C2Cbbd946Bc3Fdb944D522931D61D51A : FILE
 meta:
 description = "Detects executables signed with Sordum Software certificate, particularly Defender Control"
 author = "ditekSHen"
- id = "0b4b1abf-529e-53d1-a58e-c34140c2004a"
+ id = "b8ccfb1a-4e3f-5823-af38-e1607458023e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4231-L4242"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6e67835cf85c713ef5a21b866a277e90236c607fb67d3fd9b2bba627c31d9e97"
+ logic_hash = "6e67835cf85c713ef5a21b866a277e90236c607fb67d3fd9b2bba627c31d9e97"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231919,13 +232405,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6E3B09F43C3A0Fd53B7D600F08Fae2B5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "6f6deefc-6e67-5a8a-a8d6-9520544f4e1b"
+ id = "d23e7b9b-4424-50c5-a768-9cb33e0de192"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4244-L4255"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_45e2833dedacd875912d07dc63216400ddff76846f9c7bdf808f1db56ed4720c"
+ logic_hash = "45e2833dedacd875912d07dc63216400ddff76846f9c7bdf808f1db56ed4720c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231942,13 +232428,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Aa12C95D2Bcde0Ce141C6F1145B0D7Ef : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3ea27677-d551-5ea7-9106-c7c5738c7621"
+ id = "66ef7681-7467-5c9f-8e0b-749a9711f15a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4257-L4268"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_34edd92640d8059f074513b526c7a2bf0d9265af9466a2ae66b93255044744c4"
+ logic_hash = "34edd92640d8059f074513b526c7a2bf0d9265af9466a2ae66b93255044744c4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231965,13 +232451,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_03E9Eb4Dff67D4F9A554A422D5Ed86F3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "09e92411-53cd-50db-b0b7-2f9600c58d92"
+ id = "b76ab1af-01f9-5d03-8d5e-7314a7a2de43"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4270-L4281"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a56f53cb94f78496b4935fc2a613d030bd550b749427501dd9dda18cb9e05ab3"
+ logic_hash = "a56f53cb94f78496b4935fc2a613d030bd550b749427501dd9dda18cb9e05ab3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -231988,13 +232474,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4A7F07C5D4Ad2E23F9E8E03F0E229Dd4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "d11f3284-0dcd-5628-b6e3-32e80e6268c3"
+ id = "4e39ae25-c62c-5018-9780-d1549b10942f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4283-L4294"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2493dfe7e5a993a573c7b3c2f2642a8834feb525b3fc8402315a63ac09b9fccd"
+ logic_hash = "2493dfe7e5a993a573c7b3c2f2642a8834feb525b3fc8402315a63ac09b9fccd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232011,13 +232497,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C6D7Ad852Af211Bf48F19Cc0242Dcd72 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0acfe608-d35f-5b20-a19a-f04ed3f7f033"
+ id = "1aca90d4-6cb6-5bcd-a4c9-e8f8cddc0d04"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4296-L4307"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e10de48bfa1edec81157eb95ef3478346c22dd6f7ef163e30887d3c7bb580c5e"
+ logic_hash = "e10de48bfa1edec81157eb95ef3478346c22dd6f7ef163e30887d3c7bb580c5e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232034,13 +232520,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0084888D5A12228E8950683Ecdab62Fe7A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "57afe284-8b67-5122-892b-8b0e5e5a31a5"
+ id = "5036d604-55df-565a-b6db-c788da007ea8"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4309-L4320"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4deda791923cdacccf57d54651ca44bd8c04d053a11ccf5700354f9f37be17de"
+ logic_hash = "4deda791923cdacccf57d54651ca44bd8c04d053a11ccf5700354f9f37be17de"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232057,13 +232543,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_709D547A2F09D39C4C2334983F2Cbf50 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8c45a1c9-52bf-5859-a90a-76980cea3e35"
+ id = "e3b2ab8b-be90-5593-843f-59f2d626e604"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4322-L4333"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f45a2047181f3f07a8fb9cc00aafc31ba7aa369fc5c0165557757306a0de0d44"
+ logic_hash = "f45a2047181f3f07a8fb9cc00aafc31ba7aa369fc5c0165557757306a0de0d44"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232080,13 +232566,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_98A04Ea05E8A949A4D880D0136794Df3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "ccd0843a-ddf0-5c9c-be23-4d85d7ddbb74"
+ id = "cda10dcf-bc46-56d9-a4b5-60a76249334c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4335-L4346"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_05c63386558b954da3cfec1fd514a7a567189d9ac33d818cbbabf3eaf72ed130"
+ logic_hash = "05c63386558b954da3cfec1fd514a7a567189d9ac33d818cbbabf3eaf72ed130"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232103,13 +232589,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2355895F1759E9E3648026F4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1108f023-db22-5fbd-833d-da562e10f0e9"
+ id = "d716ed7f-8886-587d-a868-805da13bb925"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4348-L4360"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_429375af70872755ab2d517b125042795c9a20238405a4af5b0caecc46a3f563"
+ logic_hash = "429375af70872755ab2d517b125042795c9a20238405a4af5b0caecc46a3f563"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232127,13 +232613,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00818631110B5D14331Dac7E6Ad998B902 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "fdc846b6-2d65-54cd-8d08-cc1d91a57d6b"
+ id = "15efa9cf-5457-5b04-abee-8f86721c5d56"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4376-L4390"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ee82090ceb1378b44c283586d0f0b6ec0d9779fab2497b0168acec8e5546a4a8"
+ logic_hash = "ee82090ceb1378b44c283586d0f0b6ec0d9779fab2497b0168acec8e5546a4a8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232150,13 +232636,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7Ab21306B11Ff280A93Fc445876988Ab : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3f7bf900-84c9-51bb-b8b6-fec7ae150e03"
+ id = "583fccef-3ad5-5f9a-a030-d6bf9ebed00f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4392-L4403"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_aa93d36d472d24cdd937c323ffa048fc71984fcf8a13400618ec8a0f2c172fc0"
+ logic_hash = "aa93d36d472d24cdd937c323ffa048fc71984fcf8a13400618ec8a0f2c172fc0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232173,13 +232659,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0086909B91F07F9316984D888D1E28Ab76 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8b0a3064-67c8-5ac2-a78d-170c5ff15c96"
+ id = "58b191cc-82f2-5ad3-8d1e-91c7528880c6"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4405-L4416"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_eb8807437edbbba52a928de4ebf0a25513127bd9800088e0d85e41c8375a05b1"
+ logic_hash = "eb8807437edbbba52a928de4ebf0a25513127bd9800088e0d85e41c8375a05b1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232196,13 +232682,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D4Ef1Ab6Ab5D3Cb35E4Efb7984Def7A2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b63af8b6-c362-5933-b122-58a766dd3234"
+ id = "d96df78b-3824-5f94-8a32-87dfd9cd585f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4418-L4429"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_845abc1f08a4d56b32477fbe8855f45633833c68f4255d0690f10cc23c167e84"
+ logic_hash = "845abc1f08a4d56b32477fbe8855f45633833c68f4255d0690f10cc23c167e84"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232219,13 +232705,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_13039Da3B2924B7A8B0A2Ac4637C2Efa : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "38ad56f1-681e-565e-9af0-7ed9edc6712f"
+ id = "9621584b-a115-5b96-8de5-15776232cdb2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4431-L4442"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7492f2a50effae809b512ce7a2a769f3db62ab3573974206b729417cc629ca83"
+ logic_hash = "7492f2a50effae809b512ce7a2a769f3db62ab3573974206b729417cc629ca83"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232242,13 +232728,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2Abd2Eef14D480Dfea9Ca9Fdd823Cf03 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "783a02d4-71e6-5cd0-838f-52067bb6518a"
+ id = "5e17d055-26d7-5dde-a905-9d03fb164fa2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4444-L4455"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5f0f5dac599923f385fcd8e8b14349263cabe1c83242fe097d9fb26ea0567c1a"
+ logic_hash = "5f0f5dac599923f385fcd8e8b14349263cabe1c83242fe097d9fb26ea0567c1a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232265,13 +232751,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_08622B9Dd9D78E67678Ecc21E026522E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "af9fa5ea-ad95-5998-81d6-2c90cfe46ec4"
+ id = "922282e9-9f34-537b-9fd1-283ae44b9b54"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4457-L4468"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7e572c4241d92ad34efd91c3f6338da4093c83d84a734766448ac7cb2a72bc0c"
+ logic_hash = "7e572c4241d92ad34efd91c3f6338da4093c83d84a734766448ac7cb2a72bc0c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232288,13 +232774,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5A17D5De74Fd8F09Df596Df3123139Bb : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "841e42be-5168-5b8a-b719-ddb0b12e7e4a"
+ id = "871d9840-4540-58d3-980e-d356c856dbca"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4470-L4481"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f5ff9f7d857da3329708ba9c0bfac0999b04aeb170fb60387f4b48fa6029a641"
+ logic_hash = "f5ff9f7d857da3329708ba9c0bfac0999b04aeb170fb60387f4b48fa6029a641"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232311,13 +232797,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_15Da61D7E1A631803431561674Fb9B90 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8d8dc2a8-291f-5ac3-a346-382144817f02"
+ id = "d1fd8200-0960-567d-9bb6-2bd1ed99f61b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4483-L4494"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4d30a4bf1b0425081369351df707be0531dcc1751512d9012a859b621d61a1b3"
+ logic_hash = "4d30a4bf1b0425081369351df707be0531dcc1751512d9012a859b621d61a1b3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232334,13 +232820,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_58Aa64564A50E8B2D6E31D5Cd6250Fde : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "dbaec48e-20a4-5691-b823-fbe1461796bc"
+ id = "b6eff323-241a-5f11-837f-bfacdc547d89"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4496-L4507"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7383dfc8b22379dc69cd1d93d2da40e177ba1e3b0b8b8891afb8ce594269d170"
+ logic_hash = "7383dfc8b22379dc69cd1d93d2da40e177ba1e3b0b8b8891afb8ce594269d170"
 score = 75
 quality = 75
 tags = "FILE"
@@ -232357,13 +232843,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Bbd4Dc3768A51Aa2B3059C1Bad569276 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b2bf7f7d-9d69-5420-a881-f06c377e01c1" + id = "cb5214b4-1af5-5b31-b690-6531139e92b1" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4509-L4520" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d506c2d6e630fabe1d4b805cd31aa54b04959db80630f656b3460c869ad544fa" + logic_hash = "d506c2d6e630fabe1d4b805cd31aa54b04959db80630f656b3460c869ad544fa" score = 75 quality = 75 tags = "FILE" @@ -232380,13 +232866,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3A236F003Bdefc0C55Aa42D9C6C0B08E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a761bef8-54be-5491-a1c5-24ef8ac91afb" + id = "02c95d8f-f694-5d0f-bf79-b806334e8af3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4522-L4533" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9930b2d3fdbd2f6da17d78dfbfe6229f0bd004686e4cc4960720710241237e48" + logic_hash = "9930b2d3fdbd2f6da17d78dfbfe6229f0bd004686e4cc4960720710241237e48" score = 75 quality = 75 tags = "FILE" 
@@ -232403,14 +232889,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_010000000001302693Cb45 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "236b3542-6eb9-530a-8312-e071c5d7977d" + id = "0ab8e30d-dd75-5dd1-9bc8-413e59d5d310" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4535-L4547" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "74069d20e8b8299590420c9af2fdc8856c14d94929c285948585fc89ab2f938f" - logic_hash = "v1_sha256_74c5d88012ab3e975123cde51ae3d01b6bee1ad0d6c0f5492c507fb2472b7532" + logic_hash = "74c5d88012ab3e975123cde51ae3d01b6bee1ad0d6c0f5492c507fb2472b7532" score = 75 quality = 75 tags = "FILE" @@ -232427,13 +232913,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3F8D23C136Ae9Cbeeac7605B24Ec0391 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "59b63b4d-cc43-591b-ab94-e4e31eac3243" + id = "86617b78-86b0-59dc-a072-cb4acecd60e1" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4565-L4576" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f074e141e07cbf6b5b4726b52faa382b8ece809804dcfb9d45a5b2450125b5b7" + logic_hash = "f074e141e07cbf6b5b4726b52faa382b8ece809804dcfb9d45a5b2450125b5b7" score = 75 quality = 75 tags = "FILE" 
@@ -232450,13 +232936,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3972443Af922B751D7D36C10Dd313595 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "428a658e-23e2-5af6-9cb5-f3705d0870cd" + id = "21ada866-167a-54d5-a137-7720de32520e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4578-L4589" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_764d0a288edd3bac90c0b93319f4f8ff8a7d567cda42aa52fe6114f4e56216ad" + logic_hash = "764d0a288edd3bac90c0b93319f4f8ff8a7d567cda42aa52fe6114f4e56216ad" score = 75 quality = 75 tags = "FILE" @@ -232473,13 +232959,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_37F3384B16D4Eef0A9B3344B50F1D8A3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "737e87b3-e0a3-5a10-b1fe-540cb14a29e9" + id = "a7eef803-2c9e-5f23-acde-22ae2223fec2" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4591-L4602" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4496052ff9677e0d031471e4ae9b3541099a2dbe024b4b5ba3f757800bfdcb07" + logic_hash = "4496052ff9677e0d031471e4ae9b3541099a2dbe024b4b5ba3f757800bfdcb07" score = 75 quality = 75 tags = "FILE" 
@@ -232496,13 +232982,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B3969Cd6B2F913Acc99C3F61Fc14852F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "13d7ce98-b004-5255-854a-68b9247e973a" + id = "2cd4cee3-0adc-595f-b86f-7c515cd0ea64" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4604-L4619" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4ee7f3da2ae707517c1c426e6a73fdede51514e4ddf60b93fd77c1b6c23e82c0" + logic_hash = "4ee7f3da2ae707517c1c426e6a73fdede51514e4ddf60b93fd77c1b6c23e82c0" score = 75 quality = 75 tags = "FILE" @@ -232520,13 +233006,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0D83E7F47189Cdbfc7Fa3E5F58882329 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "de07441d-d70e-59e0-8f39-46e38686af22" + id = "6574aab4-f307-53c2-8cf7-bcc7565facc8" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4621-L4632" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c4dffcad286e161980ccec2188459b8b7eaf0e982c7c69ca5ffbaf8e4d85d1b4" + logic_hash = "c4dffcad286e161980ccec2188459b8b7eaf0e982c7c69ca5ffbaf8e4d85d1b4" score = 75 quality = 75 tags = "FILE" 
@@ -232543,13 +233029,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008385684419Ab26A3F2640B1496E1Fe94 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d716263b-41d5-57b2-b825-82cf4b67be05" + id = "5aa92ac6-241f-54a1-b828-f8a5deb6d212" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4634-L4645" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7c9de438d5c7156052e30ce70310aaa989ff1896f7b34ffc6c4fd8fc2bc60b85" + logic_hash = "7c9de438d5c7156052e30ce70310aaa989ff1896f7b34ffc6c4fd8fc2bc60b85" score = 75 quality = 75 tags = "FILE" @@ -232566,13 +233052,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1Aec3D3F752A38617C1D7A677D0B5591 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3583df49-73af-5ead-b8ce-6fe38450b4cc" + id = "8e1bb307-733c-5626-98f6-a5c2587bf800" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4647-L4658" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4bbe5aac8a470061abab48070fafd2100c577cab1f40fcc5924dbd13bc747487" + logic_hash = "4bbe5aac8a470061abab48070fafd2100c577cab1f40fcc5924dbd13bc747487" score = 75 quality = 75 tags = "FILE" 
@@ -232589,13 +233075,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_E5B2Af04Ea4B84A94609A47Eba3164Ec : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "22c6203f-01be-5949-a62c-78dcda890156" + id = "ea78ae13-cd9f-578a-95e4-906ab7045faf" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4660-L4671" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2e32bb0d9689625cd860a75539961410241de341ad4b7ee661df7d3b2dd47c46" + logic_hash = "2e32bb0d9689625cd860a75539961410241de341ad4b7ee661df7d3b2dd47c46" score = 75 quality = 75 tags = "FILE" @@ -232612,13 +233098,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Dummy01 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3bbaf54f-82c2-513d-953a-979afd41922b" + id = "eaf3bbdd-72b4-513c-9a5b-04f16292fa00" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4673-L4687" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c72ac977ef92feead0a7ec72ec99b1a11f20b8c5258a08842a4dceddff91d659" + logic_hash = "c72ac977ef92feead0a7ec72ec99b1a11f20b8c5258a08842a4dceddff91d659" score = 75 quality = 75 tags = "FILE" 
@@ -232638,13 +233124,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00A7E1Dc5352C3852C5523030F57F2425C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "dfdadbe5-3891-57e6-bd1a-24a000ec08a0" + id = "fba8f1a8-ca08-5d6f-a83e-c817daf94703" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4689-L4700" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_06c151ae8b4a45eccef028ea69f0adf74445bd4d871fc65cc1d308f2005cede1" + logic_hash = "06c151ae8b4a45eccef028ea69f0adf74445bd4d871fc65cc1d308f2005cede1" score = 75 quality = 75 tags = "FILE" @@ -232661,13 +233147,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_635517466B67Bd4Bba805Bc67Ac3328C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ed1c0644-f9e0-569c-a214-e1da37f03520" + id = "b7533186-b5dc-53ce-912b-39bd42c92071" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4702-L4713" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_71cdb314e2f6bda70f9f627d72aea49290fdbce66f76a170aa6571873ca82860" + logic_hash = "71cdb314e2f6bda70f9f627d72aea49290fdbce66f76a170aa6571873ca82860" score = 75 quality = 75 tags = "FILE" 
@@ -232684,13 +233170,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_A2253Aeb5B0Ff1Aecbfd412C18Ccf07A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8b2e4423-937e-58aa-a99f-ff6c11dae315" + id = "82d70dae-97e7-5fa3-8a91-de6143fa2164" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4729-L4740" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_357de1cbdf3223dfb1a920bfb15bbbd66906de5225c0ed015e5a3fbbbb65a753" + logic_hash = "357de1cbdf3223dfb1a920bfb15bbbd66906de5225c0ed015e5a3fbbbb65a753" score = 75 quality = 75 tags = "FILE" @@ -232707,13 +233193,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_21E3Cae5B77C41528658Ada08509C392 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "cefc516d-33f3-5c02-9012-c094b03dabe3" + id = "bd97478f-1b75-542d-814c-8d318d745240" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4742-L4753" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c860e888b19b98c40cf00babfb022a79a35f12def0077733e796b2aeeea324ea" + logic_hash = "c860e888b19b98c40cf00babfb022a79a35f12def0077733e796b2aeeea324ea" score = 75 quality = 75 tags = "FILE" 
@@ -232730,13 +233216,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_09B3A7E559Fcb024C4B66B794E9540Cb : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "95bb1c0e-2572-5f72-8602-f113b3efcf59" + id = "5e1057d4-a40c-5e48-8965-91fd533c04dc" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4790-L4802" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_345abbb31986fe3f8f6b7eb05c73d4d42daa9df6a7706b9cd2fb4f8aac61d40b" + logic_hash = "345abbb31986fe3f8f6b7eb05c73d4d42daa9df6a7706b9cd2fb4f8aac61d40b" score = 75 quality = 75 tags = "FILE" @@ -232754,13 +233240,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_19Beff8A6C129663E5E8C18953Dc1F67 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f6df7365-a97b-59ea-ba21-61065b312d56" + id = "8bc27a0c-898d-510f-ad9d-78d5bab40cad" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4804-L4815" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e62c4ab0652f872887b7bedadba3306c831351f57bc4a177302b1268d823f9f4" + logic_hash = "e62c4ab0652f872887b7bedadba3306c831351f57bc4a177302b1268d823f9f4" score = 75 quality = 75 tags = "FILE" 
@@ -232777,13 +233263,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Cf2D0B5Bfdd68Cf777A0C12F806A569 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "68355a05-f255-5425-bc91-b50e487ffe52" + id = "610f4147-9b32-5d96-bf27-10a8e0c3c347" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4817-L4828" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d3e625c05e974650bb9750f6dadbbba5825a34ea10902c807b9da457902d2b59" + logic_hash = "d3e625c05e974650bb9750f6dadbbba5825a34ea10902c807b9da457902d2b59" score = 75 quality = 75 tags = "FILE" @@ -232800,13 +233286,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_56F008E69A7C4C3Feb389C66Eaf58259 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c5c77878-7ef0-5dd3-96fe-37fd1d16f8cc" + id = "bcd0cd8e-82ec-5d20-85d1-cbad455b6d90" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4830-L4841" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3ba02eb734b461b02744c5fc901e45f4574249607398fb8a73850d5d5e89788b" + logic_hash = "3ba02eb734b461b02744c5fc901e45f4574249607398fb8a73850d5d5e89788b" score = 75 quality = 75 tags = "FILE" 
@@ -232823,13 +233309,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_279B3A26F16A069Aa7Bca1811D44Ad9B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "fbc94c0b-5235-563c-9b7e-87dc586c14dc" + id = "3ead1500-d510-5a9b-8a19-19f9f7f2cf95" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4857-L4873" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5a01fd3db421a4b41318fa1264e8bc621ddeddb44b82b8f0b15e97eccec616e8" + logic_hash = "5a01fd3db421a4b41318fa1264e8bc621ddeddb44b82b8f0b15e97eccec616e8" score = 75 quality = 75 tags = "FILE" @@ -232851,13 +233337,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_07Cef66A71C35Bc3Aed6D100C6493863 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "770fa57d-65e3-5533-80bd-3c659ff7db11" + id = "e07b0a2c-64ff-5e12-9f19-00a67a13fb89" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4875-L4886" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_24b89e65bc9d60a60e57f749735214c462e56c3194906e4bca52d74463617be4" + logic_hash = "24b89e65bc9d60a60e57f749735214c462e56c3194906e4bca52d74463617be4" score = 75 quality = 75 tags = "FILE" 
@@ -232874,13 +233360,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D3356318924C8C42959Bf1D1574E6482 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ed69bb3d-af1e-5486-9fbe-95e76852d136" + id = "7e23e9cf-5a34-55bb-a88d-4c0aef411372" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4888-L4899" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_86ca8da7e9e704f64be8ecd9e270108337d28b540ba8cd669a8d536ccfefea95" + logic_hash = "86ca8da7e9e704f64be8ecd9e270108337d28b540ba8cd669a8d536ccfefea95" score = 75 quality = 75 tags = "FILE" @@ -232897,13 +233383,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_038Fc745523B41B40D653B83Aa381B80 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "7c36fca2-c45e-5f64-8f4a-b25840a3c241" + id = "ed7581eb-52e7-5216-86a2-079bc5741b05" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4901-L4912" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b760525c38610b8a5cc990335122eab81cb895dc523908ef841c5c3117a1a372" + logic_hash = "b760525c38610b8a5cc990335122eab81cb895dc523908ef841c5c3117a1a372" score = 75 quality = 75 tags = "FILE" 
@@ -232920,13 +233406,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ac0A7B9420B369Af3Ddb748385B981 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "50fb30cc-52d6-5da3-b4c7-e4ecde36ee88" + id = "0935fd31-3d8f-57d2-a00e-ad7d5cdbe12d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4914-L4925" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_47dca0d0b84dd0d210cf7fdda3bcce796d090e5de3f4266bbed01eebdd397bfa" + logic_hash = "47dca0d0b84dd0d210cf7fdda3bcce796d090e5de3f4266bbed01eebdd397bfa" score = 75 quality = 75 tags = "FILE" @@ -232943,13 +233429,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00913Ba16962Cd7Eee25965A6D0Eeffa10 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "729cd386-846c-585a-a39f-6e317152ee2b" + id = "7a053089-44c8-5f30-8eee-dcd4ba24efe8" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4927-L4938" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a2e729c053d1a9d5895dc2247ea0804525f8f1744875d5c2f96b4255ad325dc5" + logic_hash = "a2e729c053d1a9d5895dc2247ea0804525f8f1744875d5c2f96b4255ad325dc5" score = 75 quality = 75 tags = "FILE" 
@@ -232966,13 +233452,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_F44A91704F9Ea388446D2635F2A8C8A5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b3db00fc-01bb-5960-8137-5e3a28b3bfce" + id = "52f08ec1-fb83-59bc-bb90-2ae12245c0f7" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4940-L4953" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_cec66648ecde5b11a2a20674b2e1f10c8b917ebeb26ddba0ead2b6af45c8519b" + logic_hash = "cec66648ecde5b11a2a20674b2e1f10c8b917ebeb26ddba0ead2b6af45c8519b" score = 75 quality = 75 tags = "FILE" @@ -232991,13 +233477,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_029685Cda1C8233D2409A31206F78F9F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6b86b849-f47d-5e26-b3d4-096182b52925" + id = "2c1d858b-3adc-5c05-bc72-2a6f12f7245e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4955-L4966" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a7eec901d92d6126cbc4468d7f2fbccc905f550c7dc8d28b405f583cfde9aea3" + logic_hash = "a7eec901d92d6126cbc4468d7f2fbccc905f550c7dc8d28b405f583cfde9aea3" score = 75 quality = 75 tags = "FILE" 
@@ -233014,13 +233500,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Aebe117A13B8Bca21685Df48C74F584D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "12f81e29-f950-512b-89b3-69d7feaca1b6" + id = "2b9c40e8-9c0e-523d-b746-4e31d0a780e0" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4968-L4979" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_cb17c6f311d88125ad0c790c61fe0dd1ffbdefdbea45ffb54c47da5d98f99900" + logic_hash = "cb17c6f311d88125ad0c790c61fe0dd1ffbdefdbea45ffb54c47da5d98f99900" score = 75 quality = 75 tags = "FILE" @@ -233037,13 +233523,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_38989Ec61Ecdb7391Ff5647F7D58Ad18 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f73e986b-5a25-574d-a2e1-807c15c8e060" + id = "40c742ec-f683-57fe-bb35-7c44617f9199" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4981-L4992" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f2108c41c814a815047268d9934a01231936a1cf73cbb92476eb96c9fe4b1091" + logic_hash = "f2108c41c814a815047268d9934a01231936a1cf73cbb92476eb96c9fe4b1091" score = 75 quality = 75 tags = "FILE" 
@@ -233060,13 +233546,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D08D83Ff118Df3777E371C5C482Cce7B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1127dca7-06f1-5665-a2c4-1472fbbfb563" + id = "d4857ec5-2c99-51f8-a5b8-938c8d83169e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L4994-L5005" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b6c7f5c57c79d11132535bedce77276f67c4f854f5e8ef2c12aced64f8a188d0" + logic_hash = "b6c7f5c57c79d11132535bedce77276f67c4f854f5e8ef2c12aced64f8a188d0" score = 75 quality = 75 tags = "FILE" @@ -233083,13 +233569,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_249E3F1B7595E7D0Fe6Df13303287343 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d0389d45-919d-5131-afdb-4a958b795c72" + id = "3f780428-a482-5201-a7ca-d3608779a5e4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5007-L5018" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4df122a53f2c1a08d1694c8e64b802f58507bb985f1aed8c91e6d7ad24906fca" + logic_hash = "4df122a53f2c1a08d1694c8e64b802f58507bb985f1aed8c91e6d7ad24906fca" score = 75 quality = 75 tags = "FILE" 
@@ -233106,13 +233592,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_31D852F5Fca1A5966B5Ed08A14825C54 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "fb459784-680a-5c46-81e8-9e7bde6f10c6" + id = "8d65caa2-ce28-5f9b-b8a5-3fe903dd5628" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5020-L5031" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e2890f8c623ce15d8a3f996e87be4b73a8cd9f96386ce8d356d7e0fad0342dd3" + logic_hash = "e2890f8c623ce15d8a3f996e87be4b73a8cd9f96386ce8d356d7e0fad0342dd3" score = 75 quality = 75 tags = "FILE" @@ -233129,14 +233615,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_510C5E540503F30C9Caa3082296Aa452 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ff8a4a55-3e11-56ac-b374-fdec6a19b291" + id = "eddbe6f1-fb7c-5129-afb4-6b4d67e39f60" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5033-L5045" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "cb01f31a322572035cf19f6cda00bcf1d8235dcc692588810405d0fc6e8d239c" - logic_hash = "v1_sha256_9b6ad8b3e90fcd63f86b353e89ce7e6226197bfcb491e2151b8dbf580466076e" + logic_hash = "9b6ad8b3e90fcd63f86b353e89ce7e6226197bfcb491e2151b8dbf580466076e" score = 75 quality = 75 tags = "FILE" 
@@ -233153,13 +233639,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_56Bba7Fe242E6B49695Bcf07870F5F5E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "00127ba4-132d-5788-ab31-2265cfde6d19" + id = "902c1949-81e6-5070-ac60-2ebbb363fc6d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5047-L5058" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6c9da28b90bcff069509fc8e91c0a960805bb8339d0fa21f5466c38b6d20f95f" + logic_hash = "6c9da28b90bcff069509fc8e91c0a960805bb8339d0fa21f5466c38b6d20f95f" score = 75 quality = 75 tags = "FILE" @@ -233176,13 +233662,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Dfef1A8C0Dbfef64Bc6C8A0647D6E873 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5d294190-a2c1-5d11-9f27-1322099e1e8e" + id = "a8e2a271-399f-531a-8e69-27a1598ba086" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5060-L5071" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_104f066ddfd34edc328844d06a84a1663b0d271c02599825c1797704e582883a" + logic_hash = "104f066ddfd34edc328844d06a84a1663b0d271c02599825c1797704e582883a" score = 75 quality = 75 tags = "FILE" 
@@ -233199,13 +233685,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0609B5Aad2Dfb81Fbe6B75E4Cfe372A6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5bccf41b-4d39-5be2-b3a4-5c182be7859c" + id = "db7bf2e3-f514-5133-a35a-87c43a5f12cf" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5073-L5084" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2f483d06fd7af8db8e79203dcd4252d74f4859c0681e0bfcc4a97b351cb758a9" + logic_hash = "2f483d06fd7af8db8e79203dcd4252d74f4859c0681e0bfcc4a97b351cb758a9" score = 75 quality = 75 tags = "FILE" @@ -233222,13 +233708,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_02B6656292310B84022Db5541Bc48Faf : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "015038fd-72ee-56b0-9633-815eb4912788" + id = "252c8339-73d3-5de0-8f75-78a6a2da4abc" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5086-L5097" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_374f7abfab6f7def8b895dc9536ca6bb7a605e9478934af6c97e8b7595fbee19" + logic_hash = "374f7abfab6f7def8b895dc9536ca6bb7a605e9478934af6c97e8b7595fbee19" score = 75 quality = 75 tags = "FILE" 
@@ -233245,13 +233731,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D609B6C95428954A999A8A99D4F198Af : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f9e396a6-deb8-5d3f-9d8d-161d949e00ec" + id = "e1b732d2-24fd-5819-a26a-049a9a569089" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5099-L5110" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_62eecc7cf240b9de6e04a43413bbeb84b673e9d3f1c4d67ec4082c099c6a87db" + logic_hash = "62eecc7cf240b9de6e04a43413bbeb84b673e9d3f1c4d67ec4082c099c6a87db" score = 75 quality = 75 tags = "FILE" @@ -233268,13 +233754,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6A568F85De2061F67Ded98707D4988Df : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "9f3e0bf8-e1b5-545d-9174-81c8727a548c" + id = "ed8748ce-cd90-527b-a58e-da9c7164ed18" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5112-L5123" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f1aea9f6237cfbda49fea6d38ece935f9d4cc5abc678590c63b9a339aa37e104" + logic_hash = "f1aea9f6237cfbda49fea6d38ece935f9d4cc5abc678590c63b9a339aa37e104" score = 75 quality = 75 tags = "FILE" 
@@ -233291,14 +233777,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_F90E68Cbf92Fd7Ad409E281C3F2A0F0A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5bfc4ad5-46a7-5dcf-8d2a-002ac248ac6d" + id = "e92daa7b-2d8a-5806-840e-678a9aa24fef" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5125-L5137" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "d79a8f491c0112c3f26572350336fe7d22674f5550f37894643eba980ae5bd32" - logic_hash = "v1_sha256_ca8d80a446df0c28e9fb4944bd69d9fa008be968c449e5a469b182fbf8744a3f" + logic_hash = "ca8d80a446df0c28e9fb4944bd69d9fa008be968c449e5a469b182fbf8744a3f" score = 75 quality = 75 tags = "FILE" @@ -233315,13 +233801,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7Ddd3796A427B42F2E52D7C7Af0Ca54F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "65330090-3214-5837-b8b5-1dc565b74612" + id = "2619669f-cceb-5177-9738-d28236e1344e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5139-L5150" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_15df43212a842936e2ea0d834797f11fe80af3d376a19aa9a806aa6ed793e679" + logic_hash = "15df43212a842936e2ea0d834797f11fe80af3d376a19aa9a806aa6ed793e679" score = 75 quality = 75 tags = "FILE" 
@@ -233338,13 +233824,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_17D99Cc2F5B29522D422332E681F3E18 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "01ad3e5e-a445-52db-a05d-d32826171faf" + id = "98493d50-2bee-50a5-93f3-851559c494a6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5152-L5163" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_95116d1114239795707b310afea3122d274dac471546de1e0147992d1f3a1d4f" + logic_hash = "95116d1114239795707b310afea3122d274dac471546de1e0147992d1f3a1d4f" score = 75 quality = 75 tags = "FILE" @@ -233361,13 +233847,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_02De1Cc6C487954592F1Bf574Ca2B000 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "7f9b0400-ec8c-59ed-a7a5-53269737e38d" + id = "1dc1b576-34f4-5017-8340-c6f58692a31c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5165-L5176" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5963377fee755a859bc4330a1094ea1c8b2b588133706a22f67c1fb85542e64f" + logic_hash = "5963377fee755a859bc4330a1094ea1c8b2b588133706a22f67c1fb85542e64f" score = 75 quality = 75 tags = "FILE" 
@@ -233384,13 +233870,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_142Aac4217E22B525C8587589773Ba9B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ccf02f70-11a1-586e-a4d2-712919a37ebc" + id = "86ef1337-71cc-5231-a31c-8d8a8d95873f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5178-L5188" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a0abe691c6b0a7be8ceea313068a6943d611b1424a1a03e43b82239ddfe9cbd2" + logic_hash = "a0abe691c6b0a7be8ceea313068a6943d611b1424a1a03e43b82239ddfe9cbd2" score = 75 quality = 75 tags = "FILE" @@ -233407,13 +233893,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4026D6291F1Ac7Cf86C2C81172Cfb200 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c522370a-bb4f-5b63-af45-f2db89cd1953" + id = "ea11705d-37a1-5050-b01a-b7fc523c675a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5218-L5229" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c821f288bb6555e3955dfccf02edde2448f0499942eea24c488a6426985bff74" + logic_hash = "c821f288bb6555e3955dfccf02edde2448f0499942eea24c488a6426985bff74" score = 75 quality = 75 tags = "FILE" 
@@ -233430,13 +233916,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B0A308Fc2E71Ac4Ac40677B9C27Ccbad : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e1c0fa8d-7c41-5845-b6f0-82a9efc81a6b" + id = "207aa920-528c-5fa2-a8d4-4a44da4c870e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5231-L5242" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a71c47475327fb6268db34cd9d47451090fa3e673accfa905d32ebfb35f11e40" + logic_hash = "a71c47475327fb6268db34cd9d47451090fa3e673accfa905d32ebfb35f11e40" score = 75 quality = 75 tags = "FILE" @@ -233453,13 +233939,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_009Ecaa6E28E7615Ef5A12D87E327264C0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "889e8352-ff1c-577c-83b1-ef6ef0e46dfc" + id = "8fd9f4e8-4ec3-5731-8032-e2657ee229ca" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5244-L5255" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_24858027f62fd057c06dbf58b4a6e1e5f1dcd9429676232a8e66d231e713f56a" + logic_hash = "24858027f62fd057c06dbf58b4a6e1e5f1dcd9429676232a8e66d231e713f56a" score = 75 quality = 75 tags = "FILE" 
@@ -233476,13 +233962,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_19985190B09206952Efd412D3Ccc18E2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "937f381c-5cba-52c7-8e1c-ccdbd7e8c613" + id = "bd94cfd0-adaa-5e37-880e-8ef50328499d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5257-L5268" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6db1aaabd9a257e863a5ff771a736b705391602f7f5e2b799f8c47d3ae566f0f" + logic_hash = "6db1aaabd9a257e863a5ff771a736b705391602f7f5e2b799f8c47d3ae566f0f" score = 75 quality = 75 tags = "FILE" @@ -233499,13 +233985,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_03B27D7F4Ee21A462A064A17Eef70D6C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "de4f1b22-8078-5733-8cf7-a13ff65004fb" + id = "96920ba8-b6d6-5cf4-9a3c-cb6f5c9b3048" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5270-L5281" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_53a4c4474b1add510624e23eac642e8cba145248d72a2ffc37d0aca141a041c2" + logic_hash = "53a4c4474b1add510624e23eac642e8cba145248d72a2ffc37d0aca141a041c2" score = 75 quality = 75 tags = "FILE" 
@@ -233522,14 +234008,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_66F98881Fbb02D0352Bef7C13Bd61Df2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ac369c69-f146-55b0-8a0d-25516979d553" + id = "9cc569f4-1686-5f17-99a4-90750023d519" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5283-L5294" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "f265524fb9a4a58274dbd32b2ed0c3f816c5eff05e1007a2e7bba286b8ffa72c" - logic_hash = "v1_sha256_3d70da3f644a90bc6e7b405a41225a328d7007187525a0b277f0fc1136be8b5b" + logic_hash = "3d70da3f644a90bc6e7b405a41225a328d7007187525a0b277f0fc1136be8b5b" score = 75 quality = 75 tags = "FILE" @@ -233546,13 +234032,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3F8B1D4C656982A34435F971C9F3C301 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "41e7b753-e0bc-5ae6-828b-0e2c8cc3b0a3" + id = "7bafe9c8-7ec5-5847-81dc-2f2d0753f784" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5296-L5307" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_95fd60c5f236b06fca308696dfe3e3aeb3aa6f255c6030d44822dc33a7c4c917" + logic_hash = "95fd60c5f236b06fca308696dfe3e3aeb3aa6f255c6030d44822dc33a7c4c917" score = 75 quality = 75 tags = "FILE" 
@@ -233569,13 +234055,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ef9D0Cf071D463Cd63D13083046A7B8D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c23a98db-c59c-5aa9-8d08-4da0e1c635b1" + id = "f4b83bdf-ce07-5bad-b3e2-2c192d67f9f1" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5309-L5320" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9cf4ee1b3000d96d419bfd3e9ac3fb07f843aed735582c72e3a9799e2a56e364" + logic_hash = "9cf4ee1b3000d96d419bfd3e9ac3fb07f843aed735582c72e3a9799e2a56e364" score = 75 quality = 75 tags = "FILE" @@ -233592,13 +234078,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E1E7E596F8F5Ccbeed4Ab882B6Cfe6Ce : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "dd2edf7b-a686-5f30-a069-b3f41b857908" + id = "063d70e1-06b0-53f6-8edb-c81c89af0a05" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5322-L5333" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_56977d47d8fcfd5eb7b5b4a141a9465e1cd2c497f05e61854e0ab09e2c7065a0" + logic_hash = "56977d47d8fcfd5eb7b5b4a141a9465e1cd2c497f05e61854e0ab09e2c7065a0" score = 75 quality = 75 tags = "FILE" 
@@ -233615,13 +234101,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_047801D5B55C800B48411Fd8C320Ca5B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d266f857-79b0-5631-974d-42f065b61ced" + id = "750b5b0d-7752-5407-a29e-3272b764a276" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5335-L5346" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5e64b59f3d7f7554a482eaa32f5eac80f289bf57865a21381a3c1c78b1dabcab" + logic_hash = "5e64b59f3d7f7554a482eaa32f5eac80f289bf57865a21381a3c1c78b1dabcab" score = 75 quality = 75 tags = "FILE" @@ -233638,13 +234124,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Ceb6B2Eec12934A64F75A4592159F084 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "0f66677a-111d-5232-b5e1-0ceb32425221" + id = "a37bf0a2-3205-515c-9957-374108e199e9" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5366-L5377" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3e4aa8d970ead42bf1abb36a922ef31ac1b1aa308944cf099d6bbfb50e07c588" + logic_hash = "3e4aa8d970ead42bf1abb36a922ef31ac1b1aa308944cf099d6bbfb50e07c588" score = 75 quality = 75 tags = "FILE" 
@@ -233661,14 +234147,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6B6739E55F3F25B147C4A6767De41F57 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d29f79c5-8345-5771-87a7-e8da5a93e33f" + id = "ee84787b-cc90-545d-8e15-bf84676f222c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5379-L5391" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "da0921c1e416b3734272dfa619f88c8cd32e9816cdcbeeb81d9e2b2e8a95af4c" - logic_hash = "v1_sha256_9d1a20f3dfa6c31ed557e531f7a57c64032e518c033993234849882ef769fcbd" + logic_hash = "9d1a20f3dfa6c31ed557e531f7a57c64032e518c033993234849882ef769fcbd" score = 75 quality = 75 tags = "FILE" @@ -233685,13 +234171,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B97F66Bb221772Dc07Ef1D4Bed8F6085 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "30c340d3-2cda-5ab1-809e-7ac18db5be7c" + id = "c0797751-d03c-59c7-a02a-27e6f466bd96" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5393-L5404" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e68f6ebbeadc9381c2888abf77e040f27648a40d770524830f8a49fe2d11534f" + logic_hash = "e68f6ebbeadc9381c2888abf77e040f27648a40d770524830f8a49fe2d11534f" score = 75 quality = 75 tags = "FILE" 
@@ -233708,13 +234194,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Cc95D6Ebf18A3711E196Aea210465A19 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e59487c2-7c77-5797-a722-7659406a2bb5" + id = "bd6957ac-d5e0-5e77-87b3-a62c442f7f72" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5406-L5417" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_640ba6d64ad7e0791ef29d3ee9387e0944826f22f01a6a01486f6b3ac4138826" + logic_hash = "640ba6d64ad7e0791ef29d3ee9387e0944826f22f01a6a01486f6b3ac4138826" score = 75 quality = 75 tags = "FILE" @@ -233731,13 +234217,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Dde89C647Dc2138244228040E324Dc77 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "30bbf542-c60a-55e5-aeb0-051ed1667f16" + id = "5008d334-964a-516b-895e-761ae94e5bd4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5419-L5430" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d6c11a277f855ad8a4b235e1461ad024c4490d04530b91ecb47c8fcf8dee1239" + logic_hash = "d6c11a277f855ad8a4b235e1461ad024c4490d04530b91ecb47c8fcf8dee1239" score = 75 quality = 75 tags = "FILE" 
@@ -233754,13 +234240,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Fed006Fbf85Cd1C6Ba6B4345B198E1E6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1561ac43-b1b2-56ab-8afc-e63d108455e9" + id = "8f7d0337-7840-5c6e-b562-dbaef1a7c022" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5432-L5443" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_26690cb1ef7eb9b7009376b4c2a30505f01184f4462478f65379372e84e02bc8" + logic_hash = "26690cb1ef7eb9b7009376b4c2a30505f01184f4462478f65379372e84e02bc8" score = 75 quality = 75 tags = "FILE" @@ -233777,13 +234263,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4E7545C9Fc5938F5198Ab9F1749Ca31C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "579ef418-86aa-5cbc-bcac-d649efdf6b44" + id = "af27fbf7-f4e2-59e9-8b2b-b353704ce9d6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5445-L5456" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4b7bc07622ad3f7ec77f4bb0d51350c82734af4b73a26ecd21955e55e99bb515" + logic_hash = "4b7bc07622ad3f7ec77f4bb0d51350c82734af4b73a26ecd21955e55e99bb515" score = 75 quality = 75 tags = "FILE" 
@@ -233800,13 +234286,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_040F11F124A73Bdecc41259845A8A773 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "179ba33c-8215-5b85-8b83-0482eaac8ae4" + id = "0502773a-356e-5eae-9c37-e1ef89de3547" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5458-L5469" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_70edbe8be481ccb7b5c6a6485c2ac249ec5120a4cde18d551954cfeaae121f27" + logic_hash = "70edbe8be481ccb7b5c6a6485c2ac249ec5120a4cde18d551954cfeaae121f27" score = 75 quality = 75 tags = "FILE" @@ -233823,14 +234309,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1B1E87E90519D7273C0033Bf489B798F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6aec61cb-d54c-53b3-817b-c4d0fb56d125" + id = "b154ae08-108c-5980-a611-5e086877af2a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5471-L5483" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "84cef0aed269e6213bfa213d95a3db625bcdde130f33bf4227436985e4473252" - logic_hash = "v1_sha256_b47f80ecc895e73d69c60a5e88d6a6c95fcb9bddb30f14a1421b68aabc2290c9" + logic_hash = "b47f80ecc895e73d69c60a5e88d6a6c95fcb9bddb30f14a1421b68aabc2290c9" score = 75 quality = 75 tags = "FILE" 
@@ -233847,14 +234333,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D9E834182Dec62C654E775E809Ac1D1B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "535f067c-9baa-5324-b608-6ff0a7ef3ee7" + id = "ce1640b7-6631-5e8f-a2df-0716b2f86b99" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5485-L5497" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "645dbb6df97018fafb4285dc18ea374c721c86349cb75494c7d63d6a6afc27e6" - logic_hash = "v1_sha256_3e7ca9aec19f118c7a143826838244f3f8d0a603a44980522f5227a9c3a82a88" + logic_hash = "3e7ca9aec19f118c7a143826838244f3f8d0a603a44980522f5227a9c3a82a88" score = 75 quality = 75 tags = "FILE" @@ -233871,14 +234357,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ced87Bd70B092Cb93B182Fac32655F6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "14ee5701-1ddb-5f88-a2cb-f0e07c8573eb" + id = "5e716e70-0c78-5194-9134-0ee140221610" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5499-L5511" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89" - logic_hash = "v1_sha256_3d4d84a60095e608fbd774f2b3a0f86e32dd9fe25801da06ee10188425a029e0" + logic_hash = "3d4d84a60095e608fbd774f2b3a0f86e32dd9fe25801da06ee10188425a029e0" score = 75 quality = 75 tags = "FILE" 
@@ -233895,13 +234381,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1Afd1491D52F89Ba41Fa6C0281Bb9716 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "7093e76c-fe60-59ee-a502-a1df46bdb558" + id = "a0e5569f-7895-519b-9c1b-9cea3126391f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5513-L5524" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_071895cc37527aa634410dc79bf1656068e4c2b9f61d24912160c5f847e154f9" + logic_hash = "071895cc37527aa634410dc79bf1656068e4c2b9f61d24912160c5f847e154f9" score = 75 quality = 75 tags = "FILE" @@ -233918,13 +234404,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_719Ac44966D05762Ef95245Eefcf3046 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "fbd4801a-9bb7-599c-b4c4-1ba62aec9f6c" + id = "e215971c-67f0-5fdb-9525-7aef2559674f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5526-L5537" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2b7c5ccc7a09d3917cf8625bc3e78526ba9620eb8bb08490124c24a5c2eda629" + logic_hash = "2b7c5ccc7a09d3917cf8625bc3e78526ba9620eb8bb08490124c24a5c2eda629" score = 75 quality = 75 tags = "FILE" 
@@ -233941,13 +234427,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008Fe807310D98357A59382090634B93F0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "10a6c519-6bb1-5bbd-926a-1509e58567fa" + id = "bf4326b3-a838-5dff-a6e1-ac71c6fb871d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5539-L5550" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a90430a6f07f67ead37e5cba9f0baee92551511a9f33a2a1fd3d2419322aaa8b" + logic_hash = "a90430a6f07f67ead37e5cba9f0baee92551511a9f33a2a1fd3d2419322aaa8b" score = 75 quality = 75 tags = "FILE" @@ -233964,13 +234450,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00801689896Ed339237464A41A2900A969 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "197c56db-63a7-5aae-9f74-3ee05aa7fa29" + id = "91cecd18-0007-59a4-94f3-bdaa06b25822" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5552-L5563" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9dc505e00e0085587aee2bf2e70db04850e11d057b8d16e31e8caebb130e047b" + logic_hash = "9dc505e00e0085587aee2bf2e70db04850e11d057b8d16e31e8caebb130e047b" score = 75 quality = 75 tags = "FILE" 
@@ -233987,13 +234473,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Podangers : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d5e8ef27-6e00-5709-bd74-b5b334a6af14" + id = "b394c4a1-1614-578f-bbfc-6eb9998b4a06" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5565-L5576" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6a041e8ae4a7a1af59b81799b5c014691e347c8305266adeffd9d49337712b2e" + logic_hash = "6a041e8ae4a7a1af59b81799b5c014691e347c8305266adeffd9d49337712b2e" score = 75 quality = 75 tags = "FILE" @@ -234010,13 +234496,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E9A1E07314Bc2F2D51818454B63E5829 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f96e2f2a-4893-5c07-a0ba-e39b0cbc68b5" + id = "2c9f0497-0fcd-591c-be72-e92464b689f3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5578-L5589" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e3dfb75350bcdbb6861612f2f6cc757724260f99e4024df2b20c7b273bc50266" + logic_hash = "e3dfb75350bcdbb6861612f2f6cc757724260f99e4024df2b20c7b273bc50266" score = 75 quality = 75 tags = "FILE" 
@@ -234033,13 +234519,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_9D915138Acdac1A044Afa6E5D99567C5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e6216186-538e-5563-9c7c-2a4f02aac20a" + id = "89182dfb-b100-573c-85ae-38bdf7f24a64" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5591-L5602" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_32fb0d12a9b61461104e29571fcc7210f7ea8a82a8e240c747a0070d8d43a9b0" + logic_hash = "32fb0d12a9b61461104e29571fcc7210f7ea8a82a8e240c747a0070d8d43a9b0" score = 75 quality = 75 tags = "FILE" @@ -234056,13 +234542,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_11A9Bf6B2Dcbc683475B431A1C79133E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "fad5f908-a7cc-5075-b776-050724873a3d" + id = "9c49f529-330f-5d37-b613-e45aad50afcb" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5604-L5615" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fa424180e60d2fde2fce085d0c848c5b33bcc58c2ca54f327f446ff5cf361fe2" + logic_hash = "fa424180e60d2fde2fce085d0c848c5b33bcc58c2ca54f327f446ff5cf361fe2" score = 75 quality = 75 tags = "FILE" 
@@ -234079,13 +234565,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3Fd3661533Eef209153C9Afec3Ba4D8A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "38c0ea8a-74a0-5a9b-b9b9-46a1c5a9e0e3" + id = "d47bc223-f29e-54d3-a452-064f89fa80f7" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5617-L5628" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e9662abf4c70d54fc719850ef216352fd59a559726fbad5db9e265660400b432" + logic_hash = "e9662abf4c70d54fc719850ef216352fd59a559726fbad5db9e265660400b432" score = 75 quality = 75 tags = "FILE" @@ -234102,13 +234588,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2Ba40F65086686Dd4Ab7171E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b9901bf9-c134-5f8e-80b6-9c84a0776ee8" + id = "13909741-cba3-5143-86eb-bcc227cfaa9c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5630-L5641" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8ed65c0b5d231be9dbbe34da493087d1bf83cf21c401435fed7e2851acdb6f60" + logic_hash = "8ed65c0b5d231be9dbbe34da493087d1bf83cf21c401435fed7e2851acdb6f60" score = 75 quality = 75 tags = "FILE" 
@@ -234125,13 +234611,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_67144B9Ed89Fb2D106D0233873C6E35F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "70f9d0d2-ead2-5cf5-b7c8-a21504691946" + id = "f9806e55-9efa-504a-b27c-d3418fc5cd38" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5643-L5654" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9d3c39c590a75b3ea1d1f699bea279c0c68498e51e2ab7f4ad3e3f8857d6d668" + logic_hash = "9d3c39c590a75b3ea1d1f699bea279c0c68498e51e2ab7f4ad3e3f8857d6d668" score = 75 quality = 75 tags = "FILE" @@ -234148,13 +234634,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ca4822E6905Aa4Fca9E28523F04F14A3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "af31c422-00df-5d24-a840-377ce8a7721a" + id = "713f84b3-b09a-5fcf-85ed-899be9f14b84" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5656-L5667" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6e0d7abd82805019c6b1c9df2479489bbd3fe7a4a1703971c02324072692b1e5" + logic_hash = "6e0d7abd82805019c6b1c9df2479489bbd3fe7a4a1703971c02324072692b1e5" score = 75 quality = 75 tags = "FILE" 
@@ -234171,13 +234657,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3769815A97A8Fb411E005282B37878E3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b97f6b88-f901-5102-82fc-2a052d61137b" + id = "da41e9a7-1660-5157-9148-f2f774df647a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5669-L5680" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ccd548ebe2be2c7b44e6c39df50ffea4703d0b1decd78cc6fb4b3bbf9d85be0b" + logic_hash = "ccd548ebe2be2c7b44e6c39df50ffea4703d0b1decd78cc6fb4b3bbf9d85be0b" score = 75 quality = 75 tags = "FILE" @@ -234194,13 +234680,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3B007314844B114C61Bc156A0609A286 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "04df50cc-5522-55f0-a11e-badfc498ff0b" + id = "bb68c2fc-2389-5fb8-96f0-5731f008fd3c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5682-L5693" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f6f4e551a9be96f43a81e4da69f7b312dbdc16da17659a00a3486543a9c078e9" + logic_hash = "f6f4e551a9be96f43a81e4da69f7b312dbdc16da17659a00a3486543a9c078e9" score = 75 quality = 75 tags = "FILE" 
@@ -234217,13 +234703,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_262Ca7Ae19D688138E75932832B18F9D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "087af643-27b6-5e4b-adf8-e120315fb851" + id = "891717e4-502f-5820-903c-3d9f2751a9d3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5695-L5706" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0e6e75206bea63856e4ab07ff9b1220448f3cad6d845ae09703b9e836015520d" + logic_hash = "0e6e75206bea63856e4ab07ff9b1220448f3cad6d845ae09703b9e836015520d" score = 75 quality = 75 tags = "FILE" @@ -234240,13 +234726,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6B0008Bbd5Eb53F5D9E616C3Ed00000008Bbd5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "7dbd0b59-a6dd-5dd3-a3c8-0f7c00453a36" + id = "51e670b5-a679-52ef-9c07-5a2bd21f8a20" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5708-L5719" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_185334d7f484585cd88a1d89516f805d0248234a61153f8a38cc78b52d4bd764" + logic_hash = "185334d7f484585cd88a1d89516f805d0248234a61153f8a38cc78b52d4bd764" score = 75 quality = 75 tags = "FILE" 
@@ -234263,13 +234749,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6Abc3555Becca0Bc4B6987Ccc2Ea42B5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "cb0d9322-af9f-5c57-86de-053de9255fa4" + id = "b3ced8b8-ec42-56e4-8a3e-9cb7f6845b6f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5721-L5732" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_76d4895f805a6638549c2d3b01a53873156e142d741b1fc2ccc0b18971b275a7" + logic_hash = "76d4895f805a6638549c2d3b01a53873156e142d741b1fc2ccc0b18971b275a7" score = 75 quality = 75 tags = "FILE" @@ -234286,13 +234772,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3C5Fc5D02273F297404F7B9306E447Bb : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5d441fbb-34fb-5326-9d13-eace97f315df" + id = "2dd0805d-f43e-5aec-a0d9-98fc9fa6c088" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5734-L5745" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e73fd0a38c76783e3110abe82411cc3d22fbbc95684667dc754618f590f29970" + logic_hash = "e73fd0a38c76783e3110abe82411cc3d22fbbc95684667dc754618f590f29970" score = 75 quality = 75 tags = "FILE" 
@@ -234309,13 +234795,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7D36Cbb64Bc9Add17Ba71737D3Ecceca : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "9c6fd840-1b95-53d4-9c62-0fc7743034b6" + id = "23786dd4-2ad2-5d86-a0d2-46bc5f1825eb" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5763-L5774" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_070600994d7e137a769432e7c5995dac90f01cbce2c50de4c5baecea5d556baf" + logic_hash = "070600994d7e137a769432e7c5995dac90f01cbce2c50de4c5baecea5d556baf" score = 75 quality = 75 tags = "FILE" @@ -234332,13 +234818,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Df7139E106Dbb68Dfe4De97D862Af708 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3eaff912-66d8-5f0a-96b4-5d1768680479" + id = "8da7c163-02a7-571e-a995-c1d500d90b5b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5776-L5787" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_503ff5f570191ac61a20c2a6ffa5117d5c3ed632c04c4a02c710644c18a494d0" + logic_hash = "503ff5f570191ac61a20c2a6ffa5117d5c3ed632c04c4a02c710644c18a494d0" score = 75 quality = 75 tags = "FILE" 
@@ -234355,13 +234841,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D4F9Fc08895654F8Bde8D1Cc26Eff015 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f4b0427a-cd22-5a67-af43-8e02df870c7b" + id = "d32f82a7-36dd-555f-87cf-28e520a3916f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5789-L5800" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_dfc90ce9c1d8a0fad9c50f61c90c4f7b00b6890ee45d218417f4a7196c3d1c18" + logic_hash = "dfc90ce9c1d8a0fad9c50f61c90c4f7b00b6890ee45d218417f4a7196c3d1c18" score = 75 quality = 75 tags = "FILE" @@ -234378,13 +234864,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0393Be7Fd785Ba0E3223A73B15Ee6736 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1bb1002f-4289-544a-9a19-6afacc8447c7" + id = "852c3c5c-e20c-5e45-acee-7f5a5a35fa24" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5802-L5813" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6805b2d04f8b89b9d4db8d47d74e83b6cdd7e778b038883fc8d3ef2e1b157070" + logic_hash = "6805b2d04f8b89b9d4db8d47d74e83b6cdd7e778b038883fc8d3ef2e1b157070" score = 75 quality = 75 tags = "FILE" 
@@ -234401,13 +234887,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008B7369B2F0C313634A1C1Dfc4A828A54 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "472b8999-d08e-5c4a-962b-fbe496f57d39" + id = "e4da4da0-68f1-548b-b307-e11ad6def316" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5815-L5826" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_857eaa56ff5106e3808750b8833fd33a328b53a04f6fd2939aca30dbc6048329" + logic_hash = "857eaa56ff5106e3808750b8833fd33a328b53a04f6fd2939aca30dbc6048329" score = 75 quality = 75 tags = "FILE" @@ -234424,13 +234910,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_59A57E8Ba3Dcf2B6F59981Fda14B03 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c38b0657-dbcb-5c3e-945f-d126639ef45d" + id = "07e68e53-ffb8-5f12-ad0e-cf64a3c9cb72" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5828-L5841" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1eeeef14502daafb303d1c09d8e55fb4df57a6bf250d1adc7e53862f2f5d5824" + logic_hash = "1eeeef14502daafb303d1c09d8e55fb4df57a6bf250d1adc7e53862f2f5d5824" score = 75 quality = 75 tags = "FILE" 
@@ -234449,13 +234935,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C79F817F082986Bef3209F6723C8Da97 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ee0dc3f5-21d9-57ee-b10b-ed6aa9a74dc3" + id = "2e831cd7-6992-5b5f-ad84-52590f3cc65a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5843-L5856" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b6dd9cb0d2383bce3ab13b6a660b3f5ba554a2bf1fce4aabb6dd36187cc57f45" + logic_hash = "b6dd9cb0d2383bce3ab13b6a660b3f5ba554a2bf1fce4aabb6dd36187cc57f45" score = 75 quality = 75 tags = "FILE" @@ -234474,13 +234960,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Beb721Fcb3274C984479D6554Efe8F49 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ca53a239-54f7-519c-aff8-00561d20e771" + id = "311b4a7a-3185-5c61-961e-bd7d9bca28dd" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5858-L5869" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fdb28b4f8cf79d067ee8dcfc3109ceae38f7952c6fb34e61f489924d97d67151" + logic_hash = "fdb28b4f8cf79d067ee8dcfc3109ceae38f7952c6fb34e61f489924d97d67151" score = 75 quality = 75 tags = "FILE" 
@@ -234497,13 +234983,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C4188D6B70B4Bd3B977B19Abd04C1157 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "0d8fdc36-cbef-53bc-82ff-45403a5366e5" + id = "f5b2b4cf-39a5-59c6-860e-b738a2acfd89" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5871-L5882" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6ed619e18d749c2524ad3c1ddc3268f9ddf77feb3a3f2c5954ae4e7124d63c75" + logic_hash = "6ed619e18d749c2524ad3c1ddc3268f9ddf77feb3a3f2c5954ae4e7124d63c75" score = 75 quality = 75 tags = "FILE" @@ -234520,13 +235006,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ad255D4Ebefa751F3782587396C08629 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "cb979243-bd9b-5e9a-9fac-6d068e89d087" + id = "58e77872-5bd0-53b1-9595-c961c45e138c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5884-L5895" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_cc51de3852257b12a780f80755c7ca21f5d82542649c65072fd9427271da12ef" + logic_hash = "cc51de3852257b12a780f80755c7ca21f5d82542649c65072fd9427271da12ef" score = 75 quality = 75 tags = "FILE" 
@@ -234543,13 +235029,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_084B6F19898214A02A5F32E6Ea69F0Fd : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "9f7b64f0-ccd4-561f-8ff2-3172224ec4b8" + id = "37149424-6ce7-56db-98c5-3895bf3f5c9b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5897-L5908" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_844339ec8aaf93e279b294830a842f007d97adc4be4f6910d143ee16e5710ed5" + logic_hash = "844339ec8aaf93e279b294830a842f007d97adc4be4f6910d143ee16e5710ed5" score = 75 quality = 75 tags = "FILE" @@ -234566,13 +235052,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_24C1Ef800F275Ab2780280C595De3464 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a9480505-3f6a-5790-86d3-a91e3ea1749c" + id = "0bd14ac3-9761-5ac4-8cdc-6212a92c5b5d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5910-L5921" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_773fdb6d15a5bd1282dd9a48601b453b62de2e9832822858ad750c6462d6e116" + logic_hash = "773fdb6d15a5bd1282dd9a48601b453b62de2e9832822858ad750c6462d6e116" score = 75 quality = 75 tags = "FILE" 
@@ -234589,13 +235075,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6401831B46588B9D872B02076C3A7B00 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "cf9006b4-82fb-5e61-9a05-f52ea211b636" + id = "d651bbe4-7e50-51bc-8f96-a78b11846699" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5923-L5934" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9a90c9d51dd6eb37bb3b6b17c5e3e5ebb6b6922efa14e3d8d60e72bcdb7b7259" + logic_hash = "9a90c9d51dd6eb37bb3b6b17c5e3e5ebb6b6922efa14e3d8d60e72bcdb7b7259" score = 75 quality = 75 tags = "FILE" @@ -234612,13 +235098,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Cf1Ed2A6Ff4Bee621Efdf725Ea174B7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4d9c5184-1eba-5c0f-b432-c20824565e10" + id = "f3cb7bd9-9e28-5478-b65d-60915157dd3b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5936-L5947" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2902b075f40f1413eee937c045e082a3141ec309f9d8e1dfd3a384050ea0776c" + logic_hash = "2902b075f40f1413eee937c045e082a3141ec309f9d8e1dfd3a384050ea0776c" score = 75 quality = 75 tags = "FILE" 
@@ -234635,13 +235121,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7Ed801843Fa001B8Add52D3A97B25931 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6d6fbf47-71b8-5659-9ec3-5737505a21ee" + id = "8dc9fbde-57bb-56ca-b925-902059612606" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5949-L5960" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2607dde1318b9b84056fc73664e4c1f82f20c23f311216e2201c3fdee0d1b6db" + logic_hash = "2607dde1318b9b84056fc73664e4c1f82f20c23f311216e2201c3fdee0d1b6db" score = 75 quality = 75 tags = "FILE" @@ -234658,13 +235144,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0F0Ed5318848703405D40F7C62D0F39A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f3db515c-c70a-563b-b7ae-40288298025b" + id = "6baebaa7-275c-571d-b321-9a21d7799a33" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5962-L5973" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_77bd8fd2dc48e2fc8abbf0f3411dfa8010326b6a9928fb392cce6e0fe8e9d309" + logic_hash = "77bd8fd2dc48e2fc8abbf0f3411dfa8010326b6a9928fb392cce6e0fe8e9d309" score = 75 quality = 75 tags = "FILE" 
@@ -234681,13 +235167,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_537Aa4F1Bae48F052C3E57C3E2E1Ee61 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6b48848e-6e20-5f7c-ad68-083b79ceea81" + id = "33316c5e-b14f-50b5-8971-3a8b5a3c2497" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5975-L5986" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_83d205998f43a2404146064e13726c149bc56fed6b886ee1812378c027f03da0" + logic_hash = "83d205998f43a2404146064e13726c149bc56fed6b886ee1812378c027f03da0" score = 75 quality = 75 tags = "FILE" @@ -234704,13 +235190,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_61B11Ef9726Ab2E78132E01Bd791B336 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a421b4fe-877a-58b8-997e-3ecd5166dcfa" + id = "5b830ab1-16d2-573c-81b7-b8b922af6f4b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L5988-L5999" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_50c89d732409ff680734f481d858256001245c10345d9e6f1cbb51dcdc9c2cc9" + logic_hash = "50c89d732409ff680734f481d858256001245c10345d9e6f1cbb51dcdc9c2cc9" score = 75 quality = 75 tags = "FILE" 
@@ -234727,13 +235213,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_E339C8069126Aa6313484Fea85B4B326F7B8860C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d61603fd-0a97-5e0d-8d5b-0183bf2e4d38" + id = "a8a6a285-98e1-5a2a-ab89-c67809fea3b2" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6001-L6012" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6f373c5a8f99893088fa1afffeccdf24ae6ed118d7bea9df43281073bd8e85bb" + logic_hash = "6f373c5a8f99893088fa1afffeccdf24ae6ed118d7bea9df43281073bd8e85bb" score = 75 quality = 75 tags = "FILE" @@ -234750,13 +235236,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_734D0Baf7A6B44743Ff852C8Ba7A751A7Ff0Ec73 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "66027f3b-180d-5c7f-89d7-b4b022c553fb" + id = "1dc06f6e-2152-516a-b9cc-0d95c098c88f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6031-L6042" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_54620c58bae2c2f9859916a58b0fef4310dd27fdada663c28bb7d58bdaefc7c5" + logic_hash = "54620c58bae2c2f9859916a58b0fef4310dd27fdada663c28bb7d58bdaefc7c5" score = 75 quality = 75 tags = "FILE" 
@@ -234773,14 +235259,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_02Fa994D660De659Ee9037Ecb437D766 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5fa8d58c-29db-5247-8eb3-7585ab4f7e34" + id = "cb2aa5d6-913e-5d74-a903-1cb88fb63b1c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6044-L6056" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948" - logic_hash = "v1_sha256_04244701311fcdc77b1e3a8f20621e474ed607be3d109c629280d528e2f24e1f" + logic_hash = "04244701311fcdc77b1e3a8f20621e474ed607be3d109c629280d528e2f24e1f" score = 75 quality = 75 tags = "FILE" @@ -234797,14 +235283,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0B446546C36525Bf5F084F6Bbbba7097 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3d794a26-9f12-53ff-8a3c-568e8cc31fba" + id = "608a410d-d34f-5eea-92db-3d156d01d360" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6058-L6071" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "3163ffc06848f6c48ac460ab844470ef85a07b847bf187c2c9cb26c14032a1a5" - logic_hash = "v1_sha256_6dcf87b929c28cc013ee5c9de85aa026e335e1e5c38a440bc6b5dc11c6bf9a91" + logic_hash = "6dcf87b929c28cc013ee5c9de85aa026e335e1e5c38a440bc6b5dc11c6bf9a91" score = 75 quality = 75 tags = "FILE" 
@@ -234821,13 +235307,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E4E795Fd1Fd25595B869Ce22Aa7Dc49F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "99283db0-df1c-5e6b-ad2d-5645fe58da65" + id = "8807c05d-c13b-58e8-9dda-c2eae6b5979c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6087-L6101" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0aef5e2af3059597d218c544bc0b56078e1ef924af0530c62aa12679e0816410" + logic_hash = "0aef5e2af3059597d218c544bc0b56078e1ef924af0530c62aa12679e0816410" score = 75 quality = 75 tags = "FILE" @@ -234844,13 +235330,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008E0Fa6B464D466Df1B267504B04F7B27 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "2ecf6a3e-6020-51b6-ba28-b0e82011cc1c" + id = "6de3aab7-7175-537b-8a33-56cb0662b7a6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6103-L6114" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1f992d81b63108840d457f3f1906524cf4a9d4bec4a91f7bc826fae9989d40e0" + logic_hash = "1f992d81b63108840d457f3f1906524cf4a9d4bec4a91f7bc826fae9989d40e0" score = 75 quality = 75 tags = "FILE" 
@@ -234867,13 +235353,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_559Cb90Fd16E9D1Ad375F050Ab6A6616 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8fd76e44-95c9-51f0-8be1-286409ca7e7a" + id = "8b2ed295-5aae-5ced-9603-8125b4e261f9" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6116-L6127" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a91f23e2281efb95b780b26018f1c89485a87c6541ac84025dad3e6dd55c742e" + logic_hash = "a91f23e2281efb95b780b26018f1c89485a87c6541ac84025dad3e6dd55c742e" score = 75 quality = 75 tags = "FILE" @@ -234890,13 +235376,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Eb95A7Bd7553533D : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "24ada41b-9315-5980-a04e-e9311e6e35c0" + id = "b9198469-4eba-552d-a8f5-5841893ff85e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6159-L6170" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e646346d94791c2a86a7240d4cf1f9138a30ca583b021ae5b17471cef20a98de" + logic_hash = "e646346d94791c2a86a7240d4cf1f9138a30ca583b021ae5b17471cef20a98de" score = 75 quality = 75 tags = "FILE" 
@@ -234913,14 +235399,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A1F3A057A1Dce4Bf7D76D0C7Adf837E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "efc595d9-6f06-562d-aa0c-985ed155992f" + id = "c4829ec0-b6be-5701-a4cf-e4b1205240b3" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6172-L6184" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "2df05a70d3ce646285a0f888df15064b4e73034b67e06d9a4f4da680ed62e926" - logic_hash = "v1_sha256_de9ae66e497730db54fc21a745426c687c3a4d9819c08bc1dca0b42a5b8070ac" + logic_hash = "de9ae66e497730db54fc21a745426c687c3a4d9819c08bc1dca0b42a5b8070ac" score = 75 quality = 75 tags = "FILE" @@ -234937,13 +235423,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00849Ea0945Dd2Ea2Dc3Cc2486578A5715 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "647773b1-8da4-5e26-b871-1e5a2173d9dd" + id = "8584af2e-6b1e-5141-abbf-84e414ffaead" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6186-L6197" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_824744510e73cd6717e3626a5a250466bfb5817fd7172fc32466c2e68e20947b" + logic_hash = "824744510e73cd6717e3626a5a250466bfb5817fd7172fc32466c2e68e20947b" score = 75 quality = 75 tags = "FILE" 
@@ -234960,14 +235446,14 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0537F25A88E24Cafdd7919Fa301E8146 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d2607803-5620-5cdb-9e20-9c1bba215135" + id = "b0dd33b4-2040-5021-bebc-5ca26d75f14c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6215-L6227" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" hash = "72ac61e6311f2a6430d005052dbc0cc58587e7b75722b5e34a71081370f4ddd5" - logic_hash = "v1_sha256_8cd68612354a756c4a52d6baea9ef6ed74c94f5fcf25baa2f72c1131e0828f84" + logic_hash = "8cd68612354a756c4a52d6baea9ef6ed74c94f5fcf25baa2f72c1131e0828f84" score = 75 quality = 75 tags = "FILE" @@ -234984,13 +235470,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2E4A279Bde2Eb688E8Ab30F5904Fa875 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ecaec84a-2b79-519d-9183-fa1f75eb8740" + id = "3fd40418-9efe-5dfe-a4e2-01ff9c46a4d5" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6229-L6240" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_768b2cb64f7ce359285721bbfd2f2f6aac4065ec234dc091933d962a7f0ab79a" + logic_hash = "768b2cb64f7ce359285721bbfd2f2f6aac4065ec234dc091933d962a7f0ab79a" score = 75 quality = 75 tags = "FILE" 
@@ -235007,13 +235493,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Fbe6758Ae785D7C678A4Ad8De5C3F7E6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "03e07ca5-c9d8-5f62-979d-a90f0fc14092"
+ id = "4d080acc-fb11-5e4d-9c59-562f30376936"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6242-L6253"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c6d84435c5c4f71696ce0414c87216bbb0603cb75d6e37abaf73e3708904032e"
+ logic_hash = "c6d84435c5c4f71696ce0414c87216bbb0603cb75d6e37abaf73e3708904032e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235030,13 +235516,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00A73B6D821F84Db4451D6Eedd62C42848 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "348955b3-4acf-570f-a204-c754ad1b937d"
+ id = "c7533bc5-7d83-550e-a36c-eb459f2be842"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6255-L6266"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_448527bcbe2851bffefabe06a58e3ca68c092a2080041c51acacad3d5119aa0c"
+ logic_hash = "448527bcbe2851bffefabe06a58e3ca68c092a2080041c51acacad3d5119aa0c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235053,13 +235539,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_500D76B1B4Bfaf4A131F027668Fea2D3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "fbf0b28c-7d5d-5bd0-87c2-f75e65bdbe76"
+ id = "670138fc-7f2f-5145-8488-196912292ef7"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6268-L6279"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a4f626e5ae9d273723814b0d944b067e70714e10776600a1bd0f90af31c1146a"
+ logic_hash = "a4f626e5ae9d273723814b0d944b067e70714e10776600a1bd0f90af31c1146a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235076,13 +235562,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_54Cd7Ae1C27F1421136Ed25088F4979A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b7975ae7-ef32-56f6-9a31-513650dc19a0"
+ id = "2f7a0a34-6650-59d1-acf9-5ded0317ee6f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6281-L6292"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2b94ccd7f85a2b21edaf4b28f14827b399cdb82307c20320f77eb775c05751f1"
+ logic_hash = "2b94ccd7f85a2b21edaf4b28f14827b399cdb82307c20320f77eb775c05751f1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235099,13 +235585,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_65Efa92A4164A3A2D888B5Cf8Ff073C8 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "972f6c2f-5a9b-5614-8d81-7ea1946ef035"
+ id = "07392a87-7d81-58c1-8dd6-2a9cbc8caa6b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6294-L6305"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_189f154d5b71bea9c06cd2c79d2460a1fb8cc9e0670a9ef8545e3abad80c8a06"
+ logic_hash = "189f154d5b71bea9c06cd2c79d2460a1fb8cc9e0670a9ef8545e3abad80c8a06"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235122,13 +235608,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ad0A958Cdf188Bed43154A54Bf23Afba : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "5f7ce373-0e27-58fb-a9ca-ef327c60c9e2"
+ id = "0b42f6fd-732c-5802-b616-774a1da9e3aa"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6307-L6321"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6031cb276cbb419789a3f3e57654dd9569feb612b0aebc2b72ae8b644f07bca9"
+ logic_hash = "6031cb276cbb419789a3f3e57654dd9569feb612b0aebc2b72ae8b644f07bca9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235145,13 +235631,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_05Abac07F8D0Ce567F7D75Ee047Efee2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "742e4a94-d7ce-5311-b026-4b5330579d65"
+ id = "17355de3-08a9-585d-bc4f-fd16ff59e2a2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6323-L6334"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0196ebd0b5821863c99676907a972e214f46411650fe20557e9f919609d12659"
+ logic_hash = "0196ebd0b5821863c99676907a972e214f46411650fe20557e9f919609d12659"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235168,13 +235654,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_62165B335C13A1A847Ce9Acff2B29368 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "277197dc-e5f3-5c87-9837-dd658a3781f0"
+ id = "62cd9a29-023d-5ff4-89cf-a2e74ec66ac4"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6336-L6347"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_19e189c49f435f8b2aca0944d0f648a4126f83b7498982a262230e2f69ada8b7"
+ logic_hash = "19e189c49f435f8b2aca0944d0f648a4126f83b7498982a262230e2f69ada8b7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235191,13 +235677,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4Cdffb4F02C55Ae60A099652605Da274 : FILE
 meta:
 description = "Enigma Protector Demo Certificate"
 author = "ditekSHen"
- id = "86fb23c7-7ba1-58f5-9107-4089e988b607"
+ id = "843929be-68e5-56b0-99fc-f5d71b91c3cf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6366-L6377"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1b655f42302bed2091aaa5d37156c68eaf812f0c287bf42b24942a8b845b7476"
+ logic_hash = "1b655f42302bed2091aaa5d37156c68eaf812f0c287bf42b24942a8b845b7476"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235214,13 +235700,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_25Ad5Ae68C38Ad1021086F4Ffc8Ba470 : FILE
 meta:
 description = "Enigma Protector CA Certificate"
 author = "ditekSHen"
- id = "54675b34-368f-55ba-abc1-cfd94fa9d591"
+ id = "6f1c6d3a-72a1-5c70-9c7d-1616b13767cd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6379-L6390"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_80b67b804e47fba825fabfee39f9a0aae78a4465b088c28b6f6972acd614bb89"
+ logic_hash = "80b67b804e47fba825fabfee39f9a0aae78a4465b088c28b6f6972acd614bb89"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235237,13 +235723,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_277Cd16De5D61B9398B645Afe41C09C7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b2fd2a7e-1bdb-50e6-b9e4-57de73c47211"
+ id = "d5ada3bf-322a-5794-aff7-75ff8dd9a7d1"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6392-L6403"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dccfd52a3bcc11897d05f5450600dbd2f1f699732341cebed6dda37a76fd5f2d"
+ logic_hash = "dccfd52a3bcc11897d05f5450600dbd2f1f699732341cebed6dda37a76fd5f2d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235260,13 +235746,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_066276Af2F2C7E246D3B1Cab1B4Aa42E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "faf181d0-6935-545b-a73d-724ec0f35c78"
+ id = "32b8e28b-361f-53e5-b06c-504dd9e86ae9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6405-L6416"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2a554105ae99de388621adefb2f53d2d0873ac3175ca2ccf00fc6a498ea2fd29"
+ logic_hash = "2a554105ae99de388621adefb2f53d2d0873ac3175ca2ccf00fc6a498ea2fd29"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235283,13 +235769,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_289051A83F350A2C600187C99B6C0A73 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "62ef3428-be9f-5f7e-ae7a-d7a5d9d6000c"
+ id = "f84a7749-a487-52e5-813b-e376ccde13d1"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6418-L6429"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f094e923dc53cc1edc6ac83cf69fb60fd3c564606a5bfb68facb482918399799"
+ logic_hash = "f094e923dc53cc1edc6ac83cf69fb60fd3c564606a5bfb68facb482918399799"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235306,13 +235792,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_25A28E418Ef2D55B87Ee715B42Afbedb : FILE
 meta:
 description = "VMProtect Software CA Certificate"
 author = "ditekSHen"
- id = "3ab251ec-e18c-5b40-b2c6-a5e7d9b48d25"
+ id = "dc0b80f1-c720-5d83-a92b-144b1fd05138"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6431-L6442"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_be40d3b202b400eda7e78280b674823f789e292a35f0892ab3a323d1b055e789"
+ logic_hash = "be40d3b202b400eda7e78280b674823f789e292a35f0892ab3a323d1b055e789"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235329,13 +235815,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Vmprotect_Client : FILE
 meta:
 description = "VMProtect Client Certificate"
 author = "ditekSHen"
- id = "3633d634-5ffe-58eb-906d-7d0a563c8f77"
+ id = "f9fd6478-0fe5-54b6-ba33-79c02eb9ad04"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6444-L6455"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d55d9fe608d5ff357a3bcf700a3d8bd9556f83c7c792b50d2276228a77209346"
+ logic_hash = "d55d9fe608d5ff357a3bcf700a3d8bd9556f83c7c792b50d2276228a77209346"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235353,13 +235839,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_44Fe73F320Aa8B7B4F5Ca910Aa22333A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "633a1c6a-8567-5e3d-8710-ed3dc9a7bbff"
+ id = "fb7a2f49-d5b4-59af-b64b-27624ff18323"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6457-L6468"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a456cd32eed6c1f037bc565e7a43f2a5a2237749afc31f6b7a8b8d7a657973c6"
+ logic_hash = "a456cd32eed6c1f037bc565e7a43f2a5a2237749afc31f6b7a8b8d7a657973c6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235376,13 +235862,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Df45B36C9D0Bd248C3F9494E7Ca822 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "a5d90391-d52f-5627-b027-fa1275e099f5"
+ id = "95100ec5-01bf-5a5a-a703-b10d320beed1"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6470-L6481"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_40f4ad4183ca0bc76295c535a9286994ef0e3f8ac932372328016d543bb58ab5"
+ logic_hash = "40f4ad4183ca0bc76295c535a9286994ef0e3f8ac932372328016d543bb58ab5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235399,13 +235885,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Adbb8Aebf8B53C6713Abaca38Be9Bf0A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "077b3bee-f8e0-56cd-b627-a6ac537117df"
+ id = "b3edea3e-8844-58a5-a600-b0695869b2c3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6483-L6497"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d5e85240df57bf3b5ec4f690943f71609aaf2fb2f751b2919b6024b4247cd571"
+ logic_hash = "d5e85240df57bf3b5ec4f690943f71609aaf2fb2f751b2919b6024b4247cd571"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235422,13 +235908,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1Ffc9825644Caf5B1F521780C5C7F42C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "4ac5edd1-d3e7-5c71-80cf-6ef07e4f2330"
+ id = "b9ed2db5-b7d4-5d74-bb11-1e8b1dfe1648"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6499-L6510"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9866608a02a043e6873c6fbd231cd733b3b5a1e5b77e3205e5cf53f5ae2bcadd"
+ logic_hash = "9866608a02a043e6873c6fbd231cd733b3b5a1e5b77e3205e5cf53f5ae2bcadd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235445,13 +235931,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3112C69D460C781Fd649C71E61Bfec82 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3a684a7b-64d7-5b99-9ff0-61312e674088"
+ id = "a8092e36-92f9-5cb0-a427-74d40a39d94f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6512-L6523"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9662a01369bc01367bcae7813b3fcb3050721471dd247885bcab8918de7c6b99"
+ logic_hash = "9662a01369bc01367bcae7813b3fcb3050721471dd247885bcab8918de7c6b99"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235468,13 +235954,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_F64E5B34Dc0E4893495D3B9Fd9Cde4B7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "a8237220-bf9a-5953-a475-5e80999bdc6c"
+ id = "d408b662-6328-55a8-ab64-42ea8f18c1cf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6525-L6536"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_497e63e4a19fa5b05d1098177dc73ae2255d4608d97e1001461dc4f8edced169"
+ logic_hash = "497e63e4a19fa5b05d1098177dc73ae2255d4608d97e1001461dc4f8edced169"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235491,13 +235977,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6Bec31A0A40D2E834E51Ae704E1Bf9D3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "02a597ac-b338-55c6-95a2-b9aef65ee80a"
+ id = "9228c13e-b380-5867-ad1f-e483c8977196"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6538-L6549"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f1fdd6e76deea106db9fc4ef0916b2cecd6edb3849847946f15c194a9028a76e"
+ logic_hash = "f1fdd6e76deea106db9fc4ef0916b2cecd6edb3849847946f15c194a9028a76e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235514,13 +236000,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_9Fac361Ee3304079 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3016bfa1-4572-51a8-915f-c59922776d18"
+ id = "4143adb3-bd23-549c-b862-0db3583be161"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6551-L6565"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a32fe70e2242e587007c3985420c3bea25d35aff37f62881cc386bdeff22ca93"
+ logic_hash = "a32fe70e2242e587007c3985420c3bea25d35aff37f62881cc386bdeff22ca93"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235537,13 +236023,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1895De749994D0Db : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b28b6f76-bb51-59af-97c7-942248cc7261"
+ id = "2a8129ac-9838-5798-a115-ec03c1b3c205"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6567-L6578"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0b5e7998bd6303a12a8681bca88b7802caa08d9272196b830ffac5573b6e3772"
+ logic_hash = "0b5e7998bd6303a12a8681bca88b7802caa08d9272196b830ffac5573b6e3772"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235560,13 +236046,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_28B691272719B1Ee : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b2296f4f-5626-5986-b602-933d2f3d2b9d"
+ id = "5a8cf540-701f-5f94-b630-ccbaa62abfdd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6580-L6591"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b2224f8107e7c50334c7e12963e4e37c0a6824c49842afb314c12d6de9d6bc5e"
+ logic_hash = "b2224f8107e7c50334c7e12963e4e37c0a6824c49842afb314c12d6de9d6bc5e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235583,13 +236069,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E3B80C0932B52A708477939B0D32186F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "fc7bd59c-742f-5885-9497-206c71072df4"
+ id = "41525cdd-f65a-5aad-bd99-1cdcf8b11981"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6593-L6607"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a0a95c20c5c82b460ddef686731d1053181cb5066bbb4f585a4f402f50efe030"
+ logic_hash = "a0a95c20c5c82b460ddef686731d1053181cb5066bbb4f585a4f402f50efe030"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235606,13 +236092,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00C667Ffe3A5B0A5Ae7Cf3A9E41682E91B : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "2adf42ab-198b-5b43-bd26-bd79ce2da493"
+ id = "509dcc22-1202-5b6e-a602-6b06c282b28d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6609-L6623"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6d3d0cfb42758f917b003f7979f7123c1789c9e9b4e01b1aebf265a298eac08f"
+ logic_hash = "6d3d0cfb42758f917b003f7979f7123c1789c9e9b4e01b1aebf265a298eac08f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235629,13 +236115,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Sagsanlgs : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "077a4847-de22-55c6-a1da-cd18eed827ba"
+ id = "b08e46a5-de76-5711-98dc-2144c7bbe66f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6639-L6650"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3ab10d8605f501f3c4f3a3afa31c5b001e03354846ff1953e7e36ceb9b564bf6"
+ logic_hash = "3ab10d8605f501f3c4f3a3afa31c5b001e03354846ff1953e7e36ceb9b564bf6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235652,13 +236138,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00989A33B72A2Aa29E32D0A5E155C53963 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e12ad0d4-0db3-5b70-8da1-9ca24a993320"
+ id = "59fcdc74-ca44-5d30-b9b0-5e9c7a3b50f3"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6668-L6682"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f016093cd512bcbf31814ff1619441e476b3988d0670f469f6311eda37ae295d"
+ logic_hash = "f016093cd512bcbf31814ff1619441e476b3988d0670f469f6311eda37ae295d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235675,13 +236161,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00B8F726508Cf1D7B7913Bf4Bbd1E5C19C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b9680c05-f12f-51ca-9b34-766677719f0d"
+ id = "0acaaed9-ba18-56b0-95b9-e05181843129"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6684-L6698"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_71eb50a47465d69dbdd488c57b3fd9f70a4dd3b0bc086ed14038320928bc947e"
+ logic_hash = "71eb50a47465d69dbdd488c57b3fd9f70a4dd3b0bc086ed14038320928bc947e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235698,13 +236184,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Aa099E64E214D655801Ea38Ad876711 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "309e33dc-c7bc-575c-bc92-05f4006f2bab"
+ id = "00b9cd1f-e389-51fd-8a08-73334bb0d0ef"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6700-L6712"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a4211bc2f3cedb8b135566d4b22251523a3a2bbdb04c1f1c5b1336ae7c198773"
+ logic_hash = "a4211bc2f3cedb8b135566d4b22251523a3a2bbdb04c1f1c5b1336ae7c198773"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235722,13 +236208,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_54Cc50D147Fa549E3F721C754E4E3A91 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f91096c7-ff56-50db-b886-f981c0a3bf6e"
+ id = "2007dabd-74c0-5cc7-986c-21fb1df9136a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6714-L6726"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_367237a9370542a4506fb13683f0a91e4bf5eb871e4b9f62b4cae8316bdf2d9a"
+ logic_hash = "367237a9370542a4506fb13683f0a91e4bf5eb871e4b9f62b4cae8316bdf2d9a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235746,13 +236232,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1E508Bb2398808Bc420A5A1F67Ba5D0B : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "d7702548-41fc-587c-86fe-c4b8b11e02f3"
+ id = "32f79595-6526-5dea-824a-cc073b6a2b5c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6728-L6740"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_71b7efab5359408e3897498ce031c8375e2d67bfc8ff15c685df5ac6dd4bb015"
+ logic_hash = "71b7efab5359408e3897498ce031c8375e2d67bfc8ff15c685df5ac6dd4bb015"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235770,13 +236256,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_008B3333D32B2C2A1D33B41Ba5Db9D4D2D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "03c8e856-082a-5524-8dcc-a0895ff1baf6"
+ id = "90947492-2f42-5d90-b635-62a5f7e79ffc"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6742-L6757"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c15a248dd52e7e888da381fda296cf19c53196ef52c4c4ce74af646d427eccde"
+ logic_hash = "c15a248dd52e7e888da381fda296cf19c53196ef52c4c4ce74af646d427eccde"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235794,13 +236280,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_B548765Eebe9468348Af40B9891C1E63 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e3a480a6-e605-5c9d-9237-7964bc2ecf58"
+ id = "0ee1a31b-6324-5dbd-bd0d-765bc4891415"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6759-L6771"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_db8136f63657130bb3fe2527bb597e70bc3d46395aa3137810f4ee4b4de6c6ec"
+ logic_hash = "db8136f63657130bb3fe2527bb597e70bc3d46395aa3137810f4ee4b4de6c6ec"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235818,13 +236304,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4697C7Ddd3E37Fe275Fdc6961A9093E3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "25aebf37-02f8-5a99-9f45-8572dd03bbc1"
+ id = "9d611fee-cf29-523e-86f7-5c67f0e563a9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6773-L6785"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b3de1a753ac7a2f43ae64ee54fc81d92f70c32d4a04398a6dfc9a6ec856d8300"
+ logic_hash = "b3de1a753ac7a2f43ae64ee54fc81d92f70c32d4a04398a6dfc9a6ec856d8300"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235842,13 +236328,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_74C94Ef697Dc9783F845D26Dccc1E7Fd : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "5b11134e-7ad1-5965-a047-0568fcabb609"
+ id = "3cd08af1-8999-59a8-a679-a39871ecf68e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6787-L6799"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_226dfe366c31e9cb38910df7d6cb2037c545745594fd133d7b7359175f153a90"
+ logic_hash = "226dfe366c31e9cb38910df7d6cb2037c545745594fd133d7b7359175f153a90"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235866,13 +236352,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5Dd1Cb148A90123Dcc13498B54E5A798 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f9f137f3-4c2d-5323-aff2-b6bda1a922c0"
+ id = "8bdc91bc-5a59-5c22-8d39-fe1bf4267813"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6801-L6812"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9b5ec1b9d3fd15259d3628b5199b274f85674b404c57329d8af4f779ae357454"
+ logic_hash = "9b5ec1b9d3fd15259d3628b5199b274f85674b404c57329d8af4f779ae357454"
 score = 75
 quality = 75
 tags = "FILE"
@@ -235889,13 +236375,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00A758504E7971869D0Aec2775Fffa03D5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c6f8eb49-7c5f-59a9-95b2-67d9938290f2" + id = "1ecfe521-0148-5a13-b23f-dd1b14b835ed" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6814-L6829" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_08f52e96d1e93e2d406753fd0dee5d03501ac037ab022b710362b113eaae6239" + logic_hash = "08f52e96d1e93e2d406753fd0dee5d03501ac037ab022b710362b113eaae6239" score = 75 quality = 75 tags = "FILE" @@ -235913,13 +236399,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00F13A4F94Bf233525 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3327c861-cb28-5962-95cd-ec22a955caaa" + id = "1d048571-661e-5d7f-a255-f07b84069b20" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6831-L6845" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_29284d9ced0d5e6d587edc9727321cdc7bf5ce4ad8407d460afa7f1e6d1bcb90" + logic_hash = "29284d9ced0d5e6d587edc9727321cdc7bf5ce4ad8407d460afa7f1e6d1bcb90" score = 75 quality = 75 tags = "FILE" 
@@ -235936,13 +236422,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_119Acead668Bad57A48B4F42F294F8F0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "06cffa63-71a3-501a-9f01-857653886767" + id = "d3f45ee1-134f-5b16-81f8-83405a5e3181" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6847-L6858" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bae9aed4f53059b2ec0de630f681bb157c148d9ad38be35dd8c1a74b19619077" + logic_hash = "bae9aed4f53059b2ec0de630f681bb157c148d9ad38be35dd8c1a74b19619077" score = 75 quality = 75 tags = "FILE" @@ -235959,13 +236445,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_21144343720267Ba42F586105Ff279De : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f17337ff-08d9-576f-9aec-598c72cfd297" + id = "54e4133f-4fb7-5f70-a4dc-77c6f8120d29" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6860-L6871" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a1eacebed0966ad5d78eb7e38d8b854d183f21a19a53bbcb57503e4271b2cc84" + logic_hash = "a1eacebed0966ad5d78eb7e38d8b854d183f21a19a53bbcb57503e4271b2cc84" score = 75 quality = 75 tags = "FILE" 
@@ -235982,13 +236468,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00A3Cb8E964244768969B837Ca9981De68 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "695e4b67-4403-576b-afd0-78f92cad6f84" + id = "a9d74cc6-0d89-5de9-8f13-966455e49b9c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6873-L6884" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d88c9ac03a4b3803b85c5ee30ad127aca43cbfc33d754bc42c15593f7294b1bc" + logic_hash = "d88c9ac03a4b3803b85c5ee30ad127aca43cbfc33d754bc42c15593f7294b1bc" score = 75 quality = 75 tags = "FILE" @@ -236005,13 +236491,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Bd96F0B87Edca41E777507015B3B2775 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "66f665af-7fec-5c03-b318-35115bb2c98b" + id = "5ef0b542-01de-53ee-9a52-0a05bccccd22" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6886-L6900" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a9906821de34bf6a20bfe1a4be81563a22b110bde68fbe36b491955c23d2dcc6" + logic_hash = "a9906821de34bf6a20bfe1a4be81563a22b110bde68fbe36b491955c23d2dcc6" score = 75 quality = 75 tags = "FILE" 
@@ -236028,13 +236514,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00E41537B8Dd65670D6Eb01954Becacf1E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8c5ec8ca-ffcc-5683-92f7-0790ca57f9a9" + id = "80ac0d4e-5865-562a-a4a1-fa02b6859bdb" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6902-L6916" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_94b7feb2d1ed8a7004599ac2018746bf43529f7cf7c4776fbdf21282013935c8" + logic_hash = "94b7feb2d1ed8a7004599ac2018746bf43529f7cf7c4776fbdf21282013935c8" score = 75 quality = 75 tags = "FILE" @@ -236051,13 +236537,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_06808C5934Da036A1297A936D72E93D4 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a65b5e89-54ce-58f2-a813-3df77059e7b9" + id = "c75ae0da-e8b9-581f-bfde-f23b3b3f9d22" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6918-L6929" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_45840d354dcea86c38effc86b3b6f92540f32eab78286d51ff7f472618accb8b" + logic_hash = "45840d354dcea86c38effc86b3b6f92540f32eab78286d51ff7f472618accb8b" score = 75 quality = 75 tags = "FILE" 
@@ -236074,13 +236560,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_97D50C7E3Ab45B9A441A37D870484C10 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8cf21fe4-1b1c-5b0f-8c6f-aff7b04fbe57" + id = "54c391df-ea76-5944-aae6-63f44ec557e5" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6931-L6942" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2f535f66a4aabffff48f167ffcabcb366398e358eaafa2b3d67ee4c7ad19eb66" + logic_hash = "2f535f66a4aabffff48f167ffcabcb366398e358eaafa2b3d67ee4c7ad19eb66" score = 75 quality = 75 tags = "FILE" @@ -236097,13 +236583,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0B2B192657B37632518B08A06E201381 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8c25a7ad-608c-5360-89f1-6a2ca6e4ec41" + id = "917d2d66-f4b4-59b1-aeed-3b10c337d4b8" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6944-L6955" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_361005555e5d4b51c4538617c99fe668fca61ccc0c0847611e1423f69194999c" + logic_hash = "361005555e5d4b51c4538617c99fe668fca61ccc0c0847611e1423f69194999c" score = 75 quality = 75 tags = "FILE" 
@@ -236120,13 +236606,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00945Aaac27E7D6D810C0A542Bedd562A4 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "968850ef-0fb5-5bf1-8078-c65c289adc37" + id = "5698130c-0696-5474-8b86-b6ba290d2822" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6957-L6972" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_292657717cb42835324b6ff42d563bca47e042e82afef24b5d666b16979b8103" + logic_hash = "292657717cb42835324b6ff42d563bca47e042e82afef24b5d666b16979b8103" score = 75 quality = 75 tags = "FILE" @@ -236144,13 +236630,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6D450Cc59Acdb4B7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a47887e1-24f7-52fe-8a2d-6d98892d054b" + id = "845e3f48-5660-525e-bd18-5953c64322f1" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6974-L6985" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8328159dce3586c26b777f92d7a87e0660520cf08d122505d34ed427bdd7ff6f" + logic_hash = "8328159dce3586c26b777f92d7a87e0660520cf08d122505d34ed427bdd7ff6f" score = 75 quality = 75 tags = "FILE" 
@@ -236167,13 +236653,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_66390Fc17786D4A342F0Ee89996D6522 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f12d268f-75ea-510f-aa09-7be887f1d892" + id = "202e4270-9b49-5516-8188-a64bd528a9c4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L6987-L6998" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a38d09beee8ddaa6e8273e04fe3c5cc9ff9a4e55344e2b9191bb3e5928e9e79b" + logic_hash = "a38d09beee8ddaa6e8273e04fe3c5cc9ff9a4e55344e2b9191bb3e5928e9e79b" score = 75 quality = 75 tags = "FILE" @@ -236190,13 +236676,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00D1737E5A94D2Aff121163Df177Ed7Cf7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "fa240be0-a54c-554f-8bd4-d7b944e6b655" + id = "92ba22ba-9610-5b9b-9075-1da84fb148c1" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7000-L7015" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7889e42ca0bc6c4aad0c7cf90459958e9d256b984fae719bd418fc17120cb4a2" + logic_hash = "7889e42ca0bc6c4aad0c7cf90459958e9d256b984fae719bd418fc17120cb4a2" score = 75 quality = 75 tags = "FILE" 
@@ -236214,13 +236700,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5Aa94583A95D42F1 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8f654f54-5f8a-5441-a521-b9ae7074753c" + id = "a77e58c7-c613-5416-9bcd-336c036d99bd" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7017-L7028" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_174ce032fd87028e34843417d5a4695d6d6e2eb444095e005588f1acf291cdf8" + logic_hash = "174ce032fd87028e34843417d5a4695d6d6e2eb444095e005588f1acf291cdf8" score = 75 quality = 75 tags = "FILE" @@ -236237,13 +236723,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6Ce7A0C62F27Fa98F78853E1Ad11173F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "dbb45686-90f4-5eef-9253-cf9d99fe4931" + id = "dd6ba685-deac-5ba0-8268-2ff17f3efc5a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7030-L7041" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_48692213d57293d28d0eb146d24036fa7e7357e55df07330d596a51a0665f063" + logic_hash = "48692213d57293d28d0eb146d24036fa7e7357e55df07330d596a51a0665f063" score = 75 quality = 75 tags = "FILE" 
@@ -236260,13 +236746,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_670C3494206B9F0C18714Fdcffaaa42F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "76d2209f-dc45-56df-8641-089edbcf833f" + id = "cbe10923-794e-50f0-bcc7-026ca2235836" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7043-L7054" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5215f3e877ac4b37d33a29f9d2e92567db02f41f5fa1592d2de199ee06b43885" + logic_hash = "5215f3e877ac4b37d33a29f9d2e92567db02f41f5fa1592d2de199ee06b43885" score = 75 quality = 75 tags = "FILE" @@ -236283,13 +236769,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5F11C47D3F8C468E5D38279De98078Ce : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "791ea2be-beab-551c-9b84-029f04c05839" + id = "d7ec5ceb-df6d-518c-977d-84ab2a40f6ed" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7056-L7067" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_82db6d0b96303be79aa9a0980a4ce491a1216adbba65443e8e59c5cf69a4a1e4" + logic_hash = "82db6d0b96303be79aa9a0980a4ce491a1216adbba65443e8e59c5cf69a4a1e4" score = 75 quality = 75 tags = "FILE" 
@@ -236306,13 +236792,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Bdb99D5Ecf8271D48E35F1039C2160Ef : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "62ffc9a2-5314-5ef6-b0ad-246f9fe94259" + id = "a87a3295-fbdb-5501-97a1-7cb23009f925" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7069-L7083" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3a7fd1705d440306e7643167f46b0735bedab291e714cd01068be321f489e3f3" + logic_hash = "3a7fd1705d440306e7643167f46b0735bedab291e714cd01068be321f489e3f3" score = 75 quality = 75 tags = "FILE" @@ -236329,13 +236815,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_025020668F51235E9Ecfff8Cf00Da63E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "fa55f3dd-f7cc-59fb-8e8d-c47ce98b0a1d" + id = "5b9af281-09b0-5df5-af3b-4868a7243636" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7085-L7096" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c99caf6ada228fe1229ea8e8ca0b160468f044a9a1e13ed9a83c12afeae337a1" + logic_hash = "c99caf6ada228fe1229ea8e8ca0b160468f044a9a1e13ed9a83c12afeae337a1" score = 75 quality = 75 tags = "FILE" 
@@ -236352,13 +236838,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Cfae7E6F538B9F2E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4fd88bc0-b279-5d98-a0ee-99808065ab82" + id = "c144fe64-ad45-5ac6-b2ee-904a66230674" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7098-L7112" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_23032d387bbfc81edb08982a196b90a136faf935d74c46771c59ef19095ac3a4" + logic_hash = "23032d387bbfc81edb08982a196b90a136faf935d74c46771c59ef19095ac3a4" score = 75 quality = 75 tags = "FILE" @@ -236375,13 +236861,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Bc9B800F480691Bd6B60963466B0C75 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b81581d0-fd71-5e6c-8beb-20b7adada311" + id = "ff76c8b3-8120-54ed-90e1-3ee01e57895e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7114-L7125" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_15143a6dc374f22252880ce61a419df46d81bc1ee99a29d03a61348f9c230064" + logic_hash = "15143a6dc374f22252880ce61a419df46d81bc1ee99a29d03a61348f9c230064" score = 75 quality = 75 tags = "FILE" 
@@ -236398,13 +236884,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_69Ad1E8B5941C93D5017B7C3Fdb8E7B6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6a269ff7-e03e-5f56-93b8-c8004f19be72" + id = "4b961b30-dc0d-513c-8a66-ed8fe71f5439" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7127-L7138" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1a37133dcc7af9c3f229f517dca847d7c007b8a2fdc6af50721d68f68c5d9c20" + logic_hash = "1a37133dcc7af9c3f229f517dca847d7c007b8a2fdc6af50721d68f68c5d9c20" score = 75 quality = 75 tags = "FILE" @@ -236421,13 +236907,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_072472F2386F4608A0790Da2Be8A48F7 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6f10a19b-946d-5032-a843-9c19bd5b9c33" + id = "79f1e6da-003a-5291-a60c-7693ca2efbeb" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7140-L7151" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_32b61f42ee9f3109c747e8a159376d03349d8a5061be0c31504e929cb3c3042e" + logic_hash = "32b61f42ee9f3109c747e8a159376d03349d8a5061be0c31504e929cb3c3042e" score = 75 quality = 75 tags = "FILE" 
@@ -236444,13 +236930,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Ea734E1Dfb6E69Ed2Bc55E513Bf95B5E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "48f854b0-07f0-5d9e-b2e0-94ab468541c8" + id = "4e40ce70-d5d1-5719-bb43-40f860510093" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7153-L7168" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e2d07a2af36608d6eab6db85bcb968e486293239d0cfaeea7de2bb8223e58a29" + logic_hash = "e2d07a2af36608d6eab6db85bcb968e486293239d0cfaeea7de2bb8223e58a29" score = 75 quality = 75 tags = "FILE" @@ -236468,13 +236954,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Dfa4F0Cff90319951B019A4681Ebd2A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "2b738ad3-7dea-5c5e-8d64-c844e214bf19" + id = "bbb0be70-de74-5da9-80d2-2ba474b7f472" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7170-L7182" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d89cda38cf6149c004f7d7b307243567768cba73bd49979d7d4f92f902ef4508" + logic_hash = "d89cda38cf6149c004f7d7b307243567768cba73bd49979d7d4f92f902ef4508" score = 75 quality = 75 tags = "FILE" 
@@ -236492,13 +236978,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4D03Ae6512B85Eab4184Ca7F4Fa2E49C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "84a3c83f-089e-5988-98e4-537f1ededbc2" + id = "a7dc0a07-f295-5aff-9df0-71f27f0fe88c" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7184-L7196" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2cbeaf65b0d3340df08baf67134a2fe0b26921f2e35ce541884209e3ecddf233" + logic_hash = "2cbeaf65b0d3340df08baf67134a2fe0b26921f2e35ce541884209e3ecddf233" score = 75 quality = 75 tags = "FILE" @@ -236516,13 +237002,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_333705C20B56E57F60B5Eb191Eef0D90 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a26db843-8a27-50ef-a44c-8457958fef8a" + id = "e868c3ff-a701-59bd-9cd6-bf49305fe28a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7198-L7209" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f5ca35381842a0ea7c319d8388753347a72fc6df746064e520794aeb4b6724d0" + logic_hash = "f5ca35381842a0ea7c319d8388753347a72fc6df746064e520794aeb4b6724d0" score = 75 quality = 75 tags = "FILE" 
@@ -236539,13 +237025,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_79906Faf4Fbd75Baa10B322356A07F6D : FILE meta: description = "Detects NetSupport (client) signed executables" author = "ditekSHen" - id = "c8850d15-9a5f-53b2-be4a-bddb1115cbf0" + id = "afca727c-ff08-5e47-9ef4-4cd2af96d294" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7211-L7222" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_59862f31d0ba0cf56a93a86783ad802ea2e511845ab1d141aa224c0c61b720a7" + logic_hash = "59862f31d0ba0cf56a93a86783ad802ea2e511845ab1d141aa224c0c61b720a7" score = 75 quality = 75 tags = "FILE" @@ -236562,13 +237048,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_030Ba877Daf788A0048D04A85B1F6Eca : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "87292629-2c1e-5cbb-9927-e8f310c8d688" + id = "66689847-aa67-5029-9f37-cc410a564633" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7224-L7235" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_70b5b9011b53b7c9ac9dc286f3512a7a8bec5ec35ade0ee1c4bedd0a128994da" + logic_hash = "70b5b9011b53b7c9ac9dc286f3512a7a8bec5ec35ade0ee1c4bedd0a128994da" score = 75 quality = 75 tags = "FILE" 
@@ -236585,13 +237071,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Fe83F58D001327Fbaafd7Bac76Ae6818 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "747ca5f0-cf34-58cc-a89b-7f67746f43ab" + id = "5d41be99-85de-55bc-817b-eea510aff308" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7237-L7251" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8aac715daba042ca4a57cd65b98e6192c87a13e7e0c8ff4a3bc81c43223035ad" + logic_hash = "8aac715daba042ca4a57cd65b98e6192c87a13e7e0c8ff4a3bc81c43223035ad" score = 75 quality = 75 tags = "FILE" @@ -236608,13 +237094,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0788260F8541539D97F49Ddaa837B166 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "276324f8-2f02-5765-a2d9-9c130c6143f1" + id = "fb102e07-92fc-5ed8-a9cf-1cfd53f54281" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7253-L7265" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_48985ac2c450bc4b3c5de635717dcf3a7ecf64109aa4059477ba79606f7fc2a4" + logic_hash = "48985ac2c450bc4b3c5de635717dcf3a7ecf64109aa4059477ba79606f7fc2a4" score = 75 quality = 75 tags = "FILE" 
@@ -236632,13 +237118,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Ca5Acafb5Fdca6F8B5D66D1339A5D85 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "9f11908f-52b2-5e3d-9f9b-8bad222937b1" + id = "6f0e9e3a-52fc-5ffd-90b3-743d925388df" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7267-L7279" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2612e58b4e1a6fa65b32fe855b3542882c79345e93ab134933c893e90bb1a75c" + logic_hash = "2612e58b4e1a6fa65b32fe855b3542882c79345e93ab134933c893e90bb1a75c" score = 75 quality = 75 tags = "FILE" @@ -236656,13 +237142,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_387Eeb89B8Bf626Bbf4C7C9F5B998B40 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "287e6b12-0f03-5230-bb05-9b9c192dec08" + id = "56dfc1b5-3aba-5c21-93e6-85d41a2a4415" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7281-L7293" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3436b7954e5488614f8f0998fe9eae7773d821c776436836d7b2230cd9c97f46" + logic_hash = "3436b7954e5488614f8f0998fe9eae7773d821c776436836d7b2230cd9c97f46" score = 75 quality = 75 tags = "FILE" 
@@ -236680,13 +237166,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_035B41766660B08Aaf121536F0D83D4D : FILE meta: description = "Detects signed excutable of DiskCryptor open encryption solution that offers encryption of all disk partitions" author = "ditekSHen" - id = "50542bf9-c537-5bdd-a852-5a32cc524ba9" + id = "80c803e1-16b8-583d-9d4f-3a0f693c9e24" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7295-L7306" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_924ed1d3c6a8d378471a2e5301f3a813ee8622135ce001d3061918d9454cdcc4" + logic_hash = "924ed1d3c6a8d378471a2e5301f3a813ee8622135ce001d3061918d9454cdcc4" score = 75 quality = 75 tags = "FILE" @@ -236703,13 +237189,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1A041Db92237C18948109789F627B3Cd : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "62f6fbee-d3e2-57fe-9fe6-0f91a156e261" + id = "0a5a6b19-0fbe-5e0c-bfb1-ca201207f6c7" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7308-L7320" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f5e07eb58a68dea062522869c43daeddab666f12b078a4f2ce9aa37885e46cbd" + logic_hash = "f5e07eb58a68dea062522869c43daeddab666f12b078a4f2ce9aa37885e46cbd" score = 75 quality = 75 tags = "FILE" 
@@ -236727,13 +237213,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_06Df5C318759D6Ea9D090Bfb2Faf1D94 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "50ce81e8-8cfc-5fed-a042-7cdb97168ca8" + id = "8c1f226f-6fc0-5136-ac19-7d88d7505a8e" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7322-L7334" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3be08901a44c1c94cfb93e56075270ed974399ccc0a4dce15299456dad645822" + logic_hash = "3be08901a44c1c94cfb93e56075270ed974399ccc0a4dce15299456dad645822" score = 75 quality = 75 tags = "FILE" @@ -236751,13 +237237,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_330000026551Ae1Bbd005Cbfbd000000000265 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e2556e7a-5dfa-5985-945a-5c44ff7ce8d7" + id = "7f86e427-110f-5bcc-bb53-ca534f7444fc" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7337-L7351" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ae836069665d088c6a309efe5166e260836dce6398c51701b2274515bdaa2cbd" + logic_hash = "ae836069665d088c6a309efe5166e260836dce6398c51701b2274515bdaa2cbd" score = 75 quality = 75 tags = "FILE" 
@@ -236775,13 +237261,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_309368B122Ab63103Dddd4Ad6321A82C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "25eb5c39-86f9-5aff-b441-975df7588846" + id = "a9c2fa86-506e-503a-a864-8368f63662c4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7353-L7365" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_37a39d63e2bce6d4ce501e3032ee12fe8c5b39e8d8cb0f3e0c6d0be375bcffc8" + logic_hash = "37a39d63e2bce6d4ce501e3032ee12fe8c5b39e8d8cb0f3e0c6d0be375bcffc8" score = 75 quality = 75 tags = "FILE" @@ -236799,13 +237285,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_19F613Cf951D49814250701037442Ee2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "15990942-3df6-5a1b-b653-55544c78b580" + id = "780c515e-811c-5f44-97a2-9ed93a7d9d89" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7367-L7384" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1ea5f770ddbb7dba836049bec0c7b73cd5bc6a87514f8ea00288cb9d52d17651" + logic_hash = "1ea5f770ddbb7dba836049bec0c7b73cd5bc6a87514f8ea00288cb9d52d17651" score = 75 quality = 75 tags = "FILE" 
@@ -236825,13 +237311,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2D8Cfcf04209Dc7F771D8D18E462C35A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6460dc2f-8009-59aa-874e-07f11d062d42" + id = "6b2b25af-dae5-5055-851d-e515f6beee58" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7386-L7398" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e7eee6a6593c231c193145eeefd03a0f32c1d8cc103c97cfa26b5af7363c9b08" + logic_hash = "e7eee6a6593c231c193145eeefd03a0f32c1d8cc103c97cfa26b5af7363c9b08" score = 75 quality = 75 tags = "FILE" @@ -236849,13 +237335,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_06De439Ba2Df4Dcd8240C211D60Cdf5E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "574a8b84-acd7-5f61-9a20-8260a7d18e3d" + id = "90623074-58ac-51fd-9b80-881d3187dc74" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7400-L7412" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a2847853e2e9cc9e6909871b3f8e6de399fb76353e997b084c92dbcfe6c1a48f" + logic_hash = "a2847853e2e9cc9e6909871b3f8e6de399fb76353e997b084c92dbcfe6c1a48f" score = 75 quality = 75 tags = "FILE" 
@@ -236873,13 +237359,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00F454F2Fdc800B3454059D8889Bd73D67 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d9ac7733-d810-57b5-8124-35231afad48b" + id = "277ac503-91c4-5266-b8a4-c01a48b8df4d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7414-L7429" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_91b33a3e915a007d00482905471e124045a373fef9c8b0fe9a987196d2ec013a" + logic_hash = "91b33a3e915a007d00482905471e124045a373fef9c8b0fe9a987196d2ec013a" score = 75 quality = 75 tags = "FILE" @@ -236897,13 +237383,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3Afe693728F8406054A613F6736F89E3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ed61d542-cc09-52cd-a85c-22211f121438" + id = "64c4157e-2183-5f41-b938-df29e210ee80" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7431-L7443" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6993a13546a1eff8a4f770f224a14bffe7e3393f628337cff27cbf57ebab2a65" + logic_hash = "6993a13546a1eff8a4f770f224a14bffe7e3393f628337cff27cbf57ebab2a65" score = 75 quality = 75 tags = "FILE" 
@@ -236921,13 +237407,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Fd7F9Cac1E9Ce71Ac757F93266E3B13 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "71ab5969-4878-533f-b751-1c21ceec4395" + id = "6021f566-e297-5af4-b692-663480091296" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7445-L7457" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_319f858a15f8752d7637ab7036ed89b17c501c2422769339578e685fe6a57eea" + logic_hash = "319f858a15f8752d7637ab7036ed89b17c501c2422769339578e685fe6a57eea" score = 75 quality = 75 tags = "FILE" @@ -236945,13 +237431,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5Fbf16A33D26390A15F046C310030Cf0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "155c38e1-9f29-5a7a-8163-dd01f8077ba9" + id = "6c010106-141d-5121-9594-73edc872a381" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7459-L7471" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fc68fe14ec70de74a6dae7891dfbb82ee7974f37469cfa72d735e70e9194c405" + logic_hash = "fc68fe14ec70de74a6dae7891dfbb82ee7974f37469cfa72d735e70e9194c405" score = 75 quality = 75 tags = "FILE" 
@@ -236969,13 +237455,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_292Eb1133507F42E6F36C5549C189D5E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "73326ea9-79e3-590a-9533-28a9191706ad" + id = "60d3cc6e-bf58-55ae-a13b-0e22ecc8d5cd" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7473-L7485" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_456a09b1939d3f60e6ef735631eb681a9d15ea573552672fd14b19f60e8d8c73" + logic_hash = "456a09b1939d3f60e6ef735631eb681a9d15ea573552672fd14b19f60e8d8c73" score = 75 quality = 75 tags = "FILE" @@ -236993,13 +237479,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2Aaa455A172F7E3A2Dffb5C6B14F9C16 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "6614b600-df8e-5b7c-950f-76f6339ac42c" + id = "81c115a7-7ddf-58ba-b56e-a92652c7f217" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7487-L7499" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_dd10d388e9122585c8e5b2073725f50edbc85d0ca1e94a4b034e500e0e89b608" + logic_hash = "dd10d388e9122585c8e5b2073725f50edbc85d0ca1e94a4b034e500e0e89b608" score = 75 quality = 75 tags = "FILE" 
@@ -237017,13 +237503,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1Ef6392B2993A6F67578299659467Ea8 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "55980cb6-ab10-501f-b4b3-8929e42fc174" + id = "f5539ca9-d5cc-538e-8e53-3274791bfa2b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7501-L7513" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_eabfeb7abc968188276ba76cd94bd80aba340f5f920881fe13c0f7b093d65a55" + logic_hash = "eabfeb7abc968188276ba76cd94bd80aba340f5f920881fe13c0f7b093d65a55" score = 75 quality = 75 tags = "FILE" @@ -237041,13 +237527,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0F007898Afcba5F8Af8Ae65D01803617 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "381c150f-b563-5317-bce3-e2c327e33980" + id = "1c3fddc2-3348-5f94-bf3e-5ce95b6ef009" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7515-L7527" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_260dbdd3d295ace9c478cc27061065803c159957a1eb2f7965ee2b358f02a73c" + logic_hash = "260dbdd3d295ace9c478cc27061065803c159957a1eb2f7965ee2b358f02a73c" score = 75 quality = 75 tags = "FILE" 
@@ -237065,13 +237551,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00Aa1D84779792B57F91Fe7A4Bde041942 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a40c3096-eeba-555b-b1a7-d1b788ec56c4" + id = "57b4741a-a23d-51aa-ad83-3a7d80368290" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7529-L7543" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2e57d646910c570f421939fd0d47ddee60bc38bb2ca2ba1991bf334cf8d5574b" + logic_hash = "2e57d646910c570f421939fd0d47ddee60bc38bb2ca2ba1991bf334cf8d5574b" score = 75 quality = 75 tags = "FILE" @@ -237088,13 +237574,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0690Ee21E99B1Cb3B599Bba7B9262Cdc : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ebbc471c-9205-5309-96f8-5e181258f43b" + id = "0fa2103e-c04e-5380-b4e3-6ac35f0b71d8" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7545-L7556" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bc2aac1bd21f80d4233af37028820a36ebd56bceed9b1318e99e75b28b9408e3" + logic_hash = "bc2aac1bd21f80d4233af37028820a36ebd56bceed9b1318e99e75b28b9408e3" score = 75 quality = 75 tags = "FILE" 
@@ -237111,13 +237597,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_425Dc3E0Ca8Bcdce19D00D87E3F0Ba28 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "7055f575-a1ee-591e-9677-5b4e4e232172" + id = "41423db4-c475-558b-9a27-2b0ea59102ad" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7558-L7569" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0fc85d3d01b37ff7870cade6f8e0e756593ff0b5c9eea3b687ff52985caa20dd" + logic_hash = "0fc85d3d01b37ff7870cade6f8e0e756593ff0b5c9eea3b687ff52985caa20dd" score = 75 quality = 75 tags = "FILE" @@ -237134,13 +237620,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_00881573Fc67Ff7395Dde5Bccfbce5B088 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "167e4586-a004-58f3-9d2f-528576191932" + id = "10ef1865-9267-5f06-a1d5-9196b00f3dc6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7571-L7585" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5b137cccecb16ad116b73fa1f9025f76846b85009fbd4962956499031d6eff35" + logic_hash = "5b137cccecb16ad116b73fa1f9025f76846b85009fbd4962956499031d6eff35" score = 75 quality = 75 tags = "FILE" 
@@ -237157,13 +237643,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_15C5Af15Afecf1C900Cbab0Ca9165629 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "abe2e400-cf23-5c8d-9693-6978dda1c4ff" + id = "795fa78b-0cd4-5eb4-9d37-72b5c38e7466" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7587-L7599" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_cfc72a85954cb12d89a09b47b5937216a7cfee4a71ac6335a2a94faadea1f68c" + logic_hash = "cfc72a85954cb12d89a09b47b5937216a7cfee4a71ac6335a2a94faadea1f68c" score = 75 quality = 75 tags = "FILE" @@ -237181,13 +237667,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_12705Fb66Bc22C68372A1C4E5Fa662E2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "60070717-21bc-5816-8b7e-324da9d571dd" + id = "c9604f76-ad8a-5ac0-ba12-5030b12bedbf" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7601-L7613" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a212e491ce661dec5512f82eed42b1863afb75ce7fb185c41af178f3852b78c8" + logic_hash = "a212e491ce661dec5512f82eed42b1863afb75ce7fb185c41af178f3852b78c8" score = 75 quality = 75 tags = "FILE" 
@@ -237205,13 +237691,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_205483936F360924E8D2A4Eb6D3A9F31 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1c0cf950-4fc8-5060-9cdb-35f323804e37" + id = "5cce232b-4dfc-5931-a4ea-2e3df5616026" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7615-L7627" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_09bf63b88eda95aae094cecb868838f08b88a6b4fe2993145e20293034c12863" + logic_hash = "09bf63b88eda95aae094cecb868838f08b88a6b4fe2993145e20293034c12863" score = 75 quality = 75 tags = "FILE" @@ -237229,13 +237715,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_06Bcb74291D96096577Bdb1E165Dce85 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "a003178d-642f-581c-86bc-eef4af1b1f18" + id = "e7c24edc-2e59-5ee1-ad2f-d260b4014fdd" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7629-L7641" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_34f533f7c7e12aaac9a1998654fae6ffde366affa90e9cba061b356fa7190e71" + logic_hash = "34f533f7c7e12aaac9a1998654fae6ffde366affa90e9cba061b356fa7190e71" score = 75 quality = 75 tags = "FILE" 
@@ -237253,13 +237739,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0D261C8470Adbb65800Ceaf3Eac70819 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificate" author = "ditekSHen" - id = "6a29b7d5-c9e7-5cba-aed6-f6e4dea1f8b7" + id = "0304b3ae-6a3c-5831-a749-76432b3356b4" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7643-L7655" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e71f5d24500ac202aad5a439aa0d5f1bf7e6259c1d7e11bb40c7b9ae93bd86c0" + logic_hash = "e71f5d24500ac202aad5a439aa0d5f1bf7e6259c1d7e11bb40c7b9ae93bd86c0" score = 75 quality = 75 tags = "FILE" @@ -237277,13 +237763,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_40E27B7404Aa9B485F8A2Fc0C8E53Af3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "23d681a2-3f68-5012-b500-8627ab25ab76" + id = "1aee45e6-ff0b-56a6-a50e-284bf2122e3b" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7657-L7668" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_95a0bcf9b52ba8f4b63453abf0ee28027689450557a2408c6b27f8aafcbbe945" + logic_hash = "95a0bcf9b52ba8f4b63453abf0ee28027689450557a2408c6b27f8aafcbbe945" score = 75 quality = 75 tags = "FILE" 
@@ -237300,13 +237786,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_627Dfdf73A1455De5143A270799E6B7B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "2f8768ac-f0e2-5108-ba5a-6f46d5d4af26" + id = "7d5f0279-9498-5713-9c02-a025268d108f" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7670-L7681" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_833e772e56e87f730ee1acb9d6ed747d239903cfd9470d777efab73c5d656f49" + logic_hash = "833e772e56e87f730ee1acb9d6ed747d239903cfd9470d777efab73c5d656f49" score = 75 quality = 75 tags = "FILE" @@ -237323,13 +237809,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1966Bc76Bda1A708334792Da9A336F69 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4856380c-5461-5827-9e23-9f17a6f35f4f" + id = "254ccdb7-df1c-560a-af68-123ea66c3463" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7683-L7694" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d0293e76f8a595d769fd302829bd94a576d647bbacb586728e804bf4dce1af78" + logic_hash = "d0293e76f8a595d769fd302829bd94a576d647bbacb586728e804bf4dce1af78" score = 75 quality = 75 tags = "FILE" 
@@ -237346,13 +237832,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_82D224323Efa65060B641F51Fadfef02 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "eeb1caad-1c76-5d2b-b08c-4a29aaa16fe1" + id = "2c0b0e6d-2c82-506b-88ea-a6d49f0f64a6" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7696-L7710" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3ed849dfd905e01145274d41b3bbb2c0265b099e540ac17909b6ed59f006e245" + logic_hash = "3ed849dfd905e01145274d41b3bbb2c0265b099e540ac17909b6ed59f006e245" score = 75 quality = 75 tags = "FILE" @@ -237369,13 +237855,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Be2F22C152Bb218B898C4029056816A9 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "abdf4c7d-1b17-5df4-90d6-0156054ed178" + id = "50c0cee3-39d5-5c57-9515-11356f8cab93" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7712-L7726" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9eba1585d92b184afb7b75b84e0010539ac42ca27e4d5d8bccee6b01e3471cca" + logic_hash = "9eba1585d92b184afb7b75b84e0010539ac42ca27e4d5d8bccee6b01e3471cca" score = 75 quality = 75 tags = "FILE" 
@@ -237392,13 +237878,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_29E8E993D2406454B6B18Cb377471Bc6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "837be216-7f18-567b-88a7-e14b32b05b74" + id = "a80f015c-3793-52ac-a405-1a7fe2ca0caa" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7728-L7739" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bf248e664d00675d3fc87070b6358ca7539ef6e748b8bfafcba7ecb91cb1ea05" + logic_hash = "bf248e664d00675d3fc87070b6358ca7539ef6e748b8bfafcba7ecb91cb1ea05" score = 75 quality = 75 tags = "FILE" @@ -237415,13 +237901,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6Daa67498C3A5D8133F28Fefe9Ccc20E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "bfe85bb4-4950-59a9-b70a-88665684194d" + id = "5eb899b3-347d-5e74-8afa-29ffa73c7231" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7741-L7754" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_dc66a18e4f8d14f98e5a8073d32b641e0eb795e989fb62ac23207e765838561a" + logic_hash = "dc66a18e4f8d14f98e5a8073d32b641e0eb795e989fb62ac23207e765838561a" score = 75 quality = 75 tags = "FILE" 
@@ -237439,13 +237925,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_59F296D0Af649E0962D724248D9Fdcdb : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "48840741-5537-5674-85d1-95296b126b20" + id = "c9423cae-07a7-5ecb-966d-b1636563934a" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7756-L7769" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0212033b2ea12f568a3c2e4d3768194c8035c6b6ebf054af90fe82ffcd7e6a5b" + logic_hash = "0212033b2ea12f568a3c2e4d3768194c8035c6b6ebf054af90fe82ffcd7e6a5b" score = 75 quality = 75 tags = "FILE" @@ -237463,13 +237949,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_A32F3Ba229704Ad400473F7479E4C3E4 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "39092df2-663e-5641-9d6d-74511948b5cf" + id = "28d687bc-e67c-51d1-82af-53255ee44a8d" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7771-L7784" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9c7b9b6827e10a8c2a6d771d14068a074104683fe75f24dea85c5bf3f3bc04db" + logic_hash = "9c7b9b6827e10a8c2a6d771d14068a074104683fe75f24dea85c5bf3f3bc04db" score = 75 quality = 75 tags = "FILE" 
@@ -237487,13 +237973,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3Ab74A2Ebf93447Adb83554B5564Fe03 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "5604c445-201c-5ec2-8cfc-e9df815b2f2e" + id = "1b0be137-ddcf-5215-9cb0-d687d7b6ca6c" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7786-L7799" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8dbc549ecaf1cb3f07486bac7ed265882af4b6b29b9772736118490eb9233303" + logic_hash = "8dbc549ecaf1cb3f07486bac7ed265882af4b6b29b9772736118490eb9233303" score = 75 quality = 75 tags = "FILE" @@ -237511,13 +237997,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_90212473C706F523Fe84Bdb9A78A01F4 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "bc498f60-b2f8-5a57-a034-7ea3d3204052" + id = "f195cf1e-4e01-51ec-ae12-21ff56dd58e2" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7801-L7814" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8cd1e984bb81f071053614ae9d037d7ff5e01fb95aaa0474492386a7b5faecec" + logic_hash = "8cd1e984bb81f071053614ae9d037d7ff5e01fb95aaa0474492386a7b5faecec" score = 75 quality = 75 tags = "FILE" 
@@ -237535,13 +238021,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5C9F5F96726A6E6Fc3B8Bb153Ac82Af2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f359ef16-93eb-5e76-a57b-a9d2eb3b8857" + id = "f79e1a89-c7b4-5390-b20b-3f563f409cfe" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7816-L7829" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_da76d86509aee2f9cac992e6b081dce5e68c747ad34abd2daeb32e6e390b880b" + logic_hash = "da76d86509aee2f9cac992e6b081dce5e68c747ad34abd2daeb32e6e390b880b" score = 75 quality = 75 tags = "FILE" @@ -237559,13 +238045,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2A2F270535C2D5E7630720Fb229B5D1C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "2285f251-b7ff-509d-8d02-2fd6c534f544" + id = "3ed98546-92b2-5566-9716-ae8209ece9d6" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7831-L7844" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7d9785c12d2d744fbafab009edfb1ef232eadcdbc8eee99d0ad0daacabbabf26" + logic_hash = "7d9785c12d2d744fbafab009edfb1ef232eadcdbc8eee99d0ad0daacabbabf26" score = 75 quality = 75 tags = "FILE" 
@@ -237583,13 +238069,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4659Fa5Fc1E0397Df79Fd6A4083D93B0 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "f7e3e416-2b11-553c-a3e1-47c01cfce541" + id = "a0d2449c-c1b0-5e6a-9fa3-d8fe8e318c62" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7846-L7859" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6d8a10d77e63d2a62ce45606dd9a317220aa124a50fa95028a45d9f5899ec6e3" + logic_hash = "6d8a10d77e63d2a62ce45606dd9a317220aa124a50fa95028a45d9f5899ec6e3" score = 75 quality = 75 tags = "FILE" @@ -237607,13 +238093,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_651F3E5B491B197D20C49B9C7B25B775 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c95f617a-a8c8-5d4f-bd71-7d714ad1d244" + id = "fb8b4a88-631b-5a5c-ab36-286b74a3a346" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7861-L7874" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fe06e8f6fd87d5a9044a6ff609da73b7d9e7d1f07cc9e84ee2fd2940be615323" + logic_hash = "fe06e8f6fd87d5a9044a6ff609da73b7d9e7d1f07cc9e84ee2fd2940be615323" score = 75 quality = 75 tags = "FILE" 
@@ -237631,13 +238117,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_67936A84Bed66Ef021Dbe771De331772 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "1fcb52d4-ff12-544e-86df-a4c602847c7a" + id = "2739308a-7396-5fe2-bf1b-fe7e6e5d1f80" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7876-L7889" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_da149e6835be937e0bf2763052d4cbabb367910061aec3c394dffaa45d9b0ac6" + logic_hash = "da149e6835be937e0bf2763052d4cbabb367910061aec3c394dffaa45d9b0ac6" score = 75 quality = 75 tags = "FILE" @@ -237655,13 +238141,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_8538A6C5018F50Fc : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "af9d792c-078c-59d6-95a3-75d880f981a1" + id = "8790c06a-3b7a-5e40-9a9c-0f2064029daf" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7891-L7904" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2ef3c7a45eb1d46e6c159ec9692fa5c17ff7679f41d96d04de52aa52ce96fa6b" + logic_hash = "2ef3c7a45eb1d46e6c159ec9692fa5c17ff7679f41d96d04de52aa52ce96fa6b" score = 75 quality = 75 tags = "FILE" 
@@ -237679,13 +238165,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Fecc3B3C675F7Ffd7De22507F3Fdacd7 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f99a1bee-3dfc-50f3-b293-3b392dd35d46"
+ id = "b91a7dcd-6212-5750-9bc8-0eb37d9e129b"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7906-L7919"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1319f4ccb5ab07c1c538d6a183fa25726b3d42192eaa878a2c402be2c93219f7"
+ logic_hash = "1319f4ccb5ab07c1c538d6a183fa25726b3d42192eaa878a2c402be2c93219f7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237703,13 +238189,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5294F0F841F29855E33A18402421949A : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "62719793-83ca-50d9-9a55-cd81cb9de464"
+ id = "3153f039-afd2-5eb5-b090-b205d9778eb7"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7921-L7934"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b9d2b10c4117de276cb41148b41921115f414aa17e261956c8550adf6127d5b9"
+ logic_hash = "b9d2b10c4117de276cb41148b41921115f414aa17e261956c8550adf6127d5b9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237727,13 +238213,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1614Ef66B2C4B886E71A93Dd34869F48 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "062b741a-3c35-5d5a-87b2-6ea19ca0279f"
+ id = "27bead15-f7fa-55a1-9347-ea551e1e0e18"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7936-L7949"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_26265d54d8b58128c1a9a3b322f339d1beb438f403637519b11ff324af91d1e2"
+ logic_hash = "26265d54d8b58128c1a9a3b322f339d1beb438f403637519b11ff324af91d1e2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237751,13 +238237,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_65Cfd8419D70Ce4011D97Bc79D18315E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1f5ac78a-2817-5807-9a6e-4167b3f3401b"
+ id = "2368b3d1-1cd5-575b-a3ff-270349563d1a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7951-L7964"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_675ab6ef0f744f62db892992c6b3614e14b95f64e2800a0d10e55b915a2b4e74"
+ logic_hash = "675ab6ef0f744f62db892992c6b3614e14b95f64e2800a0d10e55b915a2b4e74"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237775,13 +238261,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_01Cf0B0F01B20B70Bfaa69722979Ef5C : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b5993055-861d-53b2-a7c0-70cea1e70d54"
+ id = "23f5047d-b8f9-5f17-9add-6e29dce9a976"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7966-L7979"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5942c0196d7264783590c599ccfb0fe6518b338238ddb3df4e4f8999922ce86b"
+ logic_hash = "5942c0196d7264783590c599ccfb0fe6518b338238ddb3df4e4f8999922ce86b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237799,13 +238285,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_698Ff388Adb50B88Afb832E76B0A0Ad1 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "46fd90be-0912-591a-b940-57eabf72c034"
+ id = "8118e0ee-6214-54f3-b025-234f9e685832"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7981-L7994"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7734256201739dece5ae039d45ed79c74be6228f7da51fc82c0cfd2d4aacfd4b"
+ logic_hash = "7734256201739dece5ae039d45ed79c74be6228f7da51fc82c0cfd2d4aacfd4b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237823,13 +238309,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5143Cf38D5Fd26858830826632Be9Fda : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "695c787a-d21b-5b04-bd66-287c3fb6ef4b"
+ id = "653a969a-9aed-5a26-9962-92bc173ddfdd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L7996-L8009"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b6f33fd94f8098ca9d4fe98b3dc0a833f0be78fe854c62d715b98a2ba980b8ac"
+ logic_hash = "b6f33fd94f8098ca9d4fe98b3dc0a833f0be78fe854c62d715b98a2ba980b8ac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237847,13 +238333,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3628B93Bcd902B6B3E1Ffdf2E13Dfcf5 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "96874d78-a12e-5737-a4f4-02afcb498c0f"
+ id = "8b8fa36d-181b-57a1-853e-ab11a5127fd7"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8011-L8024"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bf9b2ab7a379437daa04565fdf7adc04db2f6f1a6284d1fd91f037b255523c42"
+ logic_hash = "bf9b2ab7a379437daa04565fdf7adc04db2f6f1a6284d1fd91f037b255523c42"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237871,13 +238357,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_A32B8B4F1Be43C23Eb2848Ab4Ef06Bb2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "cf3b9c47-c74c-5eee-b793-f0f78870b509"
+ id = "f0baf7ea-7022-5834-a46c-b67bfbe706d0"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8026-L8039"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_438667b55f23b689627fc1e5bce0e53b960ef51d1a7d3203e398c59bd94ffe93"
+ logic_hash = "438667b55f23b689627fc1e5bce0e53b960ef51d1a7d3203e398c59bd94ffe93"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237895,13 +238381,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_17Ccecc181Ed65A357Edf3B01Df62Cc9 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f9041d83-57ed-51c6-9f89-f33515549c75"
+ id = "b692d8dd-e7c9-53cb-8c65-0001c2af3f6f"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8041-L8054"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d79968633717744ab9e9006f8d958c1e240a1e0f99fd0b4c603d42bb7cd4773c"
+ logic_hash = "d79968633717744ab9e9006f8d958c1e240a1e0f99fd0b4c603d42bb7cd4773c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237919,13 +238405,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_332Bd5801E8415585E72C87E0E2Ec71D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "0dc6c1c6-a5ce-5b87-b06f-09060437aec4"
+ id = "a4e1560f-12e4-5f49-a714-7df939dad513"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8056-L8069"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ad3b1aebedd1ecef9af96da991cdbaca8033e0d48b5e7b776dd3fd3c4024928e"
+ logic_hash = "ad3b1aebedd1ecef9af96da991cdbaca8033e0d48b5e7b776dd3fd3c4024928e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237943,13 +238429,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0139Dde119Bb320Dfb9F5Defe3F71245 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "5400edcd-db34-5f5b-9d47-d7b057e2b9ef"
+ id = "4962ea0c-ce99-57d3-8848-48dcaab4f346"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8071-L8084"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b2a7154d73eb9271a181d71d65c73e399bb2f7d1fe031240e94b6ef4c4f7cb18"
+ logic_hash = "b2a7154d73eb9271a181d71d65c73e399bb2f7d1fe031240e94b6ef4c4f7cb18"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237967,13 +238453,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2F96A89Bfec6E44Dd224E8Fd7E72D9Bb : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "adbd9cc3-3b69-5627-a0e9-4dac3432c00c"
+ id = "a905ee22-94c6-5d16-a9a4-a1c1528e4ac2"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8086-L8099"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_94a5721bd3089f46699a947afcd03287712f94754666809e6495b01fc9cd6dcf"
+ logic_hash = "94a5721bd3089f46699a947afcd03287712f94754666809e6495b01fc9cd6dcf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -237991,13 +238477,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_626735Ed30E50E3E0553986D806Bfc54 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "23ee05fa-d51e-5c46-aa4e-424d21762673"
+ id = "5cab852e-8483-5c38-a396-3a53cf64450a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8101-L8114"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_960005fe1a28ddb50261aeaaa850a2410ac03ee9709af2a75485313676c92c53"
+ logic_hash = "960005fe1a28ddb50261aeaaa850a2410ac03ee9709af2a75485313676c92c53"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238015,13 +238501,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4A2E337Fff23E5B2A1321Ffde56D1759 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1610c800-7ca1-5c4a-94b8-9dae440941cc"
+ id = "60d218b2-5297-59e6-9370-fc0ba036c688"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8116-L8129"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_524048d39de89002efbb8bf75135551b300e03f1126e5e117a4682c79ec04c9a"
+ logic_hash = "524048d39de89002efbb8bf75135551b300e03f1126e5e117a4682c79ec04c9a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238039,13 +238525,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_967Cb0898680D1C174B2Baae5Fa332Db : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "3e4df6a9-dd04-5abc-814d-eba54382f6c7"
+ id = "a95f7912-89fc-5c80-96ab-19e6ee2ccafd"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8131-L8144"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8c68127b29d1a1aa4c1e2033c809fa57466f224c2bb4ede0ffb2b572a3d58c0f"
+ logic_hash = "8c68127b29d1a1aa4c1e2033c809fa57466f224c2bb4ede0ffb2b572a3d58c0f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238063,13 +238549,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_890570B6B0E2868A53Be3F8F904A88Ee : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "77915577-ba4d-5a6e-85a9-64d3c70129c6"
+ id = "8d619117-00cb-5276-87c1-3f6cd701218d"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8146-L8159"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_952b211cc2c7988b9a09ca5a96c44fea24bbaced28a79ab0ae6732675fda7365"
+ logic_hash = "952b211cc2c7988b9a09ca5a96c44fea24bbaced28a79ab0ae6732675fda7365"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238087,13 +238573,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_7D27332C3Cb3A382A4Fd232C5C66A2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e9e60dae-3f4e-57d1-a8f3-5b3e9e38a38d"
+ id = "d9f0d30b-ac9d-57f9-8220-c6a376fe68db"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8161-L8174"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d21218469ae41def8eed3d2cff38744ae928d9e8fed8ff68c539d33193136e0f"
+ logic_hash = "d21218469ae41def8eed3d2cff38744ae928d9e8fed8ff68c539d33193136e0f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238111,13 +238597,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_40F5660A90301E7A8A8C3B42 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "ace92961-3499-5d7c-abae-8a5a1382b5ca"
+ id = "c3c8fbdf-49ca-5898-b267-74256154973a"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8176-L8189"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ed584aa8ad833066ed9f7ddbf98dc75efe88e0b7e69f564a90eade63dc2aee2d"
+ logic_hash = "ed584aa8ad833066ed9f7ddbf98dc75efe88e0b7e69f564a90eade63dc2aee2d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238135,13 +238621,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Dfc1F1B0F205Cc17Ed7D216Bb991F859 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "de291853-786c-5e81-a7a7-af94a409a333"
+ id = "93d5fd87-af92-5449-9d02-4666afa38fff"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8191-L8204"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_24783267ab27f8102f724810322a7fbb010b7a2abf59ad206b96a3eb75968907"
+ logic_hash = "24783267ab27f8102f724810322a7fbb010b7a2abf59ad206b96a3eb75968907"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238159,13 +238645,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_E573D9C8B403C41Bd59Ffa0A8Efd4168 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "29553e84-bc51-57b1-b8f7-d80bb1278aec"
+ id = "683ea9a6-2002-5c48-8512-51f65e70dd2c"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8206-L8219"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ec53ab007d8be2f3cad45e787e724c5af0dd3f18c2b66a179b822bdeeb0d1560"
+ logic_hash = "ec53ab007d8be2f3cad45e787e724c5af0dd3f18c2b66a179b822bdeeb0d1560"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238183,13 +238669,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_2F38De4Ced0B070973B9E9B9B1Dcfa7F : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "976d6f30-2b2f-5a16-8d4a-4b119693fd3b"
+ id = "39910712-4a11-5722-9b48-c069bfcefb14"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8221-L8234"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_84c3d89e8393bcaddea53326730d795f482ec65c574fde5c1c81f395178b591a"
+ logic_hash = "84c3d89e8393bcaddea53326730d795f482ec65c574fde5c1c81f395178b591a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238207,13 +238693,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_53E1F226Cb77574F8Fbeb5682Da091Bb : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "80250bc3-3381-5443-a2f7-9a546e7a1637"
+ id = "6967042e-156b-541d-970c-491dece12f08"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8236-L8249"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_41f4902e9d02254efdfd19a73de16e1128b15d264c3ed128d5ec28bd92f2d8a4"
+ logic_hash = "41f4902e9d02254efdfd19a73de16e1128b15d264c3ed128d5ec28bd92f2d8a4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238231,13 +238717,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Df2547B2Cab5689A81D61De80Eaaa3A2 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "91e612cd-5ec6-5160-aaf5-8c2fa86ebe76"
+ id = "4eba17f8-df3c-552d-90b5-faef7b860203"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8251-L8264"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c32a6510bd3cfd09e84ccf36140eb405945059c981fb1888298501493f6ef68f"
+ logic_hash = "c32a6510bd3cfd09e84ccf36140eb405945059c981fb1888298501493f6ef68f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238255,13 +238741,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_58Af00Ce542760Fc116B41Fa92E18589 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "a463b7a8-c7d3-550b-9a84-351b410980ac"
+ id = "62fd5f76-b890-5532-8c6f-e26942584899"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8266-L8279"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bcabd77b40ad9eae4c499c8cd4b3e3d39e5478fa590be536860375e890c1b62e"
+ logic_hash = "bcabd77b40ad9eae4c499c8cd4b3e3d39e5478fa590be536860375e890c1b62e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238279,13 +238765,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5B1F9Ec88D185631Ab032Dbfd5166C0D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "13ec6f6c-0bd8-59a7-82bb-cecaa34e3011"
+ id = "233466e6-7b5f-50d7-967a-976b698e9194"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8281-L8294"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_05428b4e636a60fb409ead0f4aeb25ed08dae24d58c98a17bb77aa521706763a"
+ logic_hash = "05428b4e636a60fb409ead0f4aeb25ed08dae24d58c98a17bb77aa521706763a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238303,13 +238789,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Ff52Eb011Bb748Fee75153Cbe1E50Dd6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "9f83889c-a042-552c-9d20-8a68327283a6"
+ id = "452d9f84-a950-5503-adaf-fba95b45e798"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8296-L8309"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e439f15c3312ed3a1840967bb165300a491ffe3d1c9c629abcbebf3efd9b1f50"
+ logic_hash = "e439f15c3312ed3a1840967bb165300a491ffe3d1c9c629abcbebf3efd9b1f50"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238327,13 +238813,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Eda0F47B3B38E781Cdf6Ef6Be5D3F6Ee : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "5469e3d3-e25a-51c5-abea-d14602239a9b"
+ id = "4d845dd7-4153-5082-bff0-d5f9a7b4b46e"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8311-L8324"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7b53d30e5b6176eaae854bf4046339864225b417a147fe6f24fb51dfb0535911"
+ logic_hash = "7b53d30e5b6176eaae854bf4046339864225b417a147fe6f24fb51dfb0535911"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238351,13 +238837,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4728189Fa0F57793484Cdf764F5E283D : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1539391a-0803-5716-a490-8ee29bb45fcb"
+ id = "02ec531e-aa1b-50b8-ae32-d885a0185cfe"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8326-L8339"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_181971946ee4d643430b733ed57ccf07c940205853c9e5102b08b7bc509bcc63"
+ logic_hash = "181971946ee4d643430b733ed57ccf07c940205853c9e5102b08b7bc509bcc63"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238375,13 +238861,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_24E4A2B3Db6Be1007B9Ddc91995Bc0C8 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "208b7c23-ecd7-50c0-ac4f-f2707b5b225a"
+ id = "47ca5986-3de8-56f2-a15d-ef588d8a9e03"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8341-L8354"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_71d1f8e9113170f410007b31c0d7316c537001b2a761f1e35d6bd2aa0b39f2d9"
+ logic_hash = "71d1f8e9113170f410007b31c0d7316c537001b2a761f1e35d6bd2aa0b39f2d9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238399,13 +238885,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0772B4D1D63233D2B8771997Bc8Da5C4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "b9fe9b85-56c1-5843-9c70-cb1d3e07e184"
+ id = "a05a2bc4-a4a3-5e86-9a1c-ed82de7786df"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8356-L8369"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_056fefbc03cff00a40ea9bb65893b92fcc15134c7cf7bf7dedf98f43b44bc03d"
+ logic_hash = "056fefbc03cff00a40ea9bb65893b92fcc15134c7cf7bf7dedf98f43b44bc03d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238423,13 +238909,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_1Deea179F5757Fe529043577762419Df : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "f2f38adb-8998-59de-97db-334a24a92103"
+ id = "a6b9b9e4-0998-5f67-8c12-7628ba3a5a56"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8371-L8384"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b521363d1d38a4ed1b2b4126aec85ed6bffc23dc4e30f6f6c942e1fa96b0dd8d"
+ logic_hash = "b521363d1d38a4ed1b2b4126aec85ed6bffc23dc4e30f6f6c942e1fa96b0dd8d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238447,13 +238933,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_061A27A3A3771Bb440Fc16Cadf2675C4 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "484687a7-7733-500f-9f71-ec555c770f85"
+ id = "ef600135-6f5d-59a9-b387-60e8eb97cbf9"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8386-L8399"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d85b9d2b6fe4ce99670a8f51e84d63f1ec6d0341a3715eeed3e3d6a0fda93dc5"
+ logic_hash = "d85b9d2b6fe4ce99670a8f51e84d63f1ec6d0341a3715eeed3e3d6a0fda93dc5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238471,13 +238957,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_06675181E7B5E1030B3D40926E2A47D3 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "e11fc6de-d136-506f-9d77-4e9945620504"
+ id = "2452580b-bbe8-5d54-888e-6f8fffb055cf"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8401-L8414"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_14d963fd03187afb7afabc208e36d8bb45ec818b27782a6c3037229f82bf22d6"
+ logic_hash = "14d963fd03187afb7afabc208e36d8bb45ec818b27782a6c3037229f82bf22d6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238495,13 +238981,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Dbc03Ca7E6Ae6Db6 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "8e96ce83-856c-5256-bb34-6f4b792c0aef"
+ id = "801bc9fc-0bd6-5c46-8c45-8cb06cfc4309"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8416-L8429"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7d188663b00870e98984b4be4c72b0fd183b5fb8dd61512c1d65d386f1ebad0a"
+ logic_hash = "7d188663b00870e98984b4be4c72b0fd183b5fb8dd61512c1d65d386f1ebad0a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238519,13 +239005,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_26F855A25890B749578F13E4B9459768 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "41d10184-f83b-56cf-b63d-72726197047a"
+ id = "2953afc3-6a46-5126-8f82-52f8dc1f89d6"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8431-L8444"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2de5a2d4d692c14660a9ec3ed18a7d2d6741a862c86812fcd640b1378281c328"
+ logic_hash = "2de5a2d4d692c14660a9ec3ed18a7d2d6741a862c86812fcd640b1378281c328"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238543,13 +239029,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_25Ba18A267D6D8E08Ebc6E2457D58D1E : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "9d334b85-14e7-5739-9d40-2e1d24487ea5"
+ id = "d2c4907e-cec2-5386-96d3-8c122c7557fa"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8446-L8459"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_38bdfa2291c7c3f81b29d41c65814002db3e4de11928699d2d946e87d313558d"
+ logic_hash = "38bdfa2291c7c3f81b29d41c65814002db3e4de11928699d2d946e87d313558d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238567,13 +239053,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A2787Fbb4627C91611573E323584113 : FILE
 meta:
 description = "Detects executables signed with stolen, revoked or invalid certificates"
 author = "ditekSHen"
- id = "1096ef5d-ec18-53d5-9427-1e8a111bc000"
+ id = "5da7ac8f-34f7-5949-9987-32e983a77ebe"
 date = "2024-10-04"
 modified = "2024-10-04"
 reference = "https://bazaar.abuse.ch/faq/#cscb"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8461-L8474"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e4ea9149f28798b48482ff68c3e08593a4510e3bd01e49ebdca7d450f15537e4"
+ logic_hash = "e4ea9149f28798b48482ff68c3e08593a4510e3bd01e49ebdca7d450f15537e4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -238591,13 +239077,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C81319D20C6F1F1Aec3398522189D90C : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e8553f30-9275-592f-9316-44c934db86b6" + id = "d93f571b-49f6-5a8b-9478-1054ede2257f" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8476-L8489" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1271d0cc05d35a70a90f605e7c68fc52605570e453e9e67fbeb74762a88a0a96" + logic_hash = "1271d0cc05d35a70a90f605e7c68fc52605570e453e9e67fbeb74762a88a0a96" score = 75 quality = 75 tags = "FILE" @@ -238615,13 +239101,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_77550Ed697992B397E3F1Ad8E2A662D1 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3abf41cb-6321-5597-a6c3-37c2a54ce91a" + id = "1d969340-de5e-569e-bfed-a80a1623d1b4" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8491-L8504" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_87a70f10a111c4c5d1c3fb5b1c2a9da528f7d484ae6391c91e4052aba5c6bbe0" + logic_hash = "87a70f10a111c4c5d1c3fb5b1c2a9da528f7d484ae6391c91e4052aba5c6bbe0" score = 75 quality = 75 tags = "FILE" 
@@ -238639,13 +239125,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_B1Bbef3Aba79Ab2Eae5B8015F26B34F8 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4f9702ff-2763-54bc-9391-036b2c0a9bbb" + id = "382952bd-ffb3-5ff7-aff1-cf9fe8f20d1d" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8506-L8519" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_34b00243f0b5e8d09938f1500871797125644f839298427c877801027638fd34" + logic_hash = "34b00243f0b5e8d09938f1500871797125644f839298427c877801027638fd34" score = 75 quality = 75 tags = "FILE" @@ -238663,13 +239149,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_05D50A0E09Bb9A836Ffb90A3 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "cf89003b-0942-5f05-bc6e-1425a77e426f" + id = "f6947bf1-7f20-5be5-a242-c1025be40055" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8521-L8534" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fc38ae0c9d4fc26739deab65ae3669f272e999b76dbc521dae04b9a3e3e7cef0" + logic_hash = "fc38ae0c9d4fc26739deab65ae3669f272e999b76dbc521dae04b9a3e3e7cef0" score = 75 quality = 75 tags = "FILE" 
@@ -238687,13 +239173,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_623Eae6A66D3A6Ee80Df9Ccebe51181E : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "074f321b-ccbd-5dc2-ac8d-a596b082d8dd" + id = "7c3b85e4-8ce7-5c48-8f3b-e237a5cae9a0" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8536-L8549" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_79fceab5a19025d25abb12a8e6f57f8a930d348d538d9c556b6d4fc461af66f2" + logic_hash = "79fceab5a19025d25abb12a8e6f57f8a930d348d538d9c556b6d4fc461af66f2" score = 75 quality = 75 tags = "FILE" @@ -238711,13 +239197,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0A392F03Ded5D73Cdeeda75052A57176 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "223b271f-6580-5dd8-98a1-637f14bcd7f5" + id = "c0a8cc1c-7427-589b-9e32-8679e9cdf251" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8551-L8564" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ea0159ec1c4670c1e961a87131998fa796cf205eaa8a06bf829c61c9694fa5ef" + logic_hash = "ea0159ec1c4670c1e961a87131998fa796cf205eaa8a06bf829c61c9694fa5ef" score = 75 quality = 75 tags = "FILE" 
@@ -238735,13 +239221,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_E9268Ed63A7D7E9Dfd40A664Ddfbaf18 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "83747e83-fdc6-597b-8e24-25fb31a27c7f" + id = "59e63c76-1051-5274-b886-fcd75c8b0b38" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8566-L8579" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_62b9ea3c5197635db2101972af951f4afbd9b311b3c8286525bbd5b5baa17c41" + logic_hash = "62b9ea3c5197635db2101972af951f4afbd9b311b3c8286525bbd5b5baa17c41" score = 75 quality = 75 tags = "FILE" @@ -238759,13 +239245,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Da156922F4760E0C5F5Bcf79812A27E1 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d7982bb0-0b74-5a9d-b397-42a7599d22aa" + id = "065bacbc-3004-53c1-ba73-4779743e8221" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8581-L8594" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f6dd0f2373e412a753cbe5e27152f48d6c8980de9b26e5ab212b926e7e41c813" + logic_hash = "f6dd0f2373e412a753cbe5e27152f48d6c8980de9b26e5ab212b926e7e41c813" score = 75 quality = 75 tags = "FILE" 
@@ -238783,13 +239269,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5226A724Cfa0B4Bc0164Ecda3F02A3Dc : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "13daa1c5-441a-5fce-84fb-a0296dbb2121" + id = "37d1061f-80b1-5944-bde3-6279633e321a" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8596-L8609" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8fa1dad2cd4c1406c1346bbe0fef88eba415437d159cf9010dcfaaa7210aef0e" + logic_hash = "8fa1dad2cd4c1406c1346bbe0fef88eba415437d159cf9010dcfaaa7210aef0e" score = 75 quality = 75 tags = "FILE" @@ -238807,13 +239293,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_121070Be1E782F206985543Bc7Bc58B6 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "9882a510-1240-5281-b064-165378b9499a" + id = "8432c7f0-ee2e-5935-8fe8-36b0094a5e1a" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8611-L8624" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_21eb6fed2225d2ab056948603b0990c2eb7dc9289da9a9df16f0d6cd042b3778" + logic_hash = "21eb6fed2225d2ab056948603b0990c2eb7dc9289da9a9df16f0d6cd042b3778" score = 75 quality = 75 tags = "FILE" 
@@ -238831,13 +239317,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_15C21Dab7F4E644E4B35C4858004D8A9 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "796e7648-0806-5185-95dc-d4ca0261b2fb" + id = "7dac5657-038f-5cbd-a854-cdb12921121e" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8626-L8639" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_646a858b10de89da4e639d3902ada78fad3a45868f0d7782546a865396cf226c" + logic_hash = "646a858b10de89da4e639d3902ada78fad3a45868f0d7782546a865396cf226c" score = 75 quality = 75 tags = "FILE" @@ -238855,13 +239341,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_101D6A5A29D9A77807553Ceac669D853 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "3313354a-0bd4-52f5-b3e5-92efbc79413a" + id = "8554ce79-fd87-54ac-b538-e2899fe95414" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8641-L8654" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_be6b5a98d5c218c39d8f10bc2a0e443bc8be8a591ab368ee902de4a45a95c8d2" + logic_hash = "be6b5a98d5c218c39d8f10bc2a0e443bc8be8a591ab368ee902de4a45a95c8d2" score = 75 quality = 75 tags = "FILE" 
@@ -238879,13 +239365,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_4679C5398A279318365Fd77A84445699 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "c8570757-30da-5147-9edd-4d17ad8467b7" + id = "ff4061e7-5e45-596f-9d40-c33661a18e71" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8656-L8669" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1c591cbb2d35d8dad01ff4ea8c71c8b3a0a5f999f1edfcfc038e47f96d3a3a67" + logic_hash = "1c591cbb2d35d8dad01ff4ea8c71c8b3a0a5f999f1edfcfc038e47f96d3a3a67" score = 75 quality = 75 tags = "FILE" @@ -238903,13 +239389,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_282A8A04073Eced658B9770Bda8C0D28 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8b8b2a99-526c-5f1b-bc84-6b1e56b13f1b" + id = "d735ccfc-3f5e-5858-95ec-f385172ea8e6" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8671-L8684" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4cfebe55887a2a09293678e4dff2f93f22bec151dada7c84a41ac6deb10b7cc3" + logic_hash = "4cfebe55887a2a09293678e4dff2f93f22bec151dada7c84a41ac6deb10b7cc3" score = 75 quality = 75 tags = "FILE" 
@@ -238927,13 +239413,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0C48732873Ac8Ccebaf8F0E1E8329Cec : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "84842403-533f-59fe-9bbe-93c03177a812" + id = "dacde33d-3925-52c6-87fd-9f3ead6bfab0" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8686-L8699" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_64c61d1bb48d790a2a3da85c6e57b542f0ee8a85296fc3e8c17ea18d8241790d" + logic_hash = "64c61d1bb48d790a2a3da85c6e57b542f0ee8a85296fc3e8c17ea18d8241790d" score = 75 quality = 75 tags = "FILE" @@ -238951,13 +239437,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Da20761Afbb0463C55B1Ea88Bbc7Ec57 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "e8dae21c-ab39-5b6c-a430-80cadc85bbbe" + id = "63e4b8f6-64f1-58a2-920a-e1d4b113380b" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8716-L8729" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a4f6bb9742ab40e8003ea14f9645f0c7f885b461fbeb01164b86ddacbda1113f" + logic_hash = "a4f6bb9742ab40e8003ea14f9645f0c7f885b461fbeb01164b86ddacbda1113f" score = 75 quality = 75 tags = "FILE" 
@@ -238975,13 +239461,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_C51F4Cf4D82Bc920421E1Ad93E39D490 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ab006b8e-956f-5ade-bae8-a30743de4f18" + id = "cbb6cb90-b0f0-5271-81ae-8639c28a5df1" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8731-L8744" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b9152998eb3c4ba2b6e7571ed03c63ae1ade2f922df6901f8e46b08f41474f7b" + logic_hash = "b9152998eb3c4ba2b6e7571ed03c63ae1ade2f922df6901f8e46b08f41474f7b" score = 75 quality = 75 tags = "FILE" @@ -238999,13 +239485,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_69A72F5591Ad78A0825Fbb9402Ab9543 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "8142b303-c541-5fac-b887-38c95380e75d" + id = "a30ca6aa-3bf4-5fa2-8297-7b983410e5d4" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8746-L8759" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b2a8c08a612f7352a159a9d3f7d9152d9de043db1ec69e4bb2493533453f8f5c" + logic_hash = "b2a8c08a612f7352a159a9d3f7d9152d9de043db1ec69e4bb2493533453f8f5c" score = 75 quality = 75 tags = "FILE" 
@@ -239023,13 +239509,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_8Cece6Df54Cf6Ad63596546D77Ba3581 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "69fa7e29-f4cd-5c68-9ddc-3af699a6da8f" + id = "c5c19072-5a2f-5851-83bf-25a9e2fd9033" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8761-L8774" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1980b3ef7df1bfa43d401fdd8393cb8ffb5c919d558c23314ffb9e823cf9590d" + logic_hash = "1980b3ef7df1bfa43d401fdd8393cb8ffb5c919d558c23314ffb9e823cf9590d" score = 75 quality = 75 tags = "FILE" @@ -239047,13 +239533,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_Db95B22362D46A73C39E0Ac924883C5B : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4aedba4c-01eb-5a7c-bcdb-617c0a5296f5" + id = "df60473d-da8a-59c1-84d1-717d52d2411d" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8776-L8789" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_29015f6e11f2c93cc12e39cf50a1bda3bd4aa0bb7df0d7374223031361067495" + logic_hash = "29015f6e11f2c93cc12e39cf50a1bda3bd4aa0bb7df0d7374223031361067495" score = 75 quality = 75 tags = "FILE" 
@@ -239071,13 +239557,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_D3Aee8Abb9948844A3Ac1C04Cc7E6Bdf : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "b254df88-40e1-53b5-bf62-91a19da243f8" + id = "8b17b23f-3296-55b2-8e7b-40e13a14a610" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8791-L8804" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9af0b27e96575298a31b53f6f88cdb20934db75637abdd0acb40bb3c6921542c" + logic_hash = "9af0b27e96575298a31b53f6f88cdb20934db75637abdd0acb40bb3c6921542c" score = 75 quality = 75 tags = "FILE" @@ -239095,13 +239581,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_6000F8C02B0A15B1E53B8399845Faddf : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "458c632e-2c0a-5d06-8c1a-1d8d0e7ac3b1" + id = "6d4224bd-1522-5b0f-b39e-1ba4ec0f1a63" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8806-L8819" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a8687b2aa02909af5fc7c706f31c419c4af48225abe7415bf262de57bb85258f" + logic_hash = "a8687b2aa02909af5fc7c706f31c419c4af48225abe7415bf262de57bb85258f" score = 75 quality = 75 tags = "FILE" 
@@ -239119,13 +239605,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_F6Ad45188E5566Aa317Be23B4B8B2C2F : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "737e9eff-3536-56a4-8840-f261e43b670b" + id = "d4afb6ed-1cfd-5c49-8959-0cf136d0e9f0" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8821-L8834" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7afafea141727e2ed4c1975a18aa77b282c7d9ece5729dbd96cbb49cc2b393f1" + logic_hash = "7afafea141727e2ed4c1975a18aa77b282c7d9ece5729dbd96cbb49cc2b393f1" score = 75 quality = 75 tags = "FILE" @@ -239143,13 +239629,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_74Fc9257Bc86F8C618501695Ad4B1606 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "351ba635-227b-5e6f-9129-997ceeb7ad18" + id = "c0ed5369-ca51-50b8-941a-580262b4f644" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8836-L8849" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d6a9956d8bcc717186c205d07b94df1df4818bee58f98bdc128ec569331ab5e6" + logic_hash = "d6a9956d8bcc717186c205d07b94df1df4818bee58f98bdc128ec569331ab5e6" score = 75 quality = 75 tags = "FILE" 
@@ -239167,13 +239653,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3B0914E2982Be8980Aa23F49848555E5 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "4d02c5c6-0bc4-5ba1-8293-481b0e5c11c4" + id = "bda3e8b2-5d1b-5898-a4c3-318fc88506b8" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8851-L8864" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b1ced5176720e0a3bd475172a167675de8211987fbae11b93eab1fba6b3629f5" + logic_hash = "b1ced5176720e0a3bd475172a167675de8211987fbae11b93eab1fba6b3629f5" score = 75 quality = 75 tags = "FILE" @@ -239191,13 +239677,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_029Bf7E1Cb09Fe277564Bd27C267De5A : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "591ee9d6-d734-5ac3-8ed3-f8f9c577660d" + id = "19d1012f-9a9e-5d84-885c-2571bfd1876c" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8866-L8879" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a8c817dc99d55dcbea31334cc10b6a7ae3b5cf831e28cb2daf9d4b06fb4bec60" + logic_hash = "a8c817dc99d55dcbea31334cc10b6a7ae3b5cf831e28cb2daf9d4b06fb4bec60" score = 75 quality = 75 tags = "FILE" 
@@ -239215,13 +239701,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_984E84Cfe362E278F558E2C70Aaafac2 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "ad4608d5-4a33-54fa-9227-98d2d874eb4c" + id = "3d071d42-b96a-5491-96f5-4605b6b5584e" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8881-L8894" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a3a42c5b6ad094deb2a9f33789b6f7e52f76e65b2336372341f16389cef40f88" + logic_hash = "a3a42c5b6ad094deb2a9f33789b6f7e52f76e65b2336372341f16389cef40f88" score = 75 quality = 75 tags = "FILE" @@ -239239,13 +239725,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_45245Eef53Fcf38169C715Cf68F44452 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "758c3442-b10b-5d94-9020-b1765a0a8af6" + id = "3e92744d-1eb8-511a-b933-6dbe1e74fcfd" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8896-L8909" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7667563aa02be9a85ba286bc16eb37380d5988b32f0ce27b1dbd9ae18b8b9175" + logic_hash = "7667563aa02be9a85ba286bc16eb37380d5988b32f0ce27b1dbd9ae18b8b9175" score = 75 quality = 75 tags = "FILE" 
@@ -239263,13 +239749,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0406C4A1521A38C8D0C4Aa214388E4Dc : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "aad5ef49-0861-5666-94c5-a9423a360a04" + id = "108dd1b8-110a-5680-bd96-5517392300fa" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8911-L8924" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3db3a4f424d2974b746b8290a461f777eb88e0d8c6048e6e51e561c1f91b7747" + logic_hash = "3db3a4f424d2974b746b8290a461f777eb88e0d8c6048e6e51e561c1f91b7747" score = 75 quality = 75 tags = "FILE" @@ -239287,13 +239773,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_5Ef27Fc51Ee80B30430947C9967Db440 : FILE meta: description = "Detects executables signed with stolen, revoked or invalid certificates" author = "ditekSHen" - id = "d0091626-6584-5221-9833-4425fc172f60" + id = "53f7b334-8feb-5581-a64c-5db6558a6434" date = "2024-10-04" modified = "2024-10-04" reference = "https://bazaar.abuse.ch/faq/#cscb" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8926-L8939" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e282054102d852c0f66435148ce97050b15fb6f60f5d1bfc875b02de9c50c297" + logic_hash = "e282054102d852c0f66435148ce97050b15fb6f60f5d1bfc875b02de9c50c297" score = 75 quality = 75 tags = "FILE" 
@@ -239311,13 +239797,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_672237253A9B7Ef9D02D7D1Cb27A3Ff4 : FILE meta: description = "No description has been set in the source file - DitekSHen" author = "ditekSHen" - id = "996a2841-63e9-560a-8157-47aba5974a7b" + id = "590b3764-c4e2-59a5-b263-bc3e0d57c85a" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8941-L8952" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9b989f8d89c566980f3f7e6490f0271ab0f531fb2717b55e6f3b7ff6fadd9144" + logic_hash = "9b989f8d89c566980f3f7e6490f0271ab0f531fb2717b55e6f3b7ff6fadd9144" score = 75 quality = 75 tags = "FILE" @@ -239334,13 +239820,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_708737C791C878D6Dd7B7C43 : FILE meta: description = "No description has been set in the source file - DitekSHen" author = "ditekSHen" - id = "2ee4f878-1bec-5560-ac72-113b7f35d4f6" + id = "65f3827d-25c4-59bb-8555-508c3e92ed5d" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8954-L8965" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5e47fc7ed52e57aafc5eb2f1d56eb8296080218b65d70879bd75fd1a0ac58f66" + logic_hash = "5e47fc7ed52e57aafc5eb2f1d56eb8296080218b65d70879bd75fd1a0ac58f66" score = 75 quality = 75 tags = "FILE" 
@@ -239357,13 +239843,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_0Bc777F88Ddf5F3Ce479452F : FILE meta: description = "No description has been set in the source file - DitekSHen" author = "ditekSHen" - id = "0f4711d4-4187-52d2-937d-3f20dfa9b430" + id = "da891fe8-fe9f-53f8-836c-161d13fd5382" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8967-L8978" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_988fd5e652910f7b4388fe5bed91195261ff95d84cc7e53a389432577a114baa" + logic_hash = "988fd5e652910f7b4388fe5bed91195261ff95d84cc7e53a389432577a114baa" score = 75 quality = 75 tags = "FILE" @@ -239380,13 +239866,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_691Ed2236Cca78D180F29Dfd : FILE meta: description = "No description has been set in the source file - DitekSHen" author = "ditekSHen" - id = "8cabc7fd-e9c0-5e6c-be48-2da6dc371983" + id = "f889f1a6-070d-505e-aaa6-0d454f52a876" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8980-L8991" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_94e7c3aea1fca253395eae398176dc9875ca1f1c13002063b5eda8ffb4ad973f" + logic_hash = "94e7c3aea1fca253395eae398176dc9875ca1f1c13002063b5eda8ffb4ad973f" score = 75 quality = 75 tags = "FILE" 
@@ -239403,13 +239889,13 @@ rule DITEKSHEN_INDICATOR_KB_CERT_3B0E3879266F3Bc98225B390 : FILE meta: description = "No description has been set in the source file - DitekSHen" author = "ditekSHen" - id = "2e37f1ab-1ba9-5ac7-9888-e9864a80cefd" + id = "0b85d4be-678a-51a1-acbc-3e7b94bec804" date = "2024-10-04" modified = "2024-10-04" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_certs.yar#L8993-L9004" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2d480534c046e38fe90ee01dc0fa9abf1ade15f879c3770f3df54c6e2c2e1552" + logic_hash = "2d480534c046e38fe90ee01dc0fa9abf1ade15f879c3770f3df54c6e2c2e1552" score = 75 quality = 75 tags = "FILE" @@ -239426,13 +239912,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Reflectiveloader : FILE meta: description = "Detects Reflective DLL injection artifacts" author = "ditekSHen" - id = "3d4c866d-2d39-56cf-afa4-1a31852e9b55" + id = "b7bd9184-48f8-5ad8-a234-632e4ec9814d" date = "2024-06-08" modified = "2024-06-08" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L29-L43" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_540a48f98652c84b09f1076c2e2fca680781f533c936d602809179469a850ba0" + logic_hash = "540a48f98652c84b09f1076c2e2fca680781f533c936d602809179469a850ba0" score = 40 quality = 45 tags = "FILE" 
@@ -239450,13 +239936,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_IMG_Embedded_Archive : FILE meta: description = "Detects images embedding archives. Observed in TheRat RAT." author = "ditekSHen" - id = "30ae6066-7690-59e0-b645-676322b201db" + id = "2c8e15dc-2e84-5f9b-b538-cba204a3d38c" date = "2024-06-08" modified = "2024-06-08" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L45-L66" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0e61bc2489a54047c66a659ae2cb6df66683845676e1c02c34d9a0987ddec4bb" + logic_hash = "0e61bc2489a54047c66a659ae2cb6df66683845676e1c02c34d9a0987ddec4bb" score = 40 quality = 37 tags = "FILE" @@ -239485,13 +239971,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Uacbypass_Eventviewer : FILE meta: description = "detects Windows exceutables potentially bypassing UAC using eventvwr.exe" author = "ditekSHen" - id = "f648082e-5137-5ab4-8fb1-38eb483c56bd" + id = "e4e82d5a-a524-5fac-b14c-4e53a95f4f2c" date = "2024-06-08" modified = "2024-06-08" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L68-L77" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4b893db727ea3ef07805058e9a93664dc01590f249158d9b825cc9cece935640" + logic_hash = "4b893db727ea3ef07805058e9a93664dc01590f249158d9b825cc9cece935640" score = 40 quality = 41 tags = "FILE" 
@@ -239509,13 +239995,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Uacbypass_Cleanmgr : FILE
 meta:
 description = "detects Windows exceutables potentially bypassing UAC using cleanmgr.exe"
 author = "ditekSHen"
- id = "bd17410e-037b-5cd7-9fa4-f8c4e1774a5e"
+ id = "cebbe22d-d54d-5a1e-978a-37ddd96133b7"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L79-L88"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9b9e2789bee4f3b54384dabde028a7b6e70b3e0d66090d5141145a72df515db4"
+ logic_hash = "9b9e2789bee4f3b54384dabde028a7b6e70b3e0d66090d5141145a72df515db4"
 score = 40
 quality = 41
 tags = "FILE"
@@ -239533,13 +240019,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Enable_Officemacro : FILE
 meta:
 description = "Detects Windows executables referencing Office macro registry keys. Observed modifying Office configurations via the registy to enable macros"
 author = "ditekSHen"
- id = "adc9dcdb-24b8-5f5c-b8a0-712461248ad0"
+ id = "2cd26bc8-33c7-5628-982f-dc59ce158082"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L90-L108"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_18f66cff1fe2ab32366bf385bfe08f4895071c83e26812709eeb334857754c0f"
+ logic_hash = "18f66cff1fe2ab32366bf385bfe08f4895071c83e26812709eeb334857754c0f"
 score = 40
 quality = 39
 tags = "FILE"
@@ -239564,13 +240050,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Disable_Officeprotectedview : FILE
 meta:
 description = "Detects Windows executables referencing Office ProtectedView registry keys. Observed modifying Office configurations via the registy to disable ProtectedView"
 author = "ditekSHen"
- id = "249714e9-0764-58d6-a0e7-61c489eac15a"
+ id = "fed81219-d141-5fbf-a7b6-518e3d4de6f6"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L110-L128"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_14b2c19ec1f1ade9285f9e73a8779865c1e09d5ad1df2e0469b5f4a5eb278110"
+ logic_hash = "14b2c19ec1f1ade9285f9e73a8779865c1e09d5ad1df2e0469b5f4a5eb278110"
 score = 40
 quality = 39
 tags = "FILE"
@@ -239595,13 +240081,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Sandboxproductid : FILE
 meta:
 description = "Detects binaries and memory artifacts referencing sandbox product IDs"
 author = "ditekSHen"
- id = "11b0d6cb-cdd1-5b2b-a185-2e972ceb10b1"
+ id = "5af0ace7-6ffb-5695-94c5-d8172d326662"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L130-L149"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3a047ef7e70956e1c2222bde47036d7fff6d98cd8a5df81ea85584a3b5006d4a"
+ logic_hash = "3a047ef7e70956e1c2222bde47036d7fff6d98cd8a5df81ea85584a3b5006d4a"
 score = 40
 quality = 45
 tags = "FILE"
@@ -239629,13 +240115,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_AHK_Downloader : FILE
 meta:
 description = "Detects AutoHotKey binaries acting as second stage droppers"
 author = "ditekSHen"
- id = "2b907699-ea3b-5e04-afb8-c56963004d3c"
+ id = "ac8320ed-a9e1-5660-a50f-ec010ac162a6"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L184-L196"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8806d8c03adb4ea4cd9b806f8f8c21e561b39b5602c70d09ed193e35e1502d35"
+ logic_hash = "8806d8c03adb4ea4cd9b806f8f8c21e561b39b5602c70d09ed193e35e1502d35"
 score = 40
 quality = 45
 tags = "FILE"
@@ -239656,13 +240142,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Uacbypass_CMSTPCOM : T1218 FILE
 meta:
 description = "Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)"
 author = "ditekSHen"
- id = "e6d7c077-9032-507a-ae46-e13d1b05c9d8"
+ id = "cdcf6e29-6ee7-5ac7-bd52-c8d42f3f8bf6"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L198-L213"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d198db97901475c0dd10603875fc339d8a7c6d40c7f9c22cda31bb0b1d6d0f2a"
+ logic_hash = "d198db97901475c0dd10603875fc339d8a7c6d40c7f9c22cda31bb0b1d6d0f2a"
 score = 40
 quality = 39
 tags = "T1218, FILE"
@@ -239683,13 +240169,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store : FIL
 meta:
 description = "Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers"
 author = "ditekSHen"
- id = "fff47c35-deaf-53d7-a60a-4e87ca7392ea"
+ id = "07223564-bf4f-5fcd-ad3d-b67eb3baea8e"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L345-L359"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5350f79b01e8e8ae9e0607aa02965cd9ccc52c59a901abcb51e401476cb0fa3a"
+ logic_hash = "5350f79b01e8e8ae9e0607aa02965cd9ccc52c59a901abcb51e401476cb0fa3a"
 score = 40
 quality = 31
 tags = "FILE"
@@ -239712,13 +240198,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients : FILE
 meta:
 description = "Detects executables referencing many file transfer clients. Observed in information stealers"
 author = "ditekSHen"
- id = "2e9da5c0-e7b7-5c06-904d-ee347ab6dd83"
+ id = "0967c8d6-fc80-5341-9974-c6f16f024c2c"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L418-L472"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_49daece8c3da43b3dba26ab6f71fa5c27d3a6ab2c0427b3d2613c1feb25458de"
+ logic_hash = "49daece8c3da43b3dba26ab6f71fa5c27d3a6ab2c0427b3d2613c1feb25458de"
 score = 40
 quality = 20
 tags = "FILE"
@@ -239781,13 +240267,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Usndeletejournal : FILE
 meta:
 description = "Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware"
 author = "ditekSHen"
- id = "dc8be150-f2a0-5768-96c7-ceba3f467d90"
+ id = "eafc7ed9-d0e7-562d-8215-6f3feddee27a"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L612-L628"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1920fc2bc8c3628016bb91403960f5fbb101b5822f553c1f28d9502841a9832c"
+ logic_hash = "1920fc2bc8c3628016bb91403960f5fbb101b5822f553c1f28d9502841a9832c"
 score = 40
 quality = 35
 tags = "FILE"
@@ -239812,13 +240298,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Geninfostealer : FILE
 meta:
 description = "Detects executables containing common artifacts observed in infostealers"
 author = "ditekSHen"
- id = "0063a170-c781-5093-a73b-4bce6426c92f"
+ id = "531d8f7f-dee5-5d05-9293-f1ab5d5ac780"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L630-L657"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f9e6f6b470e010d362db55fcf563f85a3a408ef8331c04a157f2676442b63b1a"
+ logic_hash = "f9e6f6b470e010d362db55fcf563f85a3a408ef8331c04a157f2676442b63b1a"
 score = 40
 quality = 31
 tags = "FILE"
@@ -239854,13 +240340,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_PWSH_Asciiencoding_Pattern : FILE
 meta:
 description = "Detects PowerShell scripts containing ASCII encoded files"
 author = "ditekSHen"
- id = "ea0c02fe-cb13-511c-8330-0a86f5e2fcaf"
+ id = "df96d801-1a14-58af-b245-3a4a6ccf22c6"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L710-L724"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_037ce50a6c6d2bf25163e658c5a8c18950715a52fcdf47162fcd288306acbf9c"
+ logic_hash = "037ce50a6c6d2bf25163e658c5a8c18950715a52fcdf47162fcd288306acbf9c"
 score = 40
 quality = 45
 tags = "FILE"
@@ -239883,13 +240369,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_JS_Hex_B64Encoded_EXE : FILE
 meta:
 description = "Detects JavaScript files hex and base64 encoded executables"
 author = "ditekSHen"
- id = "8e77ccb7-882f-5a99-af60-24baf871d42a"
+ id = "37516c6b-0a77-5a20-a36f-5f8309b37362"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L726-L740"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_60185e6ec96875085ffb7a6bf6eb8643368bbce42b89290ab987eb32c1e153bd"
+ logic_hash = "60185e6ec96875085ffb7a6bf6eb8643368bbce42b89290ab987eb32c1e153bd"
 score = 40
 quality = 20
 tags = "FILE"
@@ -239912,13 +240398,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_WMIC_Downloader : FILE
 meta:
 description = "Detects files utilizing WMIC for whitelisting bypass and downloading second stage payloads"
 author = "ditekSHen"
- id = "37a67fc9-6574-542e-829d-e564e17a7a2c"
+ id = "bdd6deeb-9d43-55ef-9264-652044ba6938"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L765-L776"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0c665f77659b57770f726297b64780764235ba0e72730c985eea62c116fe97e7"
+ logic_hash = "0c665f77659b57770f726297b64780764235ba0e72730c985eea62c116fe97e7"
 score = 40
 quality = 45
 tags = "FILE"
@@ -239938,13 +240424,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_AMSI_Bypass : FILE
 meta:
 description = "Detects AMSI bypass pattern"
 author = "ditekSHen"
- id = "308f21d0-099d-5cec-b076-13c90295ef5c"
+ id = "cdb457b3-1f41-5f58-a482-a00d269c1293"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L778-L791"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b398c20a0e7b2dff5fab87575c555b657749d7c3b3e8f1a0f99db7e8f669e3ce"
+ logic_hash = "b398c20a0e7b2dff5fab87575c555b657749d7c3b3e8f1a0f99db7e8f669e3ce"
 score = 40
 quality = 45
 tags = "FILE"
@@ -239966,13 +240452,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_PE_Resourcetuner : FILE
 meta:
 description = "Detects executables with modified PE resources using the unpaid version of Resource Tuner"
 author = "ditekSHen"
- id = "ab7e8215-9c45-5b99-8505-85557d1c40f2"
+ id = "2ada52b4-de9e-5b66-a05e-da894ca79e48"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L793-L801"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_25959ba2f974ecdcda624b4b34cd8dac0336af0dd7c88d2e3b17ec94d58b87b8"
+ logic_hash = "25959ba2f974ecdcda624b4b34cd8dac0336af0dd7c88d2e3b17ec94d58b87b8"
 score = 40
 quality = 45
 tags = "FILE"
@@ -239989,13 +240475,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_References_Sectools_B64Encoded : FILE
 meta:
 description = "Detects executables referencing many base64-encoded IR and analysis tools names"
 author = "ditekSHen"
- id = "d9ff43e5-8cec-59cc-ab4e-0434c1bdf95a"
+ id = "2d3c994a-5b7c-52c5-a4a1-e67a773b692b"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L897-L941"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_20f889c9c50e8c5e55fd7ebe508015b1e72e6f7ef1b410e5e707d554fb8e8588"
+ logic_hash = "20f889c9c50e8c5e55fd7ebe508015b1e72e6f7ef1b410e5e707d554fb8e8588"
 score = 40
 quality = 43
 tags = "FILE"
@@ -240048,13 +240534,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_References_Sandbox_Artifacts : FILE
 meta:
 description = "Detects executables referencing sandbox artifacts"
 author = "ditekSHen"
- id = "bc1511a7-cc10-55fc-b978-b863ef97eeee"
+ id = "2c0e4d38-8d68-5cd2-9f9e-e56f372b67cf"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L943-L976"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3d4a356191ec914eba86e78d3823dd1dc2d18f17074abb9986f3337169821bc6"
+ logic_hash = "3d4a356191ec914eba86e78d3823dd1dc2d18f17074abb9986f3337169821bc6"
 score = 40
 quality = 43
 tags = "FILE"
@@ -240096,13 +240582,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File : FILE
 meta:
 description = "Detects executables containing bas64 encoded gzip files"
 author = "ditekSHen"
- id = "7dc79522-0104-59c7-a9bb-9bc7b05ec189"
+ id = "e50f8560-d53b-5388-b94d-d104b7c064f2"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L978-L987"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_431e5a45bf8ed5874b330419675b3d43eb6a563c42873730e823cdd7d6efba97"
+ logic_hash = "431e5a45bf8ed5874b330419675b3d43eb6a563c42873730e823cdd7d6efba97"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240120,13 +240606,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_PWSH_Passwordcredential_Retrievepassword
 meta:
 description = "Detects PowerShell content designed to retrieve passwords from host"
 author = "ditekSHen"
- id = "29016310-cefe-57bc-80eb-c7193d3c9318"
+ id = "b34599ab-b874-5ea5-990d-bc7593bb08b5"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1048-L1058"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f09320d9c4734579a535c7fee993fa076974b13ffd25e0d9ab02bc09663595f8"
+ logic_hash = "f09320d9c4734579a535c7fee993fa076974b13ffd25e0d9ab02bc09663595f8"
 score = 40
 quality = 39
 tags = ""
@@ -240145,13 +240631,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Uacbypass_Envvarscheduledtasks
 meta:
 description = "detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks"
 author = "ditekSHen"
- id = "44267803-1ec9-56f7-b6c6-7f31b10e2d62"
+ id = "14244310-e524-54bf-8822-9b953378bb75"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1070-L1081"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dacca794aefd66526535a87c8890c0ad65550ff88bc0242f05c84c9452a31fe2"
+ logic_hash = "dacca794aefd66526535a87c8890c0ad65550ff88bc0242f05c84c9452a31fe2"
 score = 40
 quality = 45
 tags = ""
@@ -240171,13 +240657,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Uacbypass_Fodhelper
 meta:
 description = "detects Windows exceutables potentially bypassing UAC using fodhelper.exe"
 author = "ditekSHen"
- id = "22ed4fb7-9bb5-5c31-8d51-3a1693fab90b"
+ id = "0651e428-a2ef-508d-ad89-c68ac758808f"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1083-L1094"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ec41ca2185732e418825f7c32095dea361a53e586e498baf4c17eaaf9602ba5e"
+ logic_hash = "ec41ca2185732e418825f7c32095dea361a53e586e498baf4c17eaaf9602ba5e"
 score = 40
 quality = 43
 tags = ""
@@ -240197,13 +240683,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Finger_Download_Pattern
 meta:
 description = "Detects files embedding and abusing the finger command for download"
 author = "ditekSHen"
- id = "812a9d3a-46b4-558d-89a4-1045a3efe03c"
+ id = "6647b410-c8f0-596b-95d7-dbc6a951a83f"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1108-L1118"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_04cbb1abc4c3d2990bae798ece052eb8aa1b5104b5712e98aeb80731316b9c57"
+ logic_hash = "04cbb1abc4c3d2990bae798ece052eb8aa1b5104b5712e98aeb80731316b9c57"
 score = 40
 quality = 45
 tags = ""
@@ -240222,13 +240708,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Uacbypass_CMSTPCMD : FILE
 meta:
 description = "Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF"
 author = "ditekSHen"
- id = "8296afa8-b247-5b85-a01d-6379d4ddd5df"
+ id = "7bad57dc-ee8b-559d-8b17-af44c5bdf35b"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1120-L1133"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4cb92224d5a520dbd42d00d053aba3da21a49fda9391e5a462fd292d2e87e884"
+ logic_hash = "4cb92224d5a520dbd42d00d053aba3da21a49fda9391e5a462fd292d2e87e884"
 score = 40
 quality = 41
 tags = "FILE"
@@ -240250,13 +240736,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_JS_WMI_Execquery
 meta:
 description = "Detects JS potentially executing WMI queries"
 author = "ditekSHen"
- id = "a7389187-ed77-57c4-9ef1-af55c27c2024"
+ id = "28f37b24-8bf3-5f5c-af47-dc6da5f6397a"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1135-L1147"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e5145aa3a7ce54cda84929f6806a1d7b1cb37db729bb932c5c76994fb683250e"
+ logic_hash = "e5145aa3a7ce54cda84929f6806a1d7b1cb37db729bb932c5c76994fb683250e"
 score = 40
 quality = 45
 tags = ""
@@ -240277,13 +240763,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_XML_Liverpool_Downlaoder_Userconfig : FILE
 meta:
 description = "Detects XML files associated with 'Liverpool' downloader containing encoded executables"
 author = "ditekSHen"
- id = "67d21c0a-ef37-5243-8cd6-40be143f0db3"
+ id = "b5840af5-a285-53f4-bac7-07821e740089"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1227-L1236"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8140c29eb54d8c8786b268d5241fcd221a5fb95433bc1038a7f23295afe8c9b8"
+ logic_hash = "8140c29eb54d8c8786b268d5241fcd221a5fb95433bc1038a7f23295afe8c9b8"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240301,13 +240787,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_B64_Encoded_Useragent : FILE
 meta:
 description = "Detects executables containing base64 encoded User Agent"
 author = "ditekSHen"
- id = "22bdf355-203e-59e9-b440-bbb0901a62a7"
+ id = "e6a6eba2-587f-5b6b-b23d-4e4aa5289d1d"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1238-L1247"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ee06d3d9f2f7a294ce0f117d5838fe86ae77f98da0ba30551b0b42811227b1bd"
+ logic_hash = "ee06d3d9f2f7a294ce0f117d5838fe86ae77f98da0ba30551b0b42811227b1bd"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240325,13 +240811,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Winddefender_Antiemaulation : FILE
 meta:
 description = "Detects executables containing potential Windows Defender anti-emulation checks"
 author = "ditekSHen"
- id = "3fe9aad7-0494-5355-9338-7ba53a766639"
+ id = "e7dca0e6-060b-5394-afc5-b3705a51d934"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1249-L1258"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_76f8a532a59c2a7fcd45d9f9aed3ea2020889228c81410445728f42b6b9d891e"
+ logic_hash = "76f8a532a59c2a7fcd45d9f9aed3ea2020889228c81410445728f42b6b9d891e"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240349,13 +240835,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Attrib : FILE
 meta:
 description = "Detects executables using attrib with suspicious attributes attributes"
 author = "ditekSHen"
- id = "97372b53-f2c0-5f7a-94d3-8fffe5167b61"
+ id = "69925f45-b8a9-516c-857c-7a687b32e0c6"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1260-L1268"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2d26581037a34f32b3e3aa6df5570f0de0b9e070cbe6190318a99c6f147250d8"
+ logic_hash = "2d26581037a34f32b3e3aa6df5570f0de0b9e070cbe6190318a99c6f147250d8"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240372,13 +240858,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Clearmytracksbyprocess : FILE
 meta:
 description = "Detects executables calling ClearMyTracksByProcess"
 author = "ditekSHen"
- id = "86f2e783-35cf-5cca-9149-df9ca89beb91"
+ id = "d548cf61-ffb7-5a21-9b76-246f8ffb6ad4"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1270-L1278"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_970bdf2cfebc5196204087de134b9d2f032d8074cacbb3b9cc2c859aab3a95fc"
+ logic_hash = "970bdf2cfebc5196204087de134b9d2f032d8074cacbb3b9cc2c859aab3a95fc"
 score = 40
 quality = 43
 tags = "FILE"
@@ -240395,13 +240881,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Dotnetprochook : FILE
 meta:
 description = "Detects executables with potential process hoocking"
 author = "ditekSHen"
- id = "ad3890ef-6991-5913-ba81-aab7eb3a8cdb"
+ id = "1c32c7ee-0ac6-50ae-892e-73f46902115d"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1280-L1291"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e01147886444f8080b7cf7b423dc70b4b08fae6b88a8875eb075530fdb9f7909"
+ logic_hash = "e01147886444f8080b7cf7b423dc70b4b08fae6b88a8875eb075530fdb9f7909"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240421,13 +240907,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Telegramchatbot : FILE
 meta:
 description = "Detects executables using Telegram Chat Bot"
 author = "ditekSHen"
- id = "753ae9c6-f833-5540-942a-75b0ce1be023"
+ id = "bcee52fe-495a-5ea1-bcd9-78b57c992752"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1293-L1308"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_40374d9dda3d1896906f342725425860e83fbe6b5b0ac656a7035094e36340c0"
+ logic_hash = "40374d9dda3d1896906f342725425860e83fbe6b5b0ac656a7035094e36340c0"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240451,13 +240937,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_B64_Artifacts : FILE
 meta:
 description = "Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc."
 author = "ditekSHen"
- id = "946e27d4-d350-5c47-ae52-1b11da9365e0"
+ id = "b76ba291-6af5-5800-a280-c04c84cc3f29"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1310-L1321"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_35a7a9c0722d8bd174b272c659e62db3e9f41483dc3a9bf5f339b9066ed06c57"
+ logic_hash = "35a7a9c0722d8bd174b272c659e62db3e9f41483dc3a9bf5f339b9066ed06c57"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240477,13 +240963,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Discordurl : FILE
 meta:
 description = "Detects executables Discord URL observed in first stage droppers"
 author = "ditekSHen"
- id = "dd0e8800-9b3b-5ca5-8f70-7074c7d559f4"
+ id = "d7221bb4-48c5-5d80-ace1-95cf25fb585d"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1323-L1338"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7f600215268147f8e18f2b4eb6b2e9ba6dd44ab5603a140d3e1b2bb16ebb29c4"
+ logic_hash = "7f600215268147f8e18f2b4eb6b2e9ba6dd44ab5603a140d3e1b2bb16ebb29c4"
 score = 40
 quality = 37
 tags = "FILE"
@@ -240507,13 +240993,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Regkeycomb_Disablewindefender : FILE
 meta:
 description = "Detects executables embedding registry key / value combination indicative of disabling Windows Defender features"
 author = "ditekSHen"
- id = "e1cfc4b9-aa1d-5dc3-bb29-6f69d4dc9633"
+ id = "74c82d78-bdb3-54af-b04a-20d66ff123d7"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1448-L1470"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5a33052ded0823a8528590bd0da0023024db174f6f6a0766284c3195f5d3d41f"
+ logic_hash = "5a33052ded0823a8528590bd0da0023024db174f6f6a0766284c3195f5d3d41f"
 score = 40
 quality = 33
 tags = "FILE"
@@ -240544,13 +241030,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Regkeycomb_Iexecutecommandcom : FILE
 meta:
 description = "Detects executables embedding command execution via IExecuteCommand COM object"
 author = "ditekSHen"
- id = "3bfe4ba3-ccdc-5928-a3ed-403bdf0ce44b"
+ id = "4bc7e6aa-1771-5c33-bc62-71072dec04cb"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1472-L1486"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_269109f96f3fca5eacc19664b7b0c7f970131db29c47bfe1e9e67e56604bf1c1"
+ logic_hash = "269109f96f3fca5eacc19664b7b0c7f970131db29c47bfe1e9e67e56604bf1c1"
 score = 40
 quality = 43
 tags = "FILE"
@@ -240573,13 +241059,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_WMI_Enumeratevideodevice : FILE
 meta:
 description = "Detects executables attemping to enumerate video devices using WMI"
 author = "ditekSHen"
- id = "a66202bc-a7c0-5e67-ae78-3941a4433bc7"
+ id = "6d4ede5e-4ec5-5753-bd50-8e129ac532a4"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1488-L1502"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8ef63d7a569ee1530a23d151ee394969f4b3b6bac28ed571f48e3f97b87d020a"
+ logic_hash = "8ef63d7a569ee1530a23d151ee394969f4b3b6bac28ed571f48e3f97b87d020a"
 score = 40
 quality = 41
 tags = "FILE"
@@ -240602,13 +241088,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Dcratby : FILE
 meta:
 description = "Detects executables containing the string DcRatBy"
 author = "ditekSHen"
- id = "08bb7153-a258-55ea-a110-58a853302850"
+ id = "d8408cc0-0245-59b7-9134-1f4edd811df7"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1504-L1512"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1a0f863fb71c84a9a01c3f07da0fdff9ea06b061f85532ac523d6a5d1e0e1e11"
+ logic_hash = "1a0f863fb71c84a9a01c3f07da0fdff9ea06b061f85532ac523d6a5d1e0e1e11"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240625,13 +241111,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Anti_Winjail : FILE
 meta:
 description = "Detects executables potentially checking for WinJail sandbox window"
 author = "ditekSHen"
- id = "98a3069a-7f7e-5de5-8d29-3df71dfcb0e4"
+ id = "f3a3d099-7659-50aa-8dca-3a2b1c18c3b5"
 date = "2024-06-08"
 modified = "2024-06-08"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1514-L1522"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ae8080dad4481b6a2e295c29d3ed24e86da83575e1a5aeda8b1317e6caa74707"
+ logic_hash = "ae8080dad4481b6a2e295c29d3ed24e86da83575e1a5aeda8b1317e6caa74707"
 score = 40
 quality = 45
 tags = "FILE"
@@ -240648,13 +241134,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Anti_Oldcopypaste : FILE
meta:
description = "Detects executables potentially checking for WinJail sandbox window"
author = "ditekSHen"
- id = "5d6f0f68-9c66-545f-bd1b-fcd8e2611d27"
+ id = "10a70ad3-c37e-5522-ae3f-3f85f89f9394"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1524-L1543"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_084a1613eaf1df4cd54c44e4389b9edc1c44b4b947a8c4416cb7cbdabc186747"
+ logic_hash = "084a1613eaf1df4cd54c44e4389b9edc1c44b4b947a8c4416cb7cbdabc186747"
score = 40
quality = 45
tags = "FILE"
@@ -240682,13 +241168,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Go_Golazagne : FILE
meta:
description = "Detects Go executables using GoLazagne"
author = "ditekSHen"
- id = "1ffbacc0-e55e-50b8-895f-a5089b049026"
+ id = "3b54892d-8015-518c-af0b-03ddd65478f6"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1545-L1554"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9618f8a6eb9a5db01b7a58a469309220b1e22afe928006d642e5404380f312f1"
+ logic_hash = "9618f8a6eb9a5db01b7a58a469309220b1e22afe928006d642e5404380f312f1"
score = 40
quality = 45
tags = "FILE"
@@ -240706,13 +241192,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_CSPROJ : FILE
meta:
description = "Detects suspicious .CSPROJ files then compiled with msbuild"
author = "ditekSHen"
- id = "813e98e9-3382-5c4e-aecd-c2281289f732"
+ id = "99f9fbd0-9435-511a-b9f5-7ea11e655b79"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1556-L1568"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e41c82ab0da47192463f76192ea7748dfcf59193475871daf1a7a4ff2fda4d52"
+ logic_hash = "e41c82ab0da47192463f76192ea7748dfcf59193475871daf1a7a4ff2fda4d52"
score = 40
quality = 45
tags = "FILE"
@@ -240733,13 +241219,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Sandbox_Evasion_Filescomb : FILE
meta:
description = "Detects executables referencing specific set of files observed in sandob anti-evation, and Emotet"
author = "ditekSHen"
- id = "81af980c-654e-5705-b8cb-9b35cb8811fc"
+ id = "04108277-03ac-5479-ac9f-0c7377dc70b8"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1694-L1711"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d9f235e212e75cef51e3321f49968c75523304dc94a2b7cf3965c9f88d039b43"
+ logic_hash = "d9f235e212e75cef51e3321f49968c75523304dc94a2b7cf3965c9f88d039b43"
score = 40
quality = 23
tags = "FILE"
@@ -240765,13 +241251,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_VM_Evasion_Virtdrvcomb : FILE
meta:
description = "Detects executables referencing combination of virtualization drivers"
author = "ditekSHen"
- id = "707948e8-5d0d-54ac-b671-d24bd4fabffc"
+ id = "88f271d5-07a3-5ca6-9536-4f68bccf49bc"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1713-L1757"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a7bbd05e17b8a111b841ed2a86b4794cde8972a673acf331d800029e54d8f602"
+ logic_hash = "a7bbd05e17b8a111b841ed2a86b4794cde8972a673acf331d800029e54d8f602"
score = 40
quality = 43
tags = "FILE"
@@ -240819,13 +241305,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Nonewindowsua : FILE
meta:
description = "Detects Windows executables referencing non-Windows User-Agents"
author = "ditekSHen"
- id = "c444f12c-7eca-5998-8641-7b5cc332f1cc"
+ id = "3bf62a67-4c21-5bcc-a356-424e798141f1"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1759-L1784"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fb65643fd93ce4dbec0f98259b3dacda748a3f62f71258726073fdb3e354ab42"
+ logic_hash = "fb65643fd93ce4dbec0f98259b3dacda748a3f62f71258726073fdb3e354ab42"
score = 40
quality = 45
tags = "FILE"
@@ -240858,13 +241344,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Toomanywindowsua : FILE
meta:
description = "Detects executables referencing many varying, potentially fake Windows User-Agents"
author = "ditekSHen"
- id = "ad8ce5b7-7b74-5888-909e-117655a84390"
+ id = "28dba61e-b2da-5708-b82f-a139d0929a7d"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1786-L1810"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a79ea9b8471148176c210fe834e7b2f0549291956489e2853235a75ea3e4e1db"
+ logic_hash = "a79ea9b8471148176c210fe834e7b2f0549291956489e2853235a75ea3e4e1db"
score = 40
quality = 45
tags = "FILE"
@@ -240897,13 +241383,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_VM_Evasion_Macaddrcomb : FILE
meta:
description = "Detects executables referencing virtualization MAC addresses"
author = "ditekSHen"
- id = "075d6aa0-1cc4-5037-a7a9-00ffa73b0db9"
+ id = "7e399d31-090a-57f7-89fa-0a2c4e563283"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1812-L1827"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_53a87bffc327c38545d9f213834726af9a1fbe86f273e189dc355567e6a671bf"
+ logic_hash = "53a87bffc327c38545d9f213834726af9a1fbe86f273e189dc355567e6a671bf"
score = 40
quality = 29
tags = "FILE"
@@ -240927,13 +241413,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Discord_Regex : FILE
meta:
description = "Detects executables referencing Discord tokens regular expressions"
author = "ditekSHen"
- id = "88be8fc0-ae75-569d-9aee-597a986b41c7"
+ id = "4c508cae-bb25-549b-8f35-a6a22928a9a3"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1890-L1898"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b6be1dd8e25311442a59ee2afbd99f6e9663dd06919c07269b76238af0bbd5f2"
+ logic_hash = "b6be1dd8e25311442a59ee2afbd99f6e9663dd06919c07269b76238af0bbd5f2"
score = 40
quality = 43
tags = "FILE"
@@ -240950,13 +241436,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_References_VPN : FILE
meta:
description = "Detects executables referencing many VPN software clients. Observed in infosteslers"
author = "ditekSHen"
- id = "8239f3a0-af57-5d01-887a-7f770cc9649f"
+ id = "301977a8-0619-50a2-a718-78ff9e039e65"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1900-L1914"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5bef727d3c6fa7ea01c16e7b1fdf146b4cef58c06189bf8540bbfe7915790578"
+ logic_hash = "5bef727d3c6fa7ea01c16e7b1fdf146b4cef58c06189bf8540bbfe7915790578"
score = 40
quality = 31
tags = "FILE"
@@ -240979,13 +241465,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Vaultschemaguid : FILE
meta:
description = "Detects executables referencing Windows vault credential objects. Observed in infostealers"
author = "ditekSHen"
- id = "529f4cd2-7c70-52b9-9218-344558a4df64"
+ id = "440ac8a8-19c9-5284-a8e2-e0f2e8892a5e"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1930-L1953"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_121a51bbb749cc86d50fd5f79d7a24fbbb3e589e2fb25c553764a16202ff4065"
+ logic_hash = "121a51bbb749cc86d50fd5f79d7a24fbbb3e589e2fb25c553764a16202ff4065"
score = 40
quality = 45
tags = "FILE"
@@ -241009,13 +241495,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Antivm_UNK01 : FILE
meta:
description = "Detects memory artifacts referencing specific combination of anti-VM checks"
author = "ditekSHen"
- id = "f6f94144-6faa-50c9-8367-2e76ff475728"
+ id = "57344ff4-5204-535a-a128-0f9f7eb7c760"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1955-L1977"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c34b23e26df0d33d60cf87e406dfbc90f9fd6df0da4415b6622d477cf38bc024"
+ logic_hash = "c34b23e26df0d33d60cf87e406dfbc90f9fd6df0da4415b6622d477cf38bc024"
score = 40
quality = 45
tags = "FILE"
@@ -241046,13 +241532,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Antivm_WMIC : FILE
meta:
description = "Detects memory artifacts referencing WMIC commands for anti-VM checks"
author = "ditekSHen"
- id = "a5b7ef6e-4431-5dfd-9e97-f8deba1ca56a"
+ id = "f7166171-15b7-5e11-bbec-355764e58caa"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1979-L1989"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2c26ea8b008bf9cb4d8e24c909a3c6f5d67783b483747268f949fadc3fa72532"
+ logic_hash = "2c26ea8b008bf9cb4d8e24c909a3c6f5d67783b483747268f949fadc3fa72532"
score = 40
quality = 39
tags = "FILE"
@@ -241071,13 +241557,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Enablesmbv1 : FILE
meta:
description = "Detects binaries with PowerShell command enabling SMBv1"
author = "ditekSHen"
- id = "64997f2d-c8cd-53d6-8b61-84ad16b4c0ac"
+ id = "cb3b43f3-8f45-5e4e-8e5e-9bfb89e842d3"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L1991-L1999"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_68eb41d843b39e784d99153607c1deecdb5258cdbf641e2dd177c364847d85b1"
+ logic_hash = "68eb41d843b39e784d99153607c1deecdb5258cdbf641e2dd177c364847d85b1"
score = 40
quality = 43
tags = "FILE"
@@ -241094,13 +241580,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Enablenetworkdiscovery : FILE
meta:
description = "Detects binaries manipulating Windows firewall to enable permissive network discovery"
author = "ditekSHen"
- id = "a03c5c52-898b-54fd-9ff1-4e9de44e3b44"
+ id = "b1203e7a-b4f3-587e-aaea-a4cccaedc07d"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2001-L2010"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6c28a33849d1c6c72b65926a81e96f0e3f5b9bb0a48739bf4240a16f6a10dcea"
+ logic_hash = "6c28a33849d1c6c72b65926a81e96f0e3f5b9bb0a48739bf4240a16f6a10dcea"
score = 40
quality = 41
tags = "FILE"
@@ -241118,13 +241604,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_References_Authapps : FILE
meta:
description = "Detects executables referencing many authentication apps. Observed in information stealers"
author = "ditekSHen"
- id = "a2e7bd7b-d794-5cac-9595-0a8a0f868067"
+ id = "b2c1307d-ac4a-567f-ab14-7c65e16d984e"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2012-L2021"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9c730ba532dca023821fd9073bffeecf099a2a956b7715421bd0b4e5e5d4b2cf"
+ logic_hash = "9c730ba532dca023821fd9073bffeecf099a2a956b7715421bd0b4e5e5d4b2cf"
score = 40
quality = 41
tags = "FILE"
@@ -241142,13 +241628,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Undocumented_Winapi_Kerberos : FILE
meta:
description = "Detects executables referencing undocumented kerberos Windows APIs and obsereved in malware"
author = "ditekSHen"
- id = "1f31938f-0cf5-54f6-9da7-1c36c8c41823"
+ id = "1eb7faab-66b8-5d98-b6a8-75a078c2f6f8"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2054-L2068"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_19f22dcbc63723624d92be22cd69dcbab03a0b46299d43bc50ba73c79e573596"
+ logic_hash = "19f22dcbc63723624d92be22cd69dcbab03a0b46299d43bc50ba73c79e573596"
score = 40
quality = 35
tags = "FILE"
@@ -241167,13 +241653,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_NKN_BCP2P : FILE
meta:
description = "Detects executables referencing NKN Blockchain P2P network"
author = "ditekSHen"
- id = "b8799f1c-ec63-5be0-83b7-69d13bb2e9c3"
+ id = "21aa4034-8c8f-515e-b8a4-4ce32ad816a6"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2070-L2086"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_98161fcac130ba758bd9f8c4bc7133b9ba862df61dd86ad7d0ecbb0f18813a5e"
+ logic_hash = "98161fcac130ba758bd9f8c4bc7133b9ba862df61dd86ad7d0ecbb0f18813a5e"
score = 40
quality = 45
tags = "FILE"
@@ -241198,13 +241684,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_References_Passwordmanagers : FILE
meta:
description = "Detects executables referencing many Password Manager software clients. Observed in infostealers"
author = "ditekSHen"
- id = "834d8506-fd22-5bae-bdd6-5dd17167c6b5"
+ id = "4da7bf22-fdd7-53b7-bdfc-da7ac5657f6f"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2088-L2099"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6d2f7739282611166a7e06d96345c46df92500b387d9f940169d5ee6664ea5ad"
+ logic_hash = "6d2f7739282611166a7e06d96345c46df92500b387d9f940169d5ee6664ea5ad"
score = 40
quality = 37
tags = "FILE"
@@ -241224,13 +241710,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Wirelessnetreccon : FILE
meta:
description = "Detects executables with interest in wireless interface using netsh"
author = "ditekSHen"
- id = "7694bcf8-357f-5b45-9a53-8ed8e8143e19"
+ id = "15515523-fe53-5512-95f3-79d0695e7da0"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2101-L2111"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a8614a8c11e3797e7d7fb7ec2c0705fafc98ce50714e48798594e6fb5bfc1789"
+ logic_hash = "a8614a8c11e3797e7d7fb7ec2c0705fafc98ce50714e48798594e6fb5bfc1789"
score = 40
quality = 39
tags = "FILE"
@@ -241249,13 +241735,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_References_Gitconfdata : FILE
meta:
description = "Detects executables referencing potentially confidential GIT artifacts. Observed in infostealer"
author = "ditekSHen"
- id = "e43f72cc-7de9-5289-ac9f-725185fa4d77"
+ id = "5462491b-f1cf-55ae-b120-ed09eb9549bc"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2113-L2125"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d8b370ea31fade4f6f4ae12903e40026d806862f6c4a7b5818e3942b6b849fd2"
+ logic_hash = "d8b370ea31fade4f6f4ae12903e40026d806862f6c4a7b5818e3942b6b849fd2"
score = 40
quality = 41
tags = "FILE"
@@ -241276,13 +241762,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Reversed : FILE
meta:
description = "Detects reversed executables. Observed N-stage drop"
author = "ditekSHen"
- id = "0819191f-8650-5006-acc8-db21809b1686"
+ id = "765b1983-8831-5f7d-9cbd-90af0cd452f7"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2127-L2135"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4d031f59b201f5c5c9b69bbbe277cc10c3b5ed8427c5c2f679fdd33c8bc41501"
+ logic_hash = "4d031f59b201f5c5c9b69bbbe277cc10c3b5ed8427c5c2f679fdd33c8bc41501"
score = 40
quality = 45
tags = "FILE"
@@ -241299,13 +241785,13 @@ rule DITEKSHEN_INDICATOR_SUSPICOUS_EXE_UNC_Regex : FILE
meta:
description = "Detects executables with considerable number of regexes often observed in infostealers"
author = "ditekSHen"
- id = "bd3fbb14-8082-5838-bcfe-7ad5b54daffc"
+ id = "968ed633-46ed-5efe-84e5-64718f89fb0a"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2279-L2308"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9201469952c2cacebbcbf6801e2c22d018f36742ffbefedc8ee4aa34f413334a"
+ logic_hash = "9201469952c2cacebbcbf6801e2c22d018f36742ffbefedc8ee4aa34f413334a"
score = 75
quality = 73
tags = "FILE"
@@ -241343,13 +241829,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Deleterecentitems : FILE
meta:
description = "Detects executables embedding anti-forensic artifacts of deleting Windows Recent Items"
author = "ditekSHen"
- id = "83d6b16d-acf1-578c-b076-89712b74a136"
+ id = "58a14ad6-8f32-54d8-b343-88629af8810b"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2310-L2321"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_01efada47910a345e7bde4e9295754aefec38355193f45c4630f55050d835cd9"
+ logic_hash = "01efada47910a345e7bde4e9295754aefec38355193f45c4630f55050d835cd9"
score = 40
quality = 37
tags = "FILE"
@@ -241369,13 +241855,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Deletewindefenderquarantinefiles : FILE
meta:
description = "Detects executables embedding anti-forensic artifacts of deleting Windows defender quarantine files"
author = "ditekSHen"
- id = "ca0b8df8-a596-5428-be8f-11467b23f308"
+ id = "a2b5c531-4e51-5c44-838b-3dffc2ed0263"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2323-L2337"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1cf82a8fb6c878cb3aaeaf36eb346b2f8038e166e8ce7b5c214769e475ae91de"
+ logic_hash = "1cf82a8fb6c878cb3aaeaf36eb346b2f8038e166e8ce7b5c214769e475ae91de"
score = 40
quality = 29
tags = "FILE"
@@ -241398,13 +241884,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Deleteshimcache : FILE
meta:
description = "Detects executables embedding anti-forensic artifacts of deleting shim cache"
author = "ditekSHen"
- id = "098aa4fe-11d9-5168-83b3-21eed77b3e12"
+ id = "32b185f2-a11e-522e-822e-7023698975f8"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2339-L2350"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4ecd9e4db082a464735e447f95175ec5b35164d42fce7be862400191c143aa23"
+ logic_hash = "4ecd9e4db082a464735e447f95175ec5b35164d42fce7be862400191c143aa23"
score = 40
quality = 37
tags = "FILE"
@@ -241424,13 +241910,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_Shredfilesteps : FILE
meta:
description = "Detects executables embedding/copying file shredding steps"
author = "ditekSHen"
- id = "45dc6433-1ec6-5718-a3b5-2dd3ede81613"
+ id = "2a4ac767-8946-5e58-9087-aa1d3a97b5d5"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2352-L2365"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9e784c1d06b232ac2de7318854a59b237aeb88d8e6670fe4ecc9f3230310088a"
+ logic_hash = "9e784c1d06b232ac2de7318854a59b237aeb88d8e6670fe4ecc9f3230310088a"
score = 40
quality = 45
tags = "FILE"
@@ -241452,13 +241938,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_PWS_Capturescreenshot
meta:
description = "Detects PowerShell script with screenshot capture capability"
author = "ditekSHen"
- id = "73273c6d-0519-5b0b-a509-86bdd9779798"
+ id = "d769936a-a81d-5052-8b1b-7bd5a73b41db"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2367-L2379"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_26e02d7dc242fb2c913b3a7c07e92c84becad62a4cdbae781bce948bfe0eb81b"
+ logic_hash = "26e02d7dc242fb2c913b3a7c07e92c84becad62a4cdbae781bce948bfe0eb81b"
score = 40
quality = 45
tags = ""
@@ -241479,13 +241965,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_PWS_Capturebrowserplugins
meta:
description = "Detects PowerShell script with browser plugins capture capability"
author = "ditekSHen"
- id = "27111039-da0f-550d-92fc-36203f40d070"
+ id = "9b1bb195-6e32-5f93-ba70-efcb21b26bb0"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2381-L2394"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ac7be8663507e96ecb224f7f09f9092069eab5967598e33c107fa341de86bc77"
+ logic_hash = "ac7be8663507e96ecb224f7f09f9092069eab5967598e33c107fa341de86bc77"
score = 40
quality = 45
tags = ""
@@ -241507,13 +241993,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_IMG_Embedded_B64_EXE : FILE
meta:
description = "Detects images with specific base64 markers and/or embedding (reversed) base64-encoded executables"
author = "ditekSHen"
- id = "e46eff3e-5caa-5cfa-8591-011d65224932"
+ id = "c620b461-5ad8-530b-a3e1-f75a9e30534e"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2396-L2413"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0fe1328aba3b30820e3885c87a93e52306bd25abc5912378a12e1213a686cd39"
+ logic_hash = "0fe1328aba3b30820e3885c87a93e52306bd25abc5912378a12e1213a686cd39"
score = 40
quality = 45
tags = "FILE"
@@ -241539,13 +242025,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_Transfersh_URL : FILE
meta:
description = "Detects files referencing the transfer.sh file sharing website"
author = "ditekSHen"
- id = "9d692ffb-353f-5a84-bd6a-dd93ad9aa033"
+ id = "15c6ba05-199d-52ba-98bf-7e8a8eda0295"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2415-L2423"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_45b16f853bcd9c492468bc478d0a7eeecd261ae47b5b00bb1e4a79788fdec7a1"
+ logic_hash = "45b16f853bcd9c492468bc478d0a7eeecd261ae47b5b00bb1e4a79788fdec7a1"
score = 40
quality = 43
tags = "FILE"
@@ -241562,13 +242048,13 @@ rule DITEKSHEN_INDICATOR_SUSPICIOUS_EXE_References_Publicserviceinterface : FILE
meta:
description = "Detect executables referencing public and free service interface testing and dev services as means of CnC"
author = "ditekSHen"
- id = "ea6d9939-1d65-5331-8886-ec5a2b8c36e3"
+ id = "f6ac752b-0afc-5834-82b4-4dbcfded2f3a"
date = "2024-06-08"
modified = "2024-06-08"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_suspicious.yar#L2450-L2461"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2a7b4fe7ddb41a7ae895a2ac8e9bb5eda61f5b86ca35575be32d65611e2d0a9e"
+ logic_hash = "2a7b4fe7ddb41a7ae895a2ac8e9bb5eda61f5b86ca35575be32d65611e2d0a9e"
score = 40
quality = 37
tags = "FILE"
@@ -241588,13 +242074,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Lazagne : FILE
meta:
description = "Detects LaZagne post-exploitation password stealing tool. It is typically embedded with malware in the binary resources."
author = "ditekSHen"
- id = "8e5511e4-5c1f-5bc9-a681-697ee4723809"
+ id = "68bc50b0-a64f-50b6-bfbf-a26a4d0970ef"
date = "2024-09-25"
modified = "2024-09-25"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L3-L20"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_af4427174c1026204dc9c71878c5125efdf190328840b65fe4a69277a16fe7d2"
+ logic_hash = "af4427174c1026204dc9c71878c5125efdf190328840b65fe4a69277a16fe7d2"
score = 75
quality = 50
tags = "FILE"
@@ -241619,13 +242105,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Credstealer : FILE
meta:
description = "Detects Python executable for stealing credentials including domain environments. Observed in MuddyWater."
author = "ditekSHen"
- id = "e9e587ea-dd51-59ad-b44a-805ab12b32e8"
+ id = "ab587b12-f3e1-5f08-b27c-03ee9752e513"
date = "2024-09-25"
modified = "2024-09-25"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L22-L41"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e729c8b0b1db642acabbc4590833c05ce81447bb89e5f40aea5f0b8ebdee4438"
+ logic_hash = "e729c8b0b1db642acabbc4590833c05ce81447bb89e5f40aea5f0b8ebdee4438"
score = 75
quality = 75
tags = "FILE"
@@ -241652,13 +242138,13 @@ rule DITEKSHEN_INDICATOR_TOOL_CNC_Shootback : FILE
meta:
description = "detects Python executable for CnC communication via reverse tunnels. Used by MuddyWater group."
author = "ditekSHen"
- id = "7fda61bc-12a4-548a-8896-901f462a5d72"
+ id = "fb608115-6d9f-5640-88be-674e53b07126"
date = "2024-09-25"
modified = "2024-09-25"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L43-L62"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_996cabd4965164cb844cee1ab1e2894fc2b4fac14d4e660c456b494c5cbd0688"
+ logic_hash = "996cabd4965164cb844cee1ab1e2894fc2b4fac14d4e660c456b494c5cbd0688"
score = 75
quality = 50
tags = "FILE"
@@ -241685,13 +242171,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Fgdump : FILE
meta:
description = "detects all versions of the password dumping tool, fgdump. Observed to be used by DustSquad group."
author = "ditekSHen"
- id = "e6986887-babb-56c8-8ee5-4955ee0c86be"
+ id = "2759fce2-db2a-5a48-bb37-931fd847a32d"
date = "2024-09-25"
modified = "2024-09-25"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L64-L81"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fdccd91a84374f7c94843bd9c2191720959416acf2e33d7b28b42d63d7ea4ce3"
+ logic_hash = "fdccd91a84374f7c94843bd9c2191720959416acf2e33d7b28b42d63d7ea4ce3"
score = 75
quality = 75
tags = "FILE"
@@ -241716,13 +242202,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Sharpweb : FILE
meta:
description = "detects all versions of the browser password dumping .NET tool, SharpWeb."
author = "ditekSHen"
- id = "798bcd72-db02-5d91-b904-248d5a20d053"
+ id = "f85dd689-c2a9-5cea-9c19-1e66ec942606"
date = "2024-09-25"
modified = "2024-09-25"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L83-L110"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_036d576eb7acdededda7b31d3dda3a4928e01ff761bf45a1112da6bf7d4e2966"
+ logic_hash = "036d576eb7acdededda7b31d3dda3a4928e01ff761bf45a1112da6bf7d4e2966"
score = 75
quality = 40
tags = "FILE"
@@ -241753,13 +242239,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Blackbone : FILE
meta:
description = "detects Blackbone password dumping tool on Windows 7-10 operating system."
author = "ditekSHen"
- id = "5958f41f-f2bb-546d-9a3c-c422f11555b6"
+ id = "a6d9f9d1-75fb-51af-87ad-80b4e135e759"
date = "2024-09-25"
modified = "2024-09-25"
reference = "https://github.com/ditekshen/detection"
source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L112-L129"
license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e9dacd28accaef8a93ff8d3b5cf9437b3848791711a4a7118ab46d2bb6ca42d3"
+ logic_hash = "e9dacd28accaef8a93ff8d3b5cf9437b3848791711a4a7118ab46d2bb6ca42d3"
score = 75
quality = 75
tags = "FILE"
@@ -241784,13 +242270,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Mimikatz : FILE meta: description = "Detects Mimikatz" author = "ditekSHen" - id = "729cbdda-23b6-5786-8258-4058cb8c5b5c" + id = "feb236c0-6e0d-5c2c-a050-cf1d000aaf38" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L131-L164" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_42c9c78c88bb7c427d5f0bf1d3b0113205780142b499eb17858037ded0f2971e" + logic_hash = "42c9c78c88bb7c427d5f0bf1d3b0113205780142b499eb17858037ded0f2971e" score = 75 quality = 73 tags = "FILE" @@ -241828,13 +242314,13 @@ rule DITEKSHEN_INDICATOR_TOOL_SCN_Portscan : FILE meta: description = "Detects a port scanner tool observed as second or third stage post-compromise or dropped by malware." author = "ditekSHen" - id = "003fd6ac-9261-5af7-8f7c-cf0d036ba6df" + id = "f270e098-17a0-5d66-acd0-c946a29919f4" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L166-L180" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ebe5eb045a250ca38a55ac43018548074e9db160d76737c36f8ae5ea268b7b10" + logic_hash = "ebe5eb045a250ca38a55ac43018548074e9db160d76737c36f8ae5ea268b7b10" score = 75 quality = 75 tags = "FILE" 
@@ -241856,13 +242342,13 @@ rule DITEKSHEN_INDICATOR_TOOL_MEM_Mxtract : FILE meta: description = "Detects mXtract, a linux-based tool that dumps memory for offensive pentration testing and can be used to scan memory for private keys, ips, and passwords using regexes." author = "ditekSHen" - id = "6ca65129-e203-54f4-be08-f1eb3b9d2147" + id = "e8c5e5b3-aa98-5f7f-9410-3efeef725f41" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L182-L195" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8271722c3b8f4458d20cf874d37e87e3b1fde701205ff54f0360fb87f717fc3f" + logic_hash = "8271722c3b8f4458d20cf874d37e87e3b1fde701205ff54f0360fb87f717fc3f" score = 50 quality = 69 tags = "FILE" @@ -241883,13 +242369,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Sniffpass : FILE meta: description = "Detects SniffPass, a password monitoring software that listens on the network and captures passwords over POP3, IMAP4, SMTP, FTP, and HTTP." author = "ditekSHen" - id = "4dac0beb-c211-5d82-a5f6-00382e1bdcaf" + id = "b96498d4-bbe3-5cb8-9c24-91ebb51e078a" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L197-L212" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9b56ee4bac39b4220b24e92d00076650ffe84b71a60c0213a84fcf21c6cfe4cf" + logic_hash = "9b56ee4bac39b4220b24e92d00076650ffe84b71a60c0213a84fcf21c6cfe4cf" score = 75 quality = 75 tags = "FILE" 
@@ -241912,13 +242398,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Avbypass_Aviator : FILE meta: description = "Detects AVIator, which is a backdoor generator utility, which uses cryptographic and injection techniques in order to bypass AV detection. This was observed to bypass Win.Trojan.AZorult. This rule works for binaries and memory." author = "ditekSHen" - id = "0b062338-1564-5757-a8a8-8cfb7edcddd9" + id = "2bddd64e-baca-58cb-ba52-27487cc4ded5" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L214-L240" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1fb497eec2b0cd4051b5ddd53463f1da511c0a7b72d54a0bc68736a99fdc6143" + logic_hash = "1fb497eec2b0cd4051b5ddd53463f1da511c0a7b72d54a0bc68736a99fdc6143" score = 75 quality = 75 tags = "FILE" @@ -241951,13 +242437,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Pwdump7 : FILE meta: description = "Detects Pwdump7 password Dumper" author = "ditekSHen" - id = "2d24d5b2-b31b-5721-942c-4554cd080fac" + id = "dc6ff544-b9de-547b-9fa8-7d0b32e9592d" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L242-L254" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f84ab69ecc6837a826dc8726785165b8135edf51a47fb5bbaf19dc589b3032bd" + logic_hash = "f84ab69ecc6837a826dc8726785165b8135edf51a47fb5bbaf19dc589b3032bd" score = 75 quality = 75 tags = "FILE" 
@@ -241977,13 +242463,13 @@ rule DITEKSHEN_INDICATOR_TOOL_LTM_Sharpexec : FILE meta: description = "Detects SharpExec lateral movement tool" author = "ditekSHen" - id = "551e4e54-3a93-56d7-abc8-c7128ba178c5" + id = "4373a052-9525-5b24-81a4-65cd68afcb6c" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L256-L275" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_17ae5c9f0b22e8ecbbbcbe052e466d00cb7b62cff423688b5138209c52f0698d" + logic_hash = "17ae5c9f0b22e8ecbbbcbe052e466d00cb7b62cff423688b5138209c52f0698d" score = 75 quality = 73 tags = "FILE" @@ -242010,13 +242496,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PRV_Advancedrun : FILE meta: description = "Detects NirSoft AdvancedRun privialge escalation tool" author = "ditekSHen" - id = "2f291aec-5b25-5a4f-86a7-a5027fa0f81e" + id = "c886951a-7ee9-5d38-a724-3dbba8c6ec31" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L277-L289" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3f39e8f0629647f44a2f473d7b49a8b6adb1acd62de36420b80e7820e63854bb" + logic_hash = "3f39e8f0629647f44a2f473d7b49a8b6adb1acd62de36420b80e7820e63854bb" score = 75 quality = 75 tags = "FILE" 
@@ -242036,13 +242522,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Amady : FILE meta: description = "Detects password stealer DLL. Dropped by Amadey" author = "ditekSHen" - id = "641e99a7-1d37-5b2a-8373-93e4bbebd204" + id = "6ee4e25b-bf38-5664-a08f-94e3fa92aa29" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L291-L306" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_409374bec5f58abeb7741b41f0fc7ea1c3fdc7bbc3f0c0628db0e3aac82836d1" + logic_hash = "409374bec5f58abeb7741b41f0fc7ea1c3fdc7bbc3f0c0628db0e3aac82836d1" score = 75 quality = 75 tags = "FILE" @@ -242065,13 +242551,13 @@ rule DITEKSHEN_INDICATOR_TOOL_SCR_Amady : FILE meta: description = "Detects screenshot stealer DLL. Dropped by Amadey" author = "ditekSHen" - id = "e951992f-9847-5db3-9242-cf8873014283" + id = "f7660899-ed12-5765-a856-6a1c7bbd8978" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L308-L320" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9e7ab39976e3219f0c6c3ce5341442343cc4baf30757cd1c9d0c2d3845fdda2f" + logic_hash = "9e7ab39976e3219f0c6c3ce5341442343cc4baf30757cd1c9d0c2d3845fdda2f" score = 75 quality = 75 tags = "FILE" 
@@ -242091,13 +242577,13 @@ rule DITEKSHEN_INDICATOR_TOOL_EXP_Eternalblue : FILE meta: description = "Detects Windows executables containing EternalBlue explitation artifacts" author = "ditekSHen" - id = "838651ac-0e75-5be2-b313-d7341a740b3d" + id = "08173a1e-2e32-5add-864a-d92ffa0a3e44" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L322-L342" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_63e56637118accb8c32c20e52465c027df2dbf83b3b663d316b453ce879572c8" + logic_hash = "63e56637118accb8c32c20e52465c027df2dbf83b3b663d316b453ce879572c8" score = 75 quality = 75 tags = "FILE" @@ -242123,13 +242609,13 @@ rule DITEKSHEN_INDICATOR_TOOL_EXP_Weblogic : FILE meta: description = "Detects Windows executables containing Weblogic exploits commands" author = "ditekSHen" - id = "5c57ff57-9223-574e-9573-9e5d47b2f8ec" + id = "e761a968-35cb-5284-99f2-6d516ad348e3" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L344-L353" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_01855f1125b0ba87dd40f7d460440dbda2d75c8b484e842a2b2e20c089b4ab5e" + logic_hash = "01855f1125b0ba87dd40f7d460440dbda2d75c8b484e842a2b2e20c089b4ab5e" score = 75 quality = 75 tags = "FILE" 
@@ -242146,13 +242632,13 @@ rule DITEKSHEN_INDICATOR_TOOL_SCN_Smbtouch : FILE meta: description = "Detects SMBTouch scanner EternalBlue, EternalChampion, EternalRomance, EternalSynergy" author = "ditekSHen" - id = "f5d6fb70-3a1e-5b8a-8595-39ebdf1cf719" + id = "4e8176dd-4113-5fa8-a695-77e7169f6975" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L376-L400" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_78c2a435762d3febe927eb15910d5a18c1ffe74604673463543d3c859f5ef8e9" + logic_hash = "78c2a435762d3febe927eb15910d5a18c1ffe74604673463543d3c859f5ef8e9" score = 75 quality = 75 tags = "FILE" @@ -242183,13 +242669,13 @@ rule DITEKSHEN_INDICATOR_TOOL_SCN_Nbtscan : FILE meta: description = "Detects NBTScan scanner for open NETBIOS nameservers on a local or remote TCP/IP network" author = "ditekSHen" - id = "09b7ac03-345e-5e15-9500-1c08e1f9a808" + id = "663c324e-4784-5efe-bbdf-60fa42e13944" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L402-L420" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a81b95ad60aac4d66586ae7dc61f6bcbe2b7185b66b2bb895f45abff3ad3f430" + logic_hash = "a81b95ad60aac4d66586ae7dc61f6bcbe2b7185b66b2bb895f45abff3ad3f430" score = 75 quality = 75 tags = "FILE" 
@@ -242215,13 +242701,13 @@ rule DITEKSHEN_INDICATOR_TOOL_ENC_Bestcrypt : FILE meta: description = "Detects BestEncrypt commercial disk encryption and wiping software" author = "ditekSHen" - id = "b6fefcd3-556f-5528-82c2-31ad39605c83" + id = "30c3c17c-c951-5b14-80ba-eec7b2195985" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L442-L453" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_77d338c6f3e4b733cb31eb1ae05e4ce8631812f7161bc70074a3fe1dee9df770" + logic_hash = "77d338c6f3e4b733cb31eb1ae05e4ce8631812f7161bc70074a3fe1dee9df770" score = 75 quality = 50 tags = "FILE" @@ -242240,13 +242726,13 @@ rule DITEKSHEN_INDICATOR_TOOL_CNC_Earthworm : FILE meta: description = "Detects Earthworm C&C Windows/macOS tool" author = "ditekSHen" - id = "dabd1a39-5ddb-583e-b38d-672f124394e4" + id = "4a6edcf3-b3c4-5620-8eac-102b1ce425f8" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L455-L471" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5045faaaa9e60d4bd506240d51ff78dad4e89ccee0e824e7e5c309a8d3ae2883" + logic_hash = "5045faaaa9e60d4bd506240d51ff78dad4e89ccee0e824e7e5c309a8d3ae2883" score = 75 quality = 50 tags = "FILE" 
@@ -242270,13 +242756,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Keychaindumper : FILE meta: description = "Detects macOS certificate/password keychain dumping tool" author = "ditekSHen" - id = "3a6dcb9a-5c46-519d-8acb-f02ef7962ce1" + id = "cec094fa-c651-58a6-a306-f16d8603e536" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L473-L484" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f606bdd5dba2180ffc552c46373b52801a0bd65a538b381fb9f4240efc5bd458" + logic_hash = "f606bdd5dba2180ffc552c46373b52801a0bd65a538b381fb9f4240efc5bd458" score = 75 quality = 71 tags = "FILE" @@ -242295,13 +242781,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_P0Wnedshell : FILE meta: description = "Detects compiled executables of p0wnedShell post-exploitation toolkit" author = "ditekSHen" - id = "0661e07a-c0e8-5927-a438-6992850a7137" + id = "7df8f9b4-48d3-5271-9d60-5dd4bfaed316" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L486-L512" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9745b69573bf695fdada122143fb1889a7b2025250b5fb1e8f1a86b3be6f27d3" + logic_hash = "9745b69573bf695fdada122143fb1889a7b2025250b5fb1e8f1a86b3be6f27d3" score = 75 quality = 75 tags = "FILE" 
@@ -242335,13 +242821,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Rubeus : FILE meta: description = "Detects Rubeus kerberos defensive/offensive toolset" author = "ditekSHen" - id = "6d9ba40b-ef91-5535-9a9c-cdae4f48050e" + id = "5af8cee0-e664-5dfe-9932-0e74ed41b6b4" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L514-L531" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ee817d23427970d7e77f9ce2a7cbc25c77177d81354fed83e7551cdcbc2d7cd2" + logic_hash = "ee817d23427970d7e77f9ce2a7cbc25c77177d81354fed83e7551cdcbc2d7cd2" score = 75 quality = 75 tags = "FILE" @@ -242366,13 +242852,13 @@ rule DITEKSHEN_INDICATOR_TOOL_RTK_Hiddenrootkit : FILE meta: description = "Detects the Hidden public rootkit" author = "ditekSHen" - id = "76c3213d-0bd8-56e7-8f2b-9527a41feeb3" + id = "c9e9d160-224f-505f-a135-56a9793f99c2" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L533-L554" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_20180fc040c1b988b17b1ca9b61a7dab5180df4961a00f0afcb03e2cbe99b28f" + logic_hash = "20180fc040c1b988b17b1ca9b61a7dab5180df4961a00f0afcb03e2cbe99b28f" score = 75 quality = 50 tags = "FILE" 
@@ -242401,13 +242887,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Sharphound : FILE meta: description = "Detects BloodHound" author = "ditekSHen" - id = "ed10375c-ef66-5256-ae3d-d0bd987dc50b" + id = "d8f44e15-3e7c-5e5d-9d74-30c61e679fcb" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L556-L573" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bdf10d0aabd6c41e8dd1f87c0fa141f300d785146d059fcd301ec35f65fbe990" + logic_hash = "bdf10d0aabd6c41e8dd1f87c0fa141f300d785146d059fcd301ec35f65fbe990" score = 75 quality = 48 tags = "FILE" @@ -242432,13 +242918,13 @@ rule DITEKSHEN_INDICATOR_TOOL_UAC_NSISUAC : FILE meta: description = "Detects NSIS UAC plugin" author = "ditekSHen" - id = "c16729ff-bcf8-57de-af8b-ff1ba359fa1e" + id = "4a7c20f6-bf0e-55fb-a0b9-7b51e4af7cd3" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L575-L587" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_48c0247c789328a0ff62816f5d6ecac7a0f2a3fe2cb95d99c0e7d988147f7137" + logic_hash = "48c0247c789328a0ff62816f5d6ecac7a0f2a3fe2cb95d99c0e7d988147f7137" score = 75 quality = 75 tags = "FILE" 
@@ -242458,13 +242944,13 @@ rule DITEKSHEN_INDICATOR_TOOL_REM_Intelliadmin : FILE meta: description = "Detects commerical IntelliAdmin remote tool" author = "ditekSHen" - id = "0685307f-939c-5236-bafd-abbb3ebe347f" + id = "15385e0b-ead4-5614-a04e-55878eb70b34" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L589-L602" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8b601d68eff65bc6cc2fb46630a7021e229764f9a80f6d3278ba3b9f55e5b114" + logic_hash = "8b601d68eff65bc6cc2fb46630a7021e229764f9a80f6d3278ba3b9f55e5b114" score = 75 quality = 75 tags = "FILE" @@ -242485,13 +242971,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Sharpwmi : FILE meta: description = "Detects SharpWMI" author = "ditekSHen" - id = "82eb666f-80e5-56ee-9707-42e6890822c5" + id = "9c58d9fa-04b8-5a9c-8ae9-ff2e7530772f" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L604-L619" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e6c5764d0883e2882e06f07e4729362011a4d65614259b85978e1c6ef5cfadb7" + logic_hash = "e6c5764d0883e2882e06f07e4729362011a4d65614259b85978e1c6ef5cfadb7" score = 75 quality = 73 tags = "FILE" 
@@ -242514,13 +243000,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Defendercontrol : FILE meta: description = "Detects Defender Control" author = "ditekSHen" - id = "9c11f1e2-d7ba-5767-8a77-88e76d37f529" + id = "7bc1f26e-2432-5642-b1e7-c87683f7d932" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L621-L631" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_826ed0643a07580750eb11c4cf2c2759f53b6c2bda51705476edc4808abccbf8" + logic_hash = "826ed0643a07580750eb11c4cf2c2759f53b6c2bda51705476edc4808abccbf8" score = 75 quality = 75 tags = "FILE" @@ -242538,13 +243024,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Mulit_Venomagent : FILE meta: description = "Detects Venom Proxy Agent" author = "ditekSHen" - id = "25c24d65-0587-5c91-b813-fccb247ef710" + id = "598bc773-cbe9-503b-ba3e-27c2cde8910d" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L633-L645" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_5eda23a237404a44dc9eb057adbf6106166374168eb08e55c182da5c05ecb4f1" + logic_hash = "5eda23a237404a44dc9eb057adbf6106166374168eb08e55c182da5c05ecb4f1" score = 75 quality = 75 tags = "FILE" 
@@ -242564,13 +243050,13 @@ rule DITEKSHEN_INDICATOR_TOOL_HFS_Webserver : FILE meta: description = "Detects HFS Web Server" author = "ditekSHen" - id = "2164532d-1860-5b21-ae79-161c2055ff38" + id = "2c9d9a38-8a6c-5c53-84bc-4eef77933172" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L647-L658" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f5b8947e3858466dae5f476790842500f8184c4676d8c0c4870adb7fd3206652" + logic_hash = "f5b8947e3858466dae5f476790842500f8184c4676d8c0c4870adb7fd3206652" score = 75 quality = 75 tags = "FILE" @@ -242589,13 +243075,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PROX_Lanproxy : FILE meta: description = "Detects lanproxy-go-client" author = "ditekSHen" - id = "9805da55-7a07-5ea8-9b3f-00db42619660" + id = "71fc23d9-9aae-5666-832b-90cf5a86c474" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L660-L675" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_13a5aaea0fb522e3badb4a60d2db8d7dd46e5721bd6dc2e2b2e29d49e197c375" + logic_hash = "13a5aaea0fb522e3badb4a60d2db8d7dd46e5721bd6dc2e2b2e29d49e197c375" score = 75 quality = 75 tags = "FILE" 
@@ -242618,13 +243104,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Peirates : FILE meta: description = "Detects Kubernetes penetration tool Peirates" author = "ditekSHen" - id = "f2782cf4-b797-5872-a745-b5075f9254b6" + id = "74ce83ed-0d93-5cb0-97e8-6885ae83b336" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L677-L694" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_321f06af098283638f99d027dc3c95a25a72192a25c7afa5081a7dbff8c3acb7" + logic_hash = "321f06af098283638f99d027dc3c95a25a72192a25c7afa5081a7dbff8c3acb7" score = 75 quality = 75 tags = "FILE" @@ -242649,13 +243135,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Botb : FILE meta: description = "Detects Break out the Box (BOtB)" author = "ditekSHen" - id = "16aeb691-ac0d-5542-a6c3-ca0280901f33" + id = "acafa6dd-51b9-5945-b1df-7763a97a424f" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L696-L710" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a01f796b27852f9217d9bfea32f8d9ffb3c88521d4413f6612f7a0544cf44fb3" + logic_hash = "a01f796b27852f9217d9bfea32f8d9ffb3c88521d4413f6612f7a0544cf44fb3" score = 75 quality = 75 tags = "FILE" 
@@ -242677,13 +243163,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_LSASS_Createminidump : FILE meta: description = "Detects CreateMiniDump tool" author = "ditekSHen" - id = "9be8d928-1892-5e09-9aab-e27a9ec97aa9" + id = "0d8642d1-2ed9-5270-a54a-6ba788026f5f" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L712-L724" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_577ccc783554363c0bed80d9642e8a0f107fc2ec66d84f76b9556aa3506c86c0" + logic_hash = "577ccc783554363c0bed80d9642e8a0f107fc2ec66d84f76b9556aa3506c86c0" score = 75 quality = 75 tags = "FILE" @@ -242703,13 +243189,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Securityxploded_Browserpassworddumper : FILE meta: description = "Detects SecurityXploded Browser Password Dumper tool" author = "ditekSHen" - id = "ffa524ca-a353-5571-a0b4-3b38e8d977f4" + id = "ce90ef96-43c0-5d68-ba7d-21aafb3f754b" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L726-L737" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b3c6e9b393c244c7bf6489f54ebd622a09da050a65d6dbde325d5bcd7d85f39a" + logic_hash = "b3c6e9b393c244c7bf6489f54ebd622a09da050a65d6dbde325d5bcd7d85f39a" score = 75 quality = 75 tags = "FILE" 
@@ -242728,13 +243214,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Securityxploded_Ftppassworddumper : FILE meta: description = "Detects SecurityXploded FTP Password Dumper tool" author = "ditekSHen" - id = "6513663f-2a9b-5024-8450-1f03a5448871" + id = "d876c201-b527-531c-9563-0b1a1c6334cb" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L739-L750" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_941bfb9b1ce71252c5aa05bd654bdcf1af6cc1d5f720bc2c239e17454f15beda" + logic_hash = "941bfb9b1ce71252c5aa05bd654bdcf1af6cc1d5f720bc2c239e17454f15beda" score = 75 quality = 75 tags = "FILE" @@ -242753,13 +243239,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Securityxploded_Emailpassworddumper : FILE meta: description = "Detects SecurityXploded Email Password Dumper tool" author = "ditekSHen" - id = "1476a57a-7894-534c-aea8-a6e1f1d780bf" + id = "25e140de-4a0a-5d4f-a93f-a414b9879f2b" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L752-L764" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7f07611385d45bf45bfb8ee95e56febfb992fb7b416321c5b590878636a5c1b7" + logic_hash = "7f07611385d45bf45bfb8ee95e56febfb992fb7b416321c5b590878636a5c1b7" score = 75 quality = 75 tags = "FILE" 
@@ -242779,13 +243265,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Sharpsphere : FILE meta: description = "Detects SharpSphere red teamers tool to interact with the guest operating systems of virtual machines managed by vCenter" author = "ditekSHen" - id = "938bb820-6723-56e2-882a-9c14cb72056c" + id = "878b5174-2368-5fc8-9573-7b2759cab409" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L766-L783" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_aae9355fcc7a6b5faf3807c85983032519550e936d5660c823d13731083be512" + logic_hash = "aae9355fcc7a6b5faf3807c85983032519550e936d5660c823d13731083be512" score = 75 quality = 50 tags = "FILE" @@ -242810,13 +243296,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Exchangeexploit : FILE meta: description = "Hunt for executables potentially embedding Exchange Server exploitation artificats" author = "ditekSHen" - id = "d56b3da0-bf1b-5ad0-94dd-b13a9d0e20c3" + id = "429f738a-009a-5326-92e0-bdc907be96f2" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L785-L798" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4b0d22a296cab6591d63568aa44845ef7fcc413d45c368a712928411d11a8177" + logic_hash = "4b0d22a296cab6591d63568aa44845ef7fcc413d45c368a712928411d11a8177" score = 75 quality = 69 tags = "FILE" 
@@ -242837,13 +243323,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Goclr : FILE meta: description = "Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory" author = "ditekSHen" - id = "d2b91baf-081e-5ae1-8d62-c60072830e46" + id = "21766cad-17dd-525a-9ebe-cd90e892cff1" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L800-L814" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a2a79793b1f530bcf9f79983f29a655f270cf0147606690b19eaeb82d4bd1f0d" + logic_hash = "a2a79793b1f530bcf9f79983f29a655f270cf0147606690b19eaeb82d4bd1f0d" score = 75 quality = 75 tags = "FILE" @@ -242865,13 +243351,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Edgecookiesview : FILE meta: description = "Detects EdgeCookiesView" author = "ditekSHen" - id = "d0ee8d8b-5ecb-5988-9a40-be9a70577618" + id = "42c6eb2e-bf5c-5956-9009-c29551ce715d" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L833-L847" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9ba6d416e02c1958806356c67636609dcca758da9f7e3d1fc15244cc5ff038fc" + logic_hash = "9ba6d416e02c1958806356c67636609dcca758da9f7e3d1fc15244cc5ff038fc" score = 75 quality = 75 tags = "FILE" 
@@ -242893,13 +243379,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Sharpnopsexec : FILE meta: description = "Detects SharpNoPSExec" author = "ditekSHen" - id = "b5803b16-37d4-5772-b5fd-64ced90fd10e" + id = "10898364-6d77-5127-a16b-5fd3b1c652d5" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L849-L864" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c1d76639e7b6464d302729b48bbcd810216132868035904bb9866e7b31ccfac2" + logic_hash = "c1d76639e7b6464d302729b48bbcd810216132868035904bb9866e7b31ccfac2" score = 75 quality = 75 tags = "FILE" @@ -242922,13 +243408,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Chromecookiesview : FILE meta: description = "Detects ChromeCookiesView" author = "ditekSHen" - id = "22c929a2-932f-5f48-ba28-67eb42c00ff3" + id = "c1b89468-edf2-59d1-89b3-5822fa19d6ab" date = "2024-09-25" modified = "2024-09-25" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L866-L880" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_81acd0978fc03525e7092ab51c681b61f9de0252066ce871298e2cd96b1d3024" + logic_hash = "81acd0978fc03525e7092ab51c681b61f9de0252066ce871298e2cd96b1d3024" score = 75 quality = 75 tags = "FILE" 
@@ -242950,13 +243436,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Sliver : FILE
 meta:
 description = "Detects Sliver implant cross-platform adversary emulation/red team"
 author = "ditekSHen"
- id = "ffe8df76-c969-5bcf-bbbd-7ef873c69fc6"
+ id = "e0c5404b-8e6b-5c3a-9e37-56012c3802dd"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L882-L900"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4f9442b74c84c7b4a8fcf93de2919d12efe2f41d0b4e8514b43822fba0962af2"
+ logic_hash = "4f9442b74c84c7b4a8fcf93de2919d12efe2f41d0b4e8514b43822fba0962af2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -242982,13 +243468,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Owlproxy : FILE
 meta:
 description = "Hunt for OwlProxy"
 author = "ditekSHen"
- id = "747db016-a7aa-54c1-beb8-b88800e909fe"
+ id = "86e2144e-c5d3-5bd6-b287-1157066126a3"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L902-L921"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fa7dd5eeb9799fd651317ceecbed6c960f16c387dc18723409053e44cd281582"
+ logic_hash = "fa7dd5eeb9799fd651317ceecbed6c960f16c387dc18723409053e44cd281582"
 score = 75
 quality = 50
 tags = "FILE"
@@ -243015,13 +243501,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Backstab : FILE
 meta:
 description = "Detect Backstab tool capable of killing antimalware protected processes by leveraging sysinternals Process Explorer (ProcExp) driver"
 author = "ditekSHen"
- id = "3f2d5890-c14f-5256-8ea9-e8c2e9260f84"
+ id = "1e514d03-9b78-5e75-9a31-02c0413e23a7"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L923-L939"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d25c3ff4d7c120fdf7c275d11da7a321bcbdb275dcfaa699b5bb4bd66167ec92"
+ logic_hash = "d25c3ff4d7c120fdf7c275d11da7a321bcbdb275dcfaa699b5bb4bd66167ec92"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243045,13 +243531,13 @@ rule DITEKSHEN_INDICATOR_TOOL_EXP_Sharpprintnightmare : FILE
 meta:
 description = "Detect SharpPrintNightmare"
 author = "ditekSHen"
- id = "028fdf5b-b000-507d-878c-0835818e43a9"
+ id = "15f52fce-27cc-52e7-91d5-7e2f6db5b596"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L941-L961"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_22c890a22ce6b7c1a06068018364f7c5a2afe1bee5b5bc6a8bae3703a11fac26"
+ logic_hash = "22c890a22ce6b7c1a06068018364f7c5a2afe1bee5b5bc6a8bae3703a11fac26"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243079,13 +243565,13 @@ rule DITEKSHEN_INDICATOR_TOOL_REC_Adfind : FILE
 meta:
 description = "Detect ADFind"
 author = "ditekSHen"
- id = "5988785a-aabd-5c6c-8645-fc431c12494b"
+ id = "2f0d02a1-7488-5645-aa08-1eadee2862e8"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L963-L974"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_41fb9f72032f76adc6f1fccd25a1364f153eb2430063e9d582f3dcd9fc9ac84a"
+ logic_hash = "41fb9f72032f76adc6f1fccd25a1364f153eb2430063e9d582f3dcd9fc9ac84a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243104,13 +243590,13 @@ rule DITEKSHEN_INDICATOR_TOOL_CNC_Chisel : FILE
 meta:
 description = "Detect binaries using Chisel"
 author = "ditekSHen"
- id = "6110b1ed-fc42-5835-a1a3-79b9d7ed2bc6"
+ id = "d126f2c8-655f-564f-ae46-f6bd6385dcac"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L976-L990"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_08c7b2c4725431c1bf85ae8068f4250c98e58890e3b4c97aa9e419e4f487cada"
+ logic_hash = "08c7b2c4725431c1bf85ae8068f4250c98e58890e3b4c97aa9e419e4f487cada"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243132,13 +243618,13 @@ rule DITEKSHEN_INDICATOR_TOOL_ANT_Sharpedrchecker : FILE
 meta:
 description = "Detect SharpEDRChecke, C# Implementation of Invoke-EDRChecker"
 author = "ditekSHen"
- id = "10ed763b-fb4c-5711-9064-69e21502e6d4"
+ id = "c0b41787-b8b4-5aa7-b1f0-0a89dbebe45e"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L992-L1023"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_77a26ff5298dddebc669d9b6c39905a48a86884cf98adebdf935b94c62d36ddc"
+ logic_hash = "77a26ff5298dddebc669d9b6c39905a48a86884cf98adebdf935b94c62d36ddc"
 score = 75
 quality = 48
 tags = "FILE"
@@ -243177,13 +243663,13 @@ rule DITEKSHEN_INDICATOR_TOOL_ANT_Invizzzible : FILE
 meta:
 description = "Detect InviZzzible"
 author = "ditekSHen"
- id = "3f4be97a-77e8-5a09-a03a-2e31b3594784"
+ id = "23533d1c-e0d8-51c8-ac18-60c845bff197"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1025-L1059"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bd84015f9fdc160a6ed9010c5a5905fcf13987b1fdec6fdd9535e315dc3617e8"
+ logic_hash = "bd84015f9fdc160a6ed9010c5a5905fcf13987b1fdec6fdd9535e315dc3617e8"
 score = 75
 quality = 73
 tags = "FILE"
@@ -243225,13 +243711,13 @@ rule DITEKSHEN_INDICATOR_TOOL_EXFIL_Sharpbox : FILE
 meta:
 description = "Detect SharpBox, C# tool for compressing, encrypting, and exfiltrating data to Dropbox using the Dropbox API"
 author = "ditekSHen"
- id = "a6321e91-08b3-58f8-bdfe-d00416a3c177"
+ id = "cd834fe2-dc77-509d-a8f9-d631f395bcd8"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1061-L1080"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b03ab3786b2a2e6774d94be4edf700a7154d8d400c7b2b31c73c68ce9fe0c08a"
+ logic_hash = "b03ab3786b2a2e6774d94be4edf700a7154d8d400c7b2b31c73c68ce9fe0c08a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243258,13 +243744,13 @@ rule DITEKSHEN_INDICATOR_TOOL_EXP_Serioussam01 : CVE_2021_36934 FILE
 meta:
 description = "Detect tool variants potentially exploiting SeriousSAM / HiveNightmare CVE-2021-36934"
 author = "ditekSHen"
- id = "6e10e47d-96e8-53dc-a025-9e2872b6e23a"
+ id = "e8f24ae4-48fb-5ee7-9e8e-0d144bb3b046"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1082-L1104"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8b9de87dc073e6ba3eb36dd57b31e9749849c2e277f2bcd1c98ffc2d02861e10"
+ logic_hash = "8b9de87dc073e6ba3eb36dd57b31e9749849c2e277f2bcd1c98ffc2d02861e10"
 score = 75
 quality = 25
 tags = "CVE-2021-36934, FILE"
@@ -243294,13 +243780,13 @@ rule DITEKSHEN_INDICATOR_TOOL_EXP_Petitpotam01 : FILE
 meta:
 description = "Detect tool potentially exploiting/attempting PetitPotam"
 author = "ditekSHen"
- id = "1b8061c0-4996-5676-862e-aca80528ea15"
+ id = "12d7b533-f477-5fbb-8b1f-1a93c9a63500"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1127-L1143"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_37a9477b41560904e8874ecaf93eb2667b9450b5d42665677abc1442538f9000"
+ logic_hash = "37a9477b41560904e8874ecaf93eb2667b9450b5d42665677abc1442538f9000"
 score = 75
 quality = 50
 tags = "FILE"
@@ -243324,13 +243810,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PET_Sharpstrike : FILE
 meta:
 description = "Detect SharpStrike post-exploitation tool written in C# that uses either CIM or WMI to query remote systems"
 author = "ditekSHen"
- id = "0dd29874-e1c4-59e3-b294-fa855f9448b4"
+ id = "00b36fce-3d84-51cf-a800-042d7484d78c"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1145-L1160"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c479d85878d9f9659fc157f0c6706703af3748a8740df6a5090cddc720dd7661"
+ logic_hash = "c479d85878d9f9659fc157f0c6706703af3748a8740df6a5090cddc720dd7661"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243353,13 +243839,13 @@ rule DITEKSHEN_INDICATOR_TOOL_LTM_Ladon : FILE
 meta:
 description = "Detect Ladon tool that assists in lateral movement across a network"
 author = "ditekSHen"
- id = "1d8d8b27-4803-520c-9988-4c4e24347d5c"
+ id = "227e63ce-8383-5bb1-870e-6c4e767b402f"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1162-L1178"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f31276bcbcae672966cfddc9af4f5b507d7244360b421de7fe1e811fb954fb7d"
+ logic_hash = "f31276bcbcae672966cfddc9af4f5b507d7244360b421de7fe1e811fb954fb7d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243383,13 +243869,13 @@ rule DITEKSHEN_INDICATOR_TOOL_LTM_Ladonexp : FILE
 meta:
 description = "Detect Ladon tool that assists in lateral movement across a network"
 author = "ditekSHen"
- id = "bf2f5178-29e1-57f0-a355-9c40fc5822f2"
+ id = "bd1e7ef5-ae68-5e0d-8261-0eb765453bae"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1180-L1191"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_22f6a717b8464bddd850bb5ea8b416e99bceb91fe917f188be178f2fff620730"
+ logic_hash = "22f6a717b8464bddd850bb5ea8b416e99bceb91fe917f188be178f2fff620730"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243408,13 +243894,13 @@ rule DITEKSHEN_INDICATOR_TOOL_LTM_Ladongo : FILE
 meta:
 description = "Detect LadonGo tool that assists in lateral movement across a network"
 author = "ditekSHen"
- id = "5ec4a321-3627-5c71-a5d3-1bb69a1aab6d"
+ id = "4dbf7f24-b9ab-5629-8e78-667d9623dea9"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1193-L1207"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_606172b8fb251cb4ad75de40b55d74779aef6409832f6edf09068083143ec749"
+ logic_hash = "606172b8fb251cb4ad75de40b55d74779aef6409832f6edf09068083143ec749"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243436,13 +243922,13 @@ rule DITEKSHEN_INDICATOR_TOOL_ENC_Diskcryptor : FILE
 meta:
 description = "Detect DiskCryptor open encryption solution that offers encryption of all disk partitions"
 author = "ditekSHen"
- id = "34b3cc48-c30e-51ca-a286-a177d2b2bb73"
+ id = "22b25d5c-d67f-53ac-9ae8-2de077afdda9"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1209-L1232"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7ef0bf3b11f7e4055908518ce5b6a49e04d7002ebc3396fd2da32b4e13cf68e0"
+ logic_hash = "7ef0bf3b11f7e4055908518ce5b6a49e04d7002ebc3396fd2da32b4e13cf68e0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243471,13 +243957,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PRI_Installerfiletakeover : CVE_2021_41379 FILE
 meta:
 description = "Detect InstallerFileTakeOver CVE-2021-41379"
 author = "ditekSHen"
- id = "4eece656-288c-535e-902e-dd1d81f242a0"
+ id = "8581a306-e6d3-5ac1-a778-76c6505ee174"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1234-L1253"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0a9e53138d33494d9b2aa0271b877e405ea2e8accba7c6eeac547caaa7a7c2ea"
+ logic_hash = "0a9e53138d33494d9b2aa0271b877e405ea2e8accba7c6eeac547caaa7a7c2ea"
 score = 75
 quality = 50
 tags = "CVE-2021-41379, FILE"
@@ -243504,13 +243990,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PRI_Juicypotato : FILE
 meta:
 description = "Detect JuicyPotato"
 author = "ditekSHen"
- id = "93f00ce7-d3fe-50d0-be1d-bacdbeb45d80"
+ id = "2fb52598-9771-507b-a06d-7b9bc693ffee"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1255-L1270"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_43a7ac16b9633fd2e6c43ca142cd0d0e2166287bb51e1b6344119959fe054c19"
+ logic_hash = "43a7ac16b9633fd2e6c43ca142cd0d0e2166287bb51e1b6344119959fe054c19"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243533,13 +244019,13 @@ rule DITEKSHEN_INDICATOR_TOOL_ENUM_Sharpshares : FILE
 meta:
 description = "Detects SharpShares multithreaded C# .NET Assembly to enumerate accessible network shares in a domain"
 author = "ditekSHen"
- id = "d89b682a-003b-5199-990b-19f7a3307cd2"
+ id = "1da53e34-21a3-5b3c-885e-dcc8814ac3c8"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1290-L1305"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8b35d6a692814e1b27ffc1db4ab124bf621c156aaf57f24796c422ec95a85715"
+ logic_hash = "8b35d6a692814e1b27ffc1db4ab124bf621c156aaf57f24796c422ec95a85715"
 score = 75
 quality = 25
 tags = "FILE"
@@ -243562,13 +244048,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PROX_Revsocks : FILE
 meta:
 description = "Detects revsocks Reverse socks5 tunneler with SSL/TLS and proxy support"
 author = "ditekSHen"
- id = "7226254c-07a7-5a34-a2b8-633f878fe648"
+ id = "f85bc557-40ab-5533-8a89-a2de9bbc9ad9"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1307-L1321"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4a8e68f25b7ba10b0eb9772ed4ba2b9c6566768f2b5a2859df8bac644d196bf3"
+ logic_hash = "4a8e68f25b7ba10b0eb9772ed4ba2b9c6566768f2b5a2859df8bac644d196bf3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243590,13 +244076,13 @@ rule DITEKSHEN_INDICATOR_TOOL_PWS_Azbelt : FILE
 meta:
 description = "Detects azbelt for enumerating Azure related credentials primarily on AAD joined machines"
 author = "ditekSHen"
- id = "b9fd70d4-d4aa-5878-a07d-03b46c4fbf31"
+ id = "cf9268d2-1928-51e8-9643-ee0a5bada9fa"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1323-L1338"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_71cc2b3418ea5e285adafe03fa80bade67dc3e4073fe58d42bc6190860b48b43"
+ logic_hash = "71cc2b3418ea5e285adafe03fa80bade67dc3e4073fe58d42bc6190860b48b43"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243619,13 +244105,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Dontsleep : FILE
 meta:
 description = "Detects Keep Host Unlocked (Don't Sleep)"
 author = "ditekShen"
- id = "8e0066b8-947b-5fa4-853a-68d1b2fec1bc"
+ id = "f71bd0d5-a526-5f1e-8bd3-9e653db610a7"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1340-L1354"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b8e2132d3b36c3e2d2662a586916c7e4fc029f81af08b5c18006833c4e6f772f"
+ logic_hash = "b8e2132d3b36c3e2d2662a586916c7e4fc029f81af08b5c18006833c4e6f772f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243647,13 +244133,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Nsudo : FILE
 meta:
 description = "Detects NSudo allowing to run processes as TrustedInstaller or System"
 author = "ditekShen"
- id = "21151857-e0b6-5f32-ae56-2cef8738d39a"
+ id = "9a21b923-b02e-553b-8f53-026d7034c319"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1356-L1369"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6bcffa79ca06b0b4178d6ea256f98d917c2b19cec0b059889b8d015d226a53f9"
+ logic_hash = "6bcffa79ca06b0b4178d6ea256f98d917c2b19cec0b059889b8d015d226a53f9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243674,13 +244160,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Ligolo : FILE
 meta:
 description = "Detects Ligolo tool for establishing SOCKS5 or TCP tunnels from a reverse connection"
 author = "ditekSHen"
- id = "79ae2f07-529a-5496-9b13-59fa6edd698c"
+ id = "cc461fd1-9a2f-59ce-af74-a0f55b8850b1"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1371-L1385"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b515dc184013c2f67d37e42d7172e2471b3a93c94024be12c7f587296287282d"
+ logic_hash = "b515dc184013c2f67d37e42d7172e2471b3a93c94024be12c7f587296287282d"
 score = 75
 quality = 73
 tags = "FILE"
@@ -243702,13 +244188,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Extpassword : FILE
 meta:
 description = "Detects ExtPassword External Drive Password Recovery"
 author = "ditekSHen"
- id = "6ea3f284-42cb-524c-a1e8-3e7a8e9fa5fc"
+ id = "bb06d2c1-964d-5a3d-a741-09b8ef5ac7fa"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1387-L1403"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_525530cb7e9f44be0408fd710306f90056b1b6b9a9e4779d8c1eb1ddef443fb0"
+ logic_hash = "525530cb7e9f44be0408fd710306f90056b1b6b9a9e4779d8c1eb1ddef443fb0"
 score = 75
 quality = 50
 tags = "FILE"
@@ -243732,13 +244218,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Ngrok : FILE
 meta:
 description = "Detects Ngrok"
 author = "ditekSHen"
- id = "5042f714-3e8b-5129-8cc9-2c474da8a8c0"
+ id = "fc0a0de8-b68b-5b6b-a222-bbc031ebabd3"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1405-L1418"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f4bba142652aaf77e5b7c123b743cf165ae17210c39cf65b7311f7e7bd91f7e1"
+ logic_hash = "f4bba142652aaf77e5b7c123b743cf165ae17210c39cf65b7311f7e7bd91f7e1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243759,13 +244245,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Sqlrecon : FILE
 meta:
 description = "Detects SQLRecon C# MS-SQL toolkit designed for offensive reconnaissance and post-exploitation"
 author = "ditekSHen"
- id = "8c318fc6-a447-599d-97df-708046316426"
+ id = "ec91285b-690d-5fd3-b0fc-f8d72cbb7e15"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1420-L1436"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_784dbc518cf9492557c9b3536256c4a9b03e4536cf7cee7e764b8009dd4686bb"
+ logic_hash = "784dbc518cf9492557c9b3536256c4a9b03e4536cf7cee7e764b8009dd4686bb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243789,13 +244275,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Atlasreaper : FILE
 meta:
 description = "Detects AtlasReaper command-line tool for Confluence and Jira reconnaissance, credential farming and social engineering"
 author = "ditekSHen"
- id = "635a44da-f6b9-5b05-af93-c2ccc62ed470"
+ id = "a0b4e134-bb05-5cc3-af71-516a0407aa1b"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1438-L1453"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4a0436d5c3f1609d23b2b919bebdc56a7fd63e81b99e72dcda1022487cb88240"
+ logic_hash = "4a0436d5c3f1609d23b2b919bebdc56a7fd63e81b99e72dcda1022487cb88240"
 score = 75
 quality = 50
 tags = "FILE"
@@ -243818,13 +244304,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Ngroksharp : FILE
 meta:
 description = "Detects NgrokSharp .NET library for Ngrok"
 author = "ditekSHen"
- id = "f55aaffd-a369-5526-ad3c-87a39a6c88f0"
+ id = "7c335021-4afd-5878-83c3-9bb2c81f3586"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1455-L1471"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c60637177114d369af9c3e96689811845ce1c1dfde8f7f971c4de21439564b4b"
+ logic_hash = "c60637177114d369af9c3e96689811845ce1c1dfde8f7f971c4de21439564b4b"
 score = 75
 quality = 50
 tags = "FILE"
@@ -243848,13 +244334,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Ngrokgo : FILE
 meta:
 description = "Detects Go implementation variant for Ngrok"
 author = "ditekSHen"
- id = "c4e9695d-9a7d-5b95-bcaf-232f4ef5daa4"
+ id = "b11f67c5-846d-57b2-8edc-521b2dc77503"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1473-L1488"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4ec151661e3af922aba202c68392a2af17e2c4ed25a71a0b5aacc13fbfcc5c53"
+ logic_hash = "4ec151661e3af922aba202c68392a2af17e2c4ed25a71a0b5aacc13fbfcc5c53"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243877,13 +244363,13 @@ rule DITEKSHEN_INDICATOR_Tool_Forensia : FILE
 meta:
 description = "Detects Forensia anti-forensics tool used for erasing footprints"
 author = "ditekSHen"
- id = "03732cfb-31dd-5acd-9ea2-b36a0500d3cb"
+ id = "bcd05c2e-7ddd-5ce7-a6a7-0659bed38744"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1490-L1523"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7147eee62df10cd8a6c00ec80c4d1bdb8234a181dd6af81d0580d847f05bd0b6"
+ logic_hash = "7147eee62df10cd8a6c00ec80c4d1bdb8234a181dd6af81d0580d847f05bd0b6"
 score = 75
 quality = 73
 tags = "FILE"
@@ -243924,13 +244410,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Dogzproxy : FILE
 meta:
 description = "Detects Dogz proxy tool"
 author = "ditekSHen"
- id = "25dd0f2c-5fab-5e90-9366-55389e5ae6f0"
+ id = "de2a8d26-0e8e-5999-baca-1e43933af866"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1525-L1537"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_575cfed9cb7979216fd8fd2a05efe5dfece3a9120b4f185c015918337829ed63"
+ logic_hash = "575cfed9cb7979216fd8fd2a05efe5dfece3a9120b4f185c015918337829ed63"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243950,13 +244436,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Fastreverseproxy : FILE
 meta:
 description = "Detects Fast Reverse Proxy (FRP) tool"
 author = "ditekSHen"
- id = "9ec552a3-2cb7-5013-afbb-aba9969b1b2c"
+ id = "d643cc38-a96c-5353-bb46-ca46ea740e3b"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1539-L1555"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c26d9e8833c7055a03a446eb983c7f70f1f18669d009ebc204dda3f0bb6048f7"
+ logic_hash = "c26d9e8833c7055a03a446eb983c7f70f1f18669d009ebc204dda3f0bb6048f7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -243980,13 +244466,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Gogoscan : FILE
 meta:
 description = "Detects GoGo scan tool"
 author = "ditekSHen"
- id = "e178f7fd-0772-5e9b-87b3-15fb218d13a9"
+ id = "c24ede04-2971-55f8-8b60-ec3bdca844d7"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1557-L1571"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c9fbc98a28c74bf920f5f7d62713834d18b33b5c65483a1bd42e4555764c8346"
+ logic_hash = "c9fbc98a28c74bf920f5f7d62713834d18b33b5c65483a1bd42e4555764c8346"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244008,13 +244494,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Gogoprocdump : FILE
 meta:
 description = "Detects GoGo (lsass) process dump tool"
 author = "ditekSHen"
- id = "dad827b9-9c5f-5d14-b40b-83c1e7e037b4"
+ id = "f92845c6-f8ae-50d0-97ea-cfa72051c2de"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1573-L1586"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f410882e4c6c8b65e7d3c192cf94bf99d61cf54dc21d80cdf17193b34752c576"
+ logic_hash = "f410882e4c6c8b65e7d3c192cf94bf99d61cf54dc21d80cdf17193b34752c576"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244035,13 +244521,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Fscan : FILE
 meta:
 description = "Detects GoGo scan tool"
 author = "ditekSHen"
- id = "5d38c2c6-b2d2-5c3d-8d28-6cdac15af096"
+ id = "3bf73853-15c1-54f7-866a-6a7632e39f19"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1588-L1602"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b107eb767454c4c084a7237c107c8414bdb03c324902769ac544c5903e346e17"
+ logic_hash = "b107eb767454c4c084a7237c107c8414bdb03c324902769ac544c5903e346e17"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244063,13 +244549,13 @@ rule DITEKSHEN_INDICATOR_TOOL_BURTNCIGAR : FILE
 meta:
 description = "Detects BURNTCIGAR a utility which terminates processes associated with endpoint security software"
 author = "ditekSHen"
- id = "4dbb2cc1-5abc-54a7-b284-0b8fa8fcd1f0"
+ id = "b5260d7e-07ac-5633-b450-e2124cbba65b"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1604-L1616"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4977332a0b20b300a5fc34f0f8d56221f55b66783853306d803e91701cb7e6ec"
+ logic_hash = "4977332a0b20b300a5fc34f0f8d56221f55b66783853306d803e91701cb7e6ec"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244089,13 +244575,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Pplblade : FILE
 meta:
 description = "Detects PPLBlade Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk"
 author = "ditekSHen"
- id = "c729531e-5fce-58fa-b47a-a3b51dfa2003"
+ id = "60c9b036-51a0-5e08-83de-1f69f62245c3"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1634-L1658"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_da21402b07fcd0358ba630e48ab35956cb7ed8c12836a339c85b2ee5e414543e"
+ logic_hash = "da21402b07fcd0358ba630e48ab35956cb7ed8c12836a339c85b2ee5e414543e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244127,13 +244613,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Sharpldap : FILE
 meta:
 description = "Detects SharpLDAP tool written in C# that aims to do enumeration via LDAP queries"
 author = "ditekSHen"
- id = "6c623d22-d143-5c79-ba97-47ad9812a91a"
+ id = "597e578d-41f0-595e-b92c-0c3676d8b47a"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1660-L1675"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_da5db3f2907229dc68e3c6f3351361a4b1fb9fe8afc597c9dfe611f9725c6181"
+ logic_hash = "da5db3f2907229dc68e3c6f3351361a4b1fb9fe8afc597c9dfe611f9725c6181"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244156,13 +244642,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Pandora : FILE
 meta:
 description = "Detects Pandora tool to extract credentials from password managers"
 author = "ditekSHen"
- id = "e75d5578-3676-5546-8214-3cd33f6dc164"
+ id = "3f71f24b-755f-5967-afbf-04a512bd0a19"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1677-L1691"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dd5be3b99b62ec40c242225d9420b9ce299c4f348882b0380289309dfedbc1e8"
+ logic_hash = "dd5be3b99b62ec40c242225d9420b9ce299c4f348882b0380289309dfedbc1e8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244186,13 +244672,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Havoc : FILE
 meta:
 description = "Detects Havoc Demon"
 author = "ditekSHen"
- id = "8a5a1bd2-ca9c-5fd4-9ab4-c5d2cd6f55a6"
+ id = "71ad145c-4017-597a-837e-5d11ba64d7c0"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1693-L1710"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c5806deaa57590ebe1923608b9b085460e0edd024721e6e9d7073765a79bf22b"
+ logic_hash = "c5806deaa57590ebe1923608b9b085460e0edd024721e6e9d7073765a79bf22b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244211,13 +244697,13 @@ rule DITEKSHEN_INDICATOR_TOOLS_Localpotato : FILE
 meta:
 description = "Detects LocalPotato"
 author = "ditekShen"
- id = "21fe774d-dbb2-5775-9dba-f9531a4b30be"
+ id = "65f8305b-b830-58e7-970b-da1df9a06e9b"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1712-L1743"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_88fba16a6eec6d2c23331642041c6adfddddeb21ba8e74b6959bd48c90f73cbb"
+ logic_hash = "88fba16a6eec6d2c23331642041c6adfddddeb21ba8e74b6959bd48c90f73cbb"
 score = 75
 quality = 73
 tags = "FILE"
@@ -244256,13 +244742,13 @@ rule DITEKSHEN_INDICATOR_TOOLS_Edrsandblast : FILE
 meta:
 description = "Detects EDRSandBlast"
 author = "ditekShen"
- id = "5236e8cb-fdd6-5e36-b82c-c4dd29437497"
+ id = "85d6d82b-a30e-5c79-93e7-8a3bbbf4a403"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1745-L1767"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9b801f053e42fbd646cf62fecf6cbf5f2cceeec82bed93ecd8625984eccb08c6"
+ logic_hash = "9b801f053e42fbd646cf62fecf6cbf5f2cceeec82bed93ecd8625984eccb08c6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244292,13 +244778,13 @@ rule DITEKSHEN_INDICATOR_TOOLS_Rsockstun : FILE
 meta:
 description = "Detects rsockstun"
 author = "ditekShen"
- id = "06504398-5aca-5a0c-bbf7-405c91313d72"
+ id = "a284a607-abea-5914-ad3a-84eaff733ee0"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1769-L1781"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4ad0ac389bf8961b0dd987a72d5dd534e5e3cc673f0e07aa49d39d1fd3f5f53e"
+ logic_hash = "4ad0ac389bf8961b0dd987a72d5dd534e5e3cc673f0e07aa49d39d1fd3f5f53e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244318,13 +244804,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Scmaldevinj_Go : FILE
 meta:
 description = "Detects Go shell/malware dev injector"
 author = "ditekShen"
- id = "7911ee72-c18c-5805-b992-b07d53eb9adc"
+ id = "56ec114f-8e16-5ab6-ae3b-a182cb381b4a"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1783-L1793"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_48c3c759283c63a0c439cfba0194da89f402189e4c3cd831c22b5078ccae47b1"
+ logic_hash = "48c3c759283c63a0c439cfba0194da89f402189e4c3cd831c22b5078ccae47b1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244342,13 +244828,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Reversessh_Go : FILE
 meta:
 description = "Detects golang reverse ssh tool"
 author = "ditekShen"
- id = "b929cd95-7c6c-55d9-9f14-3f82fba67ea0"
+ id = "4fb671aa-ad42-5f7e-bd5a-c19f018088c9"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1795-L1804"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4f9899aacc09c7da05fb5d412cfe8e91ee0d8e922189a6f921410d73ae8b3a9c"
+ logic_hash = "4f9899aacc09c7da05fb5d412cfe8e91ee0d8e922189a6f921410d73ae8b3a9c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244365,13 +244851,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Sharpghosttask : FILE
 meta:
 description = "Detects SharpGhostTask"
 author = "ditekSHen"
- id = "1f957a3f-e1c8-57e9-9ef1-e9bf497ebcef"
+ id = "84d71179-0cfd-5389-b6bd-92c292361b3c"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1806-L1817"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3de8d9fe7804e208ff556b6bedbd80eebfda1a730626403418a555ad9fbbb820"
+ logic_hash = "3de8d9fe7804e208ff556b6bedbd80eebfda1a730626403418a555ad9fbbb820"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244390,13 +244876,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Krbrelay : FILE
 meta:
 description = "Detects KrbRelay"
 author = "ditekshen"
- id = "70cc7c1a-5754-57e2-b379-1199bf14c855"
+ id = "c8baac8a-54f3-5f53-93f8-daabeaaaff44"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1819-L1836"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f76b585cd2d741eab9d91ffd5a34c38696ac573cba1a3752d21c4b8b6681ad7b"
+ logic_hash = "f76b585cd2d741eab9d91ffd5a34c38696ac573cba1a3752d21c4b8b6681ad7b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244421,13 +244907,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Edrsilencer : FILE
 meta:
 description = "Detects EDRSilencer"
 author = "ditekshen"
- id = "80e0ab29-c9c7-5f68-84e9-c17dcd88cede"
+ id = "29b6da1e-9138-5ee6-b9fd-d7b3c7f48626"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1838-L1857"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_da00aced2608fd5e192397ef2346ac247f29f993995fb90189e05da60be15d13"
+ logic_hash = "da00aced2608fd5e192397ef2346ac247f29f993995fb90189e05da60be15d13"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244454,13 +244940,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Edrprison : FILE
 meta:
 description = "Detects EDRPrison"
 author = "ditekshen"
- id = "500f7d4e-4139-5afc-9914-92fb940018cb"
+ id = "85831265-fd9e-5e0e-b5d9-22bf1c89b3f2"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1859-L1872"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e1ef9e9c6bd0d2efa7b0b617fb52100075658221559f92a61c672807ab5a4d77"
+ logic_hash = "e1ef9e9c6bd0d2efa7b0b617fb52100075658221559f92a61c672807ab5a4d77"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244481,13 +244967,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Sharpsqlpwn : FILE
 meta:
 description = "Detects SharpSQLPwn"
 author = "ditekshen"
- id = "7c6ace5b-03db-5a9f-aae2-fdda7ffb2c4e"
+ id = "f99c0ddb-a073-5c15-9a7c-60f6766cd0a2"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1874-L1891"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c811d4926c433c6521f4bbe03a1abf4a5b27b56931a18a8bb672f37fe4fccfb8"
+ logic_hash = "c811d4926c433c6521f4bbe03a1abf4a5b27b56931a18a8bb672f37fe4fccfb8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244512,13 +244998,13 @@ rule DITEKSHEN_INDICATOR_TOOL_Chromekatz : FILE
 meta:
 description = "Detects ChromeKatz: CookieKatz and CredentialKatz"
 author = "ditekshen"
- id = "0fd1862a-fb17-5423-9d67-74c806d114db"
+ id = "9dd706c8-552c-5c96-9b81-cfd50157ac34"
 date = "2024-09-25"
 modified = "2024-09-25"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_tools.yar#L1893-L1908"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4f1bdbb7f8c4893444baac287c8fcefaca80a4301845706b56e9f9628c9f116f"
+ logic_hash = "4f1bdbb7f8c4893444baac287c8fcefaca80a4301845706b56e9f9628c9f116f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244541,13 +245027,13 @@ rule DITEKSHEN_MALWARE_Win_Laturo : FILE
 meta:
 description = "Laturo information stealer payload"
 author = "ditekSHen"
- id = "7df7d1bf-c5ec-540d-a834-1a082468a4d4"
+ id = "221a1ee8-e1ae-558c-919c-e3f55c1500f0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3-L26"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bfb0c5676c926f58a4395a56dad09b37e8ac1cf0bf6b5521767c16698644b73a"
+ logic_hash = "bfb0c5676c926f58a4395a56dad09b37e8ac1cf0bf6b5521767c16698644b73a"
 score = 75
 quality = 61
 tags = "FILE"
@@ -244578,13 +245064,13 @@ rule DITEKSHEN_MALWARE_Win_Xpertrat : FILE
 meta:
 description = "XpertRAT payload"
 author = "ditekSHen"
- id = "fad23c2e-017f-5192-9464-8542d03b4014"
+ id = "cea7de47-b47c-5fea-96ee-5858b16cca8d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L28-L56"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2a521bd1d6ce16fa16aa7757db2657dcab15e6802454ad899906d4ed17401feb"
+ logic_hash = "2a521bd1d6ce16fa16aa7757db2657dcab15e6802454ad899906d4ed17401feb"
 score = 75
 quality = 63
 tags = "FILE"
@@ -244618,13 +245104,13 @@ rule DITEKSHEN_MALWARE_Win_Isrstealer : FILE
 meta:
 description = "ISRStealer payload"
 author = "ditekSHen"
- id = "fe04ea8f-cd49-5b27-996d-65132d7bf537"
+ id = "d6c3acdd-e881-5f97-8856-b7b60f56a1c2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L112-L128"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5dd030ab8122b5dd432168647c7a3465cb3593a326f68b4863a91d16587641e5"
+ logic_hash = "5dd030ab8122b5dd432168647c7a3465cb3593a326f68b4863a91d16587641e5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244648,13 +245134,13 @@ rule DITEKSHEN_MALWARE_Win_Limerat : FILE
 meta:
 description = "LimeRAT payload"
 author = "ditekSHen"
- id = "011d78ee-c399-5a47-8ec0-7c4e62fc9732"
+ id = "a4b85cad-97a8-514c-9380-f3e8ec95a44d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L152-L168"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8ae35c5fa48773b93da0b76b238fc8dbaf19fdeb6fd81bf23842c5121d620116"
+ logic_hash = "8ae35c5fa48773b93da0b76b238fc8dbaf19fdeb6fd81bf23842c5121d620116"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244678,13 +245164,13 @@ rule DITEKSHEN_MALWARE_Win_Arkei : FILE
 meta:
 description = "Detect Arkei infostealer variants"
 author = "ditekSHen"
- id = "bf411356-d4f1-5226-ac32-302412d1865f"
+ id = "d32a27bf-abb9-553c-9913-d675c340a5c5"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L210-L226"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8a79bcc6ac94900c8a8913b2e81424bf900bbac416f44a91db6f208f23980155"
+ logic_hash = "8a79bcc6ac94900c8a8913b2e81424bf900bbac416f44a91db6f208f23980155"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244708,13 +245194,13 @@ rule DITEKSHEN_MALWARE_Win_Firebirdrat : FILE
 meta:
 description = "Firebird/Hive RAT payload"
 author = "ditekSHen"
- id = "890242e9-5c73-5d9e-928e-4055a5212ae1"
+ id = "456ae70e-8004-5fb0-a4fd-ce7c0f4704f9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L316-L339"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1c24e924171db1b99a3b03764f4551b6f4b6b1c9c6147b49dbc0651e85e9040c"
+ logic_hash = "1c24e924171db1b99a3b03764f4551b6f4b6b1c9c6147b49dbc0651e85e9040c"
 score = 75
 quality = 73
 tags = "FILE"
@@ -244745,13 +245231,13 @@ rule DITEKSHEN_MALWARE_Win_Phoenix : FILE
 meta:
 description = "Phoenix/404KeyLogger keylogger payload"
 author = "ditekSHen"
- id = "a8ba591a-fd1d-5ba8-b8e2-25e7981758db"
+ id = "62101881-9b5e-586d-8e1b-184787f25d6b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L341-L367"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b2c2a4ffc36d708a121853fb0268e6dc85b3fe2cd58e05c8124cbef18e03ec0b"
+ logic_hash = "b2c2a4ffc36d708a121853fb0268e6dc85b3fe2cd58e05c8124cbef18e03ec0b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244784,13 +245270,13 @@ rule DITEKSHEN_MALWARE_Win_Backnet : FILE
 meta:
 description = "BackNet payload"
 author = "ditekSHen"
- id = "30ec29cf-ad4e-50ed-9f61-8a890e1b3e43"
+ id = "c53ef72f-4957-5ddb-b096-dcdb69cf900d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L369-L386"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c276f2b809caad680455fc4ca0a021887d4ff2c9114f05737542a1d3c5cca848"
+ logic_hash = "c276f2b809caad680455fc4ca0a021887d4ff2c9114f05737542a1d3c5cca848"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244815,13 +245301,13 @@ rule DITEKSHEN_MALWARE_Win_Acridrain : FILE
 meta:
 description = "AcidRain stealer payload"
 author = "ditekSHen"
- id = "5ba582b8-9eca-56c7-a538-34bbe16fe94f"
+ id = "9890c9e0-ce53-5f08-9077-c73a9e4ba29c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L388-L401"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_11884073f4bf466503b07f297ae7fad188f79df148fcc7ca48827c7dbd07e211"
+ logic_hash = "11884073f4bf466503b07f297ae7fad188f79df148fcc7ca48827c7dbd07e211"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244842,13 +245328,13 @@ rule DITEKSHEN_MALWARE_Linux_Chachaddos : FILE
 meta:
 description = "ChaChaDDoS variant of XorDDoS payload"
 author = "ditekSHen"
- id = "8633d62d-cdad-51e0-b1b2-3aeef4d4ab87"
+ id = "78a5cf3a-0e84-59bd-a936-bd335647e3d0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L403-L418"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2bf99771046650820f02a24d5bd825afeacd03d1e865b05d8563a3ef74d521fb"
+ logic_hash = "2bf99771046650820f02a24d5bd825afeacd03d1e865b05d8563a3ef74d521fb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244871,13 +245357,13 @@ rule DITEKSHEN_MALWARE_Multi_Exaramel : FILE
 meta:
 description = "Exaramel Windows/Linux backdoor payload"
 author = "ditekSHen"
- id = "991ebe6e-cebc-569c-9644-fe82d8e94069"
+ id = "014f10f3-4502-5719-93f6-4b2940f53876"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L420-L459"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e64383304bc913b07a2e63d61c81354b996c01171357005f4a28957d4d889599"
+ logic_hash = "e64383304bc913b07a2e63d61c81354b996c01171357005f4a28957d4d889599"
 score = 75
 quality = 73
 tags = "FILE"
@@ -244922,13 +245408,13 @@ rule DITEKSHEN_MALWARE_Linux_Hiddenwasp : FILE
 meta:
 description = "HiddenWasp backdoor payload"
 author = "ditekSHen"
- id = "7d7f1350-79e5-5e2a-8d25-0c87fca0c8b2"
+ id = "220e5e6e-7c5c-5f70-b3eb-50d9c5ec636d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L461-L486"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a2aad022de41ba2633fc92a7dc5a5fa2efde9da2211cfc01fb2999e33365d6c9"
+ logic_hash = "a2aad022de41ba2633fc92a7dc5a5fa2efde9da2211cfc01fb2999e33365d6c9"
 score = 75
 quality = 71
 tags = "FILE"
@@ -244961,13 +245447,13 @@ rule DITEKSHEN_MALWARE_Multi_Wellmess : FILE
 meta:
 description = "WellMess Windows/Linux backdoor payload"
 author = "ditekSHen"
- id = "a82e4c84-f041-5e1d-9812-800ac25dffc6"
+ id = "cfa0f077-9d45-5796-b888-66fb397e74f8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L488-L510"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9cbbca609fd289d7406d9073237688d250dc68c450676b9b755509540d8f76a5"
+ logic_hash = "9cbbca609fd289d7406d9073237688d250dc68c450676b9b755509540d8f76a5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -244994,13 +245480,13 @@ rule DITEKSHEN_MALWARE_Win_Konni : FILE
 meta:
 description = "Konni payload"
 author = "ditekSHen"
- id = "c2148d06-fa84-5d58-bcfd-b9829106fd0c"
+ id = "86eae9f6-60b0-5720-8528-ddbe32b6d4a6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L512-L530"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d57c51f7ede28b74395e5e0fbcc5fd9247b3353330f3e549d5abf99bbd7a1b93"
+ logic_hash = "d57c51f7ede28b74395e5e0fbcc5fd9247b3353330f3e549d5abf99bbd7a1b93"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245026,13 +245512,13 @@ rule DITEKSHEN_MALWARE_Win_Bitterrat : FILE
 meta:
 description = "BitterRAT payload"
 author = "ditekSHen"
- id = "e115492b-21de-526f-9c46-3bd86a0462d1"
+ id = "cccb2102-b78a-59ce-98e6-c702c4bec4d4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L532-L551"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f9dec388af6ddc767f82d7de7ba47754e76058022e6e55bbafd846ca8655a03b"
+ logic_hash = "f9dec388af6ddc767f82d7de7ba47754e76058022e6e55bbafd846ca8655a03b"
 score = 75
 quality = 50
 tags = "FILE"
@@ -245059,13 +245545,13 @@ rule DITEKSHEN_MALWARE_Win_Tjkeylogger : FILE
 meta:
 description = "TJKeylogger payload"
 author = "ditekSHen"
- id = "1cdd86f1-0c46-5379-b2f4-88288792a336"
+ id = "6aaa11b2-3734-5538-b593-f5276f3acc72"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L553-L567"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_52d98a6f5a2cfc6717b7097b4e70c1e813851222f9f06ae74be4e5703b0b0dde"
+ logic_hash = "52d98a6f5a2cfc6717b7097b4e70c1e813851222f9f06ae74be4e5703b0b0dde"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245087,13 +245573,13 @@ rule DITEKSHEN_MALWARE_Win_W1RAT : FILE
 meta:
 description = "W1 RAT payload"
 author = "ditekSHen"
- id = "6bab5b1d-5778-5181-a169-b7d5b5c2ee5b"
+ id = "d5841bc0-97e7-575e-91f6-d264f507a8b5"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L569-L585"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_84b9a2e309ed9ab0fb8343d941585356d23348683073d0a37fc7194f58a43a0e"
+ logic_hash = "84b9a2e309ed9ab0fb8343d941585356d23348683073d0a37fc7194f58a43a0e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245117,13 +245603,13 @@ rule DITEKSHEN_MALWARE_Win_Raccoon : FILE
 meta:
 description = "Raccoon stealer payload"
 author = "ditekSHen"
- id = "aa561e60-6462-516e-94d3-0df2576277db"
+ id = "5ebef663-623c-592e-b69a-f620492f0cc1"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L587-L606"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_258481982d20d229506f442a5a205fdc05f6ac4399f3a0665860e6529c30943b"
+ logic_hash = "258481982d20d229506f442a5a205fdc05f6ac4399f3a0665860e6529c30943b"
 score = 75
 quality = 50
 tags = "FILE"
@@ -245150,13 +245636,13 @@ rule DITEKSHEN_MALWARE_Win_Tefosteal : FILE
 meta:
 description = "Tefosteal payload"
 author = "ditekSHen"
- id = "0e203279-8009-5d06-b2f9-099e7ef48dd0"
+ id = "56646933-3ed3-5b77-9135-993b57603490"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L653-L674"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a350863270cbe3349f271e55d66a2ebdd6406e8d122c11071de74a774eb77ebf"
+ logic_hash = "a350863270cbe3349f271e55d66a2ebdd6406e8d122c11071de74a774eb77ebf"
 score = 75
 quality = 71
 tags = "FILE"
@@ -245185,13 +245671,13 @@ rule DITEKSHEN_MALWARE_Win_Cryptostealergo : FILE
 meta:
 description = "CryptoStealerGo payload"
 author = "ditekSHen"
- id = "e32a89c7-6f39-5143-9e73-dbf7bde89f91"
+ id = "83886aeb-af7e-564c-989a-fb7d955814e2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L676-L692"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0050be7522e7d89cb9688e63fdca11d24baa74aa858e8c19ee7b4658518536b6"
+ logic_hash = "0050be7522e7d89cb9688e63fdca11d24baa74aa858e8c19ee7b4658518536b6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245215,13 +245701,13 @@ rule DITEKSHEN_MALWARE_Win_M00Nd3V : FILE
 meta:
 description = "M00nD3v keylogger payload"
 author = "ditekSHen"
- id = "55a71c32-1351-5fc4-80a2-9da973b3e51b"
+ id = "4000f55d-e072-50b6-b6ee-72cefc0ec53f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L694-L715"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_68a0888da3b114dc895fe18a3d03b2b88d140fbf82b888f7a031b9364d01aabf"
+ logic_hash = "68a0888da3b114dc895fe18a3d03b2b88d140fbf82b888f7a031b9364d01aabf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245250,13 +245736,13 @@ rule DITEKSHEN_MALWARE_Win_Vssdestroy : FILE
 meta:
 description = "VSSDestroy/Matrix ransomware payload"
 author = "ditekSHen"
- id = "e8190086-3119-52cb-83cb-f3db0ce22171"
+ id = "734ece56-b993-5b44-ae15-f673fabfe8ad"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L717-L740"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_24bfd32580f784440252d629a7ab86b84a570ded34409940616be2a89bf73088"
+ logic_hash = "24bfd32580f784440252d629a7ab86b84a570ded34409940616be2a89bf73088"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245287,13 +245773,13 @@ rule DITEKSHEN_MALWARE_Win_Goldenaxe : FILE
 meta:
 description = "GoldenAxe ransomware payload"
 author = "ditekSHen"
- id = "78f22bce-c6a6-5991-b148-a1a01d186812"
+ id = "23874106-dbbb-5cb2-b61a-1661d8e2d868"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L742-L763"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6dfd88ce65acdfed4749e3b817b317c3c514ea42f892a7f5f95853c148507918"
+ logic_hash = "6dfd88ce65acdfed4749e3b817b317c3c514ea42f892a7f5f95853c148507918"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245322,13 +245808,13 @@ rule DITEKSHEN_MALWARE_Win_Robbinhood : FILE
 meta:
 description = "Robbinhood ransomware payload"
 author = "ditekSHen"
- id = "feb8d843-d04d-51cf-b28d-91f39e1ae51b"
+ id = "a5066a22-3c87-5e9f-a94f-5a44af2f96fd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L765-L787"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f1c4226ed5cb1583418d5ef0efc2c2b5bc3cfe7f148f359c5d432fd660331a46"
+ logic_hash = "f1c4226ed5cb1583418d5ef0efc2c2b5bc3cfe7f148f359c5d432fd660331a46"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245358,13 +245844,13 @@ rule DITEKSHEN_MALWARE_Win_Getcrypt : FILE
 meta:
 description = "GetCrypt ransomware payload"
 author = "ditekSHen"
- id = "33c15da8-0a7f-5505-9525-1da25eac9609"
+ id = "fb6db807-372f-59e6-96c6-54dd4ece336d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L789-L825"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fd7ee98757c3ac1f2b2a4dd9041c78d33273d7a7d596c3d99c6b8d79988f29f1"
+ logic_hash = "fd7ee98757c3ac1f2b2a4dd9041c78d33273d7a7d596c3d99c6b8d79988f29f1"
 score = 75
 quality = 73
 tags = "FILE"
@@ -245406,13 +245892,13 @@ rule DITEKSHEN_MALWARE_Joego : FILE
 meta:
 description = "JoeGo ransomware payload"
 author = "ditekSHen"
- id = "7cb69adf-0b78-54db-8639-b4b109b8b609"
+ id = "23d38bcd-e66d-5ff1-ad6a-3e6432d83562"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L827-L847"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3ddf3506aefb3cd1845f9daa689848a02a2422ca98c5c984bc918cc7ea2b2677"
+ logic_hash = "3ddf3506aefb3cd1845f9daa689848a02a2422ca98c5c984bc918cc7ea2b2677"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245440,13 +245926,13 @@ rule DITEKSHEN_MALWARE_Win_Aurora : FILE
 meta:
 description = "Aurora ransomware payload"
 author = "ditekSHen"
- id = "56e18950-fa90-562f-9b43-ed3c88eb5893"
+ id = "d3eafe9c-c8d9-5744-ba5d-4eb0249cceea"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L849-L869"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_056bb11e8b947ef90462503db82b2001e4a5d4847fad9c0d5d771384a80d779a"
+ logic_hash = "056bb11e8b947ef90462503db82b2001e4a5d4847fad9c0d5d771384a80d779a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245474,13 +245960,13 @@ rule DITEKSHEN_MALWARE_Win_Buran : FILE
 meta:
 description = "Buran ransomware payload"
 author = "ditekSHen"
- id = "e2a616bc-fc50-5fc7-b829-605139e0aa11"
+ id = "1433bac5-2ece-54bb-8e57-b5834fffc719"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L871-L903"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_eaf50d824dbade0ca63fafc5b4a376553039de9b51a0f6387cb28c8f91a7e0b9"
+ logic_hash = "eaf50d824dbade0ca63fafc5b4a376553039de9b51a0f6387cb28c8f91a7e0b9"
 score = 75
 quality = 73
 tags = "FILE"
@@ -245518,13 +246004,13 @@ rule DITEKSHEN_MALWARE_Win_Masslogger : FILE
 meta:
 description = "MassLogger keylogger payload"
 author = "ditekSHen"
- id = "1de77bf2-9026-5227-b739-dbaf0e61bbcf"
+ id = "9181b89a-2ce8-59b6-9703-c01a8471b8d6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L905-L934"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7d8bbefa71a1eb20cd9d029bd516d6c37e39cfa053ed0617eace200d210d9b58"
+ logic_hash = "7d8bbefa71a1eb20cd9d029bd516d6c37e39cfa053ed0617eace200d210d9b58"
 score = 75
 quality = 73
 tags = "FILE"
@@ -245561,13 +246047,13 @@ rule DITEKSHEN_MALWARE_Win_Echelon : FILE
 meta:
 description = "Echelon information stealer payload"
 author = "ditekSHen"
- id = "8b60b548-5f5d-538e-884a-fab9170ff9a7"
+ id = "e13d2003-c755-5dd3-bb16-8e41dd19a151"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L936-L957"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c070bf52cc51dd334ea24614e33eaa2b7b1a17e7790e586cbbb8c7e33ba1bd76"
+ logic_hash = "c070bf52cc51dd334ea24614e33eaa2b7b1a17e7790e586cbbb8c7e33ba1bd76"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245596,13 +246082,13 @@ rule DITEKSHEN_MALWARE_Win_Qulab
 meta:
 description = "Qulab information stealer payload or artifacts"
 author = "ditekSHen"
- id = "fd3e6412-5bff-5ca3-a9da-6e0762ceb853"
+ id = "6ae24c67-5700-5330-a3bd-d542162faebb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L959-L983"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_659d828cbef38c6362b612be9bdc05ae820f49c23684e77af6462ea677133284"
+ logic_hash = "659d828cbef38c6362b612be9bdc05ae820f49c23684e77af6462ea677133284"
 score = 75
 quality = 75
 tags = ""
@@ -245634,13 +246120,13 @@ rule DITEKSHEN_MALWARE_Win_Orion : FILE
 meta:
 description = "Orion Keylogger payload"
 author = "ditekSHen"
- id = "035db397-11f8-5357-a783-2322b0f2c215"
+ id = "b380b93b-6ceb-5244-aeca-b1f8f9a5b553"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L985-L1005"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9e5521ebaf9bdef6dadd2a2a093bd6f87ded023d9a74db126ac8ec9a5f1f9744"
+ logic_hash = "9e5521ebaf9bdef6dadd2a2a093bd6f87ded023d9a74db126ac8ec9a5f1f9744"
 score = 75
 quality = 73
 tags = "FILE"
@@ -245668,13 +246154,13 @@ rule DITEKSHEN_MALWARE_Win_Aspire : FILE
 meta:
 description = "Aspire Keylogger payload"
 author = "ditekSHen"
- id = "150b9259-3cb0-5ff2-90bf-cf4db92672b0"
+ id = "25724975-f373-553e-b27e-43168e956c16"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1007-L1022"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3ea0136dbacb79e4c7556f562d17b26b84ac3e4c967b117021e2399ded0a0fdf"
+ logic_hash = "3ea0136dbacb79e4c7556f562d17b26b84ac3e4c967b117021e2399ded0a0fdf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245697,13 +246183,13 @@ rule DITEKSHEN_MALWARE_Win_S05Kitty : FILE
 meta:
 description = "Sector05 Kitty RAT payload"
 author = "ditekSHen"
- id = "0bdb3536-72c4-54ac-ae82-d14f8d59c6bb"
+ id = "3261f6b6-21e7-5195-98db-9607ba530572"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1024-L1045"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_df2930694671c9ca16f2afeb799704647c9acf32be118706c342347ffe8ceb36"
+ logic_hash = "df2930694671c9ca16f2afeb799704647c9acf32be118706c342347ffe8ceb36"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245732,13 +246218,13 @@ rule DITEKSHEN_MALWARE_Win_Fakewmi : FILE
 meta:
 description = "FakeWMI payload"
 author = "ditekSHen"
- id = "36587520-4223-5cad-a78d-b64d4c38109e"
+ id = "689bc207-2bc6-50de-80d6-d1ba0a26b264"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1047-L1064"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_627886cdd01f5f02e454ef284c77c87eb027ee33f6a51536758fb7f095271a40"
+ logic_hash = "627886cdd01f5f02e454ef284c77c87eb027ee33f6a51536758fb7f095271a40"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245763,13 +246249,13 @@ rule DITEKSHEN_MALWARE_Win_Baldr : FILE
 meta:
 description = "Baldr payload"
 author = "ditekSHen"
- id = "151bac1b-5d6f-5a7b-ac9e-100c10624061"
+ id = "cdc35a11-a97b-5e21-929e-01fed5172b55"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1066-L1083"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f8e97fd618209bc6ce609b60b1e1f1e359be7678474fad3b18a529487c64cd99"
+ logic_hash = "f8e97fd618209bc6ce609b60b1e1f1e359be7678474fad3b18a529487c64cd99"
 score = 75
 quality = 73
 tags = "FILE"
@@ -245794,13 +246280,13 @@ rule DITEKSHEN_MALWARE_Win_Megumin : FILE
 meta:
 description = "Megumin payload"
 author = "ditekSHen"
- id = "fa301ed6-3d2e-5672-ba8b-783f80200405"
+ id = "bb1743f7-0bd8-5c0a-ad78-c4747904204f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1085-L1108"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fb4934814c45d2465b6e1589c3b489116343ca0c17ebb916b5c9247fc676c74d"
+ logic_hash = "fb4934814c45d2465b6e1589c3b489116343ca0c17ebb916b5c9247fc676c74d"
 score = 75
 quality = 50
 tags = "FILE"
@@ -245829,13 +246315,13 @@ rule DITEKSHEN_MALWARE_Win_Rietspoof : FILE
 meta:
 description = "Rietspoof payload"
 author = "ditekSHen"
- id = "17a97fa9-09cc-50c5-ae6b-b91604ef8ae4"
+ id = "b2d94705-ca59-56ae-8471-2c6895d355dc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1110-L1140"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d1d9baab83c904d1e8dcd7aeacdabfc79c1acee67006793c2240a42ebf9c62b2"
+ logic_hash = "d1d9baab83c904d1e8dcd7aeacdabfc79c1acee67006793c2240a42ebf9c62b2"
 score = 75
 quality = 73
 tags = "FILE"
@@ -245870,13 +246356,13 @@ rule DITEKSHEN_MALWARE_Win_Modirat : FILE
 meta:
 description = "MoDiRAT payload"
 author = "ditekSHen"
- id = "00af938a-978d-582c-93cf-e4cca27ea25a"
+ id = "8b641c7a-5ebd-50e7-83cb-e408683c456b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1142-L1158"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d0760e9dab7e9c0affb2193ea249feea8bb58e519522ca2a562f015059ad5590"
+ logic_hash = "d0760e9dab7e9c0affb2193ea249feea8bb58e519522ca2a562f015059ad5590"
 score = 75
 quality = 75
 tags = "FILE"
@@ -245900,13 +246386,13 @@ rule DITEKSHEN_MALWARE_DOC_Koadicdoc : FILE
 meta:
 description = "Koadic post-exploitation framework document payload"
 author = "ditekSHen"
- id = "b195e780-519c-511e-82fa-176a0aaa4d0d"
+ id = "76d6c8df-4e42-5c0a-8344-f8848e7ac945"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1160-L1174"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9f0538e1faee737a08d403a7f321ce45bdc70b390accfe378ba0d26292509fd7"
+ logic_hash = "9f0538e1faee737a08d403a7f321ce45bdc70b390accfe378ba0d26292509fd7"
 score = 75
 quality = 50
 tags = "FILE"
@@ -245928,13 +246414,13 @@ rule DITEKSHEN_MALWARE_BAT_Koadicbat : FILE
 meta:
 description = "Koadic post-exploitation framework BAT payload"
 author = "ditekSHen"
- id = "abcfb61c-b425-5151-9074-03e400546411"
+ id = "dad7bb32-b1f1-5c6d-89b2-77cc49b5f020"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1176-L1186"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1ee6c0189a5111c61af1dbe571524427bff95a7e3907f97ce51d272a8f701cf5"
+ logic_hash = "1ee6c0189a5111c61af1dbe571524427bff95a7e3907f97ce51d272a8f701cf5"
 score = 75
 quality = 50
 tags = "FILE"
@@ -245952,13 +246438,13 @@ rule DITEKSHEN_MALWARE_JS_Koadicjs
 meta:
 description = "Koadic post-exploitation framework JS payload"
 author = "ditekSHen"
- id = "7f8e5c49-eedc-5dc3-91f1-7effe6578678"
+ id = "8598d5cb-0486-52b0-a686-6bd014f35c44"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1188-L1208"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_689116f74996fecf4c16c224e8cd842ad5b5e989de2dfdf0debeb9a26d8a12fa"
+ logic_hash = "689116f74996fecf4c16c224e8cd842ad5b5e989de2dfdf0debeb9a26d8a12fa"
 score = 75
 quality = 75
 tags = ""
@@ -245986,13 +246472,13 @@ rule DITEKSHEN_MALWARE_Win_NETEAGLE : FILE
 meta:
 description = "NETEAGLE backdoor payload"
 author = "ditekSHen"
- id = "b77d32d3-3fc2-521d-b836-40709aff7161"
+ id = "89d1304a-63a0-50fc-855a-2e36cde1c5e7"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1210-L1225"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_148de0ca332d3885d94eae8d15eb4aaa2bc4950c691c0e8817c816b7d4c55510"
+ logic_hash = "148de0ca332d3885d94eae8d15eb4aaa2bc4950c691c0e8817c816b7d4c55510"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246015,13 +246501,13 @@ rule DITEKSHEN_MALWARE_WIN_BACKSPACE : FILE
 meta:
 description = "BACKSPACE backdoor payload"
 author = "ditekSHen"
- id = "514d9371-d790-51da-8d97-d50eb03de443"
+ id = "ff9b1c2e-66a1-5e09-8bc2-a7543161e518"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1227-L1247"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3d366327c2272761349687b11e4d6baada5000936dc7f81665e0303f7d1e5121"
+ logic_hash = "3d366327c2272761349687b11e4d6baada5000936dc7f81665e0303f7d1e5121"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246049,13 +246535,13 @@ rule DITEKSHEN_MALWARE_Win_Rhttpctrl : FILE
 meta:
 description = "RHttpCtrl backdoor payload"
 author = "ditekSHen"
- id = "905f9daa-1f4f-5833-a2c5-911b16af7ac7"
+ id = "fa80db13-90af-5d6a-bcc2-ad1f6808268e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1249-L1265"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a8b27fcc4636c2fe02a0e006295ece7f705cc9a042921f66ef1f9b6a88aaf9a1"
+ logic_hash = "a8b27fcc4636c2fe02a0e006295ece7f705cc9a042921f66ef1f9b6a88aaf9a1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246079,13 +246565,13 @@ rule DITEKSHEN_MALWARE_Win_Pillowmint : FILE
 meta:
 description = "PillowMint POS payload"
 author = "ditekSHen"
- id = "35c540af-c3ad-5807-8c3b-e49d3cf4dc93"
+ id = "e3d26a12-45aa-5f5d-997a-f350bc1bea97"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1267-L1283"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ed2597fce1c56d2e110790e0eb89834b1bb9f6f52d39105157c9ffe2ede6cc7a"
+ logic_hash = "ed2597fce1c56d2e110790e0eb89834b1bb9f6f52d39105157c9ffe2ede6cc7a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246109,13 +246595,13 @@ rule DITEKSHEN_MALWARE_Win_Blackshadesrat : FILE
 meta:
 description = "BlackshadesRAT / Cambot POS payload"
 author = "ditekSHen"
- id = "b398a340-f151-54bf-8fa4-e70ad71fda7f"
+ id = "bd0ad920-109a-50b5-94af-6580684bff52"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1285-L1300"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5c2a76ce52bce9c37a3518ff459011acb733c2c5abac74786e41a1c169459ce2"
+ logic_hash = "5c2a76ce52bce9c37a3518ff459011acb733c2c5abac74786e41a1c169459ce2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246138,13 +246624,13 @@ rule DITEKSHEN_MALWARE_Win_Goldenspy : FILE
 meta:
 description = "GoldenSpy dropper payload"
 author = "SpiderLabs Trustwave"
- id = "b488bdc8-b8fb-5483-9b6c-b3307924646a"
+ id = "01d3f14a-fefb-5cea-b055-d7e9f4c7d13b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1302-L1314"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_908047db2167733da0089375dbfd636881e721cc219da110755b81581d438cfa"
+ logic_hash = "908047db2167733da0089375dbfd636881e721cc219da110755b81581d438cfa"
 score = 75
 quality = 67
 tags = "FILE"
@@ -246163,13 +246649,13 @@ rule DITEKSHEN_MALWARE_Win_Plurox : FILE
 meta:
 description = "Plurox backdoor payload"
 author = "ditekSHen"
- id = "7dc1e7a7-22f5-5b70-a72b-a39457c762bc"
+ id = "c8a97132-c1d5-5456-a055-d46a9399dbdd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1316-L1328"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c2ec2ce7a9210d8eebb06c755eab51cab93fe6d48d737fd1756ffe42d46b35d1"
+ logic_hash = "c2ec2ce7a9210d8eebb06c755eab51cab93fe6d48d737fd1756ffe42d46b35d1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246189,13 +246675,13 @@ rule DITEKSHEN_MALWARE_Win_Avalon : FILE
 meta:
 description = "Avalon infostealer payload"
 author = "ditekSHen"
- id = "85d0d6f9-74a9-57ec-8f51-887d09a40f66"
+ id = "3de01419-9f45-5d82-8391-2e1e41df2b34"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1330-L1359"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1aa9dc09ec4c8962dee0455dd367e32139e4c03f1b306f17ac6e82d71aacf713"
+ logic_hash = "1aa9dc09ec4c8962dee0455dd367e32139e4c03f1b306f17ac6e82d71aacf713"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246229,13 +246715,13 @@ rule DITEKSHEN_MALWARE_Linux_Kinsing : FILE
 meta:
 description = "Kinsing RAT payload"
 author = "ditekSHen"
- id = "4b53220d-6857-5420-bf57-0bc9f7b78e46"
+ id = "b13d2c36-c8d3-5138-9e9a-8b5390a93c8d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1361-L1376"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_566eb7d1864e3a8088ad4f5d032d6d62a33080bbfc5c20c2520315cfc8146afc"
+ logic_hash = "566eb7d1864e3a8088ad4f5d032d6d62a33080bbfc5c20c2520315cfc8146afc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246258,13 +246744,13 @@ rule DITEKSHEN_MALWARE_Win_Avaddon : FILE
 meta:
 description = "Avaddon ransomware payload"
 author = "ditekSHen"
- id = "545a762f-f970-5036-9e5a-5fd57faafd36"
+ id = "d5618c8a-17b7-5009-9947-a6462ad2a4af"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1378-L1395"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fc3032572d2ab2550d3dde738a3d403459da9b5b640acc814596d958b83620bf"
+ logic_hash = "fc3032572d2ab2550d3dde738a3d403459da9b5b640acc814596d958b83620bf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246289,13 +246775,13 @@ rule DITEKSHEN_MALWARE_Win_Prolock : FILE
 meta:
 description = "ProLock ransomware payload"
 author = "ditekSHen"
- id = "d4134e62-e431-50a3-8fb4-a6aec88a81eb"
+ id = "88fa19ba-238c-5d4d-bf0c-d421ee2ecf1d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1397-L1413"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b7d2cc71acc4f643a86781d957afcf5203a2f4034b9ca7da93e8227ddee79f3b"
+ logic_hash = "b7d2cc71acc4f643a86781d957afcf5203a2f4034b9ca7da93e8227ddee79f3b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246319,13 +246805,13 @@ rule DITEKSHEN_MALWARE_Win_Purplewave : FILE
 meta:
 description = "PurpleWave infostealer payload"
 author = "ditekSHen"
- id = "f57350ca-4f63-5fc8-a1c9-fbb65c30e399"
+ id = "6f978190-4b4d-5346-9218-0c9104254b45"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1415-L1432"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_98dca005d2fdf7eea89661e162292451b544847a7f8b63c8c25c82241ec8e04a"
+ logic_hash = "98dca005d2fdf7eea89661e162292451b544847a7f8b63c8c25c82241ec8e04a"
 score = 75
 quality = 25
 tags = "FILE"
@@ -246350,13 +246836,13 @@ rule DITEKSHEN_MALWARE_Java_Pyrogenic
 meta:
 description = "Pyrogenic/Qealler infostealer payload"
 author = "ditekSHen"
- id = "65b1d2d8-be2c-591d-9d51-bbd57cbe2852"
+ id = "2b9268f0-2f73-51ad-ab72-9289e42e5bb1"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1434-L1446"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bb8cb939f06a376f72dcbbb1f04ec34526f72c3bcc3b146b905a8466826d2c24"
+ logic_hash = "bb8cb939f06a376f72dcbbb1f04ec34526f72c3bcc3b146b905a8466826d2c24"
 score = 75
 quality = 75
 tags = ""
@@ -246376,13 +246862,13 @@ rule DITEKSHEN_MALWARE_Win_Agentteslav3 : FILE
 meta:
 description = "AgentTeslaV3 infostealer payload"
 author = "ditekSHen"
- id = "6d5a62ec-c982-5aab-8b40-8db85500e22c"
+ id = "c44c69dd-5e95-595c-88c7-89e243648198"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1448-L1481"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6c62b2f601eba3c83b60f7f6dbd3d0ec3c01af30f4312df897bb5e902c36fdac"
+ logic_hash = "6c62b2f601eba3c83b60f7f6dbd3d0ec3c01af30f4312df897bb5e902c36fdac"
 score = 75
 quality = 73
 tags = "FILE"
@@ -246421,13 +246907,13 @@ rule DITEKSHEN_MALWARE_Win_Taurus : FILE
 meta:
 description = "Taurus infostealer payload"
 author = "ditekSHen"
- id = "3c9f20ee-c4cc-5dff-91fc-57b66b7688ed"
+ id = "c02114c1-9c97-5d0c-b7ce-1bd6a00a9e9a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1483-L1519"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6039c27e69b47dfcc1327c34306627d2d9bd57f6bd365bb80b47ad21f892ae8a"
+ logic_hash = "6039c27e69b47dfcc1327c34306627d2d9bd57f6bd365bb80b47ad21f892ae8a"
 score = 75
 quality = 73
 tags = "FILE"
@@ -246470,13 +246956,13 @@ rule DITEKSHEN_MALWARE_Win_Remoteutilitiesrat : FILE
 meta:
 description = "RemoteUtilitiesRAT RAT payload"
 author = "ditekSHen"
- id = "8febc60c-4158-5e16-b75d-1de85deedc07"
+ id = "1cf3ece1-e723-5302-9673-273381ba7a8b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1521-L1537"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_179a559f6a6ffbce31595bd613d338bb6ac40b8a083ed0169cde754b6ed756c7"
+ logic_hash = "179a559f6a6ffbce31595bd613d338bb6ac40b8a083ed0169cde754b6ed756c7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246500,13 +246986,13 @@ rule DITEKSHEN_MALWARE_Win_Slothfulmedia : FILE
 meta:
 description = "SlothfulMedia backdoor payload"
 author = "ditekSHen"
- id = "74def1f9-a521-525c-af81-bc1ef79474a1"
+ id = "e94b6d67-137c-5cfb-9c59-fbeb6cd85f0a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1539-L1565"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6f742e8d9d555b44daaa09835f599c99e16cd39bb106c8f43fbbca7093de462e"
+ logic_hash = "6f742e8d9d555b44daaa09835f599c99e16cd39bb106c8f43fbbca7093de462e"
 score = 75
 quality = 73
 tags = "FILE"
@@ -246538,13 +247024,13 @@ rule DITEKSHEN_MALWARE_Win_Ircbot : FILE
 meta:
 description = "IRCBot payload"
 author = "ditekSHen"
- id = "cb02d22b-4863-5bf3-9b83-6c9d00f5e5fb"
+ id = "69739d82-9760-5c4e-bf9e-60c60617a12a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1567-L1596"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1ea640202cfbd0c3425a192c45938f632dc644f41c7974118e7491b026122818"
+ logic_hash = "1ea640202cfbd0c3425a192c45938f632dc644f41c7974118e7491b026122818"
 score = 75
 quality = 67
 tags = "FILE"
@@ -246579,13 +247065,13 @@ rule DITEKSHEN_MALWARE_Win_Apocalypse : FILE
 meta:
 description = "Apocalypse infostealer payload"
 author = "ditekSHen"
- id = "5c2dc4f9-b6e2-5728-ac91-88de15aa8f88"
+ id = "f1fa6642-fe42-57e7-a1bc-0f59815049f8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1598-L1615"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d18ac492ad57cf390f20693cb47ae2c6e3dbdd921fa846130a4bc20047e1aa27"
+ logic_hash = "d18ac492ad57cf390f20693cb47ae2c6e3dbdd921fa846130a4bc20047e1aa27"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246610,13 +247096,13 @@ rule DITEKSHEN_MALWARE_Win_Osno : FILE
 meta:
 description = "Osno ransomware and infostealer payload"
 author = "ditekSHen"
- id = "840398d4-548f-5be6-9bc1-2b10d15ca4d6"
+ id = "25ed5ad4-804a-5608-b6fe-a811ca6744d8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1617-L1652"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3df59c306017001467a5f237db2ab37d97c34116558e18420a6a1f01f08f520f"
+ logic_hash = "3df59c306017001467a5f237db2ab37d97c34116558e18420a6a1f01f08f520f"
 score = 75
 quality = 73
 tags = "FILE"
@@ -246657,13 +247143,13 @@ rule DITEKSHEN_MALWARE_Win_Betabot : FILE
 meta:
 description = "BetaBot payload"
 author = "ditekSHen"
- id = "27b87200-f5cc-5e62-96cb-d44726ba3f84"
+ id = "377c500c-5727-5bea-ac46-cb69c868a607"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1654-L1666"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e594d01874ee622169d6708ddc6cfde7f1d26d2bea1604961dc860700e8a1d5d"
+ logic_hash = "e594d01874ee622169d6708ddc6cfde7f1d26d2bea1604961dc860700e8a1d5d"
 score = 75
 quality = 73
 tags = "FILE"
@@ -246683,13 +247169,13 @@ rule DITEKSHEN_MALWARE_Win_Wshratplugin : FILE
 meta:
 description = "WSHRAT keylogger plugin payload"
 author = "ditekSHen"
- id = "97031035-8bd9-557c-afbf-dc2491bf01d1"
+ id = "45c4fc87-6c45-5cd7-9fc4-7d3ea664a740"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1668-L1685"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3feeab43b58b533b7d2d41a71f2107e6f05b9c54ff805607843d253cadbe9384"
+ logic_hash = "3feeab43b58b533b7d2d41a71f2107e6f05b9c54ff805607843d253cadbe9384"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246714,13 +247200,13 @@ rule DITEKSHEN_MALWARE_Win_Revengerat : FILE
 meta:
 description = "RevengeRAT and variants payload"
 author = "ditekSHen"
- id = "b1daf31e-1a12-545a-b682-479a39d783a7"
+ id = "7d725050-108c-54b5-978e-2dd2124f5b0f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1687-L1713"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_be9e50052f45b94d5995db723dd64d16a91c5ba0d3f589c018155c0cce45124f"
+ logic_hash = "be9e50052f45b94d5995db723dd64d16a91c5ba0d3f589c018155c0cce45124f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246752,13 +247238,13 @@ rule DITEKSHEN_MALWARE_Win_TRAT : FILE
 meta:
 description = "TRAT payload"
 author = "ditekSHen"
- id = "175b89e5-fa7b-55dc-982c-e76394a3a3e2"
+ id = "15f80970-6bc7-5e29-86d6-f7529a10d227"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1715-L1730"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b8474c74cd9f21fcb3a8ae1c7a7a0a801f0f117782e9803cdae39daf7f0f8b2f"
+ logic_hash = "b8474c74cd9f21fcb3a8ae1c7a7a0a801f0f117782e9803cdae39daf7f0f8b2f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246781,13 +247267,13 @@ rule DITEKSHEN_MALWARE_Win_Cryptbot : FILE
 meta:
 description = "CryptBot/Fugrafa stealer payload"
 author = "ditekSHen"
- id = "7c31d3f8-cb1c-582f-8781-974d45b1476f"
+ id = "248961dd-b98d-509b-92a0-1670b7687e25"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1732-L1766"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6322b8b1ad210fac4475c194e060046538d4174f69a7c0e3618646d262cd33bd"
+ logic_hash = "6322b8b1ad210fac4475c194e060046538d4174f69a7c0e3618646d262cd33bd"
 score = 75
 quality = 69
 tags = "FILE"
@@ -246829,13 +247315,13 @@ rule DITEKSHEN_MALWARE_Win_Matiex : FILE
 meta:
 description = "Matiex/XetimaLogger keylogger payload"
 author = "ditekSHen"
- id = "57187d9a-c30e-53d3-b818-190a8768da50"
+ id = "61803e0c-8f6a-5ded-855a-ff26eed1384f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1768-L1788"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_62b45c43d99bef93a6c0e72200b869fdce331f8fa325640df7d8b72af56a3ef2"
+ logic_hash = "62b45c43d99bef93a6c0e72200b869fdce331f8fa325640df7d8b72af56a3ef2"
 score = 75
 quality = 73
 tags = "FILE"
@@ -246861,13 +247347,13 @@ rule DITEKSHEN_MALWARE_Win_Iamthekingkeylogger : FILE
 meta:
 description = "IAmTheKing Keylogger payload"
 author = "ditekSHen"
- id = "07d5c4e4-f72c-5427-a3fc-78b0c2fcb2b7"
+ id = "f9c84241-6db2-5243-9bea-2165104cb0c3"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1790-L1805"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_80d8cabfd02cd73e19e6cf1c2a8a5f06c5b3b502fe4f07289e92b448425aaa6d"
+ logic_hash = "80d8cabfd02cd73e19e6cf1c2a8a5f06c5b3b502fe4f07289e92b448425aaa6d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246890,13 +247376,13 @@ rule DITEKSHEN_MALWARE_Win_Iamthekingscrcap : FILE
 meta:
 description = "IAmTheKing screen capture payload"
 author = "ditekSHen"
- id = "9bd12131-5b4f-51c1-b371-25f8d10b8c65"
+ id = "ba385194-9578-568c-b908-bc4fc742e52e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1807-L1821"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_594ddad4e08bad51f90de1c4299e28b4800b4fa686bd4176e406ba401a1242ba"
+ logic_hash = "594ddad4e08bad51f90de1c4299e28b4800b4fa686bd4176e406ba401a1242ba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246918,13 +247404,13 @@ rule DITEKSHEN_MALWARE_Win_Iamthekingkingofhearts : FILE
 meta:
 description = "IAmTheKing King Of Hearts payload"
 author = "ditekSHen"
- id = "3d3da2e6-d90c-59ee-a6e2-313bf382db0a"
+ id = "95c73ec0-75b0-5d46-87da-b30feb170716"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1823-L1843"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_75b6dd0ebb90fd04f9e4a0b1fc6a1bbf417fc66daad24c8b01f0390f6155ec55"
+ logic_hash = "75b6dd0ebb90fd04f9e4a0b1fc6a1bbf417fc66daad24c8b01f0390f6155ec55"
 score = 75
 quality = 75
 tags = "FILE"
@@ -246951,13 +247437,13 @@ rule DITEKSHEN_MALWARE_Win_Cobaltstrike : FILE
 meta:
 description = "CobaltStrike payload"
 author = "ditekSHen"
- id = "14c7689e-39b5-5f2b-9383-d1d665392747"
+ id = "140e16d0-0102-5650-a371-c95013d7f021"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1845-L1864"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_43513aef0ed715f0c214d7a14e465350f9c1bcadf87535e1c12561e976398bb3"
+ logic_hash = "43513aef0ed715f0c214d7a14e465350f9c1bcadf87535e1c12561e976398bb3"
 score = 75
 quality = 50
 tags = "FILE"
@@ -246983,13 +247469,13 @@ rule DITEKSHEN_MALWARE_Win_Redlinedropperahk : FILE
 meta:
 description = "Detects AutoIt/AutoHotKey executables dropping RedLine infostealer"
 author = "ditekSHen"
- id = "6aa7511a-0106-579d-a630-0791f3fc8382"
+ id = "16eee826-f1fd-5a6f-b6f3-e02ccd889614"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1866-L1878"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0950fe9daa02f3a8fd527f75275766111be7e8774578963b0bdb455800dfc4f9"
+ logic_hash = "0950fe9daa02f3a8fd527f75275766111be7e8774578963b0bdb455800dfc4f9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247009,13 +247495,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent01 : FILE
 meta:
 description = "Detects known downloader agent"
 author = "ditekSHen"
- id = "36fd70df-eefd-59aa-85a7-7baa9a1684a7"
+ id = "85ead6fd-b56e-5e78-8fb4-7c9ecb4c0b58"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1880-L1894"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7aec81655af9b779a314c3e2cff933aa6426fcfe21b5a87e60e159c7e7f5238a"
+ logic_hash = "7aec81655af9b779a314c3e2cff933aa6426fcfe21b5a87e60e159c7e7f5238a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247037,13 +247523,13 @@ rule DITEKSHEN_MALWARE_Linux_PLEAD : FILE
 meta:
 description = "PLEAD Linux payload"
 author = "ditekSHen"
- id = "377dd43f-8f1e-5977-b25a-cb370e2da878"
+ id = "07aa0561-d6d9-53b6-97ac-670cdf04335d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1896-L1920"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_539998248ded0eb8ea1702c527804f89cfd55412f17ec699bd0af801f4fba673"
+ logic_hash = "539998248ded0eb8ea1702c527804f89cfd55412f17ec699bd0af801f4fba673"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247074,13 +247560,13 @@ rule DITEKSHEN_MALWARE_Win_CRAT : FILE
 meta:
 description = "Detects CRAT main DLL"
 author = "ditekSHen"
- id = "7de68105-d9cf-5027-8668-2828df9f4fba"
+ id = "9757a8de-61ea-55c0-b64c-055798450985"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1922-L1944"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5a9fef68e110a1564dd5956408abcc3736cfa6853e1ac5510a089cc68f6bdc35"
+ logic_hash = "5a9fef68e110a1564dd5956408abcc3736cfa6853e1ac5510a089cc68f6bdc35"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247110,13 +247596,13 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginkeylogger : FILE
 meta:
 description = "Detects CRAT keylogger plugin DLL"
 author = "ditekSHen"
- id = "362e56ed-a5a9-54f0-8b32-529e72b5d16a"
+ id = "a8682786-7704-56f0-a6df-b4e2ab4d7536"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1946-L1962"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_58ef1f7466fcc871be2e74aa447c76970fd90c9d9d345a896fb8e6335114d189"
+ logic_hash = "58ef1f7466fcc871be2e74aa447c76970fd90c9d9d345a896fb8e6335114d189"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247140,13 +247626,13 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginclipboardmonitor : FILE
 meta:
 description = "Detects CRAT Clipboad Monitor plugin DLL"
 author = "ditekSHen"
- id = "0d81e693-4f7c-515d-9475-d5a38732b044"
+ id = "587487c7-f00b-5d4a-8b18-e46d6c6560e2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1964-L1979"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c3e692a06388e143a8e1053e75a6eb6a82da5bdf26d38e3a0e339bc20d8312a1"
+ logic_hash = "c3e692a06388e143a8e1053e75a6eb6a82da5bdf26d38e3a0e339bc20d8312a1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247169,13 +247655,13 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginscreencapture : FILE
 meta:
 description = "Detects CRAT Screen Capture plugin DLL"
 author = "ditekSHen"
- id = "0ffa3eda-c0f8-5630-b203-ea53d8c0839a"
+ id = "ef0b6b88-8b1b-5ab5-ad81-276eaff0411f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L1981-L2000"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7b4378ae883d01338fabe2eb50a5509b722c661e63afc287afa07b263a0ebc42"
+ logic_hash = "7b4378ae883d01338fabe2eb50a5509b722c661e63afc287afa07b263a0ebc42"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247202,13 +247688,13 @@ rule DITEKSHEN_MALWARE_Win_Cratpluginransomhansom : FILE
 meta:
 description = "Detects CRAT Hansom Ransomware plugin DLL"
 author = "ditekSHen"
- id = "01aaca59-c6b7-5952-bace-536d37490102"
+ id = "0bfc97df-545f-5453-afe0-5777dc1c95b4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2002-L2020"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b22f6d22630f311241634513eb051df2b36af84a938c1ae1f5284e5a5d7d3077"
+ logic_hash = "b22f6d22630f311241634513eb051df2b36af84a938c1ae1f5284e5a5d7d3077"
 score = 75
 quality = 73
 tags = "FILE"
@@ -247234,13 +247720,13 @@ rule DITEKSHEN_MALWARE_Win_Aliencrypter : FILE
 meta:
 description = "Detects AlienCrypter injector/downloader/obfuscator"
 author = "ditekSHen"
- id = "36bfaf16-24a7-5ec4-83a8-f8434a9767c5"
+ id = "af9e785a-bdec-5d3e-9a50-56f7f1a0507e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2022-L2036"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_28a2a6e6d58fd6efbb5753a7be5b621a3eac546d45f9481b9dd2641cbe70b547"
+ logic_hash = "28a2a6e6d58fd6efbb5753a7be5b621a3eac546d45f9481b9dd2641cbe70b547"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247262,13 +247748,13 @@ rule DITEKSHEN_MALWARE_Win_Ficker : FILE
 meta:
 description = "Detects Ficker infostealer"
 author = "ditekSHen"
- id = "ce56206e-f496-5daa-9042-209bcae35a00"
+ id = "1cfeea86-e8bf-50fb-ba08-435d7a14a913"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2038-L2055"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_adcc0ffc0e1ded36dc41c22d10d2ea293d5740484203892bcecf89a5f4001452"
+ logic_hash = "adcc0ffc0e1ded36dc41c22d10d2ea293d5740484203892bcecf89a5f4001452"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247293,13 +247779,13 @@ rule DITEKSHEN_MALWARE_Win_Xorist : FILE
 meta:
 description = "Detects Xorist ransomware"
 author = "ditekSHen"
- id = "96e27290-c602-5eeb-babf-8579536121c0"
+ id = "76119441-343d-51c3-90eb-9d54c80a983d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2057-L2078"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b34e3fa065cabcd8d26908866e53ff599631128e1da884e42a2e63d890879eaa"
+ logic_hash = "b34e3fa065cabcd8d26908866e53ff599631128e1da884e42a2e63d890879eaa"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247328,13 +247814,13 @@ rule DITEKSHEN_MALWARE_Win_PYSA : FILE
 meta:
 description = "Detects PYSA/Mespinoza ransomware"
 author = "ditekSHen"
- id = "dcd9f0b9-1da0-522a-90ef-b30949fa7ac1"
+ id = "3a3fad6a-46bc-51dc-9723-4412034ca442"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2080-L2100"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e614b827bd8d065e94852fed01497c785bf90c52c3624aff9939b3f40ecf96a4"
+ logic_hash = "e614b827bd8d065e94852fed01497c785bf90c52c3624aff9939b3f40ecf96a4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247362,13 +247848,13 @@ rule DITEKSHEN_MALWARE_Win_Polar : FILE
 meta:
 description = "Detects Polar ransomware"
 author = "ditekSHen"
- id = "36d3357f-2e8a-5922-939d-2f3138964eeb"
+ id = "ab4e4478-5417-5918-b5df-5b6ffe7438a9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2102-L2123"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4f05a8ace9a03d02f54f0ebdd5349d1d1b23db8e34aa71edd44eebf02b88745c"
+ logic_hash = "4f05a8ace9a03d02f54f0ebdd5349d1d1b23db8e34aa71edd44eebf02b88745c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247397,13 +247883,13 @@ rule DITEKSHEN_MALWARE_Win_Bitrat : FILE
 meta:
 description = "Detects BitRAT RAT"
 author = "ditekSHen"
- id = "668605cd-e47c-546e-bed1-624562ce5814"
+ id = "9041a21f-0f27-5e90-8429-863e361381bf"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2125-L2153"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_128c3c8cea0439f272de241c77fc9ed46e64419e497091e444e98123dad059cb"
+ logic_hash = "128c3c8cea0439f272de241c77fc9ed46e64419e497091e444e98123dad059cb"
 score = 75
 quality = 25
 tags = "FILE"
@@ -247439,13 +247925,13 @@ rule DITEKSHEN_MALWARE_Win_Poullight : FILE
 meta:
 description = "Detects Poullight infostealer"
 author = "ditekSHen"
- id = "f7386727-7997-5e5f-8525-d21246b1f0a1"
+ id = "c80143f8-9c44-5e96-b1ff-2adb4bf031e4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2155-L2176"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e60ffb10892d35664a088d69c965e130f87bb1a59c257d484bdfe5085074bccd"
+ logic_hash = "e60ffb10892d35664a088d69c965e130f87bb1a59c257d484bdfe5085074bccd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247474,13 +247960,13 @@ rule DITEKSHEN_MALWARE_Win_Snakekeylogger : FILE
 meta:
 description = "Detects Snake Keylogger"
 author = "ditekSHen"
- id = "712849ed-ae40-586d-985d-c631c6bee979"
+ id = "e44bf33c-916d-5dc3-ba2a-89e13f1511a2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2178-L2207"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7d787026b290c3c6a43c7de83233f22980733e7401260ff2f763e6f1b534ecba"
+ logic_hash = "7d787026b290c3c6a43c7de83233f22980733e7401260ff2f763e6f1b534ecba"
 score = 75
 quality = 67
 tags = "FILE"
@@ -247516,13 +248002,13 @@ rule DITEKSHEN_MALWARE_Linux_Xorddos : FILE
 meta:
 description = "Detects XORDDoS"
 author = "ditekSHen"
- id = "3e9fa52a-4497-5457-a49d-93839335ec0f"
+ id = "0ca581c3-bce2-5b4f-8146-9aeb49b88813"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2209-L2220"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_192378d903316c1d80b064e78feb6ed9d2ffc9e6c7dc0c8df223d83d17e4e8d9"
+ logic_hash = "192378d903316c1d80b064e78feb6ed9d2ffc9e6c7dc0c8df223d83d17e4e8d9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247541,13 +248027,13 @@ rule DITEKSHEN_MALWARE_Win_Blacknet : FILE
 meta:
 description = "Detects BlackNET RAT"
 author = "ditekSHen"
- id = "b60183d8-6b2a-523f-83c5-f7031dfd93f3"
+ id = "c1ece46a-3cd9-54aa-a105-1c5b19357a7e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2222-L2250"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_64e00325a5a6a595067c6133800e73d943f45e2783475c24ed4a9bd9937fe0d6"
+ logic_hash = "64e00325a5a6a595067c6133800e73d943f45e2783475c24ed4a9bd9937fe0d6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247583,13 +248069,13 @@ rule DITEKSHEN_MALWARE_Win_Stormkitty : FILE
 meta:
 description = "Detects StormKitty infostealer"
 author = "ditekSHen"
- id = "67b37080-96a4-5d1c-b8d4-369540643827"
+ id = "a061a1c0-9ed5-5048-85df-4d7ed6995e92"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2252-L2269"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5d139aad6932f177cd14e0356f822ad68ddc659ea4fabd2fd2fbcbc8bad58888"
+ logic_hash = "5d139aad6932f177cd14e0356f822ad68ddc659ea4fabd2fd2fbcbc8bad58888"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247616,13 +248102,13 @@ rule DITEKSHEN_MALWARE_Win_Bulz01 : FILE
 meta:
 description = "Detects trojan loader"
 author = "ditekSHen"
- id = "c114b884-b3d3-5781-b5ba-8fe0560d49b0"
+ id = "4ac4125b-70f5-5cda-ae45-fd5713e25a6e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2271-L2281"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_29884dda4936016660f5d1e33ffcf97a20c7d3116483a5895a5e2a1dd4ac9e9f"
+ logic_hash = "29884dda4936016660f5d1e33ffcf97a20c7d3116483a5895a5e2a1dd4ac9e9f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247638,13 +248124,13 @@ rule DITEKSHEN_MALWARE_Win_Revcoderat : FILE
 meta:
 description = "Detects RevCode/WebMonitor RAT"
 author = "ditekSHen"
- id = "d9b7f77d-7788-5fd4-a156-27c7ad2a0f56"
+ id = "4acf6742-7f5c-5126-89cc-b39b1acd922e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2283-L2332"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e5bf1ce79b7955f597df1a9e361a3be892de55cd3db767278d4ccc02ace9e9f5"
+ logic_hash = "e5bf1ce79b7955f597df1a9e361a3be892de55cd3db767278d4ccc02ace9e9f5"
 score = 75
 quality = 48
 tags = "FILE"
@@ -247699,13 +248185,13 @@ rule DITEKSHEN_MALWARE_Win_Powerpool_STG1 : FILE
 meta:
 description = "Detects first stage PowerPool backdoor"
 author = "ditekSHen"
- id = "b52e9c4f-c1f7-54fd-8d7a-a4814910381c"
+ id = "8531c22d-8d71-5794-b9c8-0a4cd81bb2b0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2334-L2361"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9ab00d6e3007743a8bb30fbcdb435ac49101b52face55549ae454c64345caff9"
+ logic_hash = "9ab00d6e3007743a8bb30fbcdb435ac49101b52face55549ae454c64345caff9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247740,13 +248226,13 @@ rule DITEKSHEN_MALWARE_Win_Powerpool_STG2 : FILE
 meta:
 description = "Detects second stage PowerPool backdoor"
 author = "ditekSHen"
- id = "192e49cc-0665-54ce-b414-0294843e435d"
+ id = "1a059900-3292-5419-a143-caea3e710191"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2363-L2395"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b80712bab281dbde816e2eda6ab1b4a9e21be26578fb755a1e1e1635675aa911"
+ logic_hash = "b80712bab281dbde816e2eda6ab1b4a9e21be26578fb755a1e1e1635675aa911"
 score = 75
 quality = 73
 tags = "FILE"
@@ -247788,13 +248274,13 @@ rule DITEKSHEN_MALWARE_Win_Egregor : FILE
 meta:
 description = "Detects Egregor ransomware variants"
 author = "ditekSHen"
- id = "1879259d-9e72-5807-a421-679e309107f4"
+ id = "2e24d4ec-39c2-5148-80a1-04f96bc8b477"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2397-L2434"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d39a7bf89a7574f7dfe56db78c8cdbbee97782f829805d4ee87fd9f1635154cd"
+ logic_hash = "d39a7bf89a7574f7dfe56db78c8cdbbee97782f829805d4ee87fd9f1635154cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247831,13 +248317,13 @@ rule DITEKSHEN_MALWARE_Win_Redlinedropperexe : FILE
 meta:
 description = "Detects executables dropping RedLine infostealer"
 author = "ditekSHen"
- id = "bbeed423-2ffb-5ba4-984c-849a8cf82fa8"
+ id = "364ba540-60a5-5e1b-bb21-505a442eabb6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2461-L2484"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cd1fb4a1d0883221dbdcc519db7f54b0f7285e8a19201dbc586c2520e8086bc2"
+ logic_hash = "cd1fb4a1d0883221dbdcc519db7f54b0f7285e8a19201dbc586c2520e8086bc2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247860,13 +248346,13 @@ rule DITEKSHEN_MALWARE_Win_Nibiru : FILE
 meta:
 description = "Detects Nibiru ransomware"
 author = "ditekSHen"
- id = "1e58fb50-300b-59ae-bb00-4169d5b49963"
+ id = "78c3bf75-1ab3-5f88-ba4b-d5a0a906d57c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2486-L2504"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f3718e9091b09e0f47ecd6715a3a2c160ede6ab9fb144e7ed115dd5a25c8e379"
+ logic_hash = "f3718e9091b09e0f47ecd6715a3a2c160ede6ab9fb144e7ed115dd5a25c8e379"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247892,13 +248378,13 @@ rule DITEKSHEN_MALWARE_Win_Medusalocker : FILE
 meta:
 description = "Detects MedusaLocker ransomware"
 author = "ditekshen"
- id = "2f2df686-afba-5c4d-bc05-0f4eb84c2603"
+ id = "06b7645f-228d-5ec1-9b82-88caee447a5c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2506-L2537"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0e2a0a9f12f550a5c6a11731710e0dc2c2e26d17f43d2385bf6e298518631771"
+ logic_hash = "0e2a0a9f12f550a5c6a11731710e0dc2c2e26d17f43d2385bf6e298518631771"
 score = 75
 quality = 73
 tags = "FILE"
@@ -247937,13 +248423,13 @@ rule DITEKSHEN_MALWARE_Win_Ransomexx : FILE
 meta:
 description = "Detects RansomEXX ransomware"
 author = "ditekshen"
- id = "f589b237-ad04-5942-9e4e-6a91890b8877"
+ id = "4d1294de-d73c-5f9c-adb7-18ce5b5aca9f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2539-L2555"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_351398d89b847b3439fa58b7aab50f3c6e48be27877d3f8b85cc78e994413ecc"
+ logic_hash = "351398d89b847b3439fa58b7aab50f3c6e48be27877d3f8b85cc78e994413ecc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247967,13 +248453,13 @@ rule DITEKSHEN_MALWARE_Win_Quasarstealer : FILE
 meta:
 description = "Detects Quasar infostealer"
 author = "ditekshen"
- id = "13a995f1-e2bb-59d7-af01-c2904143e235"
+ id = "d0d532fe-bd0a-560a-8570-f6038d694338"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2557-L2572"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4b6ab49992db4d7bf4404d51b0ef1773249de89545ec31176ad45d00803ba703"
+ logic_hash = "4b6ab49992db4d7bf4404d51b0ef1773249de89545ec31176ad45d00803ba703"
 score = 75
 quality = 75
 tags = "FILE"
@@ -247996,13 +248482,13 @@ rule DITEKSHEN_MALWARE_Win_Bandook : FILE
 meta:
 description = "Detects Bandook backdoor"
 author = "ditekshen"
- id = "dfe3d465-a35c-5a88-99d2-3244efd6b687"
+ id = "c74bd688-c79e-5939-93a8-c2cd9f2cd60e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2676-L2705"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bff09f769aae890d81efe9926cc8ce85c1caa4eeeb6bc7d2321d2d906ac8d6cf"
+ logic_hash = "bff09f769aae890d81efe9926cc8ce85c1caa4eeeb6bc7d2321d2d906ac8d6cf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248037,13 +248523,13 @@ rule DITEKSHEN_MALWARE_Win_Kimsuky : FILE
 meta:
 description = "Detects Kimsuky backdoor"
 author = "ditekshen"
- id = "83eda82f-053c-5993-902e-40f4eee36dfb"
+ id = "6216b874-13f1-5283-9d17-90b7ca6996f8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2707-L2730"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9f9e64a9cfb3f61bc6b355035c5f0644e4750b740e05cb557c6183c7acfc5a19"
+ logic_hash = "9f9e64a9cfb3f61bc6b355035c5f0644e4750b740e05cb557c6183c7acfc5a19"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248074,13 +248560,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent03 : FILE
 meta:
 description = "Detects known Delphi downloader agent downloading second stage payload, notably from discord"
 author = "ditekSHen"
- id = "94e58461-0753-5d56-8fd6-90364b2ffb5e"
+ id = "18493e3d-224f-5000-8e44-9ffda9c65cf0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2732-L2753"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dea63edd48759fd04875e2eb8ac8b00ff801767f071337c667e31c15f0925cdc"
+ logic_hash = "dea63edd48759fd04875e2eb8ac8b00ff801767f071337c667e31c15f0925cdc"
 score = 75
 quality = 50
 tags = "FILE"
@@ -248106,13 +248592,13 @@ rule DITEKSHEN_MALWARE_Win_Salfram : FILE
 meta:
 description = "Detects Salfram executables"
 author = "ditekSHen"
- id = "ec0f197b-5ca8-5709-a9e9-17700867a1ec"
+ id = "323e1c8e-2184-5831-9af5-a460c55fbf7c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2755-L2766"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_19d7934727baa870dcd3ec77ba596cd64e49763477ba3feb7baec5ab6d3866d3"
+ logic_hash = "19d7934727baa870dcd3ec77ba596cd64e49763477ba3feb7baec5ab6d3866d3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248131,13 +248617,13 @@ rule DITEKSHEN_MALWARE_Win_Hawkeyev9
 meta:
 description = "Detects HawkEyeV9 payload"
 author = "ditekshen"
- id = "d84893ad-fcf4-594c-a000-1ab1fe6ea94c"
+ id = "ca59aa45-fb55-5f9a-a224-8bd2b72ce5ac"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2768-L2793"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d24111930dd0230c01963a90c9fbbc0a0a71df170c2ca116bb329e6158cb681c"
+ logic_hash = "d24111930dd0230c01963a90c9fbbc0a0a71df170c2ca116bb329e6158cb681c"
 score = 75
 quality = 75
 tags = ""
@@ -248170,13 +248656,13 @@ rule DITEKSHEN_MALWARE_Win_Hyperbro : FILE
 meta:
 description = "Detects HyperBro (class names) payload"
 author = "ditekSHen"
- id = "1709d554-1f1b-5db1-be45-d01536242806"
+ id = "539b796d-297b-5e2f-84df-282ceaa57bd4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2795-L2813"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f6e86ef963de885e0bf92ead075e265618c0745104d223302edd824d409c45cd"
+ logic_hash = "f6e86ef963de885e0bf92ead075e265618c0745104d223302edd824d409c45cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248202,13 +248688,13 @@ rule DITEKSHEN_MALWARE_Linux_UNK01 : FILE
 meta:
 description = "Detects unknown/unidentified Linux malware"
 author = "ditekSHen"
- id = "d0f4a500-9cfe-5959-967d-edbf467e1250"
+ id = "24c6ff35-9378-5a6b-90d1-9740917b1b72"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2815-L2836"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8bb4822c1c7e0f52726ecafafa696d83c741257587f351360c5295163c245450"
+ logic_hash = "8bb4822c1c7e0f52726ecafafa696d83c741257587f351360c5295163c245450"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248237,13 +248723,13 @@ rule DITEKSHEN_MALWARE_Linux_UNK02 : FILE
 meta:
 description = "Detects unknown/unidentified Linux malware"
 author = "ditekSHen"
- id = "78786459-ac9f-5c07-baf1-7b0cbb019646"
+ id = "6e62df0d-d329-5e52-af74-2a1f19dc4cca"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2838-L2852"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4cde21932c27fe3c08495f557b5e086b1fb668d8b5508249891828b9ed48edd4"
+ logic_hash = "4cde21932c27fe3c08495f557b5e086b1fb668d8b5508249891828b9ed48edd4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248265,13 +248751,13 @@ rule DITEKSHEN_MALWARE_Win_Itranslatorexe : FILE
 meta:
 description = "Detects iTranslator EXE payload"
 author = "ditekSHen"
- id = "53c4ef66-c889-58b1-b0b8-3620fda3887b"
+ id = "763e8fa4-cf5c-54bc-9310-4e4171bf5a71"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2854-L2874"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3c796d58cdf2d4dc4c838d05fb862640c7f9de6c7e8ebb5fb0002821354208d9"
+ logic_hash = "3c796d58cdf2d4dc4c838d05fb862640c7f9de6c7e8ebb5fb0002821354208d9"
 score = 75
 quality = 50
 tags = "FILE"
@@ -248299,13 +248785,13 @@ rule DITEKSHEN_MALWARE_Win_Itranslatordll : FILE
 meta:
 description = "Detects iTranslator DLL payload"
 author = "ditekSHen"
- id = "0a58eb2f-293b-599a-9d78-d01deb69d11e"
+ id = "df05da78-3626-5eb5-81a2-a93fba844484"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2876-L2892"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ca0479efd241058f358553b6382a1987a5b4c069965f4adb88cd2f3fc4bef21a"
+ logic_hash = "ca0479efd241058f358553b6382a1987a5b4c069965f4adb88cd2f3fc4bef21a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248329,13 +248815,13 @@ rule DITEKSHEN_MALWWARE_Win_Octopus : FILE
 meta:
 description = "Detects Octopus trojan payload"
 author = "ditekSHen"
- id = "7a10e86b-c15b-5f9a-a65b-c83f414eef05"
+ id = "eb092e23-864f-52f3-bfa4-7e3c616d3984"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2894-L2917"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_012b75c94be3021dbcc5b8e8bd62f807c9aa8bc0df94f830a5294aaf0d21b9fc"
+ logic_hash = "012b75c94be3021dbcc5b8e8bd62f807c9aa8bc0df94f830a5294aaf0d21b9fc"
 score = 75
 quality = 23
 tags = "FILE"
@@ -248366,13 +248852,13 @@ rule DITEKSHEN_MALWARE_Win_Caspertroy : FILE
 meta:
 description = "Detects CasperTroy payload"
 author = "ditekSHen"
- id = "7f3db099-d102-53e0-9d30-bd1354b1fd14"
+ id = "822c3231-60ba-5e60-8df8-06dea80b318a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2919-L2931"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ce070b1e6279ef9fa47f84da7c5166cd93b3e7a0f95541ae14c048b2af9bc431"
+ logic_hash = "ce070b1e6279ef9fa47f84da7c5166cd93b3e7a0f95541ae14c048b2af9bc431"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248392,13 +248878,13 @@ rule DITEKSHEN_MALWARE_Win_Rasftuby : FILE
 meta:
 description = "Detects Rasftuby/DarkCrystal"
 author = "ditekSHen"
- id = "538b4094-4248-5812-a6be-33dab5d47f78"
+ id = "908624a8-0068-5512-a5d0-77ce1f4efd80"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2933-L2950"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b769c1986d23173cf8a8a3c8a14d388a7c0327e46d936fc97c449dc55f2a5575"
+ logic_hash = "b769c1986d23173cf8a8a3c8a14d388a7c0327e46d936fc97c449dc55f2a5575"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248423,13 +248909,13 @@ rule DITEKSHEN_MALWARE_Win_Protonbot : FILE
 meta:
 description = "Detects ProtonBot loader"
 author = "ditekSHen"
- id = "330c9d1d-7042-57d8-8892-e7cd9f44d2fe"
+ id = "b0d08378-0297-5e70-99f1-1dc0fec6fa01"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2952-L2969"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b511dfd47109d36ffc7fcb23b49779e1164d50a28061ab724d7a2c744ac23ac8"
+ logic_hash = "b511dfd47109d36ffc7fcb23b49779e1164d50a28061ab724d7a2c744ac23ac8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248454,13 +248940,13 @@ rule DITEKSHEN_MALWARE_Win_Imminentrat : FILE
 meta:
 description = "Detects ImminentRAT"
 author = "ditekSHen"
- id = "a8faa399-b7b4-5f76-811b-01797e30e690"
+ id = "99831b32-d8a0-5814-bf41-491f607ee825"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2971-L2994"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f959fd28e818b17c962fcd5bb99fa5ac0058f22494950e0200f139703f3e756a"
+ logic_hash = "f959fd28e818b17c962fcd5bb99fa5ac0058f22494950e0200f139703f3e756a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248491,13 +248977,13 @@ rule DITEKSHEN_MALWARE_Win_Warzonerat : FILE
 meta:
 description = "Detects AveMaria/WarzoneRAT"
 author = "ditekSHen"
- id = "db74554d-fa95-551c-b116-bd679c394e8b"
+ id = "4f3df696-280c-5f2b-9511-8cc7c9dff1d6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L2996-L3011"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1af8b0f90b0de3287499082a6d6d9da6ed62a3110018e0c0f7149353693060b2"
+ logic_hash = "1af8b0f90b0de3287499082a6d6d9da6ed62a3110018e0c0f7149353693060b2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248520,13 +249006,13 @@ rule DITEKSHEN_MALWARE_Win_Karaganycore : FILE
 meta:
 description = "Detects Karagany/xFrost core plugin"
 author = "ditekSHen"
- id = "c39607c1-185a-5e5b-92c5-c71537e9818c"
+ id = "c066805b-9373-5524-aff9-d16cd59f5a24"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3013-L3027"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cde96ac6477fda1312ce4f7532018c9f11df7d39c40155d10bdde0e3d84c6d57"
+ logic_hash = "cde96ac6477fda1312ce4f7532018c9f11df7d39c40155d10bdde0e3d84c6d57"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248548,13 +249034,13 @@ rule DITEKSHEN_MALWARE_Win_Karaganykeylogger : FILE
 meta:
 description = "Detects Karagany/xFrost keylogger plugin"
 author = "ditekSHen"
- id = "7f0db4f0-4b2b-5bae-99dc-05a2173304fd"
+ id = "dd14ede0-7132-5b7f-872a-d96d5275a8e4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3029-L3041"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7f1f5b2ca67e62380c8a8095fed4a4fd76d7bc15c9fe2d76e780ad85f886ef7b"
+ logic_hash = "7f1f5b2ca67e62380c8a8095fed4a4fd76d7bc15c9fe2d76e780ad85f886ef7b"
 score = 75
 quality = 23
 tags = "FILE"
@@ -248574,13 +249060,13 @@ rule DITEKSHEN_MALWARE_Win_Karaganyscreenutil : FILE
 meta:
 description = "Detects Karagany/xFrost ScreenUtil module"
 author = "ditekSHen"
- id = "b39a2a10-7faf-506d-b7dc-73da7c6a567f"
+ id = "5eab1bb9-a433-54e6-963b-4aca863dc73f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3043-L3055"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d10230d94adfdddd604e2569ae3323efa1d5722647b9c704fceefe9446ccebd1"
+ logic_hash = "d10230d94adfdddd604e2569ae3323efa1d5722647b9c704fceefe9446ccebd1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248600,13 +249086,13 @@ rule DITEKSHEN_MALWARE_Win_Karaganylistrix : FILE
 meta:
 description = "Detects Karagany/xFrost Listrix module"
 author = "ditekSHen"
- id = "b790a0f5-41da-57d6-9aff-61e1c9188e35"
+ id = "837cc9e7-eefb-530c-854b-51bb4444ae78"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3057-L3069"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_02216061dbe93b7bea108f4b27c052d87c14cfe9395c6c5d4eed46ed7819e7ae"
+ logic_hash = "02216061dbe93b7bea108f4b27c052d87c14cfe9395c6c5d4eed46ed7819e7ae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248626,13 +249112,13 @@ rule DITEKSHEN_MALWARE_Osx_Macsearch : FILE
 meta:
 description = "Detects MacSearch adware"
 author = "ditekSHen"
- id = "92ec8a7d-df57-52ae-a823-431fab6d67af"
+ id = "facdf05c-5ee4-54c6-9ca3-01978af2b6e6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3071-L3092"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_973b7215fc8d04685a46d05b53b4092e7b81ed0d64d6982b534f2b89d0a59443"
+ logic_hash = "973b7215fc8d04685a46d05b53b4092e7b81ed0d64d6982b534f2b89d0a59443"
 score = 75
 quality = 71
 tags = "FILE"
@@ -248661,13 +249147,13 @@ rule DITEKSHEN_MALWARE_Osx_Genieo : FILE
 meta:
 description = "Detects LinqurySearch/Genieo adware"
 author = "ditekSHen"
- id = "3694ef5c-a58f-5dc1-8437-b0395178eed4"
+ id = "ac44eefd-bf1c-5d4b-bcd4-9a5d394ac1d3"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3094-L3112"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_951dc8539435a52d9eea00b3fdaf98cf618c03867066819f2f9244165e57c675"
+ logic_hash = "951dc8539435a52d9eea00b3fdaf98cf618c03867066819f2f9244165e57c675"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248693,13 +249179,13 @@ rule DITEKSHEN_MALWARE_Osx_AMCPCVARK : FILE
 meta:
 description = "Detects OSX TechyUtils/PCVARK adware"
 author = "ditekSHen"
- id = "4875c144-1da2-5cb8-8659-b40e01f204a1"
+ id = "1378364b-db10-5194-98f8-5347504a92e6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3114-L3139"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b18a9f578af98feb5107d9ef85850457ba5921ab58af7b097a815e3af74f05f7"
+ logic_hash = "b18a9f578af98feb5107d9ef85850457ba5921ab58af7b097a815e3af74f05f7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248729,13 +249215,13 @@ rule DITEKSHEN_MALWARE_Osx_Realtimespy : FILE
 meta:
 description = "Detects macOS RealtimeSpy monitoring app"
 author = "ditekSHen"
- id = "53afca5a-0604-51b2-b289-f53abeba414f"
+ id = "6485abf3-896c-54cd-ad84-7bd86456e47b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3141-L3166"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4ef2e1b8d34962cd3eab23f401b764b38b8332233aa2ae91b218af499d8ab8ff"
+ logic_hash = "4ef2e1b8d34962cd3eab23f401b764b38b8332233aa2ae91b218af499d8ab8ff"
 score = 75
 quality = 57
 tags = "FILE"
@@ -248767,13 +249253,13 @@ rule DITEKSHEN_MALWARE_Osx_Maxofferdeal : FILE
 meta:
 description = "Detects macOS MaxOfferDeal adware"
 author = "ditekSHen"
- id = "4fcd4a0b-4dd4-57b3-85f5-e8a93b7858a0"
+ id = "aec4ab77-7025-5856-99fb-aa7b86413c00"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3168-L3187"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a9788b2049ae7f345760a078b2932e79fe8fc0dd71e0446c213df64480c3e3d6"
+ logic_hash = "a9788b2049ae7f345760a078b2932e79fe8fc0dd71e0446c213df64480c3e3d6"
 score = 75
 quality = 46
 tags = "FILE"
@@ -248800,13 +249286,13 @@ rule DITEKSHEN_MALWARE_Osx_Windtrail : FILE
 meta:
 description = "Detects WindTrail OSX trojan"
 author = "ditekSHen"
- id = "a0caca3f-6500-5345-9508-74094f7b5266"
+ id = "abf7cd20-b37d-5d0a-8f3f-f4e491965713"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3189-L3206"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_291f919cb1e8c4b33960dd3f2c842b9efec04852bd5661543e3ee60bc0fc5ba6"
+ logic_hash = "291f919cb1e8c4b33960dd3f2c842b9efec04852bd5661543e3ee60bc0fc5ba6"
 score = 75
 quality = 73
 tags = "FILE"
@@ -248831,13 +249317,13 @@ rule DITEKSHEN_MALWARE_Osx_Techyutils : FILE
 meta:
 description = "Detects TechyUtils OSX packages"
 author = "ditekSHen"
- id = "d50971ad-5fc9-5f0c-900e-176a2be142c0"
+ id = "59fd4165-987f-5b68-9341-d78184b25a1c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3208-L3224"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_071c67cace09dd66233bd4c4dd78c32d0f39f7e38dc06ec62e09fef67762d098"
+ logic_hash = "071c67cace09dd66233bd4c4dd78c32d0f39f7e38dc06ec62e09fef67762d098"
 score = 75
 quality = 73
 tags = "FILE"
@@ -248861,13 +249347,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent04 : FILE
 meta:
 description = "Detects known downloader agent downloading encoded binaries in patches from paste-like websites, most notably hastebin"
 author = "ditekSHen"
- id = "c6860e61-80b3-5ff7-bc9b-3aadd32901c9"
+ id = "d591c591-aecc-557e-85b4-1e2589fbfbf9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3247-L3263"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_73e6af7c32d38ec5d1d2bc9f2517860367b46779b53e0faff8885b655561ab01"
+ logic_hash = "73e6af7c32d38ec5d1d2bc9f2517860367b46779b53e0faff8885b655561ab01"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248891,13 +249377,13 @@ rule DITEKSHEN_MALWARE_Win_Gdriverat : FILE
 meta:
 description = "Detects GDriveRAT"
 author = "ditekSHen"
- id = "e080fa41-2df8-5033-97f9-a5ee07cc58e4"
+ id = "29e46280-39d1-5d49-ab0d-0a32398b30f0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3265-L3284"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_134e66d0afc90e7fbab2c9dd034f85eb504903481e12c1ab8d7bab9321da817a"
+ logic_hash = "134e66d0afc90e7fbab2c9dd034f85eb504903481e12c1ab8d7bab9321da817a"
 score = 75
 quality = 50
 tags = "FILE"
@@ -248924,13 +249410,13 @@ rule DITEKSHEN_MALWARE_Win_STOP : FILE
 meta:
 description = "Detects STOP ransomware"
 author = "ditekSHen"
- id = "679440b9-ac6c-550b-ac04-a9b6cfc1277c"
+ id = "e928d917-a9d9-5830-938a-59b62608e84c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3286-L3309"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_61f7e7c1139c56088b2f58b78ae132ffcfef0f931c15b67ea775b0d5e51d189d"
+ logic_hash = "61f7e7c1139c56088b2f58b78ae132ffcfef0f931c15b67ea775b0d5e51d189d"
 score = 75
 quality = 73
 tags = "FILE"
@@ -248961,13 +249447,13 @@ rule DITEKSHEN_MALWARE_Win_Parallaxrat : FILE
 meta:
 description = "Detects ParallaxRAT"
 author = "ditekSHen"
- id = "73ada978-3f7e-5043-bd09-51551d95dd2f"
+ id = "e602b28f-ae5d-52af-b1c5-5c41776dd4c5"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3311-L3328"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7fd94dee44079b595b906f1687f44b51b8cebabbeb0900563b8d4fcc0e46bdd0"
+ logic_hash = "7fd94dee44079b595b906f1687f44b51b8cebabbeb0900563b8d4fcc0e46bdd0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -248992,13 +249478,13 @@ rule DITEKSHEN_MALWARE_Win_Meterpreter : FILE
 meta:
 description = "Detects Meterpreter payload"
 author = "ditekSHen"
- id = "0738aa4c-8fe0-50ee-b670-cbf4ef989205"
+ id = "d72fef80-d624-5e39-963a-8d7c12eb2d9c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3330-L3343"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5226cd7bb2344b822ee94d75f81a523ff701778de97a32ae52c604a4855e960c"
+ logic_hash = "5226cd7bb2344b822ee94d75f81a523ff701778de97a32ae52c604a4855e960c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249018,13 +249504,13 @@ rule DITEKSHEN_MALWARE_Win_Trojan_Expresscms : FILE
 meta:
 description = "Detects ExpressCMS"
 author = "ditekSHen"
- id = "258511ea-a95b-5e85-bd0b-15f0e6257b07"
+ id = "d096db0c-05f6-5b69-9d84-0105f2182ff3"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3366-L3382"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_64d551e0c11b6394f9ae2b8fa749c36cb1b5c3f498592f95dc19fdea23c53160"
+ logic_hash = "64d551e0c11b6394f9ae2b8fa749c36cb1b5c3f498592f95dc19fdea23c53160"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249048,13 +249534,13 @@ rule DITEKSHEN_MALWARE_Win_Meterpreterstager : FILE
 meta:
 description = "Detects Meterpreter stager payload"
 author = "ditekSHen"
- id = "5dcd66f4-a246-536d-a710-30480d1a7d54"
+ id = "dfbc37e9-13e0-55e2-a501-1005eea52b63"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3384-L3395"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0ac53a10abb1e4dd7da57872cd1779851d953127a912c31a5e411d8eb9bd07f4"
+ logic_hash = "0ac53a10abb1e4dd7da57872cd1779851d953127a912c31a5e411d8eb9bd07f4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249073,13 +249559,13 @@ rule DITEKSHEN_MALWARE_Win_Ziggy : FILE
 meta:
 description = "Detects Ziggy ransomware"
 author = "ditekSHen"
- id = "7a102277-0ebd-54ca-be4b-1052a3efdb48"
+ id = "6d2d316a-cf19-5001-bf94-842346229d76"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3397-L3421"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_103a50511971161ca673e0c8378aeca2fa7d0f6309966bbb2b70e0d039e0f196"
+ logic_hash = "103a50511971161ca673e0c8378aeca2fa7d0f6309966bbb2b70e0d039e0f196"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249111,13 +249597,13 @@ rule DITEKSHEN_MALWARE_Win_Nworm : FILE
 meta:
 description = "Detects NWorm/N-W0rm payload"
 author = "ditekSHen"
- id = "37da5fc0-8da1-5581-9457-c6541fcc718b"
+ id = "06546ccf-8914-5b1c-942f-99664b9ecf44"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3423-L3443"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a1397a057422be260b5bdf1eb58571e95c259c132cc2518b39e1524a0eda9c66"
+ logic_hash = "a1397a057422be260b5bdf1eb58571e95c259c132cc2518b39e1524a0eda9c66"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249145,13 +249631,13 @@ rule DITEKSHEN_MALWARE_Win_Qakbot : FILE
 meta:
 description = "Detects variants of QakBot payload"
 author = "ditekSHen"
- id = "ffa5d267-211e-523c-a7c2-7597c4487f53"
+ id = "3a3b3b6c-0969-584e-a184-7acfca3cdd42"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3445-L3457"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b64c05eb7ac03b2b4709f9979d117e4cacc617f21d0b3bf1c1be42aa18cc44cc"
+ logic_hash = "b64c05eb7ac03b2b4709f9979d117e4cacc617f21d0b3bf1c1be42aa18cc44cc"
 score = 75
 quality = 73
 tags = "FILE"
@@ -249171,13 +249657,13 @@ rule DITEKSHEN_MALWARE_Win_Fonix : FILE
 meta:
 description = "Detects Fonix ransomware"
 author = "ditekSHen"
- id = "0ef152e1-e219-5252-b944-eb9f50a37be0"
+ id = "d67cce49-5f4f-59f6-b2a9-9c4dd1c6c0f6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3459-L3481"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_159b8946f7772c76271de821eb12897689bf73d96fc6a1d7c4a65cdc50b877c7"
+ logic_hash = "159b8946f7772c76271de821eb12897689bf73d96fc6a1d7c4a65cdc50b877c7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249207,13 +249693,13 @@ rule DITEKSHEN_MALWARE_Win_Bobik : FILE
 meta:
 description = "Detects Bobik infostealer"
 author = "ditekSHen"
- id = "cd8f62ef-0cc2-5a94-a5b7-94ed4ca9bb47"
+ id = "12f14151-0c89-519d-85d3-4b4b82a950a3"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3483-L3498"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_735dcb9e04956863305ca89a43686b8e48e3b20784ae9292cfc40d1c2c09d467"
+ logic_hash = "735dcb9e04956863305ca89a43686b8e48e3b20784ae9292cfc40d1c2c09d467"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249236,13 +249722,13 @@ rule DITEKSHEN_MALWARE_Win_Runningrat : FILE
 meta:
 description = "Detects RunningRAT"
 author = "ditekSHen"
- id = "a849d464-3a39-5ffc-9d9a-a05c9ef06870"
+ id = "161faa8c-614e-5102-bb6d-c1ed4abf8274"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3500-L3536"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e3cddec792ad95d823190f12970b8e0515b73be4a91f89cbb2bbde2fa1cfde63"
+ logic_hash = "e3cddec792ad95d823190f12970b8e0515b73be4a91f89cbb2bbde2fa1cfde63"
 score = 75
 quality = 23
 tags = "FILE"
@@ -249285,13 +249771,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent05 : FILE
 meta:
 description = "Detects an unknown dropper. Typically exisys as a DLL in base64-encoded gzip-compressed file embedded within another executable"
 author = "ditekSHen"
- id = "33a146b9-8eb6-500d-881b-d9b772944d3e"
+ id = "a8a72484-42be-5c5c-962b-75bed8acdf39"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3538-L3551"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e8c7c03451bbfcba7a1ab02f8c1320ad50d17d2e990f0e2f89942faea2a1e531"
+ logic_hash = "e8c7c03451bbfcba7a1ab02f8c1320ad50d17d2e990f0e2f89942faea2a1e531"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249312,13 +249798,13 @@ rule DITEKSHEN_MALWARE_Win_Nemty : FILE
 meta:
 description = "Detects Nemty/Nefilim ransomware"
 author = "ditekSHen"
- id = "1677d2c5-13fa-5070-a3aa-a0bc81534dd7"
+ id = "361269c6-5215-5ecf-869c-3c55ff8387e1"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3553-L3577"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dcebcddc472f4fb3bb34c35fc5a5424e54bfc3a262fdae10b189d210217b9b37"
+ logic_hash = "dcebcddc472f4fb3bb34c35fc5a5424e54bfc3a262fdae10b189d210217b9b37"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249350,13 +249836,13 @@ rule DITEKSHEN_MALWARE_Win_Qnapcrypt : FILE
 meta:
 description = "Detects QnapCrypt/Lockedv1/Cryptfile2 ransomware"
 author = "ditekSHen"
- id = "db5267f7-7af5-5f20-8fc4-2cdff0a2ef5d"
+ id = "3ef5643a-f2af-5d62-8927-e46679e069c2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3579-L3607"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_68fc3f0503d82295ffa5bfb49bda8b790142913217775a2812e3965a6c9a1fe1"
+ logic_hash = "68fc3f0503d82295ffa5bfb49bda8b790142913217775a2812e3965a6c9a1fe1"
 score = 75
 quality = 73
 tags = "FILE"
@@ -249392,13 +249878,13 @@ rule DITEKSHEN_MALWARE_Win_Alfonoso : FILE
 meta:
 description = "Detects Alfonoso / Shurk / HunterStealer infostealer"
 author = "ditekSHen"
- id = "89154c62-ca45-5590-af60-21134cc35f24"
+ id = "2766e74e-c13a-5ce4-8f62-de9cc11e3cf0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3609-L3638"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_18e5731ffd70abf2ab70852d54dacc3588dd90cfb4f2ceaee66dfce750535b26"
+ logic_hash = "18e5731ffd70abf2ab70852d54dacc3588dd90cfb4f2ceaee66dfce750535b26"
 score = 75
 quality = 50
 tags = "FILE"
@@ -249435,13 +249921,13 @@ rule DITEKSHEN_MALWARE_Win_Vidar : FILE
 meta:
 description = "Detects Vidar / ArkeiStealer"
 author = "ditekSHen"
- id = "b9c5fd96-bbc9-515a-b05c-de1df1276a3a"
+ id = "d858c463-26d7-5f96-ad9a-cb261a8c61c6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3640-L3650"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c95c8694c05ff0e8d28f098e668a8ae8fa70130e31af6c0e540c4e5596007e41"
+ logic_hash = "c95c8694c05ff0e8d28f098e668a8ae8fa70130e31af6c0e540c4e5596007e41"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249459,13 +249945,13 @@ rule DITEKSHEN_MALWARE_Win_Babuk : FILE
 meta:
 description = "Detects Babuk ransomware"
 author = "ditekSHen"
- id = "195011c7-613f-5879-8c9c-eacfc0f16701"
+ id = "6bb7093f-bbef-5b43-b4f9-be72ae4ef319"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3652-L3674"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5ca5c5106747cf8f4ccd5df4ddbc78321fea3c8f533cb807a704d270eb956007"
+ logic_hash = "5ca5c5106747cf8f4ccd5df4ddbc78321fea3c8f533cb807a704d270eb956007"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249495,13 +249981,13 @@ rule DITEKSHEN_MALWARE_Win_Nitol : FILE
 meta:
 description = "Detects Nitol backdoor"
 author = "ditekSHen"
- id = "1a771b2a-797c-5705-ace4-a80bb505187d"
+ id = "d545f826-11ff-5d0f-9a95-8232b19d35b6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3676-L3704"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c0ddcd6179bea2f3af77ae198e07f55f62884e07a975623ae41bcec163060f89"
+ logic_hash = "c0ddcd6179bea2f3af77ae198e07f55f62884e07a975623ae41bcec163060f89"
 score = 75
 quality = 73
 tags = "FILE"
@@ -249537,13 +250023,13 @@ rule DITEKSHEN_MALWARE_Win_Strongpity : FILE
 meta:
 description = "Detects StrongPity"
 author = "ditekSHen"
- id = "b99302dd-e983-541a-9548-e8f55245e607"
+ id = "9dcc5edb-5c86-5412-af63-f88d488d5829"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3706-L3720"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e92147966cd68152eb536b805c4918462f72f64280d1b3df800bb41266aa232f"
+ logic_hash = "e92147966cd68152eb536b805c4918462f72f64280d1b3df800bb41266aa232f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249565,13 +250051,13 @@ rule DITEKSHEN_MALWARE_Win_Jssloader : FILE
 meta:
 description = "Detects JSSLoader RAT/backdoor"
 author = "ditekSHen"
- id = "5cc3aab6-2ca2-547b-91fd-97ce74823f82"
+ id = "ef710c21-5c64-513e-b882-b5768478976e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3722-L3752"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_91764dabfb40cb51914110de229ddb00cd565078fef83c825f7a86fa502fda37"
+ logic_hash = "91764dabfb40cb51914110de229ddb00cd565078fef83c825f7a86fa502fda37"
 score = 75
 quality = 73
 tags = "FILE"
@@ -249609,13 +250095,13 @@ rule DITEKSHEN_MALWARE_Win_CHUWI_Seth : FILE
 meta:
 description = "First sighting on 2020-01-05 didn't include ransomware artificats. Second sighting on 2020-01-24 with several correlations between the two samples now include ransomware artifacts."
 author = "ditekSHen"
- id = "2df12fb5-b1ae-5dd1-9eab-1fe60c15f076"
+ id = "62af3cd3-59c3-580b-9d66-71fd4acfaf17"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3754-L3801"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e6e3f5e9af093268667f67fec2176a943b35721e9f220804e176c6b5a3bb24e1"
+ logic_hash = "e6e3f5e9af093268667f67fec2176a943b35721e9f220804e176c6b5a3bb24e1"
 score = 75
 quality = 73
 tags = "FILE"
@@ -249664,13 +250150,13 @@ rule DITEKSHEN_MALWARE_Win_Gulpix : FILE
 meta:
 description = "Detects Gulpix/HyperPlus backddor"
 author = "ditekSHen"
- id = "8efc5bed-ec71-54bf-9ec6-4a607fa8a50d"
+ id = "b3dfd1d9-42fe-57d4-8047-135103689be7"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3803-L3832"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5026726f093b31b444fc934ac1446b6c25f182b8714a37da05f4498f32a9a65f"
+ logic_hash = "5026726f093b31b444fc934ac1446b6c25f182b8714a37da05f4498f32a9a65f"
 score = 75
 quality = 50
 tags = "FILE"
@@ -249698,13 +250184,13 @@ rule DITEKSHEN_MALWARE_Linux_Ransomexx : FILE
 meta:
 description = "Detects RansomEXX ransomware"
 author = "ditekshen"
- id = "d39f50e1-2cb1-57f8-aabc-a80783ec78ca"
+ id = "b449afc7-9055-55ed-a876-316d1aea8fee"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3834-L3858"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c233ccc3e741cb2c53f182c48093e41595a82a3f4e5bdb1dc0204f1f57b96c2a"
+ logic_hash = "c233ccc3e741cb2c53f182c48093e41595a82a3f4e5bdb1dc0204f1f57b96c2a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249735,13 +250221,13 @@ rule DITEKSHEN_MALWARE_Win_Trickbotmodule : FILE
 meta:
 description = "Detects Trickbot modules"
 author = "ditekshen"
- id = "c66ec9c4-8484-51f8-8169-6c48c2b12d8c"
+ id = "c56c664f-5928-5e2e-ab06-0b9d504981be"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3860-L3881"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4d06653dad5f8a18598855212548364b3c3d2b68b99784846b494fcb1d1c8df9"
+ logic_hash = "4d06653dad5f8a18598855212548364b3c3d2b68b99784846b494fcb1d1c8df9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249770,13 +250256,13 @@ rule DITEKSHEN_MALWARE_Win_Gaudox : FILE
 meta:
 description = "Detects Gaudox RAT"
 author = "ditekshen"
- id = "5098ec6b-b502-549f-8e1a-fe6938b63093"
+ id = "c60ac433-20a1-5f01-9447-fa99621bd9e2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3883-L3893"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_117ee89e264067ab3e695688872bbe7d83963731e877d04ac7e2505e64f6e793"
+ logic_hash = "117ee89e264067ab3e695688872bbe7d83963731e877d04ac7e2505e64f6e793"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249793,13 +250279,13 @@ rule DITEKSHEN_MALWARE_Win_Phobos : FILE
 meta:
 description = "Detects Phobos ransomware"
 author = "ditekshen"
- id = "cae2e4c9-849c-5ac0-937d-ea11d96ff37a"
+ id = "7bf659ef-f2a1-5ee2-a334-c233e26a2526"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3895-L3908"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bbf8eef0863e9d6423b3b0f938561b2be486b92b4f59b5d0b67f52dba536a582"
+ logic_hash = "bbf8eef0863e9d6423b3b0f938561b2be486b92b4f59b5d0b67f52dba536a582"
 score = 75
 quality = 25
 tags = "FILE"
@@ -249820,13 +250306,13 @@ rule DITEKSHEN_MALWARE_Win_Ratty : FILE
 meta:
 description = "Detects Ratty Java RAT"
 author = "ditekshen"
- id = "f49f083e-39b1-5445-ad20-1e596ecfd19a"
+ id = "87719e28-dfe7-5366-8d90-65e6c0c6fb4f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3910-L3929"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d90bca1b18023da8e60cb6ca86d1c562bff3867c6d5cf893dce605ebb92b9637"
+ logic_hash = "d90bca1b18023da8e60cb6ca86d1c562bff3867c6d5cf893dce605ebb92b9637"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249853,13 +250339,13 @@ rule DITEKSHEN_MALWARE_Win_Fatduke : FILE
 meta:
 description = "Detects FatDuke"
 author = "ditekSHen"
- id = "3a12eed2-61d8-5632-9837-a893f35ebde4"
+ id = "dc80c0f0-c61c-5f0c-841b-3a75e8a1cef3"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3931-L3946"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a7923d15b10098e9402614fe7107a6ba1d71512efa6e462d522ef64e13f82b47"
+ logic_hash = "a7923d15b10098e9402614fe7107a6ba1d71512efa6e462d522ef64e13f82b47"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249880,13 +250366,13 @@ rule DITEKSHEN_MALWARE_Win_Miniduke : FILE
 meta:
 description = "Detects MiniDuke"
 author = "ditekSHen"
- id = "4e94a11b-f97f-56cb-95ee-33cb5943b8b3"
+ id = "947cd414-d19d-5543-8961-94aef69cc94e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3948-L3969"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c3ab139b4fda2ff9678ceecbdf5ac0c57536bd658f62aa9d19610028b0a5f92c"
+ logic_hash = "c3ab139b4fda2ff9678ceecbdf5ac0c57536bd658f62aa9d19610028b0a5f92c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249916,13 +250402,13 @@ rule DITEKSHEN_MALWARE_Win_Polyglotduke : FILE
 meta:
 description = "Detects PolyGlotDuke"
 author = "ditekSHen"
- id = "b59bb95c-8fc3-5b23-9c63-68952ca41e30"
+ id = "01ac90db-35f6-5192-8630-81000573b4f9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3971-L3986"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c1fb8ea1d21768cbd65bd7b91e3f817fa97a0a933b511dff2ae4d5db49bdb2ec"
+ logic_hash = "c1fb8ea1d21768cbd65bd7b91e3f817fa97a0a933b511dff2ae4d5db49bdb2ec"
 score = 75
 quality = 75
 tags = "FILE"
@@ -249940,13 +250426,13 @@ rule DITEKSHEN_MALWARE_Win_Guidlma : FILE
 meta:
 description = "Detects Guildma"
 author = "ditekSHen"
- id = "428c0f7e-944d-507c-a8b6-3c7b3e6e3319"
+ id = "135ddc6a-5001-54c0-a66c-3e0e5fe6319f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L3988-L4006"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_11a0d9c67139627b6820c928840d816ed22b48452ce0b2f856c86c183cdfc8ab"
+ logic_hash = "11a0d9c67139627b6820c928840d816ed22b48452ce0b2f856c86c183cdfc8ab"
 score = 75
 quality = 25
 tags = "FILE"
@@ -249972,13 +250458,13 @@ rule DITEKSHEN_MALWARE_Win_Cybergate : FILE
 meta:
 description = "Detects CyberGate/Spyrat/Rebhip RTA"
 author = "ditekSHen"
- id = "db58f189-2c10-5eca-8fbc-b27928a7cf9f"
+ id = "3b50ccfb-6603-5002-8ceb-e9252d4c7dff"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4008-L4026"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b4a3c07533c2b251e1a714b28fb0b654c76881fb6ce970f6586c5908ee65609b"
+ logic_hash = "b4a3c07533c2b251e1a714b28fb0b654c76881fb6ce970f6586c5908ee65609b"
 score = 75
 quality = 46
 tags = "FILE"
@@ -250004,13 +250490,13 @@ rule DITEKSHEN_MALWARE_Win_WSHRATJS : FILE
 meta:
 description = "Detects WSHRAT JS variants"
 author = "ditekSHen"
- id = "e1057f58-1fe5-586a-aff1-0b27c6298ce6"
+ id = "7dbaea67-48dc-5fb8-ba58-b0d6eeca207b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4028-L4045"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9956ed4613ac403360ab0222a7ed62350fcd998710843bd6700717f8bbb5052e"
+ logic_hash = "9956ed4613ac403360ab0222a7ed62350fcd998710843bd6700717f8bbb5052e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250035,13 +250521,13 @@ rule DITEKSHEN_MALWARE_Win_Asyncrat : FILE
 meta:
 description = "Detects AsyncRAT"
 author = "ditekSHen"
- id = "9407d0ce-2423-5937-834e-ee781161629e"
+ id = "6465b50d-8f1a-5c09-84fd-cd1e5994e68f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4047-L4074"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_073d4a8667fb1a48bf2bd503a551d7f78e38a6066feedc646d92c27fb7201fca"
+ logic_hash = "073d4a8667fb1a48bf2bd503a551d7f78e38a6066feedc646d92c27fb7201fca"
 score = 60
 quality = 35
 tags = "FILE"
@@ -250074,13 +250560,13 @@ rule DITEKSHEN_MALWARE_Win_Quilclipper
 meta:
 description = "Detects QuilClipper variants mostly in memory or extracted AutoIt script"
 author = "ditekSHen"
- id = "eff4257d-0210-5e92-a3f5-328258d25067"
+ id = "bd23ec5a-f21a-5133-a77a-de2615933b82"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4076-L4094"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dcac93806a438b188ae70a679301cb6630b9eb6849bf8fbbb1cea5fed5e7cf75"
+ logic_hash = "dcac93806a438b188ae70a679301cb6630b9eb6849bf8fbbb1cea5fed5e7cf75"
 score = 75
 quality = 75
 tags = ""
@@ -250106,13 +250592,13 @@ rule DITEKSHEN_MALWARE_Win_Spyeye : FILE
 meta:
 description = "Detects SpyEye"
 author = "ditekSHen"
- id = "9794931c-d0b7-5619-bdaf-0ef15ae7bc4e"
+ id = "aa15220a-6fd4-5c5e-8287-957fc3c3fe52"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4096-L4111"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_352853d600d1f4fbc09e58b783eb4e13b335fefbfe89842873710f0a9085d107"
+ logic_hash = "352853d600d1f4fbc09e58b783eb4e13b335fefbfe89842873710f0a9085d107"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250137,13 +250623,13 @@ rule DITEKSHEN_MALWARE_Win_Renamer : FILE
 meta:
 description = "Detects Renamer/Tainp variants"
 author = "ditekSHen"
- id = "efdafb82-485b-585f-8fe3-6381edd95231"
+ id = "9e701bbe-d698-510a-b63d-3c1575dac7b0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4114-L4135"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_df80657631f072bc1627e1cf503881a2c065396f8798d7f347259672f600198d"
+ logic_hash = "df80657631f072bc1627e1cf503881a2c065396f8798d7f347259672f600198d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250164,13 +250650,13 @@ rule DITEKSHEN_MALWARE_Win_Epsilon : FILE
 meta:
 description = "Detects Epsilon ransomware"
 author = "ditekSHen"
- id = "0f0a7202-3ccb-5c92-a5e8-9165536cf466"
+ id = "c5561a0d-85ac-5137-a97e-310aa03eb787"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4137-L4169"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cc4481ddb6f5fd52a0bc901dde4c34ccf79024cd68605245df0dcbea22d0adee"
+ logic_hash = "cc4481ddb6f5fd52a0bc901dde4c34ccf79024cd68605245df0dcbea22d0adee"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250210,13 +250696,13 @@ rule DITEKSHEN_MALWARE_Win_Corebot : FILE
 meta:
 description = "Detects CoreBot"
 author = "ditekSHen"
- id = "b34c5e8c-49cf-5ab9-ac0a-baaab3a89ee3"
+ id = "f0351bdb-34ff-5b6d-bc4b-61fc491401ef"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4171-L4226"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_518209458fc8912d47b0b99896178fda823c3174c37f21d5e9331349a69322d7"
+ logic_hash = "518209458fc8912d47b0b99896178fda823c3174c37f21d5e9331349a69322d7"
 score = 75
 quality = 50
 tags = "FILE"
@@ -250278,13 +250764,13 @@ rule DITEKSHEN_MALWARE_Win_Dllloader : FILE
 meta:
 description = "Detects unknown DLL Loader"
 author = "ditekSHen"
- id = "11bb02a8-afab-5e3d-b561-1d995690ceaf"
+ id = "164967b8-d0f5-543d-82ac-bb2465b85c2a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4228-L4239"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_aaf1ff0f93d1fe6cf189c9f30403c226e64146178150dff8dfd3a9e3ed84bcc2"
+ logic_hash = "aaf1ff0f93d1fe6cf189c9f30403c226e64146178150dff8dfd3a9e3ed84bcc2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250303,13 +250789,13 @@ rule DITEKSHEN_MALWARE_Win_Farfli : FILE
 meta:
 description = "Detects Farfli backdoor"
 author = "ditekSHen"
- id = "f54d82d3-53a7-51f7-9922-2b167d90ae99"
+ id = "4c3c86f4-5493-5e8a-9618-b0c3d55e2b86"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4241-L4253"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cb1856b32c66d6d070b8ec2d9feea25d6d6748057ceaa342be2ddc589f9a89d6"
+ logic_hash = "cb1856b32c66d6d070b8ec2d9feea25d6d6748057ceaa342be2ddc589f9a89d6"
 score = 75
 quality = 50
 tags = "FILE"
@@ -250329,13 +250815,13 @@ rule DITEKSHEN_MALWARE_Win_Warezov : FILE
 meta:
 description = "Detects Warezov worm/downloader"
 author = "ditekSHen"
- id = "2f0bb3b6-c66a-5e01-9f15-3639ac8acb86"
+ id = "8cb1dcb1-981d-5ff2-b0d9-aa18dfbfc795"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4255-L4269"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e65922902fd18175a3ce7b600d46535e92b92240fa3ca83dced6f9ce14f3e815"
+ logic_hash = "e65922902fd18175a3ce7b600d46535e92b92240fa3ca83dced6f9ce14f3e815"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250357,13 +250843,13 @@ rule DITEKSHEN_MALWARE_Win_Arechclient2 : FILE
 meta:
 description = "Detects Arechclient2 RAT"
 author = "ditekSHen"
- id = "281b19b5-1bbc-5278-b0c2-12b0e5ce5ea4"
+ id = "c12858ea-5e06-5303-9df0-0f59ba83b5e5"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4271-L4303"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0d841f4d4664fb09801c51f7b65e897e4e698753ad67fc20e2b81d98c0b3d07d"
+ logic_hash = "0d841f4d4664fb09801c51f7b65e897e4e698753ad67fc20e2b81d98c0b3d07d"
 score = 75
 quality = 73
 tags = "FILE"
@@ -250403,13 +250889,13 @@ rule DITEKSHEN_MALWARE_Win_Killmbr : FILE
 meta:
 description = "Detects KillMBR"
 author = "ditekSHen"
- id = "831e9b27-fc74-59b2-8079-79cc005a83d7"
+ id = "b109865f-e268-5633-bb8e-f390dd050d99"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4305-L4316"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1ed9206f90052df7e533be4612afa373e5e69fba8f5b5ae4df1c09a9d98958cf"
+ logic_hash = "1ed9206f90052df7e533be4612afa373e5e69fba8f5b5ae4df1c09a9d98958cf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250428,13 +250914,13 @@ rule DITEKSHEN_MALWARE_Win_Lcpdot : FILE
 meta:
 description = "Detects LCPDot"
 author = "ditekSHen"
- id = "ad5129a7-f017-59ec-a85e-2573cb3766a6"
+ id = "e4db3784-7fb0-58bd-997e-788f409445cd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4318-L4337"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b0f77f17976c38a69c2ff0d84002f2db29a4d25873309259519115b5f2b210ff"
+ logic_hash = "b0f77f17976c38a69c2ff0d84002f2db29a4d25873309259519115b5f2b210ff"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250461,13 +250947,13 @@ rule DITEKSHEN_MALWARE_Win_Torisma : FILE
 meta:
 description = "Detects Torisma"
 author = "ditekSHen"
- id = "a5ef0441-e9c8-5e37-a97d-5b82ee65facb"
+ id = "e62a0f1c-4404-5da1-9c43-4cb58e735827"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4339-L4355"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bd3823f8a91fdfc443e20bcb299a5103b7176a694f0d5328e7986de83f677a31"
+ logic_hash = "bd3823f8a91fdfc443e20bcb299a5103b7176a694f0d5328e7986de83f677a31"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250491,13 +250977,13 @@ rule DITEKSHEN_MALWARE_Win_Thanos : FILE
 meta:
 description = "Detects Thanos / Prometheus / Spook ransomware"
 author = "ditekSHen"
- id = "3f112513-2f5f-5e11-9023-a2890c16be6c"
+ id = "f523906e-ef5e-57be-82ed-06e75c393f42"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4357-L4389"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8ce7cdfe4bca31e21d6fa31a75c46737a41fae3b5b0fda818e3a4709ceaf9bf5"
+ logic_hash = "8ce7cdfe4bca31e21d6fa31a75c46737a41fae3b5b0fda818e3a4709ceaf9bf5"
 score = 75
 quality = 73
 tags = "FILE"
@@ -250537,13 +251023,13 @@ rule DITEKSHEN_MALWARE_Win_Tmanager : FILE
 meta:
 description = "Detects TManager RAT. Associated with TA428"
 author = "ditekSHen"
- id = "6a8d1317-669a-5b2b-af73-ed473b7409a6"
+ id = "391b72bd-ddf5-5251-b566-c75c1cc16b74"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4391-L4410"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cdbcc00ae67c9161f6db89cfa658c8bc8fb7fab3915ac5ae99bdd34c42ee2abb"
+ logic_hash = "cdbcc00ae67c9161f6db89cfa658c8bc8fb7fab3915ac5ae99bdd34c42ee2abb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250570,13 +251056,13 @@ rule DITEKSHEN_MALWARE_Win_Sn0Wlogger : FILE
 meta:
 description = "Detects Sn0w Logger"
 author = "ditekSHen"
- id = "0e1865c8-4488-5a5c-bce1-0c01449d47c9"
+ id = "cdb70164-3f72-553f-a6c5-190f699e0743"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4412-L4428"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ea4b2281f906271dc249b5036b22eadfc5add94def4f8e4f8a40c384618465d8"
+ logic_hash = "ea4b2281f906271dc249b5036b22eadfc5add94def4f8e4f8a40c384618465d8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250600,13 +251086,13 @@ rule DITEKSHEN_MALWARE_Win_Danabot : FILE
 meta:
 description = "Detects DanaBot variants"
 author = "ditekSHen"
- id = "a7a38cf6-90c5-5d04-a8df-be221dca858e"
+ id = "a49e21b9-d40a-5273-a9a2-322a1ec9bbbc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4430-L4459"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8d037b46d719159dc3e60f0c7143022ce8745cfd753c3754ae80a220a838567d"
+ logic_hash = "8d037b46d719159dc3e60f0c7143022ce8745cfd753c3754ae80a220a838567d"
 score = 75
 quality = 50
 tags = "FILE"
@@ -250637,13 +251123,13 @@ rule DITEKSHEN_MALWARE_Win_Klackring : FILE
 meta:
 description = "Detects Klackring variants. Associated with ZINC / Lazarus"
 author = "ditekSHen"
- id = "6bae395b-8924-5834-a6dc-cedb1cecb216"
+ id = "7bd9a68f-d58b-5437-a28b-5a7f1a11038e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4461-L4475"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b894e89de720affadd80966d726a44ffce75d71095b0530edb6bfddb76660c54"
+ logic_hash = "b894e89de720affadd80966d726a44ffce75d71095b0530edb6bfddb76660c54"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250665,13 +251151,13 @@ rule DITEKSHEN_MALWARE_Win_Comebacker : FILE
 meta:
 description = "Detects ComeBacker variants. Associated with ZINC / Lazarus"
 author = "ditekSHen"
- id = "5b5bf65c-ef19-5228-952b-ee7728ad5571"
+ id = "d0454d09-4a15-5251-aa7a-cb00604715ca"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4477-L4492"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0d806fd199f0e8e3576ca837781c2fa06f1a09d75ea16602effb72754d8e4940"
+ logic_hash = "0d806fd199f0e8e3576ca837781c2fa06f1a09d75ea16602effb72754d8e4940"
 score = 75
 quality = 50
 tags = "FILE"
@@ -250694,13 +251180,13 @@ rule DITEKSHEN_MALWARE_Win_Suncrypt : FILE
 meta:
 description = "Detects SunCrypt ransomware"
 author = "ditekSHen"
- id = "f33d435b-d69d-5f21-81d9-a1413cbc6e38"
+ id = "1a28fcbf-1fc0-5f18-ae71-2e813ed0f958"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4494-L4532"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_abde9bbf2577304ff059972a38e803ba17de7a1f0346efe880a710f2ad79db37"
+ logic_hash = "abde9bbf2577304ff059972a38e803ba17de7a1f0346efe880a710f2ad79db37"
 score = 75
 quality = 73
 tags = "FILE"
@@ -250746,13 +251232,13 @@ rule DITEKSHEN_MALWARE_Win_Zegost : FILE
 meta:
 description = "Detects Zegost"
 author = "ditekSHen"
- id = "06c09b76-4d2c-51b1-a232-f3a892cccd7b"
+ id = "cce29602-c096-53df-a99b-16f18ed43b80"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4534-L4560"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_96727a0f5c113e5cdfe871f104553fd1c04a8f63ecbb8db7223afb71fcdd4087"
+ logic_hash = "96727a0f5c113e5cdfe871f104553fd1c04a8f63ecbb8db7223afb71fcdd4087"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250786,13 +251272,13 @@ rule DITEKSHEN_MALWARE_Win_GENERIC01 : FILE
 meta:
 description = "Detects known unamed malicious executables, mostly DLLs"
 author = "ditekSHen"
- id = "3734c145-10fe-506f-859b-5fb266ff386f"
+ id = "3c16df71-f2e2-591c-b377-7e5ed697d43f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4562-L4575"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ddae979db5ddda772ca66a3d50e4b5479b16052ea002fd04fdbf295ce784e291"
+ logic_hash = "ddae979db5ddda772ca66a3d50e4b5479b16052ea002fd04fdbf295ce784e291"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250813,13 +251299,13 @@ rule DITEKSHEN_MALWARE_Win_GENERIC02 : FILE
 meta:
 description = "Detects known unamed malicious executables"
 author = "ditekSHen"
- id = "dbeb20db-c1aa-5e36-be33-c20f2b2043b9"
+ id = "d0d24e69-0e99-5766-8e8e-9cdce902fa8f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4577-L4591"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4f750c871ee061ed2d5d1f68e6ac1f56b8127321cfc207e2dd1dbed9d9848ce5"
+ logic_hash = "4f750c871ee061ed2d5d1f68e6ac1f56b8127321cfc207e2dd1dbed9d9848ce5"
 score = 75
 quality = 25
 tags = "FILE"
@@ -250841,13 +251327,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent06 : FILE
 meta:
 description = "Detects known downloader agent downloading encoded binaries in patches"
 author = "ditekSHen"
- id = "0c2781c0-d79b-5a62-8142-f8f6f4a0073e"
+ id = "00cb5184-b12d-5014-bee8-116cc72dfa47"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4593-L4610"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9188804ad0e08f3e0cd09eb8815abea14da5aa28aef9084d19108a24f49f65c7"
+ logic_hash = "9188804ad0e08f3e0cd09eb8815abea14da5aa28aef9084d19108a24f49f65c7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250872,13 +251358,13 @@ rule DITEKSHEN_MALWARE_Win_PWSH_Poshkeylogger
 meta:
 description = "Detects PowerShell PoshKeylogger"
 author = "ditekSHen"
- id = "8d7f55ad-7ef0-545d-8691-9bea3b4066c8"
+ id = "a816d716-caeb-5f08-9043-29db531f9e7c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4612-L4627"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_20bde87ded7e3b68bc554c4b9a6c2ef08514f0d47b6b144763927bede81ea540"
+ logic_hash = "20bde87ded7e3b68bc554c4b9a6c2ef08514f0d47b6b144763927bede81ea540"
 score = 75
 quality = 75
 tags = ""
@@ -250901,13 +251387,13 @@ rule DITEKSHEN_MALWARE_Win_Fujinamarat : FILE
 meta:
 description = "Detects FujinamaRAT"
 author = "ditekSHen"
- id = "200b3809-b70b-502b-b9e8-498b39b5e071"
+ id = "f6b08713-1c03-5914-b0a2-ea9164a3f2cb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4629-L4645"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_42557094afe67196442f46d76f156c09852d694bcc5f03eac51e79ad247c2fdd"
+ logic_hash = "42557094afe67196442f46d76f156c09852d694bcc5f03eac51e79ad247c2fdd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250931,13 +251417,13 @@ rule DITEKSHEN_MALWARE_Win_Phorpiex : FILE
 meta:
 description = "Detects Phorpiex variants"
 author = "ditekSHen"
- id = "408001b9-7604-5c3e-9448-a5b9f1e265d8"
+ id = "e2d26c5f-939e-53e3-8730-622341d26273"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4647-L4666"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4c48a20aaf37d65471710181238d2c39c1cb0fc5a37b9c411e8d4dcfd7a9e26e"
+ logic_hash = "4c48a20aaf37d65471710181238d2c39c1cb0fc5a37b9c411e8d4dcfd7a9e26e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250964,13 +251450,13 @@ rule DITEKSHEN_MALWARE_Win_EXEPWSH_Dlagent : FILE
 meta:
 description = "Detects SystemBC"
 author = "ditekSHen"
- id = "fcd99d6e-8601-5a7b-a51e-d08a49f6cbe1"
+ id = "f5e7490f-806c-52d2-8f1c-9e00ab3e2780"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4668-L4687"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6380359db1ac775cea3ebb93f7cf22a92d2f2e634c6aa724e2814c10d4ed42f5"
+ logic_hash = "6380359db1ac775cea3ebb93f7cf22a92d2f2e634c6aa724e2814c10d4ed42f5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -250997,13 +251483,13 @@ rule DITEKSHEN_MALWARE_Win_Hdlocker : FILE
 meta:
 description = "Detects HDLocker ransomware"
 author = "ditekSHen"
- id = "0c2432ba-2a47-5363-bb2e-d391b23e7cf6"
+ id = "03ada32b-6ef5-5600-954b-e9f430c6ff2d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4689-L4703"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_337678a4a780947841a19c401601f1be7218276c8d4161229567dc4d6026b16a"
+ logic_hash = "337678a4a780947841a19c401601f1be7218276c8d4161229567dc4d6026b16a"
 score = 75
 quality = 50
 tags = "FILE"
@@ -251025,13 +251511,13 @@ rule DITEKSHEN_MALWARE_Win_Vovalex : FILE
 meta:
 description = "Detects Vovalex ransomware"
 author = "ditekSHen"
- id = "3c49bed5-4e9c-5134-b436-60ce39396fee"
+ id = "967af585-8a91-5ed0-8400-a8a24d95fd12"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4705-L4718"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ea695521981f4b007eee50e95f7989dda1f07cc411c59450489bb17391ff29dc"
+ logic_hash = "ea695521981f4b007eee50e95f7989dda1f07cc411c59450489bb17391ff29dc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251052,13 +251538,13 @@ rule DITEKSHEN_MALWARE_Win_Dharma : FILE
 meta:
 description = "Detects Dharma ransomware"
 author = "ditekSHen"
- id = "fdee834c-0c69-5694-8ff6-bcc916270406"
+ id = "070be95e-8d9c-5c4d-9d46-cddea6dbb682"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4720-L4728"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2727b2c0295e32699e08c3c79d7ac6fd52f1520358ac23290d40df428c969f4b"
+ logic_hash = "2727b2c0295e32699e08c3c79d7ac6fd52f1520358ac23290d40df428c969f4b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251074,13 +251560,13 @@ rule DITEKSHEN_MALWARE_Win_Cryptolocker : FILE
 meta:
 description = "Detects Cryptolocker ransomware variants (Betarasite)"
 author = "ditekSHen"
- id = "4da1b961-cd06-586d-8c3e-6d22005e3e68"
+ id = "4c6d714d-1fb1-55ce-8022-40f6f634e2cd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4730-L4752"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e1700e8ace338c25119305878e8bc52210506bd42183007985ba9601abdab87b"
+ logic_hash = "e1700e8ace338c25119305878e8bc52210506bd42183007985ba9601abdab87b"
 score = 75
 quality = 73
 tags = "FILE"
@@ -251110,13 +251596,13 @@ rule DITEKSHEN_MALWARE_Win_PWSH_Poshwifistealer
 meta:
 description = "Detects PowerShell PoshWiFiStealer"
 author = "ditekSHen"
- id = "21e47fe4-2891-5aaf-9c28-984a0236bb7a"
+ id = "69ac123d-b746-57f1-a488-547f9a9cdd86"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4754-L4765"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_769349360b5d22226a5339a9e8471d06731dc522475c9385c1c145a0488e0ad1"
+ logic_hash = "769349360b5d22226a5339a9e8471d06731dc522475c9385c1c145a0488e0ad1"
 score = 75
 quality = 75
 tags = ""
@@ -251135,13 +251621,13 @@ rule DITEKSHEN_MALWARE_Win_Steamhook : FILE
 meta:
 description = "Detects potential Steam stealer"
 author = "ditekSHen"
- id = "f6ba7648-a108-5e02-a55a-7e40b2464a74"
+ id = "7533fb83-d721-54e6-8ae1-1c840dd5a13d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4767-L4781"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_da743ca99fd19828e3938875acaf6544f17d884587a59623c8361f5905af4a57"
+ logic_hash = "da743ca99fd19828e3938875acaf6544f17d884587a59623c8361f5905af4a57"
 score = 75
 quality = 73
 tags = "FILE"
@@ -251163,13 +251649,13 @@ rule DITEKSHEN_MALWARE_Win_Netwire : FILE
 meta:
 description = "Detects NetWire RAT"
 author = "ditekSHen"
- id = "c6280032-8a7f-5c69-82bd-0ecde4b479ec"
+ id = "c215f449-c725-51da-8f5b-2619bc282b22"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4783-L4805"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bae4f0cd7a431336bd784ba95f6ba3396e6f0f12c081e62482ad37ff859c1f1c"
+ logic_hash = "bae4f0cd7a431336bd784ba95f6ba3396e6f0f12c081e62482ad37ff859c1f1c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251199,13 +251685,13 @@ rule DITEKSHEN_MALWARE_Win_Breakstaf : FILE
 meta:
 description = "Detects BreakStaf ransomware"
 author = "ditekSHen"
- id = "d5b41579-77a1-5191-93a2-8a629c9b8fe4"
+ id = "3c8ca485-2cb4-56fd-a1f5-16b43515cec9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4807-L4827"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_56078b797c64ce77398f9b92e5677f7159d8357eafb03cf62bb30f06d4f3b2e3"
+ logic_hash = "56078b797c64ce77398f9b92e5677f7159d8357eafb03cf62bb30f06d4f3b2e3"
 score = 75
 quality = 73
 tags = "FILE"
@@ -251233,13 +251719,13 @@ rule DITEKSHEN_MALWARE_Win_Kitty : FILE
 meta:
 description = "Detects HelloKitty ransomware, triggers on FIVEHANDS"
 author = "ditekSHen"
- id = "822c3e24-950e-5bdd-98c7-22f221577580"
+ id = "4147294a-7eff-595a-ad4f-8a84ffff960f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4829-L4847"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3a36755c81ec70c127bb73448fc29325444b85b5f0704327fc81975c2af2e99e"
+ logic_hash = "3a36755c81ec70c127bb73448fc29325444b85b5f0704327fc81975c2af2e99e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251265,13 +251751,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent07 : FILE
 meta:
 description = "Detects delf downloader agent"
 author = "ditekSHen"
- id = "6e1955d7-9458-565f-b927-aad743610ff1"
+ id = "a45afe84-15ae-528a-ad7e-ab9f03045789"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4849-L4867"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1e0001d18524d0d34ad876e67e2c4dc0495ee18a73c34f53f97367876e27b406"
+ logic_hash = "1e0001d18524d0d34ad876e67e2c4dc0495ee18a73c34f53f97367876e27b406"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251297,13 +251783,13 @@ rule DITEKSHEN_MALWARE_Win_Clop : FILE
 meta:
 description = "Detects Clop ransomware variants"
 author = "ditekSHen"
- id = "dded6042-60b2-5dfa-82e8-0d44c1fa7639"
+ id = "d3c9e950-8b03-5d19-8448-9cf208813df2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4869-L4889"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a1a21100c468c4db147f97b0724b7a3aefbb92b157071bfe6f61d02768573b44"
+ logic_hash = "a1a21100c468c4db147f97b0724b7a3aefbb92b157071bfe6f61d02768573b44"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251331,13 +251817,13 @@ rule DITEKSHEN_MALWARE_Win_Maktub : FILE
 meta:
 description = "Detects Maktub ransomware"
 author = "ditekSHen"
- id = "0cc944f5-3579-5fe9-ba50-c90c978bb308"
+ id = "be47d858-8497-593f-865b-c3d3a5db6c2e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4891-L4905"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5c11d04fc3088eb8a0132b9ed83748ddb7e1bbe9d03b9e884d4003181cbb6d69"
+ logic_hash = "5c11d04fc3088eb8a0132b9ed83748ddb7e1bbe9d03b9e884d4003181cbb6d69"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251359,13 +251845,13 @@ rule DITEKSHEN_MALWARE_Win_Pwshloader_Runpe01
 meta:
 description = "Detects PowerShell PE loader / executer. Observed Gorgon TTPs"
 author = "ditekSHen"
- id = "e13638db-fb70-5821-84b1-7c3db141cdbf"
+ id = "fd44f48c-7a24-512b-8375-c9f978a8b5bd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4907-L4920"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7dd377f6a1cc48ef8ab9d53989755fb967c89d3798b721781bc09043ba3d86f4"
+ logic_hash = "7dd377f6a1cc48ef8ab9d53989755fb967c89d3798b721781bc09043ba3d86f4"
 score = 75
 quality = 75
 tags = ""
@@ -251386,13 +251872,13 @@ rule DITEKSHEN_MALWARE_Win_Pwshloader_Runpe02
 meta:
 description = "Detects PowerShell PE loader / executer. Observed Gorgon TTPs"
 author = "ditekSHen"
- id = "0012e59a-a2ad-5565-9523-881fbf5f5e1c"
+ id = "08261054-bebc-58fe-949a-27f6e817003a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4922-L4934"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d7677689938d3e3eb6b59b99b7e347c60214f6edf8e5f83bf85da5a5f1ad33bb"
+ logic_hash = "d7677689938d3e3eb6b59b99b7e347c60214f6edf8e5f83bf85da5a5f1ad33bb"
 score = 75
 quality = 75
 tags = ""
@@ -251412,13 +251898,13 @@ rule DITEKSHEN_MALWARE_Win_Peloader_Runpe : FILE
 meta:
 description = "Detects PE loader / injector. Observed Gorgon TTPs"
 author = "ditekSHen"
- id = "f61b07e9-32ff-593a-8182-2b3bc1dedffc"
+ id = "262dedee-05d2-5783-b0ff-24470d310ab8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4936-L4950"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0369c3e2f83a0265c81e5dcd10b4d88753bd6ce3da4bb893a364486712a2b80d"
+ logic_hash = "0369c3e2f83a0265c81e5dcd10b4d88753bd6ce3da4bb893a364486712a2b80d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251440,13 +251926,13 @@ rule DITEKSHEN_MALWARE_Win_Peloader_INF : FILE
 meta:
 description = "Detects PE loader / injector. Potentical HCrypt. Observed Gorgon TTPs"
 author = "ditekSHen"
- id = "335a0baa-f048-5ee8-a9ed-87eaf5b05a29"
+ id = "09823302-34e0-5283-9740-1475ab8077be"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4952-L4963"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_758f7b465b8f9dab5c1194bee266392efe143ac219a5307e6886845b3c862700"
+ logic_hash = "758f7b465b8f9dab5c1194bee266392efe143ac219a5307e6886845b3c862700"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251465,13 +251951,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent08 : FILE
 meta:
 description = "Detects known downloader agent downloading encoded binaries in patches"
 author = "ditekSHen"
- id = "1065a92e-9b80-5f39-ad90-bd0bc96eafc8"
+ id = "e3450f93-7c57-5386-a901-bc5e710657a4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4965-L4975"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0238c13b00e5778ef216b4e8576c321803da6e269c96c3051b9cc45a3ac6e567"
+ logic_hash = "0238c13b00e5778ef216b4e8576c321803da6e269c96c3051b9cc45a3ac6e567"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251489,13 +251975,13 @@ rule DITEKSHEN_MALWARE_Win_Doejocrypt : FILE
 meta:
 description = "Detects DoejoCrypt / DearCry ransomware"
 author = "ditekSHen"
- id = "f008c94a-30e0-5923-a155-623132edbe0f"
+ id = "2c90f8e7-ced4-56da-ab8d-61b5ba63dacd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4977-L4993"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f8a3897de9522340799a59e3e755c323b0defaab73a9030b6b69a1a82c05dcd0"
+ logic_hash = "f8a3897de9522340799a59e3e755c323b0defaab73a9030b6b69a1a82c05dcd0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251519,13 +252005,13 @@ rule DITEKSHEN_MALWARE_Win_Sunshuttle : FILE
 meta:
 description = "Detects SunShuttle / GoldMax"
 author = "ditekSHen"
- id = "f10231f9-8bdc-576b-aeae-bae350f422b7"
+ id = "1618d0bc-6e72-5f1e-81e7-56611bfd7f8b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L4995-L5017"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fa8feb069e73aa0a7fcb4daecc1fdf8edeff65e5aeefef161626647fe989e5c0"
+ logic_hash = "fa8feb069e73aa0a7fcb4daecc1fdf8edeff65e5aeefef161626647fe989e5c0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251555,13 +252041,13 @@ rule DITEKSHEN_MALWARE_Win_Ranzylocker : FILE
 meta:
 description = "Detects RanzyLocker / REntS ransomware"
 author = "ditekSHen"
- id = "a352d72b-7fc6-56f0-a9dc-f9c7f33dbb8f"
+ id = "0d74f6fd-e1d2-5939-991e-7fdd2ca3310b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5019-L5042"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_15897144843acf49b81c5428fd1bb56d7a2acf16047a6e5d3ca4f2aaa8891577"
+ logic_hash = "15897144843acf49b81c5428fd1bb56d7a2acf16047a6e5d3ca4f2aaa8891577"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251592,13 +252078,13 @@ rule DITEKSHEN_MALWARE_Win_Wobbychipmbr : FILE
 meta:
 description = "Detects WobbyChipMBR / Covid-21 ransomware"
 author = "ditekSHen"
- id = "21cb3ae6-f5f3-561c-b906-11dccb7777b3"
+ id = "581fbce1-128d-5323-a259-14d9bfdf09b1"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5044-L5060"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_168c7f610625131c9552252d2b824a90918d2961996ee0f783497dff5cf17351"
+ logic_hash = "168c7f610625131c9552252d2b824a90918d2961996ee0f783497dff5cf17351"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251622,13 +252108,13 @@ rule DITEKSHEN_MALWARE_Win_Snatch : FILE
 meta:
 description = "Detects Snatch / GoRansome / MauriGo ransomware"
 author = "ditekSHen"
- id = "fd2cca15-d837-5e2f-ae54-8ac183b368ff"
+ id = "00dce673-b909-571f-8117-c5d4ce73fb31"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5062-L5091"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bf8c33a7203458c80a43944c3117bb897b1702f0024271904d9be682cbd695fc"
+ logic_hash = "bf8c33a7203458c80a43944c3117bb897b1702f0024271904d9be682cbd695fc"
 score = 75
 quality = 73
 tags = "FILE"
@@ -251665,13 +252151,13 @@ rule DITEKSHEN_MALWARE_Win_Meteorite : FILE
 meta:
 description = "Detects Meteorite downloader"
 author = "ditekSHen"
- id = "0309e8e9-1fa1-5ac6-b4da-1d1d6676139c"
+ id = "ce7a72ce-56a8-5def-a952-f0b08efe8a4a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5093-L5109"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0ae8183d949046be4257b48571a266f2501d60dd302f511ca1a2d518884e6a7f"
+ logic_hash = "0ae8183d949046be4257b48571a266f2501d60dd302f511ca1a2d518884e6a7f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251695,13 +252181,13 @@ rule DITEKSHEN_MALWARE_Win_Legionlocker : FILE
 meta:
 description = "Detects LegionLocker ransomware"
 author = "ditekSHen"
- id = "91f95506-a8d6-51f8-9229-4d1a81b76335"
+ id = "4e5c50d0-808e-5adb-bce9-804ddf66ca61"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5111-L5129"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2da897b5603415f14fff134b3a94d77e6963da79e117d26ba16e6b04e45f4045"
+ logic_hash = "2da897b5603415f14fff134b3a94d77e6963da79e117d26ba16e6b04e45f4045"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251727,13 +252213,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagentgo : FILE
 meta:
 description = "Detects Go-based downloader"
 author = "ditekSHen"
- id = "eb868b46-b69c-5d90-bea6-29170499891c"
+ id = "e16ccb89-2eb6-5457-a88e-f802f3c35764"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5131-L5144"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b9dd2446eddff18be00feb34d8911600feb395a9ce2566786d42b48b444230d0"
+ logic_hash = "b9dd2446eddff18be00feb34d8911600feb395a9ce2566786d42b48b444230d0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251754,13 +252240,13 @@ rule DITEKSHEN_MALWARE_Win_Blackmoon : FILE
 meta:
 description = "Detects executables using BlackMoon RunTime"
 author = "ditekSHen"
- id = "4d1045bd-8c8b-5d15-bed6-4a090d375c5f"
+ id = "76071d36-3d2d-589c-8c3f-0ae60e69996e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5146-L5155"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_05bfde8ec3a469df5707c195e25995ac6af730e8a1595b1a598276c024420be2"
+ logic_hash = "05bfde8ec3a469df5707c195e25995ac6af730e8a1595b1a598276c024420be2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251777,13 +252263,13 @@ rule DITEKSHEN_MALWARE_Win_Iceid : FILE
 meta:
 description = "Detects IceID / Bokbot variants"
 author = "ditekSHen"
- id = "ee8e7567-b2a9-507b-bcdd-cd6067855172"
+ id = "0da94737-0f82-5892-a0eb-f9f3c0a114cc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5157-L5176"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_204b4c297806a36ca14bb3e659824f4eb49b18308af7090f0db1194705f1e2c9"
+ logic_hash = "204b4c297806a36ca14bb3e659824f4eb49b18308af7090f0db1194705f1e2c9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251810,13 +252296,13 @@ rule DITEKSHEN_MALWARE_Win_Purge : FILE
 meta:
 description = "Detects Purge ransomware"
 author = "ditekSHen"
- id = "87b5a4a9-02cd-5f5f-95bc-5b8b9fdfc8ed"
+ id = "b3fb9f38-ce12-5e0e-8908-3379b5da3497"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5178-L5201"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_83d13eca69bc99539e47d6d29689edf2a4fcd2260c6e909582126a490eef8115"
+ logic_hash = "83d13eca69bc99539e47d6d29689edf2a4fcd2260c6e909582126a490eef8115"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251847,13 +252333,13 @@ rule DITEKSHEN_MALWARE_Win_Njrat : FILE
 meta:
 description = "Detects NjRAT / Bladabindi / NjRAT Golden"
 author = "ditekSHen"
- id = "1437a9fd-00e5-5b6c-9438-3a74df55d5a8"
+ id = "078dea64-8f95-5939-a1fb-c0a888adcf0d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5203-L5220"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_92d535a7c7f361b7a0901d0b99427ebc82a69577bfea73c04a7f9d51d2054b36"
+ logic_hash = "92d535a7c7f361b7a0901d0b99427ebc82a69577bfea73c04a7f9d51d2054b36"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251878,13 +252364,13 @@ rule DITEKSHEN_MALWARE_Win_Darktrackrat : FILE
 meta:
 description = "Detects OzoneRAT / DarkTrack / DarkSky"
 author = "ditekSHen"
- id = "a0a127cd-0346-512c-8481-49093a076ee2"
+ id = "ef8675f8-f643-5948-a967-e4a9ce5ab89e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5222-L5245"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2a831c0f7707864d8c9e9fa338085a52933869d8cfbdbe0d12715da301c12646"
+ logic_hash = "2a831c0f7707864d8c9e9fa338085a52933869d8cfbdbe0d12715da301c12646"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251915,13 +252401,13 @@ rule DITEKSHEN_MALWARE_Win_Godzilla : FILE
 meta:
 description = "Detects Godzilla loader"
 author = "ditekSHen"
- id = "8088fc71-a3c0-547f-8dc2-b9fc3735498c"
+ id = "3384b844-6abf-5f94-a62b-7ebbdfe321bd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5247-L5265"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ff87fbaaf488ac69e06a03a7f8e5305ec114caa6271c25fa130033f50f0d9095"
+ logic_hash = "ff87fbaaf488ac69e06a03a7f8e5305ec114caa6271c25fa130033f50f0d9095"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251947,13 +252433,13 @@ rule DITEKSHEN_MALWARE_Win_UNK03 : FILE
 meta:
 description = "Detects unknown malware"
 author = "ditekSHen"
- id = "0377c36d-739c-5640-922e-dc5fc6182393"
+ id = "b0711427-b6bf-5e4b-af36-9c752ead4d6c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5267-L5280"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f1a4be68206628c3addbce8b6bbc1f801e67632d4e6a6af1d45cdad833e9a991"
+ logic_hash = "f1a4be68206628c3addbce8b6bbc1f801e67632d4e6a6af1d45cdad833e9a991"
 score = 75
 quality = 75
 tags = "FILE"
@@ -251974,13 +252460,13 @@ rule DITEKSHEN_MALWARE_Win_UNK04 : FILE
 meta:
 description = "Detects unknown malware (proxy tool)"
 author = "ditekSHen"
- id = "9831104d-6c43-542b-88b6-224683c83659"
+ id = "6a178f37-a9fd-5a83-a550-c6333342ac9b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5282-L5296"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ba6e5bbc1d094b23e3870af963503d1ccbcd56adc24126b4a38b77d4b88b4b67"
+ logic_hash = "ba6e5bbc1d094b23e3870af963503d1ccbcd56adc24126b4a38b77d4b88b4b67"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252002,13 +252488,13 @@ rule DITEKSHEN_MALWARE_Win_Karkoff : FILE
 meta:
 description = "Detects Karkoff"
 author = "ditekSHen"
- id = "724eadea-0279-5e02-b0ef-71fe6f7f6d53"
+ id = "7d2fe783-18b3-5d84-a9b5-e8e0b5a0db98"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5298-L5313"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e9b6ba5be2b3cd0faa898347e57cee5a57b80b19842c3a1ddb42d620307c8b39"
+ logic_hash = "e9b6ba5be2b3cd0faa898347e57cee5a57b80b19842c3a1ddb42d620307c8b39"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252031,13 +252517,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent09 : FILE
 meta:
 description = "Detects known downloader agent"
 author = "ditekSHen"
- id = "3e82b7ea-f6e6-5dc8-b8b5-2ebc545e666d"
+ id = "90f71ac7-19d9-5a8e-9830-df2f16e12c9b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5315-L5328"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9336507fa4bb9d3a6325d5e9caafc8c4e816a0166fded7d4e53e09a87628bc89"
+ logic_hash = "9336507fa4bb9d3a6325d5e9caafc8c4e816a0166fded7d4e53e09a87628bc89"
 score = 75
 quality = 71
 tags = "FILE"
@@ -252058,13 +252544,13 @@ rule DITEKSHEN_MALWARE_Win_Coinminingbot : FILE
 meta:
 description = "Detects coinmining bot"
 author = "ditekSHen"
- id = "9f1308d4-d0e0-519a-a0f7-f88e23924339"
+ id = "df15bfbd-f531-5eaa-b160-ad8a1fbe992f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5330-L5343"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a307a6c9184e8f4068cfa89a8432ae017c8aab10b706ba065051f8749860c15c"
+ logic_hash = "a307a6c9184e8f4068cfa89a8432ae017c8aab10b706ba065051f8749860c15c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252087,13 +252573,13 @@ rule DITEKSHEN_MALWARE_Win_Fyanti : FILE
 meta:
 description = "Hunt for FYAnti third-stage loader DLLs"
 author = "ditekSHen"
- id = "86d4de8e-f1ac-5dc7-99c2-e960cc647054"
+ id = "7a1f913c-d83f-50e9-943c-246c4c71c654"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5345-L5351"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_baaeef0b1452d7ea41ffaaff592cac2c5e16f921dbbfb3a300a63e69f134e9d0"
+ logic_hash = "baaeef0b1452d7ea41ffaaff592cac2c5e16f921dbbfb3a300a63e69f134e9d0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252106,13 +252592,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent10 : FILE
 meta:
 description = "Detects known downloader agent"
 author = "ditekSHen"
- id = "0c85eb89-af38-50d2-8fc5-209c151edbf3"
+ id = "b5807adf-9d15-5e08-97fb-a529acb1c1eb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5353-L5364"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_74647b39331727000608bc89b30189d802e62d59876659d4477deb4da2fcfe13"
+ logic_hash = "74647b39331727000608bc89b30189d802e62d59876659d4477deb4da2fcfe13"
 score = 75
 quality = 67
 tags = "FILE"
@@ -252131,13 +252617,13 @@ rule DITEKSHEN_MALWARE_Win_Pureloader : FILE
 meta:
 description = "Detects Pure loader / injector"
 author = "ditekSHen"
- id = "ec57b47e-2af8-5d50-9ca7-2593073ec508"
+ id = "ad44a12a-4ac7-5cc7-92ab-13c23514de69"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5366-L5382"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1f0bd20e769ea79d28d6e60ca06aa8aa2b3436426cfe0cd4f2023a08236875cd"
+ logic_hash = "1f0bd20e769ea79d28d6e60ca06aa8aa2b3436426cfe0cd4f2023a08236875cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252161,13 +252647,13 @@ rule DITEKSHEN_MALWARE_Win_VBS_Dlagent01
 meta:
 description = "Detects VBS MSHTA downloader"
 author = "ditekSHen"
- id = "d591b203-82c5-56ca-b2dc-cf347e0bb6b1"
+ id = "447ea323-ecab-5f6b-b13e-0690254c754e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5384-L5395"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0e47839a55773764aca0aebcf1078c06c729b86d1e2f18d7d64e3bb11e87f3eb"
+ logic_hash = "0e47839a55773764aca0aebcf1078c06c729b86d1e2f18d7d64e3bb11e87f3eb"
 score = 75
 quality = 75
 tags = ""
@@ -252186,13 +252672,13 @@ rule DITEKSHEN_MALWARE_Win_Ranumbot : FILE
 meta:
 description = "Detects RanumBot / Windigo / GoStealer"
 author = "ditekSHen"
- id = "dd0ff9c0-6064-5159-b0e4-1856adee9854"
+ id = "26a0832e-8a39-5a0e-bd39-710744212c16"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5397-L5430"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a9c32445e62d072e4184d25497696ef6225edb176dc7a9743a54194d4ddb4b0c"
+ logic_hash = "a9c32445e62d072e4184d25497696ef6225edb176dc7a9743a54194d4ddb4b0c"
 score = 75
 quality = 73
 tags = "FILE"
@@ -252231,13 +252717,13 @@ rule DITEKSHEN_MALWARE_Win_Dllhijacker01 : FILE
 meta:
 description = "Hunt for VSNTAR21 / DllHijacker01 IronTiger / LuckyMouse / APT27 malware"
 author = "ditekSHen"
- id = "1dbab1bc-a665-5b63-9686-51c154672b70"
+ id = "0a858058-310a-5b1c-a6fe-abdec7b25abe"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5432-L5448"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_48535c0bb5342e2f91ac9d015c761d8d543b122dd3cc08b7029631fcf3037bfb"
+ logic_hash = "48535c0bb5342e2f91ac9d015c761d8d543b122dd3cc08b7029631fcf3037bfb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252261,13 +252747,13 @@ rule DITEKSHEN_MALWARE_Win_Hyperbro02 : FILE
 meta:
 description = "Detects HyperBro IronTiger / LuckyMouse / APT27 malware"
 author = "ditekSHen"
- id = "c113c81b-6eba-5a14-8f3c-69851bde269e"
+ id = "1880afd7-ca06-5b43-af8f-e791ded0d7d8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5450-L5474"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ca4ee116516549fc42f7e32b3c24d631b7f2c638efbde5c07227358e78fd6f35"
+ logic_hash = "ca4ee116516549fc42f7e32b3c24d631b7f2c638efbde5c07227358e78fd6f35"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252299,13 +252785,13 @@ rule DITEKSHEN_MALWARE_Win_Dllhijacker02 : FILE
 meta:
 description = "Detects ServiceCrt / DllHijacker03 IronTiger / LuckyMouse / APT27 malware"
 author = "ditekSHen"
- id = "ffe970be-0dd1-5700-900b-4f31b7fa9dca"
+ id = "de5eee06-570a-5ec3-9e1b-13de4c4f260f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5512-L5527"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d4eb236256c413d4d3223cc897783f5631c7798c0f3280e72d8c8504438fcaf9"
+ logic_hash = "d4eb236256c413d4d3223cc897783f5631c7798c0f3280e72d8c8504438fcaf9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252328,13 +252814,13 @@ rule DITEKSHEN_MALWARE_Win_Zeoticus : FILE
 meta:
 description = "Detects Zeoticus ransomware"
 author = "ditekSHen"
- id = "12f72c06-2146-5aab-9c85-b9162469e6b9"
+ id = "6d1096dd-d075-54eb-ade9-48e2f945145d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5529-L5549"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_588c140c141e82dae56758550549dfb96410db50521ac546477e1adc5575b4a0"
+ logic_hash = "588c140c141e82dae56758550549dfb96410db50521ac546477e1adc5575b4a0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252362,13 +252848,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent11 : FILE
 meta:
 description = "Detects downloader agent"
 author = "ditekSHen"
- id = "0a0e45bc-1ac4-58b6-8353-1a3d37074b82"
+ id = "c8bf9b1a-4ec1-5291-a334-82c79980ef53"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5551-L5564"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_61df4855766050237c0b67bf70684020beb5d88f5928fa2814077e505be938a6"
+ logic_hash = "61df4855766050237c0b67bf70684020beb5d88f5928fa2814077e505be938a6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252389,13 +252875,13 @@ rule DITEKSHEN_MALWARE_Win_Softcnapp : FILE
 meta:
 description = "Detects SoftCNApp"
 author = "ditekSHen"
- id = "789b781b-89a3-57e3-8c84-5a95bafda87b"
+ id = "473442e2-d411-5e2b-948e-c7ce034a5810"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5566-L5583"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2d7f4320282218842fa2e82906bcaf691610ad1a6ea257a2a9fc9e062229a2e8"
+ logic_hash = "2d7f4320282218842fa2e82906bcaf691610ad1a6ea257a2a9fc9e062229a2e8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252420,13 +252906,13 @@ rule DITEKSHEN_MALWARE_Win_Covenantgruntstager : FILE
 meta:
 description = "Detects Covenant Grunt Stager"
 author = "ditekSHen"
- id = "65ec129c-248e-5911-9e7a-0c582d19365c"
+ id = "61495541-ed9c-5227-aa50-cbaeacfb20a2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5585-L5606"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_638f63f605b21154f062b0f4d0659cd6cd87aee319debb2c1a991a679fec087a"
+ logic_hash = "638f63f605b21154f062b0f4d0659cd6cd87aee319debb2c1a991a679fec087a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252455,13 +252941,13 @@ rule DITEKSHEN_MALWARE_Win_Fabookie : FILE
 meta:
 description = "Detects Fabookie / ElysiumStealer"
 author = "ditekSHen"
- id = "709bb150-5cc2-5f03-bb6d-fb0e50974d16"
+ id = "dfa653c4-37d9-5e31-9c47-23adf751e4aa"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5608-L5624"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bbe10323817d501a361a33abf61a49ad59fcac69d78d9d9ec1744ee99a4b4629"
+ logic_hash = "bbe10323817d501a361a33abf61a49ad59fcac69d78d9d9ec1744ee99a4b4629"
 score = 75
 quality = 73
 tags = "FILE"
@@ -252485,13 +252971,13 @@ rule DITEKSHEN_MALWARE_Win_Cobianrat : FILE
 meta:
 description = "Detects CobianRAT, a fork of Njrat"
 author = "ditekSHen"
- id = "31900ba2-63d3-581a-a290-38810747618a"
+ id = "5a9b6f04-fc52-52a9-b72f-d24dd093e886"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5626-L5640"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5c8f55e5328b61c3591c876797b4521f8e98af7a6c53bab918f10d5c3c2b5013"
+ logic_hash = "5c8f55e5328b61c3591c876797b4521f8e98af7a6c53bab918f10d5c3c2b5013"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252513,13 +252999,13 @@ rule DITEKSHEN_MALWARE_Win_Leivion : FILE
 meta:
 description = "Detects Leivion"
 author = "ditekSHen"
- id = "af25b45e-9881-5843-8dfe-1c2ae572240a"
+ id = "77800add-8fff-5657-9ed6-a23517bce0b1"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5660-L5673"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a0cda23df4301b66feedad7c04b4d051c07474ccaa07c05598dd0b47bb6fc7e6"
+ logic_hash = "a0cda23df4301b66feedad7c04b4d051c07474ccaa07c05598dd0b47bb6fc7e6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252540,13 +253026,13 @@ rule DITEKSHEN_MALWARE_Win_Banload : FILE
 meta:
 description = "Detects Banload"
 author = "ditekSHen"
- id = "ee5fe587-191d-52af-a0a6-a6fba31fdc98"
+ id = "4672bce1-1280-576d-b7df-f0181a854058"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5675-L5688"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5cbc69d11b73f60d6eee3f23ed6cc217ba37a3408cb69e396e0394b5a1e20b75"
+ logic_hash = "5cbc69d11b73f60d6eee3f23ed6cc217ba37a3408cb69e396e0394b5a1e20b75"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252567,13 +253053,13 @@ rule DITEKSHEN_MALWARE_Win_TYRAT : FILE
 meta:
 description = "Detects TYRAT"
 author = "ditekSHen"
- id = "39fa7646-cbb3-5987-9a98-29ff18cda824"
+ id = "316c50cc-964e-5d24-b169-7a09fdf61638"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5690-L5703"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b733b7aa3ba1195807fb728453c0f3f4df2177836054af6f7a863e14058884cb"
+ logic_hash = "b733b7aa3ba1195807fb728453c0f3f4df2177836054af6f7a863e14058884cb"
 score = 75
 quality = 25
 tags = "FILE"
@@ -252594,13 +253080,13 @@ rule DITEKSHEN_MALWARE_Win_Infinitylock : FILE
 meta:
 description = "Detects InfinityLock ransomware"
 author = "ditekSHen"
- id = "56fda489-f69a-54ff-a22d-a254c5ff6002"
+ id = "7a66cc19-c635-580b-abc2-b58bd48673bd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5705-L5723"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_634759f1c2d48becebc9c87e146e898524071738f74b7001b112dc793bcb581c"
+ logic_hash = "634759f1c2d48becebc9c87e146e898524071738f74b7001b112dc793bcb581c"
 score = 75
 quality = 73
 tags = "FILE"
@@ -252626,13 +253112,13 @@ rule DITEKSHEN_MALWARE_Win_Mountlocker : FILE
 meta:
 description = "Detects MountLocker ransomware"
 author = "ditekSHen"
- id = "246d8d1e-e9fa-5828-935c-db2fe723b9e9"
+ id = "0590d08d-1ee8-5dfe-af12-15b149acd2d6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5725-L5740"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_30bc601fef60cc1c9d8bff5dd3f8a53214f088b74eb24fe2369f5664613e0eaf"
+ logic_hash = "30bc601fef60cc1c9d8bff5dd3f8a53214f088b74eb24fe2369f5664613e0eaf"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252655,13 +253141,13 @@ rule DITEKSHEN_MALWARE_Win_Pingback : FILE
 meta:
 description = "Detects PingBack ICMP backdoor"
 author = "ditekSHen"
- id = "378df4d8-1749-59c5-af95-7db4a8f83767"
+ id = "ecb313b6-f923-5b6d-a4d7-a4650817ed84"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5742-L5761"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c5fa9ecefca1188ba5e81c0518f74023884ad0f66718fc030601cb458bdf2f12"
+ logic_hash = "c5fa9ecefca1188ba5e81c0518f74023884ad0f66718fc030601cb458bdf2f12"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252688,13 +253174,13 @@ rule DITEKSHEN_MALWARE_Win_Bazarloader : FILE
 meta:
 description = "Detects BazarLoader variants"
 author = "ditekSHen"
- id = "de6b094c-32aa-5d00-9649-259115cffe6c"
+ id = "6282df59-7244-501f-bb60-09a2a519bd47"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5763-L5776"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8febd1355bc03f71794ffb8d51cbb112e8acd2d26fec5bb736a388d5384e7747"
+ logic_hash = "8febd1355bc03f71794ffb8d51cbb112e8acd2d26fec5bb736a388d5384e7747"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252715,13 +253201,13 @@ rule DITEKSHEN_MALWARE_Win_Coinminer01 : FILE
 meta:
 description = "Detects coinmining malware"
 author = "ditekSHen"
- id = "6110ef59-9c4c-5bbf-9329-cd4fb173f09d"
+ id = "739e7cea-c6b6-5add-86d4-382b00e2b645"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5778-L5790"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_31a7531ecc7b8a35ba882c17d15bd3581e65b4b99dd3a7cb8bca8f6edf204114"
+ logic_hash = "31a7531ecc7b8a35ba882c17d15bd3581e65b4b99dd3a7cb8bca8f6edf204114"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252741,13 +253227,13 @@ rule DITEKSHEN_PUA_Win_Ultrasurf : FILE
 meta:
 description = "Detects UltraSurf / Ultrareach PUA"
 author = "ditekSHen"
- id = "c3dcdec6-4e3c-5596-8ee2-894d0c6d641c"
+ id = "ba0f6867-bddc-5e72-978c-8e29b1b6b709"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5792-L5807"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d8d17b1bf20c12f864697d3dd66f345a8b93e2a75f0489b58b23b7f5264b6be3"
+ logic_hash = "d8d17b1bf20c12f864697d3dd66f345a8b93e2a75f0489b58b23b7f5264b6be3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252770,13 +253256,13 @@ rule DITEKSHEN_MALWARE_Win_Hello : FILE
 meta:
 description = "Hunt for Hello / WickrMe ransomware"
 author = "ditekSHen"
- id = "0c1e4f77-eb14-5f65-94b3-f254734b36b0"
+ id = "99c11aab-8a3a-5e10-9af0-542e55129d51"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5809-L5820"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f52f12eb38613f5afd5258b5263c6e6e2d9db6c9659a769f896a2bb66564fa69"
+ logic_hash = "f52f12eb38613f5afd5258b5263c6e6e2d9db6c9659a769f896a2bb66564fa69"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252795,13 +253281,13 @@ rule DITEKSHEN_MALWARE_Win_Buterat : FILE
 meta:
 description = "Detects ButeRAT"
 author = "ditekSHen"
- id = "6fab0acf-6179-523c-a4b0-8af78389fdfd"
+ id = "74f63d61-6589-5fb1-864a-3a02ddd57ebc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5822-L5839"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c3d93e8dc1bde8e77c11586c8d8b67d137ef2c4791e12269f1af310fbe14832b"
+ logic_hash = "c3d93e8dc1bde8e77c11586c8d8b67d137ef2c4791e12269f1af310fbe14832b"
 score = 75
 quality = 73
 tags = "FILE"
@@ -252826,13 +253312,13 @@ rule DITEKSHEN_MALWARE_Win_Cookiestealer : FILE
 meta:
 description = "Detects generic cookie stealer"
 author = "ditekSHen"
- id = "603abdb1-71a3-58fb-b001-f8a0b46bd233"
+ id = "64c6c59d-4046-5949-bf71-22a5f6bfa209"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5841-L5857"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9cc406ae078e37430b3cf10954c02014b9760bc887344842e724df735d1d9808"
+ logic_hash = "9cc406ae078e37430b3cf10954c02014b9760bc887344842e724df735d1d9808"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252856,13 +253342,13 @@ rule DITEKSHEN_MALWARE_Win_Bitcoingrabber : FILE
 meta:
 description = "Detects generic bitcoin stealer"
 author = "ditekSHen"
- id = "50197a55-a450-51d4-9f07-509f7c02d22e"
+ id = "f73b58da-1db5-5767-ae0a-074648e30966"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5859-L5875"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2dc762525c1fbf25517df52f0561d96d7469bf1367eada31c236fc313001c6cb"
+ logic_hash = "2dc762525c1fbf25517df52f0561d96d7469bf1367eada31c236fc313001c6cb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252886,13 +253372,13 @@ rule DITEKSHEN_MALWARE_Win_FOXGRABBER : FILE
 meta:
 description = "Detects FOXGRABBER utility"
 author = "ditekSHen"
- id = "29650f11-df6c-5276-a9a4-8104ff9491f2"
+ id = "b98e501c-e9c6-5fcc-bfa0-9475ce32864c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5877-L5890"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5ecba516f1155bdcccf83b0a034b11d8eac8619d4c3326fdbc76082fbe4daf02"
+ logic_hash = "5ecba516f1155bdcccf83b0a034b11d8eac8619d4c3326fdbc76082fbe4daf02"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252913,13 +253399,13 @@ rule DITEKSHEN_MALWARE_Win_Browsergrabber : FILE
 meta:
 description = "Hunt for FOXGRABBER-like samples but for various browsers"
 author = "ditekSHen"
- id = "f58b1b2b-5790-55f9-924b-7c3e33efc7b0"
+ id = "a50a60cf-5ab8-5e4e-be00-aa0306f4d84f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5892-L5906"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c96a63566280758d8c32542bfab3c6faa7d21329430345f51ea4c2f0a6809dc2"
+ logic_hash = "c96a63566280758d8c32542bfab3c6faa7d21329430345f51ea4c2f0a6809dc2"
 score = 75
 quality = 25
 tags = "FILE"
@@ -252941,13 +253427,13 @@ rule DITEKSHEN_MALWARE_Win_Deathransom : FILE
 meta:
 description = "Detects known DeathRansom ransomware"
 author = "ditekSHen"
- id = "4e902b25-8a17-5492-8e43-251e27159184"
+ id = "a6eeb607-8b5c-5982-8b5a-aa2b3c6a65e6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5908-L5925"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3c87364a7ecc403262056eeccaa16bf230fbbe684e21d35099d0d572abba9eda"
+ logic_hash = "3c87364a7ecc403262056eeccaa16bf230fbbe684e21d35099d0d572abba9eda"
 score = 75
 quality = 75
 tags = "FILE"
@@ -252972,13 +253458,13 @@ rule DITEKSHEN_MALWARE_Win_Unlockyourfiles : FILE
 meta:
 description = "Detects UnlockYourFiles ransomware"
 author = "ditekSHen"
- id = "24437eaa-e647-51ab-adda-89900eeaeb9b"
+ id = "265f2a48-143a-56c9-9cd4-b5137799a9e8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5927-L5946"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_05f549467fac03d4aa2248a9c6c87e4c4273ed6ad727ebb77a4dd115032e454b"
+ logic_hash = "05f549467fac03d4aa2248a9c6c87e4c4273ed6ad727ebb77a4dd115032e454b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253005,13 +253491,13 @@ rule DITEKSHEN_MALWARE_Win_Decryptmyfiles : FILE
 meta:
 description = "Detects DecryptMyFiles ransomware"
 author = "ditekSHen"
- id = "3e16af1e-64ad-5483-95e4-779d545e4a17"
+ id = "dab518f2-3fac-5492-88fb-35cd0000ec47"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5948-L5964"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5b7f74569700e2ad3f31388571dad5ffda45f5ab3dd36806f7514aff0367d5ba"
+ logic_hash = "5b7f74569700e2ad3f31388571dad5ffda45f5ab3dd36806f7514aff0367d5ba"
 score = 75
 quality = 73
 tags = "FILE"
@@ -253035,13 +253521,13 @@ rule DITEKSHEN_MALWARE_Win_Motocos : FILE
 meta:
 description = "Detects Motocos ransomware"
 author = "ditekSHen"
- id = "ecbd5610-2a1c-55fc-b779-e0f9a6ee2fef"
+ id = "be7284be-b57d-5a2c-9a84-37d76445cd0d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5966-L5981"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_99ac365c277058503874313e3a74ab016d6d279b47c754c3df950e3ce60e29f1"
+ logic_hash = "99ac365c277058503874313e3a74ab016d6d279b47c754c3df950e3ce60e29f1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253064,13 +253550,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent12 : FILE
 meta:
 description = "Detects downloader agent"
 author = "ditekSHen"
- id = "d9e43122-ac99-578f-b892-b7fba6b4f11c"
+ id = "841b998b-99d1-50d8-bc7b-75b2a8e690bf"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5983-L5993"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b9845414f4ce4cc25b75a8de7569c4135bbb7ba9098fd4c50d7ac80302e99b8f"
+ logic_hash = "b9845414f4ce4cc25b75a8de7569c4135bbb7ba9098fd4c50d7ac80302e99b8f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253088,13 +253574,13 @@ rule DITEKSHEN_MALWARE_Win_Dlinjector01 : FILE
 meta:
 description = "Detects specific downloader injector shellcode"
 author = "ditekSHen"
- id = "65119c35-b308-516d-aba5-3c3cbf59b23b"
+ id = "c5e0946c-3e15-5ebc-b1b5-3f00566dc5cd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L5995-L6015"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5c13af5fdbb2e8a27103d9502126a82d0bff15d9a269b22e4279b5b459d50e2d"
+ logic_hash = "5c13af5fdbb2e8a27103d9502126a82d0bff15d9a269b22e4279b5b459d50e2d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253122,13 +253608,13 @@ rule DITEKSHEN_MALWARE_Win_Dlinjector02 : FILE
 meta:
 description = "Detects downloader injector"
 author = "ditekSHen"
- id = "1b19e74c-2fd0-56a1-98d9-6074050b69d8"
+ id = "ce2c418d-18e4-579c-9828-94e294385846"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6017-L6034"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_76d185cfcbc7f4996c2fb5c7c1ba4eb20b32d322d8ff47594283a4ca3e573a0b"
+ logic_hash = "76d185cfcbc7f4996c2fb5c7c1ba4eb20b32d322d8ff47594283a4ca3e573a0b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253153,13 +253639,13 @@ rule DITEKSHEN_MALWARE_Win_Nermer : FILE
 meta:
 description = "Detects Nermer ransomware"
 author = "ditekSHen"
- id = "313131b0-257f-5129-9c3f-4ca0245105d6"
+ id = "fce4f178-8e98-53b0-ae09-2ce876ad524e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6036-L6062"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e885b1b908b256ee07f5cb144d63f5ad65e5bf746b70efe168b0ac742a246ab3"
+ logic_hash = "e885b1b908b256ee07f5cb144d63f5ad65e5bf746b70efe168b0ac742a246ab3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253193,13 +253679,13 @@ rule DITEKSHEN_MALWARE_Win_Beastdoor : FILE
 meta:
 description = "Detects Beastdoor backdoor"
 author = "ditekSHen"
- id = "e1dd22a9-185e-559f-ab30-63c5ac7945e2"
+ id = "b271d53e-2693-5a93-825a-ef32f72a4b01"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6064-L6084"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d9a72717d124bcf1e3b95850cd524e577abe96a094586a5555faadba78fcb9ad"
+ logic_hash = "d9a72717d124bcf1e3b95850cd524e577abe96a094586a5555faadba78fcb9ad"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253227,13 +253713,13 @@ rule DITEKSHEN_MALWARE_Win_Gravityrat : FILE
 meta:
 description = "Detects GravityRAT"
 author = "ditekSHen"
- id = "854b799c-d96d-5970-b348-53d6fa00e1d6"
+ id = "cb581dd6-15b2-54ae-9f27-30ec21554fb9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6086-L6108"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a6b049dbf21f22f751c15da98536e9ef2a4ced7755ade0cc9904afddef1d3ae6"
+ logic_hash = "a6b049dbf21f22f751c15da98536e9ef2a4ced7755ade0cc9904afddef1d3ae6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253263,13 +253749,13 @@ rule DITEKSHEN_MALWARE_Win_Fatalrat : FILE
 meta:
 description = "Detects FatalRAT"
 author = "ditekSHen"
- id = "1eea8168-edf0-50a8-abf5-76af1aa65403"
+ id = "f9d0c5dd-ae69-512d-a260-01b9765e10eb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6110-L6128"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fb7f6822aa4ef98e77670d276d06c9a37718bce38d32ce5b53fe67513b107fbe"
+ logic_hash = "fb7f6822aa4ef98e77670d276d06c9a37718bce38d32ce5b53fe67513b107fbe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253295,13 +253781,13 @@ rule DITEKSHEN_MALWARE_Win_Wingo : FILE
 meta:
 description = "Detects malicious Golang executables"
 author = "ditekSHen"
- id = "d3f41352-8257-59e6-98b2-2e1b1249cc88"
+ id = "bc0c84d6-7ea1-5234-89f6-98337900e044"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6130-L6141"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_423b1631ad625fd46a9d10f0ecdf24931cf62a2c1694da3ebdd38daad0a4f724"
+ logic_hash = "423b1631ad625fd46a9d10f0ecdf24931cf62a2c1694da3ebdd38daad0a4f724"
 score = 75
 quality = 73
 tags = "FILE"
@@ -253320,13 +253806,13 @@ rule DITEKSHEN_MALWARE_Win_GENERIC03 : FILE
 meta:
 description = "Detects unknown malicious executables"
 author = "ditekSHen"
- id = "1cc4a80b-c0cc-566e-ab01-4815b8a32aa1"
+ id = "aa0a720d-8215-58d8-b3ce-98d50318cbf9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6143-L6154"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9166808a3dab80d9d85b3b976ae658160c8389c7d0e05a46d553b5bb9d41a1cb"
+ logic_hash = "9166808a3dab80d9d85b3b976ae658160c8389c7d0e05a46d553b5bb9d41a1cb"
 score = 75
 quality = 50
 tags = "FILE"
@@ -253345,13 +253831,13 @@ rule DITEKSHEN_MALWARE_Win_Pandastealer : FILE
 meta:
 description = "Detects Panda Stealer"
 author = "ditekSHen"
- id = "0c0d5696-d097-5a7f-87f5-7766df603487"
+ id = "099f0a03-6dfd-5ae5-baaf-fe2b66de759d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6156-L6172"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_23a911bfe14defe8f961068d43bb349b66ee73f8b2f281f2bec1c0ecb8f37b25"
+ logic_hash = "23a911bfe14defe8f961068d43bb349b66ee73f8b2f281f2bec1c0ecb8f37b25"
 score = 75
 quality = 50
 tags = "FILE"
@@ -253375,13 +253861,13 @@ rule DITEKSHEN_MALWARE_Win_Gelsemine : FILE
 meta:
 description = "Detects Gelsemine"
 author = "ditekSHen"
- id = "866eab1d-3cc4-55b3-87bf-5b174eb06d98"
+ id = "f7e9ca53-fc52-5da0-a760-cb09c2544f4f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6174-L6194"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8c20efa6f34ee9165fac9f1f2e5eb20830a02016309dfaa5681977e1a8ac6068"
+ logic_hash = "8c20efa6f34ee9165fac9f1f2e5eb20830a02016309dfaa5681977e1a8ac6068"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253409,13 +253895,13 @@ rule DITEKSHEN_MALWARE_Win_Gelsevirine : FILE
 meta:
 description = "Detects Gelsevirine"
 author = "ditekSHen"
- id = "10912bb0-29c9-5785-bf8e-0612c47b17b7"
+ id = "70f0ed08-4e07-5ab3-968e-95059d20a8e9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6224-L6254"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_60d41d6d789f1cd2a7040d6535f13c69ea58a489035838f047b886e8f1f37f63"
+ logic_hash = "60d41d6d789f1cd2a7040d6535f13c69ea58a489035838f047b886e8f1f37f63"
 score = 75
 quality = 73
 tags = "FILE"
@@ -253453,13 +253939,13 @@ rule DITEKSHEN_MALWARE_Win_Ipsechelper : FILE
 meta:
 description = "Detects IPsecHelper backdoor"
 author = "ditekSHen"
- id = "3190bfdc-6406-5ce6-bbfd-7c5629183fa2"
+ id = "f848ac2a-95ad-596a-b193-5cfb424e33a2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6256-L6279"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_be0ecf8a97d289b15b902420d769925b7b22ab835bd7d10d10b059119f41e540"
+ logic_hash = "be0ecf8a97d289b15b902420d769925b7b22ab835bd7d10d10b059119f41e540"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253490,13 +253976,13 @@ rule DITEKSHEN_MALWARE_Win_Apostle : FILE
 meta:
 description = "Detects Apsotle"
 author = "ditekSHen"
- id = "8ecb6519-832d-5ca8-a44e-90ead7ffc2dd"
+ id = "6e6d2ef0-b709-5915-b644-db86d9d3f26a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6281-L6295"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_aa5a522383cbb7e2fdb90f4c4395c7f92f546aa1dbda8f44090225861f011630"
+ logic_hash = "aa5a522383cbb7e2fdb90f4c4395c7f92f546aa1dbda8f44090225861f011630"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253518,13 +254004,13 @@ rule DITEKSHEN_MALWARE_Win_DEADWOOD : FILE
 meta:
 description = "Detects DEADWOOD"
 author = "ditekSHen"
- id = "645dff7c-fe37-5668-9098-5f6d8cef358f"
+ id = "a75e30d8-75ec-5eaf-94f5-5556a3b947ae"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6297-L6313"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bf53abc801971b294e0a23bb0162ceb7c56a563a16e73c317f6a890ba545b67d"
+ logic_hash = "bf53abc801971b294e0a23bb0162ceb7c56a563a16e73c317f6a890ba545b67d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253548,13 +254034,13 @@ rule DITEKSHEN_MALWARE_Win_Turian : FILE
 meta:
 description = "Hunt for Turian / Qurian"
 author = "ditekSHen"
- id = "13f7a450-c004-5d9b-810e-5275384108e9"
+ id = "eafa9442-a01b-5044-bc47-634297a3efcc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6315-L6343"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_87f4263381c5e93fcba0873aa3bb9a1db4b21225141cd7f06be30f5777a47806"
+ logic_hash = "87f4263381c5e93fcba0873aa3bb9a1db4b21225141cd7f06be30f5777a47806"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253590,13 +254076,13 @@ rule DITEKSHEN_MALWARE_Win_Dlagent14 : FILE
 meta:
 description = "Detects downloader injector"
 author = "ditekSHen"
- id = "6095ac4a-94b4-5682-86d9-6f8bb57918ab"
+ id = "6f80567e-b89a-557d-a282-b61c0b99625e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6365-L6378"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2806b553635dbf96e9c00d3554dd5732df64200b3ae2c4845a2675218bd56387"
+ logic_hash = "2806b553635dbf96e9c00d3554dd5732df64200b3ae2c4845a2675218bd56387"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253617,13 +254103,13 @@ rule DITEKSHEN_MALWARE_Win_Markirat : FILE
 meta:
 description = "Detects MarkiRAT"
 author = "ditekSHen"
- id = "7cc3d54a-f2cf-58dd-ab6b-c84592917f74"
+ id = "6cfa276c-a64e-532a-a1ae-11a9e00867bd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6380-L6403"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_17b8bcfe8d2b4c87ff8e0bddb436e18029a3b28a5ad3994fe9bef359588d9cad"
+ logic_hash = "17b8bcfe8d2b4c87ff8e0bddb436e18029a3b28a5ad3994fe9bef359588d9cad"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253654,13 +254140,13 @@ rule DITEKSHEN_MALWARE_Win_Klingonrat : FILE
 meta:
 description = "Detects KlingonRAT"
 author = "ditekSHen"
- id = "d069fe34-360e-577a-b23d-4565cf5156f3"
+ id = "bea50bce-b38c-50a0-902a-1014615bd9b8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6405-L6427"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2abfbfc1b67f931f15bfdfd2cd4ba7821e62eb8c518bbc04629c0dd694bbd9c1"
+ logic_hash = "2abfbfc1b67f931f15bfdfd2cd4ba7821e62eb8c518bbc04629c0dd694bbd9c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253690,13 +254176,13 @@ rule DITEKSHEN_MALWARE_Win_Xfiles : FILE
 meta:
 description = "Detects X-Files infostealer (formerly BotSh1zoid)"
 author = "ditekSHen"
- id = "193dacd7-6443-5d5c-ba34-d4c5e2e1dc0b"
+ id = "3f8b2f9b-aa6a-5ffc-95b8-5e44de0d1a49"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6429-L6460"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0c04a8f019aea36f4bba3ce8289c2d608c69d76bbf321052560b4ca2214be057"
+ logic_hash = "0c04a8f019aea36f4bba3ce8289c2d608c69d76bbf321052560b4ca2214be057"
 score = 75
 quality = 73
 tags = "FILE"
@@ -253735,13 +254221,13 @@ rule DITEKSHEN_MALWARE_Win_Allakore : FILE
 meta:
 description = "Detects AllaKore"
 author = "ditekSHen"
- id = "081b10ce-077d-5c8a-8d3d-8d2c2e50dd41"
+ id = "371663c1-6faf-5ca3-a79e-e4340d44660b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6462-L6493"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0e93682787e27246cdddbd67ca5360728c65049a2e97e71809b5902854aa4bef"
+ logic_hash = "0e93682787e27246cdddbd67ca5360728c65049a2e97e71809b5902854aa4bef"
 score = 75
 quality = 73
 tags = "FILE"
@@ -253780,13 +254266,13 @@ rule DITEKSHEN_MALWARE_Win_Reverserat : FILE
 meta:
 description = "Detects ReverseRAT"
 author = "ditekSHen"
- id = "90b87ec7-bdba-5b47-ae15-aa754fc8502c"
+ id = "df13fc6c-025a-54db-809d-4f3c27b8aa7a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6495-L6514"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_87ab00a5588bfce04ec47a07b184fffe359e472ac8bf561b02a8b070edf2e014"
+ logic_hash = "87ab00a5588bfce04ec47a07b184fffe359e472ac8bf561b02a8b070edf2e014"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253813,13 +254299,13 @@ rule DITEKSHEN_MALWARE_Win_Smokeloader : FILE
 meta:
 description = "Detects SmokeLoader variants"
 author = "ditekSHen"
- id = "43f1f782-38f0-5c12-91a4-b31f3c2304db"
+ id = "e8f28f89-3a79-5d78-8c0a-bad16a57df84"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6516-L6539"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_65c56ed11a3cb4e4bcf8fd2a6be097545cb96e84ba4c4202969d1d163a2a36ed"
+ logic_hash = "65c56ed11a3cb4e4bcf8fd2a6be097545cb96e84ba4c4202969d1d163a2a36ed"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253846,13 +254332,13 @@ rule DITEKSHEN_MALWARE_Win_Dlinjector03 : FILE
 meta:
 description = "Detects unknown loader / injector"
 author = "ditekSHen"
- id = "4a35736c-ef1e-59aa-97cc-8e191bb02846"
+ id = "2d0df2d8-5b1c-5408-b8c7-8ca14d57da0f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6541-L6551"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_10092e7916775fe0a39baa5714fdda89f443ceabdcc610cc1fcd5a0fb0e68d0c"
+ logic_hash = "10092e7916775fe0a39baa5714fdda89f443ceabdcc610cc1fcd5a0fb0e68d0c"
 score = 75
 quality = 73
 tags = "FILE"
@@ -253870,13 +254356,13 @@ rule DITEKSHEN_MALWARE_Win_Coinminer02 : FILE
 meta:
 description = "Detects coinmining malware"
 author = "ditekSHen"
- id = "ceeae5a1-8f6e-571e-b87c-926450e10239"
+ id = "1878a1b5-4e97-5575-802e-573caded2b3a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6553-L6571"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_83760aef667819923a2ac67c006e03bb6d4260b7a4aedd691dd5b145fb50d5c1"
+ logic_hash = "83760aef667819923a2ac67c006e03bb6d4260b7a4aedd691dd5b145fb50d5c1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253902,13 +254388,13 @@ rule DITEKSHEN_MALWARE_Win_Mercurial : FILE
 meta:
 description = "Detects Mercurial infostealer"
 author = "ditekSHen"
- id = "2479804d-876c-5bd5-affe-2334d1fb0987"
+ id = "c262ada2-01ca-5fc1-adef-987908514019"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6573-L6593"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_400f8f717a4e07bf4de508c02bbcd9e82bf21f3df84c989fc622378f33e192f0"
+ logic_hash = "400f8f717a4e07bf4de508c02bbcd9e82bf21f3df84c989fc622378f33e192f0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253936,13 +254422,13 @@ rule DITEKSHEN_MALWARE_Win_Phonzy : FILE
 meta:
 description = "Detects specific downloader agent"
 author = "ditekSHen"
- id = "024d6db3-6adf-53d2-a0ef-b07d8d3123af"
+ id = "d35f41e4-4633-5482-9ae4-79354463f1b9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6595-L6608"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_924e7674d76594314df1a32d38f19cee12a3ed49cdf5e153f98bb08a7634055c"
+ logic_hash = "924e7674d76594314df1a32d38f19cee12a3ed49cdf5e153f98bb08a7634055c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -253963,13 +254449,13 @@ rule DITEKSHEN_MALWARE_Win_Hive : FILE
 meta:
 description = "Detects Hive ransomware"
 author = "ditekSHen"
- id = "02566b6d-926d-5771-8698-ff14481b90e2"
+ id = "7b79dc54-01c7-5667-acf5-a32cd7a45b54"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6610-L6647"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_14c20ff2fa62d80eed0f4f364e24d93d493d4f3b47f664983714940afa74046f"
+ logic_hash = "14c20ff2fa62d80eed0f4f364e24d93d493d4f3b47f664983714940afa74046f"
 score = 75
 quality = 73
 tags = "FILE"
@@ -254014,13 +254500,13 @@ rule DITEKSHEN_MALWARE_Win_Spyro : FILE
 meta:
 description = "Detects Spyro / VoidCrypt / Limbozar ransomware"
 author = "ditekSHen"
- id = "1b3ed7b4-7520-5279-98cd-e9ce3c684da8"
+ id = "8b3273c4-827e-50ce-983e-a5843f6b5a78"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6649-L6675"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2e3be361f6d4283fd312a4486eaa39d6594813937cc3f62dbb603babeff17929"
+ logic_hash = "2e3be361f6d4283fd312a4486eaa39d6594813937cc3f62dbb603babeff17929"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254054,13 +254540,13 @@ rule DITEKSHEN_MALWARE_Win_Darkvnc : FILE
 meta:
 description = "Detects DarkVNC"
 author = "ditekSHen"
- id = "4a1ff649-769c-5090-a3eb-c150225ce8b3"
+ id = "3c7d215c-fcca-5a0f-b59c-d84fd894677a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6677-L6696"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b0dbde04c0a05e476d505b92cf7dbf3b4ef0dd9e88eafcd21b7a7d0e3623abbd"
+ logic_hash = "b0dbde04c0a05e476d505b92cf7dbf3b4ef0dd9e88eafcd21b7a7d0e3623abbd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254087,13 +254573,13 @@ rule DITEKSHEN_MALWARE_Win_RSJON : FILE
 meta:
 description = "Detects RSJON / Ryzerlo / HiddenTear ransomware"
 author = "ditekSHen"
- id = "e3b755e4-80b3-54de-b86c-a50d6be39457"
+ id = "7cc3e863-b594-51a9-9d41-68021ce3b97c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6698-L6727"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_abfea2955bf0d0b0511ea820582cc15fbcfc38dbed71fb2a0050cd98a9311cda"
+ logic_hash = "abfea2955bf0d0b0511ea820582cc15fbcfc38dbed71fb2a0050cd98a9311cda"
 score = 75
 quality = 48
 tags = "FILE"
@@ -254130,13 +254616,13 @@ rule DITEKSHEN_MALWARE_Win_Boxcaon : FILE
 meta:
 description = "Detects IndigoZebra BoxCaon"
 author = "ditekSHen"
- id = "6f5a9311-4398-5904-967b-621a6eaa9296"
+ id = "becbde73-8b72-5e98-8684-87068ffff71b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6729-L6746"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4f2f26e6678d49bfa5937511b1788a059ee10e1b5f19e53d6386199738a925a5"
+ logic_hash = "4f2f26e6678d49bfa5937511b1788a059ee10e1b5f19e53d6386199738a925a5"
 score = 75
 quality = 50
 tags = "FILE"
@@ -254161,13 +254647,13 @@ rule DITEKSHEN_MALWARE_Win_Avoslocker : FILE
 meta:
 description = "Hunt for AvosLocker ransomware"
 author = "ditekSHen"
- id = "237713dd-877a-55ac-8958-ae6730aa60b0"
+ id = "390e57b2-207e-5013-899a-0b04aa63a56f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6748-L6757"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_85601fdd13ddeb1fc0b8b98eb68e324046d60c1ae9467d083a75abebcb50e3a0"
+ logic_hash = "85601fdd13ddeb1fc0b8b98eb68e324046d60c1ae9467d083a75abebcb50e3a0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254184,13 +254670,13 @@ rule DITEKSHEN_MALWARE_Win_Diavol : FILE
 meta:
 description = "Detects Diavol ransomware"
 author = "ditekSHen"
- id = "a370a7e0-d743-5642-8d12-22d2fa4e65e9"
+ id = "df5cea04-505e-5009-b247-ba71b6d81ecc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6759-L6784"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bcc7a9dc2dcb12ded75af9d79ab0f46f0e69da9e9fe72539be6351306ed11c18"
+ logic_hash = "bcc7a9dc2dcb12ded75af9d79ab0f46f0e69da9e9fe72539be6351306ed11c18"
 score = 75
 quality = 48
 tags = "FILE"
@@ -254223,13 +254709,13 @@ rule DITEKSHEN_MALWARE_Win_Margulasrat : FILE
 meta:
 description = "Detects MargulasRAT"
 author = "ditekSHen"
- id = "31fabc11-d249-532c-9350-7c57d9c8dcfd"
+ id = "6efabf80-9194-542d-afd2-9bf9c8e26e55"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6786-L6810"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dd5b94c947d97cdc34032f2cb84b4975a1e8f510638857fb6dbe553bcff7d16e"
+ logic_hash = "dd5b94c947d97cdc34032f2cb84b4975a1e8f510638857fb6dbe553bcff7d16e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254261,13 +254747,13 @@ rule DITEKSHEN_MALWARE_Win_Lilithrat : FILE
 meta:
 description = "Detects LilithRAT"
 author = "ditekSHen"
- id = "87ae9249-df0f-5535-8871-296ffa49e88f"
+ id = "87e56524-f557-5662-86bc-2b26e7c74aee"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6812-L6839"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1e8ac8a329ff99318e12666ea1d90d21bb9b0dff656a5eb1ce741b940c99afd5"
+ logic_hash = "1e8ac8a329ff99318e12666ea1d90d21bb9b0dff656a5eb1ce741b940c99afd5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254302,13 +254788,13 @@ rule DITEKSHEN_MALWARE_Win_Epicenterrat : FILE
 meta:
 description = "Detects EpicenterRAT"
 author = "ditekSHen"
- id = "32aa7463-79a3-52cd-a420-2cadbb2ad5ef"
+ id = "6abe6e94-d7f5-5f88-96a6-a8fad599ef6a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6841-L6863"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e9086dff22e301f57c6a9bdb38fbed8e902d5b8ca20a5e5b3cda56db08d5582e"
+ logic_hash = "e9086dff22e301f57c6a9bdb38fbed8e902d5b8ca20a5e5b3cda56db08d5582e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254338,13 +254824,13 @@ rule DITEKSHEN_MALWARE_Win_Lastconn : FILE
 meta:
 description = "Detects LastConn"
 author = "ditekSHen"
- id = "88e12084-a310-5425-8a0e-93cecbebc3ae"
+ id = "18727c30-d84d-5ffa-acd4-2cc54e553604"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6865-L6894"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_94f5874353d0fb475595373c06a0de91603cad9b435d35dc00febf90608d6b5a"
+ logic_hash = "94f5874353d0fb475595373c06a0de91603cad9b435d35dc00febf90608d6b5a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254381,13 +254867,13 @@ rule DITEKSHEN_MALWARE_Win_Crimsonrat : FILE
 meta:
 description = "Detects CrimsonRAT"
 author = "ditekSHen"
- id = "786f2872-33e8-55c6-8690-1e745fb2a3a2"
+ id = "54c9bbb2-9fa6-5c1f-9272-13255357ddbf"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6896-L6920"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a40cf09dbaafb2e7b9130af1b40e46b4c38fed6185b16435ad4c118f9e6d56c7"
+ logic_hash = "a40cf09dbaafb2e7b9130af1b40e46b4c38fed6185b16435ad4c118f9e6d56c7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254419,13 +254905,13 @@ rule DITEKSHEN_MALWARE_Win_Actionrat : FILE
 meta:
 description = "Detects ActionRAT, CSharp and Delfi variants"
 author = "ditekSHen"
- id = "7ca153d4-4394-571c-a8c9-b44d87dd9934"
+ id = "ceb4bd65-85c0-5614-a7cb-8f3f2f849eae"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6922-L6955"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1552cda3f02c08582e3dd97df98416635a25005081627097df181bfc6aac4665"
+ logic_hash = "1552cda3f02c08582e3dd97df98416635a25005081627097df181bfc6aac4665"
 score = 75
 quality = 71
 tags = "FILE"
@@ -254466,13 +254952,13 @@ rule DITEKSHEN_MALWARE_Win_Nodachi : FILE
 meta:
 description = "Detects Nodachi infostealer"
 author = "ditekSHen"
- id = "efd933e7-22cc-561b-b5bc-6a0c1fcbf808"
+ id = "bce0c44d-7e75-5c51-ba93-75bd81896921"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6957-L6972"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c8a262b862a47d5c0c9bd76b722aa4ceb55dd365b5dca35a61318d8a1c53269d"
+ logic_hash = "c8a262b862a47d5c0c9bd76b722aa4ceb55dd365b5dca35a61318d8a1c53269d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254495,13 +254981,13 @@ rule DITEKSHEN_MALWARE_Win_Iamthekingqueenofhearts : FILE
 meta:
 description = "IAmTheKing Queen Of Hearts payload"
 author = "ditekSHen"
- id = "5210d52a-ba6d-5728-809b-d5d627c425e7"
+ id = "b8d222f0-b3ce-5143-816b-4bbcde645672"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6974-L6991"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0aafeb1dce380ebe6cccc3c7f9564022e1a4cdcf20091943d2bfcc845129152d"
+ logic_hash = "0aafeb1dce380ebe6cccc3c7f9564022e1a4cdcf20091943d2bfcc845129152d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254526,13 +255012,13 @@ rule DITEKSHEN_MALWARE_Win_Iamthekingqueenofclubs : FILE
 meta:
 description = "IAmTheKing Queen Of Clubs payload"
 author = "ditekSHen"
- id = "8dd3e682-d936-5f83-bb6e-d4f6b4bdd591"
+ id = "4d19a484-0483-5b3e-a9ad-1cd8ca263a04"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L6993-L7007"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_28d7d3e9a3b7c104fc5b0fa38ce33b34596f16f6987c34a0e2e3fd93a8a908bd"
+ logic_hash = "28d7d3e9a3b7c104fc5b0fa38ce33b34596f16f6987c34a0e2e3fd93a8a908bd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254554,13 +255040,13 @@ rule DITEKSHEN_MALWARE_Win_Iamtheking : FILE
 meta:
 description = "IAmTheKing payload"
 author = "ditekSHen"
- id = "9ffb3dac-94d4-5052-b5b1-a9afad7075bb"
+ id = "cf0d7c8d-0ac3-542d-b42e-f215af36044b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7009-L7029"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1cc2aa9b672b8519a3e8a22e31403fb7adace0d430f9cab160e9a7d52e56e875"
+ logic_hash = "1cc2aa9b672b8519a3e8a22e31403fb7adace0d430f9cab160e9a7d52e56e875"
 score = 75
 quality = 50
 tags = "FILE"
@@ -254588,13 +255074,13 @@ rule DITEKSHEN_MALWARE_Win_Gobrut : FILE
 meta:
 description = "Detects unknown Go multi-bruteforcer bot (StealthWorker / GoBrut) against multiple systems: QNAP, MagOcart, WordPress, Opencart, Bitrix, Postgers, MySQL, Drupal, Joomla, SSH, FTP, Magneto, CPanel"
 author = "ditekSHen"
- id = "660c5a3d-d754-5d5b-9d82-163610b366bc"
+ id = "f5605123-12d9-55d1-8a32-acebf16834f8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7031-L7086"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fb93d0dcf7f38294444ac6d2e1a7a126027ce07f0305af9ae0f8aa8f4b806c5c"
+ logic_hash = "fb93d0dcf7f38294444ac6d2e1a7a126027ce07f0305af9ae0f8aa8f4b806c5c"
 score = 75
 quality = 50
 tags = "FILE"
@@ -254657,13 +255143,13 @@ rule DITEKSHEN_MALWARE_Win_Biopass_Dropper : FILE
 meta:
 description = "Detects Go BioPass dropper"
 author = "ditekSHen"
- id = "903b93d3-db9b-5117-a851-c30588b38854"
+ id = "56037c79-59f7-587c-8f54-c9618e871f34"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7088-L7111"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_06f3b3ee38349ddcf9be7cbb7627d60fa673962409dde6e4badd112841a3ed19"
+ logic_hash = "06f3b3ee38349ddcf9be7cbb7627d60fa673962409dde6e4badd112841a3ed19"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254694,13 +255180,13 @@ rule DITEKSHEN_MALWARE_Win_A310Logger : FILE
 meta:
 description = "Detects A310Logger"
 author = "ditekSHen"
- id = "7f372295-77fd-5a0e-af48-c19dd98e1154"
+ id = "d2cf2f7b-5710-56ab-b13d-97a70fe7f618"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7113-L7149"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8205169c9c78eb784b9d07a5fd85ad3a54763452e1e315f7e7911b8ac49a6c01"
+ logic_hash = "8205169c9c78eb784b9d07a5fd85ad3a54763452e1e315f7e7911b8ac49a6c01"
 score = 75
 quality = 73
 tags = "FILE"
@@ -254743,13 +255229,13 @@ rule DITEKSHEN_MALWARE_Win_Crylock : FILE
 meta:
 description = "Detects CryLock ransomware"
 author = "ditekSHen"
- id = "d9569d75-46e5-5f59-bad8-4c0f9e406d6e"
+ id = "296288d8-2fdd-592a-aef9-7d4853885594"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7151-L7186"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dde35dd2c7e89212c4562f2dcf6a78d06fbb3d31150d49e6c48f758b07f1834f"
+ logic_hash = "dde35dd2c7e89212c4562f2dcf6a78d06fbb3d31150d49e6c48f758b07f1834f"
 score = 75
 quality = 73
 tags = "FILE"
@@ -254792,13 +255278,13 @@ rule DITEKSHEN_MALWARE_Win_Deeprats : FILE
 meta:
 description = "Detects DeepRats ("
 author = "ditekSHen"
- id = "78f247d9-d140-5101-bbb7-5d49fa9c1bdc"
+ id = "5b774e24-3864-519f-9cfd-d729d7d567a0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7188-L7218"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_511264c0b6932f90069a5206cd142ca7210b0bc40c51ef5aa9c41a161fb57aab"
+ logic_hash = "511264c0b6932f90069a5206cd142ca7210b0bc40c51ef5aa9c41a161fb57aab"
 score = 75
 quality = 73
 tags = "FILE"
@@ -254836,13 +255322,13 @@ rule DITEKSHEN_MALWARE_Win_Gasket : FILE
 meta:
 description = "Detects Gasket"
 author = "ditekSHen"
- id = "7813e6b0-5817-5e53-82e8-169ad836d8f8"
+ id = "3afa131d-9c88-50df-a3b4-552db4a84e69"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7220-L7250"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0279979915891fc8c813ba555120ee5705b53b234a808b5ca77bff35a082e376"
+ logic_hash = "0279979915891fc8c813ba555120ee5705b53b234a808b5ca77bff35a082e376"
 score = 75
 quality = 73
 tags = "FILE"
@@ -254880,13 +255366,13 @@ rule DITEKSHEN_MALWARE_Win_Silentmoon : FILE
 meta:
 description = "Detects SilentMoon"
 author = "ditekSHen"
- id = "41355c88-cda7-5f6e-a851-57074b5984a5"
+ id = "0b41a07b-0e2a-5bbf-8789-3b46460d2c09"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7252-L7272"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1aa61e83d0003ef41d16fd40698485fdf41a957639ac3c3f2770994a43bd502a"
+ logic_hash = "1aa61e83d0003ef41d16fd40698485fdf41a957639ac3c3f2770994a43bd502a"
 score = 75
 quality = 25
 tags = "FILE"
@@ -254914,13 +255400,13 @@ rule DITEKSHEN_MALWARE_Win_Lu0Bot : FILE
 meta:
 description = "Detects Lu0Bot"
 author = "ditekSHen"
- id = "843359fc-3c7a-580b-a85f-2aaa9de4ba58"
+ id = "f8595553-b911-5e30-9ece-cad7d5913f19"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7274-L7285"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b4822248230a804b1dc75f8d517af28a621dab1746c9ef45eaa4754149ce0cba"
+ logic_hash = "b4822248230a804b1dc75f8d517af28a621dab1746c9ef45eaa4754149ce0cba"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254939,13 +255425,13 @@ rule DITEKSHEN_MALWARE_Win_Shellcodedlei : FILE
 meta:
 description = "Detects shellcode downloader, executer, injector"
 author = "ditekSHen"
- id = "0a4b1cae-0821-5968-9380-d99c3634b71e"
+ id = "62a4f141-87f8-596a-adf6-5bf9a50c9e91"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7287-L7304"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_064c17427ae6b33ffb09a14abcb924d20ead44250e8bd03070bf40869f1c812e"
+ logic_hash = "064c17427ae6b33ffb09a14abcb924d20ead44250e8bd03070bf40869f1c812e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -254970,13 +255456,13 @@ rule DITEKSHEN_MALWARE_Win_Bluebot : FILE
 meta:
 description = "Detects BlueBot"
 author = "ditekSHen"
- id = "74978be6-fb0a-56f3-bcaa-1c5610d56cf3"
+ id = "cddd40bb-c3c6-5c44-9cb1-480571375be8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7306-L7333"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_04a19f649eb2fff7a5bc59ccead80cd0a04c4e5418cbc83e850045dba75b03e0"
+ logic_hash = "04a19f649eb2fff7a5bc59ccead80cd0a04c4e5418cbc83e850045dba75b03e0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255011,13 +255497,13 @@ rule DITEKSHEN_MALWARE_Win_Unkcobaltstrike : FILE
 meta:
 description = "Detects unknown malware, potentially CobaltStrike related"
 author = "ditekSHen"
- id = "501b8dde-e759-55eb-bb87-7073f8da78b7"
+ id = "24ddccc7-3700-57a1-999c-ddefae6911bb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7335-L7354"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2fb4e87eec3b56773b812ce6a5c28143183087e0f93d92d76c1103563f8e0891"
+ logic_hash = "2fb4e87eec3b56773b812ce6a5c28143183087e0f93d92d76c1103563f8e0891"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255044,13 +255530,13 @@ rule DITEKSHEN_MALWARE_Win_EXEPWSHDL : FILE
 meta:
 description = "Detects executable downloaders using PowerShell"
 author = "ditekSHen"
- id = "db6f7b44-a49c-556e-890a-f0095a3bc8cb"
+ id = "1e5a414b-e81e-5915-b00b-75edbfcc32d2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7356-L7374"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_58fbd27758ecd435eb30b7c34f4cf142db8e31edee0838175992923a51706508"
+ logic_hash = "58fbd27758ecd435eb30b7c34f4cf142db8e31edee0838175992923a51706508"
 score = 75
 quality = 50
 tags = "FILE"
@@ -255076,13 +255562,13 @@ rule DITEKSHEN_MALWARE_Win_MB150 : FILE
 meta:
 description = "Detects MB150? Go ransomware"
 author = "ditekSHen"
- id = "e65abc79-0d84-5969-925b-15e38240cae0"
+ id = "9688974b-ccf9-59ea-bb31-e46c63f021bf"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7376-L7402"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a07535fc53912ddde6a0bed187c21ecdb2701d317d7de0cbdd2db37071bc9a21"
+ logic_hash = "a07535fc53912ddde6a0bed187c21ecdb2701d317d7de0cbdd2db37071bc9a21"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255116,13 +255602,13 @@ rule DITEKSHEN_MALWARE_Win_Chaos : FILE
 meta:
 description = "Detects Chaos ransomware"
 author = "ditekSHen"
- id = "7570a28e-196c-5ec0-9f49-3d2585c2c35f"
+ id = "59d43cfb-72d8-5c17-87bf-f1f364d23bed"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7404-L7433"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6203ab09745db817b9e909d70cf1d5be9769c414461ee5f7bb344b6959986537"
+ logic_hash = "6203ab09745db817b9e909d70cf1d5be9769c414461ee5f7bb344b6959986537"
 score = 75
 quality = 44
 tags = "FILE"
@@ -255159,13 +255645,13 @@ rule DITEKSHEN_MALWARE_Win_Horuseyesrat : FILE
 meta:
 description = "Detects HorusEyesRAT"
 author = "ditekSHen"
- id = "7c9694cf-ac7b-5ae2-83f3-130ee1c33950"
+ id = "80b2fd11-f8b4-5aee-b55a-4f7ee9fad6cf"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7435-L7451"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c0f499e3a17923b391ed6b7fa723525a9d4aef0ce04a2c7abec60d5eda15888f"
+ logic_hash = "c0f499e3a17923b391ed6b7fa723525a9d4aef0ce04a2c7abec60d5eda15888f"
 score = 75
 quality = 73
 tags = "FILE"
@@ -255189,13 +255675,13 @@ rule DITEKSHEN_MALWARE_Win_Breakwin : FILE
 meta:
 description = "Detects BreakWin Wiper"
 author = "ditekSHen"
- id = "9302db17-7176-54cb-bbba-a2b76030ffff"
+ id = "4ffadbfa-c1cc-59e6-a9ba-7a34eca6c3fe"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7453-L7471"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_86fc89e28fc107c2d4fe98dc16048d9e076b1fef53a3df0814f80a88bbe09c48"
+ logic_hash = "86fc89e28fc107c2d4fe98dc16048d9e076b1fef53a3df0814f80a88bbe09c48"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255221,13 +255707,13 @@ rule DITEKSHEN_MALWARE_Win_Coinminer03 : FILE
 meta:
 description = "Detects coinmining malware"
 author = "ditekSHen"
- id = "1a9f8146-905b-5b82-ae27-376d5d6dcb5b"
+ id = "e0e57557-7c46-5336-b904-c4c1f142bd81"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7506-L7528"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f22e1af955a0d132dda820fe5e5e1ae2f077b7264ce1f0125a2f37c0da6b6508"
+ logic_hash = "f22e1af955a0d132dda820fe5e5e1ae2f077b7264ce1f0125a2f37c0da6b6508"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255257,13 +255743,13 @@ rule DITEKSHEN_MALWARE_Win_Zeppelin : FILE
 meta:
 description = "Detects Zeppelin (Delphi) ransomware"
 author = "ditekSHen"
- id = "ef2197a4-bed3-585b-9fa9-2a584cdab20f"
+ id = "368d0c31-745d-50ad-a265-50561fdc822a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7530-L7545"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f6c8420756b562662985dd26eaad58500a24cae786a47b788c953e86276116a1"
+ logic_hash = "f6c8420756b562662985dd26eaad58500a24cae786a47b788c953e86276116a1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255286,13 +255772,13 @@ rule DITEKSHEN_MALWARE_Win_Slackbot : FILE
 meta:
 description = "Detects SlackBot"
 author = "ditekSHen"
- id = "b1520459-709c-5550-a21b-2b3f77c4a75a"
+ id = "cd540aa2-dc8f-5ccc-b66c-a8d72b73c896"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7547-L7588"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_919839883c437b69cf7f380830f2499be24415f96f1e42424e4859114f958581"
+ logic_hash = "919839883c437b69cf7f380830f2499be24415f96f1e42424e4859114f958581"
 score = 75
 quality = 73
 tags = "FILE"
@@ -255341,13 +255827,13 @@ rule DITEKSHEN_MALWARE_Win_Sweetystealer : FILE
 meta:
 description = "Detects SweetyStealer"
 author = "ditekSHen"
- id = "f1691f4a-fc1d-53e2-9e5d-d47497357a0e"
+ id = "21dd1706-2cb5-5b27-ad3a-c3de8e6fb333"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7590-L7608"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ecf22240b47af077055260faba0406721f1b4cc5ed04180285df0de86c4e1241"
+ logic_hash = "ecf22240b47af077055260faba0406721f1b4cc5ed04180285df0de86c4e1241"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255373,13 +255859,13 @@ rule DITEKSHEN_MALWARE_Win_Genircbot : FILE
 meta:
 description = "Detects generic IRCBots"
 author = "ditekSHen"
- id = "64db5bfe-27da-526e-a86f-c5238559713e"
+ id = "e1faa1dd-bbf5-5208-97d6-a6e8597d39bc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7610-L7626"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cc7f4599148c45fdf755c07530ae4846b7e283b5c1001c121f9ea05279997dc1"
+ logic_hash = "cc7f4599148c45fdf755c07530ae4846b7e283b5c1001c121f9ea05279997dc1"
 score = 75
 quality = 73
 tags = "FILE"
@@ -255403,13 +255889,13 @@ rule DITEKSHEN_MALWARE_Win_Nitro : FILE
 meta:
 description = "Detects Nitro Ransomware"
 author = "ditekSHen"
- id = "b9242e11-5ba2-58a8-be07-7259b4d298da"
+ id = "3edb62e0-0544-5291-a949-a45fdf881c7e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7628-L7652"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_03da21ece2de530a9c2ba08a9e44c9a92bc9ca0a6d4ac9507899d1f3dcd03e37"
+ logic_hash = "03da21ece2de530a9c2ba08a9e44c9a92bc9ca0a6d4ac9507899d1f3dcd03e37"
 score = 75
 quality = 69
 tags = "FILE"
@@ -255441,13 +255927,13 @@ rule DITEKSHEN_MALWARE_Win_Nanocore : FILE
 meta:
 description = "Detects NanoCore"
 author = "ditekSHen"
- id = "f692f02e-053c-5209-9b42-d2ee8f453c23"
+ id = "931b98f6-df2b-538b-bc49-ecbbd24334da"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7654-L7681"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6336260e0af2b4b51338ee066f41b7c58aa134a6c03ca110db7e088edf2b65a7"
+ logic_hash = "6336260e0af2b4b51338ee066f41b7c58aa134a6c03ca110db7e088edf2b65a7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255482,13 +255968,13 @@ rule DITEKSHEN_MALWARE_Win_Satan : FILE
 meta:
 description = "Detects Satan ransomware"
 author = "ditekSHen"
- id = "866a20ef-6932-5bfe-a41b-94f3656bb98d"
+ id = "f0a9369e-a3d7-5770-b490-4c9a919abb82"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7683-L7709"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e50daa88e0067a0f00329c6369c0334bd282fb102c91ba5ca770da97851d6d2e"
+ logic_hash = "e50daa88e0067a0f00329c6369c0334bd282fb102c91ba5ca770da97851d6d2e"
 score = 75
 quality = 50
 tags = "FILE"
@@ -255522,13 +256008,13 @@ rule DITEKSHEN_MALWARE_Win_Neshta : FILE
 meta:
 description = "Detects Neshta"
 author = "ditekSHen"
- id = "534a4e11-5fb0-5fdd-a194-bfc83a1518a8"
+ id = "b96ee19e-b631-57fd-bf8a-67d790202c46"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7711-L7720"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7967c1154f652e28e541058a7b7f61aa077cfaf6be58282e1de68d9a6088c1ac"
+ logic_hash = "7967c1154f652e28e541058a7b7f61aa077cfaf6be58282e1de68d9a6088c1ac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255545,13 +256031,13 @@ rule DITEKSHEN_MALWARE_Linux_Hellokitty : FILE
 meta:
 description = "Detects Linux version of HelloKitty ransomware"
 author = "ditekSHen"
- id = "cd4c863e-a8d3-5af4-873b-00f4f1e5dfdb"
+ id = "bb228937-8cd8-5fb8-aaed-3bd539ae96f2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7722-L7746"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bcb1188d616b29fa535e757a37476435a3061d27e143339413f6829876701868"
+ logic_hash = "bcb1188d616b29fa535e757a37476435a3061d27e143339413f6829876701868"
 score = 75
 quality = 73
 tags = "FILE"
@@ -255583,13 +256069,13 @@ rule DITEKSHEN_MALWARE_Win_Blackmatter : FILE
 meta:
 description = "Detects BlackMatter ransomware"
 author = "ditekSHen"
- id = "8d7deacf-58b8-5ba3-84f6-f0e175a7bec4"
+ id = "8883e652-edab-5cbf-a4fa-963b437447d9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7748-L7767"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4558002b424f7102f67fc44dfc37ac20f6013e25ae827c6aee0fc37231e2fa72"
+ logic_hash = "4558002b424f7102f67fc44dfc37ac20f6013e25ae827c6aee0fc37231e2fa72"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255613,13 +256099,13 @@ rule DITEKSHEN_MALWARE_Win_Dlinjector04 : FILE
 meta:
 description = "Detects downloader / injector"
 author = "ditekSHen"
- id = "08922a79-04bc-5c1b-8282-f754c1af811e"
+ id = "fe423aee-6ff4-5fd0-9fa2-51dd0c27f54b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7769-L7790"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ab9a047e53dec2cc5986522636783b5cb8aae7fc0297292d017ec22ee5750cce"
+ logic_hash = "ab9a047e53dec2cc5986522636783b5cb8aae7fc0297292d017ec22ee5750cce"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255648,13 +256134,13 @@ rule DITEKSHEN_MALWARE_Win_Darkcomet : FILE
 meta:
 description = "Detects DarkComet"
 author = "ditekSHen"
- id = "4513bfa8-1ca0-55be-a516-28e754c14980"
+ id = "ae2412df-adae-5640-9404-7b093c5095b4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7792-L7812"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_444df3c914c47500018614af10036864b459e7873daf079b684352dbe52f0486"
+ logic_hash = "444df3c914c47500018614af10036864b459e7873daf079b684352dbe52f0486"
 score = 75
 quality = 50
 tags = "FILE"
@@ -255682,13 +256168,13 @@ rule DITEKSHEN_MALWARE_Win_Macoute : FILE
 meta:
 description = "Detects Macoute"
 author = "ditekSHen"
- id = "c587fe17-60fb-5a2c-a490-aedf23c224bc"
+ id = "0ecfb923-2e51-544e-984d-efdeeb175727"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7814-L7836"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1dffa48fe6c0ac053509b5f5994d323fd72d090da0f077b52c9bc33df6997964"
+ logic_hash = "1dffa48fe6c0ac053509b5f5994d323fd72d090da0f077b52c9bc33df6997964"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255718,13 +256204,13 @@ rule DITEKSHEN_MALWARE_Win_Coinminer04 : FILE
 meta:
 description = "Detects coinmining malware"
 author = "ditekSHen"
- id = "8de0285f-1ca6-5783-bed9-e6ec233ccb88"
+ id = "d90d8ad3-20b7-5bb4-8c58-3488c60ed9a2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7838-L7858"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2ef60dbf0bac3d5910635bb011a45e5ebc1392094b10425604fa9dd290198f8b"
+ logic_hash = "2ef60dbf0bac3d5910635bb011a45e5ebc1392094b10425604fa9dd290198f8b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255752,13 +256238,13 @@ rule DITEKSHEN_MALWARE_Win_Sidewalk : FILE
 meta:
 description = "Detects SideWalk"
 author = "ditekSHen"
- id = "c58b7a5d-c65e-58a4-bb9b-c7e761f39318"
+ id = "ab82b83a-a279-555a-83c2-6340431b10da"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7860-L7880"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6885a1ad69d61fa5875ee0db949071e84390fc2db4307c412b32cd17c0806f6a"
+ logic_hash = "6885a1ad69d61fa5875ee0db949071e84390fc2db4307c412b32cd17c0806f6a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255786,13 +256272,13 @@ rule DITEKSHEN_MALWARE_Win_Vanillarat : FILE
 meta:
 description = "Detects VanillaRAT"
 author = "ditekSHen"
- id = "55cb51d2-1fea-50ce-a791-df84a502ade0"
+ id = "70c2cd1a-a6d4-562e-a6fc-c16a9e87c6b7"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7882-L7902"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d7b90ac88a50693ec4bb0676c04f5d161f04f67970ea60d80e79d774da75bfdc"
+ logic_hash = "d7b90ac88a50693ec4bb0676c04f5d161f04f67970ea60d80e79d774da75bfdc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255820,13 +256306,13 @@ rule DITEKSHEN_MALWARE_Win_Sectoprat : FILE
 meta:
 description = "Detects SectopRAT"
 author = "ditekSHen"
- id = "06aa845c-0647-5fa8-8fc0-04f3f443a49f"
+ id = "d6594834-24d7-5e86-84b5-5a7920e7bc89"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7904-L7929"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b4048f837c02560a8b650247173be25893b466e5cec8f2784eea58172f973822"
+ logic_hash = "b4048f837c02560a8b650247173be25893b466e5cec8f2784eea58172f973822"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255859,13 +256345,13 @@ rule DITEKSHEN_MALWARE_Win_Neptune : FILE
 meta:
 description = "Detects Neptune keylogger / infostealer"
 author = "ditekSHen"
- id = "0186f846-e3c4-5751-bb42-a496c81ae973"
+ id = "0f619bea-f00b-5078-95a4-83306e3e87b4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7931-L7953"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e3298bf55f89180ed7e9f7ad35b59d39284a5143fd69fa2a4fbc27d91fb2fbd3"
+ logic_hash = "e3298bf55f89180ed7e9f7ad35b59d39284a5143fd69fa2a4fbc27d91fb2fbd3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255895,13 +256381,13 @@ rule DITEKSHEN_MALWARE_Win_Tomiris : FILE
 meta:
 description = "Detects Tomiris"
 author = "ditekSHen"
- id = "41b33c03-8a6b-5377-bac5-3506e81181e0"
+ id = "86efd4fb-3c76-504e-b367-132aee59e09a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7955-L7978"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1d9baeb6db2e849dd053c3fc735984e23b9cead39cf166f8a544ee5a439185d1"
+ logic_hash = "1d9baeb6db2e849dd053c3fc735984e23b9cead39cf166f8a544ee5a439185d1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255932,13 +256418,13 @@ rule DITEKSHEN_MALWARE_Win_Jennlog : FILE
 meta:
 description = "Detects JennLog loader"
 author = "ditekSHen"
- id = "2894f8a4-0355-5868-ab49-40553916fb13"
+ id = "38f8cd13-f157-5cce-bf04-80c29d254144"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7980-L7996"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_085a4783c7c01ec95491d9999d1835ad9ab3dc70d77b944578e097b3ffe3a627"
+ logic_hash = "085a4783c7c01ec95491d9999d1835ad9ab3dc70d77b944578e097b3ffe3a627"
 score = 75
 quality = 75
 tags = "FILE"
@@ -255962,13 +256448,13 @@ rule DITEKSHEN_MALWARE_Win_Lockfile : FILE
 meta:
 description = "Detects LockFile ransomware"
 author = "ditekSHen"
- id = "47b56f97-4f4c-55dc-a6ed-6821f14f1c32"
+ id = "762ac376-43ff-56d2-b279-2879ce6d8542"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L7998-L8014"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_28c8aa8931d599e5a1860fe2ed0b8172e709dad1a48a319858a907fa775af293"
+ logic_hash = "28c8aa8931d599e5a1860fe2ed0b8172e709dad1a48a319858a907fa775af293"
 score = 75
 quality = 71
 tags = "FILE"
@@ -255992,13 +256478,13 @@ rule DITEKSHEN_MALWARE_Win_HUNT_Foggyweb : FILE
 meta:
 description = "Attempt on hunting FoggyWeb"
 author = "ditekSHen"
- id = "282ac457-4f50-54fd-89e2-10b930422999"
+ id = "429827f7-2ccf-5c13-ac0d-1fd8b35a6740"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8016-L8032"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d868501bc52ad7787d9e99927dd61e9ad9e2132f02348fc71e64666bfc0c9e15"
+ logic_hash = "d868501bc52ad7787d9e99927dd61e9ad9e2132f02348fc71e64666bfc0c9e15"
 score = 50
 quality = 75
 tags = "FILE"
@@ -256022,13 +256508,13 @@ rule DITEKSHEN_MALWARE_Win_HUNT_Apostle
 meta:
 description = "Attempt on hunting new variants of Apostle"
 author = "ditekSHen"
- id = "3aacbb57-08f0-5247-b898-412d47d93be0"
+ id = "31d15111-6935-5a77-ae9a-6bee16c1d2f6"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8034-L8043"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9acab5dadee0760431376075450f54bbb32ebed10dc928db91a44d069afc1576"
+ logic_hash = "9acab5dadee0760431376075450f54bbb32ebed10dc928db91a44d069afc1576"
 score = 50
 quality = 73
 tags = ""
@@ -256047,13 +256533,13 @@ rule DITEKSHEN_MALWARE_Win_HUNT_Ghostemperor_Remotecontrolpayload : FILE
 meta:
 description = "Attempt on hunting GhostEmperor Stage 4 Remote Control Payload"
 author = "ditekSHen"
- id = "06762844-5a23-599d-820e-c2f666a8fa9c"
+ id = "d30a2aad-8bd6-5291-a31d-7dade250e57e"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8045-L8052"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dabce4e0add0d05b4efd8e7540e4f14767c7b5fab361bd731234dd9dd844c658"
+ logic_hash = "dabce4e0add0d05b4efd8e7540e4f14767c7b5fab361bd731234dd9dd844c658"
 score = 50
 quality = 75
 tags = "FILE"
@@ -256066,13 +256552,13 @@ rule DITEKSHEN_MALWARE_Win_Unicorn : FILE
 meta:
 description = "Detects Unicorn infostealer"
 author = "ditekSHen"
- id = "d493a66a-1094-5aa8-9f3a-4a0e4b0cf2fe"
+ id = "7cc8298d-abbd-5dda-bbd4-8b061095c367"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8077-L8107"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c4150b213c0dd88c87eb81e3ad455d8f658a57b0998bc6e394c5afac9423d9f2"
+ logic_hash = "c4150b213c0dd88c87eb81e3ad455d8f658a57b0998bc6e394c5afac9423d9f2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256110,13 +256596,13 @@ rule DITEKSHEN_MALWARE_Win_Spectre : FILE
 meta:
 description = "Detects Spectre infostealer"
 author = "ditekSHen"
- id = "c7fe56d8-3958-555c-8edd-0c477816dd37"
+ id = "43b32900-8dff-5a95-bcff-d6bd17703476"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8109-L8124"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ee041928ab5010fd5a06538f9a7cf9c72e44903fdb05f13b12362af0b326fd6f"
+ logic_hash = "ee041928ab5010fd5a06538f9a7cf9c72e44903fdb05f13b12362af0b326fd6f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256139,13 +256625,13 @@ rule DITEKSHEN_MALWARE_Win_HUNT_Blackbyte : FILE
 meta:
 description = "Attempt on hunting BlackByte ransomware"
 author = "ditekSHen"
- id = "1220f115-880f-5494-a7ee-e69e21556bde"
+ id = "c07e9b83-3bbf-52c9-b9fa-ca03f285a906"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8126-L8139"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4ceb71e42b888522c183af7e180bae47510fc7aa60a713aa83ffc2c98c03466f"
+ logic_hash = "4ceb71e42b888522c183af7e180bae47510fc7aa60a713aa83ffc2c98c03466f"
 score = 50
 quality = 57
 tags = "FILE"
@@ -256166,13 +256652,13 @@ rule DITEKSHEN_MALWARE_Win_Dlinjector05 : FILE
 meta:
 description = "Detects downloader / injector (NiceProcess)"
 author = "ditekSHen"
- id = "e89c385f-c55e-5c26-b61b-2b167c20ce29"
+ id = "857eb13b-a882-5326-b7aa-4d2fcd0b6425"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8141-L8158"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5345c2b03e14b7324a13bac0da783eec8c30da18043c1b2d46162e5b511fae63"
+ logic_hash = "5345c2b03e14b7324a13bac0da783eec8c30da18043c1b2d46162e5b511fae63"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256197,13 +256683,13 @@ rule DITEKSHEN_MALWARE_Win_Kutaki : FILE
 meta:
 description = "Detects Kutaki"
 author = "ditekSHen"
- id = "8bc8adb1-728d-5354-b383-3f0d77c2acfc"
+ id = "d91812bb-4564-56b5-9757-81255b5233fb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8160-L8173"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_24fbc9ca6de421275813c285a8fca91cfcede48f4b4de9feda010c644f0c251f"
+ logic_hash = "24fbc9ca6de421275813c285a8fca91cfcede48f4b4de9feda010c644f0c251f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256224,13 +256710,13 @@ rule DITEKSHEN_MALWARE_Win_Dlinjector06 : FILE
 meta:
 description = "Detects downloader / injector"
 author = "ditekSHen"
- id = "83502a12-305f-5a14-9bc7-bb4710ab0cc8"
+ id = "9d8164ee-49b3-5eb1-bd1d-9437fc6f1392"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8175-L8189"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e44ea8dbb94c6cd3b63d66eac3e9b3d6d5ff7d561410b8328e6c24630645305b"
+ logic_hash = "e44ea8dbb94c6cd3b63d66eac3e9b3d6d5ff7d561410b8328e6c24630645305b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256252,13 +256738,13 @@ rule DITEKSHEN_MALWARE_Win_Crown : FILE
 meta:
 description = "Detects Crown Tech Support Scam"
 author = "ditekSHen"
- id = "1c5ef5c6-6c62-5d16-928f-7326e2bf1e12"
+ id = "ac4551d0-a574-5287-9b37-899c736db792"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8191-L8211"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_eeb36993c93d76ed118643ee417f15e1768015f72464dbabca7ae001f64a0aef"
+ logic_hash = "eeb36993c93d76ed118643ee417f15e1768015f72464dbabca7ae001f64a0aef"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256288,13 +256774,13 @@ rule DITEKSHEN_MALWARE_Win_Floodfix : FILE
 meta:
 description = "Detects FloodFix"
 author = "ditekSHen"
- id = "a6778a05-dc7e-53b3-9234-2232ab80f570"
+ id = "b05b0b40-0de8-58a0-889e-44a12d346de4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8213-L8219"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d7da820b00ef5ee2e943b012cfa57421a39f8a7bfc627cc1909151a47092a26d"
+ logic_hash = "d7da820b00ef5ee2e943b012cfa57421a39f8a7bfc627cc1909151a47092a26d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256307,13 +256793,13 @@ rule DITEKSHEN_MALWARE_Win_UNK_Infostealer : FILE
 meta:
 description = "Detects unknown information stealer"
 author = "ditekSHen"
- id = "276ac287-3c2d-5315-b0ff-fc43c41e1075"
+ id = "f6f9816f-79bd-527c-9c0f-24e09c95ae35"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8221-L8246"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ca57ebf4b56020d278ec8a7e721c72de7a1f925a8e7f1f3a9edc8a70b88ff9d1"
+ logic_hash = "ca57ebf4b56020d278ec8a7e721c72de7a1f925a8e7f1f3a9edc8a70b88ff9d1"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256346,13 +256832,13 @@ rule DITEKSHEN_MALWARE_Win_DECAF : FILE
 meta:
 description = "Detects DECAF ransomware"
 author = "ditekSHen"
- id = "b4687ba4-47a9-5cb5-a652-7873c032fd07"
+ id = "c6e4ce00-0be9-572d-987c-c47d699002f0"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8248-L8268"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5d79a4f310fb00022eb9d636f161227e84a7e15517c4d2c39acafa7d81af5c2a"
+ logic_hash = "5d79a4f310fb00022eb9d636f161227e84a7e15517c4d2c39acafa7d81af5c2a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256382,13 +256868,13 @@ rule DITEKSHEN_MALWARE_Win_Windealer : FILE
 meta:
 description = "Detects WinDealer"
 author = "ditekSHen"
- id = "eb0fa010-5342-5bfa-a001-57a2e197545c"
+ id = "d4f3b0cc-121e-5032-9721-1e2a86842fa5"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8270-L8301"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_eabc41ea69f142ee7c243cbc75ceda909a722be382ad91a01c805aef637be915"
+ logic_hash = "eabc41ea69f142ee7c243cbc75ceda909a722be382ad91a01c805aef637be915"
 score = 75
 quality = 73
 tags = "FILE"
@@ -256427,13 +256913,13 @@ rule DITEKSHEN_MALWARE_Win_Exmatter : FILE
 meta:
 description = "Detects BlackMatter data exfiltration tool"
 author = "ditekSHen"
- id = "a03e82f6-5925-52a0-bf4d-de948b46b324"
+ id = "93df7a68-1e19-5db3-95d4-39d77d1036d8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8303-L8325"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_25a35c82919f96bdba00558616f574e901b83785713ed1a63a6f06df576777cd"
+ logic_hash = "25a35c82919f96bdba00558616f574e901b83785713ed1a63a6f06df576777cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256463,13 +256949,13 @@ rule DITEKSHEN_MALWARE_Win_Brbbot : FILE
 meta:
 description = "Detects BrbBot"
 author = "ditekSHen"
- id = "41f7709a-e85d-5c9b-9a01-f4cc67fb084e"
+ id = "d77dfdcf-4cd5-578e-99eb-c987e7b5b706"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8327-L8345"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_64df5bba698fbba1baf27eedb9a2eb46c5e0752996ea91900f8377200d54eeeb"
+ logic_hash = "64df5bba698fbba1baf27eedb9a2eb46c5e0752996ea91900f8377200d54eeeb"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256495,13 +256981,13 @@ rule DITEKSHEN_MALWARE_Win_Babylonrat : FILE
 meta:
 description = "Detects BabylonRAT / CollectorStealer / ParadoxRAT"
 author = "ditekSHen"
- id = "094ce0ec-f0d8-5136-8a8d-85cd844988d1"
+ id = "7352e0cf-64ab-5ba4-afaf-04067a0046e8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8347-L8373"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_352efb98e298e9f0ce17c20d44d193f2565ec559923210d80dec1a0988545a30"
+ logic_hash = "352efb98e298e9f0ce17c20d44d193f2565ec559923210d80dec1a0988545a30"
 score = 75
 quality = 50
 tags = "FILE"
@@ -256535,13 +257021,13 @@ rule DITEKSHEN_MALWARE_Win_Netsupport : FILE
 meta:
 description = "Detects NetSupport client"
 author = "ditekSHen"
- id = "416a5059-b59f-546d-a6b8-b6d49e58981c"
+ id = "958e82c5-aeac-58f4-b214-a9382b598cd9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8375-L8386"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4e8120d902fdee2a3f87c85bb6bb7d3bba79e3828500f297c2dc57d5213cf6a8"
+ logic_hash = "4e8120d902fdee2a3f87c85bb6bb7d3bba79e3828500f297c2dc57d5213cf6a8"
 score = 75
 quality = 50
 tags = "FILE"
@@ -256562,13 +257048,13 @@ rule DITEKSHEN_MALWARE_Win_Gobrutloader : FILE
 meta:
 description = "Detects GoBrut StealthWorker laoder"
 author = "ditekSHen"
- id = "88765b16-27a7-56d6-a0b0-d04439ca8641"
+ id = "748f8055-71d9-5757-8eb0-90dc3ee35c74"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8388-L8394"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6241117cffb147763ace41b36cd1524f48bfc7cb06d56a82d7b30bec9e1baf5b"
+ logic_hash = "6241117cffb147763ace41b36cd1524f48bfc7cb06d56a82d7b30bec9e1baf5b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256581,13 +257067,13 @@ rule DITEKSHEN_MALWARE_Win_Milan : FILE
 meta:
 description = "Detects Milan Lyceum backdoor"
 author = "ditekSHen"
- id = "c62b7f63-8c29-5d9c-86d2-927aad3701f5"
+ id = "2ea0775b-65d4-58b9-9af9-c07f29742627"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8396-L8467"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_102af43be7cc3d873fbce78c95c767ebb6aadb2e7084b48f3cf48c11071d7a71"
+ logic_hash = "102af43be7cc3d873fbce78c95c767ebb6aadb2e7084b48f3cf48c11071d7a71"
 score = 75
 quality = 50
 tags = "FILE"
@@ -256666,13 +257152,13 @@ rule DITEKSHEN_MALWARE_Win_UNK05 : FILE
 meta:
 description = "Detects potential BazarLoader"
 author = "ditekSHen"
- id = "7e1d879e-66c1-5ac7-9d0e-ff1eb72915b0"
+ id = "12f66315-f381-5910-b1d4-2cbf21c889a4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8469-L8486"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b3074f237fbaf449a53dcc219f48509db6af4c0d0859e6590563c3412be30aa8"
+ logic_hash = "b3074f237fbaf449a53dcc219f48509db6af4c0d0859e6590563c3412be30aa8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256697,13 +257183,13 @@ rule DITEKSHEN_MALWARE_Win_Clipbanker01 : FILE
 meta:
 description = "Detects ClipBanker infostealer"
 author = "ditekSHen"
- id = "03c50476-3d0a-5165-bfbb-29293da9382c"
+ id = "b56514f4-8362-5698-8142-be836b70a11a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8488-L8521"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8ef90e22299a1009468761a4cdb8e2a92920d721f1a7ebceeb81a07e14f9156f"
+ logic_hash = "8ef90e22299a1009468761a4cdb8e2a92920d721f1a7ebceeb81a07e14f9156f"
 score = 75
 quality = 73
 tags = "FILE"
@@ -256744,13 +257230,13 @@ rule DITEKSHEN_MALWARE_Win_Zombieboy : FILE
 meta:
 description = "Detects ZombieBoy Downloader"
 author = "ditekSHen"
- id = "83ccfe37-21aa-5b37-a932-15322bfc6819"
+ id = "c1345196-1686-534c-ab4c-557113c83411"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8523-L8532"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0840367c1b56c4c266f22400df95411ba7784b98919a922380e1ec789783bb65"
+ logic_hash = "0840367c1b56c4c266f22400df95411ba7784b98919a922380e1ec789783bb65"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256767,13 +257253,13 @@ rule DITEKSHEN_MALWARE_Win_Pcrat : FILE
 meta:
 description = "Detects PCRat / Gh0st"
 author = "ditekSHen"
- id = "ec7cc7ee-2274-5c3f-9ab1-289205395e59"
+ id = "de5b3e08-16da-56e2-a0a4-d8bed5840804"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8534-L8561"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ad56d7d6a2bb6d09bc4530c31b51456b6bbca5def1810449fd2a31973cce18f8"
+ logic_hash = "ad56d7d6a2bb6d09bc4530c31b51456b6bbca5def1810449fd2a31973cce18f8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -256808,13 +257294,13 @@ rule DITEKSHEN_MALWARE_Win_Rapid : FILE meta: description = "Detects Rapid ransomware" author = "ditekSHen" - id = "4dcfba90-6b6f-5433-a1cf-d46190e5a6dd" + id = "3a23f344-8345-5ae8-aacb-f2f422d3fc9d" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8563-L8585" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c3f1bffeb402951da8bcccc899b2cdeb3c218b342d8338c750b9ff275537b4b5" + logic_hash = "c3f1bffeb402951da8bcccc899b2cdeb3c218b342d8338c750b9ff275537b4b5" score = 75 quality = 75 tags = "FILE" @@ -256844,13 +257330,13 @@ rule DITEKSHEN_MALWARE_Win_Satana : FILE meta: description = "Detects Satana ransomware" author = "ditekSHen" - id = "ed3fc9ca-59d4-5f72-90c0-30246d8c5a46" + id = "f3cb7cc4-3c63-50b2-8e19-d675abbb33f8" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8587-L8604" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b2946e8c37be4a57237999aaa0c0a760a181306320162e04bc6fc12a542b81d5" + logic_hash = "b2946e8c37be4a57237999aaa0c0a760a181306320162e04bc6fc12a542b81d5" score = 75 quality = 73 tags = "FILE" 
@@ -256875,13 +257361,13 @@ rule DITEKSHEN_MALWARE_Win_Virlock : FILE meta: description = "Detects VirLock ransomware" author = "ditekSHen" - id = "ea6db8bb-2a14-5e58-a5c7-5ecb2b3602c8" + id = "dbf46963-3e74-54a0-8f7d-b24436c3ea2c" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8606-L8624" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_8d516a0d771d7134c0f917f010b3973ed53b4ee7e4a2cf0bb5daecf9867b0081" + logic_hash = "8d516a0d771d7134c0f917f010b3973ed53b4ee7e4a2cf0bb5daecf9867b0081" score = 75 quality = 75 tags = "FILE" @@ -256907,13 +257393,13 @@ rule DITEKSHEN_MALWARE_Win_Piratestealer : FILE meta: description = "Detects PirateStealer" author = "ditekSHen" - id = "c6e797f1-b219-5d48-b4cf-1523290d6014" + id = "07278b99-b990-5016-8389-fbd27538a722" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8626-L8644" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c29fbc6cfa9e529218fa7315481e0922dc10b2da729931b8580bdd76ecdf6b68" + logic_hash = "c29fbc6cfa9e529218fa7315481e0922dc10b2da729931b8580bdd76ecdf6b68" score = 50 quality = 75 tags = "FILE" 
@@ -256939,13 +257425,13 @@ rule DITEKSHEN_MALWARE_Win_Nglite : FILE meta: description = "Detects NGLite" author = "ditekSHen" - id = "0a05526c-78c9-5233-9b25-220c402d3749" + id = "b014ed4f-57b1-597e-befc-6e7f80855201" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8646-L8668" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d83663908949f69018461c73cf7137cf4ab16cc057cfe47942e6de0415ab5447" + logic_hash = "d83663908949f69018461c73cf7137cf4ab16cc057cfe47942e6de0415ab5447" score = 75 quality = 75 tags = "FILE" @@ -256977,13 +257463,13 @@ rule DITEKSHEN_MALWARE_Win_Kdcsponge : FILE meta: description = "Detects KdcSponge" author = "ditekSHen" - id = "7a2e33e8-82d6-5438-8094-4df6c0f72c3c" + id = "8832a141-a85d-5604-992e-7e9bd892d410" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8670-L8700" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c891db94df9cde9eaa6096ad68d96c7b85a9c03e255ce43ccb8543a016bd3853" + logic_hash = "c891db94df9cde9eaa6096ad68d96c7b85a9c03e255ce43ccb8543a016bd3853" score = 75 quality = 65 tags = "FILE" 
@@ -257009,13 +257495,13 @@ rule DITEKSHEN_MALWARE_Win_Chinotto : FILE meta: description = "Detects Chinotto" author = "ditekSHen" - id = "26463703-4fb4-5340-acac-2ad349aaed19" + id = "e66703d4-c9c6-5bb4-9e07-11dc89b0a034" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8702-L8754" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_92f37bdc4cf17e07bb556c60e3bde4547c34f67a2fb5c806000d9cb2446adff1" + logic_hash = "92f37bdc4cf17e07bb556c60e3bde4547c34f67a2fb5c806000d9cb2446adff1" score = 75 quality = 73 tags = "FILE" @@ -257077,13 +257563,13 @@ rule DITEKSHEN_MALWARE_Win_Tardigrade : FILE meta: description = "Detects Tardigrade" author = "ditekSHen" - id = "57821a6d-9075-572c-ba9d-fad901251b7b" + id = "a46caaaa-2954-552a-a20f-952c47370393" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8756-L8787" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2bd4f23f66844a320b6bed6242ba39096f66a08affb84abd78c342d433ed9fe6" + logic_hash = "2bd4f23f66844a320b6bed6242ba39096f66a08affb84abd78c342d433ed9fe6" score = 75 quality = 75 tags = "FILE" 
@@ -257113,13 +257599,13 @@ rule DITEKSHEN_MALWARE_Win_Clipbanker02 : FILE meta: description = "Detects ClipBanker infostealer" author = "ditekSHen" - id = "0466c034-8152-51bd-a048-57914aef21b8" + id = "c2a480cf-e81b-53a2-999a-80209050e0cf" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8789-L8814" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_51a43245b1e0b6fea874302b73bf552012c54c3f7c12b8c447c96c2ffdcc1dcb" + logic_hash = "51a43245b1e0b6fea874302b73bf552012c54c3f7c12b8c447c96c2ffdcc1dcb" score = 75 quality = 75 tags = "FILE" @@ -257152,13 +257638,13 @@ rule DITEKSHEN_MALWARE_Win_Badjoke : FILE meta: description = "Detects BadJoke / Witch" author = "ditekSHen" - id = "31d003e8-bcc3-5e5b-b31d-3656de4a4e26" + id = "082727d5-618f-542d-93ca-ba93be16cd80" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8816-L8831" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4699a772bcd50d2fe43740df59a4c56598ba43ebcc18acbf8ec401b6f5a01fe6" + logic_hash = "4699a772bcd50d2fe43740df59a4c56598ba43ebcc18acbf8ec401b6f5a01fe6" score = 75 quality = 75 tags = "FILE" 
@@ -257181,13 +257667,13 @@ rule DITEKSHEN_MALWARE_Win_Heracles : FILE meta: description = "Detects Heracles infostealer" author = "ditekSHen" - id = "16b68220-3799-5b27-8654-3f35dde693fd" + id = "36cb9366-c70b-5117-955f-402f87f3a88c" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8833-L8861" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1d5c80c084f9d6e4692a18f74574179095ecdd5eaadd70b5d16c19702761d74f" + logic_hash = "1d5c80c084f9d6e4692a18f74574179095ecdd5eaadd70b5d16c19702761d74f" score = 75 quality = 73 tags = "FILE" @@ -257223,13 +257709,13 @@ rule DITEKSHEN_MALWARE_Win_Onlylogger : FILE meta: description = "Detects OnlyLogger loader variants" author = "ditekSHen" - id = "e33c897e-b1f5-5aaa-8d23-a59d472c4d5b" + id = "525aa2a0-5090-5f96-999b-67ca4379f897" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8863-L8882" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1b39a4d2a6d3a2633cfa98adc1dfe99d10d2493fd06c9f875c56ec7689b7a561" + logic_hash = "1b39a4d2a6d3a2633cfa98adc1dfe99d10d2493fd06c9f875c56ec7689b7a561" score = 75 quality = 50 tags = "FILE" 
@@ -257256,13 +257742,13 @@ rule DITEKSHEN_MALWARE_Win_Blackbytego : FILE meta: description = "Detects BlackByte ransomware Go variants" author = "ditekSHen" - id = "b143cc1c-0e39-5bd1-b290-ea018357b5b4" + id = "25431446-8cce-54cc-925d-5d9147344c6d" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8884-L8904" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b3e6a4a2f043293e8693cfbe1515681ce0616d98e2492732fc06a01a96309883" + logic_hash = "b3e6a4a2f043293e8693cfbe1515681ce0616d98e2492732fc06a01a96309883" score = 75 quality = 75 tags = "FILE" @@ -257288,13 +257774,13 @@ rule DITEKSHEN_MALWARE_Win_Vulturi : FILE meta: description = "Detects Vulturi infostealer" author = "ditekSHen" - id = "2d2566c1-fd08-55c6-a029-330835f0992e" + id = "dca814d6-ca26-5315-9f80-628ee50e8dfa" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8906-L8931" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4d1d88764dd72ae78a74b802e11c2f28899b7b9f45c54cf3bf7aaac49dd48d7f" + logic_hash = "4d1d88764dd72ae78a74b802e11c2f28899b7b9f45c54cf3bf7aaac49dd48d7f" score = 75 quality = 75 tags = "FILE" 
@@ -257327,13 +257813,13 @@ rule DITEKSHEN_MALWARE_Win_Tofsee : FILE meta: description = "Detects Tofsee" author = "ditekSHen" - id = "1d01a42b-65ef-5698-bd64-24931e733a8e" + id = "86371c0b-72f9-56c0-9f34-f14d2a069c91" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8933-L8949" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9ef06643173c70c5b06b19200cb5b5efa7db7eb3516b67621f0b1975f1c80781" + logic_hash = "9ef06643173c70c5b06b19200cb5b5efa7db7eb3516b67621f0b1975f1c80781" score = 75 quality = 75 tags = "FILE" @@ -257357,13 +257843,13 @@ rule DITEKSHEN_MALWARE_Win_Khonsari : FILE meta: description = "Detects Khonsari ransomware" author = "ditekSHen" - id = "2ee82a64-83e5-5918-9b70-65e7c5a30042" + id = "2d562e62-a948-570d-8ff2-cc4835b91573" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8951-L8963" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_2a78f36259481fccb31b2e6248fed19699b6eb05bacfd08905414764c3045943" + logic_hash = "2a78f36259481fccb31b2e6248fed19699b6eb05bacfd08905414764c3045943" score = 75 quality = 73 tags = "FILE" 
@@ -257385,13 +257871,13 @@ rule DITEKSHEN_MALWARE_Win_Quantum : FILE meta: description = "Detects Quantum locker / ransomware" author = "ditekSHen" - id = "c1a9fb46-9df2-5d5e-8c5a-5557ce41fafd" + id = "76a9240e-5b4f-5a1e-9841-e5ba855fb06f" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8965-L8987" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f35422d1f52f1f9f55a5e38c782d2cf621cd84da028358ab250584334d41249c" + logic_hash = "f35422d1f52f1f9f55a5e38c782d2cf621cd84da028358ab250584334d41249c" score = 75 quality = 75 tags = "FILE" @@ -257421,13 +257907,13 @@ rule DITEKSHEN_MALWARE_Win_Owowa : FILE meta: description = "Detects Owowa" author = "ditekSHen" - id = "f0884657-6ba7-53a9-ba30-db76a60e9688" + id = "c0a61601-e810-5acc-91a3-fa70db6d94da" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L8989-L9007" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_afdeb30845ed4ef7b79e733e05d3e1ee53a8c441db74519577893d75c1249a41" + logic_hash = "afdeb30845ed4ef7b79e733e05d3e1ee53a8c441db74519577893d75c1249a41" score = 75 quality = 75 tags = "FILE" 
@@ -257453,13 +257939,13 @@ rule DITEKSHEN_MALWARE_Win_Chebka : FILE meta: description = "Detects Chebka" author = "ditekSHen" - id = "5b78d482-5cab-5508-b4cb-646ccd622e5f" + id = "df486522-695c-56f5-b93a-6f16829a3a3e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9009-L9030" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_cc8123a5d20fac51d4dfc225e743539456efb4d649060d078c3ed93e7724da01" + logic_hash = "cc8123a5d20fac51d4dfc225e743539456efb4d649060d078c3ed93e7724da01" score = 75 quality = 75 tags = "FILE" @@ -257488,13 +257974,13 @@ rule DITEKSHEN_MALWARE_Win_Flagpro : FILE meta: description = "Detects Flagpro" author = "ditekSHen" - id = "604c3b18-f4f8-5033-959d-7360b961ebde" + id = "da1bf899-feb5-5ed0-956e-c20bc3565a6e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9032-L9049" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c5e5944426b7be690ad62dd0d98a8fc6f8135cab0dbdd8a5aaf1670491eda59d" + logic_hash = "c5e5944426b7be690ad62dd0d98a8fc6f8135cab0dbdd8a5aaf1670491eda59d" score = 75 quality = 75 tags = "FILE" 
@@ -257519,13 +258005,13 @@ rule DITEKSHEN_MALWARE_Win_Nplusminer meta: description = "Detects PowerShell based NPlusMiner" author = "ditekSHen" - id = "e1820843-4465-5c1f-9ac8-7af76ac11d93" + id = "a16b504f-e69a-5abb-8e37-01bf7c2df6ef" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9051-L9064" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f6b81c2276765455d46e20ed81e19caa3ae36a31827568486a09bc1619ec478c" + logic_hash = "f6b81c2276765455d46e20ed81e19caa3ae36a31827568486a09bc1619ec478c" score = 75 quality = 75 tags = "" @@ -257546,13 +258032,13 @@ rule DITEKSHEN_MALWARE_Win_PWSH_Poshcookiestealer meta: description = "Detects PowerShell PoshCookieStealer" author = "ditekSHen" - id = "f7b454c4-2691-53e9-b786-920947db72d0" + id = "7326a056-288b-534b-811d-172bd6936d7b" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9066-L9080" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_234958098d09732675dd539e8d25c6754ba50bf92b3a19e7fef8c68d70503ec4" + logic_hash = "234958098d09732675dd539e8d25c6754ba50bf92b3a19e7fef8c68d70503ec4" score = 75 quality = 75 tags = "" 
@@ -257574,13 +258060,13 @@ rule DITEKSHEN_MALWARE_Win_Garrantdecrypt : FILE meta: description = "Detects GarrantDecrypt ransomware" author = "ditekSHen" - id = "703e3acf-42a1-5fd8-bd6c-ad3f29d6a4a1" + id = "e3be3663-9978-5b8e-b6b2-0f44f269adb2" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9082-L9096" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_84b139e51f0ef0389c641d62409d702b0ae7ec6ecd2fa54baf2cf0c0078a8f5a" + logic_hash = "84b139e51f0ef0389c641d62409d702b0ae7ec6ecd2fa54baf2cf0c0078a8f5a" score = 75 quality = 75 tags = "FILE" @@ -257602,13 +258088,13 @@ rule DITEKSHEN_MALWARE_Win_Locked : FILE meta: description = "Detects Locked ransomware" author = "ditekSHen" - id = "9cec2f47-6db8-56f7-aaa9-da88079e43f6" + id = "ad2f91ab-9bbb-5d47-a5c3-5a38dbab2ebe" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9098-L9114" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b838b996946fb268c66bac68d5e326ff3049340dfb08f2e0a77492df49915d5a" + logic_hash = "b838b996946fb268c66bac68d5e326ff3049340dfb08f2e0a77492df49915d5a" score = 75 quality = 73 tags = "FILE" 
@@ -257632,13 +258118,13 @@ rule DITEKSHEN_MALWARE_Win_Maze : FILE meta: description = "Detects Maze ransomware" author = "ditekSHen" - id = "1e06d277-973e-5552-8293-3456473cbaa1" + id = "f5d1d3e2-1ffe-5ec6-b1ee-bded81867fb8" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9116-L9145" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d3ce3b43c65dfd9f59ba3c6b64e8d7687db175673cc62068caa1e1da023390c0" + logic_hash = "d3ce3b43c65dfd9f59ba3c6b64e8d7687db175673cc62068caa1e1da023390c0" score = 75 quality = 75 tags = "FILE" @@ -257675,13 +258161,13 @@ rule DITEKSHEN_MALWARE_Win_Teslarevenge : FILE meta: description = "Detects TeslaRevenge ransomware" author = "ditekSHen" - id = "5e2b13a9-5ce0-5c65-9262-fd172ce882b2" + id = "13e5bb15-47eb-5e49-a1a5-3d51cacede2f" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9147-L9167" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0f68eae8a076d00c8d058ec148d3557f5770dc827d4690b931faf98797426dbc" + logic_hash = "0f68eae8a076d00c8d058ec148d3557f5770dc827d4690b931faf98797426dbc" score = 75 quality = 65 tags = "FILE" 
@@ -257709,13 +258195,13 @@ rule DITEKSHEN_MALWARE_Win_Lokilocker : FILE meta: description = "Detects LokiLocker ransomware" author = "ditekSHen" - id = "6da8f594-463c-5c1c-a64e-cd27a1c047b0" + id = "4f4927c5-79e6-5c5a-b84d-c4728affe9e1" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9169-L9194" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bf78f5e8f40c1a19f6b078a85854e95d5ef1f321393a831edda17b0d65515da7" + logic_hash = "bf78f5e8f40c1a19f6b078a85854e95d5ef1f321393a831edda17b0d65515da7" score = 75 quality = 75 tags = "FILE" @@ -257748,13 +258234,13 @@ rule DITEKSHEN_MALWARE_Osx_Dazzlespy : FILE meta: description = "Attemp at hunting for DazzleSpy" author = "ditekSHen" - id = "67ed9be0-51cd-562e-ad4a-c4ca554036ad" + id = "8c5f6605-13d2-578e-9e0b-6a8226991ac5" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9196-L9210" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_61305384055f71d92ce2ac3d427a1b6f85ce21f502e759f3af952127b1413470" + logic_hash = "61305384055f71d92ce2ac3d427a1b6f85ce21f502e759f3af952127b1413470" score = 50 quality = 71 tags = "FILE" 
@@ -257776,13 +258262,13 @@ rule DITEKSHEN_MALWARE_Win_Bhunt : FILE meta: description = "Detects BHunt infostealer" author = "ditekSHen" - id = "0400e653-759e-5ae1-a551-56cbbc6c599c" + id = "4c699f10-64a0-5e3c-af00-e08ebe1c6830" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9212-L9233" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ca0a7e6898047fa3b369125a4402e2beffd328a5db47b1d5dd5914a86d6f0073" + logic_hash = "ca0a7e6898047fa3b369125a4402e2beffd328a5db47b1d5dd5914a86d6f0073" score = 75 quality = 75 tags = "FILE" @@ -257811,13 +258297,13 @@ rule DITEKSHEN_MALWARE_Win_Lorenz : FILE meta: description = "Detects Lorenz ransomware" author = "ditekSHen" - id = "41b00f10-71b5-5755-8fcd-eeefacb12445" + id = "9c11cfbc-aa77-5138-81e4-3a5f4f21a470" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9235-L9265" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e9fc9d405b955c379ae40b1804d43b19999f6ea264fc645c897080fb020e8ae8" + logic_hash = "e9fc9d405b955c379ae40b1804d43b19999f6ea264fc645c897080fb020e8ae8" score = 75 quality = 73 tags = "FILE" 
@@ -257855,13 +258341,13 @@ rule DITEKSHEN_MALWARE_Win_Blackcat : FILE meta: description = "Detects BlackCat ransomware" author = "ditekSHen" - id = "beaffcae-8cc2-55c6-8096-cef5dd6cdbe7" + id = "b6831d84-40d7-52ae-8c4d-30b087b0007b" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9267-L9289" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_cd76e5b87f33d91c17fd032417583c3f68d0e310aaf6f08e26ec5d53844ed9d2" + logic_hash = "cd76e5b87f33d91c17fd032417583c3f68d0e310aaf6f08e26ec5d53844ed9d2" score = 75 quality = 75 tags = "FILE" @@ -257889,13 +258375,13 @@ rule DITEKSHEN_MALWARE_Win_Koxic : FILE meta: description = "Detects Koxic ransomware" author = "ditekSHen" - id = "62b8fb51-fa4f-57a8-94a4-7bca14d31a3f" + id = "6a82bf44-b155-5746-b798-20a13623a14a" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9291-L9309" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d874c8ebf330814e52d159cbf71f8bc05ebeb4a9fb93d96c3f861b51e57925a3" + logic_hash = "d874c8ebf330814e52d159cbf71f8bc05ebeb4a9fb93d96c3f861b51e57925a3" score = 75 quality = 25 tags = "FILE" 
@@ -257921,13 +258407,13 @@ rule DITEKSHEN_MALWARE_Win_Timetime : FILE meta: description = "Detects TimeTime ransomware" author = "ditekSHen" - id = "93c59d1f-f5ef-5f64-b2dc-1cac74caa363" + id = "4d6a31b5-b5a5-58e2-bfce-c40c72cda391" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9311-L9327" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c75ca595ff25f8c79bfe8e5c6af29349be8f07c2de79fd24f09b02afffb7168b" + logic_hash = "c75ca595ff25f8c79bfe8e5c6af29349be8f07c2de79fd24f09b02afffb7168b" score = 75 quality = 75 tags = "FILE" @@ -257951,13 +258437,13 @@ rule DITEKSHEN_MALWARE_Win_Strifewater : FILE meta: description = "Detects StrifeWater RAT" author = "ditekSHen" - id = "c7e2c948-6af8-5747-aa95-b1eb4b239aa9" + id = "69f0bd07-3e4e-5245-9c42-c3f8199b566e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9329-L9354" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ddb189dfe58af08d2c0682239551a5b9d82db94eedcefc02895316bcbbaca3f2" + logic_hash = "ddb189dfe58af08d2c0682239551a5b9d82db94eedcefc02895316bcbbaca3f2" score = 75 quality = 75 tags = "FILE" 
@@ -257990,13 +258476,13 @@ rule DITEKSHEN_MALWARE_Win_Surtr : FILE meta: description = "Detects Surtr ransomware. Ransom note is similar to LockFile" author = "ditekSHen" - id = "9c1eedf3-56fa-55e4-a3f7-10fd3c59f614" + id = "7a31415d-5c03-5537-9adb-65e637f9fa0e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9356-L9378" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a8db5588079d471d8904f0444973973a0c01dbec1ccbe3d43a34d41a0dde495d" + logic_hash = "a8db5588079d471d8904f0444973973a0c01dbec1ccbe3d43a34d41a0dde495d" score = 75 quality = 75 tags = "FILE" @@ -258022,13 +258508,13 @@ rule DITEKSHEN_MALWARE_Win_Udprat : FILE meta: description = "Detects UDPRat" author = "ditekSHen" - id = "40baf759-358c-599f-a86d-94fad092678f" + id = "938fc9fd-4f08-5c23-8583-06083d2efe59" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9380-L9395" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_4606b304d179148c6e44a0a8329675f2823f862a0944284cb646e5910659ea7c" + logic_hash = "4606b304d179148c6e44a0a8329675f2823f862a0944284cb646e5910659ea7c" score = 75 quality = 75 tags = "FILE" 
@@ -258051,13 +258537,13 @@ rule DITEKSHEN_MALWARE_Win_Jesterstealer : FILE meta: description = "Detects JesterStealer" author = "ditekSHen" - id = "a1a8ccc3-1347-57e8-8962-5843e681b33a" + id = "7b07061f-97a4-5158-8084-46ccf212f6be" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9397-L9417" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_c84df5d3ad2bc7a75a11c07995cc034c2a92b2f6f6f6943288add9c44c57bf6d" + logic_hash = "c84df5d3ad2bc7a75a11c07995cc034c2a92b2f6f6f6943288add9c44c57bf6d" score = 75 quality = 75 tags = "FILE" @@ -258085,13 +258571,13 @@ rule DITEKSHEN_MALWARE_Win_Soranostealer : FILE meta: description = "Detects SoranoStealer / HogGrabber. Available on Github: /Alexuiop1337/SoranoStealer" author = "ditekSHen" - id = "533aa078-faaf-5515-9e68-044eb2af5781" + id = "2fc40a73-5f28-5b5c-938a-35e8336e1d11" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9419-L9443" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_27c9d6bf3f40f3d41c35975e856671fafcd4a0a8143b3bcbdff61c1fb28a37ab" + logic_hash = "27c9d6bf3f40f3d41c35975e856671fafcd4a0a8143b3bcbdff61c1fb28a37ab" score = 75 quality = 75 tags = "FILE" 
@@ -258123,13 +258609,13 @@ rule DITEKSHEN_MALWARE_Win_Gloomanestealer : FILE meta: description = "Detects GloomaneStealer" author = "ditekSHen" - id = "56109579-5842-539c-a1c8-3819aea861e4" + id = "6e3c7e8f-4b75-5198-aa41-076f29aac227" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9445-L9461" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_36aa9f863efb8172ed6449932169e6cb26cdeedd84bc734e09a8116a9c7774ac" + logic_hash = "36aa9f863efb8172ed6449932169e6cb26cdeedd84bc734e09a8116a9c7774ac" score = 75 quality = 75 tags = "FILE" @@ -258153,13 +258639,13 @@ rule DITEKSHEN_MALWARE_Win_Lockdown : FILE meta: description = "Detects Lockdown / cantopen ransomware" author = "ditekSHen" - id = "31a2473f-3c5d-5ed1-8566-37f64b9bf2cd" + id = "793df99d-016a-5f96-9ff9-76d3f08e0dd2" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9463-L9476" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_a9bc2f514730703f3edf78a61f1bc357eee12b3289fc7491197c3b885286ca7e" + logic_hash = "a9bc2f514730703f3edf78a61f1bc357eee12b3289fc7491197c3b885286ca7e" score = 75 quality = 73 tags = "FILE" 
@@ -258180,13 +258666,13 @@ rule DITEKSHEN_MALWARE_Win_Unamedstealer : FILE meta: description = "Detects unknown infostealer. Observed as 2nd stage and injects into .NET AppLaunch.exe" author = "ditekSHen" - id = "d8874018-eb91-5241-bb30-169f7b09582e" + id = "cb3d575b-3d53-5b89-abc1-3b3857ec9f46" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9478-L9494" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_84f4ac7489a0d522763f69ce55f816642a8511dc4b9698ce47c983020a2b7bea" + logic_hash = "84f4ac7489a0d522763f69ce55f816642a8511dc4b9698ce47c983020a2b7bea" score = 75 quality = 75 tags = "FILE" @@ -258212,13 +258698,13 @@ rule DITEKSHEN_MALWARE_Win_Zxshell_Loader : FILE meta: description = "Detects ZXShell kernel driver loader" author = "ditekSHen" - id = "a6b99f3e-8178-5b12-bc70-8d90374912e9" + id = "c55c718b-6af3-5d3b-aa1c-369319fca603" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9496-L9544" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_b20350af231e0c329423c71d8f099305ed447d2ffcb7a533b7531dc9f5357b93" + logic_hash = "b20350af231e0c329423c71d8f099305ed447d2ffcb7a533b7531dc9f5357b93" score = 75 quality = 57 tags = "FILE" 
@@ -258259,13 +258745,13 @@ rule DITEKSHEN_MALWARE_Win_Bandit : FILE
 meta:
 description = "Detects Bandit Infostealer"
 author = "ditekSHen"
- id = "795621a8-514c-5a5c-9806-7fc83318f3cd"
+ id = "06866232-bd40-5bbc-9f08-3892193b5f36"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9546-L9582"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e557f5a928b5da90f3ec878d6d8615a2d8b5f33e97954cd3278044f76b543386"
+ logic_hash = "e557f5a928b5da90f3ec878d6d8615a2d8b5f33e97954cd3278044f76b543386"
 score = 75
 quality = 57
 tags = "FILE"
@@ -258309,13 +258795,13 @@ rule DITEKSHEN_MALWARE_Win_Laplas : FILE
 meta:
 description = "Detects LapLas Infostealer"
 author = "ditekSHen"
- id = "cec2b1dd-a28b-5fba-8c73-809c2abc23b7"
+ id = "bf2b0183-2b21-535a-896c-250fa448d090"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9584-L9612"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e4a1f39a539782118db9c4ab89d03e359420397ef970165389cc79e7ea0952b3"
+ logic_hash = "e4a1f39a539782118db9c4ab89d03e359420397ef970165389cc79e7ea0952b3"
 score = 75
 quality = 50
 tags = "FILE"
@@ -258349,13 +258835,13 @@ rule DITEKSHEN_MALWARE_Win_Mystic : FILE
 meta:
 description = "Hunt for Mystic Infostealer"
 author = "ditekSHen"
- id = "ebdcba26-3c04-5321-a82f-382a1d2670fe"
+ id = "959eceab-0a2c-5361-b8f4-6739033ffae5"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9614-L9628"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_26e0b85141df818d70124c0b19b5b6a05ac24ae679724d7a8ad94415a6462d17"
+ logic_hash = "26e0b85141df818d70124c0b19b5b6a05ac24ae679724d7a8ad94415a6462d17"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258377,13 +258863,13 @@ rule DITEKSHEN_MALWARE_Linux_Buhti : FILE
 meta:
 description = "Detects Buhti Ransomware"
 author = "ditekSHen"
- id = "1ca43e8d-9390-5821-a769-7df27f520b7e"
+ id = "a50b8c34-e9e2-5466-80a1-b0ab805c68be"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9630-L9643"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1bab3202dbeaf088b233c3ab1056c357d156b7eef3111bea997b1c610a27f561"
+ logic_hash = "1bab3202dbeaf088b233c3ab1056c357d156b7eef3111bea997b1c610a27f561"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258404,13 +258890,13 @@ rule DITEKSHEN_MALWARE_Win_Commonmagic : FILE
 meta:
 description = "Detects CommonMagic and Modules"
 author = "ditekSHen"
- id = "68bf7d44-0465-5f88-bfb3-d6526b8065f2"
+ id = "cbebe334-9b66-5931-8f92-25d080f7fd6a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9645-L9660"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e94ba53f31f3effe12b1fbaca19fea59c0e12f742f6fc0af2a0a679bf4299cbe"
+ logic_hash = "e94ba53f31f3effe12b1fbaca19fea59c0e12f742f6fc0af2a0a679bf4299cbe"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258433,13 +258919,13 @@ rule DITEKSHEN_MALWARE_Win_Greetingghoul : FILE
 meta:
 description = "Detects GreetingGhoul Cryptocurrency Infostealer"
 author = "ditekSHen"
- id = "f8343072-f053-5511-a6cf-6bbe07bc004a"
+ id = "42791b26-1cda-5bf3-b955-9de2dda1d63b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9662-L9679"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5a2635066df031ba6e291c3ba14f9ed85bf3247c82c66eb1b3d3618fdebb47a6"
+ logic_hash = "5a2635066df031ba6e291c3ba14f9ed85bf3247c82c66eb1b3d3618fdebb47a6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258464,13 +258950,13 @@ rule DITEKSHEN_MALWARE_Win_Multi_Family_Infostealer : FILE
 meta:
 description = "Detects Prynt, WorldWind, DarkEye, Stealerium and ToxicEye / TelegramRAT infostealers"
 author = "ditekSHen"
- id = "6efb664a-867a-5ac5-acbd-d0b25bf61444"
+ id = "960830ba-df0d-539d-be2a-7778229f79bd"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9681-L9703"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0fdd1cdc4f2e5bee6c763e6e6b2e79d85285e44e2b5e3168a56d7d360252ee99"
+ logic_hash = "0fdd1cdc4f2e5bee6c763e6e6b2e79d85285e44e2b5e3168a56d7d360252ee99"
 score = 75
 quality = 73
 tags = "FILE"
@@ -258500,13 +258986,13 @@ rule DITEKSHEN_MALWARE_Win_Worldwind : FILE
 meta:
 description = "Detects WorldWind infostealer"
 author = "ditekSHen"
- id = "382f9037-e024-5ab0-ba48-2f5714b09a32"
+ id = "226f591a-dc06-54f5-96ae-d142f624ff71"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9705-L9726"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9bb04fad460193cd877ea7f2de9337f69aadda01aee6c79f0a23cdf564b1e6c8"
+ logic_hash = "9bb04fad460193cd877ea7f2de9337f69aadda01aee6c79f0a23cdf564b1e6c8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258535,13 +259021,13 @@ rule DITEKSHEN_MALWARE_Win_Prynt : FILE
 meta:
 description = "Detects Prynt infostealer"
 author = "ditekSHen"
- id = "7b699f87-47e6-5caf-8117-e15fceeb1cac"
+ id = "844fd100-b04e-5ff0-9fab-d45f48b55bcc"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9728-L9749"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_84f2b33285ab1d129a62940a02990639cc8f7c92d490d7257e6aed9170d1e34e"
+ logic_hash = "84f2b33285ab1d129a62940a02990639cc8f7c92d490d7257e6aed9170d1e34e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258570,13 +259056,13 @@ rule DITEKSHEN_MALWARE_Win_Darkeye : FILE
 meta:
 description = "Detects DarkEye infostealer"
 author = "ditekSHen"
- id = "b5007fea-f65e-51ef-93a2-97a6acd52622"
+ id = "5296fe28-b54e-5d0f-aa2f-2050db585d82"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9751-L9770"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5496dcbfe075a4030a446027765186e9dd1931561a29a481139281e1708ce87d"
+ logic_hash = "5496dcbfe075a4030a446027765186e9dd1931561a29a481139281e1708ce87d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258603,13 +259089,13 @@ rule DITEKSHEN_MALWARE_Win_Invalidprinter : FILE
 meta:
 description = "Invalid Printer (in2al5d p3in4er) Loader"
 author = "ditekSHen"
- id = "0f900ea5-6616-5985-b529-55f048c94c73"
+ id = "9b0a59e1-8105-5687-83b2-fb96229f59f9"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9772-L9782"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d14d53b2a73952244641f4e68a3dd5af8cb1e2bfc5936f300f9347b4881ceeb8"
+ logic_hash = "d14d53b2a73952244641f4e68a3dd5af8cb1e2bfc5936f300f9347b4881ceeb8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258627,13 +259113,13 @@ rule DITEKSHEN_MALWARE_Win_Raccoonv2 : FILE
 meta:
 description = "Detects Raccoon Stealer 2.0, also referred to as RecordBreaker"
 author = "ditekSHen"
- id = "91e1d4d4-c564-5399-bedb-bb415e7c4fdb"
+ id = "2fc8313f-42f4-5b7e-8ae6-20455f736064"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9784-L9805"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d47bb9051923147010452bcd6e7c370c2ff9ea9095bcb920b64f69873b15ec16"
+ logic_hash = "d47bb9051923147010452bcd6e7c370c2ff9ea9095bcb920b64f69873b15ec16"
 score = 75
 quality = 25
 tags = "FILE"
@@ -258662,13 +259148,13 @@ rule DITEKSHEN_MALWARE_Win_Truebot : FILE
 meta:
 description = "Detects TrueBot"
 author = "ditekSHen"
- id = "d6678818-42b9-57fc-b162-ea41cb0ecde6"
+ id = "7210a0bd-d310-55bf-bb0c-14cadb59bd67"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9807-L9827"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a92141ef0aa7d68b3594a0f56c0370498fe5751a472c9011ac8b92ae46e88e53"
+ logic_hash = "a92141ef0aa7d68b3594a0f56c0370498fe5751a472c9011ac8b92ae46e88e53"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258696,14 +259182,14 @@ rule DITEKSHEN_MALWARE_Win_Lummastealer : FILE
 meta:
 description = "Detects Lumma Stealer"
 author = "ditekSHen"
- id = "d873fbfd-074c-5e29-9d2c-cd5c80ad525f"
+ id = "b54521ab-4a31-5c1c-8ef2-b08b0f713693"
 date = "2034-02-17"
 date = "2034-02-17"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9829-L9854"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_74014c5bcc85977b90faed93b348c34e47ee033b06c2f145348ca9c54c27bda5"
+ logic_hash = "74014c5bcc85977b90faed93b348c34e47ee033b06c2f145348ca9c54c27bda5"
 score = 75
 quality = 73
 tags = "FILE"
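Review bot: The Lummastealer hunk keeps two identical `date = "2034-02-17"` context lines in the rule's meta block, a duplicated key carrying a date ten years in the future, while the commit only regenerates the `id` and `logic_hash` around them. Every other rule in this range has a single `date = "2024-11-01"`, so this looks like an upstream typo that the import step is reproducing rather than normalising; presumably the generator should collapse duplicate meta keys and reject a `date` later than `modified`. I would drop the second `date` line and, if the upstream value cannot be confirmed, align it with its neighbours as `date = "2024-11-01"`. Separately, stripping the `v1_sha256_` prefix from `logic_hash` discards the only in-band marker of which hashing scheme produced the value, so any later change to the canonicalisation will be indistinguishable from a rule edit.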
@@ -258734,13 +259220,13 @@ rule DITEKSHEN_MALWARE_Win_Clipbanker03 : FILE
 meta:
 description = "Detects ClipBanker"
 author = "ditekSHen"
- id = "30a83628-6c02-5719-86d5-a7a6b8442501"
+ id = "57ba7d33-eba4-5bc1-9893-5441e439b900"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9884-L9904"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_29bbb833c9aecc18b398b8c0d80649994f4992277d1aa2ee4ae8e319b59125d5"
+ logic_hash = "29bbb833c9aecc18b398b8c0d80649994f4992277d1aa2ee4ae8e319b59125d5"
 score = 75
 quality = 50
 tags = "FILE"
@@ -258768,13 +259254,13 @@ rule DITEKSHEN_MALWARE_Win_Dotrunpex : FILE
 meta:
 description = "Detects dotRunpeX injector"
 author = "ditekSHen"
- id = "b71b4d4f-3461-5e60-abd0-b53d352c494c"
+ id = "4845edc1-110c-59a2-ace0-57a62b1e69e8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9906-L9918"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d7f802f233b2b4ff2c250bb8e96649f307bbb3457c78004751401b3ea7f531a0"
+ logic_hash = "d7f802f233b2b4ff2c250bb8e96649f307bbb3457c78004751401b3ea7f531a0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258794,13 +259280,13 @@ rule DITEKSHEN_MALWARE_Win_Cyberstealer : FILE
 meta:
 description = "Detects CyberStealer infostealer"
 author = "ditekSHen"
- id = "b3649f3a-b507-5c05-b130-c2aec64ecc88"
+ id = "cb02013f-ffb2-5a17-9d6e-1d19b0e98fb8"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9920-L9941"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_72413b68fa1381656202165dcd878761727e7caf0f15ccd65f3f2f842243a1f6"
+ logic_hash = "72413b68fa1381656202165dcd878761727e7caf0f15ccd65f3f2f842243a1f6"
 score = 75
 quality = 71
 tags = "FILE"
@@ -258829,13 +259315,13 @@ rule DITEKSHEN_MALWARE_Win_Arrowrat : FILE
 meta:
 description = "Detects ArrowRAT"
 author = "ditekSHen"
- id = "6f99047c-5979-5901-aa47-3ea5875fa1a1"
+ id = "14d3aabe-1ef5-599f-adbd-61b580099447"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9943-L9961"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_13e6d4fd274f75c50aa4110276812d02885c03cfc269dde480db66955e5f703a"
+ logic_hash = "13e6d4fd274f75c50aa4110276812d02885c03cfc269dde480db66955e5f703a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258861,13 +259347,13 @@ rule DITEKSHEN_MALWARE_Win_Ducktail : FILE
 meta:
 description = "Detects DuckTail"
 author = "ditekSHen"
- id = "23e179fc-3ee7-564a-aae3-7cbd5c02e1fb"
+ id = "2d1a8f9e-ed5f-53fa-8ba8-b6d1344f6d39"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9963-L9991"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a416212e5f87b33fdc14590c3d6d6ebc2915c2b383adf78d660c9408beb2323f"
+ logic_hash = "a416212e5f87b33fdc14590c3d6d6ebc2915c2b383adf78d660c9408beb2323f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -258903,13 +259389,13 @@ rule DITEKSHEN_MALWARE_Win_Grum : FILE
 meta:
 description = "Detect Grum spam bot"
 author = "ditekSHen"
- id = "dd4cbad0-2f2b-5354-bd86-e59cb95069ad"
+ id = "e9abaed1-f462-5099-b310-9f9244c0c8a2"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L9993-L10007"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_42a1d57dcddda4a24037af136caace6110b90ee5702c7c01d2a77d2676048c74"
+ logic_hash = "42a1d57dcddda4a24037af136caace6110b90ee5702c7c01d2a77d2676048c74"
 score = 75
 quality = 50
 tags = "FILE"
@@ -258931,13 +259417,13 @@ rule DITEKSHEN_MALWARE_Win_Dlinjector07 : FILE
 meta:
 description = "Detects downloader injector"
 author = "ditekSHen"
- id = "b1ed6a3c-e448-560c-be36-c3a70bd57d7e"
+ id = "244ad6fb-8769-5b57-84e2-66f51fccb32a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10009-L10025"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_aef43b59ef7d0d62a853280ec1588a48d6c21da5218b7fd7e6ab1aa0f048896b"
+ logic_hash = "aef43b59ef7d0d62a853280ec1588a48d6c21da5218b7fd7e6ab1aa0f048896b"
 score = 75
 quality = 73
 tags = "FILE"
@@ -258961,13 +259447,13 @@ rule DITEKSHEN_MALWARE_Win_Stealerium : FILE
 meta:
 description = "Detects Stealerium infostealer"
 author = "ditekSHen"
- id = "abd128ee-1dcd-58d9-aa48-4ad0e80149c3"
+ id = "ea137900-3add-54b4-9ce9-bc7e98f86d41"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10027-L10042"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a2834e7fe26ad0197a9e490ab517029ceed2e09506fcc37e6ddf0c1804fa6cb9"
+ logic_hash = "a2834e7fe26ad0197a9e490ab517029ceed2e09506fcc37e6ddf0c1804fa6cb9"
 score = 75
 quality = 73
 tags = "FILE"
@@ -258990,13 +259476,13 @@ rule DITEKSHEN_MALWARE_Linux_Gobrat : FILE
 meta:
 description = "Detects GobRAT"
 author = "ditekSHen"
- id = "ffd2548b-2ad4-5a7c-8686-11eb1fde7604"
+ id = "0561fa99-24ee-5e02-ba54-17a1dd81daa4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10044-L10062"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_070687c909b066e38f72b6421b77670e87476d7e1eb1ed8d41d027836629eb71"
+ logic_hash = "070687c909b066e38f72b6421b77670e87476d7e1eb1ed8d41d027836629eb71"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259022,13 +259508,13 @@ rule DITEKSHEN_MALWARE_Win_Hakunamatata : FILE
 meta:
 description = "Detects HakunaMatata ransomware"
 author = "ditekSHen"
- id = "e4690b4b-2dc1-5a1c-b10a-66c61d8b430c"
+ id = "43ca40bb-9eb6-558e-977d-f1fff5659565"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10064-L10084"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b49705845e5440c3c1e47e196592ca2b31319d1af5265f2f954d3367e3d39d5c"
+ logic_hash = "b49705845e5440c3c1e47e196592ca2b31319d1af5265f2f954d3367e3d39d5c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259056,13 +259542,13 @@ rule DITEKSHEN_MALWARE_Win_Hakunamatata_Builder : FILE
 meta:
 description = "Detects HakunaMatata ransomware builder"
 author = "ditekSHen"
- id = "30aa1fae-21a2-5ede-a140-c9276fa49395"
+ id = "dbf3490f-418c-5d3b-9f9e-e9fb29d8b652"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10086-L10104"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ac258851de38504cf63ba51fd06f8a9a3dfbe0096d199ba702e9763b5ecc43e4"
+ logic_hash = "ac258851de38504cf63ba51fd06f8a9a3dfbe0096d199ba702e9763b5ecc43e4"
 score = 75
 quality = 73
 tags = "FILE"
@@ -259088,13 +259574,13 @@ rule DITEKSHEN_MALWARE_Win_Twarbot : FILE
 meta:
 description = "Detect TWarBot IRC Bot"
 author = "ditekSHen"
- id = "44371e45-0e2a-578b-a2e6-23cfa141ef78"
+ id = "3acae103-c8d8-5959-83fd-f47d33da350b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10106-L10121"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6b1b0b92d2ea7adec58a4b0ac712384542d96dc8707b6f1f13df2d8150a03a7a"
+ logic_hash = "6b1b0b92d2ea7adec58a4b0ac712384542d96dc8707b6f1f13df2d8150a03a7a"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259117,13 +259603,13 @@ rule DITEKSHEN_MALWARE_Win_G0Crypt : FILE
 meta:
 description = "Detects G0Crypt / BRG0SNet / NovaGP ransomware"
 author = "ditekSHen"
- id = "5a39fcdf-16bb-54dc-809b-e5d4270ed9d8"
+ id = "c0dd8a1b-1aa6-50be-92c4-125eabaf3f9f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10123-L10156"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a678bbb02b82c34fb5e7bdce2e60b0da88f12b094e7ca3b74345814d0da5ce42"
+ logic_hash = "a678bbb02b82c34fb5e7bdce2e60b0da88f12b094e7ca3b74345814d0da5ce42"
 score = 75
 quality = 73
 tags = "FILE"
@@ -259164,13 +259650,13 @@ rule DITEKSHEN_MALWARE_Win_Akira : FILE
 meta:
 description = "Detects Akira Ransomware Windows"
 author = "ditekSHen"
- id = "faff6fc2-d96f-55c6-8b78-f56e0f16ccd5"
+ id = "350ecf81-7926-5cd2-b0c8-2dd748775e74"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10220-L10243"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_73dd0a1b21be8ff7362536f6b6255cd19510632782effd67a56d7656bebf04ff"
+ logic_hash = "73dd0a1b21be8ff7362536f6b6255cd19510632782effd67a56d7656bebf04ff"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259201,13 +259687,13 @@ rule DITEKSHEN_MALWARE_Linux_Akira : FILE
 meta:
 description = "Detects Akira Ransomware Linux"
 author = "ditekSHen"
- id = "4d223613-28cb-5bcc-84ba-c8944356073b"
+ id = "3ac144b3-c747-58e5-bc75-b3f90786f404"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10245-L10264"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3a00154e1cfc442718e753641d3706ffd4dd8465525d0bb2854f74dfb1cf5dd0"
+ logic_hash = "3a00154e1cfc442718e753641d3706ffd4dd8465525d0bb2854f74dfb1cf5dd0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259236,13 +259722,13 @@ rule DITEKSHEN_MALWARE_Win_Romcom_Loader : FILE
 meta:
 description = "Hunt for RomCom loader"
 author = "ditekShen"
- id = "0795798f-b44d-5fb8-8ac4-0bd3fc1abc91"
+ id = "49a5398a-e28d-51e2-90d5-479d815f9967"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10291-L10307"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7aef88aa9f201c3a1852d63b17c14e44c7c2a7dfe94a9bc77897a4aa0eb97486"
+ logic_hash = "7aef88aa9f201c3a1852d63b17c14e44c7c2a7dfe94a9bc77897a4aa0eb97486"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259257,13 +259743,13 @@ rule DITEKSHEN_MALWARE_Win_Romcom_Worker : FILE
 meta:
 description = "Hunt for RomCom worker"
 author = "ditekShen"
- id = "acddee72-6df8-562f-b109-f789460a7931"
+ id = "ce545a33-731c-5ecd-b02e-cedf24f75cc7"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10309-L10322"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_488db046458585882a4709438042b57e02d7dbc06483fdfdfc463a64ee8db203"
+ logic_hash = "488db046458585882a4709438042b57e02d7dbc06483fdfdfc463a64ee8db203"
 score = 75
 quality = 73
 tags = "FILE"
@@ -259286,13 +259772,13 @@ rule DITEKSHEN_MALWARE_Win_Romcom_Dropper : FILE
 meta:
 description = "Hunt for RomCom worker"
 author = "ditekShen"
- id = "0426a1ef-0e13-5dad-8fa3-54b945c3e826"
+ id = "1b77122d-95d7-535d-897e-b542da17f499"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10324-L10335"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_89f62f71e5870c1e5d14bc32dd3508da620f5fa85494251c69682eb09d630029"
+ logic_hash = "89f62f71e5870c1e5d14bc32dd3508da620f5fa85494251c69682eb09d630029"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259313,13 +259799,13 @@ rule DITEKSHEN_MALWARE_Win_STEALDEAL : FILE
 meta:
 description = "Hunt for STEALDEAL stealer"
 author = "ditekShen"
- id = "c1f24dc3-807c-5a35-8968-9a3fd4a164ed"
+ id = "4685fea3-4050-5395-af2b-cb0ba4104b47"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10337-L10348"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_366c33b06ed9403b2b840d98e25287333eb52f2588f747981b3c0c3baf4fd27a"
+ logic_hash = "366c33b06ed9403b2b840d98e25287333eb52f2588f747981b3c0c3baf4fd27a"
 score = 75
 quality = 50
 tags = "FILE"
@@ -259338,13 +259824,13 @@ rule DITEKSHEN_MALWARE_Win_Darkcloud : FILE
 meta:
 description = "Detects DarkCloud infostealer"
 author = "ditekSHen"
- id = "e20841f2-deda-5d9c-8650-d107205cbd90"
+ id = "e29e1dc7-87b8-5d6b-b73b-460dc2530875"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10350-L10371"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7826cc4185d6edb760d062019e0fa30f800c34e5fb4b0eedcfb17081e6c7643d"
+ logic_hash = "7826cc4185d6edb760d062019e0fa30f800c34e5fb4b0eedcfb17081e6c7643d"
 score = 75
 quality = 48
 tags = "FILE"
@@ -259373,13 +259859,13 @@ rule DITEKSHEN_MALWARE_Win_Arcrypt : FILE
 meta:
 description = "Detects ARCrypt / ChileLocker ransomware"
 author = "ditekSHen"
- id = "b4f3a9f8-ee79-519a-9a8f-089f992073d4"
+ id = "a53bbae6-a321-549d-9d45-e1a408d08740"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10373-L10399"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cc9fa68d093fdf9745a06beb28e29108cb2ba846122ce097ad892213b1edba25"
+ logic_hash = "cc9fa68d093fdf9745a06beb28e29108cb2ba846122ce097ad892213b1edba25"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259413,13 +259899,13 @@ rule DITEKSHEN_MALWARE_Win_Rootteamstealer : FILE
 meta:
 description = "Detects RootTeam infostealer"
 author = "ditekSHen"
- id = "6f09eaac-1992-5249-be7b-58efc0f78f85"
+ id = "3b57ff3e-09cf-52be-ac7f-45ee832d70ab"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10401-L10417"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d1693865253067527d58c980653d550b55d022d5a394b88090a958e5d5818143"
+ logic_hash = "d1693865253067527d58c980653d550b55d022d5a394b88090a958e5d5818143"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259443,13 +259929,13 @@ rule DITEKSHEN_MALWARE_Win_Espioloader : FILE
 meta:
 description = "Detects Espio loader and obfuscator"
 author = "ditekSHen"
- id = "a095b81d-4ce2-5a63-83ff-6bc4ee1e561d"
+ id = "fb2be984-abd6-5f71-b448-d41c9c3e35c5"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10438-L10451"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8ad77a50db48f12e6f6465652b24fc1daa56375bb27e37e0eead1bea55b89e0c"
+ logic_hash = "8ad77a50db48f12e6f6465652b24fc1daa56375bb27e37e0eead1bea55b89e0c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259470,13 +259956,13 @@ rule DITEKSHEN_MALWARE_Win_Celestybinderloader : FILE
 meta:
 description = "Detects Celesty Binder loader"
 author = "ditekSHen"
- id = "f2cc6c9c-dc47-5499-b192-cec4c9877883"
+ id = "9c3404b7-311c-565d-b0fa-cfa80ba97289"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10453-L10466"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8c9ffd48c9c8cd345dccfb48bcb345282f9978f7cf906a61e2ea81c48486b16d"
+ logic_hash = "8c9ffd48c9c8cd345dccfb48bcb345282f9978f7cf906a61e2ea81c48486b16d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259497,13 +259983,13 @@ rule DITEKSHEN_MALWARE_Win_Blitzgrabber : FILE
 meta:
 description = "Detects BlitzGrabber infostealer"
 author = "ditekSHen"
- id = "176415eb-58fd-5e6d-8029-bd24eb849f7a"
+ id = "4240527e-c2f8-5424-986a-c1616fafb9bb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10468-L10487"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8baceacf3c2af61e00b31e8106820b6f1ce2e7a9d98eaed965e698109ae08314"
+ logic_hash = "8baceacf3c2af61e00b31e8106820b6f1ce2e7a9d98eaed965e698109ae08314"
 score = 75
 quality = 71
 tags = "FILE"
@@ -259530,13 +260016,13 @@ rule DITEKSHEN_MALWARE_Win_Bagle : FILE
 meta:
 description = "Detect Bagle / Beagle email worm"
 author = "ditekSHen"
- id = "34e0cdbe-930b-5ef2-8b6d-be517682c1a1"
+ id = "32632bdf-6cf5-5542-8e1f-70686139a465"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10489-L10505"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4c3a09f10c792de1ab25001da29ea2fee84c583d49d9a5225817644aabde2dea"
+ logic_hash = "4c3a09f10c792de1ab25001da29ea2fee84c583d49d9a5225817644aabde2dea"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259560,13 +260046,13 @@ rule DITEKSHEN_MALWARE_Win_Ragestealer : FILE
 meta:
 description = "Detect Rage / Priv8 infostealer"
 author = "ditekShen"
- id = "915ab3c4-a79c-536a-bf25-0c2352838d44"
+ id = "dfc1abaa-d975-5e6a-ad4d-344031b0c40c"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10507-L10522"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a26b86845bcd62d4a360a8dae9cfa56b5d96ebc521f224c18a01cc0a2bd958e9"
+ logic_hash = "a26b86845bcd62d4a360a8dae9cfa56b5d96ebc521f224c18a01cc0a2bd958e9"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259589,13 +260075,13 @@ rule DITEKSHEN_MALWARE_Win_Abubasbanditbot : FILE
 meta:
 description = "Detects Abubasbandit Bot. Observed to drop cryptocurrency miner detected by MALWARE_Win_CoinMiner02"
 author = "ditekSHen"
- id = "1afe52bc-a9b7-5003-82ef-ae3671deb01f"
+ id = "8bedd1f7-bd77-5f26-8665-1d23fe56100f"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10524-L10541"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_aae40178dadff720b42d211a025fd696eabdcc91761c6a91809f5f088c588c31"
+ logic_hash = "aae40178dadff720b42d211a025fd696eabdcc91761c6a91809f5f088c588c31"
 score = 75
 quality = 75
 tags = "FILE"
@@ -259620,13 +260106,13 @@ rule DITEKSHEN_MALWARE_Win_Oracrat : FILE meta: description = "Detects OracRAT / Comfoo / Babar" author = "ditekSHen" - id = "f015118e-8356-5713-938d-f9285592cce1" + id = "53f3778e-56d5-5390-8ce7-82d4ede46be4" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10543-L10557" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_078a5df9f3d0bb8213ea2fe28eefdb453ef186e6c1f62d3ba10cb04fca047700" + logic_hash = "078a5df9f3d0bb8213ea2fe28eefdb453ef186e6c1f62d3ba10cb04fca047700" score = 75 quality = 75 tags = "FILE" @@ -259648,13 +260134,13 @@ rule DITEKSHEN_MALWARE_Win_Phemedronestealer : FILE meta: description = "Detects Phemedrone Stealer infostealer" author = "ditekSHen" - id = "84eb7a18-ac4e-596e-9271-02e9d4307b46" + id = "297aab1f-351c-5955-8a19-9aa2b7c94748" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10559-L10580" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_74e150cc971f5648f9e3f6146afba162b1a29cf2744c862b2320db52c2efa930" + logic_hash = "74e150cc971f5648f9e3f6146afba162b1a29cf2744c862b2320db52c2efa930" score = 75 quality = 75 tags = "FILE" 
@@ -259683,13 +260169,13 @@ rule DITEKSHEN_MALWARE_Win_WSHRAT : FILE meta: description = "Detects WASHRAT" author = "ditekSHen" - id = "5e49a1d7-6ac2-585c-9447-96d95a19097b" + id = "e7940b7f-51dd-5a32-899b-64310f27bf3e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10582-L10600" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_297bfe65815637a464e2a8fc23570c6e79694ffe0467d5898b7c845f1450de95" + logic_hash = "297bfe65815637a464e2a8fc23570c6e79694ffe0467d5898b7c845f1450de95" score = 75 quality = 73 tags = "FILE" @@ -259715,13 +260201,13 @@ rule DITEKSHEN_MALWARE_Win_Rustystealer : FILE meta: description = "Detect Rusty / Luca stealer" author = "ditekSHen" - id = "bc02845d-ee99-5c0a-8ffe-2b0b708f3eac" + id = "af39f88c-e0df-51f6-bb11-f3a7231180d0" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10602-L10625" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e60e66360c8f97a31e75cd90a12519f75f3a672874fc985a8da1d4d02e185b4d" + logic_hash = "e60e66360c8f97a31e75cd90a12519f75f3a672874fc985a8da1d4d02e185b4d" score = 75 quality = 75 tags = "FILE" 
@@ -259752,13 +260238,13 @@ rule DITEKSHEN_MALWARE_Win_Simplepacker : FILE meta: description = "Detects Hydrochasma packer / dropper" author = "ditekSHen" - id = "42b711f1-9e9e-5ed4-ae42-77d04e43bd5f" + id = "449f7531-408f-5bda-aa64-d148c363c3e5" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10627-L10638" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e2c07947fdf53814669250052f6cceb7412aa302422f3a0b430879da638c7e6a" + logic_hash = "e2c07947fdf53814669250052f6cceb7412aa302422f3a0b430879da638c7e6a" score = 75 quality = 75 tags = "FILE" @@ -259777,13 +260263,13 @@ rule DITEKSHEN_MALWARE_Multi_Golangbypassav : FILE meta: description = "Detect Go executables using GolangBypassAV" author = "ditekSHen" - id = "20c38022-fa20-5caf-89ae-2948a810ff38" + id = "bd41ff7e-ce57-5bee-b6ca-9341b4c1c1fa" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10679-L10689" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_842dfc7c04cbd19bbbc8b6fbf9d9925f81a21dfb713af4542ca4157d64fa5b51" + logic_hash = "842dfc7c04cbd19bbbc8b6fbf9d9925f81a21dfb713af4542ca4157d64fa5b51" score = 75 quality = 75 tags = "FILE" 
@@ -259801,13 +260287,13 @@ rule DITEKSHEN_MALWARE_Win_Blankstealer : FILE meta: description = "Detects BlankStealer / BlankGrabber / Blank-c Stealer" author = "ditekSHen" - id = "ef756d6c-d327-5d92-904f-573a8f97c759" + id = "19686781-4be8-56c1-b606-d8fe14dbdc48" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10691-L10703" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_cc0c8d3e0061d192e445ef661387360644ab428a9e9fc2480e966db96bc8264c" + logic_hash = "cc0c8d3e0061d192e445ef661387360644ab428a9e9fc2480e966db96bc8264c" score = 75 quality = 75 tags = "FILE" @@ -259827,13 +260313,13 @@ rule DITEKSHEN_MALWARE_Linux_Getshell : FILE meta: description = "Detect GetShell Linux backdoor" author = "ditekSHen" - id = "121e1b29-f3e7-5d4d-ae48-5f2969b0ff6f" + id = "cccad93d-cd49-5237-96ac-66c9ac6ef532" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10705-L10725" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9d44ad2a3c270eed0e905402e8c32dcca54da90f4229d9d59874ee09b3b47277" + logic_hash = "9d44ad2a3c270eed0e905402e8c32dcca54da90f4229d9d59874ee09b3b47277" score = 75 quality = 75 tags = "FILE" 
@@ -259861,13 +260347,13 @@ rule DITEKSHEN_MALWARE_Win_Solarmarker : FILE meta: description = "Detects SolarMarker" author = "ditekSHen" - id = "5aaa7877-d6e8-59c7-9125-80eeb35e026b" + id = "78c2f739-76b2-5a80-8b9a-6c677d578eaa" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10727-L10745" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_84182c8948c2f40439cd932885ae8b88bb677ecc9fba366f22d30e13dc4ffb68" + logic_hash = "84182c8948c2f40439cd932885ae8b88bb677ecc9fba366f22d30e13dc4ffb68" score = 75 quality = 75 tags = "FILE" @@ -259893,13 +260379,13 @@ rule DITEKSHEN_MALWRE_Win_Darkgate : FILE meta: description = "Detects DarkGate infostealer and coinminer" author = "ditekSHen" - id = "7cca6074-8aaf-5e91-8c5b-364879a57b30" + id = "4488e1e6-daac-5832-8326-3151c834daf1" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10747-L10771" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_805a04bbb3915d539e76927393384a2786c25490e8b9fc151d5b12415247578b" + logic_hash = "805a04bbb3915d539e76927393384a2786c25490e8b9fc151d5b12415247578b" score = 75 quality = 75 tags = "FILE" 
@@ -259931,13 +260417,13 @@ rule DITEKSHEN_MALWARE_Win_Rookie_Downloader : FILE meta: description = "Detect malware downlaoder, variant of ZombieBoy downloader" author = "ditekSHen" - id = "cc287ec0-4d5d-515b-9888-115400af433c" + id = "a991eecb-5275-5e33-bea4-e709590474a8" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10773-L10786" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6d5625c2cd7e3a51c2fce9948e691ff2d1b7cf85083708790f89e15c6522059b" + logic_hash = "6d5625c2cd7e3a51c2fce9948e691ff2d1b7cf85083708790f89e15c6522059b" score = 75 quality = 75 tags = "FILE" @@ -259958,13 +260444,13 @@ rule DITEKSHEN_MALWARE_Win_Fiber : FILE meta: description = "Detects Fiber .NET injector" author = "ditekSHen" - id = "3c0295ff-b7aa-5940-b1dd-7fca01e37c11" + id = "0e562e2e-cb91-5acf-bb8f-5e7e7d971a3d" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10788-L10824" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_bd6c2c02272fe59c8d7de533197f15d94b5532d32875f01e3e4bd52506456a34" + logic_hash = "bd6c2c02272fe59c8d7de533197f15d94b5532d32875f01e3e4bd52506456a34" score = 75 quality = 75 tags = "FILE" 
@@ -260008,13 +260494,13 @@ rule DITEKSHEN_MALWARE_Win_Unknown_Packedloader_01 : FILE meta: description = "Detects unknown loader / packer. Observed running LummaStealer" author = "ditekShen" - id = "d34ec7d7-ecd2-59ba-a1b4-e8a48b24067a" + id = "2969090f-dff9-5745-b87d-a031741dd2e0" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10826-L10845" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_6fd9075793b55e04c68bb13d21b88741889a9c37a0a9d1a19d895c7b68af4506" + logic_hash = "6fd9075793b55e04c68bb13d21b88741889a9c37a0a9d1a19d895c7b68af4506" score = 75 quality = 75 tags = "FILE" @@ -260041,13 +260527,13 @@ rule DITEKSHEN_MALWARE_Win_LOLKEK : FILE meta: description = "Detects LOLKEK / GlobeImposter ransowmare" author = "ditekShen" - id = "f438ea67-fa7a-579a-a507-8776390d1a31" + id = "96374c8d-2ef7-5706-a96f-27d60f73f8c1" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10847-L10864" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_047492f8b7b56c75cfdcc4359de2b02a76cf9591b902171785806987e552995a" + logic_hash = "047492f8b7b56c75cfdcc4359de2b02a76cf9591b902171785806987e552995a" score = 75 quality = 75 tags = "FILE" 
@@ -260072,13 +260558,13 @@ rule DITEKSHEN_MALWARE_Win_Spacecolon : FILE meta: description = "Detects Spacecolon ransomware" author = "ditekSHen" - id = "67a4d881-d02c-5c78-90e9-777ab14c0349" + id = "38bde0b6-96a3-5081-b152-c251d7a2ffac" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10866-L10886" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d6e55c45f9df98bc152dadc1ba0953b4b89b5a503af0fc5ba53e12a1aa4f6d28" + logic_hash = "d6e55c45f9df98bc152dadc1ba0953b4b89b5a503af0fc5ba53e12a1aa4f6d28" score = 75 quality = 48 tags = "FILE" @@ -260106,13 +260592,13 @@ rule DITEKSHEN_MALWARE_Win_Rhysida : FILE meta: description = "Detects Rhysida ransomware" author = "ditekSHen" - id = "ce65ee97-0638-5846-b557-92ee73b27120" + id = "a70bdf19-3b56-5dc0-be74-20a2e85099cc" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10888-L10902" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fb15f497cdee40b237dfc2aafcde2da95ff2a6f9c162273862ec1a0053269932" + logic_hash = "fb15f497cdee40b237dfc2aafcde2da95ff2a6f9c162273862ec1a0053269932" score = 75 quality = 75 tags = "FILE" 
@@ -260134,13 +260620,13 @@ rule DITEKSHEN_MALWARE_Win_Povertystealer : FILE meta: description = "Detects PovertyStealer" author = "ditekSHen" - id = "5db1e646-f0ca-523e-a020-3ec71d5be5c6" + id = "a431b82a-81cb-51a9-b3a8-61d71f36a60e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10904-L10917" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0d8a4dd1f3a9935935878840d19e16d91d240da776f99eb2dd3f12df96efa1d9" + logic_hash = "0d8a4dd1f3a9935935878840d19e16d91d240da776f99eb2dd3f12df96efa1d9" score = 75 quality = 75 tags = "FILE" @@ -260161,13 +260647,13 @@ rule DITEKSHEN_MALWARE_Win_Janelarat : FILE meta: description = "Detects JanelaRAT" author = "ditekSHen" - id = "774871a2-e71d-5253-899a-41045344235f" + id = "6a49eeda-307f-5429-aa24-658223360239" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10919-L10939" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9f10112b6ffa382b03511e7b6c8757438d5910ee2c24d650d05bb53abfff3860" + logic_hash = "9f10112b6ffa382b03511e7b6c8757438d5910ee2c24d650d05bb53abfff3860" score = 75 quality = 75 tags = "FILE" 
@@ -260195,13 +260681,13 @@ rule DITEKSHEN_MALWARE_Win_Qwixxrat : FILE meta: description = "Detects QwixxRAT. Uses ToxicEye / TelegramRAT as base (MALWARE_Win_TelegramRAT)" author = "ditekSHen" - id = "3cb717a4-9db3-51ac-a68a-82a939739bf9" + id = "0a8f2f6f-aa78-56c2-aca0-d575fbf0b91e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10941-L10953" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e6e44697e393da35215f7835f122cb74b05dbeebb558345d5110d6fbc809f4dd" + logic_hash = "e6e44697e393da35215f7835f122cb74b05dbeebb558345d5110d6fbc809f4dd" score = 75 quality = 75 tags = "FILE" @@ -260221,13 +260707,13 @@ rule DITEKSHEN_MALWARE_Win_Toxiceye : FILE meta: description = "Detects ToxicEye / TelegramRAT. Observed used as the basis for many infostealers" author = "ditekSHen" - id = "affb766f-c711-56e8-b89a-548fdebf6081" + id = "99304f11-2444-5864-b174-514bb5bef0f7" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10955-L10973" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ee01c107dd295b923801c0d1a77b1534d3a5f2abf8d2cfa93c6786a1b0553504" + logic_hash = "ee01c107dd295b923801c0d1a77b1534d3a5f2abf8d2cfa93c6786a1b0553504" score = 75 quality = 75 tags = "FILE" 
@@ -260253,13 +260739,13 @@ rule DITEKSHEN_MALWARE_Win_Rdpcredsstealerinjector : FILE meta: description = "Detects RDP Credentials Stealer injector" author = "ditekSHen" - id = "5f3fc017-6dd7-564e-843c-993014ebb25e" + id = "221b7d64-6585-5f3a-bffa-bde05390db73" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L10994-L11007" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0dfade8dde987f5134158b7c4abc3eaf8dcece86e1ff2ab1da4466da316939a2" + logic_hash = "0dfade8dde987f5134158b7c4abc3eaf8dcece86e1ff2ab1da4466da316939a2" score = 75 quality = 75 tags = "FILE" @@ -260280,13 +260766,13 @@ rule DITEKSHEN_MALWARE_Win_Krakenstealer : FILE meta: description = "Detect Kraken infostealer" author = "ditekSHen" - id = "f94cf0ce-6570-5345-bf7c-192556540a26" + id = "460eb574-99c9-5f78-9efa-7a8808aaaae7" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11009-L11030" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7f15823db706e6e51d8ea58fb026efb49f42234255d2f448614dc645d12648bb" + logic_hash = "7f15823db706e6e51d8ea58fb026efb49f42234255d2f448614dc645d12648bb" score = 75 quality = 73 tags = "FILE" 
@@ -260315,13 +260801,13 @@ rule DITEKSHEN_MALWARE_Win_Whiffyrecon : FILE meta: description = "Detects Whiffy Recon" author = "ditekSHen" - id = "c6e9ef90-5233-5117-8345-fde3d799ec6f" + id = "19b0f327-06ee-5f78-abac-9c4fbcad98ac" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11032-L11052" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_58df9f47f5890c5e31d352be682c6164a940dad206ad29c54c43f70d3afb9543" + logic_hash = "58df9f47f5890c5e31d352be682c6164a940dad206ad29c54c43f70d3afb9543" score = 75 quality = 75 tags = "FILE" @@ -260349,13 +260835,13 @@ rule DITEKSHEN_MALWARE_Win_Quiterat : FILE meta: description = "Detects QuiteRAT" author = "ditekSHen" - id = "8795ed26-7970-579d-b99a-e3efbe1f5ede" + id = "54f7b899-3418-5074-8138-38cf073cda8c" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11054-L11068" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_257f9151294254e3e86979f184963f0396587438393b11bad068ba0f386cfc4a" + logic_hash = "257f9151294254e3e86979f184963f0396587438393b11bad068ba0f386cfc4a" score = 75 quality = 75 tags = "FILE" 
@@ -260377,13 +260863,13 @@ rule DITEKSHEN_MALWARE_PWSH_CUMII meta: description = "Detects multi-dropper PowerShell" author = "ditekSHen" - id = "3cd3672a-bc42-577c-8389-db3baf788c24" + id = "07b77251-1d79-5521-8c05-ecfc662f45cb" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11070-L11086" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ab9e59b0552718928d170a988d129b38352700076847f2f409976016858864eb" + logic_hash = "ab9e59b0552718928d170a988d129b38352700076847f2f409976016858864eb" score = 75 quality = 75 tags = "" @@ -260407,13 +260893,13 @@ rule DITEKSHEN_MALWARE_Win_Agnianestealer : FILE meta: description = "Detects Agniane infostealer" author = "ditekSHen" - id = "49db56d2-6ede-5e39-84f6-7ebf93912531" + id = "fcbbf748-dc01-579f-a6f8-37e0f3dea35e" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11088-L11114" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_0031fbe6d76868819cbcfc638433d60a50e8f5cfd14ff25af88ed3dffefd7d62" + logic_hash = "0031fbe6d76868819cbcfc638433d60a50e8f5cfd14ff25af88ed3dffefd7d62" score = 75 quality = 75 tags = "FILE" 
@@ -260447,13 +260933,13 @@ rule DITEKSHEN_MALWARE_Win_TOITOIN_Kritaloader : FILE meta: description = "Detects TOITOIN KritaLoader" author = "ditekSHen" - id = "e0dcdcec-4da2-5e7f-b5de-d4f99c00a102" + id = "5ff002fc-1108-554e-9de6-92d568826d1d" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11116-L11127" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_9629a4cfa606812d2579c0c0d486dec5971854e5133f0594a4638db5b89c3135" + logic_hash = "9629a4cfa606812d2579c0c0d486dec5971854e5133f0594a4638db5b89c3135" score = 75 quality = 75 tags = "FILE" @@ -260472,13 +260958,13 @@ rule DITEKSHEN_MALWARE_Win_TOITOIN_Injectordll : FILE meta: description = "Detects TOITOIN InjectorDLL" author = "ditekSHen" - id = "76d324fb-692f-5f41-94e7-270195bc4981" + id = "40776e0a-29df-52ea-8486-35027ab31a1b" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11129-L11141" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fc80c702305657ba1058ca7f55579d1d5254dd0f619c5f7fda7886a868b65c93" + logic_hash = "fc80c702305657ba1058ca7f55579d1d5254dd0f619c5f7fda7886a868b65c93" score = 75 quality = 25 tags = "FILE" 
@@ -260498,13 +260984,13 @@ rule DITEKSHEN_MALWARE_Win_TOITOIN_Downloader : FILE meta: description = "Detects TOITOIN Downloader" author = "ditekSHen" - id = "dd9e622c-675d-5f0b-81bb-343a8b9bbead" + id = "0282ea26-e381-5c9a-9dad-c90246d8add0" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11143-L11154" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_d7e5e99c9266ec144152c3d1066e0e1a862f48ded17fab8f504192ca48219826" + logic_hash = "d7e5e99c9266ec144152c3d1066e0e1a862f48ded17fab8f504192ca48219826" score = 75 quality = 75 tags = "FILE" @@ -260523,13 +261009,13 @@ rule DITEKSHEN_MALWARE_Win_Venomrat : FILE meta: description = "Detects VenomRAT" author = "ditekSHen" - id = "1fb2e85b-8bb5-55fc-a058-cffd531cba93" + id = "93cd5ae3-c222-51a2-bbb9-bdd3254006e5" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11156-L11170" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_47d343def76a323c66db4ba6fb1c0d119f45323f9b7f36695e4aeb7b070819d7" + logic_hash = "47d343def76a323c66db4ba6fb1c0d119f45323f9b7f36695e4aeb7b070819d7" score = 75 quality = 75 tags = "FILE" 
@@ -260551,13 +261037,13 @@ rule DITEKSHEN_MALWARE_Win_Sapphirestealer : FILE meta: description = "Detects SapphireStealer" author = "ditekSHen" - id = "15ac911d-f3ef-5cfe-9410-1bfcb438bcd2" + id = "ed6cffe4-23f1-5791-b07d-75abb698c899" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11172-L11190" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_97088c0decf158d45a02571bd50b5f370c139339c19b8071f38c0f9816232d1f" + logic_hash = "97088c0decf158d45a02571bd50b5f370c139339c19b8071f38c0f9816232d1f" score = 75 quality = 75 tags = "FILE" @@ -260585,13 +261071,13 @@ rule DITEKSHEN_MALWARE_Win_R77 : FILE meta: description = "Detects r77 rootkit" author = "ditekSHen" - id = "b577a165-e4a9-56ee-97a6-bd72fcbb387e" + id = "813d207e-c6d9-5fea-8387-19da33bc3317" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11192-L11217" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_e3ec6e88a3a77b7dc69eb51a528e6417f6b8695c7cb01d699cf248cebd9b84e2" + logic_hash = "e3ec6e88a3a77b7dc69eb51a528e6417f6b8695c7cb01d699cf248cebd9b84e2" score = 75 quality = 75 tags = "FILE" 
@@ -260614,13 +261100,13 @@ rule DITEKSHEN_MALWARE_Win_Disco_Nightclub : FILE meta: description = "Hunts for Disco NightClub" author = "ditekSHen" - id = "eb026c40-ea39-5be4-98da-ad5d289e3130" + id = "79cbd351-e5d9-5f1f-8e73-71e0acca2707" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11219-L11237" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ee0bd110ea1a3182284c4b3d6dd7eff48ca809a35a925147c716b18a88c0a233" + logic_hash = "ee0bd110ea1a3182284c4b3d6dd7eff48ca809a35a925147c716b18a88c0a233" score = 75 quality = 51 tags = "FILE" @@ -260646,13 +261132,13 @@ rule DITEKSHEN_MALWARE_Win_Risepro : FILE meta: description = "Detects RisePro infostealer" author = "ditekShen" - id = "e453482f-a1e7-54fc-a09b-b0079e462910" + id = "77bc8791-cbe8-53b5-86f4-bc918454a6a6" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11239-L11269" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_f6f1832f316df51ca108a3c75034bd53c3823cd3d9b16da120e12e252dbf90ff" + logic_hash = "f6f1832f316df51ca108a3c75034bd53c3823cd3d9b16da120e12e252dbf90ff" score = 75 quality = 71 tags = "FILE" 
@@ -260690,13 +261176,13 @@ rule DITEKSHEN_MALWARE_Win_Graphicalproton_Rsockstun : FILE meta: description = "Detects GraphicalProton custom rsockstun" author = "ditekShen" - id = "b1f68fef-f9d3-50a1-acd8-306c882a9d18" + id = "5efa85f6-7e73-53a1-92df-4cb975e62345" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11271-L11286" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_ca4d18160b89d82106310237cf81bba57a7f51be77a31d2f18ca8c2987972c2c" + logic_hash = "ca4d18160b89d82106310237cf81bba57a7f51be77a31d2f18ca8c2987972c2c" score = 75 quality = 75 tags = "FILE" @@ -260721,13 +261207,13 @@ rule DITEKSHEN_MALWARE_Win_PWSHDLLDL : FILE meta: description = "Detects downloader" author = "ditekShen" - id = "11547455-21e1-5aec-815d-0c42d06a147c" + id = "553ed216-c8c2-504f-b689-0e8d21a00eaa" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11288-L11303" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7acef81f0e6e282650c161963599dcbe2b3975d482eb7c330581901b0fe85655" + logic_hash = "7acef81f0e6e282650c161963599dcbe2b3975d482eb7c330581901b0fe85655" score = 75 quality = 75 tags = "FILE" 
@@ -260752,13 +261238,13 @@ rule DITEKSHEN_MALWARE_Win_Nppspy : FILE meta: description = "Detects NPPSpy / Ntospy" author = "ditekShen" - id = "bfaca421-05d9-5311-bfc4-390450419375" + id = "3867ba96-1162-5693-b58e-fc6fa04d880a" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11305-L11325" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_53e929b52dddd5e3d060d2dd9937411f1ff215be4d3c67f5935c2a3fbab006d6" + logic_hash = "53e929b52dddd5e3d060d2dd9937411f1ff215be4d3c67f5935c2a3fbab006d6" score = 75 quality = 75 tags = "FILE" @@ -260784,13 +261270,13 @@ rule DITEKSHEN_MALWARE_Win_Agentracoon : FILE meta: description = "Detects AgentRacoon. Not Raccoon" author = "ditekShen" - id = "7c46c811-0487-518e-98bb-03cd4a226d79" + id = "cc31bd71-da96-5a3d-b2f1-40f9745d8d46" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11327-L11343" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_7ed17a1bc161855f2bdc432952086f3b86b58ae9ea6c0d541544f4b63a8e08e8" + logic_hash = "7ed17a1bc161855f2bdc432952086f3b86b58ae9ea6c0d541544f4b63a8e08e8" score = 75 quality = 75 tags = "FILE" 
@@ -260814,13 +261300,13 @@ rule DITEKSHEN_MALWARE_Win_Simda : FILE meta: description = "Detects Simda / Shifu infostealer" author = "ditekShen" - id = "0cb5f124-afd6-5363-b717-4889a9149863" + id = "892a5ffe-ea1a-5df3-9c36-0198fa61b8b6" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11345-L11361" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_3f06e86033e8f9534f9904a2a63c4717a9532eb235f6f4405ef1db7d9b93f036" + logic_hash = "3f06e86033e8f9534f9904a2a63c4717a9532eb235f6f4405ef1db7d9b93f036" score = 75 quality = 75 tags = "FILE" @@ -260844,13 +261330,13 @@ rule DITEKSHEN_MALWARE_Win_Vbsdownloader : FILE meta: description = "Detects second stage VBS downloader of third stage VBS" author = "ditekShen" - id = "3b8339db-95be-55a9-9639-b0cc93e9208f" + id = "480e6872-3a8c-58c5-a455-02342ec7918c" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11363-L11375" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_fee9a78e60d02ff2f03035812af2bf36fe350c70d3e4e094713791833f8ba4d6" + logic_hash = "fee9a78e60d02ff2f03035812af2bf36fe350c70d3e4e094713791833f8ba4d6" score = 75 quality = 75 tags = "FILE" 
@@ -260870,13 +261356,13 @@ rule DITEKSHEN_MALWARE_Win_Umbralstealer : FILE meta: description = "Detects Umbral infostealer" author = "ditekShen" - id = "6690bd83-75b7-595a-89c9-baeac3406af6" + id = "695a350b-3d8e-5244-a275-a60202a8e956" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11377-L11398" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_1686e4626e4d6335f028d6cb6471c32dac747a77fc95d97b4c9dfd043ba975e9" + logic_hash = "1686e4626e4d6335f028d6cb6471c32dac747a77fc95d97b4c9dfd043ba975e9" score = 75 quality = 75 tags = "FILE" @@ -260905,13 +261391,13 @@ rule DITEKSHEN_MALWARE_Win_Metastealer : FILE meta: description = "Detects MetaStealer infostealer" author = "ditekSHen" - id = "e426c440-cc9b-5e80-93fc-f395d0193d6b" + id = "46aa30c1-12c2-56df-8c65-0b96147f9051" date = "2024-11-01" modified = "2024-11-01" reference = "https://github.com/ditekshen/detection" source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11400-L11423" license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt" - logic_hash = "v1_sha256_260c6d90a89ddb6219a5cbad18058e41611ae2dc68a8d4e589fa6ca81853752f" + logic_hash = "260c6d90a89ddb6219a5cbad18058e41611ae2dc68a8d4e589fa6ca81853752f" score = 75 quality = 75 tags = "FILE" 
@@ -260944,13 +261430,13 @@ rule DITEKSHEN_MALWARE_Win_Mediapi : FILE
 meta:
 description = "Detects MediaPI"
 author = "ditekSHen"
- id = "cf66f7b0-0260-58e0-9d60-6d3157a63066"
+ id = "95db8772-1bcd-5eea-956c-c9578b8e1329"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11425-L11439"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2bce0a96b45e46c0cbd913dacb3dfe7ae1b519102d637e0fd9dabe2008037d94"
+ logic_hash = "2bce0a96b45e46c0cbd913dacb3dfe7ae1b519102d637e0fd9dabe2008037d94"
 score = 75
 quality = 75
 tags = "FILE"
@@ -260972,13 +261458,13 @@ rule DITEKSHEN_MALWARE_Win_Blackhunt : FILE
 meta:
 description = "Detects BlackHunt ransomware"
 author = "ditekSHen"
- id = "c42bb10a-a055-5947-ad85-be32b814cea5"
+ id = "4bdb26dd-a424-54a6-b313-e98bdf18cfce"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11441-L11456"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_62e9bc505eff3e19ff0cdaf180e45e6d7917f0bec7cd9b007bee9fe1d9d09b66"
+ logic_hash = "62e9bc505eff3e19ff0cdaf180e45e6d7917f0bec7cd9b007bee9fe1d9d09b66"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261003,13 +261489,13 @@ rule DITEKSHEN_MALWARE_Win_Scoutelite : FILE
 meta:
 description = "Detects ScoutElite"
 author = "ditekSHen"
- id = "d75618c8-68bd-5700-a9db-e742b6b10fd5"
+ id = "989f558b-f84c-5f64-b85d-618d83f96782"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/back-in-2017"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11458-L11531"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_935bd891a9b68cb6ddad86db843de624f3a7ec0824f2b4c6ff0da56422b79668"
+ logic_hash = "935bd891a9b68cb6ddad86db843de624f3a7ec0824f2b4c6ff0da56422b79668"
 score = 75
 quality = 50
 tags = "FILE"
@@ -261087,13 +261573,13 @@ rule DITEKSHEN_MALWARE_Win_Scouteliteps
 meta:
 description = "Detects actor PowerShell tool designed to steal browsers session cookie and passwords on-disk and in-memory"
 author = "ditekshen"
- id = "8fa657fd-bae5-57db-951b-47d509403901"
+ id = "d2c04d55-9bf7-54f5-8053-835fa60f19cb"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/back-in-2017"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11534-L11569"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9b1047b8b485fcfa29225f53674050703d32498cfa99654c8ac5f8bfac29878e"
+ logic_hash = "9b1047b8b485fcfa29225f53674050703d32498cfa99654c8ac5f8bfac29878e"
 score = 75
 quality = 37
 tags = ""
@@ -261135,13 +261621,13 @@ rule DITEKSHEN_MALWARE_Win_Houdiniconfig : FILE
 meta:
 description = "Detects Houdini Trojan configurations"
 author = "ditekshen"
- id = "14cb51b6-d84d-5187-a997-839092a6f540"
+ id = "e4f974fe-731e-55a8-aa5f-068a1e62f54d"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/back-in-2017"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11600-L11616"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_70a67c9a91d2f82184f1d7a5ea51de911a054dd4e38e2cc36f495ed59219afab"
+ logic_hash = "70a67c9a91d2f82184f1d7a5ea51de911a054dd4e38e2cc36f495ed59219afab"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261164,13 +261650,13 @@ rule DITEKSHEN_MALWARE_Win_Houdini : FILE
 meta:
 description = "Detects the raw binary of the Houdini Trojan Delphi variant"
 author = "ditekshen"
- id = "6e4fc458-c746-5813-abe4-001c300ef1bd"
+ id = "79681ca3-b956-52d4-81b8-b3bd4c86872a"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/back-in-2017"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11618-L11689"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0580d2525d9d989f98e815dd98b9258724b6e31f058092132c0fbd67cbc5c63c"
+ logic_hash = "0580d2525d9d989f98e815dd98b9258724b6e31f058092132c0fbd67cbc5c63c"
 score = 75
 quality = 46
 tags = "FILE"
@@ -261242,13 +261728,13 @@ rule DITEKSHEN_MALWARE_Win_Lighthand : FILE
 meta:
 description = "Detects LightHand"
 author = "ditekshen"
- id = "35c6d25f-e403-5dbc-9118-3c93dd8a5cfe"
+ id = "2b644dfb-f09a-50a5-8260-7b7022bce1f4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11691-L11718"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4f06467a522b786045839e6b22b888cecc554b0f63cc20dc43dc0f8ec80f5654"
+ logic_hash = "4f06467a522b786045839e6b22b888cecc554b0f63cc20dc43dc0f8ec80f5654"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261283,13 +261769,13 @@ rule DITEKSHEN_MALWARE_Win_Validalpha : FILE
 meta:
 description = "Detects ValidApha / BlackRAT"
 author = "ditekshen"
- id = "fdd90d48-7043-54b0-8be5-4a10edc11d86"
+ id = "3162eb5f-6e2d-598a-b199-22b70ec8a773"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11720-L11736"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_54d170076d1b32cee6f6252d40548acc7e23b467d692c59d6146a8aadf431211"
+ logic_hash = "54d170076d1b32cee6f6252d40548acc7e23b467d692c59d6146a8aadf431211"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261313,13 +261799,13 @@ rule DITEKSHEN_MALWARE_Win_Tigerrat : FILE
 meta:
 description = "Detects TigerRAT"
 author = "ditekshen"
- id = "2a78d7a6-bbac-5928-a846-df7a0a8b6a26"
+ id = "37192fc8-1932-5f33-994a-bb319b131c58"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11738-L11756"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_38a238339db7e7f573e0c7362af5a08654a9e134f902c0ecae441250a0364c64"
+ logic_hash = "38a238339db7e7f573e0c7362af5a08654a9e134f902c0ecae441250a0364c64"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261345,13 +261831,13 @@ rule DITEKSHEN_MALWARE_Win_Ktlvdoor : FILE
 meta:
 description = "Detects KTLVdoor"
 author = "ditekshen"
- id = "44249db4-32ef-54e4-9503-64d9c266dc2b"
+ id = "f63ebd05-fb4b-50fb-887b-dacd379594a4"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11758-L11791"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3ced9b558c7e17acd015cd2c9dd0c5d024bf9c31c7f2e7c9b7b937124109cf8b"
+ logic_hash = "3ced9b558c7e17acd015cd2c9dd0c5d024bf9c31c7f2e7c9b7b937124109cf8b"
 score = 75
 quality = 73
 tags = "FILE"
@@ -261392,13 +261878,13 @@ rule DITEKSHEN_MALWARE_Win_Fakecaptcha_Downloader : FILE
 meta:
 description = "Detects downloader executables dropped by fake captcha"
 author = "ditekshen"
- id = "8d5bcc64-cb14-5c37-b474-66337bcaae18"
+ id = "d577e8ef-11df-565c-9925-63b8768a7115"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11793-L11803"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_57c39ce93f74d03767e7fde53281983a8462e4f3705d1bb9084bc169a08a0f83"
+ logic_hash = "57c39ce93f74d03767e7fde53281983a8462e4f3705d1bb9084bc169a08a0f83"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261416,13 +261902,13 @@ rule DITEKSHEN_MALWARE_Win_Xenorat : FILE
 meta:
 description = "Detects Blacksuit"
 author = "ditekshen"
- id = "66c91f2b-adeb-567d-a407-807eb4bb5727"
+ id = "7f27ebef-8a0e-591a-a926-ac950db86053"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11805-L11820"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_487046464f545fb9e4a1d6e277cdc010eac6886583f0b388555a483d9021191b"
+ logic_hash = "487046464f545fb9e4a1d6e277cdc010eac6886583f0b388555a483d9021191b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261445,13 +261931,13 @@ rule DITEKSHEN_MALWARE_Multi_POOLRAT : FILE
 meta:
 description = "Detects POOLRAT"
 author = "ditekshen"
- id = "4cfd2d0b-1833-5cc5-87f5-9826d633225f"
+ id = "5831b479-592d-591b-88b4-73102fe4b6ec"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11822-L11839"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_efc5881975e97583188d43a8a6b0eb59bb7103664897cc0f88ddc4d2376bd842"
+ logic_hash = "efc5881975e97583188d43a8a6b0eb59bb7103664897cc0f88ddc4d2376bd842"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261476,13 +261962,13 @@ rule DITEKSHEN_MALWARE_Multi_Pondrat : FILE
 meta:
 description = "Detects PondRAT"
 author = "ditekshen"
- id = "395bdc6e-e392-5cb5-870d-c73f2b7a25ef"
+ id = "cb8cca87-6b5e-5984-8a73-9f800b262d77"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11841-L11858"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_affa35f789725d3a8cea8dc95744c4e771690fde5f73936d0806a8c9f72fdb2e"
+ logic_hash = "affa35f789725d3a8cea8dc95744c4e771690fde5f73936d0806a8c9f72fdb2e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261507,13 +261993,13 @@ rule DITEKSHEN_MALWARE_Win_Cicada3301 : FILE
 meta:
 description = "Detects Cicada3301"
 author = "ditekshen"
- id = "a980faba-fde1-5e4b-ba58-6fcb80c7e513"
+ id = "0aebee9f-177d-5a1b-87e0-8797fb6f6823"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11860-L11885"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b8b7596bc8ae01b89742e17bd3dbfcc1e2fad486cc6ea19c8de813fc677509f4"
+ logic_hash = "b8b7596bc8ae01b89742e17bd3dbfcc1e2fad486cc6ea19c8de813fc677509f4"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261548,13 +262034,13 @@ rule DITEKSHEN_MALWARE_Win_Fpspy : FILE
 meta:
 description = "FPSpy"
 author = "ditekshen"
- id = "d9ec2129-a741-5346-b7cc-9ec023275caf"
+ id = "39d3be12-1b06-57b1-b3c2-2cbd13a17b03"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11887-L11916"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c26736c7f056f3d13c58e724fda601e88468e2386852b072a37c6646fb5ef8f9"
+ logic_hash = "c26736c7f056f3d13c58e724fda601e88468e2386852b072a37c6646fb5ef8f9"
 score = 75
 quality = 73
 tags = "FILE"
@@ -261591,13 +262077,13 @@ rule DITEKSHEN_MALWARE_Win_Klogexe : FILE
 meta:
 description = "Detects KLogExe"
 author = "ditekshen"
- id = "5a331120-e255-5671-b4ac-f3009f848dcf"
+ id = "8c3ebc2c-717b-5c42-9233-274006d4331b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11918-L11937"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1f1809b83dc468122022b68d63734ba1597c6fede01582c31d1700ca0b9e1e22"
+ logic_hash = "1f1809b83dc468122022b68d63734ba1597c6fede01582c31d1700ca0b9e1e22"
 score = 75
 quality = 73
 tags = "FILE"
@@ -261624,13 +262110,13 @@ rule DITEKSHEN_MALWARE_Win_Babylockerkz : FILE
 meta:
 description = "Detects BabyLockerKZ"
 author = "ditekshen"
- id = "979ddc9d-cba2-5ff3-933d-f7fae6cbc8f8"
+ id = "faa35818-2bed-528f-a6f0-5356a723ef5b"
 date = "2024-11-01"
 modified = "2024-11-01"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/malware.yar#L11939-L11957"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_423bbd3b23591608a32e4e724c156fbaa5d1d087515137a82a0aeb8c4865d1ca"
+ logic_hash = "423bbd3b23591608a32e4e724c156fbaa5d1d087515137a82a0aeb8c4865d1ca"
 score = 75
 quality = 75
 tags = "FILE"
@@ -261656,13 +262142,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Bazarloader : FILE
 meta:
 description = "Detects Bazar executables with specific email addresses found in the code signing certificate"
 author = "ditekShen"
- id = "cc4a6c80-7a7e-5ace-8d77-43f267252c80"
+ id = "94b814e3-56c2-5cdb-9335-c92eea8ec668"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L11-L21"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fd47a1d996c78a6efc144f0fe0a28951c34becab3101e7d25acc980bb6b9f8ce"
+ logic_hash = "fd47a1d996c78a6efc144f0fe0a28951c34becab3101e7d25acc980bb6b9f8ce"
 score = 75
 quality = 71
 tags = "FILE"
@@ -261680,13 +262166,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Qakbot : FILE
 meta:
 description = "Detects QakBot executables with specific email addresses found in the code signing certificate"
 author = "ditekShen"
- id = "3caa4b2f-a244-5197-9df0-e8489607ec61"
+ id = "24ad36b2-5022-5f72-b01c-fbb64da20f34"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L23-L37"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7a38069b3b553cba1a789dac706638382dae5bb748b0c10ef50138879767b6dd"
+ logic_hash = "7a38069b3b553cba1a789dac706638382dae5bb748b0c10ef50138879767b6dd"
 score = 75
 quality = 61
 tags = "FILE"
@@ -261708,13 +262194,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Amadey : FILE
 meta:
 description = "Detects Amadey executables with specific email addresses found in the code signing certificate"
 author = "ditekShen"
- id = "e32b616f-0a56-5112-8745-8b7ddf6506de"
+ id = "f9abbf1d-2077-52a8-bfb0-df3732649624"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L39-L47"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3df3fe67835f76e51743b1b4fa2cbc48277d82689c2fc27457b4d7d820e56e43"
+ logic_hash = "3df3fe67835f76e51743b1b4fa2cbc48277d82689c2fc27457b4d7d820e56e43"
 score = 75
 quality = 73
 tags = "FILE"
@@ -261730,13 +262216,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_UNK01 : FILE
 meta:
 description = "Detects Amadey executables with specific email addresses found in the code signing certificate"
 author = "ditekShen"
- id = "d86ed85c-4bd7-5e07-a3af-d7644c2b5cea"
+ id = "56e83bfb-e17d-5d27-87fa-e275cc540148"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L49-L58"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d85461f74186fcabcbf7f2bc1dce06b0012c504cf3235a6fc3e1499dc6f8a3ee"
+ logic_hash = "d85461f74186fcabcbf7f2bc1dce06b0012c504cf3235a6fc3e1499dc6f8a3ee"
 score = 75
 quality = 73
 tags = "FILE"
@@ -261753,13 +262239,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Lockergoga
 meta:
 description = "Detects files referencing identities associated with LockerGoga ransomware"
 author = "ditekShen"
- id = "80e50e79-42f5-5674-ac80-234def18b2af"
+ id = "ff257dae-d09b-52b3-93ca-68a560231b0d"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L60-L80"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f3474f92d935dda0d4c3b11b6934aede69ed949c8ba4d196bfe320476d39ac36"
+ logic_hash = "f3474f92d935dda0d4c3b11b6934aede69ed949c8ba4d196bfe320476d39ac36"
 score = 75
 quality = 49
 tags = ""
@@ -261787,13 +262273,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Goldenaxe
 meta:
 description = "Detects files referencing identities associated with GoldenAxe ransomware"
 author = "ditekShen"
- id = "129b803b-e60b-5e75-9e21-a73a1e0493fe"
+ id = "cd6486eb-742f-50fb-bd99-c5d778886477"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L82-L91"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2540da85880dc08b51a2d096cefd8ed3cb14ccd171b71b434ccf26e7c5f1b54b"
+ logic_hash = "2540da85880dc08b51a2d096cefd8ed3cb14ccd171b71b434ccf26e7c5f1b54b"
 score = 75
 quality = 71
 tags = ""
@@ -261810,13 +262296,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Getcrypt
 meta:
 description = "Detects files referencing identities associated with GetCrypt ransomware"
 author = "ditekShen"
- id = "b4c47700-db7d-5f72-a737-3e7b693be999"
+ id = "b5e31968-e626-5fbb-8bfe-942b48737367"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L93-L106"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_401f4e69235873adc271f8861912ec17daaa71a798c83df8cc3a9b88520708c9"
+ logic_hash = "401f4e69235873adc271f8861912ec17daaa71a798c83df8cc3a9b88520708c9"
 score = 75
 quality = 63
 tags = ""
@@ -261837,13 +262323,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Cryptomix
 meta:
 description = "Detects files referencing identities associated with CryptoMix ransomware"
 author = "ditekShen"
- id = "35b9c48e-150e-5ecb-b8ff-18ac07d24e72"
+ id = "7e623d06-36e8-576d-b261-d562eccf549b"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L108-L123"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_27b75a476229fc877c316f7a61d1ed647f5a67ac44a174d86c084063f039b20c"
+ logic_hash = "27b75a476229fc877c316f7a61d1ed647f5a67ac44a174d86c084063f039b20c"
 score = 75
 quality = 34
 tags = ""
@@ -261866,13 +262352,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Buran
 meta:
 description = "Detects files referencing identities associated with Buran ransomware"
 author = "ditekShen"
- id = "6f6c6af4-7661-51a7-adef-8e90b796f464"
+ id = "63cdda3f-78ed-5ce5-a8e0-e0893f2c314e"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L125-L140"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_685126efa7f90ce296fc616bd8d5d89a5b4b9aba8b60601b29534de21a0d0015"
+ logic_hash = "685126efa7f90ce296fc616bd8d5d89a5b4b9aba8b60601b29534de21a0d0015"
 score = 75
 quality = 59
 tags = ""
@@ -261895,13 +262381,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Ransomwareexx
 meta:
 description = "Detects files referencing identities associated with RansomwareEXX Linux ransomware"
 author = "ditekShen"
- id = "0158595b-c049-5857-a545-b4a3666c4f4b"
+ id = "dfcff8cb-c50c-559e-b5b9-8c2cdac7a3dc"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L142-L150"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a83ada5d29c6d62a292c4b3a1379558cddcaf63d97dbdfc6afd27cc52f6f656d"
+ logic_hash = "a83ada5d29c6d62a292c4b3a1379558cddcaf63d97dbdfc6afd27cc52f6f656d"
 score = 75
 quality = 73
 tags = ""
@@ -261917,13 +262403,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Phobos
 meta:
 description = "Detects files referencing identities associated with Phobos ransomware"
 author = "ditekShen"
- id = "52314937-4f3b-5cee-b00b-fb9a1c0faa55"
+ id = "cee09220-4038-5190-b595-28f67c845588"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L152-L161"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cf9e163d2315d465afb47bf83f30d5d27e14c4cbbc1c235dcb15b75fb509ba7d"
+ logic_hash = "cf9e163d2315d465afb47bf83f30d5d27e14c4cbbc1c235dcb15b75fb509ba7d"
 score = 75
 quality = 71
 tags = ""
@@ -261940,13 +262426,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Epsilon
 meta:
 description = "Detects files referencing identities associated with Epsilon ransomware"
 author = "ditekShen"
- id = "d295df58-7a48-5873-8fd5-324ed9acd5d1"
+ id = "acdeb3b1-872b-5892-9dfe-2e506f767da2"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L163-L171"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_163694ed2ae181764fc6e62027487d183114be35a689dd44d4d9761149df244b"
+ logic_hash = "163694ed2ae181764fc6e62027487d183114be35a689dd44d4d9761149df244b"
 score = 75
 quality = 73
 tags = ""
@@ -261962,13 +262448,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Thanos
 meta:
 description = "Detects files referencing identities associated with Thanos ransomware"
 author = "ditekShen"
- id = "a540c805-fede-5e07-908c-6f1d483ee74f"
+ id = "22ffb4c9-f113-5d3e-a466-6c384c0c6e8a"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L173-L182"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_039ea384136a1aaa261702ed75ab9358aaa1ec2d5a8d35fe4789647f39490c7c"
+ logic_hash = "039ea384136a1aaa261702ed75ab9358aaa1ec2d5a8d35fe4789647f39490c7c"
 score = 75
 quality = 71
 tags = ""
@@ -261985,13 +262471,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Vovalex
 meta:
 description = "Detects files referencing identities associated with Vovalex ransomware"
 author = "ditekShen"
- id = "22286d1c-dab6-518d-aa34-212de6ea63b7"
+ id = "95e9ddce-8a19-59f1-baf4-bdac61c9c396"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L184-L192"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0e8b426e55c1efaf59e5f255f1da9cdfbb509561d3f7ea5baa2815c3131866eb"
+ logic_hash = "0e8b426e55c1efaf59e5f255f1da9cdfbb509561d3f7ea5baa2815c3131866eb"
 score = 75
 quality = 73
 tags = ""
@@ -262007,13 +262493,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Alumnilocker
 meta:
 description = "Detects files referencing identities associated with AlumniLocker ransomware"
 author = "ditekShen"
- id = "099718eb-cb3c-5504-b97c-4bf671da916f"
+ id = "64b6aff8-3758-5837-b814-e2505a9c12a3"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L194-L202"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_aeab9cb2b2da246e1863cd1102d901d322017d0b309e852d83e4f66f6e4bdd22"
+ logic_hash = "aeab9cb2b2da246e1863cd1102d901d322017d0b309e852d83e4f66f6e4bdd22"
 score = 75
 quality = 73
 tags = ""
@@ -262029,13 +262515,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Doejocrypt
 meta:
 description = "Detects files referencing identities associated with DoejoCrypt ransomware"
 author = "ditekShen"
- id = "941001f1-9a2a-5265-9711-1280981a00d9"
+ id = "bdf67fd3-8614-52f0-8804-9905f067a848"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L204-L213"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b76996ef413d017fa571115f7331154c808fed0f1b1e0c97241cadbbef260a00"
+ logic_hash = "b76996ef413d017fa571115f7331154c808fed0f1b1e0c97241cadbbef260a00"
 score = 75
 quality = 71
 tags = ""
@@ -262052,13 +262538,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Purge
 meta:
 description = "Detects files referencing identities associated with Purge ransomware"
 author = "ditekShen"
- id = "375a9540-d12f-5aa4-9873-a0582de2bc78"
+ id = "2a0f2c69-b179-5e48-9db6-be25e329f72b"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L215-L224"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_49f3f5a88212d4bed1f0237a4437fb537e84cd6dd26c5fe224250f3b6e39d384"
+ logic_hash = "49f3f5a88212d4bed1f0237a4437fb537e84cd6dd26c5fe224250f3b6e39d384"
 score = 75
 quality = 71
 tags = ""
@@ -262075,13 +262561,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Zeoticus
 meta:
 description = "Detects files referencing identities associated with Zeoticus ransomware"
 author = "ditekShen"
- id = "58e9acbe-0451-5581-9a03-bdebf4c7b6a0"
+ id = "4d5f0d6d-f792-563d-9a9b-1986f5af8743"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L226-L235"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_7a83b15b0c8e81f67d11f8b5d9a43ba4e1e3a0f6741ddd0daafe4e742dd91cd8"
+ logic_hash = "7a83b15b0c8e81f67d11f8b5d9a43ba4e1e3a0f6741ddd0daafe4e742dd91cd8"
 score = 75
 quality = 71
 tags = ""
@@ -262098,13 +262584,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Jobcryptor
 meta:
 description = "Detects files referencing identities associated with JobCryptor ransomware"
 author = "ditekShen"
- id = "81b46856-5533-550e-a777-029ecd683a4e"
+ id = "406f5638-883b-57a4-a2ba-532d2bd3ae83"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L237-L247"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c8c5dcc0d7484a3ac6e702cca8bd0907f9e4f4aea5e99c4c3f988389e0d803a7"
+ logic_hash = "c8c5dcc0d7484a3ac6e702cca8bd0907f9e4f4aea5e99c4c3f988389e0d803a7"
 score = 75
 quality = 69
 tags = ""
@@ -262122,13 +262608,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Cuba
 meta:
 description = "Detects files referencing identities associated with JobCryptor ransomware"
 author = "ditekShen"
- id = "5a0de502-95b6-578b-840e-d22819aff035"
+ id = "5eea027d-2164-54f2-a2bf-74b5d532e610"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L249-L261"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b734199c8593c338c803518b2729e9d9ceaaed5d21585a3d299885433d8f796e"
+ logic_hash = "b734199c8593c338c803518b2729e9d9ceaaed5d21585a3d299885433d8f796e"
 score = 75
 quality = 65
 tags = ""
@@ -262148,13 +262634,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Hello
 meta:
 description = "Detects files referencing identities associated with Hello / WickrMe ransomware"
 author = "ditekShen"
- id = "7df6e4d4-b049-5638-ab77-06061945d237"
+ id = "02bbaa61-7ea3-5edd-8b38-27ef1f6ee1e2"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L263-L277"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dfafb0323a50891c03c4b706d4f3a6a511cecdee2448c1f554b416ba1e3d3df9"
+ logic_hash = "dfafb0323a50891c03c4b706d4f3a6a511cecdee2448c1f554b416ba1e3d3df9"
 score = 75
 quality = 61
 tags = ""
@@ -262176,13 +262662,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Unlockyourfiles
 meta:
 description = "Detects files referencing identities associated with UnlockYourFiles ransomware"
 author = "ditekShen"
- id = "3aefe7c3-4d06-53c2-9c3b-8d1516161d09"
+ id = "fdc3ec49-66cc-5a0b-87a6-3660dd6f3b72"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L279-L288"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a33dae7f08eb0c2415fbfdadf2cbbf90c68bc802352277422c6d0a2dbd62cd82"
+ logic_hash = "a33dae7f08eb0c2415fbfdadf2cbbf90c68bc802352277422c6d0a2dbd62cd82"
 score = 75
 quality = 71
 tags = ""
@@ -262199,13 +262685,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Darkside
 meta:
 description = "Detects files referencing identities associated with DarkSide ransomware"
 author = "ditekShen"
- id = "1775ce25-5820-50d6-bf63-bd0f74da20c9"
+ id = "7b29b9b9-4657-551e-b770-880a2278ef60"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L290-L299"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3c6cdb15cad19f1db38c0fe03ecb24d5cd4861a699aa2bee0f99b8dddacc8bd1"
+ logic_hash = "3c6cdb15cad19f1db38c0fe03ecb24d5cd4861a699aa2bee0f99b8dddacc8bd1"
 score = 75
 quality = 73
 tags = ""
@@ -262222,13 +262708,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Spyro
 meta:
 description = "Detects files referencing identities associated with Spyro ransomware"
 author = "ditekShen"
- id = "43d26de5-0886-5b06-96ac-ec024d3a35c4"
+ id = "9a42a9fd-dfaf-5719-acae-e7c3b92ecdc9"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L301-L310"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b12b24b7b1b9800d249fd322532d957ddfc020c495ca89414d8d7e9fa7d58eb7"
+ logic_hash = "b12b24b7b1b9800d249fd322532d957ddfc020c495ca89414d8d7e9fa7d58eb7"
 score = 75
 quality = 71
 tags = ""
@@ -262245,13 +262731,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Ryzerlo
 meta:
 description = "Detects files referencing identities associated with Ryzerlo / HiddenTear / RSJON ransomware"
 author = "ditekShen"
- id = "af383865-51e3-5441-a7dd-906263e4a186"
+ id = "1e8b79dc-4a81-5126-a7a3-ad7a2e8f62bf"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L312-L320"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_2d925cac74411c3e408d674e27a27ae029d39977026a79df8f90edae345a31db"
+ logic_hash = "2d925cac74411c3e408d674e27a27ae029d39977026a79df8f90edae345a31db"
 score = 75
 quality = 73
 tags = ""
@@ -262267,13 +262753,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_PYSA
 meta:
 description = "Detects files referencing identities associated with PYSA / Mespinoza ransomware"
 author = "ditekShen"
- id = "e74b206c-85eb-566b-9724-bc23bfd9a737"
+ id = "b26d472b-c94e-576d-b168-6f273bb8fca5"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L322-L340"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cf0fbc0160f1d21efdb4a6935ae0d2206107042e3d020722f50d2c302aff246c"
+ logic_hash = "cf0fbc0160f1d21efdb4a6935ae0d2206107042e3d020722f50d2c302aff246c"
 score = 75
 quality = 55
 tags = ""
@@ -262299,13 +262785,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Ranzylocker
 meta:
 description = "Detects files referencing identities associated with RanzyLocker ransomware"
 author = "ditekShen"
- id = "1247731b-2647-5c74-a863-13bbb4f55c4f"
+ id = "33478dc4-c0ec-5cc8-8620-79e770f6a773"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L354-L363"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_dc345257a3cca82a95e20505c94e90d8ac42240e1491ea1f34be121871673e26"
+ logic_hash = "dc345257a3cca82a95e20505c94e90d8ac42240e1491ea1f34be121871673e26"
 score = 75
 quality = 71
 tags = ""
@@ -262322,13 +262808,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Alkhal
 meta:
 description = "Detects files referencing identities associated with AlKhal ransomware"
 author = "ditekShen"
- id = "966ac616-4379-5ad3-b0c9-758e0347cace"
+ id = "32e14a6e-fc2e-5c0a-b8e3-33e219923d90"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L365-L374"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bd2d66a9cd33ab15b451158cd6c0e6579735653611ee2e6c8045a5807091938d"
+ logic_hash = "bd2d66a9cd33ab15b451158cd6c0e6579735653611ee2e6c8045a5807091938d"
 score = 75
 quality = 71
 tags = ""
@@ -262345,13 +262831,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_DECAF
 meta:
 description = "Detects files referencing identities associated with DECAF ransomware"
 author = "ditekShen"
- id = "d0beb40c-aa83-5608-b8ef-0158b660ea9e"
+ id = "24422015-56f3-503e-a902-0183eb601b22"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L376-L408"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_8fca3a6564cd11e625b65e7f0f278b79678368dd0c77440e9f8d46035e0c3426"
+ logic_hash = "8fca3a6564cd11e625b65e7f0f278b79678368dd0c77440e9f8d46035e0c3426"
 score = 75
 quality = 73
 tags = ""
@@ -262390,13 +262876,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Babuk
 meta:
 description = "Detects files referencing identities associated with Babuk ransomware"
 author = "ditekShen"
- id = "3f693e79-74c2-5227-9f82-1e1dde465000"
+ id = "139cea69-9661-5cb7-bf74-a14e3556c759"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L410-L426"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_129b1364bb59423aab1f5f67a4c2d2a76a9c4f55aa6aa1e59bcebc717a14ee19"
+ logic_hash = "129b1364bb59423aab1f5f67a4c2d2a76a9c4f55aa6aa1e59bcebc717a14ee19"
 score = 75
 quality = 61
 tags = ""
@@ -262420,13 +262906,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Rapid
 meta:
 description = "Detects files referencing identities associated with Rapid ransomware"
 author = "ditekShen"
- id = "5dd46687-2fbb-530e-9b4b-87fece5421c8"
+ id = "a1c6f3c0-2fec-5d96-9965-8129a843ae90"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L428-L436"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ea82a3fcb1d836e1c250e9a576064e1babdb82b4970555260af2eb68726cfd16"
+ logic_hash = "ea82a3fcb1d836e1c250e9a576064e1babdb82b4970555260af2eb68726cfd16"
 score = 75
 quality = 73
 tags = ""
@@ -262442,13 +262928,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Satana
 meta:
 description = "Detects files referencing identities associated with Satana ransomware"
 author = "ditekShen"
- id = "95cdd756-fe8d-5032-9bff-85d199fffad3"
+ id = "a362d4ca-d475-5392-a3ac-45337425d8e7"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L438-L447"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6d82e2497044518cee1b56da85f1ad6ac7934eec9ca68501932d55add4236d45"
+ logic_hash = "6d82e2497044518cee1b56da85f1ad6ac7934eec9ca68501932d55add4236d45"
 score = 75
 quality = 73
 tags = ""
@@ -262465,13 +262951,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Zeppelin
 meta:
 description = "Detects files referencing identities associated with Zeppelin ransomware"
 author = "ditekShen"
- id = "80459e8d-9e41-560b-856b-03ed62eae9ea"
+ id = "f3bbfcd0-c66c-589e-ae04-904314d6a869"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L449-L462"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_66dd92423cfac32de4bea95ad0c9594cb449dc897cc6315d782c1db6de7dc5b1"
+ logic_hash = "66dd92423cfac32de4bea95ad0c9594cb449dc897cc6315d782c1db6de7dc5b1"
 score = 75
 quality = 63
 tags = ""
@@ -262492,13 +262978,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_STOP
 meta:
 description = "Detects files referencing identities associated with STOP ransomware"
 author = "ditekShen"
- id = "0d63efff-7903-5595-8a8f-b363e90e9b71"
+ id = "b2279a7f-a187-5a44-bf1f-87c21b3ffa4f"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L464-L480"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f0d902edbcbe8ff8f3a751b649554499933b06471920c86a9eea3de23890b4bc"
+ logic_hash = "f0d902edbcbe8ff8f3a751b649554499933b06471920c86a9eea3de23890b4bc"
 score = 75
 quality = 57
 tags = ""
@@ -262522,13 +263008,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Diavol
 meta:
 description = "Detects files referencing identities associated with Diavol ransomware"
 author = "ditekShen"
- id = "d48783d5-2dd5-58f7-8d19-74e96bef50aa"
+ id = "ea499318-ed5b-5597-8f9f-4ece7942cf4b"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L482-L491"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c72f4d7854f7ba813c4872d47aad69edb8c2927f380b9213ced1aca52454eee5"
+ logic_hash = "c72f4d7854f7ba813c4872d47aad69edb8c2927f380b9213ced1aca52454eee5"
 score = 75
 quality = 71
 tags = ""
@@ -262545,13 +263031,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Chaos
 meta:
 description = "Detects files referencing identities associated with Chaos ransomware"
 author = "ditekShen"
- id = "a8ab8e5c-147b-5d4d-93ef-632625fccf17"
+ id = "18476655-1468-569e-b518-ebeaf289fbd6"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L493-L511"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6e8dce1622dbccca6aa15040b49fc9ea05ec7192f8a79409fd7414690102d09a"
+ logic_hash = "6e8dce1622dbccca6aa15040b49fc9ea05ec7192f8a79409fd7414690102d09a"
 score = 75
 quality = 67
 tags = ""
@@ -262576,13 +263062,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Maze
 meta:
 description = "Detects files referencing identities associated with Maze ransomware"
 author = "ditekShen"
- id = "76bcee57-e862-5413-a6d1-e0be7cd8ba93"
+ id = "7cc11912-e5d2-5477-ab9b-0c470bb5e1d6"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L513-L521"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_46070d46c502837e5fb87d0fb75244a1a21e90b4e0ce4b73c408b8dc67fe1bcb"
+ logic_hash = "46070d46c502837e5fb87d0fb75244a1a21e90b4e0ce4b73c408b8dc67fe1bcb"
 score = 75
 quality = 73
 tags = ""
@@ -262598,13 +263084,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Lokilocker
 meta:
 description = "Detects files referencing identities associated with LokiLocker ransomware"
 author = "ditekShen"
- id = "22a8eeb5-251a-5130-bf8e-2b5409472a1e"
+ id = "ab2cf390-4544-54ed-913c-d463d0f1bdb0"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L523-L531"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_1ab9a2ce7e39d916b389e2adb975e3558ddb7d87f7e9494e6b20cb25edd3cb84"
+ logic_hash = "1ab9a2ce7e39d916b389e2adb975e3558ddb7d87f7e9494e6b20cb25edd3cb84"
 score = 75
 quality = 73
 tags = ""
@@ -262620,13 +263106,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Blackcat
 meta:
 description = "Detects files referencing identities associated with BlackCat ransomware"
 author = "ditekShen"
- id = "0a67a0c1-9679-596d-bceb-f4863645032c"
+ id = "21038f8e-73cd-59d2-9eb3-6947d263ab79"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L533-L569"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_eb0a4d26170f030775f778cc524749ca283dfa983f84bd364e4df6321eb96cf1"
+ logic_hash = "eb0a4d26170f030775f778cc524749ca283dfa983f84bd364e4df6321eb96cf1"
 score = 75
 quality = 73
 tags = ""
@@ -262667,13 +263153,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Koxic
 meta:
 description = "Detects files referencing identities associated with LokiLocker ransomware"
 author = "ditekShen"
- id = "4e9b3e5e-6fee-505f-abd4-cb9554df27bd"
+ id = "4c4ff722-cac1-5967-9e79-681f47566e96"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L571-L580"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ca4d0e85cf4c7a134609262e21d5cef98100ba0a046d17ffe51bf3975dc7cae9"
+ logic_hash = "ca4d0e85cf4c7a134609262e21d5cef98100ba0a046d17ffe51bf3975dc7cae9"
 score = 75
 quality = 73
 tags = ""
@@ -262690,13 +263176,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Ryuk
 meta:
 description = "Detects files referencing identities associated with Ryuk ransomware"
 author = "ditekShen"
- id = "bec876ba-e1b8-5e36-a051-11148086aa5e"
+ id = "00cf99da-ff3c-5c91-8966-69a8afc8613a"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L582-L592"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a2b6106fc49dd254ca936e285fa0c2a3aee7110832686638d20d369d77f6c48f"
+ logic_hash = "a2b6106fc49dd254ca936e285fa0c2a3aee7110832686638d20d369d77f6c48f"
 score = 75
 quality = 71
 tags = ""
@@ -262714,13 +263200,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Lockdown
 meta:
 description = "Detects files referencing identities associated with LockDown / cantopen ransomware"
 author = "ditekShen"
- id = "bb07492e-fc83-5507-ba5f-d46a658b06f6"
+ id = "603f0113-d77b-590c-b2a0-804c6d1fbfbc"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L594-L603"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cb17bb92d6e8189a08508481b75d301a1227906815c684753859914d77d7b3e7"
+ logic_hash = "cb17bb92d6e8189a08508481b75d301a1227906815c684753859914d77d7b3e7"
 score = 75
 quality = 73
 tags = ""
@@ -262737,13 +263223,13 @@ rule DITEKSHEN_INDICATOR_KB_LNK_BOI_MAC : FILE
 meta:
 description = "Detects Windows Shortcut .lnk files with previously known bad Birth Object ID and MAC address combination"
 author = "ditekSHen"
- id = "f793dad0-9ff4-53fe-baf7-25652cddd5fa"
+ id = "bfef07dc-a368-5119-82dd-de2096b17dd1"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L605-L637"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_31a7966a0ea0fca363d2b926b06c8acbdae0c24dd2156389196255dbbf4ed662"
+ logic_hash = "31a7966a0ea0fca363d2b926b06c8acbdae0c24dd2156389196255dbbf4ed662"
 score = 75
 quality = 73
 tags = "FILE"
@@ -262781,13 +263267,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Powershellwifistealer
 meta:
 description = "Detects email accounts used for exfiltration observed in PowerShellWiFiStealer"
 author = "ditekShen"
- id = "83bfacc1-1a84-53d0-a8e7-5cd2745cbabe"
+ id = "fa19e422-c682-5464-b034-330942daf3bd"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L691-L704"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f119b54032e2a6ca35819e811e6479b00936115d98ef6e928f4c819d04a8321f"
+ logic_hash = "f119b54032e2a6ca35819e811e6479b00936115d98ef6e928f4c819d04a8321f"
 score = 75
 quality = 63
 tags = ""
@@ -262808,13 +263294,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Powershellcookiestealer
 meta:
 description = "Detects email accounts used for exfiltration observed in PowerShellCookieStealer"
 author = "ditekShen"
- id = "3e0dc1e6-6c69-5978-8b97-81d416c35cca"
+ id = "c2bbb9a8-3e4c-5676-9676-2708a196ef8d"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L706-L715"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_bd404e94939acb92dd56a7d2a1f7536bcb3f520ca1e9dc614b53828afbc6dac8"
+ logic_hash = "bd404e94939acb92dd56a7d2a1f7536bcb3f520ca1e9dc614b53828afbc6dac8"
 score = 75
 quality = 71
 tags = ""
@@ -262831,13 +263317,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Zebrocy : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "61da25a2-12ae-54a0-83a7-b611b0853e24"
+ id = "fc805e9d-47a0-5fcb-9b21-4806c13ab7b4"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1541-L1550"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_16b88460896012b42ca576995f5de98a7a9d2fcc53f8e148427bca31a883d19b"
+ logic_hash = "16b88460896012b42ca576995f5de98a7a9d2fcc53f8e148427bca31a883d19b"
 score = 75
 quality = 75
 tags = "FILE"
@@ -262854,13 +263340,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Gostealer : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "0b3b9779-1a9a-5a3b-9895-1ce8c4a592d4"
+ id = "25c0eb8b-c69c-5f50-b622-daaa3c8c62a4"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1552-L1562"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d548bc2580c8e8233a5fcdf85b947547c10f2c4d0056d14e990f30dd7b9a0672"
+ logic_hash = "d548bc2580c8e8233a5fcdf85b947547c10f2c4d0056d14e990f30dd7b9a0672"
 score = 75
 quality = 75
 tags = "FILE"
@@ -262878,13 +263364,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Goldenaxe : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "1dd52af6-e93b-5b13-b328-f28b45e54dd6"
+ id = "e734d5b4-2332-5b46-a05e-fb35134ea070"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1564-L1573"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4ab9aeaa74530de4a62ddfa8d7e8607e455d0ba4330260037327bec6d8d7abab"
+ logic_hash = "4ab9aeaa74530de4a62ddfa8d7e8607e455d0ba4330260037327bec6d8d7abab"
 score = 75
 quality = 75
 tags = "FILE"
@@ -262901,13 +263387,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Nemty : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "9e15c5c6-3342-5389-9535-b60683c37829"
+ id = "512fe910-e38c-513c-b678-a0592bdc4ae2"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1575-L1588"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_246766ab1d2871b5c22323f622d39ce9fa9b46a2d43bace122ed5549484f3aac"
+ logic_hash = "246766ab1d2871b5c22323f622d39ce9fa9b46a2d43bace122ed5549484f3aac"
 score = 75
 quality = 75
 tags = "FILE"
@@ -262928,13 +263414,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Qnapcrypt : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "b5c590c4-2813-5b5f-8024-94c4534f505c"
+ id = "4cdea15f-d8fd-5720-ba25-eb60e9b0f9ce"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1590-L1598"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b3ee583c395701350c091041a72f988d1b5ae607b642b42152fcda29f9be63e2"
+ logic_hash = "b3ee583c395701350c091041a72f988d1b5ae607b642b42152fcda29f9be63e2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -262950,13 +263436,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Snatch : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "82e0156a-977e-52d4-8a07-4a688955e64b"
+ id = "6ab6b7bc-c905-5ff9-8059-a2d512ba13b3"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1600-L1610"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5a19c791ed0d829c4c97e35cfa604a8716bad3f02632712903d765db95ba87f6"
+ logic_hash = "5a19c791ed0d829c4c97e35cfa604a8716bad3f02632712903d765db95ba87f6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -262974,13 +263460,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Godownloader : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "b344caa1-31b0-5db0-a61f-c34b3f7854ae"
+ id = "da53c062-4a55-543d-b2b6-52acdf13febc"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1612-L1622"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e0f5ee6ade4608a8b5c5bd02bf5aef0fcb9cb1fe1cc3a9d00b1ace91e5d0d33f"
+ logic_hash = "e0f5ee6ade4608a8b5c5bd02bf5aef0fcb9cb1fe1cc3a9d00b1ace91e5d0d33f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -262998,13 +263484,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Ranumbot : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "6e68ee27-d1cb-5550-8307-5898507a7041"
+ id = "f368cd9d-f974-56cf-a2b5-bd300f30cedc"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1624-L1633"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c3d0ba55ca2be1b11ebf1b82490c5d26f2b35958b31a7e55892e27f24bf4118f"
+ logic_hash = "c3d0ba55ca2be1b11ebf1b82490c5d26f2b35958b31a7e55892e27f24bf4118f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263021,13 +263507,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Banload : FILE
 meta:
 description = "Detects Golang Build IDs in known bad samples"
 author = "ditekSHen"
- id = "f00fa107-172f-51cf-8498-5b6b8871a5eb"
+ id = "5955afd5-f26f-5df1-b355-b8f168b694b0"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1635-L1643"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_534de1ce161e5e27f380f96b83630aa75031f268658aa7e8ff8ecce82ed5d4cd"
+ logic_hash = "534de1ce161e5e27f380f96b83630aa75031f268658aa7e8ff8ecce82ed5d4cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263043,13 +263529,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Hive : FILE
 meta:
 description = "Detects Golang Build IDs in Hive ransomware"
 author = "ditekSHen"
- id = "59d892f3-9fe4-5e89-98aa-2cb7515c51b0"
+ id = "7d7f7757-de7b-52a7-aab0-8fda38a86fd1"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1645-L1653"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f311a3661ea3a26ebca6cd283d1e219011acfdfbb13fa8b919ca2724b9f4aae7"
+ logic_hash = "f311a3661ea3a26ebca6cd283d1e219011acfdfbb13fa8b919ca2724b9f4aae7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263065,13 +263551,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Nodachi : FILE
 meta:
 description = "Detects Golang Build IDs in Nodachi"
 author = "ditekSHen"
- id = "1bb12adb-17d4-544f-8bea-4e20f1cb5e23"
+ id = "9d578768-7995-5fb0-8bf1-9c2221cdef80"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1655-L1666"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_177269623e0f3850c37c6b203d9a637fa92c0ed3fa823cc8d885f28cb383bf7d"
+ logic_hash = "177269623e0f3850c37c6b203d9a637fa92c0ed3fa823cc8d885f28cb383bf7d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263090,13 +263576,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Gobrut : FILE
 meta:
 description = "Detects Golang Build IDs in GoBrut"
 author = "ditekSHen"
- id = "38bad9e5-7d19-52e7-8ec7-e893aff03ac8"
+ id = "65953012-fc84-50d0-b769-64df66d8a54b"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1668-L1676"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_40c305f019cb31222fa75a24315764cb5e5356afaa72aefb59916d615a8fca28"
+ logic_hash = "40c305f019cb31222fa75a24315764cb5e5356afaa72aefb59916d615a8fca28"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263112,13 +263598,13 @@ rule DITEKSHEN_INDICATOR_KB_Gobuildid_Biopassdropper : FILE
 meta:
 description = "Detects Golang Build IDs in BioPass dropper"
 author = "ditekSHen"
- id = "f69349a0-d3d4-5d09-aaf4-31efc1ea2b74"
+ id = "b82d34d9-7774-5f99-9d76-b5426e015981"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1678-L1686"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3b586e886b9f901dde1c73aa07ce0d45e4ff417459f298094359ec1c1e02e522"
+ logic_hash = "3b586e886b9f901dde1c73aa07ce0d45e4ff417459f298094359ec1c1e02e522"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263134,13 +263620,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Rhysida
 meta:
 description = "Detects files referencing identities associated with Rhysida ransomware"
 author = "ditekShen"
- id = "4c30fe6f-7379-5af7-941c-2d7f1004c154"
+ id = "7ee0fb41-9267-5b65-ada3-229f2e390da6"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1688-L1697"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e3e07bab2982a30a5372e6708ede6707d132d410aa5b5b1a29bdb5d06910a88e"
+ logic_hash = "e3e07bab2982a30a5372e6708ede6707d132d410aa5b5b1a29bdb5d06910a88e"
 score = 75
 quality = 71
 tags = ""
@@ -263157,13 +263643,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Payola
 meta:
 description = "Detects files referencing identities associated with Payola ransomware"
 author = "ditekShen"
- id = "db39d8f2-21d7-5013-bdbe-d19f03539186"
+ id = "7c1fc06b-fc71-5679-befd-686b2e05e3a4"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1699-L1708"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_568141c03d14faef0cfc4f5fbdec45a5109a1ad5cbbe99e76a1db86e7ef4dc5d"
+ logic_hash = "568141c03d14faef0cfc4f5fbdec45a5109a1ad5cbbe99e76a1db86e7ef4dc5d"
 score = 75
 quality = 71
 tags = ""
@@ -263180,13 +263666,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Xorist
 meta:
 description = "Detects files referencing identities associated with Xorist ransomware"
 author = "ditekShen"
- id = "d95a280c-ee85-55c9-a988-20c8c136cf81"
+ id = "151d182c-c60a-54dd-a3d2-b32d27521b57"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1710-L1723"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5975a730ad1a1f7e54e95ec5897aa2940ccc3ed1aa8e83b38cb7ac836c233208"
+ logic_hash = "5975a730ad1a1f7e54e95ec5897aa2940ccc3ed1aa8e83b38cb7ac836c233208"
 score = 75
 quality = 67
 tags = ""
@@ -263207,13 +263693,13 @@ rule DITEKSHEN_INDICATOR_KB_ID_Ransomware_Blackhunt
 meta:
 description = "Detects files referencing identities associated with BlackHunt ransomware"
 author = "ditekShen"
- id = "6c158ed8-6a61-5a40-9e92-80ae8c523e30"
+ id = "87613fcc-7d9a-57ba-9653-c48760dd5ef0"
 date = "2024-01-23"
 modified = "2024-01-23"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_knownbad_id.yar#L1725-L1739"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_6b875d4abdedc8032f89ab3cbdf4acdc855d83b5bcc08f96b2fbc38b4a5daa7f"
+ logic_hash = "6b875d4abdedc8032f89ab3cbdf4acdc855d83b5bcc08f96b2fbc38b4a5daa7f"
 score = 75
 quality = 61
 tags = ""
@@ -263235,13 +263721,13 @@ rule DITEKSHEN_INDICATOR_JAVA_Packed_Allatori
 meta:
 description = "Detects files packed with Allatori Java Obfuscator"
 author = "ditekSHen"
- id = "aad2336b-b0c1-5db3-85c4-1e81e0239a89"
+ id = "16b9f455-ba73-5f09-9822-8349c53fa965"
 date = "2023-08-29"
 modified = "2023-08-29"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_packed.yar#L113-L121"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ac48a573eb9d9fffe38d09993ff062f308edb07b8a7498e332cc3eb501d48db7"
+ logic_hash = "ac48a573eb9d9fffe38d09993ff062f308edb07b8a7498e332cc3eb501d48db7"
 score = 75
 quality = 75
 tags = ""
@@ -263258,13 +263744,13 @@ rule DITEKSHEN_INDICATOR_EXE_Python_Byte_Compiled : FILE
 meta:
 description = "Detects python-byte compiled executables"
 author = "ditekSHen"
- id = "327718ed-cf7d-5658-b4aa-592d9f9d7c54"
+ id = "04ae604c-6176-54cf-98e9-4386e52420f8"
 date = "2023-08-29"
 modified = "2023-08-29"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_packed.yar#L211-L220"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_212d525509a4d8fb7f1b5efa929526c8758549bfdb8591c88ce602315e6b3147"
+ logic_hash = "212d525509a4d8fb7f1b5efa929526c8758549bfdb8591c88ce602315e6b3147"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263282,13 +263768,13 @@ rule DITEKSHEN_INDICATOR_MSI_EXE2MSI : FILE
 meta:
 description = "Detects executables converted to .MSI packages using a free online converter."
 author = "ditekSHen"
- id = "9aec32aa-93e0-5983-ade4-4a5214d88ae7"
+ id = "039df7b6-e4bf-5537-ae5b-f2168044e77e"
 date = "2023-08-29"
 modified = "2023-08-29"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_packed.yar#L222-L233"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_afd48b54766600805ae1aeef13b11de4ca160ea1f96419a4090ab9dae55fa4cd"
+ logic_hash = "afd48b54766600805ae1aeef13b11de4ca160ea1f96419a4090ab9dae55fa4cd"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263308,13 +263794,13 @@ rule DITEKSHEN_INDICATOR_PY_Packed_Pyminifier : FILE
 meta:
 description = "Detects python code potentially obfuscated using PyMinifier"
 author = "ditekSHen"
- id = "e71ab35e-8abf-5740-9b66-d61144cff712"
+ id = "a111c116-a2b3-5689-8d44-221adf37e932"
 date = "2023-08-29"
 modified = "2023-08-29"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_packed.yar#L331-L339"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_c7e916906d4654215de6d12e1bff790f24bcf69e97a7e5314a2a057a91b135a3"
+ logic_hash = "c7e916906d4654215de6d12e1bff790f24bcf69e97a7e5314a2a057a91b135a3"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263331,13 +263817,13 @@ rule DITEKSHEN_INDICATOR_RTF_EXPLOIT_CVE_2017_0199_1 : CVE_2017_0199 FILE
 meta:
 description = "Detects RTF documents potentially exploiting CVE-2017-0199"
 author = "ditekSHen"
- id = "c61403a9-043e-53c0-a843-efed9fd9b31f"
+ id = "74b3702a-7b4d-58be-ad2c-c2b1cf0ebc50"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L1-L69"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_06b75267f00b775a6c1cd7a2022a9cfa0ea2c976f969c2c066be51449f197f58"
+ logic_hash = "06b75267f00b775a6c1cd7a2022a9cfa0ea2c976f969c2c066be51449f197f58"
 score = 75
 quality = 75
 tags = "CVE-2017-0199, FILE"
@@ -263384,13 +263870,13 @@ rule DITEKSHEN_INDICATOR_RTF_EXPLOIT_CVE_2017_8759_1 : CVE_2017_8759 FILE
 meta:
 description = "detects CVE-2017-8759 weaponized RTF documents."
 author = "ditekSHen"
- id = "149bfbc0-57fe-5351-a47c-a2e8471e521e"
+ id = "8f873145-b909-5185-9f85-07c820d1f38e"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L215-L238"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_595dc0153a2349fbd4f92dd544a3dfd05715059dd639653e7c7e6ac80624360e"
+ logic_hash = "595dc0153a2349fbd4f92dd544a3dfd05715059dd639653e7c7e6ac80624360e"
 score = 75
 quality = 75
 tags = "CVE-2017-8759, FILE"
@@ -263418,13 +263904,13 @@ rule DITEKSHEN_INDICATOR_RTF_EXPLOIT_CVE_2017_8759_2 : CVE_2017_8759 FILE
 meta:
 description = "detects CVE-2017-8759 weaponized RTF documents."
 author = "ditekSHen"
- id = "8f616717-1bb1-57d6-bf31-fa05b9b0a723"
+ id = "92c8f45e-3792-51b3-bda4-7e9eae0e9a80"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L240-L268"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_15c9a5cfce5d1a797bab049352d8506b8bc112cabe2f510019f5d203690419e8"
+ logic_hash = "15c9a5cfce5d1a797bab049352d8506b8bc112cabe2f510019f5d203690419e8"
 score = 75
 quality = 75
 tags = "CVE-2017-8759, FILE"
@@ -263455,13 +263941,13 @@ rule DITEKSHEN_INDICATOR_RTF_Exploit_Scripting : CVE_2017_8759 CVE_2017_8570 FIL
 meta:
 description = "detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents."
 author = "ditekSHen"
- id = "b5a09bfb-d6ec-56c6-a93b-aaa1bc6a301b"
+ id = "e8fd1231-3ef5-5b0b-987c-f55337804da3"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L270-L302"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a1f4c833f0132dcbe2b3677d6ac0f3597c152702515375d60d4332c21183bd76"
+ logic_hash = "a1f4c833f0132dcbe2b3677d6ac0f3597c152702515375d60d4332c21183bd76"
 score = 75
 quality = 75
 tags = "CVE-2017-8759, CVE-2017-8570, FILE"
@@ -263496,13 +263982,13 @@ rule DITEKSHEN_INDICATOR_RTF_Embedded_Excel_Sheetmacroenabled : FILE
 meta:
 description = "Detects RTF documents embedding an Excel sheet with macros enabled. Observed in exploit followed by dropper behavior"
 author = "ditekSHen"
- id = "7eb0f19f-877a-5ce4-b51b-799ccca35f86"
+ id = "342d10b3-61d2-5fcb-8f4f-1fe45049257b"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L304-L328"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cc3b52e549c2697c6e0a2fea365d193311d90d26854bd2fe321aa26c118975a0"
+ logic_hash = "cc3b52e549c2697c6e0a2fea365d193311d90d26854bd2fe321aa26c118975a0"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263531,13 +264017,13 @@ rule DITEKSHEN_INDICATOR_OLE_Metadatacmd : FILE
 meta:
 description = "Detects OLE documents with Windows command-line utilities commands (certutil, powershell, etc.) stored in the metadata (author, last modified by, etc.)."
 author = "ditekSHen"
- id = "6045b583-8794-511a-ab45-d5aeac9adf5b"
+ id = "63b23630-b344-5fba-95f4-950d072beaff"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L330-L349"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0562d026a1ad4510310ebff5da154064f92afc7bf714973f7de362435476772c"
+ logic_hash = "0562d026a1ad4510310ebff5da154064f92afc7bf714973f7de362435476772c"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263558,13 +264044,13 @@ rule DITEKSHEN_INDICATOR_RTF_Equation_Bitsadmin_Downloader : FILE
 meta:
 description = "Detects RTF documents that references both Microsoft Equation Editor and BITSAdmin. Common exploit + dropper behavior."
 author = "ditekSHen"
- id = "c18ddbf1-7087-5345-acfe-8527c10fbbbc"
+ id = "e96a6f18-9a5e-58ca-829e-c82b444ad403"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L428-L451"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_39a07a0af243e929a6b3df48b6cf8a9d30bc8ef9e7deac494348945427b015e7"
+ logic_hash = "39a07a0af243e929a6b3df48b6cf8a9d30bc8ef9e7deac494348945427b015e7"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263591,13 +264077,13 @@ rule DITEKSHEN_INDICATOR_RTF_Equation_Certutil_Downloader : FILE
 meta:
 description = "Detects RTF documents that references both Microsoft Equation Editor and CertUtil. Common exploit + dropper behavior."
 author = "ditekSHen"
- id = "b1d36f9e-f272-5013-9501-7e08f568d2d0"
+ id = "a47f31f9-91fc-5009-8aff-2b9e334c3139"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L453-L476"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d6c62957ce40ed755a84bd9aa8900e4990c466097d6df55c539b289bf50fe94e"
+ logic_hash = "d6c62957ce40ed755a84bd9aa8900e4990c466097d6df55c539b289bf50fe94e"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263624,13 +264110,13 @@ rule DITEKSHEN_INDICATOR_RTF_Equation_Powershell_Downloader : FILE
 meta:
 description = "Detects RTF documents that references both Microsoft Equation Editor and PowerShell. Common exploit + dropper behavior."
 author = "ditekSHen"
- id = "df0520ef-163f-5a39-85e0-29dc664aff4e"
+ id = "5d1d65ef-e183-5a0d-a0fa-d0d5f09f21a1"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L478-L501"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_0b8b9b7b40f8b4d659de9e025a65d5c6b64c6066bb618a3e7ed3c318f70befe5"
+ logic_hash = "0b8b9b7b40f8b4d659de9e025a65d5c6b64c6066bb618a3e7ed3c318f70befe5"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263657,13 +264143,13 @@ rule DITEKSHEN_INDICATOR_RTF_LNK_Shell_Explorer_Execution : FILE
 meta:
 description = "detects RTF files with Shell.Explorer.1 OLE objects with embedded LNK files referencing an executable."
 author = "ditekSHen"
- id = "62a964d9-61c9-5a66-825f-635b594d6e12"
+ id = "2cac4dd8-086a-5220-a658-94cedd9cf7c3"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L503-L517"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_4c11a37425e260692e11dc8fca317611106245d1590081a7038036ad568702f8"
+ logic_hash = "4c11a37425e260692e11dc8fca317611106245d1590081a7038036ad568702f8"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263682,13 +264168,13 @@ rule DITEKSHEN_INDICATOR_RTF_Forms_HTML_Execution : FILE
 meta:
 description = "detects RTF files with Forms.HTML:Image.1 or Forms.HTML:Submitbutton.1 OLE objects referencing file or HTTP URLs."
 author = "ditekSHen"
- id = "5456fe04-3b5e-5819-9429-459d8e7bb7b8"
+ id = "26b21c94-9192-53be-808b-b553f87769e1"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L519-L533"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_5e8a2072971c40d6fbc0e0265a9adfbe4faa04d0f3c6962fda443da33aa06906"
+ logic_hash = "5e8a2072971c40d6fbc0e0265a9adfbe4faa04d0f3c6962fda443da33aa06906"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263707,13 +264193,13 @@ rule DITEKSHEN_INDICATOR_PUB_MSIEXEC_Remote : FILE
 meta:
 description = "detects VB-enable Microsoft Publisher files utilizing Microsoft Installer to retrieve remote files and execute them"
 author = "ditekSHen"
- id = "cd529d04-793b-5637-9628-46ec54be67de"
+ id = "518db2bb-174b-54c4-b330-1e8a8e36265d"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L535-L549"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_be5407e6e6e21e77f6de1d3a378996bfc6ce4326986aa03eb152e772bb495184"
+ logic_hash = "be5407e6e6e21e77f6de1d3a378996bfc6ce4326986aa03eb152e772bb495184"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263735,13 +264221,13 @@ rule DITEKSHEN_INDICATOR_RTF_Ancalog_Exploit_Builder_Document : FILE
 meta:
 description = "Detects documents generated by Phantom Crypter/Ancalog"
 author = "ditekSHen"
- id = "c138bca6-d792-5993-9d38-51f6fc6e5be4"
+ id = "01e7f949-8ced-5355-978c-34d6e639e61a"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L551-L563"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_e458be78ca8975d067110dc38119437b3ffe55afdbfdab47468c9ed74bba9f9d"
+ logic_hash = "e458be78ca8975d067110dc38119437b3ffe55afdbfdab47468c9ed74bba9f9d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263761,13 +264247,13 @@ rule DITEKSHEN_INDICATOR_RTF_Threadkit_Exploit_Builder_Document : FILE
 meta:
 description = "Detects vaiations of RTF documents generated by ThreadKit builder."
 author = "ditekSHen"
- id = "0ccedd91-af38-5e0c-aaed-5379a54d749a"
+ id = "f4a4e7f0-ea2f-523f-9634-a939dc90706e"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L565-L582"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f2308ac6ae5345e0c783871dd6b471397ec83ba7194db5cc74c8984d84c2c0c2"
+ logic_hash = "f2308ac6ae5345e0c783871dd6b471397ec83ba7194db5cc74c8984d84c2c0c2"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263790,13 +264276,13 @@ rule DITEKSHEN_INDICATOR_XML_Legacydrawing_Autoload_Document : FILE
 meta:
 description = "detects AutoLoad documents using LegacyDrawing"
 author = "ditekSHen"
- id = "be48164b-037d-59f0-a2bd-26504ae71f23"
+ id = "ce116601-7048-5a3f-9b73-5127ca3b359e"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L584-L594"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a038636f5e8e7837c2209072f1659b921c8a9a48d4ed153e735915cf1f7f3fcc"
+ logic_hash = "a038636f5e8e7837c2209072f1659b921c8a9a48d4ed153e735915cf1f7f3fcc"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263814,13 +264300,13 @@ rule DITEKSHEN_INDICATOR_XML_OLE_Autoload_Document : FILE
 meta:
 description = "detects AutoLoad documents using OLE Object"
 author = "ditekSHen"
- id = "e1e02fe1-d583-52f7-8263-cbff12407f40"
+ id = "b3d682c3-641a-554a-8607-e99d07e9a57d"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L596-L606"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b262a9f8e82dea55afc26acac731827b64f52069a2bf314f716832b3dfc2c04f"
+ logic_hash = "b262a9f8e82dea55afc26acac731827b64f52069a2bf314f716832b3dfc2c04f"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263838,13 +264324,13 @@ rule DITEKSHEN_INDICATOR_XML_Squiblydoo_1 : FILE
 meta:
 description = "detects Squiblydoo variants extracted from exploit RTF documents."
 author = "ditekSHen"
- id = "4dddd68b-293c-5552-8937-aa4b78282b3e"
+ id = "cac326ab-cc31-59c1-bd12-285db1675695"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L608-L622"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_b52ebd76dd4e60f6bd5cb19fed3a72b6aeb90dea95f0d1be61dcfff39ea674ae"
+ logic_hash = "b52ebd76dd4e60f6bd5cb19fed3a72b6aeb90dea95f0d1be61dcfff39ea674ae"
 score = 75
 quality = 75
 tags = "FILE"
@@ -263866,13 +264352,13 @@ rule DITEKSHEN_INDICATOR_OLE_Suspicious_Reverse : FILE
 meta:
 description = "detects OLE documents containing VB scripts with reversed suspicious strings"
 author = "ditekSHen"
- id = "8ec28f09-aa84-5799-b493-fa2035d684d4"
+ id = "a7f4d18d-add6-5df2-9a8c-f88d8e3766da"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L624-L644"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_04950549eede23b7006103539f20437713a54138c073d9805048392ea0a3df2a"
+ logic_hash = "04950549eede23b7006103539f20437713a54138c073d9805048392ea0a3df2a"
 score = 65
 quality = 71
 tags = "FILE"
@@ -263897,13 +264383,13 @@ rule DITEKSHEN_INDICATOR_OLE_Suspicious_Activex : FILE
 meta:
 description = "detects OLE documents with suspicious ActiveX content"
 author = "ditekSHen"
- id = "13bc3e82-ed25-532e-8b97-665ff54333c4"
+ id = "e4a74955-8519-561d-bb23-6469e7ae5aaa"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L646-L676"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_d9a672b0eeccd93b4ae98fef45560490171f8fc16b712d1e0141fc0ef1d0e342"
+ logic_hash = "d9a672b0eeccd93b4ae98fef45560490171f8fc16b712d1e0141fc0ef1d0e342"
 score = 65
 quality = 73
 tags = "FILE"
@@ -263938,13 +264424,13 @@ rule DITEKSHEN_INDICATOR_OLE_Suspicious_MITRE_T1117 : T1117 FILE
 meta:
 description = "Detects MITRE technique T1117 in OLE documents"
 author = "ditekSHen"
- id = "88694a38-bdba-5321-aa4c-b01803b12df4"
+ id = "0f41b011-2b63-581f-aa10-9560f27d0a27"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L678-L689"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f0d97f4de8bde18299ee0caee680a15070a1faa99fc318d144a7b7918c8cbb1f"
+ logic_hash = "f0d97f4de8bde18299ee0caee680a15070a1faa99fc318d144a7b7918c8cbb1f"
 score = 65
 quality = 75
 tags = "T1117, FILE"
@@ -263963,13 +264449,13 @@ rule DITEKSHEN_INDICATOR_OLE_Remotetemplate
 meta:
 description = "Detects XML relations where an OLE object is refrencing an external target in dropper OOXML documents"
 author = "ditekSHen"
- id = "7ace8581-e087-58e0-ad4e-793ff361c7b7"
+ id = "fbf40436-fc0a-5e55-89ac-5e1dd93e1833"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L691-L702"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_80cc5b1a8a8899f632401956055374d265c734449e56ffeee5f0ba4911050f36"
+ logic_hash = "80cc5b1a8a8899f632401956055374d265c734449e56ffeee5f0ba4911050f36"
 score = 75
 quality = 75
 tags = ""
@@ -263988,13 +264474,13 @@ rule DITEKSHEN_INDICATOR_RTF_Malver_Objects : FILE
 meta:
 description = "Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents."
 author = "ditekSHen"
- id = "1df08d1e-9753-566a-9a58-5d5879debb07"
+ id = "2d9d80e0-473e-5aac-a576-8f0002e120e2"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L704-L718"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_69136fb8ba180f6f86e569471bcefe8f55c61af73c66ebd6062ba7369aee9a72"
+ logic_hash = "69136fb8ba180f6f86e569471bcefe8f55c61af73c66ebd6062ba7369aee9a72"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264015,13 +264501,13 @@ rule DITEKSHEN_INDICATOR_PPT_Mastermana : FILE
 meta:
 description = "Detects known malicious pattern (MasterMana) in PowerPoint documents."
 author = "ditekSHen"
- id = "993e0369-1853-539a-8a50-b2947a0810d9"
+ id = "8e9b8185-6211-54c6-946d-b16f2226312a"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L720-L740"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_f8169e63b22fbbd48de9a63ff228d9d9fb105e95d2ea8a37c0993493515e8b2e"
+ logic_hash = "f8169e63b22fbbd48de9a63ff228d9d9fb105e95d2ea8a37c0993493515e8b2e"
 score = 75
 quality = 71
 tags = "FILE"
@@ -264049,13 +264535,13 @@ rule DITEKSHEN_INDICATOR_XML_Webrelframe_Remotetemplate : FILE
 meta:
 description = "Detects XML web frame relations refrencing an external target in dropper OOXML documents"
 author = "ditekSHen"
- id = "cf7bb8e1-a8bc-5e33-b92b-6c9d1dd6eba9"
+ id = "724650db-8d58-5e73-92e7-287890babc3b"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L742-L752"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_fbe209e31ddb4369de02b6e91bf65f0588089c7b838dcf80f182248790b59e20"
+ logic_hash = "fbe209e31ddb4369de02b6e91bf65f0588089c7b838dcf80f182248790b59e20"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264073,13 +264559,13 @@ rule DITEKSHEN_INDICATOR_PDF_Ipdropper : FILE
 meta:
 description = "Detects PDF documents with Action and URL pointing to direct IP address"
 author = "ditekSHen"
- id = "55cf6968-5704-5cc8-bb7f-e1514632ab35"
+ id = "83368671-f1ec-5b09-9d55-6e45e576ebdb"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L754-L763"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_be37ee7ef5d8c980483f31bf5667c2dad4321d662be05c495ec6755362d33fd6"
+ logic_hash = "be37ee7ef5d8c980483f31bf5667c2dad4321d662be05c495ec6755362d33fd6"
 score = 60
 quality = 35
 tags = "FILE"
@@ -264096,13 +264582,13 @@ rule DITEKSHEN_INDICATOR_OLE_Excel4Macros_DL1 : FILE
 meta:
 description = "Detects OLE Excel 4 Macros documents acting as downloaders"
 author = "ditekSHen"
- id = "a08a3833-4622-5e8e-90c2-49ad799ce875"
+ id = "4212d762-ea49-5884-b697-9313f43140d5"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L765-L789"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a3248027b83b982cccf235267aa27def4f640987d41c5f11509bde3e27b82fee"
+ logic_hash = "a3248027b83b982cccf235267aa27def4f640987d41c5f11509bde3e27b82fee"
 score = 75
 quality = 25
 tags = "FILE"
@@ -264131,13 +264617,13 @@ rule DITEKSHEN_INDICATOR_OLE_Excel4Macros_DL2 : FILE
 meta:
 description = "Detects OLE Excel 4 Macros documents acting as downloaders"
 author = "ditekSHen"
- id = "f752b909-b632-5241-8bd6-957687bebd6a"
+ id = "ea331976-6e5d-5377-a100-0f265e97177f"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L791-L812"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_48ab27a2f81934f6f2f034ebcd40fc083b0d90850d12a951f03dab3a4c396ec6"
+ logic_hash = "48ab27a2f81934f6f2f034ebcd40fc083b0d90850d12a951f03dab3a4c396ec6"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264166,13 +264652,13 @@ rule DITEKSHEN_INDICATOR_RTF_Embedded_Excel_Urldownloadtofile : FILE
 meta:
 description = "Detects RTF documents that embed Excel documents for detection evation."
 author = "ditekSHen"
- id = "883f92e4-ab64-59f3-8b77-4deb432bef50"
+ id = "39b8723c-1755-5e2f-8fb2-cca5e9eef915"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L814-L840"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_9416664683c249a9dc2b3d506d9dea7067a638cc4ee5ef7138e5b33a8fcd2b96"
+ logic_hash = "9416664683c249a9dc2b3d506d9dea7067a638cc4ee5ef7138e5b33a8fcd2b96"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264202,13 +264688,13 @@ rule DITEKSHEN_INDICATOR_OLE_Excel4Macros_DL3 : FILE
 meta:
 description = "Detects OLE Excel 4 Macros documents acting as downloaders"
 author = "ditekSHen"
- id = "33cf3576-e6f9-589a-9f37-99ddbcd79911"
+ id = "794cac49-e917-5282-8cbd-8ecf91a2dc9e"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L842-L860"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_83eaf60b900119b9fcd458e9e9dda119fd71785821bf282e9385031368ff9891"
+ logic_hash = "83eaf60b900119b9fcd458e9e9dda119fd71785821bf282e9385031368ff9891"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264234,13 +264720,13 @@ rule DITEKSHEN_INDICATOR_DOC_Phishingpatterns : FILE
 meta:
 description = "Detects OLE, RTF, PDF and OOXML (decompressed) documents with common phishing strings"
 author = "ditekSHen"
- id = "125cd004-546f-5257-ac49-22154f9c0a95"
+ id = "67372eb5-ed07-5062-a12e-9ad8c7070f0f"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L862-L883"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_50b6566cb18512f887c07576391eb492101f7534da3460d5f7740ee6f4cf707d"
+ logic_hash = "50b6566cb18512f887c07576391eb492101f7534da3460d5f7740ee6f4cf707d"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264269,13 +264755,13 @@ rule DITEKSHEN_INDICATOR_OOXML_Excel4Macros_EXEC : FILE
 meta:
 description = "Detects OOXML (decompressed) documents with Excel 4 Macros XLM macrosheet"
 author = "ditekSHen"
- id = "fe89616e-613e-56b0-a00d-12f9080a495d"
+ id = "674ef310-d3bc-5e15-862f-29aa111becb3"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L885-L898"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_ab3994e4082390f65d030db0b898a20df1d7e4b0ca2fdedc7a9d0f1480fd0334"
+ logic_hash = "ab3994e4082390f65d030db0b898a20df1d7e4b0ca2fdedc7a9d0f1480fd0334"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264296,13 +264782,13 @@ rule DITEKSHEN_INDICATOR_OOXML_Excel4Macros_Autoopenhidden : FILE
 meta:
 description = "Detects OOXML (decompressed) documents with Excel 4 Macros XLM macrosheet auto_open and state hidden"
 author = "ditekSHen"
- id = "3ed60f98-34ef-5af1-806b-bd4b84925a55"
+ id = "c5aab620-5254-5fc6-b236-4fe0f69cbd8e"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L900-L910"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_a93d8aa7ac025a0c2e8a9ac833f6d4c3cd3769ffca3f87455f43411d0021e828"
+ logic_hash = "a93d8aa7ac025a0c2e8a9ac833f6d4c3cd3769ffca3f87455f43411d0021e828"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264320,13 +264806,13 @@ rule DITEKSHEN_INDICATOR_SUSPICOIUS_RTF_Encodedurl : FILE
 meta:
 description = "Detects executables calling ClearMyTracksByProcess"
 author = "ditekSHen"
- id = "f8e3608f-f223-57fd-bd52-038c20deffdd"
+ id = "6b3f0434-24b2-5ae8-a6fc-c0fdded4996f"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L930-L941"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_cb791bb5e2af46ff9f1f07cef33bbd51edc44b2394d6f3eff31d39eaa5ff2a33"
+ logic_hash = "cb791bb5e2af46ff9f1f07cef33bbd51edc44b2394d6f3eff31d39eaa5ff2a33"
 score = 75
 quality = 75
 tags = "FILE"
@@ -264345,13 +264831,13 @@ rule DITEKSHEN_INDICATOR_RTF_Remotetemplate : CVE_2017_11882 FILE
 meta:
 description = "Detects RTF documents potentially exploiting CVE-2017-11882"
 author = "ditekSHen"
- id = "66cd46ff-5c9d-511d-a8da-a2dbf7be44bc"
+ id = "59b31243-a360-531f-99ea-32b54d19ab52"
 date = "2024-09-06"
 modified = "2024-09-06"
 reference = "https://github.com/ditekshen/detection"
 source_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/yara/indicator_office.yar#L943-L953"
 license_url = "https://github.com/ditekshen/detection/blob/e76c93dcdedff04076380ffc60ea54e45b313635/LICENSE.txt"
- logic_hash = "v1_sha256_3a75072bc4d9c7dc53220afe359911c04cd3267c142058352de80ec430a53517"
+ logic_hash = "3a75072bc4d9c7dc53220afe359911c04cd3267c142058352de80ec430a53517"
 score = 60
 quality = 35
 tags = "CVE-2017-11882, FILE"
@@ -264368,7 +264854,7 @@ rule DITEKSHEN_INDICATOR_RTF_Remotetemplate : CVE_2017_11882 FILE * YARA Rule Set * Repository Name: WithSecureLabs * Repository: https://github.com/WithSecureLabs/iocs - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: 29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c * Number of Rules: 5 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) @@ -264408,13 +264894,13 @@ rule WITHSECURELABS_SILKLOADER meta: description = "Detects SILKLOADER samples" author = "WithSecure" - id = "e2282d83-3112-57ad-9841-482cf973a77e" + id = "bb8a543e-fdbf-5be1-901e-3e2a9965fd62" date = "2023-03-15" modified = "2023-03-15" reference = "https://labs.withsecure.com/publications/silkloader" source_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/SILKLOADER/silkloader.yar#L2-L20" license_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/LICENSE" - logic_hash = "v1_sha256_48aa249ea78e5a3bfe9934fd0dfa26b79f9e6cbe1e5b1426b84f8d8a3d77d742" + logic_hash = "48aa249ea78e5a3bfe9934fd0dfa26b79f9e6cbe1e5b1426b84f8d8a3d77d742" score = 75 quality = 75 tags = "" 
@@ -264437,13 +264923,13 @@ rule WITHSECURELABS_Ducktail_Nativeaot : FILE meta: description = "Detects NativeAOT variants of DUCKTAIL malware" author = "WithSecure" - id = "bfe6cacd-5b88-5c64-86a1-6273cb8d8d64" + id = "1961d3e1-987b-588b-bfc2-8239797cd049" date = "2022-11-17" modified = "2022-11-22" reference = "https://labs.withsecure.com/publications/ducktail_returns" source_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/DUCKTAIL/ducktail_nativeaot.yara#L2-L22" license_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/LICENSE" - logic_hash = "v1_sha256_976b28ac45e5a13d4ce900b857e6bd3afc82b65b0235791fd698b762287cd60e" + logic_hash = "976b28ac45e5a13d4ce900b857e6bd3afc82b65b0235791fd698b762287cd60e" score = 75 quality = 75 tags = "FILE" @@ -264460,13 +264946,13 @@ rule WITHSECURELABS_Ducktail_Artifacts : FILE meta: description = "Detects artifacts found in files associated to DUCKTAIL malware" author = "WithSecure" - id = "69ea6739-d743-5e62-8242-4aab51320c4f" + id = "937c9688-b74f-5e02-838f-ab6757a8d2a1" date = "2022-07-18" modified = "2022-07-26" reference = "https://labs.withsecure.com/publications/ducktail" source_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/DUCKTAIL/ducktail_artifacts.yar#L1-L20" license_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/LICENSE" - logic_hash = "v1_sha256_1daa5e654058c802826b6a306b5bfc9d0c05c4ee54607e94e618a8d409ce74d9" + logic_hash = "1daa5e654058c802826b6a306b5bfc9d0c05c4ee54607e94e618a8d409ce74d9" score = 75 quality = 75 tags = "FILE" 
@@ -264489,13 +264975,13 @@ rule WITHSECURELABS_Ducktail_Dotnet_Core_Infostealer : FILE meta: description = "Detects DUCKTAIL malware written in .NET Core" author = "WithSecure" - id = "edddfd83-7d75-5cd9-959a-bfcd02a7d1d6" + id = "22eef7ce-9e11-55ec-9f0b-00a6776f8eee" date = "2022-07-18" modified = "2022-07-25" reference = "https://labs.withsecure.com/publications/ducktail" source_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/DUCKTAIL/ducktail_dotnet_core_infostealer.yar#L1-L103" license_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/LICENSE" - logic_hash = "v1_sha256_81b4da5860894397e9cd416e451c3098f8560407cd79f070f8edd5a3ba91512a" + logic_hash = "81b4da5860894397e9cd416e451c3098f8560407cd79f070f8edd5a3ba91512a" score = 75 quality = 50 tags = "FILE" @@ -264594,13 +265080,13 @@ rule WITHSECURELABS_Kapeka_Backdoor : FILE meta: description = "Detects Kapeka backdoor based on common strings." author = "WithSecure" - id = "5290a735-9ffe-5a79-9e0e-bf6ea762cbfc" + id = "7b874a4a-a009-5365-9c31-ca61bf5ab491" date = "2024-04-17" modified = "2024-04-17" reference = "https://labs.withsecure.com/publications/kapeka" source_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/Kapeka/kapeka_backdoor.yar#L2-L21" license_url = "https://github.com/WithSecureLabs/iocs/blob/29adc4b6c2c2850f0f385aec77ab6fc0d7a8f20c/LICENSE" - logic_hash = "v1_sha256_49795c6e3f3690eeccd731a9ba0c6bd8d5840d9171939e71d3a4d6f0d1834f05" + logic_hash = "49795c6e3f3690eeccd731a9ba0c6bd8d5840d9171939e71d3a4d6f0d1834f05" score = 75 quality = 25 tags = "FILE" 
@@ -264623,7 +265109,7 @@ rule WITHSECURELABS_Kapeka_Backdoor : FILE * YARA Rule Set * Repository Name: HarfangLab * Repository: https://github.com/HarfangLab/iocs - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: 8dd8e9296b110ce3fb13bc557a0295dff8c4c357 * Number of Rules: 18 * Skipped: 0 (age), 1 (quality), 0 (score), 0 (importance) @@ -264638,14 +265124,14 @@ rule HARFANGLAB_Masepie_Campaign_Htmlstarter : FILE meta: description = "Detect Malicious Web page HTML file from CERT-UA#8399" author = "HarfangLab" - id = "84611cb9-494f-51dc-8f44-d30a4f5f70c2" + id = "0cca485c-7941-5760-8c24-d993dcbf376d" date = "2024-01-24" modified = "2024-09-05" reference = "TRR240101;https://cert.gov.ua/article/6276894" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L1-L16" license_url = "N/A" hash = "628bc9f4aa71a015ec415d5d7d8cb168359886a231e17ecac2e5664760ee8eba" - logic_hash = "v1_sha256_d131372c6ad01ae77e5630bae0c0a04ce311718eb1bcf423e6575f3b0ecdba5d" + logic_hash = "d131372c6ad01ae77e5630bae0c0a04ce311718eb1bcf423e6575f3b0ecdba5d" score = 75 quality = 80 tags = "FILE" @@ -264663,14 +265149,14 @@ rule HARFANGLAB_Masepie_Campaign_Webdavlnk : FILE meta: description = "Detect Malicious LNK from CERT-UA#8399" author = "HarfangLab" - id = "0bc10990-c6df-5398-9b15-657629e23f4a" + id = "de7fd592-e733-52d0-af9b-55adf37eaf74" date = "2024-01-24" modified = "2024-09-05" reference = "TRR240101;https://cert.gov.ua/article/6276894" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L17-L39" license_url = "N/A" hash = "19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc" - logic_hash = "v1_sha256_26075e47b54404c55f4ca5eb757efa2b1711d919de0ffbfbdf6935e2e4dd3f3d" + logic_hash = "26075e47b54404c55f4ca5eb757efa2b1711d919de0ffbfbdf6935e2e4dd3f3d" score = 75 quality = 80 tags = "FILE" 
@@ -264691,14 +265177,14 @@ rule HARFANGLAB_Masepie_Campaign_Masepie : FILE meta: description = "Detect MASEPIE from CERT-UA#8399" author = "HarfangLab" - id = "238a8d03-fd62-5642-b19a-207c6b91fcf9" + id = "f0a034fa-38d4-5c54-b865-f830f85e245e" date = "2024-01-24" modified = "2024-09-05" reference = "TRR240101;https://cert.gov.ua/article/6276894" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L40-L60" license_url = "N/A" hash = "18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6" - logic_hash = "v1_sha256_02da8119267978e63e3ee5ecdefb52285718f8875ec64d320f2752460c05588d" + logic_hash = "02da8119267978e63e3ee5ecdefb52285718f8875ec64d320f2752460c05588d" score = 75 quality = 78 tags = "FILE" @@ -264721,14 +265207,14 @@ rule HARFANGLAB_Masepie_Campaign_Oceanmap : FILE meta: description = "Detect OCEANMAP from CERT-UA#8399" author = "HarfangLab" - id = "a2e4e5b9-1bf8-51f8-9aed-6c6338dcd444" + id = "7dcbce01-ab91-56ae-8789-e2e25ba1bf8c" date = "2024-01-24" modified = "2024-01-31" reference = "TRR240101;https://cert.gov.ua/article/6276894" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L61-L95" license_url = "N/A" hash = "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04" - logic_hash = "v1_sha256_5fe244025f49358b4285e1272489378a46363ae915881dece26691d971aa93f3" + logic_hash = "5fe244025f49358b4285e1272489378a46363ae915881dece26691d971aa93f3" score = 75 quality = 78 tags = "FILE" 
@@ -264761,13 +265247,13 @@ rule HARFANGLAB_Allasenhamaycampaign_Executorloader meta: description = "Detects Delphi ExecutorLoader DLLs and executables." author = "HarfangLab" - id = "fd1c5669-23f4-5594-9a02-2d0bf07674bb" + id = "0a09414d-cd86-54a4-99e4-121a7df7624b" date = "2024-05-28" modified = "2024-09-05" reference = "TRR240501" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L96-L114" license_url = "N/A" - logic_hash = "v1_sha256_61aa0bf180574856e57d0b26442bfa6f4b1e25844611d6eadaed529e1bb86625" + logic_hash = "61aa0bf180574856e57d0b26442bfa6f4b1e25844611d6eadaed529e1bb86625" score = 75 quality = 55 tags = "" @@ -264789,13 +265275,13 @@ rule HARFANGLAB_Allasenhamaycampaign_Allasenha meta: description = "Detects AllaSenha banking trojan DLLs." author = "HarfangLab" - id = "886530c9-d4d4-5b01-a483-8c9fe8d3f6be" + id = "787c4e66-2053-5f14-a52e-6b0415700e8c" date = "2024-05-28" modified = "2024-09-05" reference = "TRR240501" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L115-L137" license_url = "N/A" - logic_hash = "v1_sha256_affe75ade6c8d9eeba00006f78678a48b1cfc5ffa9f9675fdea6ffd6cb3a02bd" + logic_hash = "affe75ade6c8d9eeba00006f78678a48b1cfc5ffa9f9675fdea6ffd6cb3a02bd" score = 75 quality = 80 tags = "" 
@@ -264822,14 +265308,14 @@ rule HARFANGLAB_Charmingkitten_Cyclops : FILE meta: description = "Detects Cyclops Golang Malware" author = "HarfangLab" - id = "4323493e-771e-50a3-a158-82922983a945" + id = "2cc7b2ff-25ca-5eac-a607-c3ee5136e0aa" date = "2024-08-05" modified = "2024-09-05" reference = "TRR240801" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L254-L274" license_url = "N/A" hash = "fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69" - logic_hash = "v1_sha256_70ab3f44b6889d478a94dc6aefcd30f0e82e0b80bcf26921167b72f35bdb7fa8" + logic_hash = "70ab3f44b6889d478a94dc6aefcd30f0e82e0b80bcf26921167b72f35bdb7fa8" score = 75 quality = 80 tags = "FILE" @@ -264850,14 +265336,14 @@ rule HARFANGLAB_Samecoin_Campaign_Loader : FILE meta: description = "Matches the loader used in the SameCoin campaign" author = "HarfangLab" - id = "1d7849d6-b91a-57e2-b726-d83ac16e32a2" + id = "ab4d59f6-300d-5cdf-b91f-87f8cc1f0eac" date = "2024-02-13" modified = "2024-09-05" reference = "TRR240201" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L275-L295" license_url = "N/A" hash = "cff976d15ba6c14c501150c63b69e6c06971c07f8fa048a9974ecf68ab88a5b6" - logic_hash = "v1_sha256_7df04ab208d2caa5a137b1c3481ef734df54bbe8330979f524b16e9ba8cf48d5" + logic_hash = "7df04ab208d2caa5a137b1c3481ef734df54bbe8330979f524b16e9ba8cf48d5" score = 75 quality = 80 tags = "FILE" 
@@ -264881,14 +265367,14 @@ rule HARFANGLAB_Samecoin_Campaign_Wiper : FILE meta: description = "Matches the wiper used in the SameCoin campaign" author = "HarfangLab" - id = "47dd5d28-275f-55a5-87b6-d176a59f45be" + id = "695e9181-cc96-5212-b33c-4d55065b7b85" date = "2024-02-13" modified = "2024-09-05" reference = "TRR240201" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L296-L314" license_url = "N/A" hash = "e6d2f43622e3ecdce80939eec9fffb47e6eb7fc0b9aa036e9e4e07d7360f2b89" - logic_hash = "v1_sha256_ebe7c90398464ecf74ede17551c2ebc58b851ba6502092320934d1f5353581a2" + logic_hash = "ebe7c90398464ecf74ede17551c2ebc58b851ba6502092320934d1f5353581a2" score = 75 quality = 80 tags = "FILE" @@ -264910,14 +265396,14 @@ rule HARFANGLAB_Samecoin_Campaign_Tasksspreader : FILE meta: description = "Detect .NET Task Scheduler that is dropper by SameCoin Loader" author = "HarfangLab" - id = "eca68933-6e47-5978-8b5a-30bc6ba8022b" + id = "7dcfdecd-00c3-502a-b29e-a10a1fd9543f" date = "2024-02-13" modified = "2024-09-05" reference = "TRR240201" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L315-L352" license_url = "N/A" hash = "b447ba4370d9becef9ad084e7cdf8e1395bafde1d15e82e23ca1b9808fef13a7" - logic_hash = "v1_sha256_61d602c343365608e5bc587ee9c7898e256f2411d78c7fe74c211e68bf4ab707" + logic_hash = "61d602c343365608e5bc587ee9c7898e256f2411d78c7fe74c211e68bf4ab707" score = 75 quality = 78 tags = "FILE" 
@@ -264951,14 +265437,14 @@ rule HARFANGLAB_Samecoin_Campaign_Nativewiper : FILE meta: description = "Matches the native Android library used in the SameCoin campaign" author = "HarfangLab" - id = "4d090fa1-0c9f-5c06-a9ff-4577ba94b8e1" + id = "9c77c26e-50f7-5ee4-bc6b-c0333e268b2c" date = "2024-02-13" modified = "2024-09-05" reference = "TRR240201" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L353-L373" license_url = "N/A" hash = "248054658277e6971eb0b29e2f44d7c3c8d7c5abc7eafd16a3df6c4ca555e817" - logic_hash = "v1_sha256_2779664830df3b5be72b7fe7d4da3d27e2a86b289ee3974596abf1df12317cd8" + logic_hash = "2779664830df3b5be72b7fe7d4da3d27e2a86b289ee3974596abf1df12317cd8" score = 75 quality = 80 tags = "FILE" @@ -264982,13 +265468,13 @@ rule HARFANGLAB_Supposed_Grasshopper_Downloader : FILE meta: description = "Detects the Nim downloader from the Supposed Grasshopper campaign." author = "HarfangLab" - id = "5065f9b3-09b8-535d-9f2a-9973a1940f06" + id = "e53656b5-a1be-53f0-a4d4-908f24e08bd6" date = "2024-06-20" modified = "2024-09-05" reference = "TRR240601" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L374-L389" license_url = "N/A" - logic_hash = "v1_sha256_93509319ab8028b0215fcfb81d1ff5d3d810922999f1dd8359b706a965221b2f" + logic_hash = "93509319ab8028b0215fcfb81d1ff5d3d810922999f1dd8359b706a965221b2f" score = 75 quality = 80 tags = "FILE" 
@@ -265008,13 +265494,13 @@ rule HARFANGLAB_Donut_Shellcode : FILE meta: description = "Detects Donut shellcode in memory." author = "HarfangLab" - id = "25c9a234-cd43-545f-a059-acc7bd9bf6b0" + id = "54facb12-3f33-5430-b4bf-0d223dc2a413" date = "2024-06-20" modified = "2024-09-05" reference = "TRR240601" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L390-L438" license_url = "N/A" - logic_hash = "v1_sha256_1bf4e253195e39cc0b3cf45797c35a9f06078350aa35e65d9d36adbcc09a150b" + logic_hash = "1bf4e253195e39cc0b3cf45797c35a9f06078350aa35e65d9d36adbcc09a150b" score = 75 quality = 80 tags = "FILE" @@ -265039,14 +265525,14 @@ rule HARFANGLAB_Muddywater_Ateraagent_Operators : FILE meta: description = "Detect Atera Agent abused by MuddyWater" author = "HarfangLab" - id = "c35ac6e1-6f61-5983-a62d-2494e299d640" + id = "1494a0da-92de-5cfb-a870-325d02e2cdfb" date = "2024-04-17" modified = "2024-09-05" reference = "TRR240402" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L439-L469" license_url = "N/A" hash = "9b49d6640f5f0f1d68f649252a96052f1d2e0822feadd7ebe3ab6a3cadd75985" - logic_hash = "v1_sha256_63d5d3a6723191dccd20c8d9f25607df512b91f57ac891ef8c87b2dd107ee5a2" + logic_hash = "63d5d3a6723191dccd20c8d9f25607df512b91f57ac891ef8c87b2dd107ee5a2" score = 75 quality = 80 tags = "FILE" 
@@ -265078,14 +265564,14 @@ rule HARFANGLAB_Apt31_Rawdoor_Dropper : FILE meta: description = "Matches the RawDoor dropper" author = "HarfangLab" - id = "e16c61c8-7b17-5ea7-b8f2-00dd35f2ea82" + id = "b278a157-20e2-5271-aca0-0692929b881d" date = "2024-04-12" modified = "2024-09-05" reference = "TRR240401" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L470-L491" license_url = "N/A" hash = "c3056e39f894ff73bba528faac04a1fc86deeec57641ad882000d7d40e5874be" - logic_hash = "v1_sha256_d0cbe02c4fafb4895bd0126d2496802a3fee6a0362e55bfa91cfd1c75043d94a" + logic_hash = "d0cbe02c4fafb4895bd0126d2496802a3fee6a0362e55bfa91cfd1c75043d94a" score = 75 quality = 80 tags = "FILE" @@ -265109,14 +265595,14 @@ rule HARFANGLAB_Apt31_Rawdoor_Payload : FILE meta: description = "Matches the RawDoor payload" author = "HarfangLab" - id = "706bf2a4-6bdd-5f60-a8fd-32ae57a71625" + id = "5fef27fe-a2ea-56b4-8cf6-8f6c4bf85d80" date = "2024-04-12" modified = "2024-09-05" reference = "TRR240401" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L492-L516" license_url = "N/A" hash = "fade96ec359474962f2167744ca8c55ab4e6d0700faa142b3d95ec3f4765023b" - logic_hash = "v1_sha256_51bd04603419d5bc77f12618df986f6b31ea8ddea553c6bc7580698fa236b3ed" + logic_hash = "51bd04603419d5bc77f12618df986f6b31ea8ddea553c6bc7580698fa236b3ed" score = 75 quality = 80 tags = "FILE" 
@@ -265143,14 +265629,14 @@ rule HARFANGLAB_Packxor : FILE meta: description = "Detection rule for PackXOR" author = "Harfanglab" - id = "bb0f92c2-8c5e-56ec-9e3e-b411ca9d8dcb" + id = "6b4b6d61-b698-5e15-90b1-de2bdb76e425" date = "2024-08-05" modified = "2024-09-05" reference = "https://harfanglab.io/insidethelab/unpacking-packxor/" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/hl_public_reports_master.yar#L517-L656" license_url = "N/A" hash = "0506372e2c2b6646c539ac5a08265dd66d0da58a25545e444c25b9a02f8d9a44" - logic_hash = "v1_sha256_ecc7e241f98da8bcd248493f6443676e4c1e516f1fd19f488a62acd314be1898" + logic_hash = "ecc7e241f98da8bcd248493f6443676e4c1e516f1fd19f488a62acd314be1898" score = 75 quality = 80 tags = "FILE" @@ -265290,13 +265776,13 @@ rule HARFANGLAB_Custom_Ateraagent_Operator : FILE meta: description = "Detect Atera Agent configured to certain email addresses, or email domains" author = "HarfangLab" - id = "c2450339-d798-5c69-8300-4cad1f482f7b" + id = "af0fae1d-2d25-5551-8720-ff1172ff4eea" date = "2024-04-17" modified = "2024-04-22" reference = "TRR240402" source_url = "https://github.com/HarfangLab/iocs/blob/8dd8e9296b110ce3fb13bc557a0295dff8c4c357/TRR240402/trr240402_yara-template.yar#L1-L20" license_url = "N/A" - logic_hash = "v1_sha256_71622b61c5f645dd846327b79bf6dddefef458b73a82caa34d086da2ba48cd8c" + logic_hash = "71622b61c5f645dd846327b79bf6dddefef458b73a82caa34d086da2ba48cd8c" score = 75 quality = 80 tags = "FILE" @@ -265316,7 +265802,7 @@ rule HARFANGLAB_Custom_Ateraagent_Operator : FILE * YARA Rule Set * Repository Name: LOLDrivers * Repository: https://github.com/magicsword-io/LOLDrivers/ - * Retrieval Date: 2024-12-22 + * Retrieval Date: 2024-12-23 * Git Commit: 23108d3a3a01afb30b93e1fd32d8f0a750159f4c * Number of Rules: 529 * Skipped: 0 (age), 0 (quality), 0 (score), 0 (importance) 
@@ -265532,7 +266018,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" - id = "0266f778-a997-52aa-9c67-d669fe369f1f" + id = "eacc5085-aa34-5f46-977d-84761649bd6d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -265547,7 +266033,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_34BE : FILE hash = "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4" hash = "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa" hash = "da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb" - logic_hash = "v1_sha256_99bb403a6a21e02d2c100267f008feaf6cafd8eb5209d26adc249bf113f87d42" + logic_hash = "99bb403a6a21e02d2c100267f008feaf6cafd8eb5209d26adc249bf113f87d42" score = 40 quality = 80 tags = "FILE" @@ -265570,7 +266056,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" - id = "07a626d8-db9c-51ad-9576-d626a5950af2" + id = "caf170d7-172f-56eb-beae-0c40e7ac78fa" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -265586,7 +266072,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0E85 : FILE hash = "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1" hash = "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d" hash = "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663" - logic_hash = "v1_sha256_2e3f7c31d7bad9d21c921e2cebe38c717909cbbc44f60fb2da2623f2d1f3ce88" + logic_hash = "2e3f7c31d7bad9d21c921e2cebe38c717909cbbc44f60fb2da2623f2d1f3ce88" score = 40 quality = 80 tags = "FILE" 
@@ -265609,7 +266095,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" - id = "ccee2f15-b503-58b4-af41-9cfa2c2dedbc" + id = "78b84e8a-1f92-5954-a1da-19d7208279db" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -265620,7 +266106,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_786F : FILE hash = "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5" hash = "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548" hash = "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69" - logic_hash = "v1_sha256_b2d462b62be6d3300a514d6d21dad64162bb43ae7775730d65068ea180f3115f" + logic_hash = "b2d462b62be6d3300a514d6d21dad64162bb43ae7775730d65068ea180f3115f" score = 40 quality = 80 tags = "FILE" @@ -265643,7 +266129,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" - id = "61de93b8-fe71-5e70-8ee1-c45cf1b35d49" + id = "957addda-818b-504f-98b4-63fdfed768b4" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -265664,7 +266150,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_A397 : FILE hash = "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578" hash = "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad" hash = "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585" - logic_hash = "v1_sha256_bf47bed12e7e3677190ab26b8384597e297fef0dc6bd654c30b8f787d9fc5573" + logic_hash = "bf47bed12e7e3677190ab26b8384597e297fef0dc6bd654c30b8f787d9fc5573" score = 40 quality = 80 tags = "FILE" 
@@ -265687,14 +266173,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_D7E0 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" - id = "1e120f01-c78d-5e3a-908a-a32ec58c6c53" + id = "62c2caf4-0f8e-5873-bc77-ea5a6b390e29" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L125-L142" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0" - logic_hash = "v1_sha256_229c98a4e55486cde122edd3a846c6cec6b242ee9e0269bf25e92d1e00e63d67" + logic_hash = "229c98a4e55486cde122edd3a846c6cec6b242ee9e0269bf25e92d1e00e63d67" score = 40 quality = 80 tags = "FILE" @@ -265715,7 +266201,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" - id = "1e5b01f2-4338-5d73-a41b-4d243b50850b" + id = "85b7f3f1-6324-543f-8855-8cb13096b367" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -265728,7 +266214,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_2298 : FILE hash = "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248" hash = "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5" hash = "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399" - logic_hash = "v1_sha256_81287d89ca576746e6a896bd07fbe5170da2360d614164940621d709c439ca8e" + logic_hash = "81287d89ca576746e6a896bd07fbe5170da2360d614164940621d709c439ca8e" score = 40 quality = 80 tags = "FILE" @@ -265751,7 +266237,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D0 meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrDrv.sys" author = "Florian Roth" - id = "66932d39-375e-58fc-bed2-18f9fdcdec42" + id = "b35951c3-d0df-5a4d-8c81-333adee6310e" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -265768,7 +266254,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asrockincorporation_Asrdrvsys_Asrockiodriver_4D0 hash = "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854" hash = "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b" hash = "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc" - logic_hash = "v1_sha256_d0008f29063c14f41a9f433521ef2851b233760d90dc171f9a80247377431035" + logic_hash = "d0008f29063c14f41a9f433521ef2851b233760d90dc171f9a80247377431035" score = 40 quality = 80 tags = "FILE" 
@@ -265791,14 +266277,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystem meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" - id = "9e389461-9ab7-5388-8432-bf57264b8fb4" + id = "c321b01f-a328-5fba-81d9-fa55af63ce5c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L205-L224" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664" - logic_hash = "v1_sha256_5c46f095f8329b4dab225ff3b15eb102ecfa9f25f0f86f1d18ea3a6690e267b8" + logic_hash = "5c46f095f8329b4dab225ff3b15eb102ecfa9f25f0f86f1d18ea3a6690e267b8" score = 40 quality = 80 tags = "FILE" @@ -265821,7 +266307,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" - id = "496f27ea-77ad-5382-96fb-3dde9c9194c5" + id = "d9aab490-9368-54fa-8fc2-711c0446b19c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -265831,7 +266317,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_D7B7 : FILE hash = "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270" hash = "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63" hash = "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266" - logic_hash = "v1_sha256_90f4fe8425b1fe8cf7c820566d6b943bc070f33cdf1b42e691ecd6127c17d549" + logic_hash = "90f4fe8425b1fe8cf7c820566d6b943bc070f33cdf1b42e691ecd6127c17d549" score = 40 quality = 80 tags = "FILE" @@ -265854,7 +266340,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwind meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys" author = "Florian Roth" - id = "32c964a7-4fb7-5747-871d-f63086a9c71e" + id = "8fb3920a-b0bf-57b3-bf15-24f323efde31" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -265867,7 +266353,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwind hash = "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090" hash = "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176" hash = "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e" - logic_hash = "v1_sha256_47b59ba788b51c8b9a94ecddd486fad5aeb9266e406b14b963ac69800ebd5e6d" + logic_hash = "47b59ba788b51c8b9a94ecddd486fad5aeb9266e406b14b963ac69800ebd5e6d" score = 40 quality = 80 tags = "FILE" 
@@ -265890,7 +266376,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_ meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDataCatcher.sys" author = "Florian Roth" - id = "8e20a5a5-429b-5bca-88d4-ab3319449009" + id = "4d2f4d82-aa28-5be1-8e0a-9db164a4bb50" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -265899,7 +266385,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Lgdatacatchersys_Gameacc_ hash = "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756" hash = "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13" hash = "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837" - logic_hash = "v1_sha256_a41af54c12aae5c2c95f6ed4754dcb4e17265abdb763f6be29a5a1ba1fcfdacd" + logic_hash = "a41af54c12aae5c2c95f6ed4754dcb4e17265abdb763f6be29a5a1ba1fcfdacd" score = 40 quality = 80 tags = "FILE" 
@@ -265922,14 +266408,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_D meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys" author = "Florian Roth" - id = "f6d8e346-ecb1-517d-bae9-25ae968b869d" + id = "f3412abe-99c6-5ced-823c-1c681f446bab" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L304-L323" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055" - logic_hash = "v1_sha256_06994b6e75aefad03b1346e1bcaf68dca8464526bf182557257c4f5635bb93ce" + logic_hash = "06994b6e75aefad03b1346e1bcaf68dca8464526bf182557257c4f5635bb93ce" score = 40 quality = 80 tags = "FILE" @@ -265952,7 +266438,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elrawdsk.sys" author = "Florian Roth" - id = "730d3ada-a2b9-5ead-b59c-aec7e4456f20" + id = "13de286c-92f2-5677-86ee-99c70a338c8e" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -265960,7 +266446,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Eldoscorporation_Elrawdsksys_Rawdisk_4744 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6" hash = "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a" - logic_hash = "v1_sha256_01faeb5fe7618ce1135a8532c76357cfea1dfb0932e3d7c4cf9ff7d1c8c1d8fb" + logic_hash = "01faeb5fe7618ce1135a8532c76357cfea1dfb0932e3d7c4cf9ff7d1c8c1d8fb" score = 40 quality = 80 tags = "FILE" @@ -265983,14 +266469,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftware meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" - id = "30fa0ea4-8ed3-5d8f-bf4d-c201298ea59d" + id = "03cc80bd-699d-5c23-9acc-a523fa3110f3" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L349-L368" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0" - logic_hash = "v1_sha256_8be18437fb165bab491d1d63b01d744f14df8594288bf0d447b76913de934aa9" + logic_hash = "8be18437fb165bab491d1d63b01d744f14df8594288bf0d447b76913de934aa9" score = 40 quality = 80 tags = "FILE" 
@@ -266013,14 +266499,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amd
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
 author = "Florian Roth"
- id = "37d17010-b6ba-5cd8-b0a6-70f9ef00770c"
+ id = "40d54ac5-209a-5f0e-b799-f492b7fcc973"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L371-L390"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f"
- logic_hash = "v1_sha256_1f489ec71f92390aeb4137ba72cb88a950ed91f8e67bb82cf176a8c2fb4ef50f"
+ logic_hash = "1f489ec71f92390aeb4137ba72cb88a950ed91f8e67bb82cf176a8c2fb4ef50f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266043,14 +266529,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "cb773518-749f-5058-aa59-95519a2b38a6"
+ id = "3d265316-2b94-581a-b44a-fe015d316eff"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L393-L412"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2"
- logic_hash = "v1_sha256_ef0e7b48aaee9dc6251120a879a192993d86043dbfd11e2be1f6e675aaa4d2e4"
+ logic_hash = "ef0e7b48aaee9dc6251120a879a192993d86043dbfd11e2be1f6e675aaa4d2e4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266073,7 +266559,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_8473 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
 author = "Florian Roth"
- id = "79b5f7e7-0e91-5ab3-946f-c3182bd93c08"
+ id = "730567f0-ae1e-5d8d-a9e6-df176faf4878"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266084,7 +266570,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_8473 : FILE
 hash = "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f"
 hash = "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0"
 hash = "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7"
- logic_hash = "v1_sha256_62c957b30267a5f34ff98f36170473d042ccd30686b2e178513957126cde194c"
+ logic_hash = "62c957b30267a5f34ff98f36170473d042ccd30686b2e178513957126cde194c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266106,7 +266592,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsy
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpout32.sys"
 author = "Florian Roth"
- id = "87a2b35c-b41d-5c9e-97df-d1d7d1974147"
+ id = "0ce7b65a-8472-5964-88cf-879cdd3c15a2"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266117,7 +266603,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutsy
 hash = "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d"
 hash = "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251"
 hash = "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2"
- logic_hash = "v1_sha256_5e5c8949d41009360058f6af3ef374708ebf45e9eede873297afbfd26de8874c"
+ logic_hash = "5e5c8949d41009360058f6af3ef374708ebf45e9eede873297afbfd26de8874c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266140,7 +266626,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_4CD8 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
- id = "352f1876-7970-5029-89f0-2e82e05a7444"
+ id = "62e8e5f9-be64-5989-ace0-71a5910cef95"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266149,7 +266635,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_4CD8 : FILE
 hash = "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4"
 hash = "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922"
 hash = "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796"
- logic_hash = "v1_sha256_822a064ed95de5c44932b3ba5d0f89c16ee12f9fb5201b99344a74461eef932c"
+ logic_hash = "822a064ed95de5c44932b3ba5d0f89c16ee12f9fb5201b99344a74461eef932c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266171,14 +266657,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Innotekgmbh_Vboxguest_Virtualboxguestadditions_9
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxguest.sys"
 author = "Florian Roth"
- id = "730ad164-3654-5bd6-841a-5b9919ee0c20"
+ id = "b569d61f-4b07-50f7-8e3f-a63631a060a0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L489-L508"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd"
- logic_hash = "v1_sha256_8d2323bd83c70339f41fc8f90c67729f57ee1e54dc4f7d05dfded438c7bc419a"
+ logic_hash = "8d2323bd83c70339f41fc8f90c67729f57ee1e54dc4f7d05dfded438c7bc419a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266201,7 +266687,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RwDrv.sys"
 author = "Florian Roth"
- id = "3db7fa39-b92a-5daf-922f-c24115afbcf5"
+ id = "c9279259-59ab-5816-aa59-4d8d53f95793"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266215,7 +266701,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rweverything_Rwdrvsys_Rwdrvdriver_45BA : FILE
 hash = "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe"
 hash = "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4"
 hash = "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3"
- logic_hash = "v1_sha256_773f6985a98adffe12b087c7e8e37c5fe0dba3040440d2300316464e7fa961e4"
+ logic_hash = "773f6985a98adffe12b087c7e8e37c5fe0dba3040440d2300316464e7fa961e4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266238,7 +266724,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdr
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vmdrv.sys"
 author = "Florian Roth"
- id = "0d4ec65b-32a5-5341-8805-37dcb03047d2"
+ id = "20989ad0-08b4-5fe0-b4cc-9846bdf4bb89"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266247,7 +266733,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Vmdrvsys_Windowsrwinddkdr
 hash = "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921"
 hash = "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351"
 hash = "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3"
- logic_hash = "v1_sha256_11d62a2a3de4eafb1a523876ce2bc34f96f43e2a228ad9cb5da6c5cb452c3838"
+ logic_hash = "11d62a2a3de4eafb1a523876ce2bc34f96f43e2a228ad9cb5da6c5cb452c3838"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266270,7 +266756,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amd
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
 author = "Florian Roth"
- id = "80cfa017-9373-5af9-a622-b575a1e5bde7"
+ id = "c810bb03-5e0d-501a-af32-66a5f73b410e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266278,7 +266764,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amd
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433"
 hash = "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d"
- logic_hash = "v1_sha256_46c2abfe24d092b974e0916f7ccf53b71c12f3d438dff3e0ef9ffd1c253b0144"
+ logic_hash = "46c2abfe24d092b974e0916f7ccf53b71c12f3d438dff3e0ef9ffd1c253b0144"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266301,14 +266787,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfoisys_Hwinfoiakerneldriver_33C6 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO64I.SYS"
 author = "Florian Roth"
- id = "bcfd7fe6-3298-52a8-8989-94b05b9f9339"
+ id = "04f7cd8f-1716-5b97-861c-0c8601774332"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L587-L606"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc"
- logic_hash = "v1_sha256_b9ec2a1a569f6972c9713a8e1512b0de974b4536bc92bd5466ee808d7574fada"
+ logic_hash = "b9ec2a1a569f6972c9713a8e1512b0de974b4536bc92bd5466ee808d7574fada"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266331,14 +266817,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdel
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys"
 author = "Florian Roth"
- id = "a00af327-f872-5acb-bc20-64296cd61ccf"
+ id = "84e31b9f-a36a-51c8-8f71-59748c8e9765"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L609-L628"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402"
- logic_hash = "v1_sha256_06b458c2f8c6eb5dadf2a05c69225fdc4cbd6bd48e4380fa224573139de6a466"
+ logic_hash = "06b458c2f8c6eb5dadf2a05c69225fdc4cbd6bd48e4380fa224573139de6a466"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266361,7 +266847,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys"
 author = "Florian Roth"
- id = "a399f23d-c297-5722-8fca-7311a39e1fd9"
+ id = "61ea6f89-2dc0-525c-919a-8b47b85f0240"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266370,7 +266856,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Fintekcorp_Fintekcorpfintekpcieuart_32BD : FILE
 hash = "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e"
 hash = "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d"
 hash = "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe"
- logic_hash = "v1_sha256_5ff39e43789f0d6b39dd02caeeff027d3c117628113113897e6abc70c30e277a"
+ logic_hash = "5ff39e43789f0d6b39dd02caeeff027d3c117628113113897e6abc70c30e277a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266392,7 +266878,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys"
 author = "Florian Roth"
- id = "0508fc5c-8be0-5dab-ad97-7b4cf5312fcc"
+ id = "613560d6-26ea-5a38-8d88-95988af8371f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266400,7 +266886,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_42B3 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180"
 hash = "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b"
- logic_hash = "v1_sha256_d9437369dd7a913176a1351f991216f3190b608f3a3182e891bdb7778835b815"
+ logic_hash = "d9437369dd7a913176a1351f991216f3190b608f3a3182e891bdb7778835b815"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266423,14 +266909,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecurit
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "7cc677c8-9b25-55e1-b776-acb65806548f"
+ id = "0cf3d047-c497-5957-b0d3-717220393501"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L677-L696"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c"
- logic_hash = "v1_sha256_69948e6d3cc375d78ba95a51c7a78e5a3f17e0ca07cf1e3e53d54f350d9ac0a9"
+ logic_hash = "69948e6d3cc375d78ba95a51c7a78e5a3f17e0ca07cf1e3e53d54f350d9ac0a9"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266453,14 +266939,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Innotekgmbh_Vboxusbsys_Virtualboxusbdriver_C509
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys"
 author = "Florian Roth"
- id = "4a243132-d0ce-5655-9651-0f772db80142"
+ id = "85270071-0faf-5672-9c20-1f8244bf18eb"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L699-L718"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa"
- logic_hash = "v1_sha256_5bf3a4f5e3f674c4f32de55abd9d1981ad0b1fd48fb460905d017096b30ae10e"
+ logic_hash = "5bf3a4f5e3f674c4f32de55abd9d1981ad0b1fd48fb460905d017096b30ae10e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266483,14 +266969,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersys_F171 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
 author = "Florian Roth"
- id = "972e7e2b-0157-5e35-8df1-8c63fc2f219c"
+ id = "7572033b-bb49-531f-a14a-decf9a50aab3"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L721-L740"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71"
- logic_hash = "v1_sha256_2879360aef7b25e7d5ea9e4cbdce9f60a33ca4181ef35e18117e69832589cc73"
+ logic_hash = "2879360aef7b25e7d5ea9e4cbdce9f60a33ca4181ef35e18117e69832589cc73"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266513,7 +266999,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_DD4F : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NICM.sys"
 author = "Florian Roth"
- id = "a1e8c3bb-de2f-52b6-be04-5e51cfe1019e"
+ id = "e9506ae9-b5ea-5ed7-a126-1b6070df89d0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266524,7 +267010,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_DD4F : FILE
 hash = "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b"
 hash = "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190"
 hash = "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7"
- logic_hash = "v1_sha256_731f87935b48d5fb208b94671a94bed5dfea3f7f6f433fef32cb72c73ce4f8f9"
+ logic_hash = "731f87935b48d5fb208b94671a94bed5dfea3f7f6f433fef32cb72c73ce4f8f9"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266546,7 +267032,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_7627 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
 author = "Florian Roth"
- id = "6a2e93db-1e0c-50f5-aae9-c6e40016f506"
+ id = "ccce2f4d-4cdc-5ea5-a8dd-271f7d7b5482"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266554,7 +267040,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_7627 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb"
 hash = "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7"
- logic_hash = "v1_sha256_eba1a04dc1de06122a8bad80399c4233b9c3101f4fcbc805ec7615010da76833"
+ logic_hash = "eba1a04dc1de06122a8bad80399c4233b9c3101f4fcbc805ec7615010da76833"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266576,7 +267062,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "db3cd5a9-ad68-5495-a235-573df45ad2d5"
+ id = "0c0b8367-fb93-5f0c-8fac-28bd19c20166"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266584,7 +267070,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c"
 hash = "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c"
- logic_hash = "v1_sha256_4c4359af17cfc03947722c644064fa2e2bacc5adcbd66499bfba4aa483ac56f6"
+ logic_hash = "4c4359af17cfc03947722c644064fa2e2bacc5adcbd66499bfba4aa483ac56f6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266607,14 +267093,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerz_Computerzsys_Computerzsystemdriver_61F
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "95a5a388-f8ed-59aa-800a-6899756867df"
+ id = "ca51c99d-79fe-57b3-9832-adfb2d1d59d4"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L813-L832"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874"
- logic_hash = "v1_sha256_73d2e39a2e1d9810f5f0999a8f79a238a36305d36db731a3e84859e6d15bfdd8"
+ logic_hash = "73d2e39a2e1d9810f5f0999a8f79a238a36305d36db731a3e84859e6d15bfdd8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266637,7 +267123,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "05a8adef-6a8b-53b8-a7d7-68d26322369e"
+ id = "e6f3c13e-0cec-5430-beeb-fc980dd29887"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266654,7 +267140,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 hash = "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879"
 hash = "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd"
 hash = "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2"
- logic_hash = "v1_sha256_bd5ecf74e339330abb48c31bf14ea7cdfbacc93fa6c60debb435249f88a4408a"
+ logic_hash = "bd5ecf74e339330abb48c31bf14ea7cdfbacc93fa6c60debb435249f88a4408a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266677,7 +267163,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdri
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
 author = "Florian Roth"
- id = "3eeeba79-ebfa-5050-88b1-933156b40c72"
+ id = "145b846a-8721-5a56-aa76-6d7d5dd16562"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266695,7 +267181,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Cpuzsys_Windowsrwinddkdri
 hash = "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5"
 hash = "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377"
 hash = "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289"
- logic_hash = "v1_sha256_2ca64f822a558d25fc885da4fc79c80d4ed9c473179db3343958af0e1f21e0e8"
+ logic_hash = "2ca64f822a558d25fc885da4fc79c80d4ed9c473179db3343958af0e1f21e0e8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266718,14 +267204,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Mitactechnologycorporation_Vdbsvsys_Mitacsystems
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VdBSv64.sys"
 author = "Florian Roth"
- id = "d8e723e2-c4a9-5c4a-862e-c69cae7bec61"
+ id = "513c1b59-e721-5bbf-979a-31c25c4d566e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L900-L919"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4"
- logic_hash = "v1_sha256_e93e2620e452d0d6d834057921ed0de35309098130b47e98da7c1e87b31b86ee"
+ logic_hash = "e93e2620e452d0d6d834057921ed0de35309098130b47e98da7c1e87b31b86ee"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266748,7 +267234,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_00B3 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
 author = "Florian Roth"
- id = "e51869fe-45ef-5d9d-b5e2-6bfaae33a2a1"
+ id = "638c6150-1380-57d7-b2a2-acfd4302e2b5"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266759,7 +267245,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_00B3 : FILE
 hash = "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7"
 hash = "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915"
 hash = "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746"
- logic_hash = "v1_sha256_6a7f2670ea396bb3401fdfae3ccc6ca90d8f82e92c386ef5f63959d75e6df296"
+ logic_hash = "6a7f2670ea396bb3401fdfae3ccc6ca90d8f82e92c386ef5f63959d75e6df296"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266781,7 +267267,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_B50F : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
- id = "fcbccbaa-6e77-554a-84ef-f1135f1334d6"
+ id = "fc6032d2-ef08-5fdb-be73-39dd42185b13"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266792,7 +267278,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_B50F : FILE
 hash = "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b"
 hash = "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49"
 hash = "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee"
- logic_hash = "v1_sha256_662af5d505b5fee483356c1b5bcf2767c594bd690d5367a7b9f7ac9bea6b3c9d"
+ logic_hash = "662af5d505b5fee483356c1b5bcf2767c594bd690d5367a7b9f7ac9bea6b3c9d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266814,7 +267300,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64"
 author = "Florian Roth"
- id = "4bb89ba2-b70d-50ad-a39c-4b130dc9cccc"
+ id = "370f3fc6-6199-5c19-a0b5-8c02fb89f30a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266822,7 +267308,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_11BD : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5"
 hash = "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062"
- logic_hash = "v1_sha256_e5777a3a1e71f287c18434a48c2990abd3e202c919378a9473541abe2b8f0ba5"
+ logic_hash = "e5777a3a1e71f287c18434a48c2990abd3e202c919378a9473541abe2b8f0ba5"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266845,14 +267331,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowswinowsdriverkitsprovider_Hwrwdrvsys_Hardw
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwRwDrv.sys"
 author = "Florian Roth"
- id = "87f01ec9-f4a2-5338-ad61-4e110ff3a7bf"
+ id = "fa8e9fd9-7d07-5e05-a8d0-3769b9dd9157"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L995-L1014"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21"
- logic_hash = "v1_sha256_da6f9de9c0529ef274b989f63d9d6308ea78a0f7f91d81caaafb5478412c33eb"
+ logic_hash = "da6f9de9c0529ef274b989f63d9d6308ea78a0f7f91d81caaafb5478412c33eb"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266875,14 +267361,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_AD8F : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "31513bd3-1094-5e6c-a733-74e7cc515234"
+ id = "25dc4405-52ae-51f9-9afd-49f2a9fcaa08"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1017-L1036"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833"
- logic_hash = "v1_sha256_fba0440ab68b148f26224cce5d2b8bdb684a2d185502fb3b920fe12288e6d775"
+ logic_hash = "fba0440ab68b148f26224cce5d2b8bdb684a2d185502fb3b920fe12288e6d775"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266905,14 +267391,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3124 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "5747ba77-5ab3-5eb3-a7ea-b8ada0553c8e"
+ id = "25893130-a0b5-5c5c-b7d2-e22bf8eec311"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1039-L1058"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5"
- logic_hash = "v1_sha256_4e22250223e272624f9608e7981ba91c1fb0e00eaf6d8388b81ad91fd8dbcc5c"
+ logic_hash = "4e22250223e272624f9608e7981ba91c1fb0e00eaf6d8388b81ad91fd8dbcc5c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266935,14 +267421,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
 author = "Florian Roth"
- id = "7d4344f3-b327-515d-9e6b-5dbff43df77d"
+ id = "4b402b27-36ca-5e2c-bb00-64ab93b8720f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1061-L1080"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8"
- logic_hash = "v1_sha256_298b509c736082f651b32be6ff3ba8b2044d48e8d1ac5c411449524750794d4f"
+ logic_hash = "298b509c736082f651b32be6ff3ba8b2044d48e8d1ac5c411449524750794d4f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266965,7 +267451,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_A855 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
 author = "Florian Roth"
- id = "f3ab5c90-0e77-59c0-94a4-6b1977058257"
+ id = "8cc90fa3-6be0-5b67-a555-0c922947fa60"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -266974,7 +267460,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_A855 : FILE
 hash = "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6"
 hash = "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94"
 hash = "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d"
- logic_hash = "v1_sha256_8ea1eeb7ddc8fbda767ab5fb5aaad6eecd83361f90685d904bbb4e524c4d64c9"
+ logic_hash = "8ea1eeb7ddc8fbda767ab5fb5aaad6eecd83361f90685d904bbb4e524c4d64c9"
 score = 40
 quality = 80
 tags = "FILE"
@@ -266996,14 +267482,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_DB71 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys"
 author = "Florian Roth"
- id = "5ee9afa8-b054-5b20-aa33-d34fad2a7701"
+ id = "85b1e297-b9f8-5147-93e3-a084ec658782"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1106-L1125"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7"
- logic_hash = "v1_sha256_c62675b8ae01311a74bd0b0717219dde73badf621f2b6af1d5d6ff12317048f0"
+ logic_hash = "c62675b8ae01311a74bd0b0717219dde73badf621f2b6af1d5d6ff12317048f0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267026,14 +267512,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Iobit_Monitorsys_Advancedsystemcare_E4A7 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Monitor_win10_x64.sys"
 author = "Florian Roth"
- id = "019d2c3b-7821-5de7-9c36-c1062b1665a6"
+ id = "65b75be5-98a2-56ca-bb4a-cfd0c6871c0e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1128-L1147"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb"
- logic_hash = "v1_sha256_798dad45f7ac1267da440c3ca7aba1da1dbd2bdead9b6979379902e009bbd2a2"
+ logic_hash = "798dad45f7ac1267da440c3ca7aba1da1dbd2bdead9b6979379902e009bbd2a2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267056,7 +267542,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys"
 author = "Florian Roth"
- id = "fa23d3bb-9577-5e1d-8160-076f2da80430"
+ id = "ce40dddf-a58e-542b-b2d9-45f55c502d35"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267075,7 +267561,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_2B33 : FILE
 hash = "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7"
 hash = "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09"
 hash = "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47"
- logic_hash = "v1_sha256_dd77671686a88736713d59771eef44d47b8acb18454dc3e6f229282aa534dcd3"
+ logic_hash = "dd77671686a88736713d59771eef44d47b8acb18454dc3e6f229282aa534dcd3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267098,14 +267584,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Phoenixtechnologiesltd_Phlashnt_Winphlash_65DB :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PhlashNT.sys"
 author = "Florian Roth"
- id = "49600fee-8ad4-5bd6-9887-2d9935654c7a"
+ id = "7c0b1c20-b3ef-56e9-b2e2-e2542c7a85e3"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1184-L1203"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890"
- logic_hash = "v1_sha256_52b33a82d9835242e397f693094494508a9a1e17ab7125ad6818130f4b2dc2de"
+ logic_hash = "52b33a82d9835242e397f693094494508a9a1e17ab7125ad6818130f4b2dc2de"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267128,14 +267614,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7196 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
 author = "Florian Roth"
- id = "a7eeac7d-8cbe-54aa-bbf7-77a015e95dad"
+ id = "3b631d10-d727-53f8-8f56-87695e305198"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1206-L1225"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d"
- logic_hash = "v1_sha256_c69a031ad9d7eff41358cd2ae9404c25c48ca747ac5fc9b806e48be2fe59aee8"
+ logic_hash = "c69a031ad9d7eff41358cd2ae9404c25c48ca747ac5fc9b806e48be2fe59aee8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267158,7 +267644,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdrivese
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys"
 author = "Florian Roth"
- id = "ab5c1471-b604-58ff-ac1a-88b13effb541"
+ id = "200fe944-ea33-52ad-9729-a42319b169a8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267166,7 +267652,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdrivese
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2"
 hash = "070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103"
- logic_hash = "v1_sha256_6d49bcb5159d3be15ec42748089baff846ce661446a73d7986deb945e379a45f"
+ logic_hash = "6d49bcb5159d3be15ec42748089baff846ce661446a73d7986deb945e379a45f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267189,7 +267675,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovide
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys"
 author = "Florian Roth"
- id = "8fee7e19-e8ab-5538-85e3-de5174692931"
+ id = "85e60907-b5da-5c9a-811e-0ddb0c850087"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267197,7 +267683,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovide
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65"
 hash = "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5"
- logic_hash = "v1_sha256_c768c1592586c6a053f69d8f64c66ba213dc054113d98f3144610fdb5978a0f1"
+ logic_hash = "c768c1592586c6a053f69d8f64c66ba213dc054113d98f3144610fdb5978a0f1"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267220,14 +267706,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Anticheatexpertcom_Acebase_Anticheatexpert_7326
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ACE-BASE.sys"
 author = "Florian Roth"
- id = "d86247a9-d200-551f-b74d-127f27f8677b"
+ id = "5a93b810-f40c-56eb-a3da-8075fb9b15a9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1274-L1292"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11"
- logic_hash = "v1_sha256_c309c294def3fb6601ab76b4b67bdda0d38db398a8a56b0ced0d4ce8cafc8602"
+ logic_hash = "c309c294def3fb6601ab76b4b67bdda0d38db398a8a56b0ced0d4ce8cafc8602"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267249,14 +267735,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftware
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
 author = "Florian Roth"
- id = "8114d3b4-0ea6-5228-83d2-964bb84743b0"
+ id = "f1f06952-1500-57af-8486-eb127a90b110"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1295-L1314"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743"
- logic_hash = "v1_sha256_8294e9a9d7bf9e4471d494ca78db936c69b2b2ee495207cde79aeabff9910463"
+ logic_hash = "8294e9a9d7bf9e4471d494ca78db936c69b2b2ee495207cde79aeabff9910463"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267279,7 +267765,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys"
 author = "Florian Roth"
- id = "239261fd-2723-5d1a-ad01-d9deb9bd5568"
+ id = "8604d594-f5ab-5015-907a-4424cd2e62b8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267287,7 +267773,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1072 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a"
 hash = "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994"
- logic_hash = "v1_sha256_99645f9bf3c3ba88788ad609ee067cdda808effac07990db725b9be5fca32658"
+ logic_hash = "99645f9bf3c3ba88788ad609ee067cdda808effac07990db725b9be5fca32658"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267310,7 +267796,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
 author = "Florian Roth"
- id = "758a2526-b10d-5dd9-9df9-e6d14b9485d4"
+ id = "6820d35b-66a3-512f-a734-0adefbf6a183"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267327,7 +267813,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_8A07 : FILE
 hash = "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26"
 hash = "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6"
 hash = "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7"
- logic_hash = "v1_sha256_b1abafa69f65ebde217ebc1fbde8d19c00054aeb37f111bf82be07cf08525235"
+ logic_hash = "b1abafa69f65ebde217ebc1fbde8d19c00054aeb37f111bf82be07cf08525235"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267350,7 +267836,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
 author = "Florian Roth"
- id = "77ee8129-de3f-59d9-a21d-04323e6d98a5"
+ id = "46f31bf7-9e9f-5fe2-95cc-1b0be823c41b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267375,7 +267861,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_0D37 : FILE
 hash = "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758"
 hash = "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90"
 hash = "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b"
- logic_hash = "v1_sha256_b1f0e78bd40da89202a98d2a74d47af7f28092832dc1b063f1d4c4ef04e1cef1"
+ logic_hash = "b1f0e78bd40da89202a98d2a74d47af7f28092832dc1b063f1d4c4ef04e1cef1"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267398,14 +267884,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Proxydrvsys_Nn_C0E7 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys"
 author = "Florian Roth"
- id = "6e73adae-b388-5cf1-b455-83a0cb3ae97c"
+ id = "e50ded09-0134-5c76-85e5-9fed8302e1e8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1412-L1431"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99"
- logic_hash = "v1_sha256_b4248d60006efcf3f489cfad8a68bbf594bd45f75e8b9c8d7b9f727c6ee05042"
+ logic_hash = "b4248d60006efcf3f489cfad8a68bbf594bd45f75e8b9c8d7b9f727c6ee05042"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267428,7 +267914,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_5381 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
 author = "Florian Roth"
- id = "d3db434d-dd24-56d5-8d0f-ed930d0914e7"
+ id = "29276926-535b-55f9-a882-845fc9561513"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267437,7 +267923,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_5381 : FILE
 hash = "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b"
 hash = "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c"
 hash = "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4"
- logic_hash = "v1_sha256_3803b2f85576fc0bad1a8e3dbfc3c5bee7ba7146560be9d60d685b40adf91838"
+ logic_hash = "3803b2f85576fc0bad1a8e3dbfc3c5bee7ba7146560be9d60d685b40adf91838"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267459,7 +267945,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersys_26D6 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
 author = "Florian Roth"
- id = "a12c787e-13d9-5b1e-9212-7bd59ad69803"
+ id = "906cd223-3c34-5e3b-8a04-97b87e9e1752"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267468,7 +267954,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersys_26D6 : FILE
 hash = "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe"
 hash = "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660"
 hash = "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3"
- logic_hash = "v1_sha256_66f4b6bb594702e2bbc813988f048170277f5dd06f840b9c9bf7269a774654d7"
+ logic_hash = "66f4b6bb594702e2bbc813988f048170277f5dd06f840b9c9bf7269a774654d7"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267491,7 +267977,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustek_Driversys_Ectool_927C : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - driver7-x86-withoutdbg.sys"
 author = "Florian Roth"
- id = "68183932-66b9-51ca-a963-efeb3ec2ea96"
+ id = "4513216a-2654-5743-8550-01e82743f67a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267501,7 +267987,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustek_Driversys_Ectool_927C : FILE
 hash = "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0"
 hash = "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb"
 hash = "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd"
- logic_hash = "v1_sha256_edb698ba1d60e24a41c683a8c0a36548d01c4abd09f5a6cd2358ccf0d8e234ba"
+ logic_hash = "edb698ba1d60e24a41c683a8c0a36548d01c4abd09f5a6cd2358ccf0d8e234ba"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267524,14 +268010,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantim
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys"
 author = "Florian Roth"
- id = "b8e96e68-813e-587e-83d6-fc279a61d33c"
+ id = "31dc7b9b-b8bd-5af5-be43-ad3bfdc2a5b3"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1506-L1525"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96"
- logic_hash = "v1_sha256_f0bf2e418bed091c1d9f1d604f284586f27d2d28b277c29f241aeaee9b9bdccf"
+ logic_hash = "f0bf2e418bed091c1d9f1d604f284586f27d2d28b277c29f241aeaee9b9bdccf"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267554,14 +268040,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorp_Stdcdrvwssys_Selftestdatacollectordriv
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrvws64.sys"
 author = "Florian Roth"
- id = "dd5132d4-104b-55c1-b61b-7fa5c8fcd2a4"
+ id = "8915229e-1b50-5c66-b20c-7221e3645c17"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1528-L1547"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505"
- logic_hash = "v1_sha256_06aae42f1cfaaa5d797ef384786a8cdb54685465240d324216d8832be82c5db0"
+ logic_hash = "06aae42f1cfaaa5d797ef384786a8cdb54685465240d324216d8832be82c5db0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267584,14 +268070,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realteksemiconductorcorp_Rtportsys_Realtekportio
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys"
 author = "Florian Roth"
- id = "7a7914f4-862a-5221-a8d3-3ade50c79540"
+ id = "4f6b5de0-26e8-50f8-b4a1-948b6acebb62"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1550-L1569"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1"
- logic_hash = "v1_sha256_814b2a2bc284623f620341ec841cd080eb04ef9c9f4a11387d0b79c5010e70e8"
+ logic_hash = "814b2a2bc284623f620341ec841cd080eb04ef9c9f4a11387d0b79c5010e70e8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267614,14 +268100,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_A6F7 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys"
 author = "Florian Roth"
- id = "38bc421a-5ce9-5558-8f6d-8e4986ef9097"
+ id = "f8f7041b-7141-5f0e-9bec-aaf2b54e5c94"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1572-L1591"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af"
- logic_hash = "v1_sha256_e6b52b789ba1f5bf60722a7b4ec2f94e650b186605ea558780018edaa74090b4"
+ logic_hash = "e6b52b789ba1f5bf60722a7b4ec2f94e650b186605ea558780018edaa74090b4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267644,7 +268130,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_834A : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
- id = "ba31dfea-3184-5835-9102-c3346741ccfb"
+ id = "e37497ee-2ee8-5517-8cbe-8aa218770816"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267652,7 +268138,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_834A : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78"
 hash = "e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21"
- logic_hash = "v1_sha256_54a915ecbb2fb9f77603a19628d8130cf9896bc649618e3448442e1408b1f8a4"
+ logic_hash = "54a915ecbb2fb9f77603a19628d8130cf9896bc649618e3448442e1408b1f8a4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267674,7 +268160,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedrive
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
 author = "Florian Roth"
- id = "b2b89549-0422-5ee4-8351-daf5d7a4a036"
+ id = "609554bc-0f2f-5861-ad56-fc7a772459a6"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267683,7 +268169,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedrive
 hash = "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de"
 hash = "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb"
 hash = "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718"
- logic_hash = "v1_sha256_e2af00ec7cb87e1fe02844a4f26a73c0276f5620f63a59903e4283e4be4b8c72"
+ logic_hash = "e2af00ec7cb87e1fe02844a4f26a73c0276f5620f63a59903e4283e4be4b8c72"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267706,14 +268192,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F42E : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "e1f6eb8e-205a-5264-9965-0eb49b8d06be"
+ id = "8368db29-0a16-5a24-9053-ec5b079c1afc"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1640-L1659"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad"
- logic_hash = "v1_sha256_2bbf7257a20468f12ffa8e8dc70c126a41124043acfcae776cda173ed68788c3"
+ logic_hash = "2bbf7257a20468f12ffa8e8dc70c126a41124043acfcae776cda173ed68788c3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267736,14 +268222,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CF4B : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "a7d1508c-fc2c-5494-94a7-72cce8dd13cc"
+ id = "61555f9e-6caf-5c8c-b4ee-01046e04f744"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1662-L1681"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b"
- logic_hash = "v1_sha256_50f8cbf8834910e3560b3d092ae897977db2c9cb26107219e1604b2c26bba2ae"
+ logic_hash = "50f8cbf8834910e3560b3d092ae897977db2c9cb26107219e1604b2c26bba2ae"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267766,7 +268252,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "24f33944-f18f-5e68-87f7-7f64454c397c"
+ id = "759c6fa4-abce-5dfc-924c-9fbe2ab5d6ff"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267774,7 +268260,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_3867 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8"
 hash = "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c"
- logic_hash = "v1_sha256_f911813c40d65c443b01e00635da122cd1969817c6d3842eca7a5a20ff57513e"
+ logic_hash = "f911813c40d65c443b01e00635da122cd1969817c6d3842eca7a5a20ff57513e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267797,14 +268283,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_D783 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "854c9721-2e53-5ec0-b16d-d25a4e0d55d2"
+ id = "12d08eab-49f0-5d40-bd2d-1a4834deaef1"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1707-L1726"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f"
- logic_hash = "v1_sha256_f92c013f7c10a9c63b2f630b198d9ef360e944182b9760e8c268dc7145f82e95"
+ logic_hash = "f92c013f7c10a9c63b2f630b198d9ef360e944182b9760e8c268dc7145f82e95"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267827,14 +268313,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_4B52 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys"
 author = "Florian Roth"
- id = "62f921b6-a4e4-5ead-87dd-868bb9480887"
+ id = "06a605d6-893e-5ee7-a3d7-bfb128363b81"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1729-L1748"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1"
- logic_hash = "v1_sha256_c1df652b20d7bbea94d71bdef159c26b59180b736859bb4a16d03880a99d2841"
+ logic_hash = "c1df652b20d7bbea94d71bdef159c26b59180b736859bb4a16d03880a99d2841"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267857,14 +268343,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdrive
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
 author = "Florian Roth"
- id = "a8c0ba65-bde0-5f2a-8dfa-11dd643807c3"
+ id = "8ac8f353-494f-5940-a0f2-3f4ee61655e6"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1751-L1770"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8"
- logic_hash = "v1_sha256_d1cc4c2d1335784f723849ab37131f3b5384628652594fe8e3a1ab4b0729eacd"
+ logic_hash = "d1cc4c2d1335784f723849ab37131f3b5384628652594fe8e3a1ab4b0729eacd"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267887,7 +268373,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_I2cIo.sys"
 author = "Florian Roth"
- id = "938544b5-06b9-5547-be42-b58c8677a18c"
+ id = "eb5f5339-f11a-5502-8feb-4bfbd4698a31"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -267896,7 +268382,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriverfle_42E1 :
 hash = "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb"
 hash = "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65"
 hash = "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a"
- logic_hash = "v1_sha256_cfdf34c33d78aebf592047ecc9f15b50d6c33c8d59e5d7684e9a862f440fa1ce"
+ logic_hash = "cfdf34c33d78aebf592047ecc9f15b50d6c33c8d59e5d7684e9a862f440fa1ce"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267919,14 +268405,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_07AF : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "dc51ccdb-731f-5aa5-a274-4a3a6e67e212"
+ id = "3e0bd3b4-4a9f-5d06-ae16-f0c3acf8643a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1797-L1816"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88"
- logic_hash = "v1_sha256_832d90cd437cb6912630943fcae9e103341c0bc6770a4515525cf42f72812faa"
+ logic_hash = "832d90cd437cb6912630943fcae9e103341c0bc6770a4515525cf42f72812faa"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267949,14 +268435,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Mitactechnologycorporation_Mtcbsvsys_Mitacsystem
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mtcBSv64.sys"
 author = "Florian Roth"
- id = "4d661c9d-d628-5c26-97b2-650ff02a952c"
+ id = "36fcbeca-f19e-54b8-9687-121bd9809e9d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1819-L1838"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8"
- logic_hash = "v1_sha256_402e0a50c61722ffbbf6778df2483750fae17d6a18d8b247d65df8302d725c14"
+ logic_hash = "402e0a50c61722ffbbf6778df2483750fae17d6a18d8b247d65df8302d725c14"
 score = 40
 quality = 80
 tags = "FILE"
@@ -267979,14 +268465,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7125 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS"
 author = "Florian Roth"
- id = "c30bd393-b133-5631-b04e-b1dc2558ff0e"
+ id = "0a115fe0-135b-5087-97ef-c5631b50d13f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1841-L1860"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730"
- logic_hash = "v1_sha256_b91987339120b171bf8059bd06c95b25ec8124a902d53c0d05558e95bdfa588b"
+ logic_hash = "b91987339120b171bf8059bd06c95b25ec8124a902d53c0d05558e95bdfa588b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -268009,14 +268495,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F65 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
 author = "Florian Roth"
- id = "da266799-1477-53f9-8dde-05659df1ead2"
+ id = "7b5d5036-d7ec-5722-a18c-9ccaeea8088e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1863-L1882"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0"
- logic_hash = "v1_sha256_66fa3b5461eb9cf7c9f0eba976ac1546338ac11b937cc9753340042a0dc49066"
+ logic_hash = "66fa3b5461eb9cf7c9f0eba976ac1546338ac11b937cc9753340042a0dc49066"
 score = 40
 quality = 80
 tags = "FILE"
@@ -268039,14 +268525,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_58A7 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viraglt64.sys, viragt64.sys" author = "Florian Roth" - id = "86103b36-9496-59e5-bdbc-359496d6da9f" + id = "5ea684cc-982c-5056-9e80-26fe74cb3a64" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1885-L1904" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495" - logic_hash = "v1_sha256_f1f16f31db7cd1249b3a76eddf0091a1b89d158da5c3beb1e3ed5ec18a3a7d72" + logic_hash = "f1f16f31db7cd1249b3a76eddf0091a1b89d158da5c3beb1e3ed5ec18a3a7d72" score = 40 quality = 80 tags = "FILE" 
@@ -268069,14 +268555,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfl meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFltX64.sys" author = "Florian Roth" - id = "b4f66e18-3daf-50d1-b41e-858639b731d9" + id = "bc354ed5-befe-5421-9dbe-a5faef0cfa4a" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1907-L1926" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf" - logic_hash = "v1_sha256_ad7595823bec8291999096f6249051d51741761c09e5a00ed72b01beeb13389b" + logic_hash = "ad7595823bec8291999096f6249051d51741761c09e5a00ed72b01beeb13389b" score = 40 quality = 80 tags = "FILE" @@ -268099,7 +268585,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" - id = "66d223d2-be83-55d8-a287-30f83bcb27d3" + id = "e99866a4-4787-5813-835f-0c9570f80eda" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268107,7 +268593,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b" hash = "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36" - logic_hash = "v1_sha256_40d935ad81305da16adadabbbb18376bb0af64df5ce164625ec1e223ee01ceba" + logic_hash = "40d935ad81305da16adadabbbb18376bb0af64df5ce164625ec1e223ee01ceba" score = 40 quality = 80 tags = "FILE" @@ -268130,14 +268616,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_0F17 : meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "f0adffec-1bf4-5f4a-a599-9ae807137dd6" + id = "a54ff7bf-30a8-5cfc-aaca-a172bee2062b" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L1952-L1971" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf" - logic_hash = "v1_sha256_3e9d3d998c97ac3491211c231552ee36be1428ca8ec61e89e9c1c1b7ff4ccf22" + logic_hash = "3e9d3d998c97ac3491211c231552ee36be1428ca8ec61e89e9c1c1b7ff4ccf22" score = 40 quality = 80 tags = "FILE" 
@@ -268160,7 +268646,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Bsmisys_5962 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BSMI.sys, BSMIXP64.sys" author = "Florian Roth" - id = "de87c165-b963-5f0b-aead-0c22c225a297" + id = "86a0715c-4f0b-52ba-b6dc-44bd4499a222" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -268168,7 +268654,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Bsmisys_5962 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347" hash = "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9" - logic_hash = "v1_sha256_2ddfc5fea50425403654a8c60b372e2416cb0e0424ab26a8812e0b1fb35d399d" + logic_hash = "2ddfc5fea50425403654a8c60b372e2416cb0e0424ab26a8812e0b1fb35d399d" score = 40 quality = 80 tags = "FILE" @@ -268189,7 +268675,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_C6FE : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" - id = "74309e74-e5ec-50c4-9841-52064b3a9c00" + id = "4472b910-a043-5c2b-ab57-2a5f6d19f5f0" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -268199,7 +268685,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_C6FE : FILE hash = "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe" hash = "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e" hash = "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd" - logic_hash = "v1_sha256_15258a5e43b0728b4ab93211fa636f90bdf53c4547733c1ef68ef82f8f26839c" + logic_hash = "15258a5e43b0728b4ab93211fa636f90bdf53c4547733c1ef68ef82f8f26839c" score = 40 quality = 80 tags = "FILE" 
@@ -268221,14 +268707,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_AF16 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "1f5e809e-e308-5fa2-bfce-58e5641ca5d6" + id = "7863f53e-e2eb-5302-8a28-91966f3d8482" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2019-L2038" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1" - logic_hash = "v1_sha256_390b48999576261d87a970dee3dd1da4d82f45bdcf4db37be180c464bacfa488" + logic_hash = "390b48999576261d87a970dee3dd1da4d82f45bdcf4db37be180c464bacfa488" score = 40 quality = 80 tags = "FILE" @@ -268251,7 +268737,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" - id = "2895a0a4-0eee-5950-87b4-3d9a79dac925" + id = "b1168895-eef9-5dfc-9b19-b3e0e302586d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268288,7 +268774,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_99F4 : FILE hash = "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005" hash = "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a" hash = "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0" - logic_hash = "v1_sha256_762965fc7a01b572f1eee45df3f84a13ac185b7a9cbba9b04c285c2e798353e0" + logic_hash = "762965fc7a01b572f1eee45df3f84a13ac185b7a9cbba9b04c285c2e798353e0" score = 40 quality = 80 tags = "FILE" @@ -268311,14 +268797,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwar meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" - id = "a34c6a0c-2284-507b-979e-3e69f137ee5a" + id = "4d44aa9c-4f6d-5d70-886d-43a602c1d6d0" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2093-L2112" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc" - logic_hash = "v1_sha256_cc7c365f36d9c7fc0367b57f9d5b24004c8c4453e0ed227941623c6057fce39a" + logic_hash = "cc7c365f36d9c7fc0367b57f9d5b24004c8c4453e0ed227941623c6057fce39a" score = 40 quality = 80 tags = "FILE" 
@@ -268341,7 +268827,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 : FIL meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - avalueio.sys" author = "Florian Roth" - id = "f6da25c9-6988-5394-ac7f-acc6c35d630d" + id = "e0e5d6b9-6e7e-5955-b7f0-a4c331fb19fc" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -268349,7 +268835,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avaluetechnologyinc_Avalueio_Avalueio_A5A4 : FIL license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec" hash = "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd" - logic_hash = "v1_sha256_ec187ba5aadc7b9395008155d4b6331b099b3ae9e3ab738568a9980b3d0ce448" + logic_hash = "ec187ba5aadc7b9395008155d4b6331b099b3ae9e3ab738568a9980b3d0ce448" score = 40 quality = 80 tags = "FILE" @@ -268372,7 +268858,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatf meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Bs_Def.sys" author = "Florian Roth" - id = "7c6cd75f-1c5f-5819-9a04-6d2257a749d9" + id = "e4e1fc9a-b453-5996-8675-7accb0de023e" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268382,7 +268868,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Bsdefsys_Supportsstsfssteeatf hash = "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5" hash = "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3" hash = "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb" - logic_hash = "v1_sha256_bc91d83188674f0b81615a983aa92e905c878afa3040b4895778222249db8929" + logic_hash = "bc91d83188674f0b81615a983aa92e905c878afa3040b4895778222249db8929" score = 40 quality = 80 tags = "FILE" @@ -268405,7 +268891,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_F27F : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" - id = "71954321-8e0f-559b-8491-df914d0b3f57" + id = "73d525b8-d109-5872-8841-b1c5149f732e" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -268417,7 +268903,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_F27F : FILE hash = "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790" hash = "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a" hash = "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d" - logic_hash = "v1_sha256_0395f7d17d51104b09a35065dcebf608ae8a60fde71c22c1f6d414c2fd0c7cc9" + logic_hash = "0395f7d17d51104b09a35065dcebf608ae8a60fde71c22c1f6d414c2fd0c7cc9" score = 40 quality = 80 tags = "FILE" 
@@ -268439,14 +268925,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_965D : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" - id = "aed407b8-3b57-5af6-bbf8-281913801cc4" + id = "74533a7c-1b5b-5840-843c-455fc73c4e19" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2189-L2208" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb" - logic_hash = "v1_sha256_e5ba23bf3914d121647d6b7aef5ec81d9d62af56397e152fb39179349f1f6146" + logic_hash = "e5ba23bf3914d121647d6b7aef5ec81d9d62af56397e152fb39179349f1f6146" score = 40 quality = 80 tags = "FILE" @@ -268469,7 +268955,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_5A66 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" - id = "eea8a6f3-eab8-5823-a9f6-dd0a56cccdab" + id = "ba5a060c-e889-5f23-9938-7fbfceaae7af" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268481,7 +268967,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_5A66 : FILE hash = "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22" hash = "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0" hash = "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763" - logic_hash = "v1_sha256_ebc8dd2d213b0ff084b8537cc50d7bc2ba692b103251dfc976cad1d2767fc5e3" + logic_hash = "ebc8dd2d213b0ff084b8537cc50d7bc2ba692b103251dfc976cad1d2767fc5e3" score = 40 quality = 80 tags = "FILE" @@ -268503,14 +268989,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panioxsy meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIOx64.sys" author = "Florian Roth" - id = "ecb2e423-2b6e-5a72-9779-fec47ec22829" + id = "c5eec4c9-0210-5e0e-b819-96a6943f270d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2237-L2256" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74" - logic_hash = "v1_sha256_d6d95fe0d738012ca0643f478c59accd2d1e47742a502f5fea65040e59e9f42a" + logic_hash = "d6d95fe0d738012ca0643f478c59accd2d1e47742a502f5fea65040e59e9f42a" score = 40 quality = 80 tags = "FILE" 
@@ -268533,14 +269019,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_82FB : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "f79a78fa-4766-5459-a9b5-2b013998c598" + id = "db7c877e-4b76-5b66-8a4f-a33cb7c76d5a" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2259-L2278" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989" - logic_hash = "v1_sha256_38df982e74818094d0aa508b6b0ad94b885e6554760b4678de833fcc86e8bb13" + logic_hash = "38df982e74818094d0aa508b6b0ad94b885e6554760b4678de833fcc86e8bb13" score = 40 quality = 80 tags = "FILE" 
@@ -268563,14 +269049,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Entechtaiwan_Seasys_Softenginex_6CB5 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Se64a.sys" author = "Florian Roth" - id = "3939bbeb-e276-51ba-aa00-b67bf9042988" + id = "c6298a6f-761c-5e78-b97c-9713b29b0e00" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2281-L2300" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc" - logic_hash = "v1_sha256_aa425e95a0b920bf68c0221d8fb1cc16f00755b626f496b758cf50d26949c27b" + logic_hash = "aa425e95a0b920bf68c0221d8fb1cc16f00755b626f496b758cf50d26949c27b" score = 40 quality = 80 tags = "FILE" 
@@ -268593,14 +269079,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecurit meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "b8dba457-68f6-5ed8-83c7-c52e034d233f" + id = "87caf882-a59a-55ca-89ce-a2c2115a1e50" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2303-L2322" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917" - logic_hash = "v1_sha256_264c22a6b54b47962561ea3d8400aab606dd2d28f5d288ba4777ff2ca290c38e" + logic_hash = "264c22a6b54b47962561ea3d8400aab606dd2d28f5d288ba4777ff2ca290c38e" score = 40 quality = 80 tags = "FILE" @@ -268623,7 +269109,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_F159 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" - id = "e61aabde-51b8-5ab7-9bf9-364983e19f6a" + id = "8b50ddd6-40b2-5d3e-b9b9-c166e241e611" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268633,7 +269119,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_F159 : FILE hash = "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01" hash = "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182" hash = "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95" - logic_hash = "v1_sha256_070d055353bb978e4d8bd82ea4eed3291b747414423cb9ab45676e692defa7bb" + logic_hash = "070d055353bb978e4d8bd82ea4eed3291b747414423cb9ab45676e692defa7bb" score = 40 quality = 80 tags = "FILE" @@ -268656,14 +269142,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1273 : meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "8f20848b-fa91-520b-958f-ddec5fc81b02" + id = "323e0a63-c74c-5d9c-b3af-c64d2bceb724" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2350-L2369" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1" - logic_hash = "v1_sha256_1bf31b51302ade1b65e6c24a0dfcc6e144a2f0104e687cef4a14e6307c27c9e1" + logic_hash = "1bf31b51302ade1b65e6c24a0dfcc6e144a2f0104e687cef4a14e6307c27c9e1" score = 40 quality = 80 tags = "FILE" 
@@ -268686,7 +269172,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "d341cdf9-582e-586a-b93e-af9bd1814836" + id = "2c945052-bb7b-52be-9c11-18eedac5a28e" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -268694,7 +269180,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3854 : FI license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039" hash = "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3" - logic_hash = "v1_sha256_0cdfef6284465ea9f5509cb4e0ad6efb531d60150fb355a388f8152b322e3da9" + logic_hash = "0cdfef6284465ea9f5509cb4e0ad6efb531d60150fb355a388f8152b322e3da9" score = 40 quality = 80 tags = "FILE" @@ -268717,7 +269203,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdrivese meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys" author = "Florian Roth" - id = "cbeb32ae-45ec-542b-9751-e009c8a2abd2" + id = "64eea295-1181-5364-a30a-3ee0e329a04d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268726,7 +269212,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdrivese hash = "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d" hash = "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9" hash = "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca" - logic_hash = "v1_sha256_76740f37a63b7fcf52dc77db4384bc2d232c993ba3553dbfbdd897413b3d1306" + logic_hash = "76740f37a63b7fcf52dc77db4384bc2d232c993ba3553dbfbdd897413b3d1306" score = 40 quality = 80 tags = "FILE" @@ -268749,14 +269235,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Wind meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" - id = "1598e576-7ffe-5335-9f1e-d3ec40aec3ab" + id = "d7e481c0-695e-5536-8b06-b66d0f711f86" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2419-L2438" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd" - logic_hash = "v1_sha256_9149c106ff7ea0326b9e010ef7ae32c25f57c3b9b2e738f4915eda205a512888" + logic_hash = "9149c106ff7ea0326b9e010ef7ae32c25f57c3b9b2e738f4915eda205a512888" score = 40 quality = 80 tags = "FILE" 
@@ -268779,14 +269265,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_8FE9 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" - id = "0759994a-d607-5952-94d0-a4beab741688" + id = "45ac5fe9-25e2-5ee9-a410-95d19ec75e33" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2441-L2457" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a" - logic_hash = "v1_sha256_f293cb0a8bbc710428a7a4ae582f9d6ed60954afeb84efe8b74da38ff41732c1" + logic_hash = "f293cb0a8bbc710428a7a4ae582f9d6ed60954afeb84efe8b74da38ff41732c1" score = 40 quality = 80 tags = "FILE" @@ -268806,7 +269292,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Wind meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys" author = "Florian Roth" - id = "48b4a03c-e34e-596f-bd63-50adf2ce3a4f" + id = "6fa00211-cb55-5870-92ec-18a6e2c7eb89" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268821,7 +269307,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpuzsys_Wind hash = "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126" hash = "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd" hash = "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097" - logic_hash = "v1_sha256_683d1c1b912190afc4933e285a335257039356935354a851faa4cdc31f59a144" + logic_hash = "683d1c1b912190afc4933e285a335257039356935354a851faa4cdc31f59a144" score = 40 quality = 80 tags = "FILE" @@ -268844,14 +269330,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3D9E : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" - id = "7c95ec6a-5f0e-543d-ba20-4312303c84e0" + id = "023a5c66-aae0-5583-95aa-0a62f3f27352" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2490-L2509" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3" - logic_hash = "v1_sha256_fdb944988945780b774d73f3d729d2468b0c9006aca100fa8bbf913a9c5402c6" + logic_hash = "fdb944988945780b774d73f3d729d2468b0c9006aca100fa8bbf913a9c5402c6" score = 40 quality = 80 tags = "FILE" 
@@ -268874,14 +269360,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Logitech_Lgcoretempsys_Lgcoretemp_E0CB : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgCoreTemp.sys" author = "Florian Roth" - id = "67470dce-783d-5c7d-b6a6-b41ba1ff5303" + id = "148a795b-926c-50eb-8da4-bbf8d1ceb3bb" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2512-L2531" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef" - logic_hash = "v1_sha256_f3162a80eb6ab357766aaafbf62aec608291873980c81c6d21d835bc349cda76" + logic_hash = "f3162a80eb6ab357766aaafbf62aec608291873980c81c6d21d835bc349cda76" score = 40 quality = 80 tags = "FILE" 
@@ -268904,14 +269390,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Stdcdrvsys_Selftestdatacollecto meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - stdcdrv64.sys" author = "Florian Roth" - id = "e311f361-fc9d-5ebf-b5ff-99571fdf70a1" + id = "e9509179-09c1-58e7-a08c-ceffd1c6c05c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2534-L2553" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20" - logic_hash = "v1_sha256_dfc77d3461c57240baea160b35e9174aa370fc533d08a9331dd8ce53a0048ad4" + logic_hash = "dfc77d3461c57240baea160b35e9174aa370fc533d08a9331dd8ce53a0048ad4" score = 40 quality = 80 tags = "FILE" @@ -268934,7 +269420,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" - id = "b01feacf-494a-554e-afa1-c6faf6d30d6f" + id = "fbe65027-5e7a-5944-bd8a-c0673cd165a1" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -268942,7 +269428,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_2BBE : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250" hash = "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a" - logic_hash = "v1_sha256_23365c52fd3ce5d9c113c0779072b82325632c75f27cbfde9037b7ffc543a209" + logic_hash = "23365c52fd3ce5d9c113c0779072b82325632c75f27cbfde9037b7ffc543a209" score = 40 quality = 80 tags = "FILE" @@ -268965,7 +269451,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftware meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" - id = "f714a71a-47dc-550c-a719-ae4833bf6e93" + id = "89160c3c-ff81-5425-a205-09be7fd5a412" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -268973,7 +269459,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftware license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0" hash = "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c" - logic_hash = "v1_sha256_771400b6e3f2d216fd38db681bf78fbc4e764a45ff9e11d2e33b62f93ac4a8e2" + logic_hash = "771400b6e3f2d216fd38db681bf78fbc4e764a45ff9e11d2e33b62f93ac4a8e2" score = 40 quality = 80 tags = "FILE" 
@@ -268996,14 +269482,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkprovide meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" - id = "7c9731c9-8bc8-54a4-8958-a8625bd43fa2" + id = "41080479-633a-5f9b-88c9-fba696c3205a" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2602-L2621" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8" - logic_hash = "v1_sha256_0460def7e251adf398560c0f05cac2d161951339eb2bcc2b2f4840edbd0d6991" + logic_hash = "0460def7e251adf398560c0f05cac2d161951339eb2bcc2b2f4840edbd0d6991" score = 40 quality = 80 tags = "FILE" 
@@ -269026,14 +269512,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5FAE : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys" author = "Florian Roth" - id = "ff2e0e7f-67aa-5fdc-be72-96d59f14a05b" + id = "f80d2c53-58e9-5e76-94fc-9a86ea80cfc9" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2624-L2643" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879" - logic_hash = "v1_sha256_7dfbd2e11b8a37a8b276a2279f19f57064f3d561cf2555680c71679206ec1452" + logic_hash = "7dfbd2e11b8a37a8b276a2279f19f57064f3d561cf2555680c71679206ec1452" score = 40 quality = 80 tags = "FILE" 
@@ -269056,14 +269542,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Innotekgmbh_Vboxusbmonsys_Virtualboxusbmonitordr
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys"
 author = "Florian Roth"
- id = "a8fe9891-8925-5180-ade5-6a80d4f079c5"
+ id = "b765649a-a926-50cd-9772-86ed7538dd2e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2646-L2665"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40"
- logic_hash = "v1_sha256_ca021b6b3c733e75d33996652ca9602541e4c9eb9e74f2a995d1b2c2989ca68b"
+ logic_hash = "ca021b6b3c733e75d33996652ca9602541e4c9eb9e74f2a995d1b2c2989ca68b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269086,14 +269572,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_1A45 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys"
 author = "Florian Roth"
- id = "1c6336d7-564c-5a82-be35-787cb21ebb52"
+ id = "a9aae6dc-3328-5541-a437-509b5ac81261"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2668-L2687"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67"
- logic_hash = "v1_sha256_51f72d08bd6f0b0e683a9af729e16e08e8d652d9ea5f43872aa402ec3da65cfe"
+ logic_hash = "51f72d08bd6f0b0e683a9af729e16e08e8d652d9ea5f43872aa402ec3da65cfe"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269116,7 +269602,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "b1ba11e1-1064-53ac-a4e2-305c79ee96ef"
+ id = "e66960f5-d39e-5b0b-b573-77ffeb276925"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269124,7 +269610,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_62F5 : FI
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0"
 hash = "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7"
- logic_hash = "v1_sha256_13b9c0f468e8ce5a9ff8938879d6d22a56c0d7e01b3a72969ecff55954a07b89"
+ logic_hash = "13b9c0f468e8ce5a9ff8938879d6d22a56c0d7e01b3a72969ecff55954a07b89"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269147,7 +269633,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Yyinc_Dianhu_80CB : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Dh_Kernel_10.sys"
 author = "Florian Roth"
- id = "8c003722-17b9-55d9-beca-eb92d70022cd"
+ id = "166a402d-9679-54b8-9703-3e3b2b001236"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269155,7 +269641,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Yyinc_Dianhu_80CB : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3"
 hash = "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955"
- logic_hash = "v1_sha256_fb1f5f8687f1673585ee2652b9dde20ae925ee33d527d2052707b2370a5df1fc"
+ logic_hash = "fb1f5f8687f1673585ee2652b9dde20ae925ee33d527d2052707b2370a5df1fc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269176,7 +269662,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "4569aa88-e10c-59ea-83e5-040e22d9e8ed"
+ id = "6a773b61-ac40-5cdd-ad93-0b16061587f7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269186,7 +269672,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8F68 : FILE
 hash = "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96"
 hash = "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9"
 hash = "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027"
- logic_hash = "v1_sha256_7be41a2e50b883e4e8196b37a35c5b1fd4169b3bc1975832baa4b8983bcfb051"
+ logic_hash = "7be41a2e50b883e4e8196b37a35c5b1fd4169b3bc1975832baa4b8983bcfb051"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269209,14 +269695,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_A5A5 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "2e8da3b4-1e95-5ead-9d89-70adaf48421d"
+ id = "b68851b2-66b6-5b8a-9aaa-918a34934a92"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2759-L2778"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad"
- logic_hash = "v1_sha256_38048706f3e5bd4248779dc8890d14a31daafa177c51953c31f2e7a81c6871a0"
+ logic_hash = "38048706f3e5bd4248779dc8890d14a31daafa177c51953c31f2e7a81c6871a0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269239,14 +269725,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Wnbiossys_Windowsrwinddkd
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wnbios.sys"
 author = "Florian Roth"
- id = "26567246-e710-56a7-a1d4-ce88ca685aff"
+ id = "98c36c7b-603b-5fe4-8774-7ea9ecf84ef9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2781-L2800"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb"
- logic_hash = "v1_sha256_73e496811ab4097aa8311e510fa913a10691a00e314944d509df05084d373379"
+ logic_hash = "73e496811ab4097aa8311e510fa913a10691a00e314944d509df05084d373379"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269269,14 +269755,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytes_Elbycdio_Cdrtools_98EC : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "a2c08ac0-9eed-5728-bd9b-e718987b6ff2"
+ id = "67443d8d-b463-51f0-96fa-8ed06833286f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2803-L2822"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e"
- logic_hash = "v1_sha256_27e4fb74a63ee1fe3b3bcf97e2ed01b02d05339cce2f18c2f010577d80dbb243"
+ logic_hash = "27e4fb74a63ee1fe3b3bcf97e2ed01b02d05339cce2f18c2f010577d80dbb243"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269299,14 +269785,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_591B : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "46b0ba03-276e-579e-92a6-dbb33cf91106"
+ id = "b4f581f6-66e5-5b85-9b2d-b1532dd2defe"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2825-L2844"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52"
- logic_hash = "v1_sha256_471fab20146586dacf37b9bb3f43ee578339c73f204487556987803d12a64f95"
+ logic_hash = "471fab20146586dacf37b9bb3f43ee578339c73f204487556987803d12a64f95"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269329,7 +269815,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinRing0.sys, WinRing0x64"
 author = "Florian Roth"
- id = "611d71f1-436f-5a97-89c6-5ececeda340e"
+ id = "b14e5697-a0f7-5af0-a0da-0f5ca2d88c1c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269337,7 +269823,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Openlibsysorg_Winringsys_Winring_47EA : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84"
 hash = "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8"
- logic_hash = "v1_sha256_e6bea09a04b7f043d9a8cef4c8dc3e2f087fdf1a981f6d23dee728ea6d15d792"
+ logic_hash = "e6bea09a04b7f043d9a8cef4c8dc3e2f087fdf1a981f6d23dee728ea6d15d792"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269360,14 +269846,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdrive
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
 author = "Florian Roth"
- id = "a5ca2a78-9be6-5496-b5e4-45d1a9ce9ee7"
+ id = "b9a6e1e6-1bc5-587f-a31f-8dc55568ad9e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2870-L2889"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd"
- logic_hash = "v1_sha256_b4f90f50b2e90fd8dc57778ba8f650ed201fe2f11f145e981d13021f87746d1f"
+ logic_hash = "b4f90f50b2e90fd8dc57778ba8f650ed201fe2f11f145e981d13021f87746d1f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269390,14 +269876,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amd
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
 author = "Florian Roth"
- id = "23ddc2aa-b674-576c-a4a1-37c420120c32"
+ id = "8dcbf930-ae97-5389-9b68-793dc82b042b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2892-L2911"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880"
- logic_hash = "v1_sha256_669972137fad6a5cc701ea56cf8ae85e08d2131f026e8cf1bd5c85ca1754d3cb"
+ logic_hash = "669972137fad6a5cc701ea56cf8ae85e08d2131f026e8cf1bd5c85ca1754d3cb"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269420,7 +269906,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys"
 author = "Florian Roth"
- id = "b9441942-84a2-5a15-8752-198ecac9bbb1"
+ id = "f5e53c71-1c12-5df8-a2cc-563473190c87"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269432,7 +269918,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Atitechnologiesinc_Atillksys_Atidiagnostics_AD40
 hash = "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad"
 hash = "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0"
 hash = "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a"
- logic_hash = "v1_sha256_929e467d52a19dfba2c8ca6c4124881d76c239a4d04ce10c195665bf4bfea373"
+ logic_hash = "929e467d52a19dfba2c8ca6c4124881d76c239a4d04ce10c195665bf4bfea373"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269455,7 +269941,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_E502 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "6f4f7c16-e476-5ed1-ba03-145868277261"
+ id = "b0f9239b-2acb-5164-8b21-791f69d4e047"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269465,7 +269951,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_E502 : FILE
 hash = "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab"
 hash = "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7"
 hash = "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e"
- logic_hash = "v1_sha256_f1e88064cf1a4902da5ee870a605219943740e557845b1f4e99f1cea2c28b77c"
+ logic_hash = "f1e88064cf1a4902da5ee870a605219943740e557845b1f4e99f1cea2c28b77c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269488,14 +269974,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecurit
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "17543626-9047-511e-a907-788060577f48"
+ id = "6ee8fb67-896d-534f-9602-a0f46a43e5cd"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2966-L2985"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c"
- logic_hash = "v1_sha256_b0ef81e3a05326390a7d2f00499cf3aaf0610b03f3df2313d5a1f2dddff3555f"
+ logic_hash = "b0ef81e3a05326390a7d2f00499cf3aaf0610b03f3df2313d5a1f2dddff3555f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269518,14 +270004,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_3FA6 : F
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "8b559566-a604-5642-a114-005c927ade96"
+ id = "25f27f08-3aab-5b8f-bf59-37a40de4fb44"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L2988-L3007"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e"
- logic_hash = "v1_sha256_c1d75b4073f212403f3e7b50cd8c1ea2a8a979bca7cf2dd4cd05bfca03d49c48"
+ logic_hash = "c1d75b4073f212403f3e7b50cd8c1ea2a8a979bca7cf2dd4cd05bfca03d49c48"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269548,14 +270034,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3E1D : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "cf999d1b-962f-53b7-bff3-57a0e9d4bc4f"
+ id = "d8d61d0b-d859-5e7e-9ef6-b232ab499560"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3010-L3029"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272"
- logic_hash = "v1_sha256_29f4dbbd8dd749a9ccf94cd59010c8c8b63ce1d33c93f05b1f24b1e6a216aff6"
+ logic_hash = "29f4dbbd8dd749a9ccf94cd59010c8c8b63ce1d33c93f05b1f24b1e6a216aff6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269578,14 +270064,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "e293f23b-5f32-5c97-a65d-09a72d2e8bd5"
+ id = "a9926e8c-f504-5926-8be0-e4e9ccf3b971"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3032-L3051"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d"
- logic_hash = "v1_sha256_108670db45ff60bd5d31187755019cd7530f29da12d36c96be06880c23d5e7f9"
+ logic_hash = "108670db45ff60bd5d31187755019cd7530f29da12d36c96be06880c23d5e7f9"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269608,7 +270094,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_3B71 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
- id = "0c7bf23e-9da9-5245-ae0e-75e8e37f0b11"
+ id = "da77918c-29d1-57f2-bf66-63f2759dc350"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269618,7 +270104,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_3B71 : FILE
 hash = "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35"
 hash = "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4"
 hash = "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5"
- logic_hash = "v1_sha256_cbd39f2f901a1d5f1929331659fbad14e82a7e69cacc1b0c4ee2f8137e3613aa"
+ logic_hash = "cbd39f2f901a1d5f1929331659fbad14e82a7e69cacc1b0c4ee2f8137e3613aa"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269640,14 +270126,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_0BD1 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys"
 author = "Florian Roth"
- id = "422d01a9-3ab7-53f8-a44f-fc0d6093afb5"
+ id = "6710f3a1-8cec-57be-a854-f848e693290a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3078-L3097"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e"
- logic_hash = "v1_sha256_c5fa94fee1260b2c8f188c996ed4ce2095ad8c72fcf6a03b6985303209f17a3a"
+ logic_hash = "c5fa94fee1260b2c8f188c996ed4ce2095ad8c72fcf6a03b6985303209f17a3a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269670,14 +270156,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_1E94 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys"
 author = "Florian Roth"
- id = "245cb69b-4f3c-57f0-881a-6c3898a6b497"
+ id = "a869389f-4b07-5f15-8157-f8880a8c4bbf"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3100-L3119"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb"
- logic_hash = "v1_sha256_86cbd2762bb8bf050343f4e738216a33764997046a9b59bbb6a435afa2859f0e"
+ logic_hash = "86cbd2762bb8bf050343f4e738216a33764997046a9b59bbb6a435afa2859f0e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269700,14 +270186,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Hpdevelopmentcompany_Etdsuppsys_Hpetdidriverdll_
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - etdsupp.sys"
 author = "Florian Roth"
- id = "cd8550b4-6345-50a5-98b7-b843ee4569ca"
+ id = "cfc5dca9-7ccc-590e-a79e-07f13cbbb080"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3122-L3141"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145"
- logic_hash = "v1_sha256_9fcdfda30bb8fb16c5112c22b34be1c42f9ce1a32d21a7554ba0aff2a7696aa1"
+ logic_hash = "9fcdfda30bb8fb16c5112c22b34be1c42f9ce1a32d21a7554ba0aff2a7696aa1"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269730,7 +270216,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwind
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
 author = "Florian Roth"
- id = "cc27a3c0-46f7-5266-aab4-6478091a94c7"
+ id = "cca75a99-2482-54a2-8891-2cd23c8836e9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269744,7 +270230,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwind
 hash = "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b"
 hash = "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9"
 hash = "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59"
- logic_hash = "v1_sha256_c8ed6d101a45f797156391f2fa31ecdd66a21bff557a53e8af35838c8ab3d469"
+ logic_hash = "c8ed6d101a45f797156391f2fa31ecdd66a21bff557a53e8af35838c8ab3d469"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269767,14 +270253,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_4ED2 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys"
 author = "Florian Roth"
- id = "9a7339d7-d401-5510-ba88-42f2004379b8"
+ id = "a9729999-5b31-5b09-bdd1-9d47e4227ab5"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3173-L3192"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7"
- logic_hash = "v1_sha256_07981841e989bc762fbce94915e29595b1e6db881ed57064c03b126019538fca"
+ logic_hash = "07981841e989bc762fbce94915e29595b1e6db881ed57064c03b126019538fca"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269797,7 +270283,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersys_1265 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
 author = "Florian Roth"
- id = "d6dd69fe-ba0a-5864-bfcc-68f553b2fe57"
+ id = "fde7c85f-96f3-536f-b0b5-0d12424c16a3"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269806,7 +270292,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersys_1265 : FILE
 hash = "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df"
 hash = "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4"
 hash = "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af"
- logic_hash = "v1_sha256_894e7a4baa9287019f06e0dc91eccd11e2d3043f60be53efd2240879eb8d2772"
+ logic_hash = "894e7a4baa9287019f06e0dc91eccd11e2d3043f60be53efd2240879eb8d2772"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269829,14 +270315,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_1F81 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
 author = "Florian Roth"
- id = "32fd2f38-fcd3-58ac-9905-1b4d55ad7316"
+ id = "9610cbd7-8521-54ea-a4db-c6d26048fb4b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3219-L3238"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501"
- logic_hash = "v1_sha256_e5b9e4c1559e91b575933d2dd5574a6c374fe967256f65243122c22efbc666ce"
+ logic_hash = "e5b9e4c1559e91b575933d2dd5574a6c374fe967256f65243122c22efbc666ce"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269859,14 +270345,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Iobit_Iobitunlockersys_Iobitunlocker_C79A : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys"
 author = "Florian Roth"
- id = "82eed543-f35e-586d-bed5-8ff245ed64cc"
+ id = "f81ad3f3-755f-546b-8246-2ee9dd885813"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3241-L3260"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66"
- logic_hash = "v1_sha256_b711978610592c579a05d332b72c294a5b960a18033264d6a75b8b482dbe8903"
+ logic_hash = "b711978610592c579a05d332b72c294a5b960a18033264d6a75b8b482dbe8903"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269889,14 +270375,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_16B5 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "e5c85934-b629-5a42-831e-d13cacd0d674"
+ id = "82c31b8b-46ae-5202-9ea5-d243063f8522"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3263-L3282"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1"
- logic_hash = "v1_sha256_57f379da59234cd2e83802180faecd15784a28fcd09f2eb0a5944f494972c9fc"
+ logic_hash = "57f379da59234cd2e83802180faecd15784a28fcd09f2eb0a5944f494972c9fc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269919,7 +270405,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Agent64.sys"
 author = "Florian Roth"
- id = "6b00a372-e3f8-500c-8ffd-fa9fe9c7fb6a"
+ id = "41ccdc0b-ec41-51b3-9039-bf5206f9a79f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269931,7 +270417,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Phoenixtechnologies_Agentsys_Driveragent_4045 :
 hash = "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414"
 hash = "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748"
 hash = "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb"
- logic_hash = "v1_sha256_1902f186f263eaeaf3de6712a8fe2c01f2225f7ba051f4020de27832e197e256"
+ logic_hash = "1902f186f263eaeaf3de6712a8fe2c01f2225f7ba051f4020de27832e197e256"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269954,7 +270440,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "33e4f420-9807-5001-93fa-257f331de8ee"
+ id = "b092767e-5f04-59f9-b653-c4ab28860de0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -269962,7 +270448,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_FA77 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a"
 hash = "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18"
- logic_hash = "v1_sha256_e59a975ce22fb83623ae84000e07bcc0f2060b7e16cfc3e2b538138246ef296a"
+ logic_hash = "e59a975ce22fb83623ae84000e07bcc0f2060b7e16cfc3e2b538138246ef296a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -269985,14 +270471,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_D0E2 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
 author = "Florian Roth"
- id = "ee6dba8c-9b76-55bb-abb7-89e4b8f9ad84"
+ id = "1ee0136e-73bc-5b88-ae0b-74f3f53fe93f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3335-L3354"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605"
- logic_hash = "v1_sha256_c265c6c89ea9bf09b9dcf47e1ce60f3531d76521a0ef1bbdc07d401a7b4164ed"
+ logic_hash = "c265c6c89ea9bf09b9dcf47e1ce60f3531d76521a0ef1bbdc07d401a7b4164ed"
 score = 40
 quality = 80
 tags = "FILE"
@@ -270015,14 +270501,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_F060 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
 author = "Florian Roth"
- id = "4f9646d0-1f3b-5b96-936a-8cffaa46b8fd"
+ id = "b6ebdc92-1ca5-5f13-beef-d6adf037e732"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3357-L3376"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008"
- logic_hash = "v1_sha256_c73f19c87d63e9986e5f44a368f4b8305b7bff17ebdeb85f309751f54f76db48"
+ logic_hash = "c73f19c87d63e9986e5f44a368f4b8305b7bff17ebdeb85f309751f54f76db48"
 score = 40
 quality = 80
 tags = "FILE"
@@ -270045,14 +270531,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4AC0 : FIL meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" - id = "0855f6ad-bd70-5f54-b090-ddead1319f42" + id = "8839157b-8e6c-5929-8041-443ecccbb688" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3379-L3398" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173" - logic_hash = "v1_sha256_b3a6dc1e2b7e806eb56133af99e995139dccddb2cba897f54144203ea3558f29" + logic_hash = "b3a6dc1e2b7e806eb56133af99e995139dccddb2cba897f54144203ea3558f29" score = 40 quality = 80 tags = "FILE" @@ -270075,7 +270561,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedrive meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrIbDrv.sys" author = "Florian Roth" - id = "fff64e9e-40e4-51e8-9c26-00a0da62c0d0" + id = "f98969ca-e570-5f95-93d8-5b73fc3221fd" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270087,7 +270573,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rweverything_Rwdrvsys_Rweverythingreadwritedrive hash = "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc" hash = "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb" hash = "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14" - logic_hash = "v1_sha256_818a6a8b09db442f8abf2c466339d01665220768dfebc6faf6c74d3f9855542b" + logic_hash = "818a6a8b09db442f8abf2c466339d01665220768dfebc6faf6c74d3f9855542b" score = 40 quality = 80 tags = "FILE" @@ -270110,14 +270596,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5027 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "5476d5e0-a0b2-5fb9-a944-5ceb728f9a31" + id = "e46d3ca0-a605-503d-86ac-67ac7ac8c7cc" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3428-L3447" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48" - logic_hash = "v1_sha256_f2f0788448e15b372c67c310a411c9533fad7e03b24c24a1a1da7eeb595b6e75" + logic_hash = "f2f0788448e15b372c67c310a411c9533fad7e03b24c24a1a1da7eeb595b6e75" score = 40 quality = 80 tags = "FILE" 
@@ -270140,14 +270626,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" - id = "edf50a59-3be7-5041-b98d-2759df5f54b2" + id = "1c940da3-7e22-54eb-822b-8dad331e410e" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3450-L3469" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958" - logic_hash = "v1_sha256_30602a4c8f91277805e82cdcd5ccae77b22e77644baf59d9ab2235e575ed9f25" + logic_hash = "30602a4c8f91277805e82cdcd5ccae77b22e77644baf59d9ab2235e575ed9f25" score = 40 quality = 80 tags = "FILE" @@ -270170,7 +270656,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" - id = "9d21da12-b1f8-527c-b309-2602b355a915" + id = "213d1f7e-f283-5551-a942-c7b5b12014e6" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270178,7 +270664,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_442C : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c" hash = "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1" - logic_hash = "v1_sha256_b44ece633deccb00cea884422a24053616bf92a71a7f0a0264102d548ce02bb7" + logic_hash = "b44ece633deccb00cea884422a24053616bf92a71a7f0a0264102d548ce02bb7" score = 40 quality = 80 tags = "FILE" @@ -270201,7 +270687,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_468B : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" - id = "e423b47a-bef6-5187-a8ba-94625ca4b8aa" + id = "e13ecd37-8ec8-5cc1-8a3a-c53fb10bf2dc" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -270209,7 +270695,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_468B : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5" hash = "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1" - logic_hash = "v1_sha256_b286d189f5709b74d0da658841a1a626408db584696c467b07b4c341ec6d6748" + logic_hash = "b286d189f5709b74d0da658841a1a626408db584696c467b07b4c341ec6d6748" score = 40 quality = 80 tags = "FILE" 
@@ -270232,14 +270718,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecurit meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "4deec140-7466-5037-a921-abb3ce65ed9f" + id = "9d4595ab-29a2-5b71-b03b-9730db4eadca" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3518-L3537" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0" - logic_hash = "v1_sha256_0d4f44ece27db1def197e6353d59677915f7f58eb5ff4661d2b8e024eb07acb7" + logic_hash = "0d4f44ece27db1def197e6353d59677915f7f58eb5ff4661d2b8e024eb07acb7" score = 40 quality = 80 tags = "FILE" 
@@ -270262,14 +270748,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amd meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" - id = "79a34c39-782a-58db-b765-9027e9a78b78" + id = "9dd62c3a-8f3c-5df0-a6a2-fcaa72c4ed16" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3540-L3559" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194" - logic_hash = "v1_sha256_fcef672d2e2c24f4b1323554ca206f3bd67657af96ad774056e5fd0181cc7ac7" + logic_hash = "fcef672d2e2c24f4b1323554ca206f3bd67657af96ad774056e5fd0181cc7ac7" score = 40 quality = 80 tags = "FILE" 
@@ -270292,14 +270778,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Panmonfl meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanMonFlt.sys" author = "Florian Roth" - id = "8382e8e5-8492-5ab2-a8fb-d8bed0af04ce" + id = "1d9363a1-e32e-5989-8777-6e530efa6a55" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3562-L3581" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7" - logic_hash = "v1_sha256_6f9a951d64947f6930614206f10eb51a5f43566fdc6425821608e0f847818f75" + logic_hash = "6f9a951d64947f6930614206f10eb51a5f43566fdc6425821608e0f847818f75" score = 40 quality = 80 tags = "FILE" @@ -270322,7 +270808,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" - id = "ca1adebb-a06b-5d1e-8518-bd85ec25a0e8" + id = "f939adf6-310c-5d8a-bfb5-4ebcbd6bccfe" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270330,7 +270816,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114" hash = "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54" - logic_hash = "v1_sha256_a787fd5e5b62f39a19222a8167382966dd707e2aba99f4c08ad839b221a17e75" + logic_hash = "a787fd5e5b62f39a19222a8167382966dd707e2aba99f4c08ad839b221a17e75" score = 40 quality = 80 tags = "FILE" @@ -270353,14 +270839,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Lenovogrouplimitedr_Lenovodiagnosticsdriversys_L meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LenovoDiagnosticsDriver.sys" author = "Florian Roth" - id = "cdf3be90-736d-5746-b15d-ec3765ccdf4a" + id = "791da32a-272c-5bde-9722-cc4c68321ad7" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3607-L3626" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe" - logic_hash = "v1_sha256_22098d721c4814786834b3ea781283f53d195ba35f51fc8fd75b45f7781d39d4" + logic_hash = "22098d721c4814786834b3ea781283f53d195ba35f51fc8fd75b45f7781d39d4" score = 40 quality = 80 tags = "FILE" 
@@ -270383,14 +270869,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_3F20 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - pchunter.sys" author = "Florian Roth" - id = "2e148761-3180-5577-a036-0c02fb7cb772" + id = "ab0247c7-eb20-5481-9fed-f9608dd4cb93" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3629-L3645" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc" - logic_hash = "v1_sha256_6265acf1ebd52e5efe41774f35b3b01ede27f18c04975ac57afbd62b7d6d7600" + logic_hash = "6265acf1ebd52e5efe41774f35b3b01ede27f18c04975ac57afbd62b7d6d7600" score = 40 quality = 80 tags = "FILE" 
@@ -270410,14 +270896,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospacka meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS" author = "Florian Roth" - id = "996cd953-b6bf-50b7-9182-12f6316e8e91" + id = "f3c02bcb-2c9e-5319-a0ac-3773a81d68f6" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3648-L3667" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8" - logic_hash = "v1_sha256_a724598247e27cca91bd76f60ebbad471d199ae290c8ec100bcf1efc02b74963" + logic_hash = "a724598247e27cca91bd76f60ebbad471d199ae290c8ec100bcf1efc02b74963" score = 40 quality = 80 tags = "FILE" 
@@ -270440,14 +270926,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Dell_Dbutil_71FE : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DBUtilDrv2.sys" author = "Florian Roth" - id = "f07d4e31-dca8-584a-9ff3-0273437f270c" + id = "172e8e13-e1ff-5caf-9759-d607ef072215" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3670-L3686" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009" - logic_hash = "v1_sha256_dad7c23d78176f31a2a324998e3170a5096a50389ff83af590503fac69791890" + logic_hash = "dad7c23d78176f31a2a324998e3170a5096a50389ff83af590503fac69791890" score = 40 quality = 80 tags = "FILE" @@ -270467,7 +270953,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_6D2C : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" - id = "60d20ac2-1a65-5434-b043-4bdd67635e30" + id = "3a685339-ca77-557e-ad5d-94943d9b3ee1" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270475,7 +270961,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_6D2C : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d" hash = "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250" - logic_hash = "v1_sha256_c2c74038259bec413bbacf0957449d1da5291b84c6f6848e5573ca50bbea006f" + logic_hash = "c2c74038259bec413bbacf0957449d1da5291b84c6f6848e5573ca50bbea006f" score = 40 quality = 80 tags = "FILE" @@ -270498,7 +270984,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Atszio_Atsziodriver_673B : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" - id = "aee197ee-a355-5cf8-afce-a8ef783509fa" + id = "bcd5bc05-5e71-5491-be7d-94cdbebddd9f" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -270506,7 +270992,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Atszio_Atsziodriver_673B : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b" hash = "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a" - logic_hash = "v1_sha256_d3f753b1bd9dc99cece28a3da9a87e9d211207204f05f573f01391f2c1a08f07" + logic_hash = "d3f753b1bd9dc99cece28a3da9a87e9d211207204f05f573f01391f2c1a08f07" score = 40 quality = 80 tags = "FILE" 
@@ -270528,14 +271014,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asus_Asmmapsys_Atkgenericfunctionservice_025E : meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - asmmap64.sys" author = "Florian Roth" - id = "1427a5ba-8579-5c8d-96d4-d73aab0919b7" + id = "68572e19-5b92-57fb-b301-0224e00139cd" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3734-L3753" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4" - logic_hash = "v1_sha256_81100a6b0917bd9d6641c1f3db32353d1fe02b34feb5136c3f316f5deaa32f7d" + logic_hash = "81100a6b0917bd9d6641c1f3db32353d1fe02b34feb5136c3f316f5deaa32f7d" score = 40 quality = 80 tags = "FILE" @@ -270558,7 +271044,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9724 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" - id = "68c69b6c-a783-54d7-bb06-4d16cd704bfd" + id = "a0be3cf9-193d-5bee-ac83-a5701ad9e4e9" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270568,7 +271054,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9724 : FILE hash = "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512" hash = "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21" hash = "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047" - logic_hash = "v1_sha256_f48f9cb6cc160c9fd749a73001a904ab727e33704064f4220a56671b89ce0f5a" + logic_hash = "f48f9cb6cc160c9fd749a73001a904ab727e33704064f4220a56671b89ce0f5a" score = 40 quality = 80 tags = "FILE" @@ -270591,14 +271077,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_7133 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" - id = "3588d3d4-abcc-52e2-a2a8-70fbefd236f0" + id = "1d9df905-34d9-5503-b08d-ea4ff2cd826a" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3781-L3800" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129" - logic_hash = "v1_sha256_7abc5f0325fa8552b38499b061dd10f6a4cdb56ba1071446ce6ca91e42b8c9f7" + logic_hash = "7abc5f0325fa8552b38499b061dd10f6a4cdb56ba1071446ce6ca91e42b8c9f7" score = 40 quality = 80 tags = "FILE" 
@@ -270621,7 +271107,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatin meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LHA.sys" author = "Florian Roth" - id = "e41cb82f-af68-5676-ae50-adbacd746c37" + id = "8af33121-526d-5f4c-8cde-6e427f36ad97" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -270629,7 +271115,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Lgelectronicsinc_Lhasys_Microsoftwindowsoperatin license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade" hash = "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf" - logic_hash = "v1_sha256_fcc57907a8653acc1175b486f719f029ba3c982dbc73ab0cd878f08b2fcb0aad" + logic_hash = "fcc57907a8653acc1175b486f719f029ba3c982dbc73ab0cd878f08b2fcb0aad" score = 40 quality = 80 tags = "FILE" 
@@ -270652,14 +271138,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elitegroupcomputersystems_Ecsiodriversys_Ecsiodr meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ecsiodriverx64.sys" author = "Florian Roth" - id = "bde96b61-87fa-5be3-a050-658ac0c2fd0a" + id = "08f5ad86-8243-5591-9cc4-88bc0a0160fa" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3826-L3845" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc" - logic_hash = "v1_sha256_899c58fe4793270c3e314e2c3f04c1341b6fefedba37d53200e5477f1108a5cf" + logic_hash = "899c58fe4793270c3e314e2c3f04c1341b6fefedba37d53200e5477f1108a5cf" score = 40 quality = 80 tags = "FILE" @@ -270682,7 +271168,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_8D33 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" - id = "e7119ed2-2dc9-5918-b440-46ddf0de22ac" + id = "f7b27f03-ea78-5f2c-8b48-ea62c495cb89" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270690,7 +271176,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_8D33 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409" hash = "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5" - logic_hash = "v1_sha256_9868c2b401562623484d7bc00700332a754380b25b05cb95f38a8b242e7f59fa" + logic_hash = "9868c2b401562623484d7bc00700332a754380b25b05cb95f38a8b242e7f59fa" score = 40 quality = 80 tags = "FILE" @@ -270713,7 +271199,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" - id = "e27dddea-55c2-52bb-b932-28e9d589261c" + id = "a407037f-0b6e-56a9-9562-592a2e0954c7" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -270721,7 +271207,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_C586 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65" hash = "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d" - logic_hash = "v1_sha256_761661cb4ab100aad58ca83f20dd3eb25173bb6c987a7643ca93b91e90f25409" + logic_hash = "761661cb4ab100aad58ca83f20dd3eb25173bb6c987a7643ca93b91e90f25409" score = 40 quality = 80 tags = "FILE" 
@@ -270744,14 +271230,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Logmeininc_Lmiinfosys_Logmein_453B : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LMIinfo.sys" author = "Florian Roth" - id = "6d9761fb-e7b2-5385-88e8-ff15f86627ba" + id = "50e671ec-752c-5494-97bc-bd29cd7452f1" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3894-L3913" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233" - logic_hash = "v1_sha256_1940aec392f250b22b8480d7b75f0c1a21c7bad13c0e83a4eb6065b3d045e4cd" + logic_hash = "1940aec392f250b22b8480d7b75f0c1a21c7bad13c0e83a4eb6065b3d045e4cd" score = 40 quality = 80 tags = "FILE" 
@@ -270774,14 +271260,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_76AF : FIL meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" - id = "b5d65ba3-489b-5c14-9c0a-cfed244a0dc7" + id = "f89b7e66-c5d6-576b-8487-1530a3e37121" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3916-L3935" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc" - logic_hash = "v1_sha256_d4031de065552af6807677430ee6aa17fb754052f6fdeb147db0105bd235acd8" + logic_hash = "d4031de065552af6807677430ee6aa17fb754052f6fdeb147db0105bd235acd8" score = 40 quality = 80 tags = "FILE" 
@@ -270804,14 +271290,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1284 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" - id = "715011dd-8d8c-5990-ba67-a293fb458c5c" + id = "673660ad-6d19-5b50-b467-ea6a5a00fa76" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L3938-L3957" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590" - logic_hash = "v1_sha256_2453f457e43fd2dade465a33189f8ae41ca5ebd16d9a9c42d8edaf22ca990916" + logic_hash = "2453f457e43fd2dade465a33189f8ae41ca5ebd16d9a9c42d8edaf22ca990916" score = 40 quality = 80 tags = "FILE" @@ -270834,7 +271320,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrSetupDrv103.sys" author = "Florian Roth" - id = "241884b4-cfbf-5f80-86ae-688074b942e6" + id = "cfb5259e-deef-57db-ab34-fa909845043c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270842,7 +271328,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rweverything_Asrsetupdrvsys_Asrsetupdrvdriver_9D license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3" hash = "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f" - logic_hash = "v1_sha256_875be865b5c6a924c48aada4c97ae39552a9944d9efb4e419dd754ce3f7ec217" + logic_hash = "875be865b5c6a924c48aada4c97ae39552a9944d9efb4e419dd754ce3f7ec217" score = 40 quality = 80 tags = "FILE" @@ -270865,7 +271351,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdrive meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys" author = "Florian Roth" - id = "18765492-6f3a-590a-a528-30d5de38842c" + id = "35330a4b-841a-5e61-b8c1-5e02f61ec021" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -270874,7 +271360,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdrive hash = "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2" hash = "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5" hash = "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75" - logic_hash = "v1_sha256_e7bff1c9a45ea37c1d26aeaa0946bd55387ef6adf318d04196ad6aa55950765a" + logic_hash = "e7bff1c9a45ea37c1d26aeaa0946bd55387ef6adf318d04196ad6aa55950765a" score = 40 quality = 80 tags = "FILE" 
@@ -270897,14 +271383,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantim meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" - id = "1360670c-0380-5827-9715-5f5071be27ae" + id = "f5251fdb-8e6e-5ea7-abdd-3a85dfbda449" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4007-L4026" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11" - logic_hash = "v1_sha256_434964576b56367bc1ef4a198b6d6315c00c3fea0af9f1e0f08da6b7bd2cd0d1" + logic_hash = "434964576b56367bc1ef4a198b6d6315c00c3fea0af9f1e0f08da6b7bd2cd0d1" score = 40 quality = 80 tags = "FILE" @@ -270927,7 +271413,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystem meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" - id = "a9bef13a-2a8f-53b1-a28f-50bd6e9077ad" + id = "242dd7a2-f959-5394-aa81-9984a80fe634" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -270935,7 +271421,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystem license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5" hash = "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51" - logic_hash = "v1_sha256_0a729463c077e67113c7aeb1347b6ff2374fa8e4e5524b05c0a5ed2194b605b6" + logic_hash = "0a729463c077e67113c7aeb1347b6ff2374fa8e4e5524b05c0a5ed2194b605b6" score = 40 quality = 80 tags = "FILE" @@ -270958,14 +271444,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2FBB : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "485ac263-38db-5978-8af1-1eb0fc123ac5" + id = "a688139a-c44f-5a93-933d-73369facec6c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4052-L4071" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445" - logic_hash = "v1_sha256_b25969777810ff75d8cc35ae042a58e35f268c09aaa6f7fd6e10b1a1741898b4" + logic_hash = "b25969777810ff75d8cc35ae042a58e35f268c09aaa6f7fd6e10b1a1741898b4" score = 40 quality = 80 tags = "FILE" 
@@ -270988,14 +271474,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "7bead0f3-77e7-5d55-941e-b5ce9a8f1ee2"
+ id = "25dd8cda-6aa3-595c-8502-cc83e04b8235"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4074-L4093"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f"
- logic_hash = "v1_sha256_21a234179b5f2ae97262100f990587238339777bf919f8a9f04e84e64c77fb1d"
+ logic_hash = "21a234179b5f2ae97262100f990587238339777bf919f8a9f04e84e64c77fb1d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271018,14 +271504,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_082C : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys"
 author = "Florian Roth"
- id = "0e96e09c-7e9d-51cd-a0bf-267ab0535585"
+ id = "48446c71-f353-5f4f-a158-20bc7dec694f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4096-L4115"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d"
- logic_hash = "v1_sha256_805a4da51dd1a85c46b830b747ed15f5cfb7539b42fd598987d3cd879d93cc97"
+ logic_hash = "805a4da51dd1a85c46b830b747ed15f5cfb7539b42fd598987d3cd879d93cc97"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271048,7 +271534,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_1493 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
 author = "Florian Roth"
- id = "d0382fa0-4ce5-510f-866a-d177ed2a260d"
+ id = "f1b0bccc-950b-5039-b181-fe4cee4e84b1"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271060,7 +271546,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_1493 : FILE
 hash = "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53"
 hash = "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce"
 hash = "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2"
- logic_hash = "v1_sha256_cc5f7ae21d2025a266f826b65146f88ba439a63ebd868f663b7dd69c4b3be468"
+ logic_hash = "cc5f7ae21d2025a266f826b65146f88ba439a63ebd868f663b7dd69c4b3be468"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271082,7 +271568,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7C0F : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kEvP64.sys"
 author = "Florian Roth"
- id = "9407835f-ea1f-537e-8c7f-0785386ddd06"
+ id = "b4eb0239-e787-50d8-bac9-78178e245bb8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271097,7 +271583,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Powertool_Kevpsys_Powertool_7C0F : FILE
 hash = "7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f"
 hash = "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56"
 hash = "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c"
- logic_hash = "v1_sha256_3eeba224179a144483bbb9222579539f58857449173a55e331a98152ba4df7a8"
+ logic_hash = "3eeba224179a144483bbb9222579539f58857449173a55e331a98152ba4df7a8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271120,14 +271606,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_D1F4 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
 author = "Florian Roth"
- id = "37aa2537-743e-5de6-9e44-bd06d2b6b721"
+ id = "c1e8abd1-14c1-5ddd-87cb-647dfcc652fd"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4174-L4193"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f"
- logic_hash = "v1_sha256_8152947116f7cb31e716db449c855255c30f5034d065e8287cf480157274ba9b"
+ logic_hash = "8152947116f7cb31e716db449c855255c30f5034d065e8287cf480157274ba9b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271150,7 +271636,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_BC45 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "de4a878a-d60a-518c-897c-3fecdbf24963"
+ id = "1abef091-37a1-53ee-9de8-c59a79b3775f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271158,7 +271644,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_BC45 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e"
 hash = "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714"
- logic_hash = "v1_sha256_283d6d71ba7ace25c248949d232d2ce0c86fa87115304b8d6c07e7564e6757a3"
+ logic_hash = "283d6d71ba7ace25c248949d232d2ce0c86fa87115304b8d6c07e7564e6757a3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271181,14 +271667,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_7CB4 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
 author = "Florian Roth"
- id = "ea0b30e1-ff83-51dd-b5f7-25f619ec193f"
+ id = "b578c798-3923-51b7-80c7-b4e123dc8747"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4219-L4238"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7"
- logic_hash = "v1_sha256_bec5e91150c9c0760c91f8a2b4b83867af030ede236c8596c3558e0f8fca1004"
+ logic_hash = "bec5e91150c9c0760c91f8a2b4b83867af030ede236c8596c3558e0f8fca1004"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271211,14 +271697,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Safenetinc_Hostnt_Hostnt_07B6 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HOSTNT.sys"
 author = "Florian Roth"
- id = "d07bf1c2-9378-52a6-8227-7ba5995ee7f1"
+ id = "a1210220-529b-5103-888f-aaa707040eee"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4241-L4260"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357"
- logic_hash = "v1_sha256_b07f335b6941ef2095903cb8841358bff6b09518a96512d69fdf90bf328888e7"
+ logic_hash = "b07f335b6941ef2095903cb8841358bff6b09518a96512d69fdf90bf328888e7"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271241,14 +271727,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontro
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo11X64.sys"
 author = "Florian Roth"
- id = "e997935c-89e4-5e69-a1ee-25fa3b703cae"
+ id = "a8c05c92-a133-5f8f-bc4e-ff7e21f262e0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4263-L4282"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba"
- logic_hash = "v1_sha256_29ba3734f177a3ca166a3c02d066da4b9e4cbd146724f037ac82e3ced1d7951e"
+ logic_hash = "29ba3734f177a3ca166a3c02d066da4b9e4cbd146724f037ac82e3ced1d7951e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271271,14 +271757,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "d9a39720-5ef9-5d5f-9aa9-e693e4b28186"
+ id = "efe27764-9166-5ed5-8d08-1944e9fead43"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4285-L4304"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891"
- logic_hash = "v1_sha256_e56d5221962e4fe353c0e37cc3bbebf68d785d86f49269d7e6d935ef6cff6f38"
+ logic_hash = "e56d5221962e4fe353c0e37cc3bbebf68d785d86f49269d7e6d935ef6cff6f38"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271301,14 +271787,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_7CB5 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
 author = "Florian Roth"
- id = "e7eec5ef-b9b8-5ef7-9f31-c60fec810469"
+ id = "4af76d57-3f28-5d80-b72a-796f65942488"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4307-L4324"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21"
- logic_hash = "v1_sha256_df3e79bf8db29cb712ac4fe3670954a0793d7d839f3368ad52e5f826afd18b7f"
+ logic_hash = "df3e79bf8db29cb712ac4fe3670954a0793d7d839f3368ad52e5f826afd18b7f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271329,14 +271815,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautoc
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv.sys"
 author = "Florian Roth"
- id = "e21c4f11-4abe-5ca5-a5f5-3ebd19679172"
+ id = "78768248-afa1-5e3c-a9cd-c9ab73ea4f74"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4327-L4346"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4"
- logic_hash = "v1_sha256_87c0e6a3d0ff8f88e8f190c6b643adde45dc7d4c2aa73b79ba0f38a13bd86f1c"
+ logic_hash = "87c0e6a3d0ff8f88e8f190c6b643adde45dc7d4c2aa73b79ba0f38a13bd86f1c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271359,7 +271845,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "c292f202-f998-500f-8e48-6c88ca2bfb47"
+ id = "ef15eec0-caf8-58e9-9c63-cfee3275253d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271367,7 +271853,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_97B3 : FI
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd"
 hash = "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10"
- logic_hash = "v1_sha256_800b43309abd2921378c28cace1ccfb2f7d3420c0f7059c9cbd7422095cbba43"
+ logic_hash = "800b43309abd2921378c28cace1ccfb2f7d3420c0f7059c9cbd7422095cbba43"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271390,14 +271876,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_0EAB : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys"
 author = "Florian Roth"
- id = "20b7ab6a-35c0-59a0-9413-254acfba30bf"
+ id = "ca020c04-c1b4-5496-bbac-beb1ea4537aa"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4372-L4391"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502"
- logic_hash = "v1_sha256_a4b1e73c5706e29fc31722f82bdf03c705a03821feb22da48c8c5d0d0f7f2dbb"
+ logic_hash = "a4b1e73c5706e29fc31722f82bdf03c705a03821feb22da48c8c5d0d0f7f2dbb"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271420,14 +271906,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_8EF5 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys"
 author = "Florian Roth"
- id = "ecd4c79d-4076-5570-9d65-af5ec447de1d"
+ id = "ccd6832d-72d2-599d-9eba-7616e59120e2"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4394-L4413"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c"
- logic_hash = "v1_sha256_d0b94553fb03576dea69fd13042db119825009c0a90ba111560102fed8bb3154"
+ logic_hash = "d0b94553fb03576dea69fd13042db119825009c0a90ba111560102fed8bb3154"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271450,14 +271936,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1F15 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "acbc2d70-e9cf-57af-94ff-7689256e4921"
+ id = "f24de207-322f-596a-94c0-ec3ef3f2b907"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4416-L4435"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441"
- logic_hash = "v1_sha256_5eebc2d90e6d17134c100e4f04271f4e1f6546a6c74ef4737e60ec76d4fa8227"
+ logic_hash = "5eebc2d90e6d17134c100e4f04271f4e1f6546a6c74ef4737e60ec76d4fa8227"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271480,14 +271966,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdrive
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
 author = "Florian Roth"
- id = "d6a85ea6-4679-56e2-89de-26994b1fbdd2"
+ id = "2cd9eb8f-25c1-5bd2-a5be-ae295ee7179f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4438-L4457"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec"
- logic_hash = "v1_sha256_3e5eddf984eb85a304bd19a444238850dc2d153f8e59bb215a08f781efc270c6"
+ logic_hash = "3e5eddf984eb85a304bd19a444238850dc2d153f8e59bb215a08f781efc270c6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271510,14 +271996,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_818E : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "73860626-398c-5801-b528-3f465ccc63e9"
+ id = "534b26bd-7298-5e16-ba49-f48b1bc405d7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4460-L4479"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01"
- logic_hash = "v1_sha256_de48cb605c339f13f94451361531ea2661d79311aacbb87878b24866766b6e3f"
+ logic_hash = "de48cb605c339f13f94451361531ea2661d79311aacbb87878b24866766b6e3f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271540,14 +272026,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_6FFD : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "26d16e37-cee5-5c9d-8239-fb7f4b41ce92"
+ id = "b0799b63-2938-586a-8a10-c3d9916b3d01"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4482-L4501"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc"
- logic_hash = "v1_sha256_f8d629b1c9b785204c61c95ac83dc7516db14aa8abd68dc8cb5250d53408f20d"
+ logic_hash = "f8d629b1c9b785204c61c95ac83dc7516db14aa8abd68dc8cb5250d53408f20d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271570,7 +272056,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
 author = "Florian Roth"
- id = "2a8b5c79-e71d-5095-8530-66e289195247"
+ id = "9b4f6fc7-e597-5efd-9a85-6fd63fa9844b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271582,7 +272068,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cpuid_Cpuzsys_Cpuidservice_7710 : FILE
 hash = "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88"
 hash = "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c"
 hash = "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a"
- logic_hash = "v1_sha256_3c281f5381de85adcfba468cfced2fa0b400d90bb2a14494da37bd9b21e60e36"
+ logic_hash = "3c281f5381de85adcfba468cfced2fa0b400d90bb2a14494da37bd9b21e60e36"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271605,7 +272091,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys"
 author = "Florian Roth"
- id = "034f652b-ef53-54d6-81d4-12470fd4ff8f"
+ id = "f811136f-64db-5a3e-b4f3-e4c92c43b888"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271613,7 +272099,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_AD8F : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7"
 hash = "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d"
- logic_hash = "v1_sha256_2cbeb5784c1f074b8d76d8f884e7529b8c137ff6b9df0320db677927766fcc70"
+ logic_hash = "2cbeb5784c1f074b8d76d8f884e7529b8c137ff6b9df0320db677927766fcc70"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271636,7 +272122,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_71C0 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "f4ee3d3b-3964-52cb-9a14-6d04740e505b"
+ id = "f25a60ba-cfb0-5287-97b7-3a17b0aceca9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271648,7 +272134,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_71C0 : FILE
 hash = "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc"
 hash = "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91"
 hash = "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3"
- logic_hash = "v1_sha256_b25f9b0fcc34bd25d77bb0bbdc383f6f03e104c9d275caa61c53366855c10312"
+ logic_hash = "b25f9b0fcc34bd25d77bb0bbdc383f6f03e104c9d275caa61c53366855c10312"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271671,14 +272157,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrserverddkprovider_Speedfansys_Windowsrse
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - speedfan.sys"
 author = "Florian Roth"
- id = "4e13cf1b-eef3-5f6a-8da7-4b4f944bc8b8"
+ id = "c683be43-e577-5248-8a28-b13dbefd7f91"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4581-L4600"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c"
- logic_hash = "v1_sha256_ce5fb5f559f97130403f8f4c22a2f223892ba46b1df9fd6a99624e879a3fcea3"
+ logic_hash = "ce5fb5f559f97130403f8f4c22a2f223892ba46b1df9fd6a99624e879a3fcea3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271701,14 +272187,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Openlibsysorg_Openlibsyssys_Openlibsys_9131 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - OpenLibSys.sys"
 author = "Florian Roth"
- id = "b828481d-b7d1-5108-a523-1690d4db2b7c"
+ id = "94026bd4-e66c-551c-b054-b3b5191a5bb2"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4603-L4622"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c"
- logic_hash = "v1_sha256_e61f4452ecae438072b37ae00ca67401541db0e8f6d5b0f1d697190fdff16d23"
+ logic_hash = "e61f4452ecae438072b37ae00ca67401541db0e8f6d5b0f1d697190fdff16d23"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271731,14 +272217,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E4EC : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
 author = "Florian Roth"
- id = "fa913303-a4c1-5445-95dc-361006948a8b"
+ id = "888a2b05-46c1-54b2-a996-14fb9fae5779"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4625-L4644"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148"
- logic_hash = "v1_sha256_08fa3c764599e1f0cb4e76b38b9d577a2fd70fb3f6f3e8e70eea65f0cf16d93a"
+ logic_hash = "08fa3c764599e1f0cb4e76b38b9d577a2fd70fb3f6f3e8e70eea65f0cf16d93a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271761,14 +272247,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_FB6B :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
 author = "Florian Roth"
- id = "58ce80f9-7cf8-5e7d-9087-119216516e11"
+ id = "106afe18-1312-559d-87f5-319d67d36435"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4647-L4666"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22"
- logic_hash = "v1_sha256_f62cc8ddd443bf196d36d5a3a2724aff4858fcc78abcdbb3cf7362228fde7a7b"
+ logic_hash = "f62cc8ddd443bf196d36d5a3a2724aff4858fcc78abcdbb3cf7362228fde7a7b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271791,7 +272277,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "31116b8c-8c91-52bb-90fe-b4b3194c39a8"
+ id = "e58174ba-c931-549b-bf5d-bdc9aeb362cc"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271799,7 +272285,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85"
 hash = "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"
- logic_hash = "v1_sha256_467c47d2a64332dc3b94a3b55655f0e0c4f10b19e8724718b8f2ccf97ffe6446"
+ logic_hash = "467c47d2a64332dc3b94a3b55655f0e0c4f10b19e8724718b8f2ccf97ffe6446"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271822,7 +272308,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
 author = "Florian Roth"
- id = "a473521a-9d39-5469-b94d-03e59de8ac2c"
+ id = "65c75c41-8edb-526b-b0e8-73eea5cb7502"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271831,7 +272317,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_
 hash = "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471"
 hash = "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2"
 hash = "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff"
- logic_hash = "v1_sha256_04c6c306d589c72ca5315bc2c931ae06d1e229bb355d4fba7b987ffb3e599b58"
+ logic_hash = "04c6c306d589c72ca5315bc2c931ae06d1e229bb355d4fba7b987ffb3e599b58"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271854,14 +272340,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
 author = "Florian Roth"
- id = "89a4e871-13be-5f7b-a86b-be99809415e7"
+ id = "1305b627-146c-5ec6-9e27-abac84f5a2f4"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4716-L4735"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b"
- logic_hash = "v1_sha256_6c2a12c5866686cde0e621bd35b73079d7d37d5b5d4b42bb962435a73682c32b"
+ logic_hash = "6c2a12c5866686cde0e621bd35b73079d7d37d5b5d4b42bb962435a73682c32b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271884,14 +272370,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_2380 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "6ca33dd4-dd3c-5dab-81a8-db60d69c6f0b"
+ id = "24415567-6904-52b1-964d-1a0a4aefe08e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4738-L4757"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4"
- logic_hash = "v1_sha256_7ac9c6ae541d6689a986d884e96f2f024a18736a59b02a1103e44538d725bb52"
+ logic_hash = "7ac9c6ae541d6689a986d884e96f2f024a18736a59b02a1103e44538d725bb52"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271914,7 +272400,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "c4c432ca-c5b8-5784-bdd1-4fc5e3683b8b"
+ id = "6ffeb0f5-e438-5187-8cbb-53f3fec6ab06"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271922,7 +272408,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8"
 hash = "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5"
- logic_hash = "v1_sha256_1e5669c7c79c027bdef5dbd135b35ea4e9af8c164b6b8f027490e2fa49ebf904"
+ logic_hash = "1e5669c7c79c027bdef5dbd135b35ea4e9af8c164b6b8f027490e2fa49ebf904"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271945,7 +272431,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_A97B : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "beca5fe1-ba2b-53b6-8368-595a283199b1"
+ id = "2644da4b-8a15-5b41-b92c-6e4cd2e2d696"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271953,7 +272439,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_A97B : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67"
 hash = "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d"
- logic_hash = "v1_sha256_1b7961c9c0e0812fa68f330f45ba1834a246f3571e9086280b03c155865746e9"
+ logic_hash = "1b7961c9c0e0812fa68f330f45ba1834a246f3571e9086280b03c155865746e9"
 score = 40
 quality = 80
 tags = "FILE"
@@ -271976,7 +272462,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "16dc5951-27e1-53aa-9d8c-d3a8d7e9c66c"
+ id = "208dd67e-2d2d-5104-a497-1311cea9e223"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -271984,7 +272470,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolibx_1E8B : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee"
 hash = "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3"
- logic_hash = "v1_sha256_673d993f0ad7800551cfc11d73a38aa37b306902f2d28db4d5ec5f33bc51f21f"
+ logic_hash = "673d993f0ad7800551cfc11d73a38aa37b306902f2d28db4d5ec5f33bc51f21f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272007,7 +272493,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FPCIE2COM.sys"
 author = "Florian Roth"
- id = "17face9d-31ad-5a95-b91a-8738393ad2d8"
+ id = "d741c03b-0ad5-5cf7-8fcd-3267c3f40d64"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272015,7 +272501,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Featureintegrationtechnologyinc_Fintekpciecom_81
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d"
 hash = "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1"
- logic_hash = "v1_sha256_24ae9365e55b29c55f83f944154f8fd4643c733f33cfb6542e9159b52acdb9c3"
+ logic_hash = "24ae9365e55b29c55f83f944154f8fd4643c733f33cfb6542e9159b52acdb9c3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272037,7 +272523,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "f68eb21f-3151-591c-b132-72f4ebba3948"
+ id = "c5104fcb-7d6a-54dc-a79e-366f16ecd8a0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272046,7 +272532,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 hash = "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e"
 hash = "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc"
 hash = "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7"
- logic_hash = "v1_sha256_bc754dc4c4a916691f3d32e8cfad99f1a426d9d6d59d9d6f3c93cabfd581d8a9"
+ logic_hash = "bc754dc4c4a916691f3d32e8cfad99f1a426d9d6d59d9d6f3c93cabfd581d8a9"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272069,14 +272555,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "d46cd6c6-d02b-5680-9978-d435d775feeb"
+ id = "7c796850-8413-53b0-bbbd-4991c1af6626"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4875-L4894"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf"
- logic_hash = "v1_sha256_3827cad3f54342cba5e6cfc98b2e30522feb79ea8917d882b95dcc66863e389d"
+ logic_hash = "3827cad3f54342cba5e6cfc98b2e30522feb79ea8917d882b95dcc66863e389d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272099,14 +272585,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_45F4 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
 author = "Florian Roth"
- id = "8814d080-85af-548f-aedc-8272a30e3375"
+ id = "56dc2fa5-c19c-5a77-9590-e7a957ccb27f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4897-L4913"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef"
- logic_hash = "v1_sha256_539d1795ae819c2705e77cb41ec4248c7239ffa8cd805addbb9e5da5e98a83e2"
+ logic_hash = "539d1795ae819c2705e77cb41ec4248c7239ffa8cd805addbb9e5da5e98a83e2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272126,7 +272612,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
 author = "Florian Roth"
- id = "37b5a867-bf94-5456-ad8e-241ae44d51d4"
+ id = "e52c22aa-347f-5618-93b8-b4dab3f04b35"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272140,7 +272626,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4D05 : FI
 hash = "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5"
 hash = "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572"
 hash = "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1"
- logic_hash = "v1_sha256_4e043c30e6b74d21ef14aec63454c6a48c0ac3e770b39114dc6ba988023ebabf"
+ logic_hash = "4e043c30e6b74d21ef14aec63454c6a48c0ac3e770b39114dc6ba988023ebabf"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272163,14 +272649,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_86A1 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "d1b7d350-4da2-5c3c-821f-ea8acf1a0c48"
+ id = "57b41ebc-6c75-5ba3-b2fc-0bb50e92207b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4945-L4964"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882"
- logic_hash = "v1_sha256_ed28688de49b089def60861ffe53f4e3a7f714b255035fdb19122375c83ebac2"
+ logic_hash = "ed28688de49b089def60861ffe53f4e3a7f714b255035fdb19122375c83ebac2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272193,14 +272679,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_61BE : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "cbf52192-15d0-52b1-8060-5f0ed78ae045"
+ id = "8242879f-ce39-5f05-b43e-ec2c6b185e82"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L4967-L4986"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf"
- logic_hash = "v1_sha256_70969db52d4e88e1662902634e0cb21c44ab694928e15e4bdaa9a1b2604146dd"
+ logic_hash = "70969db52d4e88e1662902634e0cb21c44ab694928e15e4bdaa9a1b2604146dd"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272223,7 +272709,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
 author = "Florian Roth"
- id = "8e948117-01b5-529f-91d3-bb43645964bc"
+ id = "e7728971-efb9-5c8b-8600-8f2b393d966e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272233,7 +272719,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrserverddkprovider_Gdrvsys_Windowsrserver
 hash = "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427"
 hash = "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38"
 hash = "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229"
- logic_hash = "v1_sha256_9e28e5d1a7003e9911b2c5a7597d1c45c304bdb18cb9177d459f2b35c0da9658"
+ logic_hash = "9e28e5d1a7003e9911b2c5a7597d1c45c304bdb18cb9177d459f2b35c0da9658"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272256,14 +272742,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Filseclabcorporation_Fildds_Filseclabdynamicdefe
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - fildds.sys"
 author = "Florian Roth"
- id = "bb3ee17e-1c7c-57da-8ce3-c04bb599d5f4"
+ id = "6a9cf1b0-8d2c-522b-8fca-7f81f2aead8d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5014-L5033"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22"
- logic_hash = "v1_sha256_5eb7f097384c0e4b418611a37d6a03dc7a6ff21814716489bf35e0bd43f390cf"
+ logic_hash = "5eb7f097384c0e4b418611a37d6a03dc7a6ff21814716489bf35e0bd43f390cf"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272286,14 +272772,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_BE8D :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "734ed672-7491-5e1f-9e35-7b38105f650f"
+ id = "e655289a-61d1-5908-b495-ce2c00caae3c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5036-L5055"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2"
- logic_hash = "v1_sha256_98be6af9aa551ba153413f75d4038b2840181418e0b8eba2cfcac2aa29a4460e"
+ logic_hash = "98be6af9aa551ba153413f75d4038b2840181418e0b8eba2cfcac2aa29a4460e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272316,14 +272802,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_3E85 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "13b89fd1-58ba-5c4e-a0a6-b1520aef4dc6"
+ id = "fde3f78e-f20e-5172-bede-b089c0851680"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5058-L5077"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb"
- logic_hash = "v1_sha256_23d11200a9d5ad71d8578e3ec3ac40ad6f7d9971177aa59a1ea6bac3de4f0b04"
+ logic_hash = "23d11200a9d5ad71d8578e3ec3ac40ad6f7d9971177aa59a1ea6bac3de4f0b04"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272346,14 +272832,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_3070 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "e9d263d4-9060-52e9-9725-0e7b7eb4f653"
+ id = "38ae805f-4be8-526f-b3b3-d644b05c2b25"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5080-L5099"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab"
- logic_hash = "v1_sha256_05e9f35f83489d262ffece0c406eebf1b81514ea60278415fbc53adc0bc365fb"
+ logic_hash = "05e9f35f83489d262ffece0c406eebf1b81514ea60278415fbc53adc0bc365fb"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272376,14 +272862,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_CC58 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "94fd2e86-9027-543e-8007-310521f003f3"
+ id = "cfb96174-106f-5ad0-875b-1be75f70ce51"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5102-L5121"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b"
- logic_hash = "v1_sha256_8eb46633cce7959cfefbc65ede889c748a077cddc59fb79d87b54ddcd42ca524"
+ logic_hash = "8eb46633cce7959cfefbc65ede889c748a077cddc59fb79d87b54ddcd42ca524"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272406,7 +272892,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Win
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys"
 author = "Florian Roth"
- id = "fb9b4c84-fed4-58ab-aae9-c5cafdbf4316"
+ id = "346488b2-5390-528e-8d54-5ed3dbc6e322"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272415,7 +272901,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Rtkiosys_Win
 hash = "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677"
 hash = "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab"
 hash = "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82"
- logic_hash = "v1_sha256_e4834bc67ef64766852404f06631941fa3475b55718e4f79c53f121a9809dc5e"
+ logic_hash = "e4834bc67ef64766852404f06631941fa3475b55718e4f79c53f121a9809dc5e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272438,14 +272924,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nmscommunications_Cgkwinksys_Ctaccess_223F : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cg6kwin2k.sys"
 author = "Florian Roth"
- id = "2f28951f-ecc6-5816-b7df-02612f4cbf62"
+ id = "0de735b8-bbaf-551c-91f0-245740c1c78b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5148-L5167"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1"
- logic_hash = "v1_sha256_2ec82ad1a839ff65d3e8288ed161650bd678f8a201bb513bd869d1e9bcfb2a65"
+ logic_hash = "2ec82ad1a839ff65d3e8288ed161650bd678f8a201bb513bd869d1e9bcfb2a65"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272468,14 +272954,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E4D9 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "4af3ccae-1109-5861-9f9f-24d935bd347c"
+ id = "b0ef62c7-b223-5d70-883d-1a6a3d28dc0d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5170-L5189"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036"
- logic_hash = "v1_sha256_e17c01d291e60fff225ee60e296450ab2d4a293084dc4c07de7347f55566d7ee"
+ logic_hash = "e17c01d291e60fff225ee60e296450ab2d4a293084dc4c07de7347f55566d7ee"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272498,14 +272984,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Insydesoftwarecorp_Segwindrvxsys_Segwindowsdrive
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - segwindrvx64.sys"
 author = "Florian Roth"
- id = "7e97187a-241d-5219-9852-ad8440e8ccfd"
+ id = "33a0b3ee-4ea1-54ba-95ef-cebfcaa7945d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5192-L5211"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c"
- logic_hash = "v1_sha256_dac574b12f72b99fe66500edb6447802f95ad8d6c787ddbea69b36a1c0dfdab7"
+ logic_hash = "dac574b12f72b99fe66500edb6447802f95ad8d6c787ddbea69b36a1c0dfdab7"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272528,14 +273014,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Cupfixerxsys_Windowsrwind
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CupFixerx64.sys"
 author = "Florian Roth"
- id = "23266563-15b0-5d34-90b5-171408a59f53"
+ id = "32559d4c-eef4-5b67-a74c-f89589bc446b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5214-L5233"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9"
- logic_hash = "v1_sha256_d0eb0738da64ce1a94278a422e829f01d1514ac4536fc2187aa5f4112b70f6e0"
+ logic_hash = "d0eb0738da64ce1a94278a422e829f01d1514ac4536fc2187aa5f4112b70f6e0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272558,7 +273044,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdel
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys"
 author = "Florian Roth"
- id = "47451309-01f2-5eee-8a1d-0e996f12cb1e"
+ id = "2eb54e4c-3e7b-5b75-895e-5985c8536282"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272566,7 +273052,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdel
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0"
 hash = "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2"
- logic_hash = "v1_sha256_6497a69a7fd7502a78ec6d373a2b0bdc1da73bca4590a256f7094463e0f0b363"
+ logic_hash = "6497a69a7fd7502a78ec6d373a2b0bdc1da73bca4590a256f7094463e0f0b363"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272589,14 +273075,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Eiosys_Asusvgakernelmodedrive
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - EIO.sys"
 author = "Florian Roth"
- id = "7f72423f-e0f1-55c3-a862-45246df1afe7"
+ id = "1c0669aa-b156-580f-9bb0-d69502af6a7f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5259-L5278"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0"
- logic_hash = "v1_sha256_bfcaa037bc06303a0de6a0372cd9dd49bd9801610989df46ca19fd844b22560e"
+ logic_hash = "bfcaa037bc06303a0de6a0372cd9dd49bd9801610989df46ca19fd844b22560e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272619,14 +273105,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "ee74cb1d-2426-588a-8724-4565289eb577"
+ id = "5edd8373-0756-59cf-8079-8cfd5b1fd454"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5281-L5300"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d"
- logic_hash = "v1_sha256_bed34d3bcb856628a688bb189f5bc1a0adf2384698ac28196fc5313e57387a1e"
+ logic_hash = "bed34d3bcb856628a688bb189f5bc1a0adf2384698ac28196fc5313e57387a1e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272649,14 +273135,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_2AFD : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "7a9a0dbf-d402-582e-9fb4-d605800b8c1c"
+ id = "4dc89f62-c0e0-5abf-9774-3ca21f8a1d8e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5303-L5322"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30"
- logic_hash = "v1_sha256_a687639311529ca919f90d478ddbb39e441ce24a58be056af7a7108db3f11f25"
+ logic_hash = "a687639311529ca919f90d478ddbb39e441ce24a58be056af7a7108db3f11f25"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272679,14 +273165,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_00D9 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "40a53cd9-2f7e-5d15-8994-0149463846da"
+ id = "608b2435-4923-5979-9fbd-1a4cff95a450"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5325-L5344"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03"
- logic_hash = "v1_sha256_dd1b181f975ada1e7d1def32be88e41df2f994c698e794dc0fade119b0eabf2d"
+ logic_hash = "dd1b181f975ada1e7d1def32be88e41df2f994c698e794dc0fade119b0eabf2d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272709,14 +273195,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
 author = "Florian Roth"
- id = "adab94be-f7b6-5dbe-9141-f07c2f2a3ef6"
+ id = "52742e0b-0e2f-5a83-9993-b3cde1a5cb5e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5347-L5366"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633"
- logic_hash = "v1_sha256_f9010e0f70eb1c94a1e41e5999623f5eeb6aff155c36cb7b17c196eb363a62c4"
+ logic_hash = "f9010e0f70eb1c94a1e41e5999623f5eeb6aff155c36cb7b17c196eb363a62c4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272739,14 +273225,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Iomapsys_Asuskernelmodedriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - IOMap64.sys"
 author = "Florian Roth"
- id = "158eb557-e8c0-5a66-9860-14a1f033bb72"
+ id = "8b2fbab4-4b54-57dc-9591-1d993e844dc0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5369-L5388"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41"
- logic_hash = "v1_sha256_f9ffedd3761c0cf68d5f862ceb8e22a61a5da73e757cf92317085b714656e139"
+ logic_hash = "f9ffedd3761c0cf68d5f862ceb8e22a61a5da73e757cf92317085b714656e139"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272769,14 +273255,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_E05E : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys"
 author = "Florian Roth"
- id = "2d9200bd-503c-5ed8-9c0a-7a5410931a88"
+ id = "71c7a688-d20a-57c3-b4c5-b8344e936900"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5391-L5410"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53"
- logic_hash = "v1_sha256_94ee30a5cbd1ff47cddf35ec2205d9008857e87c457dce025501132231a146e4"
+ logic_hash = "94ee30a5cbd1ff47cddf35ec2205d9008857e87c457dce025501132231a146e4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272799,14 +273285,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "fac915cd-2f42-59ae-91ce-e3feda85495f"
+ id = "15332784-229c-5b5e-b06c-2ea6cff64113"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5413-L5432"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9"
- logic_hash = "v1_sha256_0a35b3e88bb078e61c2769267fdba624d171492b0e4d1c57ecf7ea770fa2f44d"
+ logic_hash = "0a35b3e88bb078e61c2769267fdba624d171492b0e4d1c57ecf7ea770fa2f44d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272829,7 +273315,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hw.sys"
 author = "Florian Roth"
- id = "5c9e60bd-5c72-580c-84c6-24d756b70623"
+ id = "2a470258-2ec1-5d80-8ce8-d8f83a27c365"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272837,7 +273323,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_5596 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa"
 hash = "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8"
- logic_hash = "v1_sha256_fcfc255a20b512b38057022c05a694e757b08950d6d35b3c361b0559da51a689"
+ logic_hash = "fcfc255a20b512b38057022c05a694e757b08950d6d35b3c361b0559da51a689"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272860,14 +273346,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystem
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys"
 author = "Florian Roth"
- id = "22ff4a67-35f3-53b8-a279-c87d7ecd9327"
+ id = "b8357662-5966-55fc-801f-a82f137edcd4"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5458-L5477"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822"
- logic_hash = "v1_sha256_6e220e39e765c6af5d2e80cce4a4a07b587ccd559e0cb455d56046cf4c2ff447"
+ logic_hash = "6e220e39e765c6af5d2e80cce4a4a07b587ccd559e0cb455d56046cf4c2ff447"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272890,14 +273376,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Genitlkiwibenjaminxxxxx_Titidrv_Titidrvtiticatz_
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - titidrv.sys"
 author = "Florian Roth"
- id = "dbcd1f16-2548-5dc4-a407-0722544313e1"
+ id = "06cdecba-e002-5354-ac4a-09bd8178ae37"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5480-L5499"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85"
- logic_hash = "v1_sha256_c1a57d6f66fd8818dd72813a3bac78eab44b2b546f65a78864739cb55a258d39"
+ logic_hash = "c1a57d6f66fd8818dd72813a3bac78eab44b2b546f65a78864739cb55a258d39"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272920,14 +273406,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevicesinc_Pdfwkrnlsys_Usbcpowerdel
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PDFWKRNL.sys"
 author = "Florian Roth"
- id = "08ba4156-82b8-51b4-b176-bc1384a6da85"
+ id = "c43c80e9-64c4-553a-8c2e-1b32cee12673"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5502-L5521"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00"
- logic_hash = "v1_sha256_b560682fe9ed95a19df7dcc6ea823545d2303a51aaa06dc14e48c73f2e6fe8b7"
+ logic_hash = "b560682fe9ed95a19df7dcc6ea823545d2303a51aaa06dc14e48c73f2e6fe8b7"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272950,14 +273436,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_B9AD : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "f2c690a7-e2a1-548b-a1e7-2d5fbf806372"
+ id = "b5b42779-0d81-5133-864f-f36337593c81"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5524-L5543"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890"
- logic_hash = "v1_sha256_c8efd23f9fb60831cede71737c5d1e62d94f3b44a2b3da7f29db06ca4599821d"
+ logic_hash = "c8efd23f9fb60831cede71737c5d1e62d94f3b44a2b3da7f29db06ca4599821d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -272980,7 +273466,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_348D : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "ea262b71-2536-5d5a-b892-99d5bf0e74a2"
+ id = "4856e997-d5de-5bae-a35b-88ab55b77ae7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -272988,7 +273474,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_348D : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1"
 hash = "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778"
- logic_hash = "v1_sha256_435219f0b49a009eb42ffa096c4acefc48f85d03a8656d5142df20deee19cf08"
+ logic_hash = "435219f0b49a009eb42ffa096c4acefc48f85d03a8656d5142df20deee19cf08"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273011,14 +273497,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Mydriverscom_Hwm_Drivergenius_08EB : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mydrivers.sys"
 author = "Florian Roth"
- id = "de8cf1ae-4210-5fa1-8017-d755db46dcb6"
+ id = "a944a7a1-f938-548e-8788-a4733d777850"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5569-L5588"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6"
- logic_hash = "v1_sha256_2371de5547217734226420bbbee12dee897206bd2419387d2c2fc2ae07df7fec"
+ logic_hash = "2371de5547217734226420bbbee12dee897206bd2419387d2c2fc2ae07df7fec"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273041,14 +273527,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_3E27 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys"
 author = "Florian Roth"
- id = "78fc2846-7dab-5308-8390-11d93ca7dd2f"
+ id = "5e116c70-6da1-5397-9b73-32955086c886"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5591-L5610"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75"
- logic_hash = "v1_sha256_18affdea7f982e47ca4852d9a4a28797a1ca3175c404c8e5c316ee3a610cf858"
+ logic_hash = "18affdea7f982e47ca4852d9a4a28797a1ca3175c404c8e5c316ee3a610cf858"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273071,14 +273557,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Evgatechnologyinc_Windowsvistasmartiodevice_Wind
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SMARTEIO64.SYS"
 author = "Florian Roth"
- id = "f3cbe812-aa34-5fa8-8f3e-4188b284ba0b"
+ id = "a5b9f906-4250-52f7-84ba-ad8f6a5ebabc"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5613-L5632"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50"
- logic_hash = "v1_sha256_e0bf6bd64e91baa27e1181223cba6f4975b5b5a9fd9918d4c65180ed584b319b"
+ logic_hash = "e0bf6bd64e91baa27e1181223cba6f4975b5b5a9fd9918d4c65180ed584b319b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273101,14 +273587,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_033C : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "ece585cb-779a-5d47-81c5-780b52c58ded"
+ id = "13af3aa3-b338-57ac-b803-f811b695717e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5635-L5654"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7"
- logic_hash = "v1_sha256_fea547a999db61dd4c87d648d8e0e1a50f9c677439d514cfdd0a75a5a6da4c8f"
+ logic_hash = "fea547a999db61dd4c87d648d8e0e1a50f9c677439d514cfdd0a75a5a6da4c8f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273131,14 +273617,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbsys_Virtualboxusbdrive
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSB.Sys"
 author = "Florian Roth"
- id = "1deb4725-57ba-5430-8b8b-0c0774014710"
+ id = "66da7fa1-1387-5a73-858f-05a877f810a9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5657-L5676"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291"
- logic_hash = "v1_sha256_49554df6ecdbfafbb3cf8f78cdece896830dd842cf1cae1129f11eb69a3588c4"
+ logic_hash = "49554df6ecdbfafbb3cf8f78cdece896830dd842cf1cae1129f11eb69a3588c4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273161,14 +273647,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_3B6E : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "c3e4fb00-2b3b-512e-8e40-75ed5eec785c"
+ id = "d2e411b6-da38-5ff0-a24a-78064a5fafcf"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5679-L5698"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b"
- logic_hash = "v1_sha256_f3736282399849376632ee9392bf679779cecbb76fa7bd8ccaff0b787a3370f5"
+ logic_hash = "f3736282399849376632ee9392bf679779cecbb76fa7bd8ccaff0b787a3370f5"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273191,7 +273677,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "36fdf67b-91f0-5268-acc6-150f08729c46"
+ id = "ab7574a5-acba-5e3d-9259-e5833d43d195"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -273199,7 +273685,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7C73 : FI
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b"
 hash = "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c"
- logic_hash = "v1_sha256_9e024ac35be2fe02ecaae96f3cfbbae60b4032986f22710809699049456e979c"
+ logic_hash = "9e024ac35be2fe02ecaae96f3cfbbae60b4032986f22710809699049456e979c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273222,14 +273708,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Wistroncorporation_Wirwadrvsys_Wistronrwadriver_
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiRwaDrv.sys"
 author = "Florian Roth"
- id = "e76e017b-f5b3-5cf8-91b5-d92a09b551be"
+ id = "67b74d38-f26d-56b9-8a92-c923ad1f797e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5724-L5743"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e"
- logic_hash = "v1_sha256_e991957205079fb282f9fb248637d4723c940a7e9ab708e68082e99adbed647c"
+ logic_hash = "e991957205079fb282f9fb248637d4723c940a7e9ab708e68082e99adbed647c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273252,14 +273738,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_1A42 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "39a64555-7e08-5626-821d-327917888181"
+ id = "d776ad80-318f-5e3c-b006-daa70a14aff4"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5746-L5765"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0"
- logic_hash = "v1_sha256_bfd4ff6c58d83e8d09d43d75e655993319283d0a41407d20417011d663791fd3"
+ logic_hash = "bfd4ff6c58d83e8d09d43d75e655993319283d0a41407d20417011d663791fd3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273282,7 +273768,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_F14D : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "5503d7d8-0c71-5169-af5e-261110a2f214"
+ id = "ffc28a07-9de8-5b22-88eb-1fd7e71db360"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -273290,7 +273776,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_F14D : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d"
 hash = "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413"
- logic_hash = "v1_sha256_6d1a98e8b5ab416446cf15cf15a2bad93dfbe9b984b40f5fae523e17e6eb5caa"
+ logic_hash = "6d1a98e8b5ab416446cf15cf15a2bad93dfbe9b984b40f5fae523e17e6eb5caa"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273313,14 +273799,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_EC5F : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "633feb59-f8da-50d1-8c20-ef4d539fe5b1"
+ id = "1d73baba-017c-527d-9eb8-0eb9865656b6"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5791-L5810"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5"
- logic_hash = "v1_sha256_74fad50be13de00367a5cecb25f7e3feb53f5e8553fac8cd32edc500a91aad88"
+ logic_hash = "74fad50be13de00367a5cecb25f7e3feb53f5e8553fac8cd32edc500a91aad88"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273343,14 +273829,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecurit
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "7834e9a9-5745-5e42-af49-7ae06b72778e"
+ id = "11164331-fdba-5e7d-a2ea-4621b438060a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5813-L5832"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf"
- logic_hash = "v1_sha256_a2f304406595b6cad63dbc83f32f1a35477d022fe5cad1c11ac9746d3775199d"
+ logic_hash = "a2f304406595b6cad63dbc83f32f1a35477d022fe5cad1c11ac9746d3775199d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273373,14 +273859,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_D0BD : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "0c08ad20-f651-5798-9a9a-3de48270b01c"
+ id = "81712338-7518-565a-8004-4708808d93ee"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5835-L5854"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889"
- logic_hash = "v1_sha256_c285e87a94025916ed6d3fac65761d1ca4bef13102a0a37b256525bf651bd16c"
+ logic_hash = "c285e87a94025916ed6d3fac65761d1ca4bef13102a0a37b256525bf651bd16c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273403,14 +273889,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Atlaccesssys_Windowsrwind
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atlAccess.sys"
 author = "Florian Roth"
- id = "0e77db79-f35a-5b4b-a3be-fc75b362e343"
+ id = "1c6be4ef-90f7-5b77-8490-0362233c02d9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5857-L5876"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57"
- logic_hash = "v1_sha256_93d5121da2037ffcc961550b6859bff4257f56b783d7c49e442dc97a3f9257ae"
+ logic_hash = "93d5121da2037ffcc961550b6859bff4257f56b783d7c49e442dc97a3f9257ae"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273433,14 +273919,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "d2b1ea82-b759-58d4-a80a-7060ecc896a1"
+ id = "f6ca1049-6a11-5bdb-a9b7-79200c57e339"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5879-L5898"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77"
- logic_hash = "v1_sha256_4e4a093fcdd97298aa6ead7c4412263837a7403f87b4d8f72e6ea27bc6f4d15f"
+ logic_hash = "4e4a093fcdd97298aa6ead7c4412263837a7403f87b4d8f72e6ea27bc6f4d15f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273463,14 +273949,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_3C18 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
 author = "Florian Roth"
- id = "9563528e-4251-5d67-8558-37fb5a27a916"
+ id = "94b7a58c-0092-5d81-985f-330599efe25a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5901-L5917"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b"
- logic_hash = "v1_sha256_4f958ccb21b5cbd28c25a9c2e1a08fcf00e24bfa9e7814b9e68b87814dd04f4c"
+ logic_hash = "4f958ccb21b5cbd28c25a9c2e1a08fcf00e24bfa9e7814b9e68b87814dd04f4c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273490,14 +273976,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2B4C : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
 author = "Florian Roth"
- id = "185eb8b8-904b-5ef9-8a18-dc9ad9de5d3f"
+ id = "a337e8f1-1473-51a4-9098-69719f0c48e4"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5920-L5939"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a"
- logic_hash = "v1_sha256_3db68ef927d373e7774d52bbf1dccfa2960b4bb1b42a32a181ad9e1f00458f23"
+ logic_hash = "3db68ef927d373e7774d52bbf1dccfa2960b4bb1b42a32a181ad9e1f00458f23"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273520,14 +274006,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Innotekgmbh_Iprt_Virtualboxguestadditions_BBF5 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxMouseNT.sys"
 author = "Florian Roth"
- id = "bbfd3183-0ed7-5f74-b2c5-4b7c77c33839"
+ id = "a1a4e7d1-5a54-5265-8911-117e50071c7e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5942-L5961"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec"
- logic_hash = "v1_sha256_7f5480d84195854bdc5c7554495e0ecd9b69b9c527152def1e85fd61084fd22d"
+ logic_hash = "7f5480d84195854bdc5c7554495e0ecd9b69b9c527152def1e85fd61084fd22d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273550,7 +274036,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_9399 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys"
 author = "Florian Roth"
- id = "413fb6f4-eab0-567e-b654-553ec60a871a"
+ id = "30c2cc30-6613-5158-8cd1-b80eac8d6fbc"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -273558,7 +274044,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_9399 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727"
 hash = "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e"
- logic_hash = "v1_sha256_92139b7123c13dc80c1671b92ad6d1c6d6f4d02e1a3bc07e95cac27c7d43df66"
+ logic_hash = "92139b7123c13dc80c1671b92ad6d1c6d6f4d02e1a3bc07e95cac27c7d43df66"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273581,14 +274067,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_3D23 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
 author = "Florian Roth"
- id = "78b62971-23d4-52c2-9bba-4ee05d4bd73a"
+ id = "b29e4411-a408-5bd5-a763-73c18b85e2b2"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L5987-L6006"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4"
- logic_hash = "v1_sha256_4f494f3f2367bbc5751a09b79775ea61f62986b82375c8c98bf6a77203174be1"
+ logic_hash = "4f494f3f2367bbc5751a09b79775ea61f62986b82375c8c98bf6a77203174be1"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273611,14 +274097,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_496F : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys"
 author = "Florian Roth"
- id = "a562eec6-edb0-509d-b4b7-6f30002ffe02"
+ id = "7754e086-1936-5e47-9576-ee940453c5e7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6009-L6028"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b"
- logic_hash = "v1_sha256_405e7a16f8290d1d5462227ccf7d42e137bc98f084c9d5763b000d101e615c6a"
+ logic_hash = "405e7a16f8290d1d5462227ccf7d42e137bc98f084c9d5763b000d101e615c6a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273641,7 +274127,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "182b10a1-8974-54bc-abdf-ba02239e91b0"
+ id = "d29981ff-6c7b-55fb-a77e-c16755e988ab"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -273649,7 +274135,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e"
 hash = "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5"
- logic_hash = "v1_sha256_191ef735b2fa7cf3c1e0ae1a28e7996580ed2094d214f2ce7b42d856b119eb5e"
+ logic_hash = "191ef735b2fa7cf3c1e0ae1a28e7996580ed2094d214f2ce7b42d856b119eb5e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273672,14 +274158,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Multitheftauto_Mtasanandreas_9F4C : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - FairplayKD.sys"
 author = "Florian Roth"
- id = "62d025ba-8790-5698-a01c-469ba2d4c281"
+ id = "a7059f0e-ae46-506f-a3c0-8ecb6911cd1d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6054-L6071"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5"
- logic_hash = "v1_sha256_b8c423a00732d4e0fb4c45c64a6794a466e604feb9d455bc110cf5169f95ab55"
+ logic_hash = "b8c423a00732d4e0fb4c45c64a6794a466e604feb9d455bc110cf5169f95ab55"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273700,14 +274186,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_2732 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "cf1be476-7dde-534b-bc9b-c48e2d6630f3"
+ id = "ec2c7c9f-d4cd-5497-9de5-4948767ba125"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6074-L6093"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c"
- logic_hash = "v1_sha256_17723afb429fe90b2e49d61676c6564ce94547b55be45ea6a66cf8d2edcdc49b"
+ logic_hash = "17723afb429fe90b2e49d61676c6564ce94547b55be45ea6a66cf8d2edcdc49b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273730,7 +274216,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_A153 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
 author = "Florian Roth"
- id = "31db76f1-fd85-5882-abc2-f5900e4cd016"
+ id = "fde5a9a5-38d3-5ce4-b18d-11fd6a48687d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -273739,7 +274225,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_A153 : FILE
 hash = "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00"
 hash = "e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717"
 hash = "4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4"
- logic_hash = "v1_sha256_6f5ca89515d8e224288c81dc941a5e4589fd111b4f2b8e519d272bf5efac76dc"
+ logic_hash = "6f5ca89515d8e224288c81dc941a5e4589fd111b4f2b8e519d272bf5efac76dc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273761,7 +274247,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "1b3dfd70-6c1c-5f84-9b31-b119bbe391fb"
+ id = "9b7d79c3-549b-549f-ab67-b091798154f5"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -273769,7 +274255,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_3F36 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f"
 hash = "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60"
- logic_hash = "v1_sha256_c82730df0e7b53c67478f3fa01728841eb3794354c3233b87fe342e652fadb2e"
+ logic_hash = "c82730df0e7b53c67478f3fa01728841eb3794354c3233b87fe342e652fadb2e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273792,14 +274278,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_7702 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS"
 author = "Florian Roth"
- id = "cad8ca69-3764-50dd-8ea7-3f91d58f6598"
+ id = "2388fb25-1e77-5225-864e-ef38c9b52007"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6142-L6161"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398"
- logic_hash = "v1_sha256_c2f1170c6fc0353b99f0c0487937d05cba9a79c3b70eafa1895999074c6c4972"
+ logic_hash = "c2f1170c6fc0353b99f0c0487937d05cba9a79c3b70eafa1895999074c6c4972"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273822,14 +274308,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_EF6D : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
 author = "Florian Roth"
- id = "760435e1-f6e7-5f54-b706-1b7da0330b31"
+ id = "28e934c7-1705-5dd7-967f-ac259af3809e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6164-L6183"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850"
- logic_hash = "v1_sha256_aff0eae9976189fe89534f7c3f1a35f093627f71d2c65aa446da85185f972bea"
+ logic_hash = "aff0eae9976189fe89534f7c3f1a35f093627f71d2c65aa446da85185f972bea"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273852,14 +274338,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Microfocus_Microfocusxtier_95D5 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
- id = "a090115c-968e-56dd-9ec7-d4af5fb6ac45"
+ id = "394be6fa-5c49-5af2-ac20-d0da0ffe7624"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6186-L6204"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3"
- logic_hash = "v1_sha256_070ce1aff2ca552a049602c694e77bd89caa4f6712d86671e21745d9d88f3bc3"
+ logic_hash = "070ce1aff2ca552a049602c694e77bd89caa4f6712d86671e21745d9d88f3bc3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273881,14 +274367,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Z_Computerzsys_Zwuqisystemdriver_61E7 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "d3cc6f64-27d7-592d-9479-7210c5f7400a"
+ id = "c691fecf-9556-5b70-9a84-b645b053cfc0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6207-L6226"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629"
- logic_hash = "v1_sha256_891a11f7f82c6aaa05801bdf0fd82d9786ec1e35c6d699119a801d5cc8e1fe24"
+ logic_hash = "891a11f7f82c6aaa05801bdf0fd82d9786ec1e35c6d699119a801d5cc8e1fe24"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273911,14 +274397,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_8DCE : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS"
 author = "Florian Roth"
- id = "19100907-b47b-5cba-9bb4-8199f78fa153"
+ id = "176b70cc-3b8c-57f2-82be-42d9a9b9069f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6229-L6248"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37"
- logic_hash = "v1_sha256_4900c684a248338e686b0da0288fe2937cf5d0f5e453419b6f8091c2fc7fc061"
+ logic_hash = "4900c684a248338e686b0da0288fe2937cf5d0f5e453419b6f8091c2fc7fc061"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273941,14 +274427,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_E3EF : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "e64a729c-4b68-5766-8522-a347569508f4"
+ id = "3778fe25-a5d5-5cb0-8f03-9ceed5d71aa9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6251-L6270"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918"
- logic_hash = "v1_sha256_50c225f42f3b7ac785d01cc9ad5542ac2e12d26e707d0ed5b8c5415d981479bc"
+ logic_hash = "50c225f42f3b7ac785d01cc9ad5542ac2e12d26e707d0ed5b8c5415d981479bc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -273971,14 +274457,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_7F37 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys"
 author = "Florian Roth"
- id = "39167c72-796e-568e-8db4-9f08b77d19c2"
+ id = "f523949b-aff9-532a-9f13-983f4a47635d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6273-L6292"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa"
- logic_hash = "v1_sha256_5e796e1ebc587faf2f8255e6229fe4f97f781fd66100398561703320d34728c1"
+ logic_hash = "5e796e1ebc587faf2f8255e6229fe4f97f781fd66100398561703320d34728c1"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274001,14 +274487,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Panyazilimbilisimteknolojileriticltdsti_Paniosys
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PanIO.sys"
 author = "Florian Roth"
- id = "f75d3cd5-9b61-55d9-8699-cea3cac75638"
+ id = "098abff0-1471-5793-8366-89df85dc216c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6295-L6314"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960"
- logic_hash = "v1_sha256_5694c7f1a74ffd5cdaa143bc563939589305450c3ee24c758fb7379b79f73764"
+ logic_hash = "5694c7f1a74ffd5cdaa143bc563939589305450c3ee24c758fb7379b79f73764"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274031,7 +274517,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_6C5A : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys"
 author = "Florian Roth"
- id = "1f8a30a5-e40d-50f3-8f3d-9dd54cd5c343"
+ id = "eb1ea3d1-6435-5ca6-b16a-111befaf2000"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274039,7 +274525,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_6C5A : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d"
 hash = "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613"
- logic_hash = "v1_sha256_02155af4ab432fbbec1bf582fa8161eb2e39c258bb0f67fcc7054d2f3c8a46be"
+ logic_hash = "02155af4ab432fbbec1bf582fa8161eb2e39c258bb0f67fcc7054d2f3c8a46be"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274061,14 +274547,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_1768 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "5f906307-da5b-5bc6-a9c9-4d8b7c2d449b"
+ id = "4d79b72a-0848-5fe4-89fe-b16ab03d18d3"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6339-L6358"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca"
- logic_hash = "v1_sha256_5fb10d691fda963001b9a3c07b22db5e63beef984f26bc7d31ad98a1524ce5ff"
+ logic_hash = "5fb10d691fda963001b9a3c07b22db5e63beef984f26bc7d31ad98a1524ce5ff"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274091,7 +274577,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_3913 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "1422a0c8-07d9-5b88-a9ac-c8a25a1bab4b"
+ id = "26b781e0-c148-5506-b135-9b0b8fbf7cf3"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274100,7 +274586,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_3913 : FILE
 hash = "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d"
 hash = "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1"
 hash = "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9"
- logic_hash = "v1_sha256_3750522328a703bfff3a782a9470848875ac679f2a4a4bcabc148f0d8d89697d"
+ logic_hash = "3750522328a703bfff3a782a9470848875ac679f2a4a4bcabc148f0d8d89697d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274123,7 +274609,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_767E : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "b53efcab-4bca-5b66-ba71-c4fe0b603677"
+ id = "b4b9dbcc-b5bd-5a9b-b190-10e20afc5220"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274131,7 +274617,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_767E : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b"
 hash = "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23"
- logic_hash = "v1_sha256_624a88bcb301508151c2afdd1d5f076d04e2941dc2178b931f9dcfe3d63ab47d"
+ logic_hash = "624a88bcb301508151c2afdd1d5f076d04e2941dc2178b931f9dcfe3d63ab47d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274154,14 +274640,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "8836a02a-407b-57af-b012-faa08f721e80"
+ id = "17496639-ec11-519b-8143-2d43568e09cd"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6408-L6427"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7"
- logic_hash = "v1_sha256_a520f2236b800f2dd2b8ac9963b8e9ba3ce782cca2c1b2835540899da65168b5"
+ logic_hash = "a520f2236b800f2dd2b8ac9963b8e9ba3ce782cca2c1b2835540899da65168b5"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274184,14 +274670,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Oti_Otipcibussys_Kernelmodedrivertoaccessphysica
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - otipcibus.sys"
 author = "Florian Roth"
- id = "c622317a-3193-5f9e-b862-ce0b066e4bb9"
+ id = "71052609-e8a3-5611-ad92-8cf43a0fddf0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6430-L6448"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80"
- logic_hash = "v1_sha256_ef5cb96dc4f6eaaf24fe9d0a65ccb5efe54cb672a9328b9dc2bbc36af82d96e2"
+ logic_hash = "ef5cb96dc4f6eaaf24fe9d0a65ccb5efe54cb672a9328b9dc2bbc36af82d96e2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274213,14 +274699,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_DCB8 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "da6ef035-8d92-5517-a627-81869d0c98f5"
+ id = "72ff75ea-c085-51bc-806e-1a43127d1c64"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6451-L6470"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258"
- logic_hash = "v1_sha256_80b8d0833d2e3675c5a1105725ef61e6914774019d4499c752a25b628a985274"
+ logic_hash = "80b8d0833d2e3675c5a1105725ef61e6914774019d4499c752a25b628a985274"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274243,14 +274729,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys"
 author = "Florian Roth"
- id = "ed7c2797-fa9e-5eb7-a692-b034db5d10c3"
+ id = "a4c49dca-e35c-5326-9b30-729ecf65653c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6473-L6492"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab"
- logic_hash = "v1_sha256_2dd35edfdf8b82b650278186df087c5ae103f3b807faf30c72278521ff56224b"
+ logic_hash = "2dd35edfdf8b82b650278186df087c5ae103f3b807faf30c72278521ff56224b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274273,14 +274759,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
 author = "Florian Roth"
- id = "95abe26a-a0d1-5b53-80e3-36b7290b3754"
+ id = "2de9949d-830d-5540-8b4f-1d1262b8b76c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6495-L6514"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6"
- logic_hash = "v1_sha256_522145d0081891d18a0c1e657ca6228962e97325697b556d97a4fe311efa3aee"
+ logic_hash = "522145d0081891d18a0c1e657ca6228962e97325697b556d97a4fe311efa3aee"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274303,7 +274789,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys"
 author = "Florian Roth"
- id = "b5ce1228-3711-5058-b183-847922fc9459"
+ id = "a85c77e3-b898-568a-afae-39452ba4b84a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274311,7 +274797,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_D0E4 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb"
 hash = "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9"
- logic_hash = "v1_sha256_6a29c44686032d2367b1b4b9ef342239b9490e48ba1cc5f862b66f3de6a3f4b2"
+ logic_hash = "6a29c44686032d2367b1b4b9ef342239b9490e48ba1cc5f862b66f3de6a3f4b2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274334,7 +274820,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "4c5a8705-7880-59b4-8828-2fef573af816"
+ id = "5a49351a-0d32-55e6-acb8-f55a861a7da2"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274342,7 +274828,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f"
 hash = "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2"
- logic_hash = "v1_sha256_a2918e4ffce0affe25aa7b8793c19dfa61da8321b35cb91600d0a5552e14fef6"
+ logic_hash = "a2918e4ffce0affe25aa7b8793c19dfa61da8321b35cb91600d0a5552e14fef6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274365,7 +274851,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_0368 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "635cbd42-1193-507c-8015-d561a046b848"
+ id = "eda7e3e6-6fbe-59cd-af4d-159113c685b1"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274373,7 +274859,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_0368 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d"
 hash = "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea"
- logic_hash = "v1_sha256_67626089334102cf852d0863b58a29562dda673b6601a90b13d97a2380a4295c"
+ logic_hash = "67626089334102cf852d0863b58a29562dda673b6601a90b13d97a2380a4295c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274396,14 +274882,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvaudio.sys"
 author = "Florian Roth"
- id = "3144e7fb-65d1-5132-87f6-2d5ebd8e88c1"
+ id = "225ebe9f-c453-5d4b-89af-d6fcffa254cc"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6586-L6605"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f"
- logic_hash = "v1_sha256_13f4cfb57115eab4850771248b479f523f3c6d9a25a21b16ce224ab783dd4abc"
+ logic_hash = "13f4cfb57115eab4850771248b479f523f3c6d9a25a21b16ce224ab783dd4abc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274426,14 +274912,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinch
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys"
 author = "Florian Roth"
- id = "1ee64233-8f22-5bf1-a443-54b5f7e85d88"
+ id = "6d37a9e4-e1b3-5e4a-bc33-1621c32b82dc"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6608-L6627"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f"
- logic_hash = "v1_sha256_1e60cfe82a13e311e8dc98cb4da82f0f1aecc606aaa5c57cda445228e78acd6b"
+ logic_hash = "1e60cfe82a13e311e8dc98cb4da82f0f1aecc606aaa5c57cda445228e78acd6b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274456,14 +274942,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Dtresearchinc_Iomemsys_Iomemsys_DD4A : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iomem64.sys"
 author = "Florian Roth"
- id = "6845b817-d964-59b2-8611-b65eedc83ff0"
+ id = "65abda74-40d3-57c2-ade1-463b3e1ad1ef"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6630-L6649"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097"
- logic_hash = "v1_sha256_f04d75e5ff735d30d5bb3959722a5162b1ab7ce4db8d05a2007f98fc901b2179"
+ logic_hash = "f04d75e5ff735d30d5bb3959722a5162b1ab7ce4db8d05a2007f98fc901b2179"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274486,14 +274972,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Pchuntersys_Pchunter_1B7F : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PCHunter.sys"
 author = "Florian Roth"
- id = "0a4ee062-ba25-56ea-8ef5-d53301906c4f"
+ id = "229e07ae-2358-5b7e-843d-a0038c57dcd0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6652-L6671"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa"
- logic_hash = "v1_sha256_54232c91f0f6d119ece865269eec9d5ea885c8dd0119a0eecd889a405af828a0"
+ logic_hash = "54232c91f0f6d119ece865269eec9d5ea885c8dd0119a0eecd889a405af828a0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274516,14 +275002,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_6500 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "2d061d87-3fde-52fa-9e8e-f522d32c0f07"
+ id = "87ed66d7-4903-5334-9bdb-90ba882c3e98"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6674-L6693"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3"
- logic_hash = "v1_sha256_a3a2b21c9a58fee77857f3074fe6b69506eecb2627d93f1ea3a51c4cccdd2bab"
+ logic_hash = "a3a2b21c9a58fee77857f3074fe6b69506eecb2627d93f1ea3a51c4cccdd2bab"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274546,7 +275032,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_0FC3 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "c0b1703b-1035-54ee-aa60-d453d644cb25"
+ id = "df483112-63ae-51a2-9ebe-795c8ede056f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274554,7 +275040,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_0FC3 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7"
 hash = "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554"
- logic_hash = "v1_sha256_56d3b62717fae240ed7c6becfd6523962bb536fe4f7746e7c80f97851fe30501"
+ logic_hash = "56d3b62717fae240ed7c6becfd6523962bb536fe4f7746e7c80f97851fe30501"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274577,7 +275063,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersys_EDC6 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - netfilter2.sys"
 author = "Florian Roth"
- id = "fd418690-b6f3-5535-8421-658efc530475"
+ id = "382202e4-66c5-574b-a16f-1ce4f6e10f24"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274586,7 +275072,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersys_EDC6 : FILE
 hash = "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed"
 hash = "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617"
 hash = "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1"
- logic_hash = "v1_sha256_e55f801255f5962479d0f69a162490ef45acd014d157118b6808c100583cafa3"
+ logic_hash = "e55f801255f5962479d0f69a162490ef45acd014d157118b6808c100583cafa3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274609,14 +275095,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_E428 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
 author = "Florian Roth"
- id = "ae44f119-9492-5806-b0ea-c6bb13e75192"
+ id = "3a87403b-9df1-566b-af2d-e22732584b63"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6743-L6759"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f"
- logic_hash = "v1_sha256_8bd47884d13cfc03ececb849688a1c843c4de684a6d32923493f9d0af3d33b7b"
+ logic_hash = "8bd47884d13cfc03ececb849688a1c843c4de684a6d32923493f9d0af3d33b7b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274636,14 +275122,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz.sys"
 author = "Florian Roth"
- id = "e6c367fc-e591-51ff-aadf-a597d0b5ac04"
+ id = "5eede083-38a6-50f5-b31e-a4880d4b4304"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6762-L6781"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7"
- logic_hash = "v1_sha256_6fc3676bace692d3c83f0ccebe39be7d9dec3965935a8cf8971594fd6c206b90"
+ logic_hash = "6fc3676bace692d3c83f0ccebe39be7d9dec3965935a8cf8971594fd6c206b90"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274666,14 +275152,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_0909 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "36bc2cdf-4e6e-50bb-8716-457224e01f3e"
+ id = "e1be6d99-bee6-5208-976b-04a2fde0602b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6784-L6803"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06"
- logic_hash = "v1_sha256_f224ce42de29a91805c38c230c5b311878339c20d18bcd482b5738f246b12cbc"
+ logic_hash = "f224ce42de29a91805c38c230c5b311878339c20d18bcd482b5738f246b12cbc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274696,7 +275182,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "ddad007e-2af0-5cf3-ae86-b7e708371443"
+ id = "0f9615f9-4cb9-5be7-bc88-4965e143da3e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274704,7 +275190,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284"
 hash = "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91"
- logic_hash = "v1_sha256_cb6f7a26f4564d7a60a8dee25f5018fd4f3b4decfef6dfdb0d0b2f1df982adf7"
+ logic_hash = "cb6f7a26f4564d7a60a8dee25f5018fd4f3b4decfef6dfdb0d0b2f1df982adf7"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274727,14 +275213,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Watchdogdevelopmentcomllc_Wsdkdsys_Wsdkd_6278 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wsdkd.sys"
 author = "Florian Roth"
- id = "7d5a51ed-ad60-5c78-903e-2847aad2a07f"
+ id = "4beb5c5a-5bdf-513e-9d43-00c30289eddb"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6829-L6848"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440"
- logic_hash = "v1_sha256_3df6c8424981c50e765d8730f702b2a541b4e7312eea2ae27518d0958531f3e0"
+ logic_hash = "3df6c8424981c50e765d8730f702b2a541b4e7312eea2ae27518d0958531f3e0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274757,7 +275243,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HwOs2Ec7x64.sys"
 author = "Florian Roth"
- id = "3939f8dd-5678-5727-9d61-043b274f44ec"
+ id = "7fdaa5bb-7874-51cc-90a0-d718b5ad7ac8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274765,7 +275251,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Huawei_Hwosec_Huaweimatebook_B179 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de"
 hash = "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc"
- logic_hash = "v1_sha256_6c35f9cdd6d48a5804a95bbfd15564e1b9d145b121a72df7fe345ede0c2eed26"
+ logic_hash = "6c35f9cdd6d48a5804a95bbfd15564e1b9d145b121a72df7fe345ede0c2eed26"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274788,14 +275274,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_A468 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys"
 author = "Florian Roth"
- id = "44f792c4-2364-5aed-b0c7-324b8eb3b27f"
+ id = "ee20509d-fdf5-5c5a-8f49-5392c6f015ad"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6874-L6892"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9"
- logic_hash = "v1_sha256_a1e7828c2e39afe4279e6c9b5d34263478919336ed6b7d01bb45b1fdb2032878"
+ logic_hash = "a1e7828c2e39afe4279e6c9b5d34263478919336ed6b7d01bb45b1fdb2032878"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274817,14 +275303,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_7661 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
 author = "Florian Roth"
- id = "ae51f6f7-e792-5b6b-ae55-3a0221d0bf93"
+ id = "cf60dd6e-f13e-5498-b3e1-b28c4b469f10"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6895-L6911"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a"
- logic_hash = "v1_sha256_8428303996166eb968534f192a1e15cc374ed412b8915b41a323fcf6d8bd238c"
+ logic_hash = "8428303996166eb968534f192a1e15cc374ed412b8915b41a323fcf6d8bd238c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274844,14 +275330,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftware
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
 author = "Florian Roth"
- id = "b0044384-fba9-5545-a636-b4260112c4eb"
+ id = "158dd78f-3665-59d6-8528-f4489791d55e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6914-L6933"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2"
- logic_hash = "v1_sha256_565bd93231c1cffbb52efc9fedae7c41593ba93a2540dadf199806793359f67d"
+ logic_hash = "565bd93231c1cffbb52efc9fedae7c41593ba93a2540dadf199806793359f67d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274874,14 +275360,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_881B : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys"
 author = "Florian Roth"
- id = "20a097de-ec32-55af-8ad3-24c4ad6724b3"
+ id = "926f0aef-ede3-554e-874d-7b617efbf2bd"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6936-L6955"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461"
- logic_hash = "v1_sha256_0d1427a94c21e7055a8d3d1e23e0ee3c513030530c15778eed40283979dba6f9"
+ logic_hash = "0d1427a94c21e7055a8d3d1e23e0ee3c513030530c15778eed40283979dba6f9"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274904,14 +275390,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_5192 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "2b3f308b-a637-5e17-97aa-7e2e060b9a55"
+ id = "63cc2959-9cfa-575d-894f-fbb63349a4e7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L6958-L6977"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b"
- logic_hash = "v1_sha256_39194a4e7085e17fef079075949360155d6ce279e3bc1a92f1b3a12b70e7f15c"
+ logic_hash = "39194a4e7085e17fef079075949360155d6ce279e3bc1a92f1b3a12b70e7f15c"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274934,7 +275420,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinch
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys"
 author = "Florian Roth"
- id = "486e0beb-c0ba-580e-a648-e33b2e570e66"
+ id = "17bc5473-e539-503d-8805-957c4384a0d7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -274942,7 +275428,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinch
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0"
 hash = "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b"
- logic_hash = "v1_sha256_09782a4b713c385896e9793c7fe4771ad00b8736e44c2639f94239751cf17222"
+ logic_hash = "09782a4b713c385896e9793c7fe4771ad00b8736e44c2639f94239751cf17222"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274965,14 +275451,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Insydesoftware_Insydeflash_Insydeflashutilitybit
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iscflashx64.sys"
 author = "Florian Roth"
- id = "d73850b6-f6cf-517f-b401-b25e4e8a4974"
+ id = "76578c75-a19c-54b1-b956-c26b8fe6e4ad"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7003-L7022"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9"
- logic_hash = "v1_sha256_ba20c0a151a7e6ef4c2e70426cf4132d9c30f40b6a91e4402e20d15201b6c56e"
+ logic_hash = "ba20c0a151a7e6ef4c2e70426cf4132d9c30f40b6a91e4402e20d15201b6c56e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -274995,14 +275481,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_80A5 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "c18d296b-8023-5832-9fd4-5afc7f5c7fb9"
+ id = "80e3827b-44e7-5b59-a7db-c7daf0e38664"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7025-L7044"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085"
- logic_hash = "v1_sha256_f736ac96f1efde446400aaa49fba7cc84a0a10b3425561f67811da86dbee14a8"
+ logic_hash = "f736ac96f1efde446400aaa49fba7cc84a0a10b3425561f67811da86dbee14a8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275025,14 +275511,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Microfocus_Microfocusxtier_5351 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
 author = "Florian Roth"
- id = "a1ecee9f-c5f5-5199-8af8-0a94c47623cb"
+ id = "e2d580c9-79e6-53f1-ab4a-77e2715b6f91"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7047-L7065"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c"
- logic_hash = "v1_sha256_efbf3fd36c3ca5c2b95796cdaefb175ad1957866649e73366a1d6810cbcb5e81"
+ logic_hash = "efbf3fd36c3ca5c2b95796cdaefb175ad1957866649e73366a1d6810cbcb5e81"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275054,7 +275540,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_78
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - vboxdrv.sys"
 author = "Florian Roth"
- id = "836b1204-c005-555e-8b6c-8b9fd2e10eea"
+ id = "c367a41e-58e4-59cd-a3f4-dfcd001e7040"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -275062,7 +275548,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_78
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f"
 hash = "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924"
- logic_hash = "v1_sha256_5e95853e7a2013132a6565b5908475e6369a56ff6c58f0e10c875b72b15b2523"
+ logic_hash = "5e95853e7a2013132a6565b5908475e6369a56ff6c58f0e10c875b72b15b2523"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275085,7 +275571,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
 author = "Florian Roth"
- id = "eaf24cf2-7b4f-5643-982a-0b29019ebd4a"
+ id = "95bb049c-cef2-5235-8e3d-ebe9591b7e27"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -275093,7 +275579,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36"
 hash = "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6"
- logic_hash = "v1_sha256_5dc9ec007f318b16034b43248be9807c024780aa58eb714982130656e7f2b6a6"
+ logic_hash = "5dc9ec007f318b16034b43248be9807c024780aa58eb714982130656e7f2b6a6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275116,7 +275602,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_16E2 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys"
 author = "Florian Roth"
- id = "5a452c01-7f13-5861-8017-e846ffb64e2f"
+ id = "8c1ee58c-e03e-55dd-a1ff-bc03594778ae"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -275124,7 +275610,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_16E2 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23"
 hash = "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901"
- logic_hash = "v1_sha256_162cf712c505520635388ec61c69165a2fff8704c7edef58c63cc8cbcc624e0d"
+ logic_hash = "162cf712c505520635388ec61c69165a2fff8704c7edef58c63cc8cbcc624e0d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275147,7 +275633,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "df742850-e4b6-5d11-8b97-39811386aa97"
+ id = "3efdeeef-8fe7-57a7-9424-505b46fb75e4"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -275155,7 +275641,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f"
 hash = "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25"
- logic_hash = "v1_sha256_f7a87edc0403a7b8273256805bb8c7aadadde8143db84be9b3968ef67cf3c1c4"
+ logic_hash = "f7a87edc0403a7b8273256805bb8c7aadadde8143db84be9b3968ef67cf3c1c4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275178,7 +275664,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_7553 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys"
 author = "Florian Roth"
- id = "6227660d-cdc4-514e-9014-a6dd731be9bf"
+ id = "9880d118-943b-5532-8e6a-22f0a9d9b255"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -275186,7 +275672,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ludashicom_Computerzsys_7553 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3"
 hash = "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66"
- logic_hash = "v1_sha256_e60b387fe83bffdd1411f3b8fb491f0b60ff0de3eac87c9c5ee8c55ca6c48afc"
+ logic_hash = "e60b387fe83bffdd1411f3b8fb491f0b60ff0de3eac87c9c5ee8c55ca6c48afc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275209,7 +275695,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - atillk64.sys"
 author = "Florian Roth"
- id = "d69cee95-2073-5251-a56e-8e75fa221a3a"
+ id = "9b7e6787-abbf-5bfb-a833-a0b078566ed7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -275217,7 +275703,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Overclockingtool_Atillksys_Overclockingtool_11A9
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f"
 hash = "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b"
- logic_hash = "v1_sha256_07b8fb1b1b86b58a6fb7f18f3b1b70eee5826fa5c629a8cef1b97afbae7ea7c3"
+ logic_hash = "07b8fb1b1b86b58a6fb7f18f3b1b70eee5826fa5c629a8cef1b97afbae7ea7c3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275240,14 +275726,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_2A62 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
 author = "Florian Roth"
- id = "53901741-8c99-5239-be62-811f2a3dc855"
+ id = "7c67b2a6-a2da-56ce-8ed4-017838ea7673"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7206-L7225"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8"
- logic_hash = "v1_sha256_5fae0a4ba7d11e3714baab3417a1bdd9fff6275fa9347c0389d8627374533bbf"
+ logic_hash = "5fae0a4ba7d11e3714baab3417a1bdd9fff6275fa9347c0389d8627374533bbf"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275270,14 +275756,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_AAA3 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "79bddb71-e594-534d-9320-60a70602a084"
+ id = "9b0770d3-d004-552f-be65-6dcc14f06cc7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7228-L7247"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c"
- logic_hash = "v1_sha256_bb87661658fa874985bbe1050c19eb8ea9136ec62c224d53cd4920866e6a6b1f"
+ logic_hash = "bb87661658fa874985bbe1050c19eb8ea9136ec62c224d53cd4920866e6a6b1f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275300,14 +275786,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswvmmsys_Avastantivirus_3650 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswVmm.sys"
 author = "Florian Roth"
- id = "8c297ed0-45f6-5f57-b263-67203c4f48b3"
+ id = "1b3abcb0-5317-58f0-bb7a-6bc1996483fa"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7250-L7269"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10"
- logic_hash = "v1_sha256_afe8e12664ee9061c2b2ecdcaaef0c38ece604d050e31b46208f9a22545042ca"
+ logic_hash = "afe8e12664ee9061c2b2ecdcaaef0c38ece604d050e31b46208f9a22545042ca"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275330,14 +275816,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gdrv_FF67 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys"
 author = "Florian Roth"
- id = "bcb342e0-3326-52b0-ad66-accbb7b1aea4"
+ id = "b5062d65-a4bc-5d0e-9883-7c1fa54138e8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7272-L7291"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339"
- logic_hash = "v1_sha256_18c40b7312d0b65d83287e452e8b9429eaed36245d17ef1b82ec04a968303a39"
+ logic_hash = "18c40b7312d0b65d83287e452e8b9429eaed36245d17ef1b82ec04a968303a39"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275360,14 +275846,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "ea33b41d-3612-5288-bdf3-d0af6bc6ae25"
+ id = "d5bbf94d-394a-599e-93f3-6f9d79cca02f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7294-L7313"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c"
- logic_hash = "v1_sha256_b038dcb0a536e16d71035d11537757f529589a435616abacd94aadd5663c2a17"
+ logic_hash = "b038dcb0a536e16d71035d11537757f529589a435616abacd94aadd5663c2a17"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275390,14 +275876,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Rivetnetworksllc_Kfecodrvsys_Killertrafficcontro
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - KfeCo10X64.sys"
 author = "Florian Roth"
- id = "ad5e1354-692e-5a72-a7a1-aa0c1aa62f6a"
+ id = "eff26fc8-a458-5c15-8a0b-86773f8f6289"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7316-L7335"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704"
- logic_hash = "v1_sha256_d4f37a4c7014694cfcf57c11ee9d41edec1b6fa77a564341663c3411764dbcda"
+ logic_hash = "d4f37a4c7014694cfcf57c11ee9d41edec1b6fa77a564341663c3411764dbcda"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275420,14 +275906,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "a5dfecf5-009e-5b55-a17c-3edae7dac81a"
+ id = "1ffe9a5e-5cdc-5db4-8247-e9726ee15428"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7338-L7357"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2"
- logic_hash = "v1_sha256_d52c104de520b575b404d320a8ec762a146da8cc0567b5f30dc8594b7a1742ef"
+ logic_hash = "d52c104de520b575b404d320a8ec762a146da8cc0567b5f30dc8594b7a1742ef"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275450,14 +275936,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_ED2F : F
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "df48d574-6cbb-5a5d-a4ed-af067bec9a1b"
+ id = "288ce092-a3f2-57d0-9d28-a0c4b6faa52f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7360-L7379"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39"
- logic_hash = "v1_sha256_1da8ef4d1877ba9d2c31d994735f6395367de990be6c875c0cba37654ee39ad3"
+ logic_hash = "1da8ef4d1877ba9d2c31d994735f6395367de990be6c875c0cba37654ee39ad3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275480,14 +275966,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibxsys_Ntiolib_09BE : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys"
 author = "Florian Roth"
- id = "065693c2-0879-53e2-921a-85e5d9884a01"
+ id = "30b7487c-d5b7-52b1-a209-f6eb01f0f406"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7382-L7401"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1"
- logic_hash = "v1_sha256_23f5a77bae75d686a980e65dd6efe4ad216a60d75631fed169a83cc88d64675e"
+ logic_hash = "23f5a77bae75d686a980e65dd6efe4ad216a60d75631fed169a83cc88d64675e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275510,14 +275996,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_A802 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "752abddd-5171-5ae8-987a-156020619a87"
+ id = "9cb0be23-e1d9-5698-bde2-81a870f81f83"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7404-L7423"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e"
- logic_hash = "v1_sha256_8ef06932883bbd5ad62bd5d975fb341277a83271f7a21fc77cdebc6b9f4a05a6"
+ logic_hash = "8ef06932883bbd5ad62bd5d975fb341277a83271f7a21fc77cdebc6b9f4a05a6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275540,14 +276026,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "980e59fc-88fa-5c20-b0e1-85d21c2d8e1a"
+ id = "0328757c-e561-567c-b7ad-7e6bcba19bb5"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7426-L7445"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8"
- logic_hash = "v1_sha256_014039b9b1b4ea903b4c014ca3d3ff946b1b0f4759d8d78c1fcf825d11318e42"
+ logic_hash = "014039b9b1b4ea903b4c014ca3d3ff946b1b0f4759d8d78c1fcf825d11318e42"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275570,14 +276056,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_75
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
 author = "Florian Roth"
- id = "8edbc73b-716e-5f35-8eee-712f4adbe94b"
+ id = "5ccaf486-04c4-5066-b307-e76b6e484d01"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7448-L7467"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c"
- logic_hash = "v1_sha256_dd40b144e403136b4359106d2efeb24335b83ffc13a62fdce7c9bd602dc45506"
+ logic_hash = "dd40b144e403136b4359106d2efeb24335b83ffc13a62fdce7c9bd602dc45506"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275600,14 +276086,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxc_1183 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS"
 author = "Florian Roth"
- id = "bd3354d7-34a6-5240-8350-3fa099e6e465"
+ id = "cd8eccb8-d106-514c-8b92-7d5016d9a182"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7470-L7489"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359"
- logic_hash = "v1_sha256_5842fcb278bb2b659760677fea80cbb110347e495e9f1a39fc901f0927753b88"
+ logic_hash = "5842fcb278bb2b659760677fea80cbb110347e495e9f1a39fc901f0927753b88"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275630,14 +276116,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_478D : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "d3ecdce9-9b3e-5c82-808f-b3f12e5bec01"
+ id = "13ee4d76-b778-593e-85e6-8402d01352e8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7492-L7511"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0"
- logic_hash = "v1_sha256_29a09ee10d391b3183052255622f7b96a0e2bf649acc30e10d57e1cb3b17b84f"
+ logic_hash = "29a09ee10d391b3183052255622f7b96a0e2bf649acc30e10d57e1cb3b17b84f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275660,14 +276146,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Activeclean_A903 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "6e8f717e-cefa-51eb-9386-7125a22e9288"
+ id = "3142d323-869f-5e25-b860-da2c34f659ce"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7514-L7533"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e"
- logic_hash = "v1_sha256_b79d850df65fa7a96642e4a1da2240e001c87d44d64c621c756face489c0eb6b"
+ logic_hash = "b79d850df65fa7a96642e4a1da2240e001c87d44d64c621c756face489c0eb6b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275690,7 +276176,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "8f7473b8-a1cd-51d8-a751-7795564cec0c"
+ id = "ce58b5cb-437a-56b2-8ccb-9399ce2ef6c3"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -275698,7 +276184,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa"
 hash = "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675"
- logic_hash = "v1_sha256_3035342ffaf651efc8de23d2da68540ee7d89b2bf2b5c2925094e7fe2a3f7c28"
+ logic_hash = "3035342ffaf651efc8de23d2da68540ee7d89b2bf2b5c2925094e7fe2a3f7c28"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275721,14 +276207,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_1B17 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS"
 author = "Florian Roth"
- id = "a2cda3b2-aadc-557b-9b3b-9618a1f43d09"
+ id = "f9c35fdf-7048-53b3-bff2-b30f283eadc6"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7559-L7578"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b"
- logic_hash = "v1_sha256_cd8e28cc91da2da748b449b175c24f7271019fa6e9b475b8689183eb1866c59a"
+ logic_hash = "cd8e28cc91da2da748b449b175c24f7271019fa6e9b475b8689183eb1866c59a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -275751,14 +276237,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_6CF1 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" - id = "02debf9c-c224-58c5-b46a-59597a881a23" + id = "4226b41f-4828-558b-b990-fd63dbc5b2e3" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7581-L7599" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259" - logic_hash = "v1_sha256_60fcd09b5ad2beef9a28c78590e6a935b5a2818db45175960527285a4a765ea5" + logic_hash = "60fcd09b5ad2beef9a28c78590e6a935b5a2818db45175960527285a4a765ea5" score = 40 quality = 80 tags = "FILE" 
@@ -275780,14 +276266,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_EAE5 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" - id = "6371737e-7afd-5517-ba22-77a885545d6d" + id = "bd54bf19-8af7-5afb-b861-e1ecb145ca1a" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7602-L7621" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed" - logic_hash = "v1_sha256_ea0bb86a2cc5f3349678d9a698e14301207ba1bf6c19f9caf91abd72e7794a8c" + logic_hash = "ea0bb86a2cc5f3349678d9a698e14301207ba1bf6c19f9caf91abd72e7794a8c" score = 40 quality = 80 tags = "FILE" 
@@ -275810,14 +276296,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" - id = "06789e44-0259-5dd5-aaf1-67749cf33b73" + id = "a101f69b-ca19-5aeb-a168-1a10dbd6ec12" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7624-L7643" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c" - logic_hash = "v1_sha256_c4310d622e5861f4c63d9e9c39ee94acbfb35d24a91f50158f1d695d1f0cf254" + logic_hash = "c4310d622e5861f4c63d9e9c39ee94acbfb35d24a91f50158f1d695d1f0cf254" score = 40 quality = 80 tags = "FILE" 
@@ -275840,14 +276326,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Databaseharborsoftware_Sysinfodetectorxsys_Sysin meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysInfoDetectorX64.sys" author = "Florian Roth" - id = "ead65fa3-faab-57fa-984f-76e05a61fa02" + id = "5d65c0b6-176b-5c11-996d-2caae24c95af" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7646-L7665" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271" - logic_hash = "v1_sha256_3c67bbee00427b7f8ed689a5ff83641bad2b62dc685b5155ea81f6dbba4377b0" + logic_hash = "3c67bbee00427b7f8ed689a5ff83641bad2b62dc685b5155ea81f6dbba4377b0" score = 40 quality = 80 tags = "FILE" @@ -275870,7 +276356,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "8cbc317d-26a4-5c31-9244-d5933984e9e0" + id = "adc55873-9711-5304-97d4-037174c036ff" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -275879,7 +276365,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7048 : FILE hash = "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6" hash = "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e" hash = "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17" - logic_hash = "v1_sha256_2768d499d0f387278553c77bd313337202b107474d44e41b8b59b22254680637" + logic_hash = "2768d499d0f387278553c77bd313337202b107474d44e41b8b59b22254680637" score = 40 quality = 80 tags = "FILE" @@ -275902,14 +276388,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_7837 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "5302c765-1611-5bc1-ab69-73aba8a84cf4" + id = "47963173-d9a8-5a16-9959-d99e6e8920f3" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7692-L7711" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408" - logic_hash = "v1_sha256_0d0e3e2675e5d6b11369a388a6e7a947e603db2562aefb802c977728419bb667" + logic_hash = "0d0e3e2675e5d6b11369a388a6e7a947e603db2562aefb802c977728419bb667" score = 40 quality = 80 tags = "FILE" 
@@ -275932,14 +276418,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmelsys_Trendmicroearlylaunchantim meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Tmel.sys" author = "Florian Roth" - id = "261074ce-3752-570e-8725-d7a269a6eccf" + id = "03f8b653-0ecc-5161-935e-5f670fd54bb1" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7714-L7733" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9" - logic_hash = "v1_sha256_7645c180f10ba31e259cdfa4904c16941ce777412416527c95fa9592ed76da8c" + logic_hash = "7645c180f10ba31e259cdfa4904c16941ce777412416527c95fa9592ed76da8c" score = 40 quality = 80 tags = "FILE" 
@@ -275962,14 +276448,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ncrcorporation_Radhwmgrsys_Ncrcorporationhardwar meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" - id = "3dde3830-6f15-58bf-b677-5021108fdf85" + id = "e5a0a70b-13ea-584f-a7f8-387ca23b9ecd" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7736-L7755" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858" - logic_hash = "v1_sha256_2194da0b4589893a0884b9a8c0ed5a556b008152b9c03613074892001406fc21" + logic_hash = "2194da0b4589893a0884b9a8c0ed5a556b008152b9c03613074892001406fc21" score = 40 quality = 80 tags = "FILE" 
@@ -275992,14 +276478,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "b965c6dd-e349-5881-b284-c6f106e16660" + id = "9e448b85-4455-5a80-9147-e6c83b1427aa" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7758-L7777" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d" - logic_hash = "v1_sha256_e4e6178a894262ed52bd5ee6e0879f54d4cb81ec467f065f0b00d34ac55064b0" + logic_hash = "e4e6178a894262ed52bd5ee6e0879f54d4cb81ec467f065f0b00d34ac55064b0" score = 40 quality = 80 tags = "FILE" 
@@ -276022,14 +276508,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_BA40 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" - id = "de40c84a-c331-5b89-8e30-c55526740029" + id = "a932bccb-6c13-5d78-afab-ecca0d072815" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7780-L7799" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d" - logic_hash = "v1_sha256_ea4d6b524d8e4229b090890145a02617482c38ae077d5fd9a7fd46fa6e917b1a" + logic_hash = "ea4d6b524d8e4229b090890145a02617482c38ae077d5fd9a7fd46fa6e917b1a" score = 40 quality = 80 tags = "FILE" 
@@ -276052,14 +276538,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_828A : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "43b05f32-97ed-5373-ba96-939f254f32a7" + id = "0ff55ef5-4de8-53e9-b10e-2c3eda501fa7" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7802-L7821" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2" - logic_hash = "v1_sha256_e5eb524d77c082acac68ea7b24bf10e445dd1afc9be97333980d8a8d580a6e98" + logic_hash = "e5eb524d77c082acac68ea7b24bf10e445dd1afc9be97333980d8a8d580a6e98" score = 40 quality = 80 tags = "FILE" 
@@ -276082,14 +276568,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sunmicrosystemsinc_Vboxusbmonsys_Virtualboxusbmo meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxUSBMon.sys" author = "Florian Roth" - id = "ae5debfc-eff4-579d-982f-1a1d73e486cd" + id = "f1c042e9-1bbe-5a21-9a46-519c93cb7b2c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7824-L7843" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145" - logic_hash = "v1_sha256_bf3569ba1652fc95c0752a4bf58586ecbe41db63d58ff6326cbd7ef6c2d5b65f" + logic_hash = "bf3569ba1652fc95c0752a4bf58586ecbe41db63d58ff6326cbd7ef6c2d5b65f" score = 40 quality = 80 tags = "FILE" 
@@ -276112,14 +276598,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Copyright_Advancedmalwareprotection_6F55 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amsdk.sys" author = "Florian Roth" - id = "acfec69c-87d3-5cb5-8f17-9d04a918253f" + id = "6eb82ac7-9544-5554-b7af-557dd843d29d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7846-L7864" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c" - logic_hash = "v1_sha256_4b5b303a3311ec88e1ebad890eb08fe3af13b3c6fdd7cf88421a9f7590661832" + logic_hash = "4b5b303a3311ec88e1ebad890eb08fe3af13b3c6fdd7cf88421a9f7590661832" score = 40 quality = 80 tags = "FILE" 
@@ -276141,14 +276627,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_0DC4 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "d2d44715-a44d-58b6-814b-d63da2315155" + id = "80f3a10e-1943-522d-a881-4e67bc908de3" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7867-L7886" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c" - logic_hash = "v1_sha256_291aa7d4bd435f112fb6678d8b495d38df94b7a6256d71ac39dd055ab3c94719" + logic_hash = "291aa7d4bd435f112fb6678d8b495d38df94b7a6256d71ac39dd055ab3c94719" score = 40 quality = 80 tags = "FILE" @@ -276171,7 +276657,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_3670 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" - id = "f87b07e1-fc88-51be-90c9-70b3951c2425" + id = "0756f1e4-4cc4-5161-8792-c8b7cfe11965" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -276179,7 +276665,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_3670 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76" hash = "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180" - logic_hash = "v1_sha256_3ca3c8fe11a696ad5eaf4b806c277a903a665b3c16a5c8a86dbf8468a71ad9ee" + logic_hash = "3ca3c8fe11a696ad5eaf4b806c277a903a665b3c16a5c8a86dbf8468a71ad9ee" score = 40 quality = 80 tags = "FILE" @@ -276202,14 +276688,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_EEA5 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "66457299-c4d9-52ef-9ade-bcb049ed045e" + id = "2942b5b0-7270-5b7a-98f7-beee11e7aa57" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7912-L7931" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b" - logic_hash = "v1_sha256_47bcbc01fc9d12d72613093da34efd44b9d45af700a83450e36aed9fa972ae9b" + logic_hash = "47bcbc01fc9d12d72613093da34efd44b9d45af700a83450e36aed9fa972ae9b" score = 40 quality = 80 tags = "FILE" 
@@ -276232,14 +276718,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9CA5 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "9fa312aa-97b8-5bc6-917d-6a9fae262c3b" + id = "41660c6a-2c4c-5362-94cc-f701eb939870" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7934-L7953" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340" - logic_hash = "v1_sha256_a666e2b5c53129dc1f82a945d828bb84fc31e54c1c69cc6666222e4b9a45ea39" + logic_hash = "a666e2b5c53129dc1f82a945d828bb84fc31e54c1c69cc6666222e4b9a45ea39" score = 40 quality = 80 tags = "FILE" 
@@ -276262,14 +276748,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_4E54 : FIL meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" - id = "a0252b4b-b290-5c97-b092-6571fc61b363" + id = "d6f57b92-e6fe-5723-9fbf-ee7ccc3aa5a2" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7956-L7975" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce" - logic_hash = "v1_sha256_81a80cb4cdeb79ba7b32cb981c4f6d986fc465a78566aded7d7bf3f06e3e027f" + logic_hash = "81a80cb4cdeb79ba7b32cb981c4f6d986fc465a78566aded7d7bf3f06e3e027f" score = 40 quality = 80 tags = "FILE" 
@@ -276292,14 +276778,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_2D2C : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" - id = "59c25307-9533-5155-a248-c1ef4ce10514" + id = "f2aefc0c-b851-5341-acee-20d02c838548" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L7978-L7997" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b" - logic_hash = "v1_sha256_991c554b098cc048d925ab989b0ca3950b07fd13e75ddcc0e8d8f4e24f6e58a6" + logic_hash = "991c554b098cc048d925ab989b0ca3950b07fd13e75ddcc0e8d8f4e24f6e58a6" score = 40 quality = 80 tags = "FILE" 
@@ -276322,14 +276808,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_F4EE : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" - id = "93a15d9a-9dc9-51bd-b0e7-a286439bfc81" + id = "efacff94-b2cd-55b8-94ef-076b29aba00d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8000-L8019" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560" - logic_hash = "v1_sha256_7ad25b1c03c5f7aff57f6ae40fae6232a0649d643a4ccd6ed1eee886bfad7f68" + logic_hash = "7ad25b1c03c5f7aff57f6ae40fae6232a0649d643a4ccd6ed1eee886bfad7f68" score = 40 quality = 80 tags = "FILE" 
@@ -276352,14 +276838,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5CFA : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "23b1ddd6-9722-51ea-beb1-60dfb81b8234" + id = "a563b3de-1a05-55bf-ae93-03e84ef1cb26" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8022-L8041" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185" - logic_hash = "v1_sha256_772f33e1190458ffbe4f6636fc775fea47d4ab242cecc5a77d00ee34de4ecf86" + logic_hash = "772f33e1190458ffbe4f6636fc775fea47d4ab242cecc5a77d00ee34de4ecf86" score = 40 quality = 80 tags = "FILE" @@ -276382,7 +276868,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" - id = "adeaa3c8-55d0-5930-b7dd-c99ca1b7341e" + id = "fc239233-68cc-5e0c-94b3-fa78f95998b1" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -276390,7 +276876,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Computerzsys_Ludashisystemdriver_898E : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289" hash = "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8" - logic_hash = "v1_sha256_8895375f8ce3efa2fec38f6b42d4401b64d5dbde4c1bd9eead31ecb442f72588" + logic_hash = "8895375f8ce3efa2fec38f6b42d4401b64d5dbde4c1bd9eead31ecb442f72588" score = 40 quality = 80 tags = "FILE" @@ -276413,7 +276899,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" - id = "6a6ebfd3-269f-5906-9751-3911dc5150c0" + id = "9a6e76da-aff1-5944-a5ce-a056f3f013c4" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -276421,7 +276907,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3" hash = "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1" - logic_hash = "v1_sha256_c969121df4f2e873fbff32b00484550a8a80e4fcc0cd093a2c93c566c249977a" + logic_hash = "c969121df4f2e873fbff32b00484550a8a80e4fcc0cd093a2c93c566c249977a" score = 40 quality = 80 tags = "FILE" 
@@ -276444,7 +276930,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6 meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" - id = "3e9ede7c-1ece-57ea-91cd-926621513a55" + id = "b6d09923-9ea3-56a0-9692-ee2cf00545e7" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -276452,7 +276938,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_6 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e" hash = "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91" - logic_hash = "v1_sha256_ceae34b4cd1698fc1d779b5860437b1017401c8f954d74804fcdbb13a5603186" + logic_hash = "ceae34b4cd1698fc1d779b5860437b1017401c8f954d74804fcdbb13a5603186" score = 40 quality = 80 tags = "FILE" @@ -276475,7 +276961,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_ meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" - id = "0ad1adda-80c7-5d31-9a8f-31cc383c1c3f" + id = "054d4045-5d8d-5bd9-aaba-3a0cbef517af" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -276484,7 +276970,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_ hash = "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b" hash = "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e" hash = "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16" - logic_hash = "v1_sha256_380ba354000358c8d9035f44b83c14b2d38bdfafbba7cc8b33d190884d43874a" + logic_hash = "380ba354000358c8d9035f44b83c14b2d38bdfafbba7cc8b33d190884d43874a" score = 40 quality = 80 tags = "FILE" @@ -276507,14 +276993,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Arthurliberman_Alsysiosys_Alsysio_119C : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ALSysIO64.sys" author = "Florian Roth" - id = "a9e71f16-8f4d-5867-9ab8-ec8db7258954" + id = "abb75d3f-eeb2-5ae7-976a-3f9e8627d6ca" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8137-L8156" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280" - logic_hash = "v1_sha256_1ff636a8954a5f049c582d8436111ffe5a4e89e3f38870c9c8ac9706f0b1acd2" + logic_hash = "1ff636a8954a5f049c582d8436111ffe5a4e89e3f38870c9c8ac9706f0b1acd2" score = 40 quality = 80 tags = "FILE" 
@@ -276537,14 +277023,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_263E : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" - id = "d6ee4463-b6f0-5070-aaa4-2a62d5409106" + id = "2ff1ee8e-cd67-58e7-b301-e1f7712b6031" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8159-L8178" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24" - logic_hash = "v1_sha256_c4a5f4e6908dcf3280adcebb9d8c58fb58be06267b524cb37f15d99091eb4a98" + logic_hash = "c4a5f4e6908dcf3280adcebb9d8c58fb58be06267b524cb37f15d99091eb4a98" score = 40 quality = 80 tags = "FILE" 
@@ -276567,14 +277053,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_88FB : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx64.sys" author = "Florian Roth" - id = "728fa41e-5d99-5bb9-b283-7346d68d7d41" + id = "b97c6cc0-76f2-56a2-9725-672ac9f6aa9b" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8181-L8200" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af" - logic_hash = "v1_sha256_9c38d3552116177e73a66e56d3f53f8f50ed698a8747cbc59ccbee3cfec0db0d" + logic_hash = "9c38d3552116177e73a66e56d3f53f8f50ed698a8747cbc59ccbee3cfec0db0d" score = 40 quality = 80 tags = "FILE" 
@@ -276597,14 +277083,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_E839 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" - id = "da85ce40-84d9-5d23-81b6-e9cb0a306dcc" + id = "8a7a82a3-f24e-5887-9d95-a997179616d9" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8203-L8222" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa" - logic_hash = "v1_sha256_452a3eeb969ca2a3145b1f525401490911aeec23b29e88395f33dddb693417d0" + logic_hash = "452a3eeb969ca2a3145b1f525401490911aeec23b29e88395f33dddb693417d0" score = 40 quality = 80 tags = "FILE" 
@@ -276627,14 +277113,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Hilschergesellschaftfrsystemaoutomationmbh_Physm meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - physmem.sys" author = "Florian Roth" - id = "4b1585ca-6e06-5140-88ab-0a1fe68aaafe" + id = "1759efbf-dabf-5790-a624-9e344884f98c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8225-L8244" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d" - logic_hash = "v1_sha256_64d1a7c9772d6a627bd2cec5c466a2627fa28d4a640ebe7fac5b948a02f1ff2a" + logic_hash = "64d1a7c9772d6a627bd2cec5c466a2627fa28d4a640ebe7fac5b948a02f1ff2a" score = 40 quality = 80 tags = "FILE" 
@@ -276657,14 +277143,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tenasyscorporation_Rtifsys_Intime_4CE8 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtif.sys" author = "Florian Roth" - id = "35379a79-4996-51e4-8152-5a08a0941fa3" + id = "b9e35ec1-d960-5b7a-9461-93b206ded648" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8247-L8266" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0" - logic_hash = "v1_sha256_65d2d5a1727f55c5a09c2dac5472095b92316eaaabf6356224b175ffe6b7c5a3" + logic_hash = "65d2d5a1727f55c5a09c2dac5472095b92316eaaabf6356224b175ffe6b7c5a3" score = 40 quality = 80 tags = "FILE" 
@@ -276687,14 +277173,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amd meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys" author = "Florian Roth" - id = "e2f7daf5-0f4b-5a3d-b669-5aa1bc5ef54b" + id = "f80640c2-ec8d-5350-ba26-4dc6974816f2" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8269-L8288" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a" - logic_hash = "v1_sha256_9fc3405f0415b37f348f5a7ea83344a60a9a987acfa844663811e834927f234a" + logic_hash = "9fc3405f0415b37f348f5a7ea83344a60a9a987acfa844663811e834927f234a" score = 40 quality = 80 tags = "FILE" 
@@ -276717,14 +277203,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_ADA4 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "b4eae4f0-9e53-59e1-9d82-e0603e4ae8f4" + id = "55ef1733-e9e8-5c60-8461-233e4fa4f0ae" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8291-L8310" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47" - logic_hash = "v1_sha256_d102d9add684a93cec7f05196b3e3ca39ff470df7df1b5fd58001b460c0a2dfc" + logic_hash = "d102d9add684a93cec7f05196b3e3ca39ff470df7df1b5fd58001b460c0a2dfc" score = 40 quality = 80 tags = "FILE" 
@@ -276747,14 +277233,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_9B2F : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys" author = "Florian Roth" - id = "d81e9983-f03c-5d4b-b93c-be32b56f8c41" + id = "d2e1c8d4-b8a7-5a0d-817a-f68ddda1c652" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8313-L8332" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285" - logic_hash = "v1_sha256_156c30e23f3a22442c635c449290dfcfc5f02fb3b3a0a65f0966306bd1d71f7c" + logic_hash = "156c30e23f3a22442c635c449290dfcfc5f02fb3b3a0a65f0966306bd1d71f7c" score = 40 quality = 80 tags = "FILE" @@ -276777,7 +277263,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_F629 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys" author = "Florian Roth" - id = "18e79fdf-02e3-5f82-86ea-b8b771ccdc8a" + id = "05b5dc1a-9507-512f-9f1c-42cd36a2666f" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -276785,7 +277271,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_F629 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65" hash = "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2" - logic_hash = "v1_sha256_b4ad3eedff5e41aa07d42c46dd5ef97ef281c049ed676e6b93474f21e20da428" + logic_hash = "b4ad3eedff5e41aa07d42c46dd5ef97ef281c049ed676e6b93474f21e20da428" score = 40 quality = 80 tags = "FILE" @@ -276807,14 +277293,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cyreninc_Amp_Cyrenamp_CBB8 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amp.sys" author = "Florian Roth" - id = "4a2966d7-0b97-54e5-af61-d70556418f7b" + id = "a2b01649-d98b-5d99-9fb3-e9a648db62ad" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8357-L8376" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6" - logic_hash = "v1_sha256_79514ed74f7ca8fae3b4a36ae240d325fb70555cb8371e03a498b6fb9992b961" + logic_hash = "79514ed74f7ca8fae3b4a36ae240d325fb70555cb8371e03a498b6fb9992b961" score = 40 quality = 80 tags = "FILE" 
@@ -276837,14 +277323,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Netfiltersdkcom_Lgdcatchersys_Netfiltersdk_0C42 meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - LgDCatcher.sys" author = "Florian Roth" - id = "92ec9951-692d-5540-8951-08d03941d71b" + id = "3659a46f-25cf-5f9f-9ac5-578e2ffa6e45" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8379-L8398" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5" - logic_hash = "v1_sha256_ca3a99d2b899c907450d0a975db142d391135f70d8f6e42f937e03e2b0c7a9ce" + logic_hash = "ca3a99d2b899c907450d0a975db142d391135f70d8f6e42f937e03e2b0c7a9ce" score = 40 quality = 80 tags = "FILE" 
@@ -276867,14 +277353,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Supermicrocomputerinc_Superbmc_Superbmc_F843 : F meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - superbmc.sys" author = "Florian Roth" - id = "60f7d602-2102-5584-8627-bc05e40ba9ce" + id = "bf870b5d-ab2d-587d-a7ce-da7a02960d2c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8401-L8420" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35" - logic_hash = "v1_sha256_a628c561060c20f97c03b11be8c6d475b390d10ee7bf8dff9cc05600d68b8fc8" + logic_hash = "a628c561060c20f97c03b11be8c6d475b390d10ee7bf8dff9cc05600d68b8fc8" score = 40 quality = 80 tags = "FILE" 
@@ -276897,14 +277383,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "60308c6f-98d7-5076-ace6-96d2689ea450" + id = "45f59f43-b8eb-5c58-a386-a7bb19a88253" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8423-L8442" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4" - logic_hash = "v1_sha256_5dd553f7a90a5680d1a250a951e0166a526690dbef5fe431fa37347b3a5f2078" + logic_hash = "5dd553f7a90a5680d1a250a951e0166a526690dbef5fe431fa37347b3a5f2078" score = 40 quality = 80 tags = "FILE" @@ -276927,7 +277413,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" - id = "ca963a33-6c3d-5b29-886d-f754bd698264" + id = "b2a52cf7-6f64-5409-8764-e26f7b9e45c8" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -276935,7 +277421,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_F877 : FI license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54" hash = "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5" - logic_hash = "v1_sha256_65966a05952fcf57b8d722154fe6dcafba49fffa0494086e1ff2bf76229d0c78" + logic_hash = "65966a05952fcf57b8d722154fe6dcafba49fffa0494086e1ff2bf76229d0c78" score = 40 quality = 80 tags = "FILE" @@ -276958,14 +277444,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" - id = "852360fe-b17a-5da8-bdf7-8e9263ab164b" + id = "9c9c668c-f83c-5166-a4ae-717709df5e70" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8468-L8487" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156" - logic_hash = "v1_sha256_7ff6b127fcdbe2a1612d46fccdf23d0fbaa2f6a91a54b718658ebd2d3fea8bce" + logic_hash = "7ff6b127fcdbe2a1612d46fccdf23d0fbaa2f6a91a54b718658ebd2d3fea8bce" score = 40 quality = 80 tags = "FILE" 
@@ -276988,14 +277474,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Almicosoftware_Sfdrvxsys_Speedfan_X_AD23 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sfdrvx32.sys" author = "Florian Roth" - id = "cfef16a0-2111-5d5c-b9a7-d1e9d3d04d10" + id = "df1de7d1-dd2a-5c6c-980d-a080b343f4f7" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8490-L8509" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b" - logic_hash = "v1_sha256_8cdd734afe9bdf25157395096e64bfa743e4f17e1bde796269d6b5c875147561" + logic_hash = "8cdd734afe9bdf25157395096e64bfa743e4f17e1bde796269d6b5c875147561" score = 40 quality = 80 tags = "FILE" 
@@ -277018,14 +277504,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Rtportsys_Windowsrddkdriver_ meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtport.sys" author = "Florian Roth" - id = "bb9f7ac3-1306-55fd-a4d2-750794345129" + id = "8ed20998-ff6a-56d1-aa40-b6b35f308cbd" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8512-L8531" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0" - logic_hash = "v1_sha256_707ec81c9fb679a439f23e97e92c6d08b541cd433bfa4fa4296a664cabb403d0" + logic_hash = "707ec81c9fb679a439f23e97e92c6d08b541cd433bfa4fa4296a664cabb403d0" score = 40 quality = 80 tags = "FILE" 
@@ -277048,14 +277534,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_B205 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkiow8x64.sys " author = "Florian Roth" - id = "85754c15-fa64-5166-8efd-513dc5d7bc37" + id = "0246761e-08b5-557b-950c-598083488d4f" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8534-L8553" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038" - logic_hash = "v1_sha256_8313ea1ab68c635fd99927884741a087ea5d93e3e2d3d3c9171609f17545d3cc" + logic_hash = "8313ea1ab68c635fd99927884741a087ea5d93e3e2d3d3c9171609f17545d3cc" score = 40 quality = 80 tags = "FILE" 
@@ -277078,14 +277564,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Filseclabcorporation_Filnk_Filseclabdynamicdefen meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filnk.sys" author = "Florian Roth" - id = "e1bb4f87-ca91-54c4-b389-6a16ce4d2d7a" + id = "cedb7acf-a1a9-566c-becd-f3e9952a9a3d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8556-L8575" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12" - logic_hash = "v1_sha256_36e491c2841bb77cfc3c07545a30af7edef940e4f36fffd33f6a35f5d8980c86" + logic_hash = "36e491c2841bb77cfc3c07545a30af7edef940e4f36fffd33f6a35f5d8980c86" score = 40 quality = 80 tags = "FILE" 
@@ -277108,14 +277594,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_CBF7 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys" author = "Florian Roth" - id = "4116be82-8d73-5169-9b5a-5d2f3e0877b3" + id = "b6cf6e40-1414-57a4-839a-7bd45e33b6c8" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8578-L8597" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183" - logic_hash = "v1_sha256_4093b8e8e67632b5ee28b0e8843398e3e32c33b6fbb18c68730f4495d4c025ad" + logic_hash = "4093b8e8e67632b5ee28b0e8843398e3e32c33b6fbb18c68730f4495d4c025ad" score = 40 quality = 80 tags = "FILE" 
@@ -277138,14 +277624,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys" author = "Florian Roth" - id = "43ff8ede-ede7-55d6-82dd-9a6e82fae80a" + id = "54901649-06c2-5bcb-a725-8a4d206dc00c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8600-L8619" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f" - logic_hash = "v1_sha256_212de91b3abdc9948aad64531983df3c75e36ff73e56a6b5e8a488571fc39465" + logic_hash = "212de91b3abdc9948aad64531983df3c75e36ff73e56a6b5e8a488571fc39465" score = 40 quality = 80 tags = "FILE" @@ -277168,7 +277654,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_66F8 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys" author = "Florian Roth" - id = "43d7364e-3731-5b76-954a-327542e54b78" + id = "4ced2cc9-9068-5e5f-a9c6-f091b4550028" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -277176,7 +277662,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtier_66F8 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e" hash = "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0" - logic_hash = "v1_sha256_bb8f360956167a6616fa3449f4dcbc78f938a69c979298d921757c6f1e779601" + logic_hash = "bb8f360956167a6616fa3449f4dcbc78f938a69c979298d921757c6f1e779601" score = 40 quality = 80 tags = "FILE" @@ -277198,14 +277684,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" - id = "8b88709f-0cbc-5da2-a26d-0283b1ef37ab" + id = "91f857f9-14eb-5b6d-8aed-41c2dae736e1" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8644-L8663" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03" - logic_hash = "v1_sha256_3379ec91998a5850e3181784a43fa669817d2f3930bc790bf7b46857a2393d93" + logic_hash = "3379ec91998a5850e3181784a43fa669817d2f3930bc790bf7b46857a2393d93" score = 40 quality = 80 tags = "FILE" 
@@ -277228,7 +277714,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F : meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys" author = "Florian Roth" - id = "5543f433-dd84-57f9-a5c9-04807435f4b1" + id = "a7b74018-53bc-5f36-b1cd-50d87c5928e0" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -277239,7 +277725,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_1A4F : hash = "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f" hash = "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece" hash = "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282" - logic_hash = "v1_sha256_46cf4eeb547c5924f29ba44a85da013b505732cea5f2ddc8e7e8645b793994a9" + logic_hash = "46cf4eeb547c5924f29ba44a85da013b505732cea5f2ddc8e7e8645b793994a9" score = 40 quality = 80 tags = "FILE" 
@@ -277262,14 +277748,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Filseclabcorporation_Filwfp_Filseclabfirewall_49 meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - filwfp.sys" author = "Florian Roth" - id = "c8836b4c-9808-529b-a4a2-1a2c842efd6a" + id = "ca80dd10-59cc-576d-a077-01dff115016f" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8692-L8711" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a" - logic_hash = "v1_sha256_722b36f80e7c899c75667c989390161a30d1336be397c771174e8753865a6f8c" + logic_hash = "722b36f80e7c899c75667c989390161a30d1336be397c771174e8753865a6f8c" score = 40 quality = 80 tags = "FILE" 
@@ -277292,14 +277778,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asrockincorporation_Asrautochkupddrvsys_Asrautoc meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsrAutoChkUpdDrv_1_0_32.sys" author = "Florian Roth" - id = "109542bd-db9a-504a-b065-d6590130914f" + id = "64fed65f-7b98-54a9-b84d-00401c4e4094" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8714-L8733" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe" - logic_hash = "v1_sha256_a07a0630526bf3b9d427a83b00269428059e640787a834ff129cdb23b4c4c245" + logic_hash = "a07a0630526bf3b9d427a83b00269428059e640787a834ff129cdb23b4c4c245" score = 40 quality = 80 tags = "FILE" 
@@ -277322,14 +277808,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_9E34 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys" author = "Florian Roth" - id = "0fa0fcb8-25a8-507b-bafa-c39d17d138d9" + id = "17aba336-885e-556a-a05e-9cba2ddbf656" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8736-L8755" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c" - logic_hash = "v1_sha256_d07bb8afe8e9e55d9bbf5c96ab8be6bf1f3b65a08873f8956436b87ad3b826d8" + logic_hash = "d07bb8afe8e9e55d9bbf5c96ab8be6bf1f3b65a08873f8956436b87ad3b826d8" score = 40 quality = 80 tags = "FILE" @@ -277352,7 +277838,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WiseUnlo.sys" author = "Florian Roth" - id = "e59d1fa4-0a92-5ade-8fe5-18c7b6bde0a3" + id = "4b731a73-af46-5607-96c3-6aeeb7df9976" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -277360,7 +277846,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Wisecleanercom_Wiseunlosys_Wiseunlo_9D53 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a" hash = "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4" - logic_hash = "v1_sha256_bdf3933b96f571ca3f07d9c3775847d5053f3f147b75068e7dad4a152480935e" + logic_hash = "bdf3933b96f571ca3f07d9c3775847d5053f3f147b75068e7dad4a152480935e" score = 40 quality = 80 tags = "FILE" @@ -277383,14 +277869,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_BCFC : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "49c6a25e-d7b6-5505-b710-fe51107efaad" + id = "aabd529a-516f-5e7f-85e2-b7fa207b89cd" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8781-L8800" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f" - logic_hash = "v1_sha256_10b04a7ca71652632fb836bfb76f6be8b4c1d9e7e6566f623b52a850b3dbebde" + logic_hash = "10b04a7ca71652632fb836bfb76f6be8b4c1d9e7e6566f623b52a850b3dbebde" score = 40 quality = 80 tags = "FILE" 
@@ -277413,7 +277899,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4 meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" - id = "f3bd01bb-a84c-5014-b927-0c579c80bf12" + id = "e7e01116-2971-59fd-bada-ac22cdc17670" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" @@ -277421,7 +277907,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrddkprovider_Gdrvsys_Windowsrddkdriver_F4 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b" hash = "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b" - logic_hash = "v1_sha256_e7ca103b49c11733154f9f4bf164be90f25d3534ea103312047d7f1a9c240131" + logic_hash = "e7ca103b49c11733154f9f4bf164be90f25d3534ea103312047d7f1a9c240131" score = 40 quality = 80 tags = "FILE" 
@@ -277444,14 +277930,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_DBC6 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "537a0163-7126-5a50-9fd9-163a190d53da" + id = "9a004873-765d-5db7-87e1-8796286635e3" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8826-L8845" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed" - logic_hash = "v1_sha256_becd57b696fe37ea0ae1bd83aa1c00258d1a58fd83c80d9772bea625ad0d6afc" + logic_hash = "becd57b696fe37ea0ae1bd83aa1c00258d1a58fd83c80d9772bea625ad0d6afc" score = 40 quality = 80 tags = "FILE" 
@@ -277474,14 +277960,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys" author = "Florian Roth" - id = "f77867e9-c16f-5e9c-82f8-99b4e5b015d6" + id = "ec067130-dde8-58a8-884f-eeda3c7adf57" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8848-L8867" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1" - logic_hash = "v1_sha256_ae01cd2b9b1c504298c0295fd4f3e54199df371787676f19ba0a3ad9340f0c56" + logic_hash = "ae01cd2b9b1c504298c0295fd4f3e54199df371787676f19ba0a3ad9340f0c56" score = 40 quality = 80 tags = "FILE" 
@@ -277504,14 +277990,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_4E37 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "f35a8c2a-b8a8-5d1c-b249-febc46d51618" + id = "c827a2fc-e533-5113-a7e5-8ae4f5718d63" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8870-L8889" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69" - logic_hash = "v1_sha256_cd104e4130ef7fcc525a31aacc1180933cd6fe99a7b0c10a54622c512d699364" + logic_hash = "cd104e4130ef7fcc525a31aacc1180933cd6fe99a7b0c10a54622c512d699364" score = 40 quality = 80 tags = "FILE" 
@@ -277534,14 +278020,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_ECD0 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "971b36d8-ba17-5a3a-b19f-fbe364019da9" + id = "f683f7c5-15cb-5e1b-9d6e-4261c85a581a" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8892-L8911" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566" - logic_hash = "v1_sha256_48342828a25e7fdd6dad197bb079d58fc1937b9630f021067a7f197e53c912d9" + logic_hash = "48342828a25e7fdd6dad197bb079d58fc1937b9630f021067a7f197e53c912d9" score = 40 quality = 80 tags = "FILE" 
@@ -277564,14 +278050,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6701 : FIL meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS" author = "Florian Roth" - id = "552ae2da-fa73-5a39-8c5a-115dc79d8514" + id = "89f292a0-04cd-5c07-9c43-9fef78748ef4" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8914-L8933" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c" - logic_hash = "v1_sha256_c6d8f88f83fffed54cd4adf0542a40531765b0cea0e963ed7ad5d646a7901f19" + logic_hash = "c6d8f88f83fffed54cd4adf0542a40531765b0cea0e963ed7ad5d646a7901f19" score = 40 quality = 80 tags = "FILE" 
@@ -277594,14 +278080,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Radiantsystemsinc_Radhwmgrsys_Radiantsystemsinch meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - RadHwMgr.sys" author = "Florian Roth" - id = "e3f0deb2-72dd-52e2-98f7-a633f6962a09" + id = "1903bced-7391-5d95-a71b-a2657286b5cd" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8936-L8955" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c" - logic_hash = "v1_sha256_d5975b9f192b982cb0febc0314e9597f387830e6c1cc4bf0202918ce75c8ca33" + logic_hash = "d5975b9f192b982cb0febc0314e9597f387830e6c1cc4bf0202918ce75c8ca33" score = 40 quality = 80 tags = "FILE" @@ -277624,7 +278110,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_DEE3 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ComputerZ.Sys" author = "Florian Roth" - id = "503e52fc-13b9-54e9-a759-d90b2a27ec53" + id = "189bf93d-db65-50d7-8637-62877742ccae" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -277632,7 +278118,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Cn_Computerzsys_DEE3 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233"
 hash = "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd"
- logic_hash = "v1_sha256_106ecc5e36dbf66a7660d00bfcce40934528899d60bd2bb7711c56f515119fcc"
+ logic_hash = "106ecc5e36dbf66a7660d00bfcce40934528899d60bd2bb7711c56f515119fcc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277655,14 +278141,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_36E3 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "a8d042bd-d5c7-5ebd-8437-8642b3fb63ab"
+ id = "6ea52f09-df49-5bc4-a3bc-34a80e78b739"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L8981-L9000"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289"
- logic_hash = "v1_sha256_c8c776a3ef3f452b261c7348f0634f9bac7e00f5028eeb56af41461d240a5216"
+ logic_hash = "c8c776a3ef3f452b261c7348f0634f9bac7e00f5028eeb56af41461d240a5216"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277685,14 +278171,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_FDA9 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "1b4cdcb9-e37b-5ea1-be94-1ebf446ffca3"
+ id = "d405ca94-8b2c-57cd-b6da-8dbfd5f8d858"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9003-L9022"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280"
- logic_hash = "v1_sha256_2548a054742e55e13e146fa3389c4fb17bdf4e7785bc824e5dd8be7d0cddd75a"
+ logic_hash = "2548a054742e55e13e146fa3389c4fb17bdf4e7785bc824e5dd8be7d0cddd75a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277715,14 +278201,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_6E9E : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS"
 author = "Florian Roth"
- id = "ebbb990d-2bc4-59c4-bf25-0010fee7d025"
+ id = "8ec4875c-4f84-5706-81c8-9dd94dccb962"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9025-L9044"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094"
- logic_hash = "v1_sha256_1a5841556e8589b9fda2167a5ad9c6ac0ec7bb9e9358220ebc18e9675fe6254b"
+ logic_hash = "1a5841556e8589b9fda2167a5ad9c6ac0ec7bb9e9358220ebc18e9675fe6254b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277745,14 +278231,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_1228 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "f51fed91-1544-508e-941a-d6b4ba04f8f9"
+ id = "a46d53f7-ddac-5597-be0d-0e05232bbaec"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9047-L9066"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a"
- logic_hash = "v1_sha256_6d10896a203562741de37cb97e858a1d70451ad5fc1341ad80d6aa4765b8de9a"
+ logic_hash = "6d10896a203562741de37cb97e858a1d70451ad5fc1341ad80d6aa4765b8de9a"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277775,14 +278261,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_D205 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_RCIO64.sys"
 author = "Florian Roth"
- id = "6c56665d-0938-5a44-b40b-35e3b56a8d0f"
+ id = "ea90277d-696d-5674-b679-9a340359e853"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9069-L9088"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e"
- logic_hash = "v1_sha256_8c88f91ab8ff231e4ab6e532b8d71ba810fa62e684dec7fff6b74c4f85a96f65"
+ logic_hash = "8c88f91ab8ff231e4ab6e532b8d71ba810fa62e684dec7fff6b74c4f85a96f65"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277805,7 +278291,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwindd
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - amifldrv64.sys, amifldrv.sys"
 author = "Florian Roth"
- id = "211b3781-8a0c-5dd1-88ca-7ed416ff1808"
+ id = "9c05031d-2062-53fb-982c-f874bf902b48"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -277813,7 +278299,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Amifldrvsys_Windowsrwindd
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20"
 hash = "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f"
- logic_hash = "v1_sha256_fb233e5c3cd88ab1450d3371b2f916af9dc8f0b5ffd145e47ad2f0678495b630"
+ logic_hash = "fb233e5c3cd88ab1450d3371b2f916af9dc8f0b5ffd145e47ad2f0678495b630"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277836,7 +278322,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - hwdetectng.sys"
 author = "Florian Roth"
- id = "14ac0f00-6287-5ee9-ace1-ac7ceff973f3"
+ id = "861a355c-e883-5384-9d77-b572575905d1"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -277845,7 +278331,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Inferre_Hwdetectngsys_Hwdetectngsys_D456 : FILE
 hash = "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2"
 hash = "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee"
 hash = "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f"
- logic_hash = "v1_sha256_8cf397f3b2c7d5b6a3517b40727839c9ab9a460375f0159f69c0d160a38cb470"
+ logic_hash = "8cf397f3b2c7d5b6a3517b40727839c9ab9a460375f0159f69c0d160a38cb470"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277868,14 +278354,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Adlicesoftware_Truesight_Truesight_BFC2 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - truesight.sys"
 author = "Florian Roth"
- id = "b1b9b131-75f7-573f-82a0-0b48bedb6deb"
+ id = "89e4602a-9233-5955-9edb-c09fb2b01376"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9138-L9157"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c"
- logic_hash = "v1_sha256_31bf547d77d003653090c31588635255d5983e179146bf53b5624dc3fdcf8422"
+ logic_hash = "31bf547d77d003653090c31588635255d5983e179146bf53b5624dc3fdcf8422"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277898,14 +278384,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
 author = "Florian Roth"
- id = "c663fc96-4a60-5aac-92a0-b9fa9f60fa51"
+ id = "3c2a3d3b-ec7f-509d-a00a-0bb1b73f50cf"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9160-L9179"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b"
- logic_hash = "v1_sha256_e1bf0fb9255ba7cd386ac0d51ce1d22ffde535a0064683f2178fac388b6944a0"
+ logic_hash = "e1bf0fb9255ba7cd386ac0d51ce1d22ffde535a0064683f2178fac388b6944a0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277928,7 +278414,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxs
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - inpoutx64.sys"
 author = "Florian Roth"
- id = "a94e7840-b5e9-5a59-b0c6-c837364a17d7"
+ id = "2103d553-3e8a-5f81-b54e-c125aa7746ca"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -277937,7 +278423,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Highresolutionenterpriseswwwhighrezcouk_Inpoutxs
 hash = "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af"
 hash = "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b"
 hash = "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d"
- logic_hash = "v1_sha256_ae7082fe90cf522f7bcbb615b751961972331147af1a56af961d35bf70e87f90"
+ logic_hash = "ae7082fe90cf522f7bcbb615b751961972331147af1a56af961d35bf70e87f90"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277960,14 +278446,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_12ED : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "293841b9-bad4-55d6-920b-8bbd6edffb40"
+ id = "d8599978-d388-5b67-99ff-d4bde156b433"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9206-L9225"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56"
- logic_hash = "v1_sha256_9c43c1e37bcc87d616e8d7fa1a610b4d3f28b60d2203d0e466939a41b1a8a7d7"
+ logic_hash = "9c43c1e37bcc87d616e8d7fa1a610b4d3f28b60d2203d0e466939a41b1a8a7d7"
 score = 40
 quality = 80
 tags = "FILE"
@@ -277990,14 +278476,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_FF1C : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS"
 author = "Florian Roth"
- id = "59e3ac0f-69b9-5ccc-99d6-2e557d3b46ff"
+ id = "2c04159c-312f-52a5-8a6c-3fc8346dda5e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9228-L9247"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5"
- logic_hash = "v1_sha256_ee97df01a31ceb88274de9890887f6203bee9b173a2034ad4570a9bb92d13dd2"
+ logic_hash = "ee97df01a31ceb88274de9890887f6203bee9b173a2034ad4570a9bb92d13dd2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278020,14 +278506,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_EBE2 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "23f1bc55-cd0f-5afb-a355-5fd4fdc31b7b"
+ id = "6d854b08-4675-53c5-9d7f-753c94310df0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9250-L9269"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3"
- logic_hash = "v1_sha256_4f671c0023ef9bbb82a3fdd328709bb9c2a579fbef7f0a348b01fd4188ded3d4"
+ logic_hash = "4f671c0023ef9bbb82a3fdd328709bb9c2a579fbef7f0a348b01fd4188ded3d4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278050,14 +278536,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_CA34 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nscm.sys"
 author = "Florian Roth"
- id = "8ce5936a-b62b-5345-aec7-98aad4e40f34"
+ id = "326a5e40-0706-5daf-b1a5-8bcff8b3fcae"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9272-L9290"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d"
- logic_hash = "v1_sha256_20276f0c10cef963957e6f868643166567862b89124d96371b80dfe217eab4b6"
+ logic_hash = "20276f0c10cef963957e6f868643166567862b89124d96371b80dfe217eab4b6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278079,7 +278565,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_46D1 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rzpnk.sys"
 author = "Florian Roth"
- id = "3a273c25-275b-5d7d-8626-b33c212b0495"
+ id = "af2cb913-c98c-5d29-9822-095df2e8c270"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -278089,7 +278575,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Razerinc_Rzpnk_Rzpnk_46D1 : FILE
 hash = "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53"
 hash = "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61"
 hash = "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757"
- logic_hash = "v1_sha256_58fde74c3e542d3c0c05f60c92592cf5f9a3b217c0e3d3daf484e91684201564"
+ logic_hash = "58fde74c3e542d3c0c05f60c92592cf5f9a3b217c0e3d3daf484e91684201564"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278112,7 +278598,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CorsairLLAccess64.sys"
 author = "Florian Roth"
- id = "8bc16fbe-0426-5ee6-9f20-0c796eec4b4d"
+ id = "50cf8320-c182-5f59-b2a7-750c618312bf"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -278120,7 +278606,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Corsairmemoryinc_Corsairllaccess_Corsairllaccess
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d"
 hash = "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b"
- logic_hash = "v1_sha256_881222a52349787251b723640a42b468e4d3f8ee614329de61d7816b00beb9ff"
+ logic_hash = "881222a52349787251b723640a42b468e4d3f8ee614329de61d7816b00beb9ff"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278143,14 +278629,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_1C12 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "5d970335-095d-597b-9501-c9ed33c59789"
+ id = "14390895-6fae-5e00-9d0d-76347782873c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9341-L9360"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687"
- logic_hash = "v1_sha256_d8f6326a34caddc2c91ac47e57ed022086bea7122203f166cd5e3176c369a3e4"
+ logic_hash = "d8f6326a34caddc2c91ac47e57ed022086bea7122203f166cd5e3176c369a3e4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278173,14 +278659,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroaegis_4BC0 : F
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "94431089-c74d-5119-af11-b56db6f4a3a2"
+ id = "da911735-e7b3-5721-8254-958f25b0efa1"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9363-L9382"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4"
- logic_hash = "v1_sha256_1f138a336f979f9a4a75796cdd6cab5716a17f1ded02350db64a6ec618c7a1dd"
+ logic_hash = "1f138a336f979f9a4a75796cdd6cab5716a17f1ded02350db64a6ec618c7a1dd"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278203,14 +278689,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Iobitinformationtechnology_Iobitunlockersys_Unlo
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iobitunlocker.sys"
 author = "Florian Roth"
- id = "579f91dc-9751-555a-aaf7-4f16e6febab1"
+ id = "a9cbfdc3-6c84-5c6f-98a9-8cf77cc32d9d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9385-L9404"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004"
- logic_hash = "v1_sha256_1a7df58e346f6ae2224163302bbc14815c6d612c1414b59663d3d9f730925499"
+ logic_hash = "1a7df58e346f6ae2224163302bbc14815c6d612c1414b59663d3d9f730925499"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278233,14 +278719,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_C190 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - libnicm.sys"
 author = "Florian Roth"
- id = "25ce1969-9f99-58e4-b325-6519891663a7"
+ id = "9a9903d6-bdab-5694-9e26-66a797e299d5"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9407-L9425"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a"
- logic_hash = "v1_sha256_44017c1fab02aec40335b310646d9760ce4db2da785d08a430442a5afe9d4887"
+ logic_hash = "44017c1fab02aec40335b310646d9760ce4db2da785d08a430442a5afe9d4887"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278262,14 +278748,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
 author = "Florian Roth"
- id = "5714b85a-7082-502b-a432-fa4ddf6bbf1f"
+ id = "8fc2f891-9898-551b-8a21-5222af319764"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9428-L9447"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4"
- logic_hash = "v1_sha256_beca5e85d2b29d6a37e9d783facf37bb375095ae5d47a8a2eff663afbc22ffc3"
+ logic_hash = "beca5e85d2b29d6a37e9d783facf37bb375095ae5d47a8a2eff663afbc22ffc3"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278292,14 +278778,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "ab03e09d-47fd-5116-abee-85e11f011ff3"
+ id = "6c041a1a-b6f2-50f1-a079-1a4abc0c1f37"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9450-L9469"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea"
- logic_hash = "v1_sha256_5c3addc4d27338e1ed76b65327198acef97969b13e6ac8284153fcc1fd992b4d"
+ logic_hash = "5c3addc4d27338e1ed76b65327198acef97969b13e6ac8284153fcc1fd992b4d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278322,7 +278808,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys"
 author = "Florian Roth"
- id = "31f885f9-aa5c-521b-a811-5f6c6edf6fb1"
+ id = "69622a5d-bccf-51cc-8e8b-f1792c89275a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -278330,7 +278816,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_7337 : FILE
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e"
 hash = "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4"
- logic_hash = "v1_sha256_9f3772548952491a3c20cdecdba491017a7bb7c113360feae778426539e5d9b8"
+ logic_hash = "9f3772548952491a3c20cdecdba491017a7bb7c113360feae778426539e5d9b8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278353,14 +278839,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_ADC1 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "02885b73-8ee4-5216-86b2-dd03cbf7fdef"
+ id = "77819373-6f49-56bc-8636-d25cd75491b7"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9495-L9514"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee"
- logic_hash = "v1_sha256_896055705d276e007082616e944be968d90087798e3c4cfcc35c3ecaf3a781b0"
+ logic_hash = "896055705d276e007082616e944be968d90087798e3c4cfcc35c3ecaf3a781b0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278383,7 +278869,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosio
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys"
 author = "Florian Roth"
- id = "93d79f65-65fd-55ef-ae3b-b114db272e6b"
+ id = "e8515bb1-cf81-510a-9d48-7fd353c6c37a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -278391,7 +278877,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosio
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d"
 hash = "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0"
- logic_hash = "v1_sha256_d9be90591690481e778ebb8a18c633d7ceccdaafa3989352d94bd1995e3470f4"
+ logic_hash = "d9be90591690481e778ebb8a18c633d7ceccdaafa3989352d94bd1995e3470f4"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278414,14 +278900,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecurit
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "02e5fb06-b96f-5437-a7e7-ae0cb64ff5c5"
+ id = "1ac2562c-9d06-5372-bc45-e9491a7bfeea"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9540-L9559"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5"
- logic_hash = "v1_sha256_45bd63fd965c9c40b0d687af623f58922c708608a25e58b2c1ad436312e6284d"
+ logic_hash = "45bd63fd965c9c40b0d687af623f58922c708608a25e58b2c1ad436312e6284d"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278444,14 +278930,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Fujitsulimited_Advdrvsys_Microsoftrwindowsropera
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ADV64DRV.sys"
 author = "Florian Roth"
- id = "15f0471e-dcfb-5bea-9e5f-1d7f8d906e6e"
+ id = "fa878fd1-9d19-561e-bd01-b4693a48f480"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9562-L9580"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162"
- logic_hash = "v1_sha256_7b98ca983166c65065b6fe146957ac438426c0ad2566016e0a61ca3be68f163e"
+ logic_hash = "7b98ca983166c65065b6fe146957ac438426c0ad2566016e0a61ca3be68f163e"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278473,14 +278959,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Amdryzenmasterdriversys_Amd
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDRyzenMasterDriver.sys"
 author = "Florian Roth"
- id = "01923319-8e81-5e2d-b605-8a920405390a"
+ id = "aa757ead-9ab0-5c5f-ba50-f310130e3d08"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9583-L9602"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5"
- logic_hash = "v1_sha256_d47eec2132d31ce4f4009456805e7b75e43054edf13c3f056416638cf3928e41"
+ logic_hash = "d47eec2132d31ce4f4009456805e7b75e43054edf13c3f056416638cf3928e41"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278503,14 +278989,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sunmicrosystemsinc_Vboxtapsys_Virtualboxhostinte
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys"
 author = "Florian Roth"
- id = "92426b70-2756-584b-8216-05c7cd98977d"
+ id = "657161e9-b714-5bd9-bbb7-5ad7df6a83c5"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9605-L9624"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783"
- logic_hash = "v1_sha256_1fefb271c505de9c1d08d558a53f8150cb8724b1b97ac2014f30d2c593f05f6b"
+ logic_hash = "1fefb271c505de9c1d08d558a53f8150cb8724b1b97ac2014f30d2c593f05f6b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278533,7 +279019,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymac
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS"
 author = "Florian Roth"
- id = "c5ea99d0-cf9f-54f0-bf3d-96e7780e3225"
+ id = "c9951c04-1a18-53df-abaa-bfcd7c0a1aec"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -278541,7 +279027,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Generalelectriccompany_Gedevicedriver_Proficymac
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce"
 hash = "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc"
- logic_hash = "v1_sha256_e9af30ff414f7c42b656519453924a90be7cf567c5d5ac6c29713d6799a369c1"
+ logic_hash = "e9af30ff414f7c42b656519453924a90be7cf567c5d5ac6c29713d6799a369c1"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278564,14 +279050,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_85FD : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys"
 author = "Florian Roth"
- id = "ec70cfc5-2b76-52e9-b4ff-cfcf4e3bf8bb"
+ id = "50552007-935f-5476-a596-6052030c08c4"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9650-L9669"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3"
- logic_hash = "v1_sha256_dd2e7c64c1f0139e2c365e8f726e026c66857334dbfd29eda3ebffa483677b5f"
+ logic_hash = "dd2e7c64c1f0139e2c365e8f726e026c66857334dbfd29eda3ebffa483677b5f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -278594,14 +279080,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_7CF7 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys" author = "Florian Roth" - id = "7ebbc989-ef76-554c-98f0-b02e04aceca4" + id = "7114725c-9cca-53c3-8902-79d83386fef4" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9672-L9691" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0" - logic_hash = "v1_sha256_f6570bb8a690a21b67637f265f36dbe8a3adb63e30c025216c25df73099ad173" + logic_hash = "f6570bb8a690a21b67637f265f36dbe8a3adb63e30c025216c25df73099ad173" score = 40 quality = 80 tags = "FILE" 
@@ -278624,14 +279110,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_7795 : meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys" author = "Florian Roth" - id = "b6b610f5-3c68-50e8-92f5-604397e60f6b" + id = "84866b07-19cc-5c75-acc3-7640adcf68e8" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9694-L9713" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c" - logic_hash = "v1_sha256_f59507fdf64c5eca6139f149595b9919704fead73d4e66c93630ca6cf9582a82" + logic_hash = "f59507fdf64c5eca6139f149595b9919704fead73d4e66c93630ca6cf9582a82" score = 40 quality = 80 tags = "FILE" 
@@ -278654,14 +279140,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_B019 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SANDRA.sys" author = "Florian Roth" - id = "fb53fc6a-53d1-52dc-a36e-26e2820c100b" + id = "4edbf604-a98c-5877-8385-eff85575daa4" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9716-L9735" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a" - logic_hash = "v1_sha256_1ef6c4c199fad08babe5f4484444c157dfcfea891f392682689cf2df34088179" + logic_hash = "1ef6c4c199fad08babe5f4484444c157dfcfea891f392682689cf2df34088179" score = 40 quality = 80 tags = "FILE" 
@@ -278684,14 +279170,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevicesinc_Amdpowerprofilersys_Amdu meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AMDPowerProfiler.sys" author = "Florian Roth" - id = "727b0291-4141-5d31-828c-0c4de40938a0" + id = "6475e885-711f-53ea-9ab6-cdb45b3a0917" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9738-L9757" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05" - logic_hash = "v1_sha256_ac1fd75b411624e0f4cd6d455a61e1ac3c08d421182c4f9eb90698ee29eff77a" + logic_hash = "ac1fd75b411624e0f4cd6d455a61e1ac3c08d421182c4f9eb90698ee29eff77a" score = 40 quality = 80 tags = "FILE" 
@@ -278714,14 +279200,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiosys_Realtekiodriver_074A : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" - id = "327f06fb-462c-5d50-b08e-8048e2e19626" + id = "2cb53106-382d-5645-a72c-28a64112bb47" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9760-L9779" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761" - logic_hash = "v1_sha256_b76e7a17aa7da3d6a1972a40fbcaa4ca63edb4220b07d807ee54fea649b13a6d" + logic_hash = "b76e7a17aa7da3d6a1972a40fbcaa4ca63edb4220b07d807ee54fea649b13a6d" score = 40 quality = 80 tags = "FILE" 
@@ -278744,14 +279230,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_98B7 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" - id = "dcac7439-a118-571b-a53b-bf35e0479304" + id = "f827cf5e-23c7-5db8-9949-14382788bbdd" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9782-L9801" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8" - logic_hash = "v1_sha256_db97be0a54fc813022a609ffdabe0e0cff306ef894c560f75a43a4aa890590d5" + logic_hash = "db97be0a54fc813022a609ffdabe0e0cff306ef894c560f75a43a4aa890590d5" score = 40 quality = 80 tags = "FILE" 
@@ -278774,14 +279260,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Novellinc_Novellxtierforwindows_V_7A2C : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nicm.sys" author = "Florian Roth" - id = "f6d42d57-3227-5b27-ad4f-be1ed9b34301" + id = "eae98a64-3478-55fc-b839-7a1ec0f1521d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9804-L9822" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25" - logic_hash = "v1_sha256_01badc48c33814577b1a6000b4ff46473b48f85d8f8e8d6071d26b81d3cde22d" + logic_hash = "01badc48c33814577b1a6000b4ff46473b48f85d8f8e8d6071d26b81d3cde22d" score = 40 quality = 80 tags = "FILE" 
@@ -278803,14 +279289,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_9A95 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" - id = "759139e3-1a4b-5f0f-b3c2-689554f77a2e" + id = "de7c3f85-1101-58c2-882b-e7e59d95fdd8" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9825-L9841" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c" - logic_hash = "v1_sha256_3b699e2afa7e4c4284d725cc159b46a609e4020703bc0efc7ba6563084d67f0e" + logic_hash = "3b699e2afa7e4c4284d725cc159b46a609e4020703bc0efc7ba6563084d67f0e" score = 40 quality = 80 tags = "FILE" 
@@ -278830,14 +279316,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_19BF : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS" author = "Florian Roth" - id = "7b6e7a93-33ad-51ee-87ff-ab7b4f08231f" + id = "4e733353-21f8-5a32-b735-fccd3ffba831" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9844-L9863" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775" - logic_hash = "v1_sha256_b05c520a5816f2dc7a35319f7f5d11001c5d64cdee479e213ac95950acf26bfc" + logic_hash = "b05c520a5816f2dc7a35319f7f5d11001c5d64cdee479e213ac95950acf26bfc" score = 40 quality = 80 tags = "FILE" 
@@ -278860,14 +279346,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_2BBC : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys" author = "Florian Roth" - id = "060c50f6-95fc-565b-9b87-5d85c0db2f9e" + id = "171ebc5a-3e8a-5771-8960-b623f6581759" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9866-L9882" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1" - logic_hash = "v1_sha256_d311a2d88741100de1ca65107b08418f0d5a3fc44e4e388faf3434f9fec77dcc" + logic_hash = "d311a2d88741100de1ca65107b08418f0d5a3fc44e4e388faf3434f9fec77dcc" score = 40 quality = 80 tags = "FILE" 
@@ -278887,14 +279373,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Logitechinc_Lvavsys_Logitechwebcamsoftware_E86C meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Lv561av.sys" author = "Florian Roth" - id = "1a859fce-ecf1-5f30-a4a2-7adbf98290cf" + id = "3402e3fc-82be-577d-a297-fcae7539bcfc" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9885-L9904" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4" - logic_hash = "v1_sha256_ffab2936594602db403cd2aa85e7dffdcb10ec199fe857b947ae3214492106d4" + logic_hash = "ffab2936594602db403cd2aa85e7dffdcb10ec199fe857b947ae3214492106d4" score = 40 quality = 80 tags = "FILE" 
@@ -278917,14 +279403,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Getactechnologycorporation_Mtcbsvsys_Getacsystem meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GtcKmdfBs.sys" author = "Florian Roth" - id = "46e439c6-d5fa-552a-af83-8dafff9fdf05" + id = "8634c295-d4b3-5f35-8ed3-4b11936593f9" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9907-L9926" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5" - logic_hash = "v1_sha256_bdd3eb671365ee774f50c3bbffc33aaffb3651f92101a133d1ddcc8b4a495e8f" + logic_hash = "bdd3eb671365ee774f50c3bbffc33aaffb3651f92101a133d1ddcc8b4a495e8f" score = 40 quality = 80 tags = "FILE" 
@@ -278947,14 +279433,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Hpinc_Hpportioxsys_Hpportio_C505 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HpPortIox64.sys" author = "Florian Roth" - id = "bcf86d5e-ffda-55e4-9bbd-d488ecf12cd3" + id = "2fb75598-3743-50c5-b9cf-d0e928f0c57c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9929-L9948" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5" - logic_hash = "v1_sha256_6174ef1374e0dfd523f7dcdbbdaab1002a95040c1a33f26bf5145d5dcbf87b08" + logic_hash = "6174ef1374e0dfd523f7dcdbbdaab1002a95040c1a33f26bf5145d5dcbf87b08" score = 40 quality = 80 tags = "FILE" 
@@ -278977,14 +279463,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_AB8F : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" - id = "131d6e0f-7958-5ddf-a25e-f22ba4343bce" + id = "fd0941e8-747f-5337-aaf2-f819e32b8884" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9951-L9970" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89" - logic_hash = "v1_sha256_9be0907f77c5d4803a1ad7ac79cc42c15807a5b2d43e00a2448c6278ad5ea6c4" + logic_hash = "9be0907f77c5d4803a1ad7ac79cc42c15807a5b2d43e00a2448c6278ad5ea6c4" score = 40 quality = 80 tags = "FILE" 
@@ -279007,14 +279493,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpot_Avginternetsecurit meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "6f9faf45-9879-5d10-92b2-0910ed4a6fa8" + id = "e7cfd1c7-bd56-5fb1-8e6a-bc49b67b7c2c" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9973-L9992" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1" - logic_hash = "v1_sha256_0ac2638aaea5a401222d1451281ba8dba8fe4ef43da24e5eecbdd6d57f7b1dbb" + logic_hash = "0ac2638aaea5a401222d1451281ba8dba8fe4ef43da24e5eecbdd6d57f7b1dbb" score = 40 quality = 80 tags = "FILE" 
@@ -279037,14 +279523,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Innotekgmbh_Vboxtapsys_Virtualboxhostinterfacene meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxTAP.sys" author = "Florian Roth" - id = "bf1eb5f4-1d86-5b12-b441-6dda4c055fe5" + id = "3e90f336-734c-53bd-bc82-5045a9eb1ed2" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L9995-L10014" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4" - logic_hash = "v1_sha256_25e4171bb112adf44101ca24c7d88e8a11a487b3c41d1f9eed29129c5621456b" + logic_hash = "25e4171bb112adf44101ca24c7d88e8a11a487b3c41d1f9eed29129c5621456b" score = 40 quality = 80 tags = "FILE" 
@@ -279067,14 +279553,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_9254 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" - id = "248300de-8812-5c8b-8ceb-2b0af7bd75ab" + id = "ac7837d9-055e-502d-a497-fe96b0aa701d" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10017-L10036" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b" - logic_hash = "v1_sha256_cfe16d39c54ccb7ceca1e0fc1033a4d67a0bc9c62c27dcefabe07b68b947e688" + logic_hash = "cfe16d39c54ccb7ceca1e0fc1033a4d67a0bc9c62c27dcefabe07b68b947e688" score = 40 quality = 80 tags = "FILE" 
@@ -279097,14 +279583,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys" author = "Florian Roth" - id = "a8474b71-8e24-514f-8670-52f8d8e7e451" + id = "b44afa7f-6a0d-5cbd-ab2c-910d211f5cb0" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10039-L10058" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb" - logic_hash = "v1_sha256_84d9015bf6ddbfcd60052a6ffcf4bfa6a2c2f8748b3b7f21ad65c1c8377dc3cb" + logic_hash = "84d9015bf6ddbfcd60052a6ffcf4bfa6a2c2f8748b3b7f21ad65c1c8377dc3cb" score = 40 quality = 80 tags = "FILE" @@ -279127,7 +279613,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iqvw64e.sys, iQVW64.SYS, NalDrv.sys" author = "Florian Roth" - id = "b4c5cc3d-085f-53b2-8dd0-e00fa0d88b3c" + id = "0ffa7a9b-5174-53df-a332-e8b9e460eb1b" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -279135,7 +279621,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_4429 : FI license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b" hash = "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df" - logic_hash = "v1_sha256_3dd4326755957e11ca961eb87d0ccae5b63dc7ea4e9dc8e9c67e9c6d52bf894b" + logic_hash = "3dd4326755957e11ca961eb87d0ccae5b63dc7ea4e9dc8e9c67e9c6d52bf894b" score = 40 quality = 80 tags = "FILE" @@ -279158,14 +279644,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realtek_Rtkiowxsys_Realtekiodriver_32E1 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - rtkio.sys, rtkio64.sys, rtkiow8x64.sys, rtkiow10x64.sys" author = "Florian Roth" - id = "33ef1399-4db0-5db3-9566-1d7f7738da89" + id = "52d07201-6af3-5675-a5f0-9b6a7bb39b28" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10084-L10103" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993" - logic_hash = "v1_sha256_fd106f69d83d2b1aeb1fdaf16f5809b0fd0d200dec00292efd9bd62422e518a8" + logic_hash = "fd106f69d83d2b1aeb1fdaf16f5809b0fd0d200dec00292efd9bd62422e518a8" score = 40 quality = 80 tags = "FILE" 
@@ -279188,14 +279674,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Micsystechnologycoltd_Msiosys_Msiodriverversion_ meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - MsIo64.sys" author = "Florian Roth" - id = "80ab3381-355f-5211-adb2-bdae128ca696" + id = "6db1af54-b12d-5213-b184-7df7f628882e" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10106-L10125" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89" - logic_hash = "v1_sha256_910724e7bac9c9c83e703be52e43f4cd88dda344127f2ebc7aee01981467e9e7" + logic_hash = "910724e7bac9c9c83e703be52e43f4cd88dda344127f2ebc7aee01981467e9e7" score = 40 quality = 80 tags = "FILE" 
@@ -279218,14 +279704,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "6f9c2a42-6b0b-511b-8f77-3c28b34ca853" + id = "30ef7f0d-e6f4-5a98-87c2-286ac64c3886" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10128-L10147" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c" - logic_hash = "v1_sha256_e565dcf1bdc8ebaf90c1e42bf3e72ce561cb95f5977809fb9082bb430353dd9b" + logic_hash = "e565dcf1bdc8ebaf90c1e42bf3e72ce561cb95f5977809fb9082bb430353dd9b" score = 40 quality = 80 tags = "FILE" 
@@ -279248,14 +279734,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Gigabytetechnologycoltd_Gdrvsys_Gigabytesoftware meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gdrv.sys" author = "Florian Roth" - id = "0fc2e4cc-0fd3-5989-898a-a7c834bedbaf" + id = "dba48ad5-9b35-555e-814e-73b74f157b66" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10150-L10169" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097" - logic_hash = "v1_sha256_2a6f460b66c7e94dfead7bdb3dc46a181ba2e33b40fca1812f0b412daf0a46c4" + logic_hash = "2a6f460b66c7e94dfead7bdb3dc46a181ba2e33b40fca1812f0b412daf0a46c4" score = 40 quality = 80 tags = "FILE" @@ -279278,7 +279764,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_0 meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CP2X72C.SYS" author = "Florian Roth" - id = "0e544c1a-7816-5582-8f00-36861deb3c94" + id = "da7c0052-5ff9-5257-a65f-7856f772b4c6" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -279286,7 +279772,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Interfacecorporation_Cpxcsys_Gpcxcdiobmpcicpci_0 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686" hash = "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f" - logic_hash = "v1_sha256_485222f31dbe1e486e86c64b607de6742747b3ab2571adfc8c210205032b380b" + logic_hash = "485222f31dbe1e486e86c64b607de6742747b3ab2571adfc8c210205032b380b" score = 40 quality = 80 tags = "FILE" @@ -279309,14 +279795,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_CC68 : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "d269f836-bb47-51ec-be80-525e019939bc" + id = "14971376-05dc-59c2-bce7-498eabb52678" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10195-L10214" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64" - logic_hash = "v1_sha256_26f1740a069d238aadb1922512e23184cb3cf34d9ef1ff1b942755a49fbd48b0" + logic_hash = "26f1740a069d238aadb1922512e23184cb3cf34d9ef1ff1b942755a49fbd48b0" score = 40 quality = 80 tags = "FILE" 
@@ -279339,14 +279825,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_A209 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt.sys" author = "Florian Roth" - id = "cf704146-fa15-51b4-8bcc-98a1ab161f9c" + id = "e38fec7b-bc36-5fa5-a32e-fd82aa05dd19" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10217-L10236" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641" - logic_hash = "v1_sha256_33238c8b189c5aabe45b238a44fde02b6f9436329c8700ff5b64505784438e69" + logic_hash = "33238c8b189c5aabe45b238a44fde02b6f9436329c8700ff5b64505784438e69" score = 40 quality = 80 tags = "FILE" 
@@ -279369,14 +279855,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrcodenamelonghornddkprovider_Cpudriver_Wi meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WCPU.sys" author = "Florian Roth" - id = "681c955b-8143-5fdc-b390-923efd6e7605" + id = "4ca1b53c-7539-5e0e-8309-224a4a859480" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10239-L10258" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980" - logic_hash = "v1_sha256_e4bcd8644bcc82c63d9d963aeb9a0a4250d8b3be3fb1122156148f4582fe6d48" + logic_hash = "e4bcd8644bcc82c63d9d963aeb9a0a4250d8b3be3fb1122156148f4582fe6d48" score = 40 quality = 80 tags = "FILE" 
@@ -279399,14 +279885,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Proxydrvsys_Nn_0B20 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ProxyDrv.sys" author = "Florian Roth" - id = "c8525814-36d2-5bdd-be5a-abd45c1f9956" + id = "cf4d7446-a97e-58b5-aea7-c77516abacf5" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10261-L10280" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94" - logic_hash = "v1_sha256_04460d4fa04b60519b0479baab3e07b389dfe255f43b3dcea3d13ca33dc84ded" + logic_hash = "04460d4fa04b60519b0479baab3e07b389dfe255f43b3dcea3d13ca33dc84ded" score = 40 quality = 80 tags = "FILE" 
@@ -279429,14 +279915,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Msi_Ntiolibsys_Ntiolib_1DDF : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NTIOLib.sys" author = "Florian Roth" - id = "2c5e089b-ddc7-5486-91a8-81e6fa29c68c" + id = "54f03573-22a0-51ea-b3cd-201d27459cf1" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10283-L10302" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219" - logic_hash = "v1_sha256_23a5fb0826068df015769d604ff393d7d649b919efabd237a004c6946a358448" + logic_hash = "23a5fb0826068df015769d604ff393d7d649b919efabd237a004c6946a358448" score = 40 quality = 80 tags = "FILE" 
@@ -279459,14 +279945,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_654C : FI meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys" author = "Florian Roth" - id = "883e9019-f8cf-5e7a-9029-aa8f574ee553" + id = "c2883a08-8832-514d-a472-e53370fe9a88" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10305-L10324" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad" - logic_hash = "v1_sha256_f494a64914971b82f191becf020023de1139e5f466e5c1db9912d1d1edbdd0f2" + logic_hash = "f494a64914971b82f191becf020023de1139e5f466e5c1db9912d1d1edbdd0f2" score = 40 quality = 80 tags = "FILE" @@ -279489,7 +279975,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 : FILE meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HW.sys" author = "Florian Roth" - id = "17fc87f3-9a35-5e58-9e14-d588fc43cd64" + id = "50ae31e8-41e0-5913-b04a-63b97aa9bbc2" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" 
@@ -279497,7 +279983,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Marvintestsolutionsinc_Hwsys_Hw_FD38 : FILE license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c" hash = "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5" - logic_hash = "v1_sha256_9307a3f6003f6b88d4384aad37803597d7444bcfae806a9f3d59c9a1e59d56e5" + logic_hash = "9307a3f6003f6b88d4384aad37803597d7444bcfae806a9f3d59c9a1e59d56e5" score = 40 quality = 80 tags = "FILE" @@ -279520,14 +280006,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu meta: description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys" author = "Florian Roth" - id = "9abcd323-59e7-5202-8e2a-f54c960f1ad1" + id = "140374de-63f5-5ea2-9546-9356d697f971" date = "2024-08-07" modified = "2024-08-07" reference = "https://github.com/magicsword-io/LOLDrivers" source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10350-L10369" license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE" hash = "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf" - logic_hash = "v1_sha256_79370b21c6049790a259feebf590222ef8c57bb1564401d68a960ae2c547639a" + logic_hash = "79370b21c6049790a259feebf590222ef8c57bb1564401d68a960ae2c547639a" score = 40 quality = 80 tags = "FILE" 
@@ -279550,14 +280036,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
  author = "Florian Roth"
- id = "44a0780b-4adc-5a23-872b-6a0b44db7c9f"
+ id = "c7b13c18-84a2-5362-bd10-a80c001c6efc"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10372-L10391"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1"
- logic_hash = "v1_sha256_7fc1a629395b0558eecf2744dcb121a5b2cdbd51f4291a679f9526f21c4f21c0"
+ logic_hash = "7fc1a629395b0558eecf2744dcb121a5b2cdbd51f4291a679f9526f21c4f21c0"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279580,14 +280066,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Advancedmicrodevices_Aoddriversys_Amdoverdrivese
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AODDriver.sys"
  author = "Florian Roth"
- id = "9e2f29bb-84b8-5ac5-9702-26283d23a45b"
+ id = "8ad51684-d220-51ff-ab94-3a4326f514ab"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10394-L10413"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05"
- logic_hash = "v1_sha256_fc91d46473eecbc49e074df0c05a1dfee352d3607f9393a6836e37a1c071bdf6"
+ logic_hash = "fc91d46473eecbc49e074df0c05a1dfee352d3607f9393a6836e37a1c071bdf6"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279610,14 +280096,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Realixtm_Hwinfosys_Hwinfokerneldriver_EC9B : FIL
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - HWiNFO32.SYS"
  author = "Florian Roth"
- id = "947fbafa-fcd2-5ce7-aa06-0f7ec515b737"
+ id = "a77a77da-6373-5298-86c3-88503aa6a7e5"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10416-L10435"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe"
- logic_hash = "v1_sha256_e16906686623895cf9d6e3c58701f32d44b50b1fe85b95dcf3a8978a62f06a3c"
+ logic_hash = "e16906686623895cf9d6e3c58701f32d44b50b1fe85b95dcf3a8978a62f06a3c"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279640,14 +280126,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_D7C7 : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys"
  author = "Florian Roth"
- id = "1e3ae79b-3c0a-5f3e-b5dd-c0c4aff608bc"
+ id = "37c763dd-7375-518a-afc8-d3ca5623987e"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10438-L10457"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3"
- logic_hash = "v1_sha256_146b74a7750951a07d2e8b64d25e0c0371fc6295b2ee843cf6a7d67c272555a7"
+ logic_hash = "146b74a7750951a07d2e8b64d25e0c0371fc6295b2ee843cf6a7d67c272555a7"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279670,14 +280156,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorporation_Nvflash_Nvidiaflashdriver_AFDD
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvflash.sys"
  author = "Florian Roth"
- id = "887e2fd4-22b3-5043-b76e-fa33a1c2311c"
+ id = "f8e2c69d-d3fb-58f8-bc03-3ad5ce67f0bf"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10460-L10479"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508"
- logic_hash = "v1_sha256_f23537a1efc5e13efb9e145d6c04bb21c3dc7cd49d1913755528f08b94c316ac"
+ logic_hash = "f23537a1efc5e13efb9e145d6c04bb21c3dc7cd49d1913755528f08b94c316ac"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279700,14 +280186,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_F85E : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
  author = "Florian Roth"
- id = "b7eb1362-0dda-5735-beaf-2b59744071b1"
+ id = "43ea92d7-a820-5ccc-b37f-05b96ead1246"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10482-L10501"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439"
- logic_hash = "v1_sha256_71bef9b60efad8f7bc149d93b94c37e59fd42f01ee01d7964c39ef0d79b997e0"
+ logic_hash = "71bef9b60efad8f7bc149d93b94c37e59fd42f01ee01d7964c39ef0d79b997e0"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279730,14 +280216,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublicb
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
  author = "Florian Roth"
- id = "7ca3b478-6cae-5a49-bd64-5fa52e16d0e2"
+ id = "1ee8489d-ef29-5d5b-80f5-8f0a206eda3f"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10504-L10523"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712"
- logic_hash = "v1_sha256_913dc412be3eaa31903d3fac94e07174789bb746bb382a5f1c08fea50541f6c6"
+ logic_hash = "913dc412be3eaa31903d3fac94e07174789bb746bb382a5f1c08fea50541f6c6"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279760,14 +280246,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_3C42 : FI
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
  author = "Florian Roth"
- id = "dfa0536c-7462-5854-b131-03f3288795f4"
+ id = "e4c649d8-941e-57d8-9193-a7e5c3de4671"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10526-L10545"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f"
- logic_hash = "v1_sha256_b3e67939d8f6e6121c3d36dfe5ccb01c9cd2a2d5488053a9834c7cb147ac250e"
+ logic_hash = "b3e67939d8f6e6121c3d36dfe5ccb01c9cd2a2d5488053a9834c7cb147ac250e"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279790,7 +280276,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 :
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ATSZIO.sys"
  author = "Florian Roth"
- id = "54817589-f1e3-5d03-a5be-c54a783e502e"
+ id = "3bd64a09-bfa9-5b87-8048-60e61c1a61f7"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -279798,7 +280284,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asustekcomputerinc_Atsziosys_Atsziodriver_55A1 :
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9"
  hash = "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc"
- logic_hash = "v1_sha256_a6c5fd6c88e08f663479840ae853a0dd22427d0059f0c6aa961dcc1a395dacce"
+ logic_hash = "a6c5fd6c88e08f663479840ae853a0dd22427d0059f0c6aa961dcc1a395dacce"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279821,7 +280307,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosio
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SBIOSIO64.sys"
  author = "Florian Roth"
- id = "f2ecb5d8-aeb5-5fad-b9a9-77dfcd1c0fb8"
+ id = "d2eed5da-ca7c-5ae3-ab44-2a49f43ec409"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -279829,7 +280315,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Sbiosiosys_Samsungrbiosio
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c"
  hash = "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243"
- logic_hash = "v1_sha256_5bcc568a4f4edc03e51801c4b256b34ed7f7ae08b7e00ca3f4bd7559502e3c76"
+ logic_hash = "5bcc568a4f4edc03e51801c4b256b34ed7f7ae08b7e00ca3f4bd7559502e3c76"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279852,14 +280338,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sisoftware_Sandra_Sisoftwaresandra_1AAF : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - sandra.sys"
  author = "Florian Roth"
- id = "f96fa9c1-ac47-57f0-8035-000a2e42e86e"
+ id = "9fc423bb-451b-52e8-ba81-7113cd1621c8"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10594-L10613"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b"
- logic_hash = "v1_sha256_e441204be274ce4379526096008b545e2a53b11c26c270c2df0c1f70b98d1e57"
+ logic_hash = "e441204be274ce4379526096008b545e2a53b11c26c270c2df0c1f70b98d1e57"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279882,14 +280368,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
  author = "Florian Roth"
- id = "9de85376-2389-5a3a-995f-536bb98bafc6"
+ id = "4be3fa3a-dec2-5906-99b0-024c8ed059a5"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10616-L10635"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3"
- logic_hash = "v1_sha256_be362e0f19f3565a77b1dbd78ea04f85b7f56fd6889d8fa48ed9ded25134bc2e"
+ logic_hash = "be362e0f19f3565a77b1dbd78ea04f85b7f56fd6889d8fa48ed9ded25134bc2e"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279912,14 +280398,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Aegis_C901 : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
  author = "Florian Roth"
- id = "b4fba7c5-1d37-5d4f-bd3e-0f6bc42dd2db"
+ id = "a1c33a78-bef9-59fc-8976-876c1fe68aff"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10638-L10657"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c"
- logic_hash = "v1_sha256_2320a0cc02aa28c6495f553b2c7c9c0486599e510d8378dfb3f15b988ff90983"
+ logic_hash = "2320a0cc02aa28c6495f553b2c7c9c0486599e510d8378dfb3f15b988ff90983"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279942,14 +280428,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Symanteccorporation_Vproeventmonitorsys_Symantec
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VProEventMonitor.sys"
  author = "Florian Roth"
- id = "1c10e551-82e0-583b-9cb6-cc2bac7e9d6c"
+ id = "84fa4df8-ac81-5de0-994d-9d754642a01e"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10660-L10679"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca"
- logic_hash = "v1_sha256_693ace66d01afcdd61fe23a3baa8b950153d38bdc386a43861005654c269cd3d"
+ logic_hash = "693ace66d01afcdd61fe23a3baa8b950153d38bdc386a43861005654c269cd3d"
  score = 40
  quality = 80
  tags = "FILE"
@@ -279972,14 +280458,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Wj_Kprocesshacker_C725 : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
  author = "Florian Roth"
- id = "e9ff0e0d-2fb6-5d12-8c6a-e6a30e6b4a2e"
+ id = "53a8740a-65a5-5eb5-afc5-b86058982071"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10682-L10700"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c"
- logic_hash = "v1_sha256_78c3a92f79cbbc31d9191da527bf834e366454f1b5109600aca7954ca4e77226"
+ logic_hash = "78c3a92f79cbbc31d9191da527bf834e366454f1b5109600aca7954ca4e77226"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280001,14 +280487,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpot_Avastantivirus_7AD0 : FIL
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
  author = "Florian Roth"
- id = "3f004f09-9550-5352-a415-e89ec9101211"
+ id = "e9db51b4-48a2-53a9-999d-5676d0a4aa91"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10703-L10722"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed"
- logic_hash = "v1_sha256_2cfb950364b5259679e0dcc7ebe34fd6703ae376b5e1717428a88f0c2ba823f5"
+ logic_hash = "2cfb950364b5259679e0dcc7ebe34fd6703ae376b5e1717428a88f0c2ba823f5"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280031,14 +280517,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_83A1 : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
  author = "Florian Roth"
- id = "ee773229-e594-5d0b-8d6f-45599b17ca54"
+ id = "5164ae7c-795d-55fd-837a-e45a054fdd3e"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10725-L10744"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc"
- logic_hash = "v1_sha256_16b76760cc8831b7e53cb5f12625cd1dcd059253aa195d763011ccc1cf48a2c5"
+ logic_hash = "16b76760cc8831b7e53cb5f12625cd1dcd059253aa195d763011ccc1cf48a2c5"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280061,14 +280547,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_C082 : FI
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
  author = "Florian Roth"
- id = "ed3ba1d8-7a83-5ed2-ac28-114db7d14a6a"
+ id = "36d4d011-edf0-53e8-9665-b75520140df3"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10747-L10766"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd"
- logic_hash = "v1_sha256_de63522d95ff422588d388c3533e268bd09fcf895d60277b7f7470ca7b1e9a33"
+ logic_hash = "de63522d95ff422588d388c3533e268bd09fcf895d60277b7f7470ca7b1e9a33"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280091,14 +280577,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Creativetechnologyinnovationcoltd_Ctiiosys_Ctiio
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - CtiIo64.sys"
  author = "Florian Roth"
- id = "217767ea-85d9-5e85-98be-56ff8457f8d1"
+ id = "3cc780a4-7b9c-516e-91a1-705f785922d2"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10769-L10788"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109"
- logic_hash = "v1_sha256_58b715cbea724f7d8f946f613ec35fc3bf29cc34c1e32ebc2910d73092f96d83"
+ logic_hash = "58b715cbea724f7d8f946f613ec35fc3bf29cc34c1e32ebc2910d73092f96d83"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280121,14 +280607,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Ssmartsoftwaresolutionsgmbh_Sysdrvs_Sysdrvs_0E53
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - SysDrv3S.sys"
  author = "Florian Roth"
- id = "797c9b45-02c4-5821-b08a-bf2109256a0d"
+ id = "9ace902a-a3bf-56fa-8eb8-99a82c1adf0b"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10791-L10810"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b"
- logic_hash = "v1_sha256_4d165a6f340f31b18e62ae9f35dd1c5e278217b949e6162119f0e512a262dc38"
+ logic_hash = "4d165a6f340f31b18e62ae9f35dd1c5e278217b949e6162119f0e512a262dc38"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280151,14 +280637,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_14AD :
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
  author = "Florian Roth"
- id = "75ddefec-fc03-5d9f-a507-61bd62a5e39f"
+ id = "0501fc8b-cc72-5c03-97cf-411051119ccf"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10813-L10832"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8"
- logic_hash = "v1_sha256_157a559b87310d33a96c77208afd4ae9ceea23df99417408e413dee0be507dd3"
+ logic_hash = "157a559b87310d33a96c77208afd4ae9ceea23df99417408e413dee0be507dd3"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280181,7 +280667,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficy
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GEDevDrv.SYS"
  author = "Florian Roth"
- id = "52da8e64-11b6-523e-93bc-02926e148e55"
+ id = "d90e2248-2b47-51d5-a3d2-06a7b61bc95d"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -280189,7 +280675,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Geintelligentplatformsinc_Gedevicedriver_Proficy
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461"
  hash = "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb"
- logic_hash = "v1_sha256_f3c26142b2f18490c79ea7a658397b9c029286a3040bf2159e3fcc76c4bbd788"
+ logic_hash = "f3c26142b2f18490c79ea7a658397b9c029286a3040bf2159e3fcc76c4bbd788"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280212,14 +280698,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrserverddkprovider_Cpuzsys_Windowsrserver
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - cpuz_x64.sys"
  author = "Florian Roth"
- id = "61831e1a-850f-5ebb-9c76-3685a641d87b"
+ id = "ddcb8217-640d-598d-9afd-a1c15d1bbb8c"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10858-L10877"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3"
- logic_hash = "v1_sha256_5613c77f79128bc7ac3bbe698dcd8be2fca2f59cb60a40ed97f0c80ba9aff690"
+ logic_hash = "5613c77f79128bc7ac3bbe698dcd8be2fca2f59cb60a40ed97f0c80ba9aff690"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280242,14 +280728,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Lowleveldriver_F941 : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - GPU-Z.sys"
  author = "Florian Roth"
- id = "a72df34d-3a95-51e5-b127-f0b5921a8634"
+ id = "a65168c0-5f0e-5871-867b-bab6f42b3c21"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10880-L10896"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd"
- logic_hash = "v1_sha256_fdc81fdc11ac6db386f4c41c2c34ab9dbd8dd93836a6a91b9412288eca7f0411"
+ logic_hash = "fdc81fdc11ac6db386f4c41c2c34ab9dbd8dd93836a6a91b9412288eca7f0411"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280269,14 +280755,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_37C6 : FI
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
  author = "Florian Roth"
- id = "7a232ded-225b-528d-a0b3-099bb62c77a4"
+ id = "f4b17a75-3160-5a73-afe6-531c41fae197"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10899-L10918"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9"
- logic_hash = "v1_sha256_7ab6c3fe4c9cd61c171a71d631a8efc34121bac85e1abf5f281b150f4b6a77a5"
+ logic_hash = "7ab6c3fe4c9cd61c171a71d631a8efc34121bac85e1abf5f281b150f4b6a77a5"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280299,14 +280785,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Toshibacorporation_Nchgbiosxsys_Toshibabiospacka
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - NCHGBIOS2x64.SYS"
  author = "Florian Roth"
- id = "26a69296-5cc2-5bd4-8124-117db2ba81f2"
+ id = "c0a7d14e-65aa-51e1-a2c1-88a7c56dce57"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10921-L10940"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073"
- logic_hash = "v1_sha256_ce2da14c74299d4ad3ab5b882de8bfe810444f21711f2417291bd0298a480e71"
+ logic_hash = "ce2da14c74299d4ad3ab5b882de8bfe810444f21711f2417291bd0298a480e71"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280329,7 +280815,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_5439 : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
  author = "Florian Roth"
- id = "9eb03c5a-dae9-5685-b72b-d68c8e7234b3"
+ id = "f35db7b6-8a4b-5c26-9e00-da5c1c7780e8"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -280337,7 +280823,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_5439 : FILE
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"
  hash = "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd"
- logic_hash = "v1_sha256_d43a364d3f39951140fa3b3395f1d74c306558a6c6946f665873e72377345949"
+ logic_hash = "d43a364d3f39951140fa3b3395f1d74c306558a6c6946f665873e72377345949"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280357,14 +280843,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
  author = "Florian Roth"
- id = "6bd5bb07-5228-5f64-b69e-4a24986b9c3e"
+ id = "cd4dd891-8d86-5afa-83ed-1ad0997608de"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10963-L10982"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb"
- logic_hash = "v1_sha256_7e1f69495559ca298a05ef6fb3817799b09d66013bae574ec585d27ef89b4dcc"
+ logic_hash = "7e1f69495559ca298a05ef6fb3817799b09d66013bae574ec585d27ef89b4dcc"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280387,14 +280873,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Zemanaltd_Zam_DE8F : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - zam64.sys, zamguard32.sys, zamguard64.sys"
  author = "Florian Roth"
- id = "63ee8a3a-766f-5e0c-a2c2-24f9dc69d2be"
+ id = "245da08c-d629-53cb-83fb-476f4fdd1512"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L10985-L11001"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c"
- logic_hash = "v1_sha256_0cb5b26dd0cd26c77df642ea6bfffdcede293cdb1ecc15430241ab538f835162"
+ logic_hash = "0cb5b26dd0cd26c77df642ea6bfffdcede293cdb1ecc15430241ab538f835162"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280414,14 +280900,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Nvidiacorp_Nvoclocksys_Nvidiasystemutilitydriver
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - nvoclock.sys"
  author = "Florian Roth"
- id = "79e65bf7-715f-5612-ac60-ea6844a7301f"
+ id = "00b4e2c2-cb2b-5de7-be7f-67fd1ed5bb1f"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11004-L11023"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3"
- logic_hash = "v1_sha256_be5fef829971251225d9cbb72d173affd394c8cce6116b0b705c4b02409b6096"
+ logic_hash = "be5fef829971251225d9cbb72d173affd394c8cce6116b0b705c4b02409b6096"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280444,14 +280930,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Supermicrocomputerinc_Phymem_Phymem_1963 : FILE
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - phymem64.sys"
  author = "Florian Roth"
- id = "6c8cdefd-8266-5407-989f-b8db694e1c72"
+ id = "19673477-eb54-52d7-886e-ebf3216aa77b"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
  source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11026-L11045"
  license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
  hash = "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52"
- logic_hash = "v1_sha256_8f4cdca4c4bc91f216ee3d89093d482d6e56623a159c3eae6debc388cb9d108f"
+ logic_hash = "8f4cdca4c4bc91f216ee3d89093d482d6e56623a159c3eae6debc388cb9d108f"
  score = 40
  quality = 80
  tags = "FILE"
@@ -280474,7 +280960,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
  meta:
  description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - procexp.Sys"
  author = "Florian Roth"
- id = "c2216d09-777f-5c4e-8fc1-ebb9bd10c046"
+ id = "826ee893-06af-5dee-9436-ec3ea7ddd8d9"
  date = "2024-08-07"
  modified = "2024-08-07"
  reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -280482,7 +280968,7 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sysinternalswwwsysinternalscom_Procexpsys_Proces
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1"
 hash = "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb"
- logic_hash = "v1_sha256_ee91ed74d1577bc881a029a6790de6d41e0b9494bfeeceec4511b3d8b7c5cff2"
+ logic_hash = "ee91ed74d1577bc881a029a6790de6d41e0b9494bfeeceec4511b3d8b7c5cff2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280505,14 +280991,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Vektortsecurityservice_Vboxdrv_Antidetectpublic_
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
 author = "Florian Roth"
- id = "2c90c3b3-fc98-58bc-ba59-a508d9b4d09f"
+ id = "e80a43d2-d96f-5fed-a5e1-3e1ea617542a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11071-L11090"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40"
- logic_hash = "v1_sha256_8611a572b8366722e237d622b3701072f564f13a73dd71899dbde6faeab73ef8"
+ logic_hash = "8611a572b8366722e237d622b3701072f564f13a73dd71899dbde6faeab73ef8"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280535,14 +281021,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Sunmicrosystemsinc_Vboxdrvsys_Sunvirtualbox_R_C8
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
 author = "Florian Roth"
- id = "cf22bb03-c318-5af9-a778-5efaade8d35d"
+ id = "b4cef531-b146-5c20-b429-a90beaad5712"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11093-L11112"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada"
- logic_hash = "v1_sha256_4f0a6ffa08a2c219e47c6ae13f6cc6914fe7d0dccb0273bf0905dd9a71eb439f"
+ logic_hash = "4f0a6ffa08a2c219e47c6ae13f6cc6914fe7d0dccb0273bf0905dd9a71eb439f"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280565,14 +281051,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Pinduoduoltdcorp_Vboxdrv_Pinduoduosecurevdi_9DAB
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - VBoxDrv.sys"
 author = "Florian Roth"
- id = "6af081b9-d855-50ad-b349-1fb0fe119b37"
+ id = "44e2c561-b9f4-5840-9e0c-53ffee5a3bd1"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11115-L11134"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4"
- logic_hash = "v1_sha256_894060011b20c84849499127305d8f1d45621c5893f74d59c9278067a329a4d2"
+ logic_hash = "894060011b20c84849499127305d8f1d45621c5893f74d59c9278067a329a4d2"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280595,14 +281081,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Tgsoftsas_Viragtsys_Viritagentsystem_18DE : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - viragt64.sys"
 author = "Florian Roth"
- id = "41538b51-4abd-5703-a9a6-008c41660950"
+ id = "c3b0b3b0-9281-5d90-bf26-6c4c46c4143b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11137-L11156"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506"
- logic_hash = "v1_sha256_d01aeb1783377e6067976e6955e63495706c96c8d6c113b393a47e6fe17992f0"
+ logic_hash = "d01aeb1783377e6067976e6955e63495706c96c8d6c113b393a47e6fe17992f0"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280625,14 +281111,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "947bfac2-1104-55d1-b3c1-3c84aa7a01af"
+ id = "4affbef6-26ac-5087-a881-32fad34fd192"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11159-L11178"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9"
- logic_hash = "v1_sha256_5bc5d8a6cd02e9a684515ea333084c788353641cb29ff08f18a1066d533cf0ed"
+ logic_hash = "5bc5d8a6cd02e9a684515ea333084c788353641cb29ff08f18a1066d533cf0ed"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280655,14 +281141,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_D5C4 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "952977a1-2bd5-58cd-a13b-2b6ec566383e"
+ id = "9994e1c0-b86b-578d-8002-554584e1de2b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11181-L11200"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9"
- logic_hash = "v1_sha256_d6ad094f2e26ff574917770a94af31110f2ed68e47ee082ad4adfcd7376679a5"
+ logic_hash = "d6ad094f2e26ff574917770a94af31110f2ed68e47ee082ad4adfcd7376679a5"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280685,14 +281171,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Wj_Kprocesshacker_7021 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - kprocesshacker.sys"
 author = "Florian Roth"
- id = "229766ff-6505-593d-a6f5-48e01769587e"
+ id = "dd2a2bfd-12be-5cdb-8293-c51220015bd9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11203-L11221"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4"
- logic_hash = "v1_sha256_e5d17a5b57183c3a27815b5b64014e9d95f49129cd451c62380ba8e1b4d25be6"
+ logic_hash = "e5d17a5b57183c3a27815b5b64014e9d95f49129cd451c62380ba8e1b4d25be6"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280714,14 +281200,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Trendmicroinc_Tmcommsys_Trendmicroeyes_76E8 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - TmComm.sys"
 author = "Florian Roth"
- id = "a9732f6b-d0eb-5247-95d2-e7885bf66852"
+ id = "2d26b107-7fcb-5acd-94e4-ed18c399ad66"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11224-L11243"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524"
- logic_hash = "v1_sha256_0a9822cd471bb7fdaab454e824e31e1dcd685f9226c4fa34af4f13dd228dc97b"
+ logic_hash = "0a9822cd471bb7fdaab454e824e31e1dcd685f9226c4fa34af4f13dd228dc97b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280744,14 +281230,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_5148 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "38eb919c-2f53-59a2-bf7b-f20c15dfa863"
+ id = "8685ea34-689e-5b00-8aeb-8f15dd7b3f25"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11246-L11265"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292"
- logic_hash = "v1_sha256_b36414a71e9bd69512ef0c702bf4f7b4bfdb812326a67a0e50f6f75f5c89c152"
+ logic_hash = "b36414a71e9bd69512ef0c702bf4f7b4bfdb812326a67a0e50f6f75f5c89c152"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280774,14 +281260,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Biostargroup_Iodriver_Biostariodriver_1D03 : FIL
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - BS_HWMIO64_W10.sys"
 author = "Florian Roth"
- id = "e4629e40-87a9-5049-a042-74efbffff5cf"
+ id = "ea157129-3347-5ba0-a115-928b4aef345f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11268-L11287"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8"
- logic_hash = "v1_sha256_26e886b28b40a920558a652197a0d7a31fc5f7b239d3886fdf0f44da4590dabb"
+ logic_hash = "26e886b28b40a920558a652197a0d7a31fc5f7b239d3886fdf0f44da4590dabb"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280804,14 +281290,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avgtechnologiesczsro_Aswarpotsys_Avginternetsecu
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "e9b1c524-fb9f-5737-9b41-816dd412f5fa"
+ id = "ec02c434-7918-5212-85f6-5ee417940b7c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11290-L11309"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6"
- logic_hash = "v1_sha256_9f77c427b54f1a940547cfc206b8d1aed0288d0664a5a124785c7fcec7b90507"
+ logic_hash = "9f77c427b54f1a940547cfc206b8d1aed0288d0664a5a124785c7fcec7b90507"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280834,14 +281320,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
 author = "Florian Roth"
- id = "1f7a0222-f642-5fe4-a9d5-e357d5808092"
+ id = "d5d84ed9-f0c5-54a8-8a7d-0006c1c98f1d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11312-L11331"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71"
- logic_hash = "v1_sha256_e1d35eb3ea6012cf8b742e97f08d797b4fd64bcc72bd7ebccb8ca33f11afad67"
+ logic_hash = "e1d35eb3ea6012cf8b742e97f08d797b4fd64bcc72bd7ebccb8ca33f11afad67"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280864,14 +281350,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Intelcorporation_Iqvwsys_Intelriqvwsys_5F69 : FI
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - iQVW64.SYS"
 author = "Florian Roth"
- id = "cfc6b564-a1fe-59e8-af4e-b00406fecef9"
+ id = "04fdd9f7-605b-54ee-849d-44a50ef732d2"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11334-L11353"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683"
- logic_hash = "v1_sha256_0242a0398f90468dfc41eb04570a70d5072fe089b270feb1f5ab7fbd2c7a1ffc"
+ logic_hash = "0242a0398f90468dfc41eb04570a70d5072fe089b270feb1f5ab7fbd2c7a1ffc"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280894,14 +281380,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Ngiodriversys_Avastng_5E3B : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ngiodriver.sys"
 author = "Florian Roth"
- id = "f514adc0-8f3c-5280-9a47-069b4e9afe34"
+ id = "f454f9bf-3dd3-5bb1-a5b5-c00f5356bd25"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11356-L11375"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea"
- logic_hash = "v1_sha256_893fe9de3a164fd33483d139e76db4c213c402f276bd285c9acefd76da1d2f38"
+ logic_hash = "893fe9de3a164fd33483d139e76db4c213c402f276bd285c9acefd76da1d2f38"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280924,14 +281410,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Windowsrwinddkprovider_Dcprotectsys_Dcprotectrwi
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - DcProtect.sys"
 author = "Florian Roth"
- id = "0c80b042-6c7e-588a-ac15-f06f31f3b0e5"
+ id = "38c59d28-a35d-57f5-ad0e-7822e3381b53"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11378-L11397"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504"
- logic_hash = "v1_sha256_e7f65896009629498b16fdacd7dcdaafae8336365e621f791e880c108bbab75b"
+ logic_hash = "e7f65896009629498b16fdacd7dcdaafae8336365e621f791e880c108bbab75b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280954,14 +281440,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_9679 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "8270cab5-6ca9-5652-af48-742b4c5250f5"
+ id = "a1b5efd0-2dd2-5c54-86b6-12684d6ea56b"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11400-L11419"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d"
- logic_hash = "v1_sha256_fa486cd644c20c827abc8568933d8537c254cff445f2aef520775e119b6db067"
+ logic_hash = "fa486cd644c20c827abc8568933d8537c254cff445f2aef520775e119b6db067"
 score = 40
 quality = 80
 tags = "FILE"
@@ -280984,14 +281470,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Elaboratebytesag_Elbycdio_Cdrtools_8137 : FILE
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - elbycdio.sys"
 author = "Florian Roth"
- id = "d3239a14-4538-563e-8fcb-aad95a0713ac"
+ id = "0e696bff-b5da-5116-a5a7-341b6c3098b8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11422-L11441"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60"
- logic_hash = "v1_sha256_cd4ace0ee1000ec8367bdca57423f311d0993d54359e4b3ca6a503738ba07b3b"
+ logic_hash = "cd4ace0ee1000ec8367bdca57423f311d0993d54359e4b3ca6a503738ba07b3b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -281014,14 +281500,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Asmediatechnologyinc_Asmiosys_Asmediapcidriver_E
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - AsmIo64.sys"
 author = "Florian Roth"
- id = "5ef1a6c9-c049-5ec4-978f-388e494267ff"
+ id = "196ff2dc-bbf5-5728-bcc9-29fa774b1e84"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11444-L11463"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb"
- logic_hash = "v1_sha256_93c9c472f0664eabf5aeba70babe66f974fd79eaf37b65987c396e35faea4d4b"
+ logic_hash = "93c9c472f0664eabf5aeba70babe66f974fd79eaf37b65987c396e35faea4d4b"
 score = 40
 quality = 80
 tags = "FILE"
@@ -281044,14 +281530,14 @@ rule LOLDRIVERS_PUA_VULN_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0 :
 meta:
 description = "Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - aswArPot.sys, avgArPot.sys"
 author = "Florian Roth"
- id = "21364cd9-bd24-5c67-ac56-3070a2f9ff6d"
+ id = "bde91bb0-9211-5fea-b725-d556c5a3ccc9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_vuln_drivers_strict.yar#L11466-L11485"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba"
- logic_hash = "v1_sha256_c8f2c5a171d1a7192a2eaeae0ab70ce97956b93e68db7a41265e54480bd582f1"
+ logic_hash = "c8f2c5a171d1a7192a2eaeae0ab70ce97956b93e68db7a41265e54480bd582f1"
 score = 40
 quality = 80
 tags = "FILE"
@@ -281074,7 +281560,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperat
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - windbg.sys"
 author = "Florian Roth"
- id = "b6acdb61-b185-52d4-b7cb-ecf1c8affc96"
+ id = "05060e37-3c01-5b86-a3ee-6e141399164a"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281097,7 +281583,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Windbgsys_Microsoftwindowsoperat
 hash = "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d"
 hash = "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12"
 hash = "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df"
- logic_hash = "v1_sha256_161f83c85ad516f3f06f3719a1d8ae0c841e818e50f985403133c2f77b7be894"
+ logic_hash = "161f83c85ad516f3f06f3719a1d8ae0c841e818e50f985403133c2f77b7be894"
 score = 70
 quality = 80
 tags = ""
@@ -281120,7 +281606,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "daa94b74-94fc-5dc7-97c2-78b17ebe981b"
+ id = "57e5655e-1313-585f-931c-d892e8952d0e"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281166,7 +281652,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_AAF0
 hash = "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96"
 hash = "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601"
 hash = "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875"
- logic_hash = "v1_sha256_9566444b1d3adb2a8a5f48b45bbbdb5c9be3ce399ec091e3ffd13780a90227f1"
+ logic_hash = "9566444b1d3adb2a8a5f48b45bbbdb5c9be3ce399ec091e3ffd13780a90227f1"
 score = 70
 quality = 80
 tags = ""
@@ -281189,7 +281675,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "85de279a-3938-5610-a39b-dcbc660e0494"
+ id = "0b38be06-60df-5b49-a748-eb175e1db33f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281210,7 +281696,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_DDF4
 hash = "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39"
 hash = "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920"
 hash = "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6"
- logic_hash = "v1_sha256_d20bfd9f05a7cdb031f3ada2801ee3b978a9d27407b4425c7aa7eb41b4549b18"
+ logic_hash = "d20bfd9f05a7cdb031f3ada2801ee3b978a9d27407b4425c7aa7eb41b4549b18"
 score = 70
 quality = 80
 tags = ""
@@ -281233,7 +281719,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "b96a79ed-73b5-5222-ba8f-e3a9c1f4d090"
+ id = "0531a88d-cb21-5055-b365-a80b6e99a6e9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281253,7 +281739,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_0F58
 hash = "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1"
 hash = "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3"
 hash = "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd"
- logic_hash = "v1_sha256_ffa3eaf9032aa673119558217d212ff819ce91e99ab6c046f8801990d5826689"
+ logic_hash = "ffa3eaf9032aa673119558217d212ff819ce91e99ab6c046f8801990d5826689"
 score = 70
 quality = 80
 tags = ""
@@ -281276,7 +281762,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "7f5e67b5-7d00-5c38-8392-23a6fffbf138"
+ id = "2bb58484-03d2-5ccc-b165-cfe405f60f03"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281305,7 +281791,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_7662
 hash = "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be"
 hash = "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2"
 hash = "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e"
- logic_hash = "v1_sha256_089f046e94a9cb4f576896e90375d6dbcaef61aa302af07f80230a74bc33ed18"
+ logic_hash = "089f046e94a9cb4f576896e90375d6dbcaef61aa302af07f80230a74bc33ed18"
 score = 70
 quality = 80
 tags = ""
@@ -281328,7 +281814,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "d11c99fe-5d41-5fcf-8617-e994fe744a13"
+ id = "a9965f8f-4969-52ae-953f-a06d8fabe951"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281365,7 +281851,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_14B8
 hash = "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad"
 hash = "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b"
 hash = "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852"
- logic_hash = "v1_sha256_e4d4b0da09beff889931b8d90365c3a04ff4b5b410004fb820cb2551365cf63c"
+ logic_hash = "e4d4b0da09beff889931b8d90365c3a04ff4b5b410004fb820cb2551365cf63c"
 score = 70
 quality = 80
 tags = ""
@@ -281388,7 +281874,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "77769469-db06-5916-987a-a78f95e9778b"
+ id = "8a8887dd-0f3d-5ab4-a945-b47966789b99"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281410,7 +281896,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_41AD
 hash = "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c"
 hash = "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55"
 hash = "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9"
- logic_hash = "v1_sha256_a51e3e4c17122bf15b70b47693c3d24792cc7c7cbead1b26e501cb2907113968"
+ logic_hash = "a51e3e4c17122bf15b70b47693c3d24792cc7c7cbead1b26e501cb2907113968"
 score = 70
 quality = 80
 tags = ""
@@ -281433,14 +281919,14 @@ rule LOLDRIVERS_MAL_Driver_Sensecorp_42B2
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys"
 author = "Florian Roth"
- id = "a31c24d0-b87a-532f-b5be-0aeeab239b3e"
+ id = "6b64ff77-866b-5d77-b2cf-5e507acc6cb9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L305-L321"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25"
- logic_hash = "v1_sha256_72e213913bf4317fa0751775e6a1a82ba2706e79c52fcd3e2c8ca69050e3a9d7"
+ logic_hash = "72e213913bf4317fa0751775e6a1a82ba2706e79c52fcd3e2c8ca69050e3a9d7"
 score = 70
 quality = 80
 tags = ""
@@ -281460,14 +281946,14 @@ rule LOLDRIVERS_MAL_Driver_Legalcorp_Pciexpressvideocapture_FD22
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - PcieCubed.sys"
 author = "Florian Roth"
- id = "3f7bbef0-f5ef-5f21-9eb3-c562a570cc68"
+ id = "c9b28922-d4c7-5c09-9df8-b7b8d8ffc2e8"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L324-L342"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8"
- logic_hash = "v1_sha256_4c47a159595f420c520e6924238bd260f49ccf163208713c72c62638b13756d9"
+ logic_hash = "4c47a159595f420c520e6924238bd260f49ccf163208713c72c62638b13756d9"
 score = 70
 quality = 80
 tags = ""
@@ -281489,7 +281975,7 @@ rule LOLDRIVERS_MAL_Driver_Gmer_Gmersys_Gmer_0052
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - gmer64.sys, superman.sys"
 author = "Florian Roth"
- id = "a71e7d8c-52e5-52ec-aaf6-c41be8ca8cbb"
+ id = "a2197304-4455-52bb-ac73-9218b310bb99"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281497,7 +281983,7 @@ rule LOLDRIVERS_MAL_Driver_Gmer_Gmersys_Gmer_0052
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3"
 hash = "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7"
- logic_hash = "v1_sha256_1644a972cb9bde33e5e8ec078b0ee67b34b6a298504895f364260b96a453a3ba"
+ logic_hash = "1644a972cb9bde33e5e8ec078b0ee67b34b6a298504895f364260b96a453a3ba"
 score = 70
 quality = 80
 tags = ""
@@ -281520,14 +282006,14 @@ rule LOLDRIVERS_MAL_Driver_Mimidrv_Mimidrvmimikatz_2FAF
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "196fc189-1664-5fbd-86ff-1f0d4012171d"
+ id = "0160f2aa-f60f-5590-be0a-6751487eab92"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L368-L384"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8"
- logic_hash = "v1_sha256_e7b3f0a8f5a91896f7d487a39c622b12fc7488f9f80c80b6b551e7e5f6a67f18"
+ logic_hash = "e7b3f0a8f5a91896f7d487a39c622b12fc7488f9f80c80b6b551e7e5f6a67f18"
 score = 70
 quality = 80
 tags = ""
@@ -281547,7 +282033,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "bdb44e4f-5108-5b51-adb6-dccc66587dfe"
+ id = "e77f1fc7-4700-5afe-908f-b0d206757365"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281556,7 +282042,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_2FD4
 hash = "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21"
 hash = "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28"
 hash = "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553"
- logic_hash = "v1_sha256_e24fab351505faf86bd12d6dd97662542c8cf5fca09d916b716af1478f3c9ddf"
+ logic_hash = "e24fab351505faf86bd12d6dd97662542c8cf5fca09d916b716af1478f3c9ddf"
 score = 70
 quality = 80
 tags = ""
@@ -281579,7 +282065,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntope
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ntbios_2.sys"
 author = "Florian Roth"
- id = "461b915a-2d7e-5c78-a5b4-0ece737db61c"
+ id = "f16b4b22-985a-5d39-ae51-709aa9a69d8d"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281587,7 +282073,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Ntbiosys_Microsoftrwindowsrntope
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c"
 hash = "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc"
- logic_hash = "v1_sha256_74ad0b57644d82a77bc902786250156f5e3700671bdf9765055b5908dc345a67"
+ logic_hash = "74ad0b57644d82a77bc902786250156f5e3700671bdf9765055b5908dc345a67"
 score = 70
 quality = 80
 tags = ""
@@ -281610,7 +282096,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoper
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS"
 author = "Florian Roth"
- id = "dab4619c-9b0c-5a80-a4e7-2b7ac6aaeff0"
+ id = "0bb182e8-e64b-5b01-9ca5-105212ebeb51"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281618,7 +282104,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Wintapixsys_Microsoftwindowsoper
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330"
 hash = "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e"
- logic_hash = "v1_sha256_dd85f0dc471425fe692e5a51580a97facdaea45505c48b5e01dd6dbc975f2ffe"
+ logic_hash = "dd85f0dc471425fe692e5a51580a97facdaea45505c48b5e01dd6dbc975f2ffe"
 score = 70
 quality = 80
 tags = ""
@@ -281641,7 +282127,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperati
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_6.sys"
 author = "Florian Roth"
- id = "3b1f4168-e21a-599e-808e-83283fceeb27"
+ id = "5f883209-6887-5cb4-96bb-988898d47c09"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281651,7 +282137,7 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperati
 hash = "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3"
 hash = "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce"
 hash = "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4"
- logic_hash = "v1_sha256_b4d12069a9a3a8d8d9bde9a4ed3f80f21f2654b6f96943d201933198678d01d9"
+ logic_hash = "b4d12069a9a3a8d8d9bde9a4ed3f80f21f2654b6f96943d201933198678d01d9"
 score = 70
 quality = 80
 tags = ""
@@ -281674,7 +282160,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "d9c8c59e-d48a-5860-9926-2bac4ed92706"
+ id = "888de0dc-5643-5e55-8272-9363cc55bfcf"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
@@ -281682,7 +282168,7 @@ rule LOLDRIVERS_MAL_Driver_Gentilkiwibenjamindelpy_Mimidrv_Mimidrvmimikatz_30E0
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2"
 hash = "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640"
- logic_hash = "v1_sha256_e2c964f7e30da210778e8a2e5bb96d53485a0736cf3ff28bccbefacb6b46765a"
+ logic_hash = "e2c964f7e30da210778e8a2e5bb96d53485a0736cf3ff28bccbefacb6b46765a"
 score = 70
 quality = 80
 tags = ""
@@ -281705,14 +282191,14 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperati
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_2.sys"
 author = "Florian Roth"
- id = "e63ce419-82f3-5dce-bb58-65bbda1591ad"
+ id = "3bd8b888-8170-5da6-ba1c-f13c1ca27e6f"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L505-L524"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f"
- logic_hash = "v1_sha256_9cde0a399b852038979993375be2a6d0f9f9f760381e94df0190256e8810949f"
+ logic_hash = "9cde0a399b852038979993375be2a6d0f9f9f760381e94df0190256e8810949f"
 score = 70
 quality = 80
 tags = ""
@@ -281735,14 +282221,14 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Srvnetsys_Microsoftwindowsoperat
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - WinTapix.sys, SRVNET2.SYS"
 author = "Florian Roth"
- id = "737bf776-7648-5263-82dc-1e99f715e670"
+ id = "3559718f-59d7-5bff-860c-6a073f4c05d9"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L527-L546"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d"
- logic_hash = "v1_sha256_ab1aea5cec71668c0e35ea149b9e537c8468738c3b3e70382ebedf51bb8729d0"
+ logic_hash = "ab1aea5cec71668c0e35ea149b9e537c8468738c3b3e70382ebedf51bb8729d0"
 score = 70
 quality = 80
 tags = ""
@@ -281765,14 +282251,14 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Wantdsys_Microsoftwindowsoperati
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - wantd_3.sys"
 author = "Florian Roth"
- id = "c2589627-3f1b-542f-82be-d8dcab321873"
+ id = "43ae822a-c4c4-5525-bfd3-a05d1ec50bd0"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L549-L568"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1"
- logic_hash = "v1_sha256_ec9e321bbc89bffb6243e3edde45e60dc06513e88dfb9a262768ef081db60c5b"
+ logic_hash = "ec9e321bbc89bffb6243e3edde45e60dc06513e88dfb9a262768ef081db60c5b"
 score = 70
 quality = 80
 tags = ""
@@ -281795,14 +282281,14 @@ rule LOLDRIVERS_MAL_Driver_773B
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - mimidrv.sys"
 author = "Florian Roth"
- id = "603aff8a-ed08-5fe4-af7e-bf1d261f28f4"
+ id = "f47ab2f1-86f6-5550-939e-4477ec1c367c"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L571-L585"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894"
- logic_hash = "v1_sha256_5e01850384ac0dc0e9f33e3e217e0e824cfe3c2bb46feff94dffa070f2f7c9a0"
+ logic_hash = "5e01850384ac0dc0e9f33e3e217e0e824cfe3c2bb46feff94dffa070f2f7c9a0"
 score = 70
 quality = 80
 tags = ""
@@ -281820,14 +282306,14 @@ rule LOLDRIVERS_MAL_Driver_Sensecorp_7F45
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - Sense5Ext.sys"
 author = "Florian Roth"
- id = "ff924271-36af-50d6-8871-2cf6e9bbe03c"
+ id = "6c1f5ba4-fd14-5069-9d99-e3072b2dbbc2"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L588-L604"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6"
- logic_hash = "v1_sha256_dbef723d7e44da110675402fc13708c5b077eeb6a66c1772885f5879d795ec4e"
+ logic_hash = "dbef723d7e44da110675402fc13708c5b077eeb6a66c1772885f5879d795ec4e"
 score = 70
 quality = 80
 tags = ""
@@ -281847,14 +282333,14 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsopera
 meta:
 description = "Detects malicious driver mentioned in LOLDrivers project using VersionInfo values from the PE header - ndislan.sys"
 author = "Florian Roth"
- id = "891b8c5d-043a-58a5-b4ce-8c8aa9e8589f"
+ id = "c94adcf3-2ea6-5856-9327-2e5ed1c49b22"
 date = "2024-08-07"
 modified = "2024-08-07"
 reference = "https://github.com/magicsword-io/LOLDrivers"
 source_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/detections/yara/yara-rules_mal_drivers.yar#L607-L626"
 license_url = "https://github.com/magicsword-io/LOLDrivers//blob/23108d3a3a01afb30b93e1fd32d8f0a750159f4c/LICENSE"
 hash = "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427"
- logic_hash = "v1_sha256_4b92b69636dea19a23172def47e9a1bbd4507075ec118b48db30fec377b8fbff"
+ logic_hash = "4b92b69636dea19a23172def47e9a1bbd4507075ec118b48db30fec377b8fbff"
 score = 70
 quality = 80
 tags = ""
@@ -281872,13 +282358,23161 @@ rule LOLDRIVERS_MAL_Driver_Microsoftcorporation_Ndislansys_Microsoftwindowsopera condition: all of them } +/* + * YARA Rule Set + * Repository Name: SEKOIA + * Repository: https://github.com/SEKOIA-IO/Community + * Retrieval Date: 2024-12-23 + * Git Commit: 476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5 + * Number of Rules: 746 + * Skipped: 0 (age), 3 (quality), 0 (score), 0 (importance) + * + * + * LICENSE + * + * # Detection Rule License (DRL) 1.1 + +Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions: + +If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules: + +1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). + +2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable + +3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable + +If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules: + +1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated). 
+ +THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES. + + */ +rule SEKOIA_Tool_3Proxy_Strings : FILE +{ + meta: + description = "Detects 3proxy based on strings" + author = "Sekoia.io" + id = "daf6cd97-8033-4bfd-88b5-41c06eb417b0" + date = "2024-03-14" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_3proxy_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f1d9bea9975af9bfa3f1a8cbf2c1d65fe1d39f303d5dbe6131887653cbbe7021" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "of 3proxy-" + $ = "-pPORT - service port to accept connections" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 500KB and all of them +} +rule SEKOIA_Hacktool_Fscan_Strings : FILE +{ + meta: + description = "Detects fscan based on strings" + author = "Sekoia.io" + id = "6bef80c3-370c-4168-9d88-3fac88f986b1" + date = "2023-12-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_fscan_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b1c88af2f90921fab4ac32ef65e226a652b8df2915abc62de0a28af9ad59811c" + score = 75 
+ quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Plugins.RdpScan.func1" + $ = "Plugins.smb1AnonymousConnectIPC.func1" + $ = "WebScan/WebScan.go" + $ = "Plugins/CVE-2020-0796.go" + $ = "Plugins.SshConn.func4" + $ = "Plugins.PostgresScan" + $ = "Plugins.(*FCGIClient).Request.func1" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 30MB and 4 of them +} +rule SEKOIA_Apt_Oilrig_Saitama_Backdoor_May2022 : FILE +{ + meta: + description = "Detects tje Saitama backdoor" + author = "Sekoia.io" + id = "4ea8c27f-c441-4616-a29b-2b5dfdd3bd20" + date = "2022-05-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_saitama_backdoor_may2022.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b3876995fde9c26052c39859684cec05e8c1bc8e2a62946b49ed328e84499dc6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = { 7E [4] 7E [4] 59 0A 02 8E 69 06 28 [4] D1 0B 02 16 7E [4] 7E [4] 07 } + $ = "systeminfo | findstr" wide + $ = "powershell -exec bypass -enc" wide + $ = "SendAndReceive : {0}" wide + $ = "SleepSecond : Start" wide + + condition: + uint16be( 0 ) == 0x4d5a and 2 of them +} +rule SEKOIA_Apt_Gamaredon_Htmlsmuggling_Attachment_Stage2 : FILE +{ + meta: + description = "Detects Gamaredon HTMLSmuggling attachment" + author = "Sekoia.io" + id = "e82335ea-48d5-409c-a270-cfd5a2197c44" + date = "2023-01-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_htmlsmuggling_attachment_stage2.yar#L1-L19" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "42e637f628db6719342ae104c6c89bb80609c5f3f5c2586daccb31f7d688a2a1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ") == -1) die();" ascii + $ = "'data:application/x-rar-compressed;base64, ' +" ascii + $ = ".appendChild(img);" ascii + $ = "['Win32', 'Win64', 'Windows', 'WinCE'].indexOf(" ascii + $ = " = navigator[\"platform\"];" ascii + + condition: + 4 of them and filesize < 1MB +} +rule SEKOIA_Exploit_Linux_Eop_Ubuntu_Overlayfs_Local_Privesc_Strings : FILE +{ + meta: + description = "Detects Ubuntu OverlayFS Local Privesc exploit" + author = "Sekoia.io" + id = "5e0e73f5-4cb3-4a79-adac-578b17ed7660" + date = "2023-12-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "48ff9d2a10eef1e9b9088ba4a53aa77f43324e5d51da65b65a5829276067f011" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "./ovlcap" + $ = "rm -rf '%s/'" + $ = "./ovlcap/work" + $ = "./ovlcap/lower" + $ = "./ovlcap/upper" + $ = "./ovlcap/merge" + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 1MB and all of them +} +rule SEKOIA_Infostealer_Win_Acridrain_Mar23 : FILE +{ + meta: + description = "Finds AcridRain samples" + author = "Sekoia.io" + id = "049b502a-0fb6-4fa9-a1ce-f01a40269bdb" + date = "2023-03-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_acridrain_mar23.yar#L1-L40" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "7fa1822acc6264a3a58fffef3fc572f8818d99037b20d5abb8bfb41f025949d4" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "\",\"r\":" ascii + $str02 = "\",\"s\":\"" ascii + $str03 = "\",\"p\":\"" ascii + $str04 = "\",\"a\":\"" ascii + $str05 = ",\"c\":" ascii + $str06 = ",\"g\" :" ascii + $str07 = "v7166637466625297979 t2537736810932639330 ath5ee645e0 altpriv cvcv=2 cexpw=1 smf=0" ascii + $str08 = "Content-Type: multipart/form-data; boundary=----974767299852498929531610575" ascii + $str09 = "\\Roaming\\Bitwarden\\data\\bitwarden.sqlite3" ascii + $ste01 = "\\Roaming\\Exodus\\exodus.wallet" ascii + $ste02 = "\\Roaming\\Electron Cash\\wallets" ascii + $ste03 = "\\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb" ascii + $ste04 = "\\Local Extension Settings\\" ascii + $ste05 = "cnmamaachppnkjgnildpdmkaakejnhae" ascii + $ste06 = "ffnbelfdoeiohenkjibnmadjiehjhajb" ascii + $ste07 = "\\formhistory.sqlite" ascii + $ste08 = "\\logins.json" ascii + $ste09 = "encrypted_key" ascii + $ste10 = "\\Login Data" ascii + $enc01 = "bX5cVw8FKyAKZVxXXUAdSTUXCXdCV0FoOxoSF0ZEUEZS" ascii + $enc02 = "bX5cVw8FKywUaVVbRlkyPAQAFCB1U0dV" ascii + $enc03 = "bX5cVw8FKzQvUBFhRkYINSIWA3IRdlJADw==" ascii + $enc04 = "bX5cVw8FKzYWdUVcWl8iCBU5NXBERl1dBTUiFgNyEXZSQA8=" ascii + $enc05 = "bWBcVQMAGQI6UEJbGGgeGxgDD2xUQW9QCw8WEAp0" ascii + + condition: + uint16( 0 ) == 0x5A4D and 5 of ( $str* ) and 7 of ( $ste* ) and 1 of ( $enc* ) +} +rule SEKOIA_Tool_Gost_Tunnel_Strings : FILE +{ + meta: + description = "Detects GOST Go Tunnel, based on strings" + author = "Sekoia.io" + id = "2de7aae9-9cf8-4007-aa27-5caea4123713" + date = "2023-02-28" + modified = "2024-12-19" + 
reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_gost_tunnel_strings.yar#L1-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "eba1557acc1d9f16817a4bcd24631334a12357e45ad23f1c333de686f20f9291" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ".(*shadowUDPHandler).transportUDP" ascii + $ = ".(*quicCipherConn).decrypt" ascii + $ = ".(*socks4aConnector).ConnectContext.func1" ascii + $ = ".(*mtlsTransporter).Handshake" ascii + $ = ".(*FIFOStrategy).Apply" ascii + $ = ".dnsTCPExchanger" ascii + $ = ".dohResponseWriter" ascii + $ = ".tcpRemoteForwardListener" ascii + $ = ".shadowUDPPacketConn" ascii + $ = ".sshTunnelListener" ascii + $ = "/listener/rtcp/listener.go" ascii + $ = "/handler/unix/handler.go" ascii + $ = "/handler/tunnel/tunnel.go" ascii + $ = "/internal/net/proxyproto/listener.go" ascii + $ = "/internal/util/serial/conn.go" ascii + $ = "github.com/go-gost/x" ascii + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a or uint32be( 0 ) == 0xcefaedfe or uint32be( 0 ) == 0xcffaedfe or uint32be( 0 ) == 0xbebafeca ) and 5 of them +} +import "pe" + +rule SEKOIA_Backoor_Win_Tinyturla_Ng : FILE +{ + meta: + description = "Detect the TinyTurla-NG backdoor used by Turla" + author = "Sekoia.io" + id = "019043bb-0212-4b73-bc93-03e9a746d28d" + date = "2024-03-04" + modified = "2024-12-19" + reference = "https://blog.talosintelligence.com/tinyturla-next-generation/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backoor_win_tinyturla_ng.yar#L3-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"a2fe2187e0cdd02fa31cbbecd600d044d4d12788ea6f76086aef7e77cbf232a0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b" + hash2 = "d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40" + + strings: + $ = "delkill /F /IM explENT_USER\\Softwar" + $ = "Set-PSReadLineOption -HistorySaveStyle SaveNothing" + $ = "changeshell" + $ = "chcp 437 > $null" + $ = "powershell.exe -nologo" + + condition: + uint16be( 0 ) == 0x4d5a and all of them or pe.imphash ( ) == "2240ae6f0dcbc0537836dfd9205a1f2b" +} +rule SEKOIA_Apt_Icepeony_Iceevent : FILE +{ + meta: + description = "Detects IceEvent Backdoor" + author = "Sekoia.io" + id = "7d1f8b90-fde4-4d5c-a8a3-375db8aa88a1" + date = "2024-10-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_icepeony_iceevent.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "07c291c9cea4430676c303128bbbb8e3" + hash = "489b573b37ab8bc74cca3704e723b895" + hash = "265f6cf778d26e62903fb295f89507e3" + hash = "f5eb28dd29c91cc84818b74d7f138ff6" + logic_hash = "8afe4a94513e9aa5d20849153c76cfe5c684c9a529710947930c76098a36540e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Created a process" ascii fullword + $ = "CreateProcess failed: %d" + $ = "bind error:" + $ = "Error creating pip: %d" + $ = "listen error:" + + condition: + uint16be( 0 ) == 0x4d5a and 4 of them and filesize < 500KB +} +rule SEKOIA_Generic_Sharpshooter_Payload_4 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "b8327436-3f3d-441c-86b7-35cd30144dc2" + date = "2023-02-03" + modified = "2024-12-19" + reference = 
"https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_4.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ee67eb7b51ff6f3882c6b3ad86c3581396ba02f616c29a0190d0a2ad3d2ea614" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Function RC4(byteMessage, strKey)" + $ = "Set EL = DM.createElement(" + $ = "decodeBase64 = EL.NodeTypedValue" + $ = "Execute plain" + + condition: + all of them and filesize < 2MB +} +rule SEKOIA_Apt_Gelsemium_Wolfsbane_Rootkit : FILE +{ + meta: + description = "Detects Gelsemium's WolfsBane rootkit" + author = "Sekoia.io" + id = "e93f4515-62f5-4057-a464-aae11cbe0639" + date = "2024-11-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gelsemium_wolfsbane_rootkit.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "ba08e63ad65a9bdcdb1655f25d32c808" + logic_hash = "a7440e1b4c0bbff0d80d7152e3bfb0867abe9b0151b45f88aa656f3c9a55b303" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "__non_hooked_symbols" + $ = "__hidden_literals" + $ = "extract_type_2_socket_inode2" + $ = "/proc/%s/fd" + $ = "pluginkey" wide + $ = "mainpath" wide + $ = "hiderpath" wide + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 1MB and all of them +} +rule SEKOIA_Apt_Unk_Dex_China_Freedom_Trap_Spyware : FILE +{ + meta: + description = "Detects China Freedom Trap spyware dex file" + author = "Sekoia.io" + id = "3d66b6b8-8397-441a-a337-4a282df39591" + date = "2022-09-07" + modified = "2024-12-19" + 
reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_unk_dex_china_freedom_trap_spyware.yar#L1-L31" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "ceb70fce74898ea64ded6880a978441c" + logic_hash = "f85f78a1a58fa8b2698637f8c540877ea1c5141ff7f74e8c2f2755f5aba5a599" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "INSTALL" base64 + $ = "FAILED" base64 + $ = "TEST" base64 + $ = "ONLY" base64 + $ = "INSTALL" base64 + $ = "INCONSISTENT" base64 + $ = "CERTIFICATES" base64 + $ = "Network country iso:" base64 + $ = "Network operator name:" base64 + $ = "SIM operator name:" base64 + $ = "SIM country iso:" base64 + $ = "SIM state:" base64 + $ = "PIN REQUIRED" base64 + $ = "PUK REQUIRED" base64 + + condition: + uint32be( 0 ) == 0x6465780A and filesize < 100KB and 4 of them +} +import "pe" + +rule SEKOIA_Implant_Win_Sliver_Dll : FILE +{ + meta: + description = "Detect the Sliver DLL based on export names (standalone and process/memory dumps)" + author = "Sekoia.io" + id = "41d83011-a08b-4245-b633-79fe6afaa4d2" + date = "2021-11-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_sliver_dll.yar#L3-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "251a123fe70338d18c9bc9fb9e0b0d542f2b94203bee8537244e62fa102f371b" + score = 75 + quality = 80 + tags = "FILE" + modification_date = "2021-12-22" + version = "1.1" + classification = "TLP:CLEAR" + + strings: + $a1 = "main.RunSliver" + $a2 = "main.DllInstall" + + condition: + ( filesize > 8MB and filesize < 11MB and uint16be( 0 ) == 0x4d5a and 
pe.characteristics & pe.DLL and pe.exports ( "RunSliver" ) and pe.exports ( "DllInstall" ) and pe.exports ( "VoidFunc" ) ) or ( true and ( uint32be( 0 ) == 0x4d444d50 or uint32be( 0 ) == 0x00000000 ) and $a2 in ( @a1 .. @a1 + 100 ) ) +} +rule SEKOIA_Apt_Badmagic_Commonmagic_Screenshot_Module : FILE +{ + meta: + description = "Detects CommonMagic related implants" + author = "Sekoia.io" + id = "d1ef0bd1-37dc-405f-b82b-288b1798455c" + date = "2023-05-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_commonmagic_screenshot_module.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "caab57534a00620974f7d49c7b38a3f191aca596b69b3e4c499e3099023c2f9c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "%s_%02d.%02d.%04d_%02d.%02d.%02d.%03d.%s" wide + $ = "Screenshot" wide + $ = "\\\\.\\pipe\\PipeDtMd" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and all of them +} +rule SEKOIA_Apt_Cloudatlas_Rtf_Shellcode_Cve_2018_0798 : FILE +{ + meta: + description = "CloudAtlas Shellcode for CVE_2018_0798 " + author = "Sekoia.io" + id = "6c602c66-df40-4436-800f-e548dacc1e81" + date = "2022-12-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a8c320ca81ef196b84a8fb08d9e02ef8cfb338024fa7e6776ff6c8c049b8e63c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = 
"6060606061616161616161616161616161616161FB0B00004bE8FFFFFFFFC35F83C71B33C966B908010f0d00ddd8d97424f4668137" ascii nocase + + condition: + filesize < 8MB and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Implant_Win_Incontroller : FILE +{ + meta: + description = "Detect the INCONTROLLER implant " + author = "Sekoia.io" + id = "c346c6ea-c5c0-4e9f-a632-1e8ed0286fbc" + date = "2022-04-14" + modified = "2024-12-19" + reference = "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_incontroller.yar#L4-L49" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "69296ca3575d9bc04ce0250d734d1a83c1348f5b6da756944933af0578bd41d2" + logic_hash = "988e3004169817758a38dc7cd621ed351dac4de41e6dad03ab1cdfc07b8a6cac" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "AsRockDrv.sys" ascii + $ = "C:\\Users\\User1\\Desktop\\dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb" ascii + $ = "found map in %.3f sec physical address : %016I64x" ascii + $ = "get physical regions error : %x!" + $ = "Device AsrDrv103 was opened successefuly!" ascii + $ = "Ioctl handler AsrDrv103 was found successefuly!" ascii + $ = "cant open the AsrDrv103!" ascii + $ = "can't read a unsigned driver ! " ascii + $ = "cant drop and load exploatable driver ! " ascii + $ = "please set unsigned driver as argument to program!" ascii + $ = "\\DosDevices\\AsrDrv103" wide + $t = "This program cannot be run in DOS mode." + + condition: + ( uint16( 0 ) == 0x5A4D and 4 of them and filesize < 800KB and #t == 2 ) or pe.imphash ( ) == "f139e860bc959a7e65a008399425c090" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "a2fe4d32d74354c391a283178f0291e6" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "c33f9caa68fe46c6996a928ba5a38fd6" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "d9a1f1a4d48906da1d9f33eae0f0eaef" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "76426b0209a87fa32ca28e9f2361be67" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "9e63a5064b755925598b8d72ace52dc9" ) or hash.md5 ( pe.rich_signature.clear_data ) == "140d7fb360dbebb03edab903b5d08285" +} +rule SEKOIA_Apt_Gamaredon_Ddrdoh_Vbs_Downloader : FILE +{ + meta: + description = "Detects the core of the VBS Gamaredon's Telegram Downloader" + author = "Sekoia.io" + id = "c934b95d-d81d-4f58-a752-1bb31ba8593d" + date = "2023-01-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "940635313b23e29ac98310fc0f20352405c96190d56cd36ef028bf4d6e77fa6b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $a1 = "==([0-9\\@]+)==" ascii + $a2 = "data\"\":\"\"(.*?)" ascii + $a3 = ", vbcr ,\"\")" ascii + $a4 = ", vblf ,\"\")" ascii + $a5 = ", \"&&\" ,\"\")" ascii + $a6 = "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4" ascii + $b1 = "==([0-9\\@]+)==" base64 + $b2 = "data\"\":\"\"(.*?)" base64 + $b3 = ", vbcr ,\"\")" base64 + $b4 = ", vblf ,\"\")" base64 + $b5 = ", \"&&\" ,\"\")" base64 + $b6 = "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4" base64 + + condition: + (4 of ( $a* ) or 4 of ( $b* ) ) and filesize < 50KB +} +rule SEKOIA_Backdoor_Lin_Bifrost : FILE +{ + meta: + description = 
"Detect the Bifrost backdor based on strings" + author = "Sekoia.io" + id = "9726b5f5-8cc3-4fad-950b-f20cac04d496" + date = "2024-03-05" + modified = "2024-12-19" + reference = "https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_lin_bifrost.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a3fd671c02c29f67cf5b8d2d0e857336da72f989688f2db19cd028398080c5e2" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729" + hash2 = "2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05" + hash3 = "f2bef6bed27f4b527118dd62b4035003c14afaffa72729c8117f213623f644ec" + + strings: + $ = "%c2%s%c3%u%c4%u-%.2u-%.2u %.2u:%.2u" + $ = "%c1%s%c3D%c4%u-%.2u-%.2u %.2u:%.2u" + + condition: + uint32be( 0 ) == 0x7f454c46 and all of them +} +rule SEKOIA_Kimsuky_Konni_Dll : FILE +{ + meta: + description = "Rule based on structure offset and file extension" + author = "Sekoia.io" + id = "6a20c492-e932-41bd-ac4a-01d35bfb0c49" + date = "2022-09-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/kimsuky_konni_dll.yar#L1-L29" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "7099156decdfe35cde22958133d851479f12180fff7b5744af0c549ab8259636" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ext_1 = ".zip" wide ascii fullword + $ext_2 = ".cab" wide ascii fullword + $ext_3 = ".rar" wide ascii fullword + $ext_4 = ".ini" wide ascii fullword + $ext_5 = ".dat" wide ascii 
fullword + $offset_structure_1 = { 8d ?? 08 02 00 00 } + $offset_structure_2 = { 8d ?? 10 04 00 00 } + $offset_structure_3 = { 8d ?? 18 06 00 00 } + $offset_structure_4 = { 8d ?? 20 08 00 00 } + $offset_structure_5 = { 8d ?? 28 0a 00 00 } + $offset_structure_6 = { 89 ?? f8 11 00 00 } + $offset_structure_7 = { 8d ?? fc 11 00 00 } + $offset_structure_8 = { 89 ?? 0c 12 00 00 } + $offset_structure_9 = { 89 ?? 10 12 00 00 } + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 11MB and all of them +} +rule SEKOIA_Infostealer_Win_Nosu : FILE +{ + meta: + description = "Finds Nosu samples based on characteristic strings" + author = "Sekoia.io" + id = "9823af25-e30b-4514-a59c-02dd19fe368d" + date = "2022-12-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_nosu.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f18db2008aa9175fc423133fd6d5872c5750d011aad73c373505347443d5032c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "C:\\xampp\\htdocs\\nosu\\core\\release\\lilly.pdb" ascii + $str1 = "{\"gp\":\"%s\",\"app\":\"%S\"," ascii + $str2 = "stored in zip:\\%s" wide + + condition: + uint16( 0 ) == 0x5A4D and 1 of them and filesize < 1MB +} +rule SEKOIA_Tool_Swor : FILE +{ + meta: + description = "Detects swor" + author = "Sekoia.io" + id = "75ce2ed7-2972-4e04-98dc-451acf80c842" + date = "2024-09-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_swor.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = 
"d3f92b3349109fc6de26f5e40800fec15308c27fa4fe81fe42af5030637a3a63" + logic_hash = "bcd1c0afece740b82b606aad8bdebcc88b72ae61df6513318215a217021efab4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $old_sword_s1 = "Failed to open payload file: " + $old_sword_s2 = "Failed to open config file: " + $sword_s1 = "open encrypted file error: " + $sword_s2 = "open config file error: " + $enum_calendar = "EnumCalendarInfo" + + condition: + uint16be( 0 ) == 0x4d5a and $enum_calendar and ( 2 of ( $old_sword_s* ) or 2 of ( $sword_s* ) ) and filesize < 1MB and true +} +rule SEKOIA_Hacktool_Socat_Strings : FILE +{ + meta: + description = "Detects socat" + author = "Sekoia.io" + id = "7c7e4085-39b2-445e-a9ff-52f21936e714" + date = "2023-12-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_socat_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8f0c907fa2de4141c55073ea5b4a8174f50c716fc7a60d3e838115859a938084" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[options] " + $ = "version %s on %s" + $ = "socat_signal():" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 5MB and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Nukesped_Andariel +{ + meta: + description = "Detect the NukeSped variant type 1 used by Andariel in October 2023" + author = "Sekoia.io" + id = "a3601f0b-5782-4546-ac22-8a0514791f8f" + date = "2023-11-27" + modified = "2024-12-19" + reference = "https://asec.ahnlab.com/en/59073/" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_nukesped_andariel.yar#L4-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d6421f3d0a3059e4104cfdceebb237269592f8ace7cc8d5bd613d239e4c010f4" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "4ce43c7e358e3951f4c4ebd050d570786cbb473ee353974fc7414e3d753da9f6" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "355485cbe2bec406d60a48d7d8d25c71d9ded3c508c87273d936a92b94720d9b" ) +} +import "hash" +import "pe" + +rule SEKOIA_Launcher_Win_Mistcloak : FILE +{ + meta: + description = "Detect the MISTCLOAK malware" + author = "Sekoia.io" + id = "3dbf5efa-d77c-436a-a080-9ac58a78425f" + date = "2022-12-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/launcher_win_mistcloak.yar#L4-L33" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fc2731ec4e2917be1ad169908ed324931a93f6998aee606319750b5cc02715e2" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "\\usb.ini" + $ = "autorun.inf\\Protection for Autorun\\System Volume Information" + $ = "G:\\project\\APT\\U" + $ = "\\new\\u2ec\\Release\\u2ec.pdb" + $ = "CheckUsbService" + + condition: + uint16( 0 ) == 0x5A4D and 3 of them or hash.md5 ( pe.rich_signature.clear_data ) == "0f5082fd7ddd1950fa332a8fa4df052f" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "0ceac625db1e8405efe45d47486e9e2d" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "6968e6ac7b9c1dfbf40a0b3c4f6f4157" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "e6ed2da41f74e948cba7a002c41c6af5" ) +} +rule SEKOIA_Loader_Win_Fudloader : FILE +{ + meta: + description = "Finds FUD-Loader samples based on specific strings" + author = "Sekoia.io" + id = "4c2ac614-89af-4449-9fd2-9f935e4c27b8" + date = "2023-09-25" + modified = "2024-12-19" + reference = "https://github.com/0day2/FUD-Loader/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_fudloader.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "bf19169963cfcbcf41a2dc5f9447738e957878972590b2a8d310eed1c54f3676" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "set_WindowStyle" ascii + $str02 = "set_FileName" ascii + $str03 = "get_StartInfo" ascii + $str04 = "GetRandomFileName" ascii + $str05 = "DownloadFile" ascii + $str06 = "GetTempPath" ascii + $str07 = "ProcessStartInfo" ascii + $str08 = "System.Diagnostics" ascii + + condition: + uint16( 0 ) == 0x5a4d and all of them and filesize < 10KB +} +rule SEKOIA_Koi_Netstealer : FILE +{ + meta: + description = "Detects NET ofbuscated Stealer used loaded by KoiLoader" + author = "Sekoia.io" + id = "deb06e2a-848c-44b3-be95-017ebccf11f8" + date = "2024-03-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/koi_netstealer.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"814db1092820ff1ed9e592dc92c72ad73643eb6d68df9f593ed637434373e41b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $name_1 = "pg20" + $name_2 = "pg40" + $s1 = "Curve25519" + $s2 = "ConsoleApp" + $s3 = "e0d2eec7-eb14-48ba-8709-dcc9de65947d" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 150KB and any of ( $name_* ) and all of ( $s* ) +} +import "pe" + +rule SEKOIA_Loader_Win_Svcready_Imports : FILE +{ + meta: + description = "Finds samples of the SVCReady loader" + author = "Sekoia.io" + id = "e89aa736-acee-4881-b367-a9abfe9784ec" + date = "2022-06-08" + modified = "2024-12-19" + reference = "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_svcready_imports.yar#L3-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f210c5363d19dbc822b8476f8ecfd86184af8f1c36819a6c868f171152e7cb74" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "Svc:RunPEDllNative" ascii + $str1 = "RunPEDllNative::" ascii + + condition: + uint16( 0 ) == 0x5A4D and filesize > 200KB and filesize < 2MB and pe.imports ( "GDI32.dll" , "Ellipse" ) and pe.imports ( "GDI32.dll" , "SelectObject" ) and pe.imports ( "GDI32.dll" , "GetStockObject" ) and pe.imports ( "GDI32.dll" ) == 3 and all of them +} +rule SEKOIA_Loader_Win_Konni_Bat : FILE +{ + meta: + description = "Detect the BAT files (named trap.bat or yup.bat) used by KONNI" + author = "Sekoia.io" + id = "e8921336-6c91-4b46-bd3f-3cf4a9b31082" + date = "2023-09-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_konni_bat.yar#L1-L22" + 
license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3476e41461692c3ccfc0ef47a4d5b8822c4940987755763d2a5913e27d9350d4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "del /f /q \"%~dp0\\*.zip\" > nul" + $ = "del /f /q \"%~dp0\\*.xml\" > nul" + $ = "del /f /q \"%~dp0\\wpnprv*.dll\" > nul" + $ = "del /f /q \"%~dp0\\*.bat\" > nul" + $ = "del /f /q \"%~dpnx0\" > nul" + $ = "echo %~dp0 | findstr /i \"system32\" > nul" + $ = "if %ERRORLEVEL% equ 0 (goto INSTALL) else (goto COPYFILE)" + $ = "if exist \"%ProgramFiles(x86)%\" (" + + condition: + 3 of them and filesize < 3KB +} +rule SEKOIA_Infostealer_Win_Blackcap : FILE +{ + meta: + description = "Finds BlackCap Grabber samples (Python code obfuscated using Py-Fuscate)" + author = "Sekoia.io" + id = "1aa1fadb-3413-46e2-b733-1ad2134f7be2" + date = "2023-03-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_blackcap.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b826c88d557ea0a516534946ad9531eda1a875cb9c4ddf92d9b98f8c7b86623e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $imp01 = "import asyncio, json, ntpath, random, re, shutil, sqlite3, subprocess, threading, winreg, zipfile, httpx, psutil, win32gui, win32con, pyperclip, base64, requests, ctypes, time" ascii + $imp02 = "from ctypes import windll, wintypes, byref, cdll, Structure, POINTER, c_char, c_buffer;from Crypto.Cipher import AES;from PIL import ImageGrab;from win32crypt import CryptUnprotectData" ascii + $pyf01 = "import marshal,lzma,gzip,bz2,binascii,zlib;exec(marshal.loads(binascii.a2b_base64(b'YwAAAAAA" ascii + + 
condition: + ($imp01 in ( 0 .. 500 ) and $pyf01 in ( @imp01 + 200 .. @imp01 + 1000 ) or $imp02 in ( 0 .. 1000 ) and $pyf01 in ( @imp02 + 100 .. @imp02 + 500 ) ) and filesize > 100KB and filesize < 500KB +} +rule SEKOIA_Tool_Yasso_Strings : FILE +{ + meta: + description = "Detects Yasso based on strings" + author = "Sekoia.io" + id = "31ec7510-6770-4fde-b835-e8b12f8f2b30" + date = "2023-06-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_yasso_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1d715b0962ba9ecbe11649ea85870a8f884f6dd7eda27b1f8eff0d7f5de8c765" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Yasso/cmd.setting" + $ = "Yasso/cmd.Client" + $ = "Yasso/cmd.IdentifyResult" + $ = "Yasso/cmd.RespLab" + $ = "Go build ID" + + condition: + uint16be( 0 ) == 0x4d5a and filesize > 15MB and filesize < 20MB and all of them +} +rule SEKOIA_Implant_Mac_Rustbucket : FILE +{ + meta: + description = "Detect the RustBucket malware" + author = "Sekoia.io" + id = "fcbb745d-7f56-4c51-9db5-427da22a0c68" + date = "2023-04-24" + modified = "2024-12-19" + reference = "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_mac_rustbucket.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747" + logic_hash = "ab7bc706b0d3f0dcd739ffe7f8153ba7377892143d8d53ce1591519ffe4ae84f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = 
"/Users/hero/" + $ = "PATHIpv6Ipv4Bodyslotpath" + $macho_magic = {CF FA ED FE} + $java_magic = {CA FE BA BE} + + condition: + ($macho_magic at 0 or $java_magic at 0 ) and all of them +} +rule SEKOIA_Tool_Sy_Runas : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "cb1f3707-6716-49b5-9fe0-45c5baf2e491" + date = "2023-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_sy_runas.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b606f921b0ff6adf0e6979d43be0ddf77e2967e703562f1dea4406d1f5b3f5fd" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "Sy_Runas.exe" ascii wide + $s2 = "password *.exe" ascii wide + $s3 = "This tools just work on webshell" ascii wide + $s4 = "Code By slls124@gmail.com" ascii wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 4MB and all of them +} +rule SEKOIA_Apt_Muddywater_Manifestation_Backdoor : FILE +{ + meta: + description = "Detects Muddys manifestation JScript backdoor" + author = "Sekoia.io" + id = "998fb0ab-73ed-41e5-b87e-f987b8f05a8c" + date = "2022-01-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_manifestation_backdoor.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "477ed53ccd337dd21ab84b7d36b995a653d0aad6676e02cbe5e9f581bface253" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "/^\\s+|\\s+$/g" 
ascii + $l2 = "while (1) {" ascii + $l3 = { 57 53 63 72 69 70 74 2e 73 6c 65 65 70 28 ?? ?? 20 2a 20 31 30 30 30 29 3b } + $s4 = ")+ key , false)" ascii + $s5 = ")+ data , false)" ascii + + condition: + filesize > 1000 and ( $l3 in ( @l2 .. @l2 + 300 ) ) and ( any of ( $s* ) ) +} +rule SEKOIA_Loader_Fakebat_Powershell_Fingerprint_May24 : FILE +{ + meta: + description = "Finds FakeBat PowerShell script fingerprinting the infected host." + author = "Sekoia.io" + id = "7efcf9cf-78fe-400e-abe3-6955c394e358" + date = "2024-06-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_fakebat_powershell_fingerprint_may24.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "04e5c888e5f71873c4fa2d732fbd8e40be3edf406300e65e489e1fa378028c5f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Get-WmiObject Win32_ComputerSystem" ascii + $str02 = "-Class AntiVirusProduct" ascii + $str03 = "status = \"start\"" ascii + $str04 = " | ConvertTo-Json" ascii + $str05 = ".FromXmlString(" ascii + $str06 = " = Invoke-RestMethod -Uri " ascii + $str07 = ".Exception.Response.StatusCode -eq 'ServiceUnavailable'" ascii + $str08 = "Invoke-WebRequest -Uri $url -OutFile " ascii + $str09 = "--batch --yes --passphrase-fd" ascii + $str10 = "--decrypt --output" ascii + $str11 = "Invoke-Expression \"tar --extract --file=" ascii + + condition: + 7 of them and filesize < 10KB and true +} +rule SEKOIA_Infostealer_Win_Vidar_Strings_Nov23 : FILE +{ + meta: + description = "Finds Vidar samples based on the specific strings" + author = "Sekoia.io" + id = "b2c17627-f9b8-4401-b657-1cce560edc76" + date = "2023-11-10" + modified = "2024-12-19" + reference = "https://twitter.com/crep1x/status/1722652451319202242" + 
source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_vidar_strings_nov23.yar#L1-L33" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1a2fc421fb4058b78de28d97d69b126e685f7677b7998f5b6ae3cbcee0ef3f00" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "MachineID:" ascii + $str02 = "Work Dir: In memory" ascii + $str03 = "[Hardware]" ascii + $str04 = "VideoCard:" ascii + $str05 = "[Processes]" ascii + $str06 = "[Software]" ascii + $str07 = "information.txt" ascii + $str08 = "%s\\*" ascii + $str09 = "Select * From AntiVirusProduct" ascii + $str10 = "SELECT target_path, tab_url from downloads" ascii + $str11 = "Software\\Martin Prikryl\\WinSCP 2\\Configuration" ascii + $str12 = "UseMasterPassword" ascii + $str13 = "Soft: WinSCP" ascii + $str14 = "" ascii + $str15 = "Soft: FileZilla" ascii + $str16 = "passwords.txt" ascii + $str17 = "build_id" ascii + $str18 = "file_data" ascii + + condition: + uint16( 0 ) == 0x5A4D and 10 of ( $str* ) +} +rule SEKOIA_Apt_Apt10_Hui_Loader : FILE +{ + meta: + description = "Specific string for HUI Loader" + author = "Sekoia.io" + id = "97d17052-80d0-4f8e-8b3a-2e0d622522a9" + date = "2022-07-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt10_hui_loader.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "33df202599c6bceff2cf76acdc0096f7167acb69c541b3cfe4cdc34edc174005" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD" wide fullword + + condition: + ( uint16be( 0 ) == 
0x4d5a ) and filesize > 30KB and filesize < 100KB and 1 of them +} +rule SEKOIA_Apt_Cerana_Keeper_Yk0130 : FILE +{ + meta: + description = "Detects YK0130 reverse shell" + author = "Sekoia.io" + id = "3da898a9-68e7-472f-8478-a0243840ec0a" + date = "2024-10-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cerana_keeper_yk0130.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "2554e4864294dc96a5b4548dd42c7189" + logic_hash = "4462c6b7f46520207f49275292a3be873540becb593176d771d3489fba6f4cb0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $pdb = "C:\\Users\\admin\\source\\repos\\YK0130" ascii fullword + + condition: + uint16be( 0 ) == 0x4d5a and all of them and filesize < 300KB +} +rule SEKOIA_Generic_Sharpshooter_Payload_2 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "02bc795f-b8e0-44d4-b475-310359867577" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_2.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c26779cd35d6430da3629df8b310356d663c05e82db0aca0fc974bc3a298c92e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "var e={},i,b=0,c,x,l=0,a,r=" + $ = "eval(plain);" + $ = "var plain = rc4(" + + condition: + all of them and filesize < 2MB +} +rule SEKOIA_Hacktool_Ntdsdumpex_Strings : FILE +{ + meta: + description = "Detects NTDSDumpEx based on strings" + author = 
"Sekoia.io" + id = "9a0fe20a-49e9-4aaf-8f0e-d51800e0a6e0" + date = "2022-02-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_ntdsdumpex_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3295816133ca00aeaf3f4967135ed045ed64d20393f482eafbe4e74f0f63aa47" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Example : ntdsdumpex.exe -r" ascii wide + $ = "[x]can not open output file %s for write." ascii wide + $ = "[+]dump completed in %.3f seconds." ascii wide + $ = "[+]total %d entries dumped,%d" ascii wide + $ = "[x]can not get PEK!" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 200KB and 3 of them +} +rule SEKOIA_Rat_Lin_Gobrat_2023 : FILE +{ + meta: + description = "This rule detect samples that are downloaded on the GobRAT C2 URL path /a, /b and /c." 
+ author = "Sekoia.io" + id = "ca36a586-f87f-445f-95dc-52d447c1d2a2" + date = "2023-06-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_lin_gobrat_2023.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b9831cefded9e48ef169aa56c18628a9871760ae613f75b232019b4798944e16" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "36cb17d9d118bd9692106c8aafab2462aacf1cdad3a6afb0e4f1de898a7db0e1" + hash2 = "28a714f7cec4445dbd507b85016c8e96ed5e378bcabe2e422c499975122b3f03" + hash3 = "1e80a084ab89da2375bc3cc2f5a37975edff709ef29a3fa2b4df4ccb6d5afe10" + + strings: + $s1 = "Z:/Go/awesomeProject3/main.go" wide ascii + + condition: + uint32( 0 ) == 0x464c457f and filesize < 4000KB and $s1 +} +rule SEKOIA_Rat_Win_Arrow_Str : FILE +{ + meta: + description = "Finds Arrow RAT samples based on the specific malware strings" + author = "Sekoia.io" + id = "69f6572c-91ed-4fb6-b886-5ad2dabef3d3" + date = "2022-08-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_arrow_str.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "faf66a14e563066bb86ceadc787c092a5a13a43f936f0d9d19fbe7d4352ea5d8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $hvnc01 = "DESKTOP_JOURNALRECORD" ascii + $hvnc02 = "DESKTOP_ENUMERATE" ascii + $hvnc03 = "DESKTOP_SWITCHDESKTOP" ascii + $hvnc04 = "DESKTOP_CREATEWINDOW" ascii + $hvnc05 = "StartHVNC" ascii + $str01 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c" 
wide + $str02 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath" wide + $str03 = "cvtres.exe" wide + $str04 = "qbkTHriRRbQjaArtJfF" wide + $str05 = "29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=" wide + $str06 = "Stub.exe" ascii wide + $str07 = "DePikoloData" ascii + + condition: + uint16be( 0 ) == 0x4d5a and 4 of ( $hvnc* ) and 5 of ( $str* ) +} +rule SEKOIA_Apt_Uac0099_Lonepage : FILE +{ + meta: + description = "Detects LonePage vbs malware" + author = "Sekoia.io" + id = "007f62f5-da5c-4df7-8b5c-5ed815ce6993" + date = "2024-01-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_uac0099_lonepage.yar#L1-L30" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "479f438acb63c76e09722640b973e76d1f1924bf24db477ca6898d123091d5f8" + score = 75 + quality = 76 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s0 = "dim r, c" ascii fullword + $s1 = "= createobject(\"WScript.Shell\")" ascii fullword + $s2 = "r.Run c, 0, false" ascii fullword + $t1 = "GetHostAddresses" ascii fullword nocase + $t2 = "upgrade.txt" ascii fullword nocase + $t3 = "net.webclient" ascii fullword nocase + $t4 = "downloaddata" ascii fullword nocase + $t5 = "[System.Environment]::NewLine" ascii fullword nocase + $t6 = ".uploaddata('" ascii nocase + + condition: + true and filesize < 10KB and ( ( $s1 at 0x10 and $s0 at 0 and $s2 and 2 of ( $t* ) ) or ( all of ( $t* ) and any of ( $s* ) ) ) +} +rule SEKOIA_Backdoor_Sandman_Strings : FILE +{ + meta: + description = "Detect the Sandman backdoor based on strings" + author = "Sekoia.io" + id = "7bac7a1e-7d4a-4410-9ad4-1c85beb6faaf" + date = "2022-08-23" + modified = "2024-12-19" + reference = 
"https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_sandman_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "74ee1b73532d9050d5ed7ea0bed158322288a2f5b65255804ebf10dc1a4ea55b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "e9f7c24c-879d-49f2-b9bf-2477dc28e2ee" + $s2 = "System.Net.Sockets" + $s3 = "ntpServer" + $s4 = "payloadUrl" + $s5 = "keepRunning" + $s6 = "payloadSize" + $s7 = "defaultNtpMessageSize" + $s8 = "InjectShellcode" + + condition: + uint16be( 0 ) == 0x4d5a and 7 of them or $s1 +} +rule SEKOIA_Crime_Sload_Powershellarchiveexfiltrator_Strings : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "3934696a-2116-49cb-9f75-3740767ad6f3" + date = "2022-08-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crime_sload_powershellarchiveexfiltrator_strings.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "7d6234ced7e5915a5b27ce2065772c74adb5c2398a8c972421fb5ec6b1b7771f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "if ($wr1 -or $wr2){" + $ = "if ($zp1 -or $zp2){" + $ = "-join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_});" + + condition: + all of them and filesize < 1KB +} +rule SEKOIA_Apt_Sandworm_Powergap_Apr2022 : FILE +{ + meta: + description = "Detects the POWERGAP malware" + author = "Sekoia.io" + id = "2a1c7f02-92b3-45b8-a710-253b1a28fe85" + date = "2022-04-12" + modified = "2024-12-19" + reference = 
"https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sandworm_powergap_apr2022.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f1532cce42ab1315d3ab7882fa43ad05255055da720a123bed034242d439da2a" + score = 75 + quality = 68 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Get-WmiObject Win32 ComputerSystem).Domain" nocase wide ascii + $ = "Write-Host \"Error1" nocase wide ascii + $ = "Write-Host \"Done\" -ForegroundColor Red" nocase wide ascii + $ = "sysvol\\$Domain\\Poicies\\$GpoGuid" nocase wide ascii + $ = "Function Start-work" nocase wide ascii + $ = "Domain: {0}\" -f $Domain)" nocase wide ascii + + condition: + filesize < 3KB and 5 of them +} +import "pe" + +rule SEKOIA_In2Al5D_P3In4Er_Loader : FILE +{ + meta: + description = "Invalid printer loader detection based on the XOR key" + author = "Sekoia.io" + id = "6dd3046d-55fb-4bcc-8735-dbc0add4d570" + date = "2023-04-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/in2al5d_p3in4er_loader.yar#L3-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fb7dadcd1e87c15cacfc046e76648b1fa29f1bce44fa0314b84746ca57eebaed" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $xor_key = "in2al5d p3in4er" ascii fullword + + condition: + all of them and ( filesize > 4MB and filesize < 7MB ) and pe.is_pe +} +import "hash" +import "pe" + +rule SEKOIA_Implant_Win_Magicrat : FILE +{ + meta: + description = "Detect Lazarus' MagicRAT" + author = "Sekoia.io" + id = "74973682-b214-48ee-98c3-f4b6bef76587" + date = "2022-09-13" + 
modified = "2024-12-19" + reference = "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_magicrat.yar#L4-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9abc223c5ae9300b06b9161cbd9f5a501b6aaf46970b0bb74d98168792b7e659" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592" + hash2 = "c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f" + hash3 = "f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332" + + condition: + uint16( 0 ) == 0x5A4D and filesize > 15MB and for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "39dfb9f035cba21ffd90973904f90469" and pe.sections [ i ] . 
name == ".qtmetad" ) +} +rule SEKOIA_Webshell_Icesword_Strings : FILE +{ + meta: + description = "Detects icesword webshell" + author = "Sekoia.io" + id = "2c6b3cec-4200-4386-8cd5-4004c9b5b96a" + date = "2024-11-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/webshell_icesword_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "0447352827e61696304a8e3d34e1d270" + hash = "f49cfcda0abdefa385eda7ec7e7a5411" + hash = "e1518388375ba772ed20503ec6dc6c8a" + hash = "ecf08cd6af127e01f913354529174a23" + logic_hash = "25ea8c1f4756595e63f09dfdfd1cb0e9bbf1d05e46150e22993de95d9f758385" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "&fsAction=rename&newName=" + $ = "&fsAction=copyto&dstPath=" + + condition: + 2 of them and filesize < 100KB +} +rule SEKOIA_Apt_Susp_Apt28_Uac0063_Malicious_Doc_Vba : FILE +{ + meta: + description = "Detects some suspected APT28 document vba" + author = "Sekoia.io" + id = "58040dbd-09ae-4f9e-940d-3a522e7ccfbb" + date = "2024-07-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_susp_apt28_uac0063_malicious_doc_vba.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "fceffb8ae94cef3af21b2943131e94db9e0e67073de48d9d32601a245448d067" + logic_hash = "c57676b765364c5c51d2bf231b5fe858129b45ba837ec6554b353177bb16bd8a" + score = 65 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = { 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 31 30 } + 
$ = "ThisDocument" wide + + condition: + uint32be( 0 ) == 0xd0cf11e0 and all of them +} +import "pe" + +rule SEKOIA_Apt_Win_Disabledefender +{ + meta: + description = "detects strings and imphash" + author = "Sekoia.io" + id = "a7b124ab-4c9d-47c0-a59e-211cc713b9b3" + date = "2022-09-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_win_disabledefender.yar#L3-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3b8c8d9144d9f97ee053c7cefc30d3920940bc33efcd1d7f5c61666217ef7896" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Restarting with privileges" + $ = "Windows defender is currently ACTIVE" + $ = "Windows defender is currently OFF" + $ = "Disabled windows defender" + $ = "Failed to disable defender..." 
+ + condition: + 4 of them or pe.imphash ( ) == "74a6ef9e7b49c71341e439022f643c8e" +} +rule SEKOIA_Apt_Apt28_Powershell_Ntlm_Stealer : FILE +{ + meta: + description = "Detects the NTLM Stealer used by APT28 against UA energy sector" + author = "Sekoia.io" + id = "3fb5c472-6b1c-490e-b38f-4d4f1c472f43" + date = "2023-09-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt28_powershell_ntlm_stealer.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "29d039bf7d7018ebbae187ae0f057161c3f9256076324f06167872adc0accfa7" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "'NTLM ' = [Convert]::ToBase64String" + $ = ".Prefixes.Add('http://localhost:8080/')" + $ = ".AddHeader('WWW-Authenticate', 'NTLM')" + $ = "GetValues('Authorization');" + $ = "[0] -split '\\s+';" + + condition: + 3 of them and filesize < 4000 +} +rule SEKOIA_Hacktool_Ntospy_Strings : FILE +{ + meta: + description = "Detects Ntospy based on strings" + author = "Sekoia.io" + id = "c3281666-6a31-4718-a9c0-82944c6fdcb0" + date = "2023-12-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_ntospy_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e5bd963419e515d65a03592051822fd801f4a21d54cdb18d408556c4bfef78f5" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "NPGetCaps" + $ = "NPLogonNotify" + $ = {43 00 3A 00 5C 00 [10-150] 00 2E 00 6D 00 73 00 75} + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 
300KB and all of them +} +rule SEKOIA_Hacktool_Win_Uknowseckeylogger : FILE +{ + meta: + description = "Detect the uknowsec keylogger based on strings" + author = "Sekoia.io" + id = "ab08136d-b1f3-4e64-b73c-e6344b610f91" + date = "2022-10-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_win_uknowseckeylogger.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "83a731a5b1853edcce963d458fc170206086305f3e43403c930c9633918e8ff1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "github.com/atotto/clipboard" ascii + $str1 = "github.com/TheTitanrain/w32" ascii + $str2 = "github.com/aliyun/aliyun-oss-go-sdk" ascii + $str3 = "golang.org/x/sys" ascii + $str4 = "golang.org/x/time" ascii + $str5 = "WSARecvWSASend[Print][Right][Shift][Sleep][debug][error]" ascii + + condition: + uint16( 0 ) == 0x5A4D and all of them +} +rule SEKOIA_Manjusaka_Samples : FILE +{ + meta: + description = "Detects Manjusaka via protobuf struture names (Windows / Linux / implants / C2)" + author = "Sekoia.io" + id = "7aa8edb3-2e67-4632-af68-5b65c9aefe39" + date = "2022-08-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/manjusaka_samples.yar#L1-L41" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "58dcc406c87a8ec66c0904c4cf518cb38bca1aa9058196ce5d496f6269258200" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ".protos.AgentStatusR" ascii wide + $ = ".protos.AgentsR" ascii wide + $ = ".protos.FileActionR" 
ascii wide + $ = ".protos.FileEntryR" ascii wide + $ = ".protos.HttpFileActionR" ascii wide + $ = ".protos.HttpFileEntryR" ascii wide + $ = ".protos.PassResultR" ascii wide + $ = ".protos.PortResultR" ascii wide + $ = ".protos.PortResultR" ascii wide + $ = ".protos.PortResultR" ascii wide + $ = ".protos.ConfigH" ascii wide + $ = ".protos.AgentUpdateH" ascii wide + $ = ".protos.PluginExecH" ascii wide + $ = ".protos.PluginLoadH" ascii wide + $ = ".protos.ReqCwdH" ascii wide + $ = ".protos.ReqCmdH" ascii wide + $ = ".protos.ReqListFileH" ascii wide + $ = ".protos.ReqCatFileH" ascii wide + $ = ".protos.ReqNetStatH" ascii wide + $ = ".protos.ReqTaskListH" ascii wide + $ = ".protos.ReqScreenH" ascii wide + $ = ".protos.FileEventH" ascii wide + $ = ".protos.HttpFileEventH" ascii wide + $ = ".protos.PassGetEventH" ascii wide + $ = ".protos.FileGetEventH" ascii wide + $ = ".protos.AgentEventR" ascii wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and 15 of them +} +rule SEKOIA_Backdoor_Opensource_Northstar_Strings : FILE +{ + meta: + description = "Detects the NorthStar Backdoor strings" + author = "Sekoia.io" + id = "6bf2f428-ec1a-4115-9c5e-258e9176969a" + date = "2022-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_opensource_northstar_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c4cf8935137c1420106807240de7583ca8f5c0b231f51bba279aedf672e25274" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "_SAMDUMP.zip" wide + $ = "northstar" wide + $ = "smanage.php?sid=" wide + $ = "File Not Exists" wide + $ = "" wide + $ = "getjuice.php" wide + + condition: + uint16be( 0 ) == 0x4d5a and 6 of them +} +rule 
SEKOIA_Infostealer_Win_Vidar_Str_Jul22 : FILE +{ + meta: + description = "Detect the Vidar infostealer based on specific strings" + author = "Sekoia.io" + id = "1dc18694-aaac-41e6-979a-c06d5d62f5ea" + date = "2022-07-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_vidar_str_jul22.yar#L1-L29" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "394d148155d46753df188a252678c5ce9d0aa321da8907e74b844d5aa8494a47" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + modification_date = "2022-08-23" + classification = "TLP:CLEAR" + + strings: + $str01 = "vcruntime140.dll" ascii + $str02 = "\\screenshot.jpg" ascii + $str03 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor" ascii + $str04 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" ascii + $str05 = "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb" ascii + $str06 = "\\CC\\%s_%s.txt" ascii + $str07 = "\\Autofill\\%s_%s.txt" ascii + $str08 = "\\History\\%s_%s.txt" ascii + $str09 = "\\Downloads\\%s_%s.txt" ascii + $str10 = "Content-Disposition: form-data; name=" ascii + $str11 = "Exodus\\exodus.wallet" ascii + $str12 = "*%DRIVE_REMOVABLE%*" ascii + $opc = {55 8b ec 51 56 8b 75 ?? 33 c0 c7 46 14 ?? ?? ?? ?? 89 46 ?? 68 ?? ?? ?? ?? 8b ce 89 45 ?? 88 06 e8 1f b6 ff ff 8b c6 5e c9 c2 ?? 
??} + + condition: + uint16( 0 ) == 0x5A4D and ( 7 of them or $opc ) +} +rule SEKOIA_Infostealer_Win_Enigma_Stealer_Module : FILE +{ + meta: + description = "Find stealer module of Enigma Stealer based on specific strings" + author = "Sekoia.io" + id = "664fe8de-b406-4d63-9a4b-1c350b444f02" + date = "2023-01-30" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_enigma_stealer_module.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "4d2fb518c9e23c5c70e70095ba3b63580cafc4b03f7e6dce2931c54895f13b2c" + logic_hash = "0a6615d65867a160e1c87fbcfe30090d44d7f5c25b3a904f8719be7b385b14bb" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $eni01 = "enigma.common" nocase ascii wide + $eni02 = "--ENIGMA STEALER--" wide + $str01 = "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" wide + $str02 = "/C chcp 65001 && netsh wlan show profile | findstr All" wide + $str03 = "/C chcp 65001 && netsh wlan show networks mode=bssid" wide + $str04 = "[Open google maps]" wide + $str05 = "Stealerium.Target." 
ascii + $str06 = "--- ClipperBCH ---" wide + $str07 = "//setting[@name='Username']/value" wide + $str08 = "Stealer >> Failed recursive remove directory with passwords" wide + $str09 = "[a-zA-Z0-9]{24}\\.[a-zA-Z0-9]{6}\\.[a-zA-Z0-9_\\-]{27}|mfa\\.[a-zA-Z0-9_\\-]{84}" wide + $str10 = "^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$" wide + + condition: + uint16( 0 ) == 0x5A4D and 1 of ( $eni* ) and 4 of ( $str* ) +} +rule SEKOIA_Apt_Tortoiseshell_Wateringhole_Script : FILE +{ + meta: + description = "Detect's Tortoiseshell WH script" + author = "Sekoia.io" + id = "58c5ae66-fe09-497c-80bf-20feee4d95e7" + date = "2023-05-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_tortoiseshell_wateringhole_script.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8ad886443b1bd17048054b57650d38cda1ffccc10fedfac86283a41daf956dc2" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "btoa(pluggin.toString())" + $ = "btoa(document.referrer)" + $ = "pluggin.push(navigator.plugins[i]" + $ = "navigator.language" + $ = "window.RTCPeerConnection" + $ = "sha256(canvas.toDataURL(" + $ = "canvas.getContext('2d" + $ = "noop = function() {}," + + condition: + 5 of them and filesize < 10000 +} +rule SEKOIA_Backdoor_Win_Warhawk +{ + meta: + description = "Detect the WarHawk backdoor used by the SideWinder intrusion-set" + author = "Sekoia.io" + id = "d0ec19a7-cb08-4bca-b153-d7b0358186b4" + date = "2022-10-24" + modified = "2024-12-19" + reference = "https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_warhawk.yar#L1-L56" + 
license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "09cd60f91c54da6ca051550c89629d11a55a89d5b0d5f6d5696232b4edfdd491" + score = 75 + quality = 58 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + hash_exe1 = "7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5" + hash_exe2 = "624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372" + hash_iso1 = "58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a" + hash_iso2 = "f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc" + + strings: + $ = {7b205c226e616d655c223a205c2225735c222c205c2273697a655c223a205c225c222c205c226d6f645c223a205c2225735c222c205c22747970655c223a205c2246696c6520666f6c6465725c22207d2c} + $ = {7b20225f68776964223a20222573222c20225f636f6d7075746572223a20222573222c20225f757365726e616d65223a20222573222c20225f6f73223a2022257322207d} + $ = {7b5c226e616d655c223a205c2225735c222c205c22747970655c223a205c2225735c227d2c} + $ = {7b20225f68776964223a20222573222c20225f66696c656d67725f646f6e65223a202274727565222c20225f726573706f6e7365223a2022257322207d} + $ = {7b20225f68776964223a20222573222c20225f7461736b223a20227472756522207d} + $ = {7b20225f68776964223a20222573222c20225f7461736b5f646f6e65223a202274727565222c20225f6964223a2022257322207d} + $ = {7b20225f68776964223a20222573222c20225f636d64223a20227472756522207d} + $ = {7b20225f68776964223a20222573222c20225f636d645f646f6e65223a202274727565222c20225f726573706f6e7365223a2022257322207d} + $ = {7b20225f68776964223a20222573222c20225f66696c656d6772223a20227472756522207d} + $ = {7b20225f68776964223a2022257322207d} + $ = {7b20225f68776964223a20222573222c20225f70696e67223a20227472756522207d} + $ = "cmd.exe" + + condition: + all of them +} +import "elf" + +rule SEKOIA_Apt_Apt31_Rekoobe : FILE +{ + meta: + description = "Find Rekoobe sample via Trend Elf Hash (telfhash)" + author = "Sekoia.io" + id = "b1461a72-76ce-4cc5-ac84-3cc87454d288" + date = 
"2023-07-10" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt31_rekoobe.yar#L3-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "88a1a10f26ca355c4be3fd3aa914b1b1ea743018ce44c68a2f4d9e5a337d5c01" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 100KB and elf.telfhash ( ) == "t18fc080c7c6b56a34a7f32538ac7c407982035e1581561b207f50c955d93b408404c5ef" +} +rule SEKOIA_Observerstealer : FILE +{ + meta: + description = "detection based on the strings" + author = "Sekoia.io" + id = "52314870-c100-441d-9ccf-07588325a401" + date = "2024-02-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/observerstealer.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "690bd5a16e780884641a66f06256a4147c092788f155644a8589d38b70dc4acc" + score = 75 + quality = 55 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "URLOpenBlockingStreamW" ascii + $s2 = "processGrabber" wide + $s3 = "grabbers" wide + $s4 = {2F 00 73} + $s5 = "UNKNOWN_HWID" ascii + $s6 = {48 00 57 00 49 00 44} + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 400KB and all of them +} +rule SEKOIA_Apt_Sugardump_Credentials_Stealer_Http : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "47d01ba8-9fdd-42d5-9f10-115f982dc133" + date = "2022-08-23" + modified = "2024-12-19" + reference = 
"https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sugardump_credentials_stealer_http.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8d1725da41704fd534d3438021a98d0fb9b9b5bfdc63cc3144c4957954be1870" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "\\Google\\Chrome\\User Data" wide + $ = "\\DebugLogWindowsDefender.txt" wide + $ = "Opera Software\\Opera Stable" wide + $ = "Microsoft\\Edge\\User Data" wide + $ = "\"encrypted_key\":\"(.*?)\\" wide + $ = "Url:" wide + $ = "Username:" wide + $ = "Password:" wide + $ = "Application:" wide + $ = "BCrypt.BCryptDecrypt" wide + $ = "C:\\Users\\User\\" wide + $ = "_CorExeMain" + $ = "http://" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and 10 of them +} +rule SEKOIA_Apt_Gamaredon_Htmlsmuggling_Attachment : FILE +{ + meta: + description = "Detects Gamaredon HTMLSmuggling attachment" + author = "Sekoia.io" + id = "a39b6e67-9327-4c5b-902a-b9853cfefc8e" + date = "2023-01-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_htmlsmuggling_attachment.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e13da493404b27ef0c026ca32accbb30792981e810c099d633f5de225e241b4d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "['at'+'ob'](" ascii + $ = "['ev'+'al'](" ascii + $ = "document.querySelectorAll('[" ascii + $ = "[0].innerHTML.split(' ').join('')))" ascii + + condition: + filesize < 1MB and 2 of them +} +rule 
SEKOIA_Crime_Sload_Vbs_Downloader_Strings_2 : FILE +{ + meta: + description = "Detects an sLoad downloader based on strings" + author = "Sekoia.io" + id = "77ff0d21-9249-43b2-9a6d-87988a2dec3b" + date = "2022-08-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crime_sload_vbs_downloader_strings_2.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "06e4fcb6c48078c6c44d779820fc901b0f335b9495097ed28206826a959d0712" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "On Error Resume Next" + $ = {0A [4] 3D 41 72 72 61 79} + $ = { 2E 50 61 74 74 65 72 6E 20 3D 20 22 28 [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C } + + condition: + all of them and filesize < 20KB +} +rule SEKOIA_Apt_Lazarus_Dll_C2_Comms : FILE +{ + meta: + description = "Detects DLL communicating with the C2" + author = "Sekoia.io" + id = "9b379aa8-77ce-4c76-ab13-05e35ebfbdfe" + date = "2023-04-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_lazarus_dll_c2_comms.yar#L1-L33" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b5ba5ae25822cf54d530d1a18c8196194d44e4fd76be1a0bf98c193772286282" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e" + hash2 = "bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9" + hash3 = "dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9" + hash4 = 
"69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf" + + strings: + $x1 = "vG2eZ1KOeGd2n5fr" ascii fullword + $s1 = "Windows %d(%d)-%s" ascii fullword + $s2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" wide fullword + $op1 = {B8 C8 00 00 00 83 FB 01 44 0F 47 E8 41 8B C5 48 8B B4 24 E0 18 00 00 4C 8B A4 24 E8 18 00 00 48 8B 8D A0 17 00 00 48 33 CC} + $op2 = {33 D2 46 8D 04 B5 00 00 00 00 66 0F 1F 44 00 00 49 63 C0 41 FF C0 8B 4C 84 70 31 4C 94 40 48 FF C2} + $op3 = {89 5C 24 50 0F 57 C0 C7 44 24 4C 04 00 00 00 C7 44 24 48 40 00 00 00 0F 11 44 24 60 0F 11 44 24 70 0F 11 45 80 0F 11 45 90} + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and ( filesize < 500KB and ( 1 of ( $x* ) or 2 of them ) or ( $x1 and 1 of ( $s* ) or 3 of them ) ) +} +rule SEKOIA_Backdoor_Powershellempire_Sharpire : FILE +{ + meta: + description = "Detect Sharpire version of Empire" + author = "Sekoia.io" + id = "fed21fbd-52ed-4649-a1ff-56eae57fc9ef" + date = "2022-04-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_powershellempire_sharpire.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a4da54a16ee1ac3dea3b3b5a5983638ea28fd1e6d580cd48db595f15a92817a1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "GetAgentID" ascii wide + $ = "SetAgentID" ascii wide + $ = "StartAgentJob" ascii wide + $ = "get_JobThread" ascii wide + $ = "GetStagerURI" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and 4 of them and filesize < 1MB +} +rule SEKOIA_Backdoor_Win_Feedload : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + 
id = "29cc46c4-7ed7-4a34-9749-a8ba8d37eb4c" + date = "2023-10-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_feedload.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "f251144f7ad0be0045034a1fc33fb896e8c32874e0b05869ff5783e14c062486" + logic_hash = "18eb3fc9b11ed21a76a2921c3d9681b09cf2f306263c2ece76c1bf4a65467777" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = " C:\\LibreSS5\\crypto\\" + + condition: + uint16be( 0 ) == 0x4d5a and #s1 > 200 +} +rule SEKOIA_Bot_Lin_Zerobot_Dec22 : FILE +{ + meta: + description = "Detect the linux Zerobot implant using specific strings" + author = "Sekoia.io" + id = "ce028297-a526-4a6a-95db-8762fb5895f6" + date = "2022-08-05" + modified = "2024-12-19" + reference = "https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/bot_lin_zerobot_dec22.yar#L1-L30" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0f4faba9873fa360615b20bc637ecb40f56e6c7f65153f61a762e378320f94c1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "rm -rf " + $str02 = "wget http://" + $str03 = "curl -O http://" + $str04 = "tftp" + $str05 = "-c get" + $str06 = "ftpget -v -u anonymous -P" + $str07 = "chmod 777" + $str08 = "nohup" + $str09 = "/dev/null 2>&1 &" + $str10 = "zero." 
+ $str11 = "ppc64le" + $str12 = "riscv64" + $str13 = "s390x" + $str14 = "rm -rf ~/.bash_history" + $str15 = "history -c" + + condition: + 11 of ( $str* ) and filesize < 10KB +} +rule SEKOIA_Apt_Toddycat_Toddybox_Strings : FILE +{ + meta: + description = "Detects ToddyCat's ToddyBox binary" + author = "Sekoia.io" + id = "fde3df24-ebd7-4327-998e-bddaa08835da" + date = "2023-11-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_toddycat_toddybox_strings.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b71fad12d4485268cbeff98b8a8d6067ac8f62164be60cdb61f3f37ab471a247" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Wait a while to upload the next file..." + $ = "[-] Error Msg: %s" + $ = "[-] Error Msg: Connect Errors or Proxy Errors" + $ = "[-] arg missing!" + $ = "[-] Get module dir failed!" + $ = "[-] Dir error!" 
+ $ = "Auto Get Proxy %S" + $ = "Dropbox-API-Arg" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and all of them +} +rule SEKOIA_Generic_Bat_Script_Mock_Http_Services : FILE +{ + meta: + description = "Generic rule detecting BAT script using mock HTTP services (used by APT28)" + author = "Sekoia.io" + id = "1cfbe5ba-6304-476d-8308-928100a85c16" + date = "2023-09-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_bat_script_mock_http_services.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d34be59cfb054895381580e7852bba6b899cfb680882b7fd24a72438131c3bee" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $bat1 = "@echo off" + $bat2 = "chcp 65001" + $ps1 = "WebClient" + $ps2 = "UploadString" + $dom1 = "mockbin.org" + $dom2 = "webhook.site" + $dom3 = "mocky.io" + $dom4 = "pipedream.com" + + condition: + (1 of ( $bat* ) or 1 of ( $ps* ) ) and 1 of ( $dom* ) and filesize < 2000 +} +rule SEKOIA_Crime_Sload_Zip_Archives : FILE +{ + meta: + description = "Detects ZIP archives used by sLOad" + author = "Sekoia.io" + id = "5335ad65-bca5-4937-8634-46cbd7aa1b0e" + date = "2022-08-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crime_sload_zip_archives.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f2bc6464de008f2ce40acabd87ebbd91659d317f57e223118937ba51f70d0f7f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $pic = { 00 00 00 [6] 2E ( 70 6E 67 | 67 69 66 | 6a 70 67 
| 6A 70 65 67 ) } + $pdf = { 00 00 00 [8] 2E 70 64 66 } + $vbs = { ( 4c 65 67 67 69 6d 69 | 66 69 73 63 ) 2e ( 77 73 66 | 76 62 73 ) } + + condition: + uint16be( 0 ) == 0x504B and filesize < 30KB and all of them +} +rule SEKOIA_Infostealer_Win_Titan : FILE +{ + meta: + description = "Finds samples of the Titan Stealer" + author = "Sekoia.io" + id = "0adbe616-0d91-4b05-b7a8-812cd79f9252" + date = "2023-01-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_titan.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "996dc320c83f57c47afe50ad032bac43ad1fbfbbd5a86e517089a062b0382993" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "/sendlog" ascii + $str1 = "/stealer/grabfiles.go" ascii + $str2 = "/stealer/installedsoft.go" ascii + $str3 = "/stealer/screenshot.go" ascii + $str4 = "/stealer/sendlog.go" ascii + $str5 = "/stealer/userinformation.go" ascii + $str6 = "C:/Program Files (x86)/Steam/config/" ascii + $str7 = "/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb/" ascii + $str8 = "MAC Adresses:" ascii + $str9 = "/Coowon/Coowon/" ascii + $str10 = "_/C_/Users/admin/Desktop/stealer_v7/stealer" ascii + + condition: + uint16( 0 ) == 0x5A4D and 5 of them +} +rule SEKOIA_Apt_Konni_Check_Bat : FILE +{ + meta: + description = "Script used to performs check before executing Konni" + author = "Sekoia.io" + id = "f05e6ba2-c128-4c17-8f74-f7640103c859" + date = "2023-11-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_konni_check_bat.yar#L1-L23" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "13a9dd6978985eb17960794c6de2ee2e6411e6afeb705ff95ced72bc0efb5d8c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ":64BIT" + $ = ":32BIT" + $ = ":INSTALL" + $ = ":EXIT" + $ = "netpp.dll" + $ = "wpns.dll" + $ = "netpp64.dll" + $ = "wpns64.dll" + $ = "rundll32" + + condition: + filesize < 1MB and 7 of them +} +rule SEKOIA_Malware_Venom_Admin_Strings : FILE +{ + meta: + description = "Detects Venom admin strings" + author = "Sekoia.io" + id = "4929340c-310b-4c59-a111-23409f973d22" + date = "2022-08-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_venom_admin_strings.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "205f16b07f58290b2898de7a7dd1e20f3d7651d738f0b15bf810f9be66eedf3d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "/admin/admin.go" + $ = "/cli/interactive.go" + $ = "/cli/cli.go" + $ = "/dispather/sender.go" + $ = "/dispather/proxy.go" + $ = "/dispather/handler.go" + $ = "/dispather/forward.go" + $ = "/utils/reuse_port.go" + + condition: + filesize < 11MB and 6 of them +} +rule SEKOIA_Apt_Spikedwine_Malicious_Hta +{ + meta: + description = "Detects malicious HTA used by SPIKEDWINE" + author = "Sekoia.io" + id = "e4526142-d98a-bf35-9d2c-ca2e83638c4b" + date = "2024-02-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_spikedwine_malicious_hta.yar#L1-L17" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "305896cde5d95c29de511541a961063730709d40d67a8788f084c17f181e3baf" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = " 300KB and filesize < 100MB +} +rule SEKOIA_Exploit_Linux_Eop_Pwnkit_Strings : FILE +{ + meta: + description = "Detects Pwnkit Local Privesc exploit" + author = "Sekoia.io" + id = "8637c602-62da-4983-bcb7-ba546fb2ed82" + date = "2023-12-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_linux_eop_pwnkit_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9805cc7a6022f7a3372df5d74cef68c6fd0e51072154c82212415846f3603667" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "CHARSET=PWNKIT" + $ = "i/do/not/exists" + $ = "pwnkit/pwnkit.c" + $ = "/usr/bin/pkexec" + $ = "SHELL=pwnkit" + $ = "pwnkit.so" + $ = "./pwnkit/" + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 1MB and 2 of them +} +rule SEKOIA_Apt_Andariel_Dorarat_Strings : FILE +{ + meta: + description = "Detects Dora RAT based on strings" + author = "Sekoia.io" + id = "30388291-a287-489f-a060-c90a16cda217" + date = "2024-06-17" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_andariel_dorarat_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "21e1c77d486cbf6ddaa2eca673275c7c21cc59fa9551c2eb02c526518ed5b217" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + 
classification = "TLP:CLEAR" + + strings: + $x1 = "/encryption.go" ascii fullword + $x2 = "/handshake.go" ascii fullword + $x3 = "/trans_module.go" ascii fullword + $enc_rsc = { 14 02 72 14 D3 4C 4A 49 55 36 14 DF 8D 6F 2D CF } + + condition: + uint16be( 0 ) == 0x4d5a and ( all of ( $x* ) or $enc_rsc ) +} +import "hash" +import "pe" + +rule SEKOIA_Merlin_Win_Dll : FILE +{ + meta: + description = "Detects Merling agent (DLL)" + author = "Sekoia.io" + id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be5" + date = "2022-01-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/merlin_win_dll.yar#L4-L42" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "eefaed10bd3accc884673437a1cc6b8c503db4ef797e58bd95daec36a297c4be" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = ".CRT" ascii + $s2 = ".tls" ascii + $s3 = "github.com/Ne0nd0g/merlin" ascii + $s4 = "github.com/lucas-clemente" ascii + $s5 = "SendMerlinMessage" ascii + + condition: + uint16( 0 ) == 0x5A4D and pe.imphash ( ) == "da7f8acb6151c95be088a02465d68ef8" and for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "491d9a18aea3d0eb3653fdaf0b9b86bb" ) and for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "d41d8cd98f00b204e9800998ecf8427e" ) and for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "bf619eac0cdf3f68d496ea9344137e8b" ) and for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "ce7969c1e894363133e386361be064e5" ) and for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "c6179cdcd9ba0758a18a1280f98062eb" ) and all of them and $s1 at 712 and $s2 at 752 and filesize < 15MB +} +rule SEKOIA_Apt_Luckymouse_Rshell_Strings : FILE +{ + meta: + description = "Detects LuckyMouse RShell Mach-O implant" + author = "Sekoia.io" + id = "89f18013-ea3e-440f-821e-cef102a43b7b" + date = "2022-08-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_luckymouse_rshell_strings.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ffca47856d4c4d83312220cff23c0a556be0e675d59ac009c2f74fc0e39cb816" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = { 64 69 72 00 70 61 74 68 + 00 64 6F 77 6E 00 72 65 + 61 64 00 75 70 6C 6F 61 + 64 00 77 72 69 74 65 00 + 64 65 6C } + $ = { 6C 6F 67 69 6E 00 68 6F + 73 74 6E 61 6D 65 00 6C + 61 6E 00 75 73 65 72 6E + 61 6D 65 00 76 65 72 73 + 69 6F 6E } + + condition: + ( uint32be( 0 ) == 0xCFFAEDFE or uint16be( 0 ) == 0x4d5a ) and filesize < 300KB and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Apt_Darkpink_Loader_Decryptionroutine : FILE +{ + meta: + description = "Detects decryption routine of dark pink loader" + author = "Sekoia.io" + id = "fefc7b2f-eecc-49dc-84bc-24c45e9ea8f0" + date = "2023-01-17" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_darkpink_loader_decryptionroutine.yar#L4-L49" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fe2726b77c293fc2aa19216025cfa2b4cd0c5194730cbc57a1fcceb6f6198977" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hashs = "3f38860d0f6f0ff1b65219379f8793383cba85b11de1c853192fb2d2ba99e481" + hashs = "b3f1d6366ebc184f634a240c838b39d729c28b8718b0b9ca6be988a7e446ec42" + + strings: + $chunk_1 = { + 8A 08 + 40 + 84 C9 + 75 ?? + 6A 00 + 2B C2 + 50 + 53 + 56 + E8 ?? ?? ?? ?? + 8A 88 ?? ?? ?? ?? + 30 0C 3E + 83 C6 01 + 83 D3 00 + 78 ?? + 7F ?? + 81 FE ?? ?? ?? ?? + 72 ?? + 55 + } + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 3MB and ( all of them or hash.md5 ( pe.rich_signature.clear_data ) == "950c0710dc4cbf6e2cd6b857d25da523" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "547e43dd8560fa8b0ca0be9f633bf62d" ) ) +} +import "pe" + +rule SEKOIA_Apt_Muddywater_Moriagent : FILE +{ + meta: + description = "Detects Muddy's Mori Agent implant" + author = "Sekoia.io" + id = "e7a83663-6a30-416a-8f29-87a6b9445ea4" + date = "2022-01-14" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_moriagent.yar#L3-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "21389d4e71e9a19a9d263b8ced740c337ea88ed4ac97199897b0aa3f5914594a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $mut = "0x50504060" ascii fullword + $cmd1 = "TType" ascii fullword + $cmd2 = "TPath" ascii fullword + $cmd3 = "TFileid" ascii fullword + $cmd4 = "TCommand" ascii fullword + $cmd5 = "TTimeout" ascii fullword + $cmd6 = "TFilter" 
ascii fullword + + condition: + uint16be( 0 ) == 0x4d5a and ( ( pe.number_of_exports == 2 and pe.exports ( "DllRegisterServer" ) and pe.exports ( "DllUnregisterServer" ) ) and ( 5 of them ) ) +} +import "pe" + +rule SEKOIA_Apt_Lazarus_Gopuram_Backdoor : FILE +{ + meta: + description = "Detects Gopuram Backdoor" + author = "Sekoia.io" + id = "947d4ee3-79fa-450b-8482-beafe607baae" + date = "2023-04-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_lazarus_gopuram_backdoor.yar#L3-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c019b65d28a7b0edf408a1a159a7535e7e14593bbd42c8df3201108ed02f96c0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7" + hash2 = "beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c" + + strings: + $x1 = "%s\\config\\TxR\\%s.TxR.0.regtrans-ms" + $xop = {D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE} + $opa1 = {48 89 44 24 ?? 45 33 C9 45 33 C0 33 D2 89 5C 24 ?? 48 89 74 24 ?? 48 89 5C 24 ?? 89 7C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? 4C 8D 4C 24 ?? 44 8D 43 ??} + $opa2 = {48 89 B4 24 ?? ?? ?? ?? 44 8D 43 ?? 33 D2 48 89 BC 24 ?? ?? ?? ?? 4C 89 B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 45 33 C0 33 D2 8B F8 E8 ?? ?? ?? ?? 8D 4F ?? E8 ?? ?? ?? ?? 4C 8B 4C 24 ?? 44 8D 43 ?? 48 8B C8 8B D7 48 8B F0 44 8B F7 E8 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? 
??} + + condition: + ( uint16( 0 ) == 0x4d5a and filesize < 2MB and pe.characteristics & pe.DLL and 1 of ( $x* ) ) or all of ( $opa* ) +} +rule SEKOIA_Loader_Win_Goshellcode : FILE +{ + meta: + description = "Finds GoShellcode samples based on the specific strings" + author = "Sekoia.io" + id = "61346225-325a-4067-a4d6-3b8c001dd380" + date = "2023-11-15" + modified = "2024-12-19" + reference = "https://github.com/yoda66/GoShellcode/blob/main/gosc.go" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_goshellcode.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "48ec87f284fbd14cbdb6b6b0f2e0fa6eb5ea19f112648660e0b8e525c562e3fc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "94445af999055bf7d7cddc0d1d5183ab2776d85285f0522a28fac6c5a6101906" + hash2 = "fdea8b01b2597ceafe6f08b5fd12cc603b1e3ce2037731c0b6defde6935b1ce0" + + strings: + $str01 = "main.VirtualAlloc" ascii + $str02 = "main.RtlMoveMemory" ascii + $str03 = "syscall.Syscall" ascii + $str04 = "syscall.NewLazyDLL" ascii + $str05 = "runtime.getGetProcAddress" ascii + $str06 = "runtime.useAeshash" ascii + + condition: + uint16( 0 ) == 0x5A4D and all of ( $str* ) and filesize < 8MB +} +import "elf" +import "hash" + +rule SEKOIA_Rootkit_Lin_Winnti : FILE +{ + meta: + description = "Rootkit used by Winnti" + author = "Sekoia.io" + id = "c800038e-7f8a-4f24-bf0b-06aba6a828cb" + date = "2024-05-22" + modified = "2024-12-19" + reference = "https://x.com/naumovax/status/1792902386295394629" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rootkit_lin_winnti.yar#L4-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"d57f9190d2d0c65dad6378d705328c0e9ef679eb8dad75af77d4bbc4f9d0f8d9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "161344ae61278e09eacb1c76508cda45555eee109e6d6a031716a096ab5c84f3" + hash2 = "bb56e088739b281c9f56b4fa3fa4d285e45b32c4f9f06b647d7e8cb916054e1a" + hash3 = "777c1fda4008f122ff3aef9e80b5b5720c9f2dbc3d7e708277e2ccad1afd8cc5" + hash4 = "9c770b12a2da76c41f921f49a22d7bc6b5a1166875b9dc732bc7c05b6ae39241" + + strings: + $ = "[CDATA[%s]]>%o%o%s:%s%llu" + $ = "HideFile" + $ = "DownThread" + $ = "PortforwardThread" + $ = "HidePidPort" + $ = "DownFile" + $ = "ReadReConnConf" + $ = "DecRemotePort" + $ = "DecRemoteIP" + + condition: + uint32( 0 ) == 0x464c457f and 6 of them and for any i in ( 0 .. elf.number_of_sections -1 ) : ( hash.md5 ( elf.sections [ i ] . offset , elf.sections [ i ] . size ) == "7dea362b3fac8e00956a4952a3d4f474" ) +} +rule SEKOIA_Apt_Mustangpanda_Windows_Shellcode_Decryptionalgorithm : FILE +{ + meta: + description = "Decryption routine for Shellcode of MustangPanda" + author = "Sekoia.io" + id = "c9873a5f-97a6-477f-a1a0-650441c73444" + date = "2022-12-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a2ad3bd4dcbee3e23762b674ee8b6717e7ece712b0128145518bfa5d2e4bd66a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $chunk_1 = { + 7E ?? + 8B 55 ?? + 53 + 56 + 8B 75 ?? + 57 + 8B 7D ?? + 4F + 8D A4 24 ?? ?? ?? ?? 
+ 8A 1C 11 + 30 1C 30 + } + + condition: + filesize < 8MB and all of them +} +rule SEKOIA_Loader_Win_Red0044_Powershell_May24 : FILE +{ + meta: + description = "Finds PowerShell scripts used in a malvertising campaign to deliver NetSupport RAT" + author = "Sekoia.io" + id = "ba3454b4-31cf-458d-8d78-c5cc5fa348ff" + date = "2024-05-03" + modified = "2024-12-19" + reference = "https://twitter.com/crep1x/status/1786150734121120075" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_red0044_powershell_may24.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "73939f65b93b320b9e220ee284ea524864a6b05c7608213009ac5f00b3faeedc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Start-Job -ScriptBlock" ascii + $str02 = "Get-WmiObject" ascii + $str03 = "-Class Win32_OperatingSystem" ascii + $str04 = "-Class AntiVirusProduct" ascii + $str05 = "$_.Exception.Message" ascii + $str06 = ".DownloadString" ascii + $str07 = "New-Object Net.WebClient" ascii + $str08 = "myUserAgentHere" ascii + $str09 = "GetFolderPath('Desktop'))\\document.pdf" ascii + $str10 = "Receive-Job -Job" ascii + $str11 = "Start-Process" ascii + + condition: + 8 of them and filesize < 20KB +} +rule SEKOIA_Clipper_Win_Cryptoclippy : FILE +{ + meta: + description = "Finds CryptoClippy samples" + author = "Sekoia.io" + id = "eaa98a8e-e29e-43a4-8b2d-2137d33d4116" + date = "2023-04-11" + modified = "2024-12-19" + reference = "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/clipper_win_cryptoclippy.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"057cb5bb957c2338a50c05cfa0177f75bcf263281ddcc5f365298bccafc64cb4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "C:\\mbedtls\\library\\" ascii + $str02 = "udp://8.8.8.8:53" ascii + $str03 = "Upgrade: websocket" ascii + $str04 = "%s\\%s.lnk" ascii + $str05 = "%s\\%s.ps1" ascii + $str06 = "%s\\%s.bat" ascii + $str07 = "set PSExecutionPolicyPreference=Unrestricted" ascii + $str08 = "schtasks /delete /tn \"%ls\" /f" ascii + $str09 = "SetClipboardData" ascii + $str10 = "SetWinEventHook" ascii + + condition: + uint16( 0 ) == 0x5A4D and 8 of them +} +rule SEKOIA_Crimeware_Njrat_Strings : FILE +{ + meta: + description = "Detects njRAT based on some strings" + author = "Sekoia.io" + id = "215807ae-fbcb-478d-8941-e0787b883669" + date = "2022-08-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crimeware_njrat_strings.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "47102adde81682c3c1c856c3495c6f98a9e39aa052eac2ab0a803dab44d19c26" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "set cdaudio door closed" wide + $ = "set cdaudio door open" wide + $ = "ping 0" wide + $ = "[endof]" wide + $ = "TiGeR-Firewall" wide + $ = "NetSnifferCs" wide + $ = "IPBlocker" wide + $ = "Sandboxie Control" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and 5 of them +} +rule SEKOIA_Apt_Ta410_Flowcloud_Rtti : FILE +{ + meta: + description = "Detects FlowCloud via RTTI" + author = "Sekoia.io" + id = "c6a18c08-8b98-46d7-a6c3-dc171c7791ac" + date = "2022-10-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_ta410_flowcloud_rtti.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "97f052c409c9b5de025d34180979cd4c322e67bab9f894d3b56c928340a6859b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $RTTI_1 = ".?AVdllloader@@" ascii fullword + $RTTI_2 = ".?AVel_cryptowrapper@@" ascii fullword + $RTTI_3 = ".?AVAntiVirusCheck@@" ascii fullword + + condition: + uint16( 0 ) == 0x5A4D and filesize < 10MB and all of them +} +rule SEKOIA_Apt_Redhotel_Maliciouslnk_Strings : FILE +{ + meta: + description = "Detects RedHotel's malicious LNKs" + author = "Sekoia.io" + id = "df2f0002-7921-4378-a936-ea0de5fbfa5a" + date = "2024-09-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_redhotel_maliciouslnk_strings.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "8e2c17040ec78cbcdc07bb2cf9dd7e01" + hash = "dc613a519e515ca817fdfb88f81fc9d7" + hash = "6f7d85c196c277a6a619f6d94b8f69b9" + hash = "b04d484d1e1d793b04af2a5fb88a8a57" + logic_hash = "c1d64b3eca5961d7eaab82a6934299642a70301ef791493a371ae5a29376225f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "desktop-" ascii + $ = ".\\1.docx" wide + $ = ".\\1.pdf" wide + $ = ".\\1.doc" wide + $ = ".\\1.ppt" wide + $ = ".\\1.pptx" wide + $ = "MACOS" wide + + condition: + uint32be( 0 ) == 0x4c000000 and 3 of them +} +rule SEKOIA_Hacktool_Mimikatz_Obfuscated : FILE +{ + meta: + description = "Detects Mimikatz on strings obfuscation" + author = "Sekoia.io" + id = "bac4bb61-d250-4fc3-95a5-edd4e3c7ff83" + date = 
"2022-07-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_mimikatz_obfuscated.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9f75e10122df0f57382e939d82b0ab4047d3d42f198c59faa22177d6d5d9afd7" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $xor1 = "Benjamin Delpy" xor + $xor2 = "sekurlsa" xor wide + $xor3 = "minidumpfile.dmp" wide + $xor4 = "lsadump_dcsync" xor wide + $xor5 = "kuhl_m_lsadump_getSamKey" xor wide + $b1 = "Benjamin Delpy" base64 + $b2 = "sekurlsa" base64 wide + $b3 = "minidumpfile.dmp" base64 wide + $b4 = "lsadump_dcsync" base64 wide + $b5 = "kuhl_m_lsadump_getSamKey" base64 wide + + condition: + uint16be( 0 ) == 0x4d5a and 3 of them and filesize < 5MB +} +rule SEKOIA_Crypter_Win_Dotrunpex : FILE +{ + meta: + description = "Detect the dotRunpeX crypter based on strings" + author = "Sekoia.io" + id = "6fb4ffe0-3a5c-432c-8ae2-404bb5960c30" + date = "2023-06-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crypter_win_dotrunpex.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8a2b9e19b49ba17f976241bec5323121ba13d2ce39fdcf2777fd97a230211e75" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = {52 00 75 00 6e 00 70 00 65 00 58 00 2e 00 53 00 74 00 75 00 62 00 2e 00 46 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 2e 00 65 00 78 00 65} + + condition: + uint16( 0 ) == 0x5A4D and all of them +} +rule SEKOIA_Hacktool_Rubeus_Strings : FILE +{ + meta: + 
description = "Detects Rubeus based on strings" + author = "Sekoia.io" + id = "048cab99-c288-44c2-9dc6-74eed02ef8f5" + date = "2022-02-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_rubeus_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "606c1b3c29dd4b609eba64bc5d02a81859bb574ee10bce8b0f355ac01d99689f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "includeComputerAccounts" ascii + $ = "passwordsOutfile" ascii + $ = "monitorIntervalSeconds" ascii + $ = "displayNewTickets" ascii + $ = "658c8b7f-3664-4a95-9572-a3e5871dfc06" ascii + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and 4 of them +} +rule SEKOIA_Luckymouse_Sysupdate_Loader : FILE +{ + meta: + description = "Detects decryption routine prologue of sysupdate loader" + author = "Sekoia.io" + id = "6007e846-d467-4d07-b345-e25191b7c8bc" + date = "2022-08-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/luckymouse_sysupdate_loader.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9d46b74d8e5f94ecd844cffcd6d0d29eb662374c1d6fbe87acf3c877e5f963b3" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = { DB D4 33 C9 66 B9 ?? ?? 
E8 FF FF FF FF } + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and all of them +} +rule SEKOIA_Rootkit_Diamorphine_Strings : FILE +{ + meta: + description = "Detects Diamorphine linux rootkit based on strings" + author = "Sekoia.io" + id = "5a28be5c-9a57-4204-a7cc-42dfcaa2c2da" + date = "2024-10-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rootkit_diamorphine_strings.yar#L1-L31" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "622675e83bab630adc0f1c6c46c4d6d1" + hash = "013b23213975d2646e2435f058afcacf" + hash = "f068e83721f10ad74bb6f386a4375a91" + hash = "ba9d6a6bbde602fd414cea09fcbd1aa0" + hash = "fdd86788e295010c4e61bf6b589f340e" + hash = "0d396c1763503b35a7f601831bd684de" + hash = "66b8955188a3bda7ecdcd51cfd360313" + hash = "1e4fd8c6bf0e381ac395d9bff1f98a31" + hash = "ce08ce2b8bc1718052f5d0316e3e71b7" + hash = "94982037875d4fdb17681866afc12ade" + hash = "4fa2fe9ccde3e6bd4956e2b93ca5fcb6" + hash = "644c4ce0bbe4f1f1e3aae537a111d5b8" + hash = "fb7d594621fbb4f9bdb0eb74f6090ecd" + hash = "9faf1493164e734f533f0ecfb1737a98" + hash = "33d48b6c66715ab67a059ab940d759ff" + logic_hash = "70e2e9155181a717f1c2483a748d5991488f0ba7371a2b3c9cfada2ecc5812f9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "LKM rootkit" ascii fullword + $ = "m0nad" + + condition: + uint32be( 0 ) == 0x7f454c46 and all of them +} +rule SEKOIA_Tool_Petitpotato : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "72808202-a124-478e-bc60-59d35824b948" + date = "2023-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_petitpotato.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "93a46c7765ad9f18c2176b98c91edf97827707ffdefcedc40078c87c30343508" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s2 = "set_FileName" ascii wide + $s3 = "VarFileInfo" ascii wide + $s4 = "PetitPotato.exe" ascii wide + $s5 = "0.0.0.0" ascii wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 4MB and all of them +} +rule SEKOIA_Trojan_Android_Cerberus : FILE +{ + meta: + description = "Detect samples of the Android banking trojan Cerberus, or its family" + author = "Sekoia.io" + id = "3ea398bd-a80c-40f4-ad52-73b528add4ad" + date = "2022-01-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/trojan_android_cerberus.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "18109733d15c994015646e786a7c6177a1209200fd4c80042db3d48c97c02030" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "assets/neurax.txt" + $str1 = "assets/Card_UpPotency_UI.json" + $str2 = "assets/Card_SignetFoster_UI.json" + $str3 = "assets/Gene_EmpathyTrainer.png" + $bin0 = "assets/180417.bin" + $bin1 = "assets/180513.bin" + $bin2 = "assets/180527.bin" + $bin3 = "assets/180528.bin" + + condition: + uint32be( 0 ) == 0x504B0304 and filesize > 1MB and filesize < 4MB and 3 of ( $str* ) and 3 of ( $bin* ) +} +rule SEKOIA_Apt_Darkpink_Kamikakabot_Strings +{ + meta: + description = "Detects KamiKakaBot strings (.NET sample of Dark Pink)" + author = "Sekoia.io" + 
id = "0f5a7d72-81c8-4fdd-aefd-136bc6d48aa5" + date = "2023-02-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_darkpink_kamikakabot_strings.yar#L1-L30" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0bc37c96b591d8edb1fd288ef874b3cc31879ce166b8734a3dd0e29644cbea55" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Execute" + $ = "f4869" + $ = "getIndentifyName" + $ = "getMessageAsync" + $ = "requestMessageID" + $ = "run_command" + $ = "sendFile" + $ = "sendMessage" + $ = "send_brw_data" + $ = "updateMessageID" + $ = "update_new_token" + $ = "update_new_xml" + $ = {53 00 74 00 61 00 72 00 74 00 65 00 64 00 20 00 75 00 70 00 20 00 72 00 75 00 6e} + $ = {20 00 72 00 65 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 65 00 64 00 21} + $ = {6e 00 65 00 77 00 20 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 65 00 64 00 21} + $ = {74 00 6f 00 6b 00 65 00 6e 00 20 00 75 00 70 00 64 00 61 00 74 00 65 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 21 00 21 00 21} + + condition: + 6 of them +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Andardoor : FILE +{ + meta: + description = "Detect the Andardoor backdoor used by Andariel" + author = "Sekoia.io" + id = "27f28f6e-b8fd-41dc-88a8-92f5a125a807" + date = "2023-09-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_andardoor.yar#L4-L34" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "631836634222f4e081d3070c92150a4e14f06bcdd462fbfdf0756aa1f2661b59" + score = 75 + quality = 80 + tags = "FILE" 
+ version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = " : Deleted Dir" wide + $ = " : Not Exists" wide + $ = " : Deleted File" wide + $ = " : Closed." wide + $ = " : Opened." wide + $ = "GoodLuck!" wide + + condition: + uint16( 0 ) == 0x5A4D and all of them or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "9fea4972270c492ca304f3663913ae63" ) or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "34fde27c3c864efa6225e72016992d341f29cbbea638432a1c63ce05ca568300" ) +} +rule SEKOIA_Koiloader_Lnk : FILE +{ + meta: + description = "LNK file leading to deploy KoiLoader" + author = "Sekoia.io" + id = "e82975b9-94b7-4de8-8cd5-d594aa80cf02" + date = "2024-03-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/koiloader_lnk.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "49953c76796f671ed80afa21872aac500d706f2af4426a5ec2854e16b9d0e474" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "bat & schtasks /create" wide + $s2 = "/sc minute /mo 1" wide + $s3 = "c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgLVVzZUJhc2ljUGFyc2luZyAnaHR0cHM6" wide + $s4 = " & certutil -f -decode " wide + + condition: + uint32( 0 ) == 0x0000004c and all of them +} +rule SEKOIA_Shell_Win_Danfuan : FILE +{ + meta: + description = "Detect the Danfuan malware" + author = "Sekoia.io" + id = "d1cf9988-270b-4a22-bdd5-f40b625715a8" + date = "2022-11-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/shell_win_danfuan.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "96929ef478a8773022233a4092b3c157867aae6ee185568a6327d033c05a68f1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "<%@ WebHandler Language=\"C#\" class=\"DynamicCodeCompiler\"%>" + $ = "CompilerResults compilerResults = compiler.CompileAssemblyFromSource(comPara, SourceText(txt))" + $ = "MethodInfo objMifo = objInstance.GetType().GetMethod(" + + condition: + filesize < 15KB and all of them +} +rule SEKOIA_Crime_Sload_Scheduledtask_Dropper_Strings +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "01c51da8-71a5-449f-a609-933c37bc2e63" + date = "2022-08-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crime_sload_scheduledtask_dropper_strings.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3a48009933d1de47314ec15c262375636574a7565016eab3792106fa2c0ba79f" + score = 75 + quality = 78 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$hh='hi'+'dd'+'en';" + $ = { 7D 65 6C 73 65 7B 0A 24 72 73 3D 30 3B 0A 7D 0A } + $ = { 6B 69 6C 6C 20 2D 6E 61 6D 65 20 2A 77 65 72 73 68 65 6C 2A } + + condition: + all of them +} +rule SEKOIA_Hacktool_Win_Processhacker : FILE +{ + meta: + description = "Detect ProcessHacker hacktool" + author = "Sekoia.io" + id = "1dffe8c9-2ab7-4265-965e-8673b80f17d5" + date = "2022-09-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_win_processhacker.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "cfcfaa7f3afc8b82ce0188d9ead63746a7effd40acb6ad504f8d70a45d8476d5" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "Unable to uninstall KProcessHacker" wide + $str1 = "Process Hacker's settings file is corrupt. Do you want to reset it?" wide + $str2 = "Process Hacker uses the following components:" wide + + condition: + uint16( 0 ) == 0x5A4D and all of them +} +rule SEKOIA_Apt_Shadowpad_First_Called_Function : FILE +{ + meta: + description = "Detects entrypoint of shadowpad" + author = "Sekoia.io" + id = "3ce1ffd3-5c30-4b36-b7cc-c9fa873ebc25" + date = "2023-01-30" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_shadowpad_first_called_function.yar#L1-L36" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a40db3fad01f4177973fd50bd489e5c4ff6d3592dfff063c2c31694007c31e0b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $chunk_1 = { + 48 83 EC 28 + 33 C9 + FF 15 ?? ?? ?? ?? + 8B 80 ?? ?? ?? ?? + 3B 05 ?? ?? ?? ?? + 74 ?? + E8 ?? ?? ?? ?? + E8 ?? ?? ?? ?? + EB ?? + 48 8B 0D ?? ?? ?? ?? + E8 ?? ?? ?? ?? + 8B C8 + FF 15 ?? ?? ?? ?? + 90 + B9 28 04 00 00 + FF 15 ?? ?? ?? ?? 
+ 90 + 48 83 C4 28 + C3 + } + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Loader_Win_Squirrelwaffle : FILE +{ + meta: + description = "Detect the Squirrelwaffle DLL" + author = "Sekoia.io" + id = "bea3125e-6e84-435f-855b-fd3239a0deac" + date = "2021-09-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_squirrelwaffle.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ab1a95f09564d0417d5c06c578d4dc8d790ec09bc67716d8c9e5207262a0594d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ascii + $s2 = "c:\\equal\\True\\bird_Select\\780\\true.pdb" ascii + + condition: + uint16( 0 ) == 0x5A4D and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Minibus : FILE +{ + meta: + description = "Detect the MINIBUS backdoor used by UNC1549 since August 2023" + author = "Sekoia.io" + id = "f88bcf15-9a9f-4d84-adc6-db1db55fe93c" + date = "2024-02-29" + modified = "2024-12-19" + reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_minibus.yar#L4-L41" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "57dabcc15c84c4497b3561f19a7e464fb0dfe93576f4caea88c7cd8534cb4bfd" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $dll_150_1 = "TorvaldsPersist.dll" + $dll_150_2 = "FileCoAuth.exe" + $dll_50_1 = "TorvaldInitial.dll" + $dll_50_2 = 
"\\essential.dat" + + condition: + ( uint16( 0 ) == 0x5A4D and all of ( $dll_150_* ) or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "2cf9797b1cfb5795d0fb892b7c371d506a5dd8b7c64fdc82975b3fde6d997df0" ) ) or ( uint16( 0 ) == 0x5A4D and all of ( $dll_50_* ) or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "de3fb5d4419eb6b943872dd6e3dd93d19584ef2b158aa3158b3b09f0a9b628ef" ) ) +} +rule SEKOIA_Apt_Cloudmensis_Downloader_Strings : FILE +{ + meta: + description = "Detects CloudMensis downloader" + author = "Sekoia.io" + id = "450cfa42-7b56-4d93-afe2-9cf5c1049217" + date = "2022-07-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudmensis_downloader_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9532530f9b6c39d64611354f5d3c95e7c8b9ebf917ab797c162c3b51945db1fc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "https://api.pcloud.com/getfilelink?path=%@&forcedownload=1" + $ = "python -c 'import os; print(os.confstr(65538))'" + $ = "getCmdResult:" + $ = "[pCloud DownloadFile:]" + + condition: + uint32be( 0 ) == 0xcafebabe and filesize < 1MB and all of them +} +rule SEKOIA_Apt_Uta0178_Javascript_Inclusion_Strings +{ + meta: + description = "Detects UTA0178 malicious inclusion strings" + author = "Sekoia.io" + id = "af816c35-1f00-47ea-86ee-c034607c625e" + date = "2024-01-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_uta0178_javascript_inclusion_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d3fedf49417178df374d6ae20e57ffcfa00cb68a647769964c049d9a8e0f4958" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s0 = ".value" + $s1 = "btoa(" + $s2 = "https://" + $s3 = "new XMLHttpRequest();" + $s4 = ".send(null);" + + condition: + @s0< @s1 and @s1 < @s2 and @s2 < @s3 and @s3 < @s4 and @s4- @s0 < 350 +} +rule SEKOIA_Apt_Evasive_Panda_Downloader_Certificate_Exe : FILE +{ + meta: + description = "Detects downloader used by Evasive Panda (certificate.exe)" + author = "Sekoia.io" + id = "1b40fca9-04b1-46b3-b48c-5a148a1b36b9" + date = "2024-03-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_evasive_panda_downloader_certificate_exe.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "38115b463378f58035a0ef0536a6af4adbec7c275164758d312e95300670b695" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = {C6 45 D4 44 C6 45 D5 74 C6 45 D6 7C C6 45 D7 74 C6 45 D8 79} + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Infostealer_Win_Daolpu_Str : FILE +{ + meta: + description = "Finds Daolpu Stealer samples based on specific strings." 
+ author = "Sekoia.io" + id = "dde1cf12-48d8-45b6-b453-b7196e6b1271" + date = "2024-07-23" + modified = "2024-12-19" + reference = "https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_daolpu_str.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9372a88efcdca6ca57f354fb31569522e5458271cc51dfedf09c6178a47a5b67" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Content-Type: %s%s%s" ascii + $str02 = "Content-Disposition: %s%s%s%s%s%s%s" ascii + $str03 = "\\CocCoc\\Browser\\User Data\\Local State" ascii + $str04 = "\\Microsoft\\Edge\\User Data\\Default\\Login Data" ascii + $str05 = "\\Mozilla\\Firefox\\Profiles" ascii + $str06 = "No MAC Address Found" ascii + $str07 = "C:\\Windows\\Temp\\" ascii + $str08 = "C:\\Windows\\Temp\\result.txt" ascii + $str09 = "Privatekey@2211#$" ascii + $str10 = "CryptStringToBinaryA Failed to convert BASE64 private key." 
ascii + $str11 = "taskkill /F /IM chrome.exe" ascii + + condition: + uint16( 0 ) == 0x5A4D and 8 of them +} +rule SEKOIA_Apt_Emissarypanda_Web_Auto_Attack_Tool : FILE +{ + meta: + description = "Detect LuckyMouse's Web auto attack tool" + author = "Sekoia.io" + id = "c93eb792-a443-4c9a-8fcb-6015cc69f9b3" + date = "2022-08-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_emissarypanda_web_auto_attack_tool.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "bc55758367ba0a6b5cf963bcb51b7770b2c7b1cf43b0b79e663b4110f6a7bba8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[192.168.1.1/24|192.168.1.1|192.168.1|@host.txt]" ascii + $ = "80,s443,8080,s8443,8000-8010" ascii + $ = "exploit When find module vul" ascii + $ = "\\s*(.*?)\\s*" ascii + $ = " 100MB and #s1 > 40 +} +rule SEKOIA_Trojan_Win_Bbtok_Dll1_Sep23 : FILE +{ + meta: + description = "Finds BBTok installation DLL file" + author = "Sekoia.io" + id = "eebed24b-24ec-4a85-852c-52d0acc9a698" + date = "2023-09-26" + modified = "2024-12-19" + reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/trojan_win_bbtok_dll1_sep23.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "5353956345206982af9bde55300fc405ba6e40722e8f51e8717c30ad32bc8f91" + logic_hash = "1b1e25f7d760d275d2ef01390c215edb1752ad65383c92a21d71d9e65da3c5f8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = 
"C:\\Windows\\System32\\rundll32.exe" wide + $str02 = "C:\\ProgramData\\mmd.exe" wide + $str03 = "REG ADD HKCU\\Software\\Classes\\.pwn\\Shell\\Open\\command -ve /d" wide + $str04 = "C:\\ProgramData\\mmd.exe \\\\" wide + $str05 = "\\file\\Trammy.dll" wide + $str06 = "Dacl & REG DELETE HKCU\\Software\\Classes\\ms-settings /f" wide + $str07 = "REG DELETE HKCU\\Software\\Classes\\.pwn /f" wide + $str08 = "REG ADD HKCU\\Software\\Classes\\ms-settings\\CurVer -ve /d \".pwn\" /f" wide + $str09 = "timeout /t 3 >nul & start /MIN computerdefaults.exe" wide + $str10 = "set_StartInfo" ascii + $str11 = "set_WindowStyle" ascii + + condition: + uint16( 0 ) == 0x5a4d and 7 of them and filesize < 50KB +} +import "hash" +import "pe" + +rule SEKOIA_Ransomware_Win_Blackmatter +{ + meta: + description = "Detect Black matter ransomware (2021-07-23)" + author = "Sekoia.io" + id = "9b2d8ac3-b4d1-40f5-ac57-411547dcb2cf" + date = "2021-08-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_blackmatter.yar#L4-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5a407a9901314211e13bef30254f1d129cf3c731ea970abff8602f1ae40177cb" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "5e89d335de2021a2c268acf00ec513e5" ) +} +rule SEKOIA_Apt_Kimsuky_Sharptongue_C2_Source +{ + meta: + description = "Detects the PHP code of the SharpTongue C2" + author = "Sekoia.io" + id = "a2ccf773-511c-4088-8bcf-b923291d024b" + date = "2022-07-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_sharptongue_c2_source.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c301a99876cfe2863546c990654aa922f9327e0eb010968eaea43f1d8ced76da" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = " $value)" + $ = "$chk=$value" + $ = "base64_encode($ip)" + + condition: + all of them +} +rule SEKOIA_Backdoor_Powershellempire_Csharp : FILE +{ + meta: + description = "Detects CSharp version of Empire" + author = "Sekoia.io" + id = "952e8e9b-8e4d-4550-9cf4-7ffd2f9d0672" + date = "2022-04-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_powershellempire_csharp.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "536ef1167627c3dadb866d55e7eae2220c3fbd6961e2cfa71656656d984b9b90" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[-] Catastrophic .Net Agent Failure, Attempting Agent Restart:" ascii wide + $ = "[!] 
Upload failed - No Delimiter" ascii wide + $ = "SELECT * FROM Win32_IP4RouteTable" ascii wide + $ = "no shell command supplied" ascii wide + $ = "[-] CmdletInvocationException:" ascii wide + $ = "[*] File download of" ascii wide + $ = "Script successfully saved in memory" ascii wide + $ = "Invoke-Empire" ascii wide + $ = "website to reach:" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and 5 of them and filesize < 1MB +} +rule SEKOIA_Implant_Macos_Geacon : FILE +{ + meta: + description = "Finds Geacon samples based on specific strings" + author = "Sekoia.io" + id = "a7784bfa-66a7-47df-b88b-d98217d8cca5" + date = "2024-01-11" + modified = "2024-12-19" + reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_macos_geacon.yar#L1-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "284574d185d3777a373f4a19e0870eec5245fb8ea5ebd6124bc281f8c74e0998" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $gea01 = "geacon/config.init" ascii + $gea02 = "geacon_pro-master/config/config.go" ascii + $gea03 = "geacon_plus-main/config/config.go" ascii + $gea04 = "command type %d is not support by geacon now" ascii + $gea05 = "main/sysinfo.GeaconID" ascii + $str01 = "command.StealToken" ascii + $str02 = "command.MakeToken" ascii + $str03 = "command/misc.go" ascii + $str04 = "config/c2profile.go" ascii + $str05 = "crypt.AesCBCDecrypt" ascii + $str06 = "packet.File_Browse" ascii + $str07 = "packet.FirstBlood" ascii + $str08 = "packet.ParseCommandShell" ascii + $str09 = "packet.ParseCommandUpload" ascii + $str10 = "packet.PushResult" ascii + $str11 = "sysinfo.GetComputerName" ascii + $str12 = "sysinfo.IsOSX64" ascii + $str13 = "util..inittask" ascii + + condition: + 
uint32( 0 ) == 0xFEEDFACF and ( ( 1 of ( $gea* ) and 2 of ( $str* ) ) or 8 of ( $str* ) ) +} +rule SEKOIA_Apt_Apt41_Powershell_Exfiltration_Script : FILE +{ + meta: + description = "Detects PowerShell exfiltration script" + author = "Sekoia.io" + id = "9a15f845-c0af-4f1c-a033-b4f40232dc0d" + date = "2023-11-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt41_powershell_exfiltration_script.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0ba4118855d6bd54cbb3a35e3b5fc36484eeb1e742ed3480e6c967b078ec4881" + score = 75 + quality = 72 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$UPLOAD_PASSPORT" ascii wide nocase + $ = "$fileName=$singleFile.Name" ascii wide nocase + $ = "Upload-Passport" ascii wide nocase + $ = "$singleFile in $files" ascii wide nocase + + condition: + filesize < 10KB and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Wiper_Win_Dnwipe : FILE +{ + meta: + description = "Detect the dnWipe malware" + author = "Sekoia.io" + id = "522fdaa5-8fe6-4e37-aaf8-13e3a7787d21" + date = "2022-11-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/wiper_win_dnwipe.yar#L4-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "634ca80a168c9d98ce87a3a1a451769bddb7ae27e28b3682693b34ccce2c7ad4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "dnWIPE" + $ = "dnWIPE" wide + $ = "C:\\Users\\Admin1\\source\\repos\\dnWIPE\\dnWIPE\\obj\\Debug\\dnWIPE.pdb" + + condition: + uint16( 0 ) == 0x5A4D and all 
of them and filesize < 50KB or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "93290ef6447b0a16b92e50a1652ac3eb8f1237cc5f8005e080750fb58c19d230" ) +} +rule SEKOIA_Hacktool_Mimikat_Ssp_Strings : FILE +{ + meta: + description = "Detects mimikat_ssp" + author = "Sekoia.io" + id = "33b3620f-e02d-4d29-adcc-fea3b49ab780" + date = "2023-11-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_mimikat_ssp_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "06325bf495963db90b14fb16a5f3eafda9e4554f753d04405af51c6041a9b166" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[*] Building RPC packet" ascii + $ = "[*] Connecting to lsasspirpc RPC service" ascii + $ = "[*] Sending SspirConnectRpc call" ascii + $ = "[*] Sending SspirCallRpc call" ascii + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 500KB and all of them +} +rule SEKOIA_Generic_Sharpshooter_Payload_11 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "703d2eb2-c9fd-4891-ba95-f94a8313618e" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_11.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "00c0dcc244db608d3a0d7500cdebadcc69ba0d56091a0a1fd7d58c27d255861f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "decodeHex = 
EL.NodeTypedValue" + $ = "Private Function decodeHex(hex)" + $ = "serialized_obj = serialized_obj & " + $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)" + + condition: + all of them and filesize < 2MB +} +import "hash" +import "pe" + +rule SEKOIA_Apt_Mustang_Panda_Toneshell : FILE +{ + meta: + description = "Detect the TONESHELL implant used by Mustang Panda from specific functions" + author = "Sekoia.io" + id = "bf7c68a9-dddc-494a-a603-c2311ed712a4" + date = "2022-11-28" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustang_panda_toneshell.yar#L4-L160" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "192fb01817cc6361062999cf539c51616d1755a5cd8e9d6e37bee6f6d04b0721" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $func1 = { + 55 + 89 E5 + 64 A1 18 00 00 00 + A3 ?? ?? ?? ?? + 5D + C3 + } + $func2 = { + 55 + 89 E5 + 50 + 8B 45 ?? + 8B 45 ?? + 8B 45 ?? + 8B 45 ?? + 89 45 ?? + 8B 45 ?? + 89 C1 + 83 C1 FF + 89 4D ?? + 83 F8 00 + 0F 84 ?? ?? ?? ?? + 8B 45 ?? + 8A 08 + 8B 45 ?? + 88 08 + 8B 45 ?? + 83 C0 01 + 89 45 ?? + 8B 45 ?? + 83 C0 01 + 89 45 ?? + E9 ?? ?? ?? ?? + 8B 45 ?? + 83 C4 04 + 5D + C3 + } + $decryption_routine1 = { + 8B 45 ?? + C7 45 ?? 00 00 00 00 + 83 7D ?? 20 + 0F 8D ?? ?? ?? ?? + 8B 45 ?? + 8B 4D ?? + 0F BE 04 08 + 83 F0 ?? + 88 C2 + 8B 45 ?? + 8B 4D ?? + 88 14 08 + 8B 45 ?? + 83 C0 01 + 89 45 ?? + E9 ?? ?? ?? ?? + 83 C4 04 + } + $decryption_routine2 = { + 55 + 89 E5 + 83 EC 08 + 8B 45 ?? + 8B 45 ?? + 8B 45 ?? + 8B 45 ?? + C7 45 ?? 00 00 00 00 + C7 45 ?? 00 00 00 00 + 8B 45 ?? + 3B 45 ?? + 0F 8D ?? ?? ?? ?? + 8B 45 ?? + 8B 4D ?? + 0F BE 04 08 + 8B 4D ?? + 8B 55 ?? + 0F BE 0C 11 + 31 C8 + 88 C2 + 8B 45 ?? + 8B 4D ?? + 88 14 08 + 8B 45 ?? + 8B 4D ?? 
+ 83 E9 01 + 39 C8 + 0F 85 ?? ?? ?? ?? + C7 45 ?? 00 00 00 00 + E9 ?? ?? ?? ?? + 8B 45 ?? + 83 C0 01 + 89 45 ?? + 8B 45 ?? + 83 C0 01 + 89 45 ?? + E9 ?? ?? ?? ?? + 83 C4 08 + 5D + C3 + } + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 8MB and for all i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) != "69f400d3ff4679294e63fb8a8ca97dbb" ) and 3 of them and true +} +rule SEKOIA_Apt_Granitetyphoon_Pingpulllinux_Strings : FILE +{ + meta: + description = "Detects PingPull Linux variant" + author = "Sekoia.io" + id = "ee213206-d9ad-47fa-bea1-61a9d2cfba58" + date = "2023-05-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_granitetyphoon_pingpulllinux_strings.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "89c89bb24d1996c04fba0e6ebfd2aaf1544d8a9e6333b896c1855747fb979308" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "chkconfig --add %s" + $ = "chkconfig %s on" + $ = "update-rc.d %s enable" + $ = "service %s start" + $ = "respawn limit 10 10" + $ = "POST /%s HTTP/1.1" + $ = "PROJECT_%s_%s_%08X" + $ = "Description=The HTTP(S) Client" + $ = "exec %s -f" + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 11MB and 7 of them +} +import "hash" +import "pe" + +rule SEKOIA_Downloader_Win_Fake_Tor_Browser +{ + meta: + description = "Detect fake TOR browser used to spy Chinese TOR users" + author = "Sekoia.io" + id = "6b070ba6-490b-43c2-9a01-65812d829eeb" + date = "2022-10-05" + modified = "2024-12-19" + reference = "https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_win_fake_tor_browser.yar#L4-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5fe60673e54a6904f4fd068b04b950b895b18e7766d2e7343eae2b1bba9591f9" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "7172f95f934574be95c0250fb42b8f51" ) +} +rule SEKOIA_Infostealer_Win_Solarmarker_Dll : FILE +{ + meta: + description = "Finds SolarMarker DLL based on characteristic strings" + author = "Sekoia.io" + id = "a2fe7f09-7134-4054-ba40-5ea66785a26c" + date = "2022-12-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_solarmarker_dll.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5be0a95adb7e486cdec5f0e8433afed41516fc1a990e1d1ba00db7e8fb32dbbb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $zka = "zkabsr" wide + $str0 = "set_PersistKeyInCsp" ascii + $str1 = "get_IV" ascii + $str2 = "get_MachineName" ascii + $str3 = "get_Current" ascii + $str4 = "ps_script" ascii + $str5 = "request_data" ascii + $str6 = "WindowsBuiltInRole" ascii + $str7 = "DllImportAttribute" ascii + $str8 = "get_BlockSize" ascii + $str9 = "GetRequestStream" ascii + + condition: + uint16( 0 ) == 0x5A4D and ( ( $zka and 3 of ( $str* ) ) or ( all of ( $str* ) ) ) and filesize < 1MB +} +rule SEKOIA_Ransomware_Win_Raworld +{ + meta: + description = "Detects files related to stage 1 of a campaign from the ransomware group RA 
World." + author = "Sekoia.io" + id = "a9ed9c5a-7a0e-4c2e-90f4-d52f5589b2b8" + date = "2024-07-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_raworld.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "583dd2ea8e20a87d0b67783d1dd59212eb133de1f945d5b4afad89e8a5017d35" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "Loder.exe" ascii fullword + $s2 = "Stage2.exe" wide + $s3 = "SYSVOL" wide + $s4 = "Finish.exe" wide + $s5 = "Exclude.exe" wide + $s6 = "Stage3.exe" wide + $s7 = "Pay.txt" ascii fullword + $s8 = "RA World" ascii fullword + $s9 = "Stage1.exe" ascii fullword + + condition: + 4 of them +} +rule SEKOIA_Apt_Uta0218_Upstyle_Backdoor_Strings : FILE +{ + meta: + description = "Detects UPSTYLE backdoor" + author = "Sekoia.io" + id = "098fbad7-efaf-4198-83de-208c2ae16f89" + date = "2024-04-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_uta0218_upstyle_backdoor_strings.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "bcba657b0b302f4b46f09bc4b815a581d22208b5d9f99e1233878f775241f92e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1_1 = "f.write(b'''import base64;exec(base64.b64decode(b" ascii + $s1_2 = "atime=os.path.getatime(" ascii + $s2_1 = "exec(base64.b64decode(functioncode))" ascii base64 + $s2_2 = "os.path.exists(systempth):" ascii base64 + $s2_3 = ".read().replace(b\"\\x00\",b\" \")" ascii base64 + $s3_1 = "if WRITE_FLAG:" ascii base64 + $s3_2 = 
"re.search(SHELL_PATTERN" ascii base64 + $s3_3 = "import threading,time,os,re,base64" ascii base64 + + condition: + filesize < 1500 and ( 2 of ( $s1_* ) or 2 of ( $s2_* ) or 2 of ( $s3_* ) ) +} +rule SEKOIA_Apt_Flightnight_Malicious_Lnk : FILE +{ + meta: + description = "Detects malicious LNK used by FlightNight" + author = "Sekoia.io" + id = "06f33ece-ac9f-4dd3-98fb-cd69305ee995" + date = "2024-04-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_flightnight_malicious_lnk.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3446852709fe425b2c053ffdb9c078cf20e442ef50fe20402d3b4c9e9d8b543a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s0 = "/c start /B " wide + $s1 = ".exe &" wide + $s2 = ".pdf" wide + $s3 = "%CD%" wide + + condition: + uint32be( 0 ) == 0x4c000000 and $s1 in ( @s0 .. @s2 ) and $s1 in ( @s0 .. 
@s0 + 100 ) and $s3 +} +rule SEKOIA_Apt_Polonium_Powershell_Creepydrive_Strings +{ + meta: + description = "Detects POLONIUM CreepyDrive Powershell implant" + author = "Sekoia.io" + id = "0ba196bd-9cd6-4553-b7bf-69989cdb8be4" + date = "2022-06-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_polonium_powershell_creepydrive_strings.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "28b8f10a36d13e97e606b082f20c50c3d48241409e7f1aca621e2af9d756dbe5" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "function Exec($comm)" base64 ascii wide + $ = "$comm = $comm + \"| outstring" base64 ascii wide + $ = "Invoke-Expression -Command:$comm" base64 ascii wide + $ = "microsoft.com" base64 ascii wide + $ = "$req = Invoke-WebRequest" base64 ascii wide + $ = "$j += $data" base64 ascii wide + $ = "$res = Exec($arr[$i])" base64 ascii wide + $ = "$arr = @(iex \"$req\")" base64 ascii wide + $ = "elseif ($req -cmatch" base64 ascii wide + $ = "graph.microsoft.com" base64 ascii wide + + condition: + 3 of them +} +rule SEKOIA_Tool_Sharphoundexecutable_Strings : FILE +{ + meta: + description = "Detects the SharpHound tool" + author = "Sekoia.io" + id = "2cf8046e-5b4d-4ff7-b4b2-7aaeaf58883b" + date = "2022-08-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_sharphoundexecutable_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1b28a2b9dd594f344a1a2a74fd9b30527a66dabb451b21afca40a0e6ec8d3553" + score = 75 + quality = 80 + tags = "FILE" + version = 
"1.0" + classification = "TLP:CLEAR" + + strings: + $ = "BloodHoundLoopResults.zip" wide + $ = "[-] Removed PSRemote Collection" wide + $ = "Initializing SharpHound at {time} on {date}" wide + $ = "[SearchForest] Cross-domain enumeration may result in reduced data quality" wide + $ = "SharpHound Enumeration Completed at {Time} on {Date}! Happy Graphing!" wide + $ = "Consumer task on thread {id} completed" wide + + condition: + uint16be( 0 ) == 0x4d5a and 3 of them +} +import "pe" + +rule SEKOIA_Apt_Sofacy_Graphitemalware_Generic : FILE +{ + meta: + description = "Detects APT28 graphite malware based on strings" + author = "Sekoia.io" + id = "6b51cfa3-4a7d-4c2a-9fd9-f129b8a18466" + date = "2022-09-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sofacy_graphitemalware_generic.yar#L3-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f4c994c36768bae6d6e3b5aeefb634e485ab7b483a693781f29d5ff44c71996f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Microsoft Enhanced RSA and AES Cryptographic Provider" wide + $ = "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" wide + $ = "%s %04d sp%1d.%1d %s" + $ = "%s%c%s%c%s" + $ = "InternetReadFile" + $ = "ObtainUserAgentString" + $ = "CryptImportKey" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 100KB and ( all of them or pe.imphash ( ) == "c56c322548250651361aef7dacf93eaf" ) +} +rule SEKOIA_Apt_Oilrig_Saitama_Backdoor_May2022_2 : FILE +{ + meta: + description = "Detects Saitama backdoor variants" + author = "Sekoia.io" + id = "f885551a-d0f0-431d-aa4f-7caa93b1db6a" + date = "2022-05-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_saitama_backdoor_may2022_2.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "622c386d4b10b81a5c84f9c093d91add04497a707ba88e8395fda8587b5c3791" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "_CorExeMain" + $ = "GetAgentID" + $ = "ComputeStringHash" + $ = ".Agent.pdb" + $ = "TaskExecTimeout" + + condition: + uint16be( 0 ) == 0x4d5a and 5 of them +} +rule SEKOIA_Generic_Sharpshooter_Payload_8 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "e28a1cd3-f7b6-4a55-8229-484e0bbeb7cb" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_8.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "71e4eb41968818e1dd484a259af9eec30a517423b00da75ce21773bf695cbc7d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Private Function decodeHex(hex)" + $ = "Dim serialized_obj" + $ = "decodeHex = EL.NodeTypedValue" + $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)" + + condition: + all of them and filesize < 2MB +} +import "hash" +import "pe" + +rule SEKOIA_Loader_Win_Revil_Loader +{ + meta: + description = "Detect the REvil loader using DDL side loading. 
The detected ressource is a legitimate executable used to load the malicious .dll containing the ransomware" + author = "Sekoia.io" + id = "3c293e87-e2d7-475a-9536-8b991961fa11" + date = "2021-07-19" + modified = "2024-12-19" + reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_revil_loader.yar#L4-L34" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "15680c5e5d801d65e581869ad88d89863c8a51e3f94a3d2f37c02c5fd14df07f" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e" + hash2 = "50416e50797cf88a48d086e718c003e2d10c3847b1a251669d6f10f8d3546e03" + hash3 = "66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8" + hash4 = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471" + hash5 = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7" + hash6 = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e" + hash7 = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f" + hash8 = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e" + + strings: + $crypto = ".\\crypto\\" ascii + $dropped_name1 = "MsMpEng.exe" wide + $dropped_name2 = "mpsvc.dll" ascii + + condition: + all of ( $dropped_name* ) and #crypto > 100 and for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . 
length ) == "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a" ) +} +rule SEKOIA_Apt_Kimsuky_Sharpext_Compromised_Securepreferences +{ + meta: + description = "Detects compromised Chrome SecurePreferences file" + author = "Sekoia.io" + id = "aeda5d15-82e1-4ffc-8252-1eb4fc78d024" + date = "2022-07-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_sharpext_compromised_securepreferences.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "662358fdb4c4cfa9984d06e391ade52e1c7a3d7b78724aea4fb0d6035fe2e7b2" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "\"devtools\", \"tabs\", \"webNavigation\", \"webRequest\", \"webRequestBlocking\"" + $ = "AppData\\\\Roaming" + $ = "https://*/*" + + condition: + all of them +} +rule SEKOIA_Apt_Apt41_Powershell_Collection_Script : FILE +{ + meta: + description = "Detects PowerShell collection script" + author = "Sekoia.io" + id = "55b6cc3e-24b2-4faa-a7fb-b4203a8e6d83" + date = "2023-11-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt41_powershell_collection_script.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8b0462636c9f6270baff2bf09638e94db6d5a0472b8216ddd1919a77b6a63aca" + score = 75 + quality = 70 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$yestoday.ToString(" ascii wide nocase + $ = "$m.LastAccessTime -" ascii wide nocase + $ = "$fmat=" ascii wide nocase + $ = "$computername" ascii wide nocase + $ = "Rar.exe" ascii wide 
nocase + + condition: + filesize < 10KB and all of them +} +rule SEKOIA_Tool_Powershell_Unicorn : FILE +{ + meta: + description = "Detects Unicorn Powershell" + author = "Sekoia.io" + id = "287c1669-2ee1-488e-bf66-a99bfe309c90" + date = "2022-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_powershell_unicorn.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8be79789cf77d4f304d9fef4ad6a2d2ac7686b015fff3301fb3e369f2f06230a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ").value.toString() ('JAB" ascii wide + $ = ").value.toString());powershell (" ascii wide + $ = "powershell /w 1 " ascii wide + + condition: + all of them and filesize < 100KB +} +rule SEKOIA_Unk_Quad7_Updtae_Reverse_Shell_Strings : FILE +{ + meta: + description = "Reverse shell used by Quad7 operators" + author = "Sekoia.io" + id = "02d5394e-734c-4744-b293-1bf96bf1518c" + date = "2024-08-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/unk_quad7_updtae_reverse_shell_strings.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "40b5ac87ff87634c48fdd2cf64ccb66b" + hash = "4b8e97260d9ef6ca774675be682d9c8c" + logic_hash = "0e816716d4d7fd35617b1ac96ae99d68d5b96f64f8bef83d0f6aba2a3fbd9326" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "User-Agent: IOT" + $ = "/iot/post" + $ = "vender" + $ = "Response: %s" + $ = "cmdNum" + $ = "UPDTAE" + $ = "cmdResult" + + condition: + uint32be( 0 ) == 0x7f454c46 and 
filesize < 5MB and 4 of them +} +rule SEKOIA_Trojan_Win_Bbtok_Iso_Sep23 : FILE +{ + meta: + description = "Finds BBTok installation ISO file" + author = "Sekoia.io" + id = "6032853d-b872-4b2e-913d-366e7f3d0f32" + date = "2023-09-26" + modified = "2024-12-19" + reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/trojan_win_bbtok_iso_sep23.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "140e83d2e0d012cdd5625ea89c3b3af05a80877cfc8215bbe20823e7e88c80b1" + logic_hash = "efef1e4e50d84cd30c025c86beb751c73a996cca896f90729571f48259ffc110" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $iso = {43 44 30 30 31} + $str01 = "POWERISO" ascii + $str02 = "%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe" ascii wide + $str03 = ".pdf /Y & start" wide + $str04 = "\\MSBuild.exe -nologo \\\\" ascii wide + + condition: + all of them and filesize < 500KB +} +rule SEKOIA_Apt_Oilrig_Sc5Kv3_Strings : FILE +{ + meta: + description = "Detects SC5kv3 malware based on strings" + author = "Sekoia.io" + id = "885ea13b-47b0-4a6d-8136-9b31abc9064a" + date = "2023-12-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_sc5kv3_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ace8e227abd97d0ec21815cc58c24d46e4944f2b0e1987672be53f81356a7a57" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "no-reply this email!" 
ascii wide + $ = "The serial is " ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 5MB and all of them +} +rule SEKOIA_Stealer_Win_Demotryspy : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "70af0e40-b177-49a3-bff4-723f3f4aa375" + date = "2024-02-09" + modified = "2024-12-19" + reference = "https://paper.seebug.org/3115/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/stealer_win_demotryspy.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b7a910e4d394d2122e6b4fe76daa6691a642396e27f7a47d09232f4b7eb424ee" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $demotry1 = "DemoTry.exe" + $demotry2 = "DemoTry\\Release\\DemoTry.pdb" + $wide1 = "\\loc.tmp" wide + $wide2 = "\\log.tmp" wide + $wide3 = "\\Google\\Chrome\\User Data" wide + $wide4 = "\\Default\\Login data" wide + $wide5 = "\\Local State" wide + + condition: + uint16be( 0 ) == 0x4d5a and ( 1 of ( $demotry* ) or all of ( $wide* ) ) +} +rule SEKOIA_Keylogger_Win_Donot +{ + meta: + description = "Detect the DoNot's keylogger malware" + author = "Sekoia.io" + id = "4f67dda7-da68-4496-a8b4-a8a769ddd763" + date = "2023-03-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/keylogger_win_donot.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "eb935f84335e934346511b4108f70df469deef6ecaaba809c144197c04a28f64" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = 
"iwrct2mTFAu0ew1nyqQgoaNtNo0+52R0XiTKbwy1W48Bn1b2YcNt0+tptyY6oGoAeLDGekM/yHcdikNGi8bLqkUQ8CIdkWeT3QiympOTfjs=" + $ = "ZmVwZW9kbWZ2c24ucHMuZ3h4LngweXBvdWpkYm1qcXE7YnFmVXp1LmZvb3VEcA==" + + condition: + 1 of them +} +rule SEKOIA_Loader_Win_Konni_Wpnprv : FILE +{ + meta: + description = "Detect the wpnprv DLLs used for KONNI for UAC bypass" + author = "Sekoia.io" + id = "02162533-4ace-42bf-8df0-38b140487f01" + date = "2023-09-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_konni_wpnprv.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "32178c97795aeead9c186e0b7fb508376045acb7534e6ce9e617c06fd399c3da" + score = 75 + quality = 55 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "wpnprv.dll" + $ = "IIIIIIII" fullword + $ = "wusa.exe" wide + $ = "winver.exe" wide + $ = "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" wide + $ = "taskmgr.exe" wide + + condition: + uint16( 0 ) == 0x5A4D and all of them +} +import "elf" +import "hash" + +rule SEKOIA_Merlin_Linux_Elf : FILE +{ + meta: + description = "Detects Merling agent (ELF)" + author = "Sekoia.io" + id = "d9c57f5e-26c3-43be-b2cf-10f5129d3be6" + date = "2022-01-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/merlin_linux_elf.yar#L4-L34" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f7edd517a575b54c9ee8acdc7a5ebac7c0c9eb286abc49e2962b02aad40e5973" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "github.com/Ne0nd0g/merlin" ascii + $s2 = 
"github.com/refraction-networking" ascii + $s3 = "SendMerlinMessage" ascii + + condition: + uint32( 0 ) == 0x464c457f and for any i in ( 0 .. elf.number_of_sections -1 ) : ( hash.md5 ( elf.sections [ i ] . offset , elf.sections [ i ] . size ) == "80199718ff1821a3fe914cd2279ab3a0" ) and for any i in ( 0 .. elf.number_of_sections -1 ) : ( hash.md5 ( elf.sections [ i ] . offset , elf.sections [ i ] . size ) == "7dea362b3fac8e00956a4952a3d4f474" ) and for any i in ( 0 .. elf.number_of_sections -1 ) : ( hash.md5 ( elf.sections [ i ] . offset , elf.sections [ i ] . size ) == "d41d8cd98f00b204e9800998ecf8427e" ) and for any i in ( 0 .. elf.number_of_sections -1 ) : ( hash.md5 ( elf.sections [ i ] . offset , elf.sections [ i ] . size ) == "91476dafa5ef669483350538fa6ec4cb" ) and all of them and filesize < 15MB +} +rule SEKOIA_Malware_Win_Lyceum_Maldoc_Macro_20220613 +{ + meta: + description = "Detect the macro contained in Lyceum maldoc to deploy its malware" + author = "Sekoia.io" + id = "3046bffd-261f-4d5b-9015-f2e5fc31c9c9" + date = "2022-06-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_win_lyceum_maldoc_macro_20220613.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a9f4957e8198b4cb2229913a405b3e0fc97cbd3598bb583dbfdaf56ca278d4cb" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "ActiveDocument.InlineShapes(i).PictureFormat.Brightness = 0.5" ascii + + condition: + all of them +} +rule SEKOIA_Tool_Rsockstun_Strings : FILE +{ + meta: + description = "Detects Rsockstun based on strings" + author = "Sekoia.io" + id = "94d8cb39-3421-441c-8404-62a591b86912" + date = "2023-12-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + 
source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_rsockstun_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8faf1004ec56728f1e451734ed651e8f77a49faf7f232df82e0b4950a9f1d198" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "main.connectviaproxy" + $ = "main.connectForSocks" + $ = "main.listenForClients" + $ = "main.listenForSocks" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 10MB and all of them +} +rule SEKOIA_Bot_Lin_Lucifer_Strings : FILE +{ + meta: + description = "Catch Lucifer DDoS - lin version - malware based on strings" + author = "Sekoia.io" + id = "c341b6d0-bc22-4a85-aebb-ed323487f524" + date = "2024-09-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/bot_lin_lucifer_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "23276c627d27f36c1ec15b1779835b921652a8fcff898041f1920902262faf41" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "DealwithDDoS" ascii + $s2 = "DecryptData" ascii + $s3 = "They say I'm rude. 
I'm not rude at all, but I still want to say, fuck your mother" ascii + $s4 = "stratum+tcp://" ascii + $s5 = "gethostip" ascii + $s6 = "GetmyName" ascii + + condition: + uint32( 0 ) == 0x464c457f and all of them +} +rule SEKOIA_Apt_Gamaredon_Lnks_Farl139_Hostname : FILE +{ + meta: + description = "Detects some hostname used in Gamaredon LNKs" + author = "Sekoia.io" + id = "f8bb2e6b-e544-46b0-b61b-048fe84e1100" + date = "2023-01-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_lnks_farl139_hostname.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8be31a4fed363f0e2791efb96a229f6cdec5bfaeaf3e9cd880f8d25c9ae0435e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "desktop-farl139" + + condition: + uint32be( 0 ) == 0x4c000000 and all of them and filesize < 10KB +} +rule SEKOIA_Tool_Iodine_Strings : FILE +{ + meta: + description = "Detects iodine based on strings" + author = "Sekoia.io" + id = "029766cc-80fb-423d-adc5-8867c438c5d3" + date = "2024-02-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_iodine_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "049b5af42d204061bd7e0c0294bb0abea492647dce8ec63fa3f296d1a19cb246" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Sending DNS queries for %s to %s" + $ = "No tun devices found, trying utun" + $ = "iodine IP over DNS tunneling client" + $ = "topdomain is the FQDN that is delegated to the tunnel 
endpoint." + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 1MB and 3 of them +} +rule SEKOIA_Apt_Luckymouse_Rshell_Strings_All_Platform : FILE +{ + meta: + description = "Detects LuckyMouse RShell Mach-O implant" + author = "Sekoia.io" + id = "e79a5ee1-96b3-4643-ab11-0b1095e96488" + date = "2022-08-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_luckymouse_rshell_strings_all_platform.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ef923b6633a2b7dfa645a31c7c2d0e00872ebad6ec7748568c2b306c29b6b29b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = { 6C 6F 67 69 6E 00 68 6F + 73 74 6E 61 6D 65 00 6C + 61 6E 00 75 73 65 72 6E + 61 6D 65 00 76 65 72 73 + 69 6F 6E } + + condition: + filesize < 1MB and all of them +} +rule SEKOIA_Exploit_Cve20191458_Strings : CVE_2019_1458 FILE +{ + meta: + description = "Detects compiled exploit for CVE-2019-1458 (Generic)" + author = "Sekoia.io" + id = "0be4a550-0f0a-4596-ab32-aafaececf919" + date = "2022-08-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_cve20191458_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8e22a79b3d7dc45d63062c71909faee61584c71b6ea7353ba0f40c00745a2075" + score = 75 + quality = 80 + tags = "CVE-2019-1458, FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[-] Failed to create SploitWnd window" + $ = "[+] ProcessCreated with pid %d!" + $ = "[!] 
Exploit fail, test:0x%p,tagWND:0x%p, error:0x%lx" + $ = "[*] tagWND: 0x%p, tagCLS:0x%p, gap:0x%llx" + $ = "[*] Simulating alt key press" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 200KB and 3 of them +} +rule SEKOIA_Generic_Sharpshooter_Payload_6 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "53506a3e-b0d8-4a1e-88d9-485e829f25cb" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_6.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "38919408d2d0a9f51822302f4f821bf5776f119bf0d1b54b71b1040c7ad59da5" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "function ${rc4Function}(r,o){for(" + $ = "function ${b64AndRC4Function}(r,o){var" + $ = "Real-Time Scanning: No threats detected" + $ = "Please wait while your file is being downloaded..." 
+ + condition: + 3 of them and filesize < 2MB +} +import "hash" +import "pe" + +rule SEKOIA_Wiper_Win_Nominatus_Toxicbattery : FILE +{ + meta: + description = "Detect the Nominatus_ToxicBattery malware" + author = "Sekoia.io" + id = "0262378f-f509-4ea4-a3eb-cd0183c4361d" + date = "2022-11-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/wiper_win_nominatus_toxicbattery.yar#L4-L42" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c226a4c3bcc451482eb782c1cb84f3e956be1e214368d1b315076078d3148955" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "DISK" + $ = "FileNaME" + $ = "FILNAME" + $ = "runCommand" + $ = "HAHAH" + $ = "Damage" + $ = "fastInfector" + $ = "d:\\again\\SharpDevelop Projects\\RInjector\\Virus.win32RozbehStrike\\obj\\Debug\\Nominatus_ToxicBattery.pdb" + $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide + $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" wide + $ = "\\Antivirus.bat" wide + $ = "\\Antivirus3.vbs" wide + $ = "vssadmin Delete Shadows /all /quiet" wide + + condition: + uint16( 0 ) == 0x5A4D and 10 of them or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "e7f35c173c34b7080d437a90ec90a982" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "2e25c5d3baba182f008a5a15c6f06403" ) or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . 
length ) == "70b1c002e4c0c9782c7ce1ef4a13c58ec1da54a26fd06dd7821a71f29431da82" ) +} +rule SEKOIA_Apt_Gamaredon_Ddrdoh_Vbs_Downloader_Vbs : FILE +{ + meta: + description = "Detects malicious VBScript executed by LNK/mshta" + author = "Sekoia.io" + id = "cc29d5d9-58bd-4f68-8673-daa41abfc7be" + date = "2023-01-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c91e1ce26c0735e8c68fe39f2fbeda8aed51cd4f9a0b967b5d184843728dcef4" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "b24gZXJyb3IgcmVzd" ascii + $ = "BinaryStream.readtext" ascii nocase + $ = "createobject(\"msxml2.domdocument.3.0\").createelement(" ascii nocase + $ = "Dim cSecond, cMinute, CHour, cDay, cMonth, cYear" ascii nocase + $ = "tDate & \"T\" & tTime" + $ = "AutoOpen" ascii nocase + + condition: + 5 of them and filesize < 50KB +} +rule SEKOIA_Infostealer_Win_Blustealer : FILE +{ + meta: + description = "Detect the BluStealer infostealer based on characteristic strings" + author = "Sekoia.io" + id = "a56b3c12-9d83-4a0b-81e8-43332e64d599" + date = "2022-10-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_blustealer.yar#L1-L29" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fc7c11a9ddd21228aa773da6054220211327727a87d48008b7edb202c48666d8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $cha01 = "@top\\LOGGERS\\DARKCLOUD" 
wide + $cha02 = "===============DARKCLOUD===============" wide + $cha03 = "#######################################DARKCLOUD#######################################" wide + $cha04 = "fireballsabadafirebricksfisherboat" ascii + $cha05 = "Moonchild Pro2ductions" wide + $str01 = "\\Microsoft\\Windows\\Templates\\credentials.txt" wide + $str02 = "\\NETGATE Technologies\\BlackHawK\\Profiles" wide + $str03 = "SysWOW64\\winsqlite3.dll" wide + $str04 = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*RD_" wide + $str05 = "Expiry Date;" wide + $str06 = "SELECT c0subject, c3author, c4recipients, c1body FROM messagesText_content" wide + $str07 = "http://www.mediacollege.com/internet/utilities/show-ip.shtml" wide + $str08 = "\\163MailContacts.txt" wide + $key_0 = {ba ?? ?? 40 00 8d 4?} + + condition: + uint16( 0 ) == 0x5A4D and 2 of ( $cha* ) and 4 of ( $str* ) and $key_0 +} +rule SEKOIA_Apt_Oilrig_Webshell : FILE +{ + meta: + description = "Detects a webshell used by OilRig" + author = "Sekoia.io" + id = "53955117-5176-4682-89ad-1503faba42aa" + date = "2024-10-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_webshell.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0e0879bafa1becf7e4aef008229a79ab8e0c50eda03232abd5cbb8fc59f482d3" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "string d = com;" + $ = "string p = fu;" + $ = "#@rt12!@$$$nnMF##" + $ = "messi(d)))" + + condition: + 2 of them and filesize < 80KB +} +rule SEKOIA_Apt_Unc4990_Explorer_Ps1 +{ + meta: + description = "Detects powershell script (explorer.ps1)" + author = "Sekoia.io" + id = "2e1abbbf-f9b7-4147-b7da-3544cbc4a5f1" + date = "2024-02-01" + modified = "2024-12-19" + reference = 
"https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_unc4990_explorer_ps1.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5085f738e23b801c7e36408d189755086d91c0bb266af6738c80510eb85e598f" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s0 = "$(get-location).Path" + $s1 = "+ \"\\Runtime Broker.exe" + $s2 = "Start-Process -FilePath" + $s3 = "-Wait;" + $s4 = "Start-Sleep -s" + + condition: + all of them and @s3- @s2 < 35 +} +rule SEKOIA_Rat_Win_Reverserat +{ + meta: + description = "Detect SideCopy's ReverseRAT v3 observed in January 2023" + author = "Sekoia.io" + id = "8fbd395f-f44e-46d5-a942-7c7e88f37127" + date = "2023-02-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_reverserat.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "b277a824b2671f40298ce03586a2ccc0fca2a081a66230c57a3060c2028f13ee" + hash = "8b87459483248d7b95424cd52b7d4f3031e89c6644adc2e167556e071d9ec3aa" + logic_hash = "13a5a916e084996ce4d7840581250f7630652acdcad0f66e21763cb3a9cbccc3" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "SELECT maxclockspeed, datawidth, name, manufacturer FROM Win32_Processor" wide + $ = "select * from Win32_PhysicalMemory" wide + $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide + + condition: + all of them +} +rule SEKOIA_Infostealer_Win_Bebra : FILE +{ + meta: + description = "Find samples of Bebra Stealer based on specific strings" + author = "Sekoia.io" + id = "e84d04a7-1232-47e5-b797-ac8e56066796" + 
date = "2023-02-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_bebra.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "7841746c54c53dbcafdf3f357c7a84b90fe3b089e07f30dea15ef6f7f15b0f00" + logic_hash = "588fa3091f0dc565123c60d59479202d036e092499eca6204d420395ddc332f9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "https://studio.youtube.com/youtubei/v1/att/esr?alt=json&key=" ascii + $str02 = "https://www.youtube.com/getAccountSwitcher" ascii + $str03 = "\"challenge\":\"" ascii + $str04 = "\"botguardResponse\":\"" ascii + $str05 = "\"continueUrl\":\"https://studio.youtube.com/reauth\"," ascii + $str06 = "\"flow\":\"REAUTH_FLOW_YT_STUDIO_COLD_LOAD\"," ascii + $str07 = "\"xguardClientStatus\":0" ascii + $str08 = "SAPISIDHASH" ascii + $str09 = "system32\\cmd.exe /C choice /C Y /N /D Y /T 0 &Del" ascii + $str10 = "/new.php" ascii + $str11 = "github.com/mattn/go-sqlite3" ascii + + condition: + uint16( 0 ) == 0x5A4D and 9 of them +} +rule SEKOIA_Tool_Koblas_Server_Strings : FILE +{ + meta: + description = "Detects Koblas server" + author = "Sekoia.io" + id = "ebd891da-69dd-474c-9e08-63d0b4cc654e" + date = "2024-05-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_koblas_server_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "590f3f71564c347be7b3b2a583606c3854744d0023cde464374cd7b61ec5a2d7" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "sent 
{sent} bytes and received {received} bytes" wide ascii + $ = "connection denied" ascii + $ = "loaded {} users" ascii + $ = "listening on {}:{} for incoming connections" ascii + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and 3 of them +} +rule SEKOIA_Apt_Apt35_Iisraid_Strings : FILE +{ + meta: + description = "Detects APT35s ISSRaid implant" + author = "Sekoia.io" + id = "ee42f406-0c7e-4385-9098-409611dbe0a5" + date = "2023-05-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt35_iisraid_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "de2ebef5ab46136aa54b146dbd4198f69801f3414d1d239fc7983c5b3c0115c4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "CHttpModule::" + $ = "X-Forward-Verify" + $ = "X-Beserver-Verify" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 500KB and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Wiper_Win_Caddywiper : FILE +{ + meta: + description = "Detect CaddyWiper" + author = "Sekoia.io" + id = "869d44ff-79fc-403d-a45d-d33712da5bd0" + date = "2022-03-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/wiper_win_caddywiper.yar#L4-L37" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "01a9910b42f402398bbe84546074256f56b10fe0f8524a9a9723aebe43b26a14" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1_upx = "b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7" + hash1 = 
"ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72" + hash2 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea" + + strings: + $ = "NETAPI32.dll" ascii + $ = "DsRoleGetPrimaryDomainInformation" ascii + + condition: + uint16( 0 ) == 0x5A4D and filesize > 5KB and filesize < 20KB and pe.number_of_sections == 3 and pe.number_of_resources == 0 and all of them or pe.imphash ( ) == "ea8609d4dad999f73ec4b6f8e7b28e55" or pe.imphash ( ) == "bae2d138abe43164fb5e95f313de3d14" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "f0d4c11521fc3891965534e6c52e128b" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "6be6e878d1e8fed277c5feaf60b57a19" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "11f22fc72c3ca7dd6b874bda37c1fe82" ) +} +rule SEKOIA_Apt_Muddywater_Rotrot_Strings : FILE +{ + meta: + description = "Detects RotRot backdoor based on strings" + author = "Sekoia.io" + id = "f7bc195a-0e60-4495-b78a-78f101543700" + date = "2024-06-10" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_rotrot_strings.yar#L1-L36" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "425168003d0f14d791e7f46bf47c18652a1f6b66b9329155d2bca72cf0d8126b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "qsphsbnebub" + $s2 = "rtqitcofcvc" + $s3 = "surjudpgdwd" + $s4 = "tvskveqhexe" + $s5 = "uwtlwfrifyf" + $s6 = "vxumxgsjgzg" + $t1 = "MpbeMjcsbs" + $t2 = "NqcfNkdtct" + $t3 = "OrdgOleudu" + $t4 = "PsehPmfvev" + $t5 = "QtfiQngwfw" + $t6 = "RugjRohxgx" + $u1 = "UfsnjobufKpcPckfdu" + $u2 = "VgtokpcvgLqdQdlgev" 
+ $u3 = "WhuplqdwhMreRemhfw" + $u4 = "XivqmrexiNsfSfnigx" + $u5 = "YjwrnsfyjOtgTgojhy" + $u6 = "ZkxsotgzkPuhUhpkiz" + + condition: + uint16be( 0 ) == 0x4d5a and filesize > 100KB and filesize < 300KB and any of ( $s* ) and any of ( $t* ) and any of ( $u* ) +} +rule SEKOIA_Apt_Implant_Xdealer_Linux_Variant_Strings : FILE +{ + meta: + description = "Detects XDealer linux variant" + author = "Sekoia.io" + id = "42690513-753f-4296-b641-4d3b59a5e5e1" + date = "2024-03-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_implant_xdealer_linux_variant_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "400beb53d0f7b7727962175c7c4f8dfccdfed56bb3978d3e847147e8ad7644fb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "ls -l /proc/%s/exe" + $ = "Linux_%s_%s_%u" + $ = "chkconfig --add" + $ = "cmd over return [%s]" + $ = "touch -d" + $ = "%s can't be opened/n" + $ = "/proc/%s/status" + + condition: + uint32be( 0 ) == 0x7f454c46 and 3 of them and filesize < 1MB +} +rule SEKOIA_Emmenhtal_Strings_Hta_Exe : FILE +{ + meta: + description = "Emmenhtal Loader string" + author = "Sekoia.io" + id = "64e08610-e8a4-4edd-8f6b-d4e8d2b47d87" + date = "2024-09-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/emmenhtal_strings_hta_exe.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912" + logic_hash = "93f85a4ccb58c6aeb664c4c843ff80a4ab7b4308a944537f7ebe087515a61659" + score = 75 + quality = 80 + 
tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $char = / = String\.fromCharCode\([a-zA-Z]{2,4},[a-zA-Z]{2,4},/ + $var = "var " + $eval = "eval(" + $script1 = "MZ" + + condition: + uint16be( 0 ) == 0x4d5a and all of them and $var in ( @script1 .. @script1 + 2000 ) and $char in ( @var .. @var + 100 ) +} +rule SEKOIA_Rat_Win_Asyncrat : FILE +{ + meta: + description = "Detect AsyncRAT based on specific strings" + author = "Sekoia.io" + id = "d698e4a1-77ff-4cd7-acb3-27fb16168ceb" + date = "2023-01-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_asyncrat.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5e35b034ba1761fae780429be377b70ae8ce62273670042ff067c38ed8bb5a9e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "get_ActivatePong" ascii + $str02 = "get_SslClient" ascii + $str03 = "get_TcpClient" ascii + $str04 = "get_SendSync" ascii + $str05 = "get_IsConnected" ascii + $str06 = "set_UseShellExecute" ascii + $str07 = "Pastebin" wide + $str08 = "Select * from AntivirusProduct" wide + $str09 = "Stub.exe" wide + $str10 = "timeout 3 > NUL" wide + $str11 = "/c schtasks /create /f /sc onlogon /rl highest /tn " wide + $str12 = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide + + condition: + uint16( 0 ) == 0x5A4D and 9 of them +} +rule SEKOIA_Apt_Evasive_Panda_Rphost_Dll : FILE +{ + meta: + description = "Detects DLL used by Evasive Panda" + author = "Sekoia.io" + id = "8d70639d-b736-4823-86ad-37f0e383b5f7" + date = "2024-03-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_evasive_panda_rphost_dll.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "fa44028115912c95b5efb43218f3c7237d5c349f" + logic_hash = "2132f1c69db8fd5793c858ada2443fdfa1f941e68d24cc337766df99f8b3a895" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "htks.ini" ascii fullword + $s2 = "MyDemo" wide fullword + + condition: + uint16be( 0 ) == 0x4d5a and all of them and filesize < 1MB +} +import "pe" + +rule SEKOIA_Infostealer_Win_Irontiger_Chrome_Stealer : FILE +{ + meta: + description = "Detect the chrome_stealer malware" + author = "Sekoia.io" + id = "8c5c3ed0-e1ea-4079-b330-ace8724bff2a" + date = "2023-03-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_irontiger_chrome_stealer.yar#L3-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "dfddebf9623661508e993541106d4dcbb2270b311b2902567bd309810aff58dd" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "passwords.txt" + $ = "CryptUnprotectData: 0x%08x" + $ = "cookies.txt" + $ = "decrypt to %s" + $ = ".\\chromedb_tmp" wide ascii + $ = "SELECT ORIGIN_URL,USERNAME_VALUE,PASSWORD_VALUE FROM LOGINS;" + $ = "decrypt successful!" 
+ $ = "url: %s" + $ = "user: %s" + $ = "pass: %s" + $ = "aes key:" + $ = "\\Google\\Chrome\\User Data\\Default\\Login Data" wide + $ = "password file %s" wide + $ = "cookies file %s" wide + $ = "keyfile: %s" wide + + condition: + ( uint16( 0 ) == 0x5A4D and all of them ) or pe.imphash ( ) == "e862f5a6671f9dbd6f53d3d557e568f0" +} +import "pe" + +rule SEKOIA_Implant_Win_Knotweed_Jumplump : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "8f8cec7a-624b-4306-87f4-bde8ccc3a2d0" + date = "2022-07-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_knotweed_jumplump.yar#L3-L75" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a2637a8a082b6a23756da188808405046ae986a5973f64859462c92e9306e6c8" + score = 75 + quality = 55 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "DllCanUnloadNow" + $s2 = "DllGetClassObject" + $s3 = "_initterm" + $s4 = "__C_specific_handler" + $s5 = "HeapFree" + $s6 = "EnterCriticalSection" + $s7 = "EventUnregister" + $s8 = "LeaveCriticalSection" + $s9 = "WaitForSingleObject" + $s10 = "GetCurrentThreadId" + $s11 = "GetLastError" + $s12 = "CloseHandle" + $s13 = "HeapAlloc" + $s14 = "EventRegister" + $s15 = "GetProcAddress" + $s16 = "DeleteCriticalSection" + $s17 = "GetCurrentProcessId" + $s18 = "GetProcessHeap" + $s19 = "DisableThreadLibraryCalls" + $s20 = "Sleep" + $s21 = "RtlCaptureContext" + $s22 = "RtlLookupFunctionEntry" + $s23 = "RtlVirtualUnwind" + $s24 = "UnhandledExceptionFilter" + $s25 = "SetUnhandledExceptionFilter" + $s26 = "GetCurrentProcess" + $s27 = "TerminateProcess" + $s28 = "QueryPerformanceCounter" + $s29 = "GetSystemTimeAsFileTime" + $s30 = "GetTickCount" + $s31 = "CoCreateInstance" + $s32 = 
"RegCloseKey" + $s33 = "GetModuleFileNameW" + $s34 = "RegCreateKeyExW" + $s35 = "RegSetValueExW" + $s36 = "LocalFree" + $s37 = "RegOpenKeyExW" + $s38 = "OLEAUT32.dll" + $s39 = "memcpy" + $s40 = "memcmp" + $s41 = "memset" + $s42 = "LoadLibraryW" + $s43 = "OpenProcessToken" + $s44 = "DllRegisterServer" + $s45 = "DllUnregisterServer" + $s46 = "040904B0" wide + $api_hash1 = {5D 44 11 FF} + $api_hash2 = {4C 77 D6 07} + $api_hash3 = {38 68 0D 16} + $api_hash4 = {40 DE CE 72} + $api_hash5 = {08 87 1D 60} + $api_hash6 = {26 C6 0B 1B} + $api_hash7 = {0C DC 67 55} + $api_hash8 = {AA C5 E2 5D} + $api_hash9 = {C6 96 87 52} + $api_hash10 = {F8 8E C2 92} + + condition: + uint16( 0 ) == 0x5A4D and pe.number_of_sections == 7 and all of ( $s* ) and 1 of ( $api_hash* ) +} +rule SEKOIA_Infostealer_Win_Agrat : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "472effe8-5044-4ca1-88e0-3e19d445b9d1" + date = "2022-06-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_agrat.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5b02880dbc75d9e4d95ec55c8e8630a47198ee4cc25e3ff79c93e9fe634fadca" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str00 = "Vault.txt" wide + $str01 = "Credman.txt" wide + $str02 = "[Networks] {0}" wide + $str03 = "[Screenshot] {0}" wide + $str04 = "[Twitch] {0}" wide + $str05 = "Servers.txt" wide + $str06 = "[WindscribeVPN] {0}" wide + $str07 = "[{0}] Thread finished!" wide + $str08 = "[ERROR] Unable to enumerate vaults. 
Error (0x" wide + $str09 = "snowflake-ssh" wide + $str10 = "//setting[@name='Password']/value" wide + $str11 = "MakeScreenshot" ascii + $sys = "System.Collections.Generic.IEnumerator 10 +} +rule SEKOIA_Apt_Dark_Pink_Pdb_Path : FILE +{ + meta: + description = "Detects PDB path of some Dark Pink sample" + author = "Sekoia.io" + id = "695586dc-66de-4f9d-814a-2d81261a7357" + date = "2023-01-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_dark_pink_pdb_path.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f67e0d50975697424313acc77a9c86e1c2b41fde1663e4f5d8f4765acb997775" + score = 75 + quality = 76 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "C:\\Users\\hoang\\source\\repos\\Cucky\\Cucky\\obj\\Release\\net46\\Cucky.pdb" wide ascii + $s2 = "C:\\Users\\build\\source\\repos\\CtealWebCredential\\Release\\CtealWebCredential.pdb" wide ascii + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 5MB and any of them +} +import "hash" +import "pe" + +rule SEKOIA_Backoor_Win_Gobear +{ + meta: + description = "Detect the GoBear backdoor used by Kimsuky" + author = "Sekoia.io" + id = "f922bf1b-652e-4a2f-91e9-76ecd2e3bf6a" + date = "2024-02-13" + modified = "2024-12-19" + reference = "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backoor_win_gobear.yar#L4-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8ca2699058ded62cbf4b78040985a4e5ebce0a1ff94034206c81a4c8e91f479b" + score = 75 
+ quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "668031f53390dc749971888029911c12d4171534f77c17a962e698bf121d0e20" ) +} +rule SEKOIA_Rat_Win_Asbit : FILE +{ + meta: + description = "Finds Asbit samples based on characteristic strings" + author = "Sekoia.io" + id = "b2d60eff-3dc8-4857-a0ea-d4fcd34c40bc" + date = "2022-09-19" + modified = "2024-12-19" + reference = "https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_asbit.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1362ebe89a4d2645eb687d92510daa355a16f05da7f5513817f8439f29722827" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "/build?project=libexpat&_={0}" wide + $str02 = "/resolve?name={0}&short=true&_={1}" wide + $str03 = "/c ping 127.0.0.1 & del {0} /q & del /a:H {0} /q" wide + + condition: + uint16( 0 ) == 0x5A4D and 1 of them +} +rule SEKOIA_Tool_Win_Lightrail : FILE +{ + meta: + description = "Detect the LIGHTRAIL tunneler used by UNC1549" + author = "Sekoia.io" + id = "39259f2c-11fe-4edd-8a9e-f36920132272" + date = "2024-02-29" + modified = "2024-12-19" + reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_win_lightrail.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "84491bf7e955930c04e96f63ffb8c8f35ad02d9a917eceb727bf87c9ed3d831e" + score = 75 + quality = 
80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "e7ddab967b0487827db069833221aa2fe4ca05f7cda976cbc528ecb306a22774" + hash2 = "4ecd511d9654f7fd66a61eb4ab6d7153040b5092d1594ff39935f01fbdbd4914" + hash3 = "3472bc8ed6182eb17811c97ada7ebd48034ad09b6a7062b341fe09818d7a309f" + hash4 = "ec7b97092278123f0c0613c5f9252eeccf55265d4aa5f2cfed57a63ebf3530ac" + hash5 = "8f3757b8f5888a1303af71cbc1a106927d3d6c45552ee192c3ed0347804c2194" + hash6 = "8b47b5ed1ed7afcc9194e1350d4e1996bd91ca3204747b586f309f4609a1a4cc" + + strings: + $s1 = "lastenzug.dll" + $s2 = "Lastenzug.dll" + $azure = ".cloudapp.azure.com" wide + + condition: + uint16be( 0 ) == 0x4d5a and 1 of ( $s* ) and $azure +} +rule SEKOIA_Hacktool_Win_Cookiekatz : FILE +{ + meta: + description = "Finds ChromeKatz (CookieKatz version) standalone samples based on the strings" + author = "Sekoia.io" + id = "a32769bb-4ec4-46c7-9402-21afdf8d4293" + date = "2024-10-30" + modified = "2024-12-19" + reference = "https://github.com/Meckazin/ChromeKatz" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_win_cookiekatz.yar#L1-L36" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "fef9fc33a788489af44b2f732c450d4ef018fbaced7f5471230b282dfd6f1169" + logic_hash = "a030f551d0f3dedf0f19e22b415aa87dd1c43ab2242db8b5cad14ae6b7695b3a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "CookieKatz.exe" ascii + $str02 = "--utility-sub-type=network.mojom.NetworkService" wide + $str03 = "chrome.dll" wide + $str04 = "msedge.dll" wide + $str05 = "msedgewebview2.exe" wide + $str06 = "Failed to read cookie struct" wide + $str07 = "Failed to read the root node from given address" wide + $str08 = "Error reading left node" wide + $str09 = "By Meckazin" ascii + $str10 = "By default targets first available Chrome process" ascii 
+ $str11 = "Kittens love cookies too!" ascii + $str12 = "Attempting to read the cookie value from address: 0x%p" ascii + $str13 = "szCookieMonster" ascii + $str14 = "[*] Targeting Chrome" ascii + $str15 = "[*] Targeting Edge" ascii + $str16 = "[*] This Cookie map was empty" ascii + $str17 = "[+] Found browser process: %d" ascii wide + $str18 = "[*] Targeting process PID: %d" wide + $str19 = "[*] Found CookieMonster on 0x%p" wide + $str20 = "[*] CookieMap should be found in address 0x%p" wide + + condition: + uint16( 0 ) == 0x5A4D and 8 of them +} +rule SEKOIA_Pe_Stealer_Scarletstealer_Strings : FILE +{ + meta: + description = "ScarletStealer strings" + author = "Sekoia.io" + id = "ca930851-513f-44e5-abb4-ca0edfde3428" + date = "2023-12-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/pe_stealer_scarletstealer_strings.yar#L1-L33" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "308055cbe960614112682585b5709a62c2639752df07661d6b2bb13e390b3b08" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "Scarlet Client" wide + $s2 = "] PC NAME: (" wide + $s3 = "] IP: (" wide + $s4 = " - Wallets -" wide + $s5 = "] Exodus: (" wide + $s6 = "] Electrum: (" wide + $s7 = "] Atomic: (" wide + $s8 = "] Guarda: (" wide + $s9 = "] Coinomi: (" wide + $s10 = "] Monero: (" wide + $s11 = "] Ledger: (" wide + $s12 = "] Bitbox: (" wide + $s13 = "] Trezor: (" wide + $s14 = ") Support: PointX@exploit.im - @isPointX" wide + $a2 = "/config/tk.txt" wide + $a3 = "/config/chatid.txt" wide + $a1 = "telebyt.com" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize > 50KB and filesize < 2MB and 13 of ( $s* ) and 2 of ( $a* ) +} +rule SEKOIA_Apt_Gamaredon_Gammaload_Malicioushta : FILE +{ + meta: + description = 
"Detects Gamaredon's GammaLoad HTA" + author = "Sekoia.io" + id = "e5e502db-7f37-40f2-9ba3-81e158e767db" + date = "2022-08-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_gammaload_malicioushta.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e41ce63e7c6df2edb548ddc57d51af914dab9200e37eb12463169d587205aa7a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "platform = window.navigator?.userAgentData?.platform" ascii fullword + $s2 = "'Win32', 'Win64', 'Windows', 'WinCE'" ascii + $s3 = "dcreate.download =" + $s4 = "dcreate.href = 'data:application/x-rar-compressed;base64" + $s5 = "= \"UmFyI" + + condition: + uint32be( 0 ) == 0x3c68746d and filesize < 400KB and filesize > 50KB and 4 of them +} +rule SEKOIA_Apt_Yemen_Apk_Guardzoo : FILE +{ + meta: + description = "Detects Dex files containing GuardZoo strings." 
+ author = "Sekoia.io" + id = "f4004e7c-2904-46ea-a3e6-2bdd3e704fea" + date = "2024-08-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_yemen_apk_guardzoo.yar#L1-L40" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "3afad114c68489e2d294720339baf570" + hash = "c59d0f5c8d00485199f147b96c5abca0" + hash = "75c58948725133160085dc1cfdf602ec" + hash = "d76a39ee85263900f7e6eaacb804f5e2" + hash = "51356c95dfe1221c0f4ca2475bc787f8" + hash = "1d0dd8201c051d9c8d2c945c8b31a48c" + hash = "b7b6be5e8eec44dd13e1df1f3908fcf0" + hash = "229984f004578a8fa643afb881d81e8c" + hash = "f3f1ccb3912c49a0a6ea710a0bd856de" + hash = "a3f8365bfa5f8185e8c7eba8efc63165" + hash = "7392deaf81ddf50b8a6f2179538f7e81" + hash = "c40d56e1586f9fa382c688d624d25525" + hash = "629fb04b91c4db4ea282440e20317dab" + hash = "bcebc41628196f8bd119f72e1e8eb47c" + hash = "f1cfdc9e91c3a20563246cf366b94f10" + hash = "a75ffb11adbace40a7c59128adba43ad" + logic_hash = "7d98aefa4c2ee7316e0ff47a67d9f19913852d1a451ef38ccb77709394e4ba73" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $classes_1 = "GuardZoo.java" + $classes_2 = "com/animals" + $path_1 = "&Password=" + $path_2 = "&Coordinates=" + $path_3 = "&Data=" + $path_4 = "&Device=" + $path_5 = "&ISPICTURE=" + $path_6 = "&Phone_Number=" + $path_7 = "&Provider=" + + condition: + uint32be( 0 ) == 0x6465780a and filesize < 10MB and ( ( any of ( $classes_* ) ) and ( 3 of ( $path_* ) ) ) +} +rule SEKOIA_Truesightkiller_Avkiller_Strings : FILE +{ + meta: + description = "TrueSightKiller based on string" + author = "Sekoia.io" + id = "8f249ac4-5181-4169-9eb2-7d73ec4fd68d" + date = "2024-10-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/truesightkiller_avkiller_strings.yar#L1-L45" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "891202963430a4b1dea2dc5b9af01dc5" + hash = "367af202029bf51fc347a8f414fa2a5c" + hash = "64439836d69084b129c2dc4264176149" + hash = "6e69b890b1c228fa4225776b185b5af7" + hash = "daaf7bdf1e7fd882c0bfb89450ec0ab2" + hash = "dcf36765ed9386c169eb2695d26f6a6f" + logic_hash = "829d144023569f332a27b7f2344d2da7be59ae5044a13c299c5da50d896288ed" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[+] Process PID: " wide + $ = "[-] OpenSCManager failed" wide + $ = "[+] Creating service: truesight" wide + $ = "[+] Full path: " wide + $ = "[-] Error getting current directory." wide + $ = "[-] CreateService failed" wide + $ = "[!] Service is already running" wide + $ = "[-] QueryServiceStatus failed" wide + $ = "[-] StartService failed" wide + $ = "[+] Driver loaded successfully!" wide + $ = "[-] OpenService failed" wide + $ = "[-] ControlService failed" wide + $ = "[-] DeleteService failed" wide + $ = "Welcome to EDR/AV Killer using truesight driver!" wide + $ = "This is a PoC, use it at your own risk!" wide + $ = "[-] Failed to set CTRL+C handler. Exiting..." wide + $ = "ntdll.dll" wide + $ = "\\\\.\\TrueSight" wide + $ = "[-] CreateFileA failed" wide + $ = " not running" wide + $ = "[-] Process name: " wide + $ = "[+] Terminating PID: " wide + $ = "[-] DevicesIoControl failed" wide + $ = "[!] Stoping and Deleting trueSight Service!" 
wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and filesize > 20KB and 20 of them +} +rule SEKOIA_Generic_Sharpshooter_Payload_9 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "e4283d6e-d829-4f21-ba60-9e6232519e54" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_9.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "deb0773e6300ed0f4c099359731812216390017eaf8de678b2a5ed237906f03f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "shell.Environment(\"Process\").Item(\"COMPLUS_Version\")" + $ = "(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)" + $ = "DebugPrint Err.Description" + + condition: + all of them and filesize < 2MB +} +rule SEKOIA_Apt_Unk_Hrserv_Webshell_Strings : FILE +{ + meta: + description = "Detects HrServ web shell based on strings" + author = "Sekoia.io" + id = "684fd41c-9ea6-4f4e-8db4-82325a2ff80b" + date = "2023-11-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_unk_hrserv_webshell_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b5650e08227bbdb82c635bd67abae57e3107be9126639619809bfbe2a7ffee89" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "open file error!" + $ = "create file error!" + $ = "[!] CreatePipe failed." + $ = "[!] CreateProcess failed." + $ = "[!] CreateProcess success,no result return." 
+ $ = "; cadataIV=" + $ = "cadataKey=" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 300KB and 5 of them +} +rule SEKOIA_Apt_Apt28_Document_Phishing_Webpage : FILE +{ + meta: + description = "Detects APT28 document phishing webpage" + author = "Sekoia.io" + id = "585a8e23-c302-41d3-938f-eda60c82ef28" + date = "2024-04-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt28_document_phishing_webpage.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b64888c1d8568cf9d8f4dfcd2e18093db8635966d88abaa368dc46a1e4453782" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "webhook.site" + $ = "document.createElement('img')" + $ = "brightness(15%) blur(7.0px)" + $ = "This document is not available from mobile devices." + $ = "Capture2.PNG" + $ = ">CLICK TO VIEW DOCUMENT<" + $ = "window.location.href = 's" + $ = ".oast." 
+ + condition: + 4 of them and filesize < 20KB +} +rule SEKOIA_Apt_Cloudatlas_Powertunnel : FILE +{ + meta: + description = "Detects PowerTunnel DLL of CloudAtlas" + author = "Sekoia.io" + id = "04981493-de8b-4662-ae81-8866c182f8b2" + date = "2022-11-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_powertunnel.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "aadb2739957d17c7e82e3abf7a178ab7b6e4a598fbbdb1a06d0c0531656d4ef6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "BeginGetHostEntry" + $ = "get_AddressList" + $ = "time_stop_delay_seconds" + $ = "{0}" + $ = "_CorDllMain" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and all of them +} +rule SEKOIA_Tool_Paexec_Strings : FILE +{ + meta: + description = "Detects PAExec based on strings" + author = "Sekoia.io" + id = "c48b897c-0d88-4fa9-b64b-0e14a38a62d7" + date = "2022-09-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_paexec_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9c3bae822fd317bdc89c07542b05f6255d6af214071194570500eb2a12924ff6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "\\\\%s\\%s\\PAExec_Move%u.dat" wide + $ = "PAExec_Move%u.dat" wide + $ = "Usage: PAExec [\\\\computer[,computer2[,...]]" wide + $ = "PAExec returning exit code %d" wide + + condition: + uint16be( 0 ) == 0x4d5a and 3 of them and filesize < 500KB +} +rule SEKOIA_Tool_Soaphound_Strings : FILE 
+{
+ meta:
+ description = "Detects SOAPHound based on strings"
+ author = "Sekoia.io"
+ id = "adf48506-f07d-445a-83cc-0aed3b6b55eb"
+ date = "2024-11-12"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_soaphound_strings.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "b2a953590d75213388473fb51e6b5f2f"
+ logic_hash = "14ff92230d0999a39a6e1042f5c42b5ae275d90ece3d74727e5da44c569a93eb"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "Output files generated in" wide
+ $ = "(&(cn=*)(!(cn=a*))(!(cn=b*))" wide
+ $ = "unicodePassword" wide
+ $ = "net.tcp://localhost:9389/ActiveDirectoryWebServices/" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 2MB and all of them
+}
+rule SEKOIA_Ransomware_Mallox : FILE
+{
+ meta:
+ description = "Rule to detect mallox ransomware samples."
+ author = "Sekoia.io"
+ id = "7e2edc94-26e4-4024-8bc0-8e90d76f5a96"
+ date = "2023-02-20"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_mallox.yar#L1-L38"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "c9300de42ee9eb3e820f49aa979234ff61c33dc6bf5d65bcb26e45b7126aafec"
+ score = 75
+ quality = 54
+ tags = "FILE"
+ version = "1.0"
+ modification_date = "2023-05-24"
+ classification = "TLP:CLEAR"
+ hash1 = "2a549489e2455a2d84295604e29c727dd20d65f5a874209840ce187c35d9a439"
+ hash2 = "3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673"
+ hash3 = "4075d6e02c022ee45e0cd1c826abf749200639ee8ebc42375dac2430abafb5d6"
+ hash4 = "4db69a0643f6ec795e5450a0563605e91293f233aa60715ae09ed8effa3b7267"
+ hash5 = "77fdce66e7f909300e4493cbe7055254f7992ba65f9b7445a6755d0dbd9f80a5"
+ hash6 = "8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22"
+ hash7 = "a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525"
+ hash8 = "df64e87ecb30f4cadf54f2c1b3d3cba8cc2d315db0fd4af2d11add57baa56f6a"
+ hash9 = "e7e00e0f817fcb305f82aec2e60045fcdb1b334b2621c09133b6b81284002009"
+
+ strings:
+ $s1 = "C:\\HOW TO RECOVER !!.TXT" wide ascii nocase
+ $s2 = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\Raccine" wide ascii nocase
+ $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vssadmin.exe" wide ascii nocase
+ $s4 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wmic.exe" wide ascii nocase
+ $s5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wbadmin.exe" wide ascii nocase
+ $s6 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\bcdedit.exe" wide ascii nocase
+ $s7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\powershell.exe" wide ascii nocase
+ $s8 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\diskshadow.exe" wide ascii nocase
+ $s9 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\net.exe" wide ascii nocase
+ $s10 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskkill.exe" wide ascii nocase
+ $s11 = "bcdedit /set {current} recoveryenabled no" wide ascii nocase
+ $mallox_fargo = ".FARGO" wide ascii nocase
+ $mallox_mallox = ".mallox" wide ascii nocase
+ $mallox_exploit = "newexploit@tutanota.com"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and all of ( $s* ) and 1 of ( $mallox_* )
+}
+rule SEKOIA_Apt_Uac0154_Powershell_Infection_Chain_2 : FILE
+{
+ meta:
+ description = "UAC-0154 Infection chain"
+ author = "Sekoia.io"
+ id = "6fe37d52-9bd3-4aa8-83ba-15399bd1b66c"
+ date = "2023-10-02"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_uac0154_powershell_infection_chain_2.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "029d88971030a377b3c93ba4c986668e53b01ee03ba94a0a4ceb54b20b72ff2d"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "files.catbox.moe"
+ $ = "$pse = $pse.Replace"
+ $ = "start -WindowStyle Hidden -FilePath $p"
+ $ = "-bxor $xorMask"
+ $ = "SysctlHost"
+
+ condition:
+ 4 of them and filesize < 100KB
+}
+rule SEKOIA_Apt_Andariel_Nestdoor_Variants_Strings : FILE
+{
+ meta:
+ description = "Detects Nestdoor based on (weak) strings"
+ author = "Sekoia.io"
+ id = "dcfc48ad-f17b-4224-912b-b01740080fea"
+ date = "2024-06-17"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_andariel_nestdoor_variants_strings.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "bc01138d1fc079c2b778175742e121f10cb47f29cc4eb04d38b4f0f5740f05a4"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $v_11 = "Error occurs while reading" wide
+ $v_12 = "{DECIMAL}" wide
+ $v_13 = "lnk_" wide
+ $v_21 = "Cannot connect with your ip and your operating system." wide
+ $v_22 = "del /q /f %1" ascii
+ $v_23 = "/f /tn %2" ascii
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and ( all of ( $v_1* ) or all of ( $v_2* ) )
+}
+rule SEKOIA_Miner_Lin_Xmrig_Strings : FILE
+{
+ meta:
+ description = "Detects XMRig ELF"
+ author = "Sekoia.io"
+ id = "2f99020b-424c-4433-860c-5e9ab4e1f1de"
+ date = "2022-09-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/miner_lin_xmrig_strings.yar#L1-L36"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "4946e5099d7d342c8cf6644146ffec8506e786a1d4de0b05ef039bcf2b0fdad2"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ modification_date = "2024-01-04"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "XMRig "
+ $ = "pool_wallet"
+ $ = "IP Address currently banned"
+ $ = "rigid"
+ $ = "diff_current"
+ $ = "shares_good"
+ $ = "shares_total"
+ $ = "avg_time"
+ $ = "avg_time_ms"
+ $ = "hashes_total"
+ $ = "pool address"
+ $ = "ping time"
+ $ = "connection time"
+ $ = "daemon+wss://"
+ $ = "daemon+https://"
+ $ = "daemon+http://"
+ $ = "socks5://"
+ $ = "stratum+ssl://"
+ $ = "stratum+tcp://"
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 10MB and 7 of them
+}
+rule SEKOIA_Rat_Win_Xworm_V2 : FILE
+{
+ meta:
+ description = "Finds XWorm v2 samples based on characteristic strings"
+ author = "Sekoia.io"
+ id = "6cf06f52-0337-415d-8f29-f63d67e228f8"
+ date = "2022-11-07"
+ modified = "2024-12-19"
+ reference = "https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_xworm_v2.yar#L1-L38"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "58a2dbfbd453855021942902a6d55d150eee3acba67a294da24448cfca4f811e"
+ score = 75
+ quality = 78
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "XWorm.exe" wide ascii
+ $str02 = "ngrok" wide ascii
+ $str03 = "Mutexx" ascii
+ $str04 = "FileManagerSplitFileManagerSplit" wide
+ $str05 = "InstallngC" wide
+ $str06 = "downloadedfile" wide
+ $str07 = "creatfile" wide
+ $str08 = "creatnewfolder" wide
+ $str09 = "showfolderfile" wide
+ $str10 = "hidefolderfile" wide
+ $str11 = "txtttt" wide
+ $str12 = "\\root\\SecurityCenter2" wide
+ $str13 = "[USB]" wide
+ $str14 = "[Drive]" wide
+ $str15 = "[Folder]" wide
+ $str16 = "HVNC" wide
+ $str17 = "http://exmple.com/Uploader.php" wide
+ $str18 = "XKlog.txt" wide
+ $str19 = "Select * from AntivirusProduct" wide
+ $str20 = "runnnnnn" wide
+ $str21 = "RunBotKiller" wide
+ $str22 = "bypss" wide
+ $str23 = "" wide
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 12 of them
+}
+rule SEKOIA_Apt_Toneshell_Shellcode : FILE
+{
+ meta:
+ description = "Detects first bytes of ToneShell used to call the shellcode or the code to check the MagicNumber (0x17 0x03 0x03)"
+ author = "Sekoia.io"
+ id = "5ac8d2e9-dbeb-42f9-8343-1281510d4411"
+ date = "2024-10-02"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_toneshell_shellcode.yar#L1-L34"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "0e164677681dce2aa75d3621d9f3df1449c3e67a3551817693856d80ccc48eca"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $code = {55 8b ec 83 ec 0c e8 85 00 00 00 6a 00 6a 00 6a 02 6a 00 6a 00 68 00 00 00 10}
+ $MagicNumberParser = {
+ B8 01 00 00 00
+ 6B C8 00
+ 8B 55 ??
+ 0F BE 04 0A
+ 83 F8 17
+ 75 ??
+ B9 01 00 00 00
+ C1 E1 00
+ 8B 55 ??
+ 0F BE 04 0A
+ 83 F8 03
+ 75 ??
+ B9 01 00 00 00
+ D1 E1
+ 8B 55 ??
+ 0F BE 04 0A
+ 83 F8 03
+ }
+
+ condition:
+ any of them and filesize < 1MB
+}
+rule SEKOIA_Apt_Globalshadow : FILE
+{
+ meta:
+ description = "Detects the GLOBALSHADOW malware"
+ author = "Sekoia.io"
+ id = "2fef6192-25a6-4d6a-8e19-53ad51617d90"
+ date = "2024-09-04"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_globalshadow.yar#L1-L28"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "68c16b6f178c88c12c9555169887c321"
+ logic_hash = "034a994be5d5b00fc7d1a43a0cb0b5b576358cea26f3354fd574132560ca0ae3"
+ score = 75
+ quality = 30
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $command1 = "time to rest" wide
+ $command2 = "pw" wide
+ $command3 = "pr" wide
+ $command4 = "dnld" wide
+ $step1 = "step1-" wide
+ $step2 = "step2-" wide
+ $step3 = "step3-" wide
+ $step4 = "step4-" wide
+ $step5 = "step5-" wide
+ $step6 = "step6-" wide
+ $delim = "]#@#[" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 2 of ( $command* ) and 3 of ( $step* ) and $delim and true
+}
+rule SEKOIA_Apt_Sandworm_Orcshred_Apr2022 : FILE
+{
+ meta:
+ description = "Detects the ORCSHRED script"
+ author = "Sekoia.io"
+ id = "1a88800c-29e1-4e2c-8374-f5a93dd9fd91"
+ date = "2022-04-12"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sandworm_orcshred_apr2022.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "de38cf43fa5cc756c26ae241f2e60636c2aabbe4254fdeca2340c62873498de7"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "find /etc -name os-release >"
+ $ = "/bin/bash /var/"
+ $ = "crontab -l >"
+ $ = ".sh & disown"
+
+ condition:
+ 3 of them and filesize < 2KB
+}
+rule SEKOIA_Implant_Mul_Alchimist : FILE
+{
+ meta:
+ description = "Detect the Alchimist implant based on strings"
+ author = "Sekoia.io"
+ id = "66330cc6-a7da-4717-9977-0cede48f46f5"
+ date = "2022-10-18"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_mul_alchimist.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "d4a5338c502b145a1d7ad9f35779e24d66ee2d11bf760d498aab39e2c62fbeb4"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "POST /users/loginpage.html HTTP/1.1" ascii
+ $str02 = "pm3/apps/Insekt/main.go" ascii
+ $str03 = "generate new insekt err" ascii
+ $str04 = "[SHELLCODE][filesize]:[scan]" ascii
+ $str05 = "\\Device\\NamedPipe\\cygwinbad" ascii
+ $str06 = "pm3/utils.GetTmpDir" ascii
+ $str07 = "os/exec.Command" ascii
+
+ condition:
+ ( uint16( 0 ) == 0x5A4D or uint32( 0 ) == 0x464C457F ) and 5 of them
+}
+rule SEKOIA_Rule_Lazarus_Generic_Downloader_7C3F94702Fa7 : FILE
+{
+ meta:
+ description = "Detects a Generic Downloader used by Lazarus"
+ author = "Sekoia.io"
+ id = "eb0f0a91-5e72-4358-91a3-7c3f94702fa7"
+ date = "2022-08-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rule_lazarus_generic_downloader_7c3f94702fa7.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "1ee58eb760fb74ef089f7d3eb423f314fe1c22e8c85b01eba0e965dea8c846ce"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "%s%s%s%s = %s%s%s%s"
+ $ = "sec-ch-ua-mobile: ?0"
+ $ = "%s>%s"
+ $ = "d$f92&^$#FESAfaSDage#FDa"
+ $ = "Sec-Fetch-User: ?1"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 200KB and 3 of them
+}
+rule SEKOIA_Apt_Emissarypanda_Sysupdate_Removing_Tool : FILE
+{
+ meta:
+ description = "Detects the SysUpdate removing tool"
+ author = "Sekoia.io"
+ id = "711d059c-6229-49ef-aa20-a04d505838dc"
+ date = "2022-08-03"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_emissarypanda_sysupdate_removing_tool.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "6a23fac99f26f4b0f9099e435ad53d9e83bf1322d190c565abf0c06dceeeaf34"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "KsWAYYYXXsFUCK" wide
+ $ = "remove Services:%s %d" wide
+ $ = "remove dir:%s %d" wide
+ $ = "remove reg %d" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 11MB and 2 of them
+}
+rule SEKOIA_Ransomware_Win_Blackcat : FILE
+{
+ meta:
+ description = "Detect the BlackCat ransomware (Windows version)"
+ author = "Sekoia.io"
+ id = "873355f7-3942-4171-9df7-f524bb6b6903"
+ date = "2022-01-19"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_blackcat.yar#L1-L31"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "8a60fd14835f9e8683c3e60a19f23bc00020ccd22e74bffbc8ed19fcb8d0e39a"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ classification = "TLP:CLEAR"
+ version = "1.1"
+
+ strings:
+ $s1 = "desktop_image::set_desktop_wallpaper=" ascii
+ $s2 = "C:\\Users\\Public\\All Usersdeploy_note_and_image_for_all_users=" ascii
+ $s3 = "propagate::none" ascii
+ $s4 = "propagate::failed=" ascii
+ $s5 = "propagate::ok=" ascii
+ $s6 = "query_status_process::ok=" ascii
+ $s7 = "enum_dependent_services::ok=" ascii
+ $s8 = "enum_dependent_services::error=" ascii
+ $s9 = "try_stop=" ascii
+ $s10 = "try_stop::ok=" ascii
+ $s11 = "try_stop::failed=" ascii
+ $s12 = "stop=" ascii
+ $s13 = "dependent_service_name=" ascii
+ $s14 = "kill_all=" ascii
+ $s15 = "detach=" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and filesize > 2MB and filesize < 4MB and all of them
+}
+rule SEKOIA_Ransomware_Win_Fonix : FILE
+{
+ meta:
+ description = "Detect the Fonix / XINOF ransomware by spotting its specific debug path"
+ author = "Sekoia.io"
+ id = "b28467d5-69a0-4a8b-8938-8fdac2ae8d19"
+ date = "2021-10-07"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_fonix.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "2085fae62c07f63723a417566c204b0a9942de35ed80272d1486dc2c96ca0037"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "Ransomware\\Fonix" ascii
+ $s2 = "Release\\Fonix.pdb" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and all of them
+}
+rule SEKOIA_Downloader_Kimsuky_Lnk
+{
+ meta:
+ description = "Detect Kimsuky LNK"
+ author = "Sekoia.io"
+ id = "3831d115-7874-4bc9-aeb4-d2cb9bc2b5c9"
+ date = "2024-07-16"
+ modified = "2024-12-19"
+ reference = "https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_kimsuky_lnk.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "3512c8c21203a015b316c2a993db1a8c10420df06ea97d84a6e350550a628230"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+ hash1 = "3065b8e4bb91b4229d1cea671e8959da8be2e7482067e1dd03519c882738045e"
+ hash2 = "d912f49d24792aa7197509f76e2097ac3858cde23199e1b40f2516948d39c589"
+ hash3 = "e936445935c4a636614f7113e4121695a5f3e4a6c137b7cdcceb6f629aa957c4"
+ hash4 = "fe156159a26f8b7c140db61dd8b136e1c8103a800748fe9b70a3a3fdf179d3c3"
+
+ strings:
+ $ = "AType: Text Document" wide
+ $ = "Size: 5.23 KB" wide
+ $ = "Date modified: 01/02/2020 11:23" wide
+
+ condition:
+ all of them
+}
+rule SEKOIA_Apt_Gamaredon_Htmlsmuggling_2024 : FILE
+{
+ meta:
+ description = "Detects HTML Smuggling webpages of Gamaredon used in 2024"
+ author = "Sekoia.io"
+ id = "8fa1f80b-2261-4d63-92d8-7c360be73fe2"
+ date = "2024-09-09"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_htmlsmuggling_2024.yar#L1-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "ab2807824e68d5efb4c896e1af82e693"
+ hash = "926b7e65d0d61cd6ba9e085193ae8b1d"
+ logic_hash = "9cd82f497fd7b82f02fec4ce1d131cd2685861c7c02aaae992e07a7d8bd30595"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "').innerHTML;window['" ascii fullword
+ $ = "='at'+'ob';"
+ $ = "]('*','');"
+ $ = "display:none"
+ $ = "0px;\" onerror=\""
+ $ = "'ev'+'"
+ $ = " 100KB and filesize < 1MB
+}
+rule SEKOIA_Infostealer_Win_Whitesnake_Xor_Rc4_July12 : FILE
+{
+ meta:
+ description = "Detects WhiteSnake Stealer XOR and RC4 version"
+ author = "Sekoia.io"
+ id = "f2ebfcbd-9667-459a-a543-ce0be62c0dc4"
+ date = "2023-07-12"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_whitesnake_xor_rc4_july12.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f14b95e5cb6ffaab14d0890847fe6e9dcfc3ee0b884c34d24d786420e2411a80"
+ score = 75
+ quality = 76
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $1 = {FE 0C 00 00 FE 09 00 00 FE 0C 02 00 6F ?? 00 00 0A FE 0C 03 00 61 D1 FE 0E 04 00 FE}
+ $2 = {61 6e 61 6c 2e 6a 70 67}
+ $3 = {73 68 69 74 2e 6a 70 67}
+ $4 = {FE 0C ?? 00 20 00 01 00 00 3F ?? FF FF FF 20 00 00 00 00 FE 0E ?? 00 38 ?? 00 00 00 FE 0C}
+ $5 = "qemu" wide
+ $6 = "vbox" wide
+
+ condition:
+ ($1 and $2 and filesize < 600KB ) or ( $3 and $4 and $5 and $6 and filesize < 300KB )
+}
+rule SEKOIA_Apt_Sandworm_Notpetya_Strings : FILE
+{
+ meta:
+ description = "Detects NotPetya worm"
+ author = "Sekoia.io"
+ id = "c6021638-1b59-4d20-a29d-95cabf256a28"
+ date = "2022-04-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sandworm_notpetya_strings.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "5600071de4b4022a71c48fbcd4b5e47ff6dfa291cc5eac65720bbf763068a6e3"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "wevtutil cl Security &" wide
+ $ = "wevtutil cl System &" wide
+ $ = "u%s \\%s -accepteula -s" wide
+ $ = "\\\\%ws\\admin$\\%ws" wide
+ $ = "\\\\%s\\admin$" wide
+ $ = "C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 3 of them
+}
+rule SEKOIA_Apt_Konni : FILE
+{
+ meta:
+ description = "Rule based on structure offsets and file extension"
+ author = "Sekoia.io"
+ id = "6a20c492-e932-41bd-ac4a-01d35bfb0c49"
+ date = "2022-09-12"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_konni.yar#L1-L25"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "8f178421fd0968f4ce809054022579c7fc8dede5f6514e89966d13acb83d75d9"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ext_1 = ".zip" wide ascii fullword
+ $ext_2 = ".cab" wide ascii fullword
+ $ext_3 = ".rar" wide ascii fullword
+ $ext_4 = ".ini" wide ascii fullword
+ $ext_5 = ".dat" wide ascii fullword
+ $offset_structure_1 = { 8d ?? 08 02 00 00 }
+ $offset_structure_2 = { 8d ?? 10 04 00 00 }
+ $offset_structure_3 = { 8d ?? 18 06 00 00 }
+ $url = "%s/dn.php?name=%s&prefix=%s" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 3MB and 3 of ( $ext_* ) and all of ( $offset_structure_* ) and $url
+}
+rule SEKOIA_Apt_Badmagic_Generic_Pshscript : FILE
+{
+ meta:
+ description = "Detects BadMagic generic powershell script (Possible FPs)"
+ author = "Sekoia.io"
+ id = "82cda554-3c2b-4c04-b9f9-b5ba50c53271"
+ date = "2023-05-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_generic_pshscript.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f442e1ba815cc7eae0c627db5ad1917021d69b8ce37155923a0f19776aeba95d"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "$ExecutablePath"
+ $ = "Start-Sleep -Second 2"
+
+ condition:
+ all of them and filesize < 1KB
+}
+rule SEKOIA_Hacktool_Stowaway_Strings : FILE
+{
+ meta:
+ description = "Detects Stowaway based on strings"
+ author = "Sekoia.io"
+ id = "a952b45a-269b-4075-bf72-16d6d863e97c"
+ date = "2023-11-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_stowaway_strings.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "10d28637e47d43497923a192c9e3a8bb35b480a314c71132866bdf0e49c2c460"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+
+ strings:
+ $ = "agent.CloseLowConn"
+ $ = "agent.CloseListener"
+ $ = "agent.SimpleNodeInit"
+ $ = "agent.HandleConnToLowerNode"
+ $ = "agent.HandleConnFromLowerNode"
+ $ = "common.NewPassToLowerNodeData"
+ $ = "agent.HandleSimpleNodeConn"
+ $ = "agent.HandleConnToUpperNode"
+ $ = "agent.HandleConnFromUpperNode"
+ $ = "agent.StartSocks"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and all of them
+}
+rule SEKOIA_Loader_Win_Purecrypter : FILE
+{
+ meta:
+ description = "Detect the PureCrypter loader"
+ author = "Sekoia.io"
+ id = "500b4d9e-55f8-41d1-ad4f-d587bbeb4507"
+ date = "2022-09-22"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_purecrypter.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "5d0d733a4f8447d2d51656a20640fc9482581e19ba1d53fed7d98e85bb748763"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $hex01 = /http:\/\/[^\s]{5,90}_[A-Z][a-z]{7}\.(bmp|jpg|png)/ wide
+ $hex02 = "WrapNonExceptionThrows" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and ( $hex02 in ( @hex01 .. @hex01 + 1000 ) or $hex01 in ( @hex02 .. @hex02 + 1000 ) )
+}
+rule SEKOIA_Apt_Gamaredon_Gammaload_Maliciouslnk : FILE
+{
+ meta:
+ description = "Detects Gamaredon's GammaLoad LNK"
+ author = "Sekoia.io"
+ id = "2612e6c6-0bda-4bfa-a840-aa0a0b4c945b"
+ date = "2022-08-01"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_gammaload_maliciouslnk.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "94ba156cd6697a9999b6a4f78c4356ea3382b7b3e7a1af79d488aa34df2c3b40"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $mshta = "System32\\mshta.exe"
+ $trait = { 0D 0A ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0D 0A }
+
+ condition:
+ uint32be( 0 ) == 0x4c000000 and #trait > 100 and $mshta and filesize > 100KB and filesize < 300KB
+}
+rule SEKOIA_Apt_Apt31_Pakdoor : FILE
+{
+ meta:
+ description = "Detects APT31 ORB implant - 2019/2021"
+ author = "Sekoia.io"
+ id = "463b8d0d-30f4-45ed-8f19-4b32436fbbf0"
+ date = "2021-10-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt31_pakdoor.yar#L1-L25"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2"
+ logic_hash = "ef001e31b34761688f32ec767082d9d7f9fc4e4368d567eb64b66583bcb7fc78"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+ version = "1.0"
+
+ strings:
+ $s1 = "mv -f %s %s ;chmod 777 %s"
+ $s2 = "GET /plain HTTP/1.1"
+ $s3 = "exc_cmd time out"
+ $s4 = "exc_cmd pipe err"
+ $s5 = { 2e 2f [1-10] 20 20 64 65 6c }
+
+ condition:
+ int32be ( 0 ) == 0x7f454c46 and filesize < 800KB and filesize > 400KB and 4 of ( $s* )
+}
+rule SEKOIA_Apt_Sandworm_Olympicdestroyer : FILE
+{
+ meta:
+ description = "Detects OlympicDestroyer malware"
+ author = "Sekoia.io"
+ id = "6820eb32-fea2-4a00-a5a2-672ba09f8206"
+ date = "2022-04-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sandworm_olympicdestroyer.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a68a96ab036e69a32e173b2d2fa6a81ab872032f89bfdfc3cd4446305a33921b"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "cmd.exe /c (ping 0.0.0.0 > nul)" wide
+ $ = "if exist %programdata%\\evtchk.txt" wide
+ $ = "\\\\.\\pipe\\%ls" wide
+ $ = "%ProgramData%\\%COMPUTERNAME%.exe" wide
+ $ = "(exit 5) else ( type nul >" wide
+ $ = "Select * From Win32_ProcessStopTrace" nocase
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 3 of them
+}
+rule SEKOIA_Ta410_Control_Flow_Obfuscation : FILE
+{
+ meta:
+ description = "Detects control flow obfuscation used by TA410 in XXXModule_dlcore0"
+ author = "Sekoia.io"
+ id = "2a784f9b-3624-4c5d-8a64-db7d3c33a8f7"
+ date = "2022-10-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ta410_control_flow_obfuscation.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "6cf78943728286d0bddd99049d81065673ab7f679029cdd5f5dc69f90197136e"
+ logic_hash = "3ee6ee07e7a7be285290ec91de649afff3e5dc222bcfc58709b642d4dd53dc41"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $chunk_1 = {
+ E8 ?? ?? ?? ??
+ 83 C0 10
+ 3D 00 00 00 80
+ 7D 01
+ EB ff
+ }
+ $chunk_2 = {83 C0 10 3D 00 00 00 80 7d 01 eb ff e0 50 c3 75}
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 10MB and any of them
+}
+rule SEKOIA_Hacktool_Lazagne_Strings : FILE
+{
+ meta:
+ description = "Detects LaZagne hacktool based on strings"
+ author = "Sekoia.io"
+ id = "5a5e7a07-1252-48cc-ada5-46e796c4e00e"
+ date = "2022-02-07"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_lazagne_strings.yar#L1-L25"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a6db351fee9a28b1a6d82c2ce063088a1050ee8379cc13ca3cf8cc2038043951"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $w1 = "lazagne.softwares"
+ $w2 = "pypykatz.lsadecryptor"
+ $l0 = "PyModule_GetDict"
+ $l1 = "softwares.sysadmin.filezilla"
+ $l2 = "softwares.walle"
+ $l3 = "softwares.databases.sqldeveloper"
+ $l4 = "softwares.wifi.wpa_supplicant"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 and all of ( $l* ) ) or ( uint16be( 0 ) == 0x4d5a and all of ( $w* ) ) and filesize < 40MB
+}
+rule SEKOIA_Ransomware_Win_Dodo_2023 : FILE
+{
+ meta:
+ description = "Rule to detect Dodo ransomware samples."
+ author = "Sekoia.io"
+ id = "190977d4-5a7a-4e15-8f90-085f82ec56c8"
+ date = "2023-02-13"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_dodo_2023.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "01924360ef4bbecd220439290eba22838a3977793fdebd0ef0be74c342c0d152"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+ hash1 = "aee45cc2540d49a28e765c30f1c4d0b853c1a74ea2260bd7614ece8e54c3bcb3"
+
+ strings:
+ $s1 = "DODOCRYPTER" ascii wide
+ $s2 = "dodov2" ascii wide
+ $s3 = "dodov2SPREAD.exe" ascii wide
+ $s4 = "dodov2_readit.txt" ascii wide
+ $s5 = "WELCOME, DODO has returned" ascii wide
+ $s6 = "Monero Address: 442n8nf9zojie1JdkZqxDQJFDumBEgZmVZozLdYd5jVPSMws2oUPvNLJKca6JKojyA7zDCZCnMyYnKbY1JLNsbzWK6HNNqW" ascii wide
+ $s7 = "The price for the software is $15. Payment can be made in Bitcoin or XMR." ascii wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 4 of them
+}
+rule SEKOIA_Luckymouse_Sysupdate_Payload : FILE
+{
+ meta:
+ description = "Detects decryption routine prologue of sysupdate samples"
+ author = "Sekoia.io"
+ id = "97df4700-de35-49a0-869e-ed89a6d9cbdd"
+ date = "2022-08-19"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/luckymouse_sysupdate_payload.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "e8501a50c65330153e613ae5bd6bbfbe4372d85175c3ed81d202ec5f177a94be"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = { DB ?? ?? C9 66 B9 ?? ?? E8 FF FF FF FF }
+
+ condition:
+ filesize < 1MB and all of them
+}
+rule SEKOIA_Dropper_Win_Konni_Cab : FILE
+{
+ meta:
+ description = "Detect the CAB files used to drop the KONNI malware"
+ author = "Sekoia.io"
+ id = "87a209d5-667a-4a81-837a-660ab98c33c8"
+ date = "2023-09-26"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/dropper_win_konni_cab.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "b49bb875d5ddd4b815da5bd184ec7f1d23cfb7ad316760c9a9876607245d0a95"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $magic = "MSCF"
+ $file2 = "check.bat"
+ $file3 = "wpnprv64.dll"
+ $file4 = "wpnprv32.dll"
+
+ condition:
+ $magic at 0 and all of ( $file* )
+}
+rule SEKOIA_Malicious_Lnk_Exploiting_Webdav_Share_Generic : FILE
+{
+ meta:
+ description = "Detects some malicious LNK"
+ author = "Sekoia.io"
+ id = "b228643c-ab23-46e1-b170-3da6bcb2dd23"
+ date = "2024-11-22"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malicious_lnk_exploiting_webdav_share_generic.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "cffb40e13e3aa6761330090b42314c36"
+ logic_hash = "8179ef8ac43cb67a1b70baf7824452834f498d988df84e138c857ac0ef164b4b"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "powershell.exe" wide
+ $ = "-Name explorer; \\\\" wide
+ $ = "@80\\"
+ $ = "desktop-tcrdu4c"
+
+ condition:
+ uint32be( 0 ) == 0x4c000000 and 2 of them
+}
+rule SEKOIA_Ransomware_Linux_Icefire_2023 : FILE
+{
+ meta:
+ description = "Rule to detect Linux IceFire ransomware samples."
+ author = "Sekoia.io"
+ id = "b04964f4-3fdc-4745-9f4a-95a5a79bc7e1"
+ date = "2023-02-13"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_linux_icefire_2023.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "25033bd33311b070809d150f60803f32011d78a6a74d6b5f620a3216f0f95a6e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+ hash1 = "e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b"
+
+ strings:
+ $string01 = "********************Your network has been infected!!!********************"
+ $string02 = "IMPORTANT : DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED!!!"
+ $string03 = "username:"
+ $string04 = "password:"
+ $string05 = ".cfg.o.sh.img.txt.xml.jar.pid.ini.pyc.a.so.run.env.cache.xmlb"
+ $string06 = "./boot./dev./etc./lib./proc./srv./sys./usr./var./run"
+ $string07 = "/iFire-readme.txt"
+ $string08 = ".iFire"
+ $string09 = "iFire.pid"
+
+ condition:
+ uint32be( 0 ) == 0x7F454C46 and all of them
+}
+rule SEKOIA_Apt_Gamaredon_Stealer_Obfuscation_1 : FILE
+{
+ meta:
+ description = "Matches the Gamaredon Stealer obfuscation"
+ author = "Sekoia.io"
+ id = "a6197d16-8ed1-410b-8814-d7eff9a8096c"
+ date = "2022-02-04"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_stealer_obfuscation_1.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "7f6a5f8af73c4eb7debbadfd22232ad4e3f44e3aae36c3d624ce7a1a050e8782"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = { 76 61 72 20 [5-30] 3d 20 6e 65 77 20 6f 62 6a 65 63 74 5b 5d 20 7b 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 20 7d 3b }
+ $s2 = { 66 6f 72 28 69 6e 74 20 [5-30] 20 3d 20 30 3b 20 [5-30] 20 3c 20 31 30 3b 20 [5-30] 2b 2b 29 }
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize > 100MB and ( #s1 > 100 or #s2 > 100 )
+}
+rule SEKOIA_Hacktool_Credentialkatz : FILE
+{
+ meta:
+ description = "Finds ChromeKatz (CredentialKatz version) standalone samples based on the strings"
+ author = "Sekoia.io"
+ id = "4795d131-2625-40ca-bca6-02aac5030b55"
+ date = "2024-10-30"
+ modified = "2024-12-19"
+ reference = "https://github.com/Meckazin/ChromeKatz"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_credentialkatz.yar#L1-L34"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "2762e066128e186526c5ff272fc9184c0262d81d8c513e6515c25c189418931c"
+ logic_hash = "dbfc0a6e8ad6701a071cb76564a2aeb9924ff7f13306f5dca1e1045c51f07ae7"
+ score = 75
+ quality = 55
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "Don't use your cat's name as a password!" ascii
+ $str02 = "[-] Failed to parse command line argument /pid!" ascii
+ $str03 = "[*] Targeting process: %ls on PID: %lu" ascii
+ $str04 = "CredentialStore: NotSet" ascii
+ $str05 = "CredentialStore: AccountStore" ascii
+ $str06 = "CredentialStore: ProfileStore" ascii
+ $str07 = "[*] Number of available credentials: %zu" ascii
+ $str08 = "[+] Found browser process: %d" ascii
+ $str09 = "Failed to read credential struct" wide
+ $str10 = "Error reading right node" wide
+ $str11 = "Failed to read the root node from given address" wide
+ $str12 = "Error reading first node" wide
+ $str13 = "chrome.dll" wide
+ $str14 = " Domain:" ascii
+ $str15 = " Password:" ascii
+ $str16 = "Found %ls main process PID: %lu" ascii
+ $str17 = "---------------" ascii
+ $str18 = "CredentialKatz" ascii wide
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 5 of them
+}
+rule SEKOIA_Infostealer_Win_Spacestealer : FILE
+{
+ meta:
+ description = "Detects SpaceStealer based on specific strings"
+ author = "Sekoia.io"
+ id = "aceae3b3-1f5a-48b4-84cb-d0ba68d26df5"
+ date = "2022-11-29"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_spacestealer.yar#L1-L31"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "94edfd0606816ff01d1345357a852cab4321d8881921e51ba96d8d2d4cb893b5"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "spacestealerxD" ascii
+ $str02 = "\\spacex" ascii
+ $str03 = "@~$~@spacex-" ascii
+ $str04 = "StealerClient" ascii
+ $str05 = "kill-process-by-name" ascii
+ $str06 = "\\BetterDiscord\\data\\betterdiscord.asar" ascii
+ $str07 = "api/webhooks" ascii
+ $str08 = "discordPath" ascii
+ $str09 = "SELECT host_key, name, encrypted_value FROM cookies" ascii
+ $str10 = "SELECT origin_url, username_value, password_value FROM logins" ascii
+ $str11 = "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards" ascii
+ $str12 = "Cookies don't found." ascii
+ $str13 = "/api/cookies?auth=" ascii
+ $str14 = "/api/passwords?auth=" ascii
+ $str15 = "/api/autofill?auth=" ascii
+ $str16 = "/api/creditcards?auth=" ascii
+ $str17 = "\\Yandex\\YandexBrowser\\User Data\\Guest Profile\\Network\\" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and filesize > 10MB and 13 of them
+}
+rule SEKOIA_Tool_Sharphoundpowershell_Strings : FILE
+{
+ meta:
+ description = "Detects SharpHound Powershell"
+ author = "Sekoia.io"
+ id = "f27a0bdc-1a8c-43f9-843c-6c8506726f37"
+ date = "2022-08-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_sharphoundpowershell_strings.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "29756acb0afd8aabac170ca8288f1dcffcb2e601c9bdba1cc7a30b8b415661f6"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "function Invoke-BloodHound"
+ $ = "$vars.Add($RealDNSName)"
+ $ = "$vars.Add($Jitter)"
+ $ = "CmdletBinding(PositionalBinding = $false)"
+ $ = ").Invoke($Null, @(,$passed))"
+ $ = "$EncodedCompressedFile ="
+
+ condition:
+ filesize < 2MB and 4 of them
+}
+rule SEKOIA_Malware_Remcom_Strings : FILE
+{
+ meta:
+ description = "Detects RemCom based on strings"
+ author = "Sekoia.io"
+ id = "7a56d55a-2f35-41ef-b7af-259baf215a62"
+ date = "2022-08-30"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_remcom_strings.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a46bb87bf4722303d33707afb19c8d4f209b98a88552363363520536911469ae"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "RemComSvc"
+ $ = "RemCom_stderr"
+ $ = "RemCom_stdin"
+ $ = "\\\\.\\pipe\\%s%s%d"
+ $ = "RemCom_stdout"
+ $ = "\\\\.\\pipe\\RemCom_communicaton"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and 4 of them
+}
+rule SEKOIA_Loader_Fakebat_Initial_Powershell_May24 : FILE
+{
+ meta:
+ description = "Finds FakeBat initial PowerShell script downloading and executing the next-stage payload."
+ author = "Sekoia.io"
+ id = "adf0e4fc-fa98-470b-9535-bd30d0bdb3aa"
+ date = "2024-05-28"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_fakebat_initial_powershell_may24.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "6a699df361b0cb2baf1d0b128f795aa9918ebe11daaeb1fa49aebf9320add762"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ modification_date = "2024-06-21"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "='http" wide
+ $str02 = "=(iwr -Uri $" wide
+ $str03 = " -UserAgent $" wide
+ $str04 = " -UseBasicParsing).Content; iex $" wide
+
+ condition:
+ 3 of ( $str* ) and filesize < 1KB and true
+}
+rule SEKOIA_Tool_Tokenplayer_Strings : FILE
+{
+ meta:
+ description = "Detects TokenPlayer based on strings"
+ author = "Sekoia.io"
+ id = "74ed8812-f113-47a9-9ff2-6cbe2746ee11"
+ date = "2024-11-04"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_tokenplayer_strings.yar#L1-L25"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "f01eae4ee3cc03d621be7b0af7d60411"
+ logic_hash = "e419fa8c690816cd0e449f0a1d66d170e8806b38a99758631719b239363e330e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "[*]Spawning Process as user: %s\\%s" wide
+ $ = "[-]Target isn't vulnerable!"
+ $ = "[+]Process spawned!"
+ $ = "[+]Process Spawned"
+ $ = "[+]OpenProcessToken() success!"
+ $ = "CreateProcessWithLogonW() error : % u"
+ $ = "[+]CreateProcessWithLogonW() succeed!"
+ $ = "TokenPlayer.pdb"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 5 of them and filesize < 500KB
+}
+rule SEKOIA_Hacktool_Earthworm_Strings : FILE
+{
+ meta:
+ description = "Detects Mac/Win/Linux EarthWorm based on strings"
+ author = "Sekoia.io"
+ id = "6c9b0225-8c41-49f9-9745-245bc7ef942f"
+ date = "2022-02-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_earthworm_strings.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "0460c62fefc3d594ca758a37fbe1716182ffdca2920fedd32a707f7117702176"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "the read url is %s"
+ $ = "--> %3d <-- (close)used tunnel %d , unused tunnel %d"
+ $ = "ssocksd 0.0.0.0:%d <--[%4d usec]--> socks server"
+ $ = "could not create one way tunnel"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a or uint32be( 0 ) == 0xcffaedfe ) and filesize < 100KB and 3 of them
+}
+rule SEKOIA_Generic_Python_Reverse_Shell : FILE
+{
+ meta:
+ description = "Detects simple reverse shell written in Python"
+ author = "Sekoia.io"
+ id = "ab25f8db-e39d-4aa4-b431-cf5cd2e038e5"
+ date = "2023-12-08"
+ modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_python_reverse_shell.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ced9923ef8018796545d93d9ac8ba3138dd7d4e79db742eb3babcd94c8d3c304" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "import pty" + $ = "lhost =" + $ = "os.dup2(s.fileno(),0)" + $ = "os.putenv(\"HISTFILE\",'/dev/null')" + + condition: + filesize < 1KB and all of them +} +rule SEKOIA_Dropper_Win_Selfau3 +{ + meta: + description = "Finds SelfAU3 Dropper samples based on specific strings" + author = "Sekoia.io" + id = "2d005a54-b013-40e9-b88a-30454e4b22af" + date = "2024-02-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/dropper_win_selfau3.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5f69457127ae6cb84b04f72dd30393dbcf32b4ba26ec6d529eebcc03191cbed3" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $sfx = "!Require Windows" ascii + $ins01 = ";!@Install@!UTF-8!" ascii + $set = {53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 3d 22 [1-15] 3d ?? 22} + $run = "RunProgram=\"hidcon:c" ascii + $ins02 = ";!@InstallEnd@!" ascii + + condition: + $sfx at 77 and $set in ( @ins01 .. @ins01 + 500 ) and #set > 5 and $run in ( @set .. @set + 1000 ) and $ins02 in ( @run .. 
@run + 500 ) +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Mgbot_Main +{ + meta: + description = "Detect MgBot main.dll file" + author = "Sekoia.io" + id = "528baa11-58d5-470a-bd6d-963d4ac75d97" + date = "2024-03-20" + modified = "2024-12-19" + reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_mgbot_main.yar#L4-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "61b335c88ce8bc56396b597c7c6f27b1d431941682401f0b3950c80edf7d8403" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "706c9030c2fa5eb758fa2113df3a7e79257808b3e79e46869d1bf279ed488c36" + hash2 = "017187a1b6d58c69d90d81055db031f1a7569a3b95743679b21e44ea82cfb6c7" + + condition: + pe.imphash( ) == "8e1ee04a99c77bd54c6dc55214ffa2e3" or hash.md5 ( pe.rich_signature.clear_data ) == "67e8e8b75b981b5c8ff31149dc2c61b2" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "7c6adf9987e6dfbf19b5f156b0314798" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "46fa9f5a035c8ae8de1a0d14150bd5ef" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "f7895f9456f8d51125e6744960c38133" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "5d82bb8a7ef37c417615381b446f715c" ) or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . 
length ) == "d7808c6662f098e685040f7c61bc033d9e73002f674de7cf2ffcd6230d60d429" ) +} +import "hash" +import "pe" + +rule SEKOIA_Launcher_Win_Bluehaze : FILE +{ + meta: + description = "Detect the BLUEHAZE malware" + author = "Sekoia.io" + id = "ccfe0593-0a9f-4369-952e-5cef2f459bb3" + date = "2022-12-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/launcher_win_bluehaze.yar#L4-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "56a9d6d713a5744e77c8d34ad28983bb3b2aded1abff47dbf2d887724bd3ed4e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Libraries\\CNNUDTV" + $ = "cmd.exe /C wuwebv.exe -t -e" + $ = "cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ACNTV /t REG_SZ /d \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL" + + condition: + uint16( 0 ) == 0x5A4D and 3 of them or pe.imphash ( ) == "1b3d8fae6035e34f91baa59643746efe" or hash.md5 ( pe.rich_signature.clear_data ) == "44022b7cefeae4d55edcceb5b9bcd295" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "1cdcb493593f8793b10e109f6b5b2993" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "276d668ed7d1b46e101425e02a16460f" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "f6a474220add335b5696256235ce8c9c" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "82bccb3330d50080f86ab1aa566cae8e" ) +} +rule SEKOIA_Clipper_Win_Atlas_Strings +{ + meta: + description = "Detects Atlas Clipper" + author = "Sekoia.io" + id = "f08c6af6-c325-4f7d-8686-575b25550d6a" + date = "2023-07-10" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/clipper_win_atlas_strings.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c8ad062b69dfe996a488ee9c79f0e7e0016f57f5b54fc39aeb4e207d2a42aa75" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "C:/Users/box/Desktop/ATLAS/ATLAS/main.go" ascii + $s2 = "ATLAS Clipper" ascii + $s3 = "Victim: %s" ascii + $s4 = "Attacker: %s" ascii + $s5 = "Install Path: %s" ascii + $s6 = "HWID: %s" ascii + $s7 = "Install Date: %s" ascii + $s8 = "https://t.me/atlasclipper_channel" ascii + + condition: + all of them +} +rule SEKOIA_Ransomware_Win_Lorenz : FILE +{ + meta: + description = "Detect the Lorenz ransomware" + author = "Sekoia.io" + id = "6936cc61-efe5-4d13-b76f-e808ab331457" + date = "2022-02-10" + modified = "2024-12-19" + reference = "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_lorenz.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "355de0f172c9e877bbca7f75c0bfb07d83ae7f43e7674a7f84c4e4d519dfa7c0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.1" + classification = "TLP:CLEAR" + + strings: + $s1 = ".onion" ascii + $s2 = "---===Lorenz. Welcome. Again. 
===--" ascii + $s3 = ".Lorenz.sz40" ascii + $url1 = "egypghtljedbs3x3ui45tfhosakzb376epl7baq2ruzfyewcypswhgqd.onion" ascii + $url2 = "lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion" ascii + $url3 = "vsoonropylvbfqnq2urk7uhaxn7afiwgldnj3ntc743awigojm4p7lid.onion" ascii + $url4 = "kpb3ss3vwvfejd4g3gvpvqo6ad7nnmvcqoik4mxt2376yu2adlg5fwyd.onion" ascii + $url5 = "vldkrmiqriwlgm2wuxg42nvc6kqsdzsdhsybn27hyn34d66465fxz7id.onion" ascii + + condition: + uint16( 0 ) == 0x5a4d and filesize > 900KB and filesize < 1200KB and ( all of ( $s* ) or 1 of ( $url* ) ) +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Blackrat : FILE +{ + meta: + description = "Detect Andariel's Black RAT malware" + author = "Sekoia.io" + id = "3a5a6290-6344-45ce-8929-ea5a4451840f" + date = "2023-09-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_blackrat.yar#L4-L33" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "4edf1335e357ebc02e4abb51cd8d808ae39e649cf19cdb3ec667c9cf313181a9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c" + + strings: + $s1 = "I:/01___Tools/02__RAT/Black/Client_Go/Client.go" + $s2 = "I:/01___Tools/02__RAT/Black/Client_Go/Define.go" + $s3 = "I:/01___Tools/02__RAT/Black/Client_Go/Screenshot.go" + $x1 = "RAT/Black/Client" + + condition: + uint16be( 0 ) == 0x4d5a and ( all of ( $s* ) or #x1 >= 3 ) or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "74c4cdc9d33fc63aee7ae9659b6f8d24" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "298948afbe85985025e176605ee21176" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "e5ca54c5def3c7a950e6d4034dc86277" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "440ae899aea859458df5b6de7dbc5b34" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "98e46f76b965ffb58f6cd53ff8dc91c0" ) +} +rule SEKOIA_Generic_Sharpshooter_Payload_13 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "2d61d7b8-5348-4cc8-9d41-61799b573e3b" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_13.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fb6b71bf1e89abf872fb3ef02a228f370f0fcc10d5aab70418fe8735283165da" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Private Function decodeHex(hex)" + $ = "EL.Text = hex " + $ = "serialized_obj = serialized_obj & " + $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)" + + condition: + all of them and filesize < 2MB +} +rule SEKOIA_Apt_Gamaredon_Gamaredon_Lnk_Usb_Spreader +{ + meta: + description = "Detects Gamaredon LNK USB Spreader" + author = "Sekoia.io" + id = "a0972e30-bfc5-48ff-b04b-382db8c08a54" + date = "2023-06-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_gamaredon_lnk_usb_spreader.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = 
"2aee8bb2a953124803bc42e5c42935c92f87030b65448624f51183bf00dd1581" + logic_hash = "3adb2433eda559d9b32316f4733741b0fc8c576937b1decede8bc7d23b203a0e" + score = 75 + quality = 64 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ".CREatesHoRTCUt(" nocase ascii wide + $ = "cOPY-Item $enV:UsErprOfilE" nocase ascii wide + $ = "-dEsTInaTioN $Env:" nocase ascii wide + $ = " = GET-ChilDITem $drivE.nAMe" nocase ascii wide + $ = "STArt-SLEeP" nocase ascii wide + $ = "-eq [SYsTEM.Io.fILeaTTrIbuTES]::DIRecToRy" nocase ascii wide + $ = "drIvETYPe='2'" nocase ascii wide + $ = ".iConloCaTiON = " nocase ascii wide + + condition: + 7 of them +} +rule SEKOIA_Trojan_And_Keepspy : FILE +{ + meta: + description = "Finds KeepSpy samples based on specific strings" + author = "Sekoia.io" + id = "9390e7c8-a996-45cc-b642-c23d4b7dcf34" + date = "2023-06-28" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/trojan_and_keepspy.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "03a954a5585a9a80fdc5a0cd2644a819c540d43b260e040b627530ca88ee08fa" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Characters entered %1$d of %2$d" ascii + $str02 = "com.google.android.material.behavior.HideBottomViewOnScrollBehavior" ascii + $str03 = "com/j256/ormlite/core/VERSION.txt" ascii + $str04 = "res/raw/empty.wav" ascii + $str05 = "res/mipmap/ic_launcher.png" ascii + $str06 = "res/interpolator/fast_out_slow_in.xml" ascii + $str07 = "OnePixelActivity" ascii + + condition: + uint32be( 0 ) == 0x504B0304 and 6 of them and filesize > 2MB +} +rule SEKOIA_Infostealer_Win_Blackguard_Mar23 : FILE +{ + meta: + description = "Finds BlackGuard samples based on specific strings (March 2023, version 
5)" + author = "Sekoia.io" + id = "65804d31-2a0c-4b22-a8d9-8cbe1497f155" + date = "2023-03-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_blackguard_mar23.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "63d77808036478da0c8d38a6d3581ccd2d4e46ae16ec9e817f09f8b633b01843" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "================== 5.0 ==============" wide + $str02 = "/concerts/disk.php" wide + $str03 = "/concerts/memory.php" wide + $str04 = "/loader_v2.txt" wide + $str05 = "io.solarwallet.app\\Local Storage\\leveldb" wide + $str06 = "costura.dotnetzip.dll.compressed" ascii wide + $str07 = "set_Laskakakaska" ascii + $str08 = "get_Yliana" ascii + $str09 = "set_Illeona" ascii + $str10 = "set_Gyttettfd" ascii + + condition: + uint16( 0 ) == 0x5A4D and 4 of them +} +rule SEKOIA_Trojan_Android_Xenomorph : FILE +{ + meta: + description = "Detect samples of the Android banking trojan Xenomorph" + author = "Sekoia.io" + id = "ec65ca1b-e71f-4772-8be0-2a2b6a690987" + date = "2022-02-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/trojan_android_xenomorph.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d44e5742449cd9c19b50ab23f452378d5627e19140554d12086994d820df9c64" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ass0 = "assets/shadows/knife_shadow_" + $ass1 = "assets/knife_" + $ass2 = "okhttp3" + + condition: + uint32be( 0 ) == 0x504B0304 and 
filesize > 1MB and filesize < 4MB and #ass0 > 10 and #ass1 > 10 and $ass2 +} +rule SEKOIA_Tool_Masky_Strings : FILE +{ + meta: + description = "Detects Masky tool" + author = "Sekoia.io" + id = "542670ee-9f2e-4148-853d-a3f055bd584c" + date = "2022-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_masky_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "35dc536879d9464919028ace6b65b225455621035184d7b58468d259ccda62aa" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "caa1aa2e-8a2a-4f98-bc51-b7cf10663fa9" ascii + $s2 = "Masky" ascii + $s3 = "\\Windows\\Temp\\" wide + $s4 = "Length must be non-negative" wide + $s5 = "CSP does not contain a private key" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and 4 of them or $s1 +} +rule SEKOIA_Apt_Kimsuky_Toddlershark_Strings : FILE +{ + meta: + description = "Detects Kimsuky TODDLERSHARK vbs malware" + author = "Sekoia.io" + id = "2db1a424-9e83-4168-8ebf-d3b415b6a576" + date = "2024-03-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_toddlershark_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "dee9d03f498437dd6d8399975cd91ec44307067ac4642b9ff31df1a6d6b10468" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "On Error Resume Next" + $ = ".open \"POST\", \"http" + $ = ".setRequestHeader" + $ = ".send" + $ = "Execute(" + $ = ".responseText)" + + condition: + all of them and 
filesize < 450 +} +rule SEKOIA_Apt_Cloudatlas_Powershower_Variant : FILE +{ + meta: + description = "Detects PowerShower" + author = "Sekoia.io" + id = "416d0cb0-bc59-47ae-8a98-d7b39f8108ab" + date = "2023-12-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_powershower_variant.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "7bcfafd5a52d685fe33715c8c3725d95947c65863902fde05cf85685a6bfeab8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "[System.Text.Encoding]::" ascii wide + $s2 = "{8}{9}{10}{11}{12}{13}{14}{15}{16}{17}{18}{19}{20}" ascii wide + + condition: + filesize < 10KB and all of them +} +rule SEKOIA_Infostealer_Win_Edgeguard : FILE +{ + meta: + description = "Finds EdgeGuard Stealer samples based on specific strings" + author = "Sekoia.io" + id = "bbdb362f-d235-48f8-8fa5-d340d4e3e3f0" + date = "2023-08-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_edgeguard.yar#L1-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "11396aea2e166456ec8311f95a8037aac41f69caf3158f8c19cb0c38327842d6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "main.downloadnecessary" ascii + $str02 = "main.extractchromepasswords" ascii + $str03 = "main.extracttasksch" ascii + $str04 = "main.BrowserDownloadsViewExtract" ascii + $str05 = "main.stealmetamask" ascii + $str06 = "main.stealexoduswallet" ascii + $str07 = "main.moveatomic" ascii + $str08 = 
"main.movefirefoxcookies" ascii
+ $str09 = "main.movepasswords" ascii
+ $str10 = "main.FinallyZIPIPFolder" ascii
+ $str11 = "edgeguard.business" ascii
+ $str12 = "/License.XenArmor" ascii
+ $str13 = "/TaskSchedulerView.exe" ascii
+ $str14 = "/BrowsingHistoryView.exe" ascii
+ $str15 = "/outlookfiles/starter.exe" ascii
+ $str16 = "/outlookfiles/External.zip" ascii
+ $str17 = "/outlookfiles/XenManager.dll" ascii
+ $str18 = "/outlookfiles/EmailPasswordRecoveryPro.exe" ascii
+
+ condition:
+ uint16( 0 ) == 0x5a4d and 10 of ( $str* )
+}
+rule SEKOIA_Downloader_Win_Search : FILE
+{
+ meta:
+ description = "'Search.exe' script used by APT42"
+ author = "Sekoia.io"
+ id = "8094ddda-6294-4dee-93cb-de79aaed1ec6"
+ date = "2024-08-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_win_search.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "a29fa85ecfc0e5554c21f3b9db185de97b3504517403f4aa102adbd2c46dc1bf"
+ hash = "f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060"
+ logic_hash = "1b25f04d1d2c9b7bdc7e0bd17d2f2876c27f9c4acb3a2afca6a4df531e769740"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "C:\\Users\\pc\\source\\repos\\Search\\Search\\obj\\Debug\\Search.pdb"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and all of them
+}
+rule SEKOIA_Apt_Lazarus_Vhd_Ransomware_Downloader : FILE
+{
+ meta:
+ description = "Detects VHD ransomware downloader"
+ author = "Sekoia.io"
+ id = "edcc9df8-650c-437a-adb8-a671e8b75e64"
+ date = "2022-11-28"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_lazarus_vhd_ransomware_downloader.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "042ab0029d170937af9b9ee6a8e499843532c84cf99faed3d2d47cb18a1500ac"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "rundll32.exe %s #1 %S" wide
+ $ = "cmd /c timeout /t 10 & Del /f /q \"%s\" & attrib -s -h \"%s\" & rundll32 \"%s\" #1" wide
+ $ = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" wide
+ $ = "curl -A cur1-agent -L %s -s -d da"
+ $ = "curl -A cur1-agent -L %s -s -d dl"
+
+ condition:
+ filesize < 2MB and 3 of them
+}
+rule SEKOIA_Tool_Htran_Strings : FILE
+{
+ meta:
+ description = "Detects HTran based on strings"
+ author = "Sekoia.io"
+ id = "0184937e-eefa-4c6d-ae00-9b0af80dc7db"
+ date = "2022-09-09"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_htran_strings.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "6a414cec8ad623c735779b9005074f88b07d88b29b23918d98a541a2612a3fa0"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "-slave "
+ $ = "-tran "
+ $ = "-listen "
+ $ = "[-] There is a error...Create a new connection."
+ $ = "[+] Start Transmit (%s:%d <-> %s:%d) ......" 
+ $ = "[+] Accept a Client on port %d from %s"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and 3 of them
+}
+rule SEKOIA_Apt_Oilrig_Clipog_Strings : FILE
+{
+ meta:
+ description = "Detects OilRig's Clipog stealer"
+ author = "Sekoia.io"
+ id = "0ac40fd9-f67d-41fa-a774-77a3a1b7cac3"
+ date = "2023-10-24"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_clipog_strings.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "16f3fef59db9c58025a4a977de944b628e9dc850f87c1bb22e2f2f97601e5107"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "[ClipBoard=" wide
+ $ = "[NUMPAD .]" wide
+ $ = "[SPACE]" wide
+ $ = "GetClipboardData"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 350KB and all of them
+}
+rule SEKOIA_Bot_Lin_Kinsing_Strings : FILE
+{
+ meta:
+ description = "Catch Kinsing malware based on strings"
+ author = "Sekoia.io"
+ id = "ce41b6d0-bc22-4a85-a3bb-ed3234871524"
+ date = "2023-11-24"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/bot_lin_kinsing_strings.yar#L1-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "164b22734541d43047a2ea868cf0a269efe69c64a6392030168f4d391b1be777"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "MinerUrl" ascii
+ $s2 = "main.masscan" ascii
+ $s3 = "redisBrute" ascii
+ $s4 = "ActiveC2CUrl" ascii
+ $s5 = "main.getKi" ascii
+ $s6 = "main.getMu" ascii
+ $s7 = "tryToRunMiner" ascii
+ $s8 = "main.kiLoader" ascii
+ $s9 = 
"main.downloadAndExecute" ascii
+
+ condition:
+ uint32( 0 ) == 0x464c457f and all of them
+}
+rule SEKOIA_Apt_Badmagic_Listfiles_Pshscript : FILE
+{
+ meta:
+ description = "Detects BadMagic ListFiles powershell script"
+ author = "Sekoia.io"
+ id = "55f1c409-234e-4feb-91a3-9bf5c41ec2b8"
+ date = "2023-05-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_listfiles_pshscript.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "4401d31e4b0484776aab51c161a301fc4ee3e944a1669df763bd274014178368"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "$env:USERPROFILE"
+ $ = "-Include *.jpg, *.odt, *.doc, *.docx"
+
+ condition:
+ all of them and filesize < 1KB
+}
+rule SEKOIA_Hacktool_Gtunnel_Strings : FILE
+{
+ meta:
+ description = "Detects Go gTunnel based on strings"
+ author = "Sekoia.io"
+ id = "f20a4400-8ae6-4954-b643-0a8847f037f0"
+ date = "2023-04-24"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_gtunnel_strings.yar#L1-L27"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "76a67f0487fea7b890863bef06a48f665b611f7659eb374cd83cd4be01b812ab"
+ score = 75
+ quality = 55
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $repo = "github.com/hotnops/gTunnel/" ascii fullword
+ $s1 = "common.(*Tunnel).GetControlStream"
+ $s2 = "common.(*Tunnel).handleIngressCtrlMessages"
+ $s3 = "client..inittask"
+ $s4 = "client.file_client_proto_rawDescGZIP."
+ $s5 = "common.(*SocksServer).Start." 
+ $s6 = "client.(*TunnelControlMessage).GetConnectionId"
+ $s7 = "protobuf/reflect/protoreflect.ProtoMessage"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a or uint32be( 0 ) == 0xfeedface or uint32be( 0 ) == 0xfeedfacf or uint32be( 0 ) == 0xcafebabe ) and #repo > 200 or 5 of ( $s* )
+}
+import "pe"
+
+rule SEKOIA_Apt_Mustangpanda_Maliciousdll_Loading_Plugx_Strings
+{
+ meta:
+ description = "Detects MustangPanda malicious DLL"
+ author = "Sekoia.io"
+ id = "2296ac6e-63f5-4cff-aeb7-2c5205e6f559"
+ date = "2023-12-18"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_maliciousdll_loading_plugx_strings.yar#L3-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859"
+ logic_hash = "667901d36585248a891b90ff8ed7006030151fbbbe0d4a85570944a94edba7f8"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "VirtualAlloc"
+ $ = "VirtualFree"
+ $ = "VirtualProtect"
+ $ = "VirtualQuery"
+ $ = "GCC: (MinGW-W64"
+
+ condition:
+ pe.exports( "MsiProvideQualifiedComponentW" ) and all of them
+}
+import "pe"
+
+rule SEKOIA_Plugx_Final_Payload : FILE
+{
+ meta:
+ description = "Detects encrypted plugx config with a specific size"
+ author = "Sekoia.io"
+ id = "a4047324-81a7-4c17-be84-c0fa479d2f89"
+ date = "2023-07-04"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/plugx_final_payload.yar#L3-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = 
"bf5035eb7ed620edcf7a0e8e8be220451ce268fc49310f28059b60576d8c5182"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = {30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 88 13 00 00 60 ea 00 00 ?? ?? ?? ?? 00 00 00 00}
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 8MB and for any i in ( 0 .. pe.number_of_sections -1 ) : ( pe.sections [ i ] . name == ".data" and $s1 in ( pe.sections [ i ] . raw_data_offset..pe.sections [ i ] . raw_data_offset + pe.sections [ i ] . raw_data_size ) )
+}
+rule SEKOIA_Loader_Win_Gcleaner : FILE
+{
+ meta:
+ description = "Detect the GCleaner loader using specific strings"
+ author = "Sekoia.io"
+ id = "0c085da3-ec77-4141-a927-bef1578a6dee"
+ date = "2022-10-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_gcleaner.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f38aaab2911e4e901780bb6df2c58f02fa80d3e39fb56f60072285d0a929ba23"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "G-Cleaner can clean unneeded files, settings, and Registry entries" ascii
+ $str02 = "3. 
Click \"Run G-Cleaner\"" ascii
+ $str03 = "Garbage_Cleaner" ascii
+ $str04 = "GCleaner.Properties" ascii
+ $str05 = "SOFTWARE\\GCleaner\\Install" wide
+ $str06 = "SOFTWARE\\GCleaner\\Trial" wide
+ $str07 = "SOFTWARE\\GCleaner\\License" wide
+ $str08 = "G-Cleaner activation" wide
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 6 of them
+}
+rule SEKOIA_Koiloader_Powershell_Reflective_Loading : FILE
+{
+ meta:
+ description = "Powershell script loading service.exe (related to Koi Loader)"
+ author = "Sekoia.io"
+ id = "9bbe4cea-3e64-4377-bf93-def9fb629734"
+ date = "2024-03-20"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/koiloader_powershell_reflective_loading.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "27deec01027a73129c6c8057eff1b48190c89ac18dcd7c390fc177d82a897290"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "[Byte[]]$image" ascii fullword
+ $s2 = "function GDT"
+ $s3 = "function GPA"
+ $s4 = "GDT @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])"
+ $s5 = "$marshal::GetDelegateForFunctionPointer($CTAddr, $CTDeleg)"
+
+ condition:
+ $s1 at 0 and 4 of them
+}
+import "hash"
+import "pe"
+
+rule SEKOIA_Tool_Win_Blackfly_Proxy_Config : FILE
+{
+ meta:
+ description = "Detect Blackfly proxy configuration tool"
+ author = "Sekoia.io"
+ id = "c8a8be5d-bd28-4306-9466-ad582e53fede"
+ date = "2023-02-28"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_win_blackfly_proxy_config.yar#L4-L29"
+ license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a421d933209f3a81f7430f1b933074701a1fc965c1b4bc321cc7b4e89802f483"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "c:\\ProgramData\\l.dat"
+ $ = "C:\\ProgramData\\b.dat"
+ $ = "winmm_DotNetfile.dll"
+
+ condition:
+ pe.imphash( ) == "ff47f65286cc51a1328bc94efbf4007f" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "f5923d4331f7e84fbbbd6fd84b6d3e6a" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "56acc10233c711a4eba9ca9aeab47e30" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "824dcebe93ac83bf5c95c781a60b3578" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "ec716a08b5e647f5c00c5dfc079dfa62" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "5cb63f7392c9e05c22e89cd86bd7f718" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "ee04e245066e25edd3062d823f15deda" ) or ( uint16( 0 ) == 0x5A4D and 1 of them )
+}
+rule SEKOIA_Apt_Gamaredon_Ddrdoh_Powershell_Backdoor : FILE
+{
+ meta:
+ description = "Detects GAMAREDON's DDRDOH PowerShell Backdoor"
+ author = "Sekoia.io"
+ id = "3413dedd-e3ec-4231-8af7-c7f709ab82d7"
+ date = "2023-01-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_ddrdoh_powershell_backdoor.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "32d088affb65d410b2715fde28227792ea9f406e324de4a2e204e9850f0b81ce"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "hidden iex $env:" ascii wide
+ $ = ".substring(0,4) -eq \"http" ascii wide
+ $ = ".split('!')[1];" ascii wide
+ $ = " -bxor $key[$i % $key.Length]" ascii wide
+ $s = "Filter $fil | Select-Object VolumeSerialNumber" ascii wide
+
+ condition:
+ uint8( 0 ) == 0x24 and 4 of them and filesize < 10KB
+}
+import "hash"
+import "pe"
+
+rule SEKOIA_Apt_Mustang_Panda_Toneins : FILE
+{
+ meta:
+ description = "Detect the TONEINS implant used by Mustang Panda"
+ author = "Sekoia.io"
+ id = "f178217a-ff28-4dd7-9395-f19f3e2e934c"
+ date = "2022-11-28"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustang_panda_toneins.yar#L4-L44"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "b71932f16ffb1d8d1780b6f9b4db2f0c98d1c770829a4d2284e78c19d37e54bb"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $rtti1 = ".?AVDNameNode@@"
+ $rtti2 
= ".?AVcharNode@@"
+ $rtti3 = ".?AVpcharNode@@"
+ $rtti4 = ".?AVpDNameNode@@"
+ $rtti5 = ".?AVDNameStatusNode@@"
+ $rtti6 = ".?AVpairNode@@"
+ $s1 = "DefWindowProcW1222_test" wide ascii
+ $s2 = "schtasks /create /sc minute /mo 2 /tn" wide ascii
+ $fnv_CreateFile = {CE C9 CA BD}
+ $fnv_GetFileSize = {18 81 ED 44}
+ $fnv_ReadFile = {43 C9 FC 54}
+ $fnv_CloseHandle = {65 00 BA FA}
+ $fnv_WriteFile = {4A C4 07 7F}
+ $fnv_CreateEventA = {E2 DD D2 F9}
+ $fnv_TerminateProcess = {59 EE 4E F8}
+ $fnv_GetCurrentProcess = {45 A8 D8 6D}
+ $fnv_CreateProcessA = { 09 0A 7C 4A}
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 4 of ( $rtti* ) and filesize < 8MB and ( for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "69f400d3ff4679294e63fb8a8ca97dbb" ) or ( all of ( $s* ) and 5 of ( $fnv* ) ) )
+}
+rule SEKOIA_Tool_Exploit_Badpotato_Strings : FILE
+{
+ meta:
+ description = "Detects BadPotato compiled exploit"
+ author = "Sekoia.io"
+ id = "079aabbc-6978-4d71-92d2-d2a7ce1cc915"
+ date = "2022-09-09"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_exploit_badpotato_strings.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a45935ea5877a4b81468cbe0e1a4a7232b955771442f84bb3b88b7992ed23937"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "RpcStringBindingCompose failed with status 0x" wide
+ $ = "RpcBindingFromStringBinding failed with status 0x" wide
+ $ = "RpcBindingSetAuthInfoEx failed with status 0x" wide
+ $ = "RpcBindingSetOption failed with status 0x" wide
+ $ = "\\\\.\\pipe\\{0}\\pipe\\spoolss" wide
+ $ = "[*] {0} Success! 
ProcessPid:{1}" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and 5 of them
+}
+rule SEKOIA_Koi_Powershell_Loading_Obfuscatednet
+{
+ meta:
+ description = "Powershell script loading obfuscated .NET Koi module"
+ author = "Sekoia.io"
+ id = "75a7460d-cc28-470e-9841-da8e46ee0101"
+ date = "2024-03-20"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/koi_powershell_loading_obfuscatednet.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "82f30c04474ea77af5169771a2c0e75ba792fd32dc559b8c29172b73ace4ef10"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "# [Net.ServicePointManager]::SecurityProtocol +='tls12'"
+ $s2 = "$binary[$i] = $binary[$i] -bxor $k[$i % $k.Length]"
+ $s3 = "\").Split('|')"
+ $s4 = "$ep.Invoke($null, "
+
+ condition:
+ $s3 and 3 of them
+}
+rule SEKOIA_Apt_Mustangpanda_Malicious_Lnk_Worm : FILE
+{
+ meta:
+ description = "Detects MustangPanda infected ThumbDrive"
+ author = "Sekoia.io"
+ id = "e7cc5ecc-2369-49ff-9e35-c9faeb69acda"
+ date = "2023-09-21"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_malicious_lnk_worm.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "ca19a925af695cbbb41fdfbb161dceafeb8aae6d42000cc09bb07e1dbdfdb9e5"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "RECYCLER.BIN\\1\\CEFHelper.exe" wide
+
+ condition:
+ uint32be( 0 ) == 0x4C000000 and 1 of them
+}
+rule 
SEKOIA_Infostealer_Win_Raccoon_Str_Takemypainback : FILE
+{
+ meta:
+ description = "Detect Raccoon based on specific strings"
+ author = "Sekoia.io"
+ id = "2148636e-47c7-4bf2-8d1e-df68faf65111"
+ date = "2022-10-03"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_raccoon_str_takemypainback.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "50d30828dab7e197619eeac4ebd2ab6692a9ac40a5091e23642cd1bdde8e9910"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str0 = "\\ffcookies.txt" wide
+ $str1 = "TakeMyPainBack" wide
+ $str2 = "wallet.dat" wide
+ $str3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide
+ $str4 = "Network\\Cookies" wide
+
+ condition:
+ uint16( 0 ) == 0x5a4d and 4 of them
+}
+rule SEKOIA_Apt_Oilrig_Maliciousdocument_May2022 : FILE
+{
+ meta:
+ description = "Detects OilRig Malicious Document"
+ author = "Sekoia.io"
+ id = "cb4ab310-e24c-4edc-8804-0c49c30124fb"
+ date = "2022-05-13"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_maliciousdocument_may2022.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "d4aa960d4471ddf66ec6f98a5c883177763771ba9960b749509311a05384d9a7"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "InteractiveToken"
+ $s2 = "Select * From Win32_PingStatus Where Address"
+ $s3 = "She@et1"
+ $s4 = "_VBA_PROJECT" wide
+ $s5 = "This program cannot be run in DOS mode." 
base64
+ $s6 = ".Agent.pdb" base64
+ $s7 = "GetAgentID" base64
+
+ condition:
+ uint32be( 0 ) == 0xD0CF11E0 and 3 of them
+}
+rule SEKOIA_Trojan_Win_Grandoreiro : FILE
+{
+ meta:
+ description = "Finds Grandorerio samples based on the specific strings"
+ author = "Sekoia.io"
+ id = "e48c86a1-e34f-4945-817a-9c85198a77bb"
+ date = "2022-08-24"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/trojan_win_grandoreiro.yar#L1-L26"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "7424478b0cdfe922c2f98bf42e505f22fb0700cfeb54912630ce404c59b05c5e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $mut = "ZTP@11" wide
+ $reg01 = "Software\\Embarcadero\\Locales" wide
+ $reg02 = "Software\\CodeGear\\Locales" wide
+ $reg03 = "Software\\Borland\\Locales" wide
+ $reg04 = "Software\\Borland\\Delphi\\Locale" wide
+ $reg05 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes" wide
+ $str01 = "SELECT * FROM AntiVirusProduct" wide
+ $str02 = "GetTickCount64" wide
+ $str03 = "C:\\Program Files (x86)\\Embarcadero\\Studio\\20.0\\lib\\Clever Internet Suite" wide
+ $str04 = "{43826D1E-E718-42EE-BC55-A1E261C37BFE}" wide
+
+ condition:
+ uint16( 0 ) == 0x5A4D and all of them
+}
+rule SEKOIA_Infostealer_Win_Mars_Stealer_Xor_Routine : FILE
+{
+ meta:
+ description = "Detect Mars Stealer based on a specific XOR routine"
+ author = "Sekoia.io"
+ id = "3e2c7440b2fc9e4b039e6fa8152ac8ff"
+ date = "2022-04-06"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_mars_stealer_xor_routine.yar#L1-L15"
+ license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "c7e65550a225431552e8a81bbce81dd66350021b6444c94fe7a37aa96712e9b1"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $xor = {8b 4d ?? 03 4d ?? 0f be 19 8b 55 ?? 52 e8 ?? ?? ?? ?? 83 c4 ?? 8b c8 8b 45 ?? 33 d2 f7 f1 8b 45 ?? 0f be 0c 10 33 d9 8b 55 ?? 03 55 ?? 88 1a eb be}
+
+ condition:
+ uint16( 0 ) == 0x5A4D and $xor
+}
+rule SEKOIA_Apt_Lazarus_Dangerouspassword_Lnk : FILE
+{
+ meta:
+ description = "Detects Lazarus DangerousPassword LNKs"
+ author = "Sekoia.io"
+ id = "32533880-7f75-4682-a7ae-9868d0b5174b"
+ date = "2022-07-26"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_lazarus_dangerouspassword_lnk.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "79731450c4623f614c55d8c08d879579e21fd38c85d2a288724b6e9470de6e29"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = {6D 00 73 00 68 00 2A}
+ $s2 = {25 00 70 00 75 00 62 00 6C 00 69 00 63 00 25}
+ $s3 = {44 00 4F 00 20 00 73 00 74 00 61 00 72 00 74}
+ $b1 = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 2F 00 62 00 20 00 6D 00 73 00 68 00 74 00 61}
+ $c1 = {68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F 00 62 00 69 00 74 00 2E 00 6C 00 79 00 2F}
+
+ condition:
+ uint32be( 0 ) == 0x4C000000 and filesize > 1KB and filesize < 40MB and ( all of ( $s* ) or $b1 or ( $s1 and $c1 ) )
+}
+rule SEKOIA_Apt_Gamaredon_Lnk : FILE
+{
+ meta:
+ description = "Detects lnk file used by Gamaredon"
+ author = "Sekoia.io"
+ id = "bfa69d84-433c-4f37-93b7-5b1b11677fbb"
+ date = "2024-02-08"
+ modified = "2024-12-19"
+ reference = 
"https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_lnk.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "be73ffca4b88f11e33532cf9a179743508bfa7a60c6f4de98c245b350b5fb910"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "-windowstyle hidden $(gc " wide
+ $s2 = "|out-string)|powershell -noprofile -" wide
+
+ condition:
+ uint32be( 0 ) == 0x4c000000 and any of them and filesize < 100KB
+}
+rule SEKOIA_Apt_Badmagic_Reco_Pshscript : FILE
+{
+ meta:
+ description = "Detects BadMagic Reco powershell script"
+ author = "Sekoia.io"
+ id = "7a1b2d31-03b7-4a43-8f4e-ed38ba8e118e"
+ date = "2023-05-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_reco_pshscript.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "86369267545241f33c6fc7dab11eb06f71641d8e9cd0365ddcc676d4f4c9739b"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "$headers = @{};"
+ $ = "==ARP Cache=="
+ $ = "ipconfig.me"
+ $ = "-ComputerName $env:computername;"
+
+ condition:
+ all of them and filesize < 1KB
+}
+rule SEKOIA_Apt_Sugardump_Credentials_Stealer_Smtp : FILE
+{
+ meta:
+ description = "Detects SUGARDUMP SMTP version"
+ author = "Sekoia.io"
+ id = "bf028ebc-bfaa-45b3-9a3f-8949a5efbb73"
+ date = "2022-08-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sugardump_credentials_stealer_smtp.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "1f423f38ff323e67667e35af5603e608cba6eaf8d98633467b0292c5f81c8d1c"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "<<<<<<<< ------ Passwords Total: {0} --------- >>>>>>>>" wide
+ $ = "Url = {0} , Count = {1}" wide
+ $ = "smtp." wide
+ $ = "encrypted_key\":\"(.*?)\"" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and all of them
+}
+rule SEKOIA_Guloader_Powershell_1 : FILE
+{
+ meta:
+ description = "Powershell downloading decoy and delivering GuLoader"
+ author = "Sekoia.io"
+ id = "28c68991-db8b-4f00-b3a3-17286418a4ed"
+ date = "2024-02-07"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/guloader_powershell_1.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "9fd2d0e31f939e7e96444eaa4802c9c33407c5fb77067670d8ce2d3796199961"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "powershell -win hidden"
+ $s2 = "=iex($"
+ $s3 = ".Replace('"
+ $s4 = "$(Get-ChildItem -Include *.lnk -Name));"
+
+ condition:
+ all of them and filesize < 10KB and #s3 > 3
+}
+rule SEKOIA_Tool_Edrsandblast_Strings : FILE
+{
+ meta:
+ description = "Detects EDRSandblast strings"
+ author = "Sekoia.io"
+ id = "7059b89c-80b5-4768-b3eb-02f173f628b0"
+ date = "2024-01-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_edrsandblast_strings.yar#L1-L29"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "8528c4c440734ba97b98b6e0857d95f38a91eaf9120ba2eacff292c864fb86a5"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "[!] Cred Guard bypass failed: obtained invalid" wide
+ $ = "[!] Cred Guard bypass non fatal error:" wide
+ $ = "[+] Successfully overwrote wdigest's g_fParameter_UseLogonCredential" wide
+ $ = "[!] ERROR: could not allocate memory for the handl" wide
+ $ = "[+] [ProcessProtection] Found the handle of the current" wide
+ $ = "[+] [ProcessProtection] Found self process EPROCCES struct at" wide
+ $ = "ETW Threat Intel ProviderEnableInfo address could not be found." wide
+ $ = "The ETW Threat Intel provider was successfully" wide
+ $ = "[+] [NotifyRountines]" wide
+ $ = "[callback addr: 0x" wide
+ $ = "EDR / security products driver(s)" wide
+ $ = "Object callback offsets not loaded ! Aborting..." wide
+ $ = "No more space to store object callbacks !!" 
wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and 3 of them
+}
+rule SEKOIA_Infostealer_Win_Mars_Stealer_Variant_Llcppc1 : FILE
+{
+ meta:
+ description = "Detect Mars Stealer variand llcppc1"
+ author = "Sekoia.io"
+ id = "3e2c7440b2fc9e4b039e6fa8152ac8fe"
+ date = "2022-03-10"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_mars_stealer_variant_llcppc1.yar#L1-L15"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f9d92338fa31c38648b72d7f9a953201c7e498237bc9d02d6247d1882d1e3432"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $a = {ff 15 ?? ?? ?? ?? 89 45 ?? 6a 14 68 ?? ?? ?? ?? ff 75 ?? e8 23 00 00 00 ff 75 ?? ff 75 ?? ff 75 ?? e8 5c 00 00 00}
+
+ condition:
+ uint16( 0 ) == 0x5A4D and $a
+}
+rule SEKOIA_Guloader_Unpacker_Decoded : FILE
+{
+ meta:
+ description = "GuLoader Unpacker b64 decoded"
+ author = "Sekoia.io"
+ id = "ca3f4fce-b3a1-4672-a2ca-29ea347eb23d"
+ date = "2024-02-07"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/guloader_unpacker_decoded.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "5de4a147b2dea8a144905b7f1786199bfeef3006ac58179409cfd3dcaa116725"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $jumps = {71 01 9b 71 01 9b}
+ $s1 = "([String]$"
+ $s2 = "For($"
+ $s3 = ",[Parameter(Position = 1)] [Type] $"
+
+ condition:
+ filesize < 500KB and @jumps < 1000 and 2 of ( $s* )
+}
+import "pe"
+
+rule SEKOIA_Rat_Win_Nighthawk : FILE
+{
+ 
meta: + description = "Detects Nighthawk RAT" + author = "Sekoia.io" + id = "91bc3c5b-83fd-47f8-9652-df0f6a70b693" + date = "2022-11-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_nighthawk.yar#L3-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9a0c72de5b097f74d3c44586b8355c410470992f37d9a09c5f6db36ad6286d70" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + hash1 = "0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988" + hash2 = "9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8" + hash3 = "38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf" + hash4 = "f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e" + hash5 = "b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94" + classification = "TLP:CLEAR" + + strings: + $pattern1 = { 48 8d 0d ?? ?? ?? ?? 51 5a 48 81 c1 ?? ?? ?? ?? 48 81 c2 ?? ?? ?? ?? 
ff e2 } + $pattern2 = { 66 03 D2 66 33 D1 66 C1 E2 02 66 33 D1 66 23 D0 0F B7 C1 } + + condition: + uint16( 0 ) == 0x5A4D and filesize < 2MB and ( ( 1 of them ) or ( pe.section_index ( ".profile" ) and pe.section_index ( ".detourc" ) ) ) +} +rule SEKOIA_Apt_Cottonsandstorm_Win_Implant : FILE +{ + meta: + description = "Detects a simple win implant used by Cotton Sandstorm" + author = "Sekoia.io" + id = "04a5255c-f9bb-4612-b0e2-ed0326867055" + date = "2024-11-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cottonsandstorm_win_implant.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "f797d71ed07d6e05556300e4ce0f2927" + logic_hash = "dcb25ee236ca52f23cc6bfdbcedcbc6d407e88f06341e684f202a59954733ade" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "DIR =>" wide + $ = "type=machines&md5=" wide + $ = "File =>" wide + $ = "&ip=" wide fullword + $ = "&un=" wide fullword + $ = "&cp=" wide fullword + $ = "myFile\";filename=" ascii + $ = "ifB75BcjsRBhy2et" ascii + + condition: + uint16be( 0 ) == 0x4d5a and 4 of them and filesize < 500KB +} +import "hash" +import "pe" + +rule SEKOIA_Implant_Win_Mysterysnail : FILE +{ + meta: + description = "Detect the MysterySnail using section hashes" + author = "Sekoia.io" + id = "dfd2eba8-eb9c-411a-b5e0-663593453e3d" + date = "2021-10-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_mysterysnail.yar#L4-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"37c02a5916ad7ce3190ce926d576365d1e17fee0f10e9b31619ea4b6fee29ae6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + uint16( 0 ) == 0x5A4D and ( pe.imphash ( ) == "de0c9e6aec27d278ccdb6718b3e96e32" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "a41b6fb1cc34d6393e30c13a58f6ecd4" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "f263a2be76694feab7e2ce79ecf8b724" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "e9056ae96619d7aa18daa973da592afc" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "3e38e89e9e8329f5cff8a7022d88fff7" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "ce78f8599167c63e8f1c8d3e789c4a60" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "456d4f1096bf5c72cd6e1e3eb9980ec6" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "37e2bff637001fc64566fe651757f66e" ) or hash.md5 ( pe.rich_signature.clear_data ) == "e4116fffa240ba6d91b400541ce85182" ) +} +rule SEKOIA_Malware_Valleyrat_1Ststage_Strings : FILE +{ + meta: + description = "Detects ValleyRat 1stage" + author = "Sekoia.io" + id = "6628ba47-37ad-4bdb-bbc0-7286d777000e" + date = "2024-06-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_valleyrat_1ststage_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "78c45b8bd9241646512483d179d48b0e42e97fa1c18d6afd1af4423f7b7ce3c6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "%016llX.DLL" wide + $ = "%s\\%s" wide + $ = "%016llX\\%s" wide + $ = "connection already in progress" + $ = "SleepConditionVariableSRW" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 4MB and all of them +} +rule SEKOIA_Apt_Qnapworm_Loader_May2022 : FILE +{ + meta: + description = "Detects the QNAPWorm loader" + author = "Sekoia.io" + id = "c6e87a55-73ea-4df4-ab61-b5d34968d741" + date = "2022-05-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_qnapworm_loader_may2022.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d31fdaaacd417a4191e79e3a287e84c55109158eaacc789b2129e2ba94e443f6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = { + 66 C1 C0 05 + 0F B7 D8 + 81 C3 85 D0 FF FF + 66 C1 C3 02 + 0F B7 C3 + 0F B6 9A ?? ?? ?? ?? + 33 D8 + 88 1C 11 + 42 + 0F B6 D2 + 81 FA ?? 
00 00 00 + } + + condition: + uint16be( 0 ) == 0x4d5a and all of ( $s* ) +} +rule SEKOIA_Generic_Sharpshooter_Payload_7 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "de8069bb-59d7-4753-974a-f77c4b9e9bae" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_7.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "27b5f3d24f7269e80b628be044d828d365fdba25891a5a1ecc973c419cf1dc6c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "ms.Write(ba, 0, (length / 4) * 3)" + $ = "var serialized_obj = " + $ = "var n = fmt.SurrogateSelector;" + $ = "var o = d.DynamicInvoke(al.ToArray())" + + condition: + all of them and filesize < 2MB +} +rule SEKOIA_Apt_Reaper_2Fa_Phishing_Webpage +{ + meta: + description = "Detects Reaper 2FA phishing webpage" + author = "Sekoia.io" + id = "348ca2ad-c8f9-4aed-8a27-95caa3a34f4b" + date = "2023-03-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_reaper_2fa_phishing_webpage.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3f0ae0b35ea181b4712feeb34e866519921917179297148982e5298df9f133a9" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "setTimeout(checkUpload," + $ = "commChannel.addListener(" + $ = "else if(commType ==" + $ = "?dir=DOWN&method=READ&id=" + $ = "Content : base64_encode(upload_data)" + $ = "$.post(upHttpRelayer" + $ = "var ablyUpData = {" + 
$ = "initComm();" + $ = "function Next(arg) {" + + condition: + 3 of them +} +rule SEKOIA_Ursnif : FILE +{ + meta: + description = "Ursnif Payload" + author = "Sekoia.io" + id = "ac392af3-c344-453c-9427-5bb46223e01c" + date = "2024-12-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ursnif.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fd3c3be5ede0a980b44560cfb9b8c4c1ee322091fa86bc9143f30dc900053c2b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $crypto64_1 = {41 8B 02 ?? C1 [0-1] 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D?} + $crypto64_2 = {44 01 44 24 10 FF C1 41 8B C0 D1 64 24 10 33 C3 41 8B D8 FF 4C 24 10 41 33 C3 01 44 24 10 D3 C8 01 44 24 10 41 89 02 49 83 C2 04 83 C2 FF 75 C3} + $crypto64_3 = {33 C6 ?? C7 [0-1] 49 83 C2 04 33 C3 8B F1 8B CF D3 C8 89 02 48 83 C2 04 41 83 C3 FF 75 ?? 45 85 C9 75 ?? 41 83 E0 03} + $crypto64_4 = {41 8B 02 41 8B CB 41 83 F3 01 33 C3 41 8B 1A C1 E1 03 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 C6} + $decrypt_config64 = {44 8B D9 33 C0 45 33 C9 44 33 1D ?? ?? ?? 00 ?? ?? D2 ?? ?? D2 74 ?? 4C 8D 42 10 45 3B 0A 73 2? 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12} + $crypto32_1 = {01 45 FC D1 65 FC FF 4D FC 33 C1 33 45 0C 01 45 FC 43 8A CB D3 C8 8B CE 01 45 FC 89 02 83 C2 04 FF 4D 08 75 CD} + $crypto32_2 = {33 C1 33 44 24 10 43 8A CB D3 C8 8B CE 89 02 83 C2 04 FF 4C 24 0C 75 D9} + $decrypt_config32 = {8B ?? 08 5? 33 F? 3B [1-2] 74 14 A1 0? ?? ?? ?? 35 ?? ?? ?? ?? 50 8B D? E8 ?? D? 00 00 EB 02 33 C0 ?B ?? ?? ?? ?? ?? ?? ?? 74 14 8D 4D ?? ?? ?? 50 FF D? 
85 C0 74 08} + + condition: + true and uint16( 0 ) == 0x5A4D and ( ( $decrypt_config64 and any of ( $crypto64* ) ) or ( $decrypt_config32 and any of ( $crypto32* ) ) ) +} +rule SEKOIA_Apt_Susp_Apt28_Uac0063_Malicious_Doc : FILE +{ + meta: + description = "Detects some suspected APT28 document" + author = "Sekoia.io" + id = "2b9d597a-a6cd-49df-8938-7103342a1d06" + date = "2024-07-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_susp_apt28_uac0063_malicious_doc.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "93322be0785556e627d2b09832c18e39c115e6a6fbff64b1e590e1ddcf8f6a43" + logic_hash = "27aeadbb76dd4e670a85e8fcd1e885b69845537dd937aacc1808902e75008848" + score = 65 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Sub pop() : : End Sub" ascii fullword + $ = "%localappdata%\\Temp" ascii fullword + $ = "rthedbv" ascii fullword + + condition: + 2 of them and filesize < 1MB +} +rule SEKOIA_Hacktool_Defendercontrol_Strings : FILE +{ + meta: + description = "Detects DefenderControl based on strings" + author = "Sekoia.io" + id = "c6587a46-5f9b-4bf0-9231-9d2505293557" + date = "2022-03-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_defendercontrol_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8372ab6f922471c28b528d908527f52d393cf6e6308d6acad882d6d5862df43c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "www.sordum.org All Rights Reserved." 
wide + $ = "dControl.exe" wide + $ = "By BlueLife" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 600KB and all of them +} +rule SEKOIA_Infostealer_Mac_Realst : FILE +{ + meta: + description = "Finds Realst Stealer samples based on specific strings" + author = "Sekoia.io" + id = "16a89317-c92d-4e13-94d3-a85a915f52e5" + date = "2023-09-11" + modified = "2024-12-19" + reference = "https://iamdeadlyz.gitbook.io/malware-research/july-2023/fake-blockchain-games-deliver-redline-stealer-and-realst-stealer-a-new-macos-infostealer-malware#realst-stealer-macos" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_mac_realst.yar#L1-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "72e694e5c32cbaeb7dff7913fde671619e2c8d892e552546dd1682e38f6804c5" + score = 75 + quality = 30 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str00 = "realst@" ascii + $str01 = "IP:" ascii + $str02 = "OS:" ascii + $str03 = "PC PASSWORD:" ascii + $str04 = "Cookies:" ascii + $str05 = "Wallets:" ascii + $str06 = "Apps:" ascii + $str07 = "USERNAME: ]" ascii + $str08 = "FILENAME:" ascii + $str09 = "multipart/form-data; boundary=" ascii + $str10 = "src/browsers/firefox/modules/decryptors.rs" ascii + $str11 = "{\"event_id\":\"" ascii + $str12 = "..browsers..firefox..modules..data_stealers.." ascii + $str13 = "..browsers..chromium..modules..key_stealers.." ascii + $str14 = "..browsers..firefox..modules..decryptors.." 
ascii + $str15 = "url: , login: , password:" ascii + + condition: + ( uint32( 0 ) == 0xfeedface or uint32( 0 ) == 0xcefaedfe or uint32( 0 ) == 0xfeedfacf or uint32( 0 ) == 0xcffaedfe or uint32( 0 ) == 0xcafebabe or uint32( 0 ) == 0xbebafeca ) and 13 of ( $str* ) +} +rule SEKOIA_Recotool_Adfind_Strings : FILE +{ + meta: + description = "Detects Adfind utility based on strings" + author = "Sekoia.io" + id = "afca88ef-756a-4b2b-91d7-d18d730e7074" + date = "2022-02-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/recotool_adfind_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "cc1e1dceff28136082f19cebc7584ba08c9006b964e37fc3fda91bc0b41906dc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Find all person objects on cn=ab container of local ADAM instance" + $ = "IPv6 IP address w/ port is specified [address]:port" + $ = "Search Global Catalog (port 3268)." 
+ $ = "~~~ADCSV~~~" + $ = "adfind -b dc=" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 5MB and 4 of them +} +rule SEKOIA_Tool_Win_Sharpshares : FILE +{ + meta: + description = "Finds sharpshares EXE based on strings" + author = "Sekoia.io" + id = "ef90d573-12f8-4216-9a9e-96e7d1e841d0" + date = "2024-06-10" + modified = "2024-12-19" + reference = "https://github.com/mitchmoser/SharpShares/releases" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_win_sharpshares.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6aa96d7c24638451bde98497cc7c844c87612d81cc7826113729c80bd5180442" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "b__0" ascii + $str02 = "b__0_0" ascii + $str03 = "get_AccessControlType" ascii + $str04 = "get_IdentityReference" ascii + $str05 = "get_PropertiesToLoad" ascii + $str06 = "SharpShares\\obj\\Release\\SharpShares.pdb" ascii + $str07 = "/filter:SYSVOL,NETLOGON,IPC$,PRINT$" wide + $str08 = "/threads:50 /ldap:servers" wide + $str09 = "SharpShares.exe" ascii wide + $str10 = "[+] LDAP Search Results:" wide + $str11 = "[+] Finished Enumerating Shares" wide + + condition: + uint16( 0 ) == 0x5A4D and 6 of them +} +rule SEKOIA_Apt_Polonium_Megacreep_Strings : FILE +{ + meta: + description = "Tries to detect POLONIUM's MegaCreep implant" + author = "Sekoia.io" + id = "4d62d5bc-2ec9-58ef-bfe7-c0b04fa73b6f" + date = "2022-10-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_polonium_megacreep_strings.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"f4881e15854b082d8e6b8a28a7eb1518c559577b1b3ce76e404d67b1fe723fde" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + orig_id = "927c5fd6-0574-43bf-8db9-6ecc328estrin56c7" + + strings: + $ = "[#!#]" ascii wide + $ = "[$$%$$]" ascii wide + $ = ".e##x##e" ascii wide + $ = "WHLib.dll" ascii wide + $ = "TestService.txt" ascii wide + $ = "X = Stop" ascii wide + $ = "Sess.dll" ascii wide + $ = "filepathOnTarget" ascii wide + $ = "FileNameOnMega" ascii wide + $ = "Missing Parameter.. Format of command:" ascii wide + $ = "Your Old K##E##Y is Wronge" ascii wide + $ = "Your Upgrage Is Success" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 2MB and 3 of them +} +rule SEKOIA_Apt_Badmagic_Installpzz_Pshscript : FILE +{ + meta: + description = "Detects BadMagic InstallPZZ powershell script" + author = "Sekoia.io" + id = "d01bc217-9e14-498b-a92a-17f6aedec269" + date = "2023-05-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_installpzz_pshscript.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "58256cffd1d5060769f304393c22b6488abe9515eb7df2a967ba2fed85a9ec9a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "start-job -ScriptBlock $script;" + $ = "Start-Sleep -Second 1;" + $ = "Write-Output \"$url$j" + $ = "Start-Sleep -Second 2;" + + condition: + all of them and filesize < 1KB +} +rule SEKOIA_Storm_1811_Files_Dat +{ + meta: + description = "Detects files used in a campaign performed by the intrusion set Storm-1811" + author = "Sekoia.io" + id = "8b14f276-0c39-422b-9b19-d96b139a7ae8" + date = "2024-06-10" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/storm_1811_files_dat.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d1d5b76671cefe8b876ca8df50205a04ebbcd973f115919b901f6a7946492904" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "RuntimeBroker" ascii fullword + $s2 = "InstallSpamFilters" ascii fullword + $s3 = "newfile333.txt" ascii fullword + $s4 = "Installing spam filter kb_outlook" ascii fullword + $s5 = "s.zip" ascii fullword + $s6 = "Update completed" ascii fullword + $s7 = "Updates installed" ascii fullword + $s8 = "update_log.tgz uploaded ok" ascii fullword + $s9 = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii fullword + $s10 = "runtimebroker_connect" ascii fullword + + condition: + 5 of them +} +import "dotnet" + +rule SEKOIA_Dotnet_Injector_New_Payload : FILE +{ + meta: + description = "New dotnet injector" + author = "Sekoia.io" + id = "b0a1d471-5381-4fa8-8563-7e72ecd15bed" + date = "2022-12-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/dotnet_injector_new_payload.yar#L3-L30" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8b5e2f6e7947471e10e0ec85eef1cebe1904c2e77b7cfe92e578ebe306041842" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $f1 = "DownloadFile" ascii + $f2 = "StreamReader" ascii + $f3 = "ReadToEnd" ascii + $f4 = "Reverse" ascii + $f5 = "Load" ascii + $f6 = "StringToByteArray" ascii + $s1 = "Admin" wide + $s2 = "User" wide + $p1 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" wide + $p2 = ".lnk" wide + + condition: + filesize < 
300KB and all of ( $f* ) and all of ( $s* ) and all of ( $p* ) and dotnet.is_dotnet +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Ketrum2 +{ + meta: + description = "Detect Ke3chang's Ketrum backdoor version 2" + author = "Sekoia.io" + id = "afcc349a-d44b-4b66-b86f-c62e700fa899" + date = "2022-10-19" + modified = "2024-12-19" + reference = "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_ketrum2.yar#L4-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5317b133337ad333c97bbfa6c9d62aea5fd81f3b570f1d6b1ac93ea82062ef61" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "271384a078f2a2f58e14d7703febae8a28c6e2d7ddb00a3c8d3eead4ea87a0c0" + hash2 = "aa467945dd7b9b095e592fc96384bb385f2c95d00d5424e42bb6ab09827cb0ce" + hash3 = "aacaf0d4729dd6fda2e452be763d209f92d107ecf24d8a341947c545de9b7311" + hash4 = "ac5cb6e17f094068686225075251153e3eb21dc2d1ae744a97ab113cab034a36" + + strings: + $ = "powershell.exe" wide + $ = "cmd.exe" wide + $ = "%s\\adult.sft" wide + $ = "%s\\Notice" wide + $ = "%s\\Message" wide + $ = "\\Microsoft\\Media Player" wide + $ = "Windows\\CurrentVersion\\Explorer\\Shell Folders" wide ascii + $ = "Windows\\CurrentVersion\\Internet Settings" wide ascii + + condition: + all of them and for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . 
length ) == "49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e" ) +} +rule SEKOIA_Unknown_Quad7_Wildcard_Login : FILE +{ + meta: + description = "Detects the (x|r|a)login bind shells" + author = "Sekoia.io" + id = "01510244-0795-4299-aa66-056a2b4682e7" + date = "2024-07-18" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/unknown_quad7_wildcard_login.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "4d9067e7cf517158337123a30a9bd0e3" + hash = "43ea387b8294cc4d0baaef6d26ff7c72" + hash = "777d6f907da38365924a0c2a12e973c5" + hash = "8542a3cbe232fe78baa0882736c61926" + hash = "1b08725acc371f6b7d05bb72d0c2d759" + logic_hash = "72de6fe656313bdd4f4b092ceca7248c67b8047c224104cd569dff7af1d86135" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $string1 = { 2f 62 69 6e 2f 73 68 00 2f 74 6d 70 2f 6c 6f 67 69 6e } + $string2 = { 2f 62 69 6e 2f 73 68 00 2d 63 00 65 78 69 74 20 30 } + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 180KB and @string2 - @string1 < 3400 +} +rule SEKOIA_Apt_Aptk47_Maliciouslnk : FILE +{ + meta: + description = "Detects APT-K-47 malicious LNK" + author = "Sekoia.io" + id = "2ccc8777-26fe-4018-9646-4ea91394fe78" + date = "2024-11-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_aptk47_maliciouslnk.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "6a405d4e88b4acb9706e19a83aad9cf6" + logic_hash = "865bb08f57affb3795853aa3c9f49577efb74df9b32e7760263b9fb08246a3ab" + score = 75 + quality = 80 + tags = "FILE" + 
version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[/c for /f" wide + $ = "2^>nul') do copy" wide + $ = "%F in ('where /r %Temp%" wide + + condition: + uint32be( 0 ) == 0x4c000000 and all of them +} +rule SEKOIA_Tool_Exploit_Comahawk_Strings : FILE +{ + meta: + description = "Detects COMahawk exploit compiled binaries" + author = "Sekoia.io" + id = "cc0d10ae-1a14-48c1-9c45-d65fac15f8f1" + date = "2022-09-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_exploit_comahawk_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a80fed3fd64562dd3e2fa197ca3d2aaf8e33783729b725c71f7eb8931af70d82" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "sc config UsoSvc binpath=" wide + $ = "binpath= \"cmd.exe /c net localgroup administrators /add" + $ = "[+] Command executed." + $ = "Release\\COMahawk.pdb" + $ = " is added as an admin." 
+ + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and 3 of them +} +rule SEKOIA_Apt_Granitetyphoon_Sword2023_Strings : FILE +{ + meta: + description = "Detects Sword2023 malware based on strings" + author = "Sekoia.io" + id = "417b355f-9eb8-40ae-bc3b-f7f23b5ca63e" + date = "2023-05-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_granitetyphoon_sword2023_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8644547f093295eeac30c9040796329a3e2222c06a942d14899545726c8bed78" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "TERM=linux" + $ = ";echo" + $ = "sh:time out" + $ = "sh:read stdout error" + $ = "/proc/sys/kernel/random/uuid" + + condition: + ( uint32be( 0 ) == 0x7f454c46 ) and filesize < 100KB and all of them +} +rule SEKOIA_Backdoor_Powershellempire_Gen : FILE +{ + meta: + description = "Detects EmpirePowershell" + author = "Sekoia.io" + id = "36050a5b-bdca-45cd-8e26-7129fdcbf1e8" + date = "2022-04-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_powershellempire_gen.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "21f255bcfb6da2aa996ed61ff5fb29a9355de6169095f7c3141a1b7f3cea5c2d" + score = 75 + quality = 76 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "%{$J=($J+$S[$_]+$K[$_%$K.COUNt])%256;" nocase wide ascii + $ = "($IV+$K))|IEX" nocase wide ascii + + condition: + all of them and filesize < 1MB +} +rule SEKOIA_Apt_Scanbox_Obfuscated_Versions : FILE +{ + meta: 
+ description = "Detects obfuscated versions of the scanbox framework" + author = "Sekoia.io" + id = "2866cead-7f16-4895-80ef-aad6fb66e864" + date = "2022-09-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_scanbox_obfuscated_versions.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0395d1ac9a593aa8249f6d16c485e431349cecf2f379d2b5bac466541f71968c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$_$_$_$__$_____$__$_$_$_$__$" + $ = "NztCm_NcDkh" + $ = "____$_$__$__$_______w____$_$__$__$_____i____$_$__$__$_____" + $ = "391,379,398,381,386" + $ = "plguinurl" + $ = "plugin_timeout*1000" + + condition: + 2 of them and filesize < 500KB +} +rule SEKOIA_Malware_Sugargh0St_Strings : FILE +{ + meta: + description = "Detects SugarGh0st based on strings" + author = "Sekoia.io" + id = "51930498-b04a-4f13-8d14-ee975a28126e" + date = "2023-12-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_sugargh0st_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b878b5d3b3f62952d79c0ea5811838f4e79302b85f25494e91dc730dec8e1d8d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "%sd.%s /c \"%s\"" wide + $ = "[Num Lock]" wide + $ = "#32770" wide + $ = "]%s (%4d-%02d-%02d %02d:%02d:%02d)" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 100KB and all of them +} +rule SEKOIA_Rat_Win_Babylon : FILE +{ + meta: + description = "Finds Babylon RAT samples based on specific 
strings" + author = "Sekoia.io" + id = "ba9ab80a-ad7e-4746-aff2-9328440cbb25" + date = "2023-08-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_babylon.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "142f10e519561d6552c9cb8d267280b9ede203a2f4723d904ab07217b0565bd1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "ParadoxRAT_Client" ascii + $str02 = "*** in database %s ***" ascii + $str03 = "\\drivers\\etc\\HOSTS" ascii + $str04 = "Babylon RAT Client" wide + $str05 = "ClipBoard.txt" wide + $str06 = "a,ccs=UTF-16LE" wide + $str07 = "[%02d/%02d/%d %02d:%02d:%02d] [%s] (%s):" wide + $str08 = "Update Failed [OpenProcess]..." wide + $str09 = "DoS Already Active..." wide + $str10 = "File Download and Execution Failed..." 
wide + $str11 = "LgDError33x98dGetProcAddress" wide + $str12 = "FriendlyName" wide + $str13 = "@SPYNET" wide + + condition: + uint16( 0 ) == 0x5a4d and 8 of ( $str* ) +} +rule SEKOIA_Malware_Win_Mex : FILE +{ + meta: + description = "Detect the MEX malware" + author = "Sekoia.io" + id = "57fe8525-4bab-4078-ac6f-635f0f7963ec" + date = "2022-07-28" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_win_mex.yar#L1-L57" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1335a212d1af0087cd0e0402f3d6c864d1aafd3df3f1e4bb3851c96c3ff403cb" + score = 75 + quality = 55 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "MEX: In-memory execution of offensive tradecraft (Version:" wide + $ = "Available Options:" wide + $ = "-meh " wide + $ = "-mep " wide + $ = "-mec " wide + $ = "Execution examples:" wide + $ = "mex.exe -mep sharphound" wide + $ = "mex.exe -mep sharphound -mec -arg1" wide + $ = "mex.exe -mep get_version" wide + $ = "mex.exe -mep list_plugins" wide + $ = "Available plugins:" wide + $ = "Payload to execute:" wide + $ = "No payload arguments were provided" wide + $ = "Payload arguments:" wide + $ = "MEX - About to execute payload %s with command line arguments: %s" wide + $ = "MEX - About to execute payload %s with no command line arguments" wide + $ = "Execution of payload %s just finished. Quitting now." wide + $ = "There was a problem executing payload %s. Quitting now." 
wide + $ = "chisel" wide + $ = "enum_script" wide + $ = "eop_script" wide + $ = "mexecatz" wide + $ = "scshell" wide + $ = "shares_script" wide + $ = "internalmonologue" wide + $ = "inveigh" wide + $ = "pingcastle" wide + $ = "rubeus" wide + $ = "seatbelt" wide + $ = "sharpexec" wide + $ = "sharphound3" wide + $ = "spoolsample" wide + $ = "standin" wide + $ = "grouper2" wide + $ = "lockless" wide + $ = "sharpoxidresolver" wide + $ = "sharpprinter" wide + $ = "list_plugins" wide + $ = "get_version" wide + $ = "Current version is %s" wide + $ = "Supported plugins:" wide + + condition: + uint16( 0 ) == 0x5A4D and filesize > 10MB and 15 of them +} +rule SEKOIA_Pe_Stealer_Axilestealer_Strings : FILE +{ + meta: + description = "AxileStealer strings" + author = "Sekoia.io" + id = "412bfc3e-6bb7-4b0d-8bb3-96eae0cc9782" + date = "2023-12-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/pe_stealer_axilestealer_strings.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "829b80c07ed4d9439d66956dbb106aa0cc9961dd2e5c05ffbe6c67e516613590" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "http://ip-api.com/line/?fields=query,country,countryCode,city,regionName,zip,isp" wide + $s2 = "Axile.su" wide + $s3 = "Unknown Tokens.txt" wide + $a1 = "[ General ]" wide + $a2 = "[ Browsers ]" wide + $a3 = "[ Wallets ]" wide + $a4 = "[ Messengers ]" wide + $a5 = "[ Applications ]" wide + $a6 = "[ Games ]" wide + $a7 = "[ Mails ]" wide + $a8 = "[ VPNs ]" wide + $a9 = "[ FTPs ]" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize > 50KB and filesize < 200KB and 2 of ( $s* ) and 7 of ( $a* ) +} +rule SEKOIA_Downloader_Win_Curl_Agent +{ + meta: + description = "Detect the downloader used by 
Bluenoroff to install it CurlAgent" + author = "Sekoia.io" + id = "ddeb2d8f-1b10-4a33-b768-d19412e8551a" + date = "2023-05-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_win_curl_agent.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b34375ec051c969adec82901c1130b0a389261912559d70c652ee826cb2d4107" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "%s\\marcoor.dll" wide + $ = "curl -A cur1-agent -L %s -s -d dl" + $ = "curl -A cur1-agent -L %s -s -d da" + $ = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" wide + $ = "cmd /c timeout /t 10 & Del /f /q \"%s\" & attrib -s -h \"%s\" & rundll32 \"%s\" #1" wide + + condition: + 3 of them +} +rule SEKOIA_Tool_Generic_Python_Reverse_Shell_Strings : FILE +{ + meta: + description = "Detects reverse shell" + author = "Sekoia.io" + id = "5b926d15-4f21-428c-a9fa-ee085a98d42b" + date = "2024-04-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_generic_python_reverse_shell_strings.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "bb4fcef595f4be035815f536786987ac1343727f16c0560a1cb593e854ba8f17" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "import sys,socket,os,pty;" + $ = "[os.dup2(s.fileno(),fd) for fd in (0,1,2)]" + + condition: + all of them and filesize < 1000 +} +rule SEKOIA_Downloader_Mac_Smooth_Operator : FILE +{ + meta: + description = "Detect the Smooth_Operator malware" + author = "Sekoia.io" + id = 
"c132b3f0-f536-4a66-bcf8-2a95c258c414" + date = "2023-07-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_mac_smooth_operator.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "031f766d6ab7d94ed7ba4324d4bdfa3fbc11986fba35487a88a1ee3aba090c82" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "%s/.main_storage" + $ = "%s/UpdateAgent" + + condition: + uint32be( 0 ) == 0xcafebabe and all of them +} +rule SEKOIA_Implant_Win_Geacon : FILE +{ + meta: + description = "Finds Geacon samples based on specific strings" + author = "Sekoia.io" + id = "064eabe0-aee5-4e5e-9f5e-69b32b1ba0da" + date = "2024-01-11" + modified = "2024-12-19" + reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_geacon.yar#L1-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "74b0d2fbb8b7f6666543ba4fdfd9f9d2064d3a89d21c90d794b57f0009199fea" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $gea01 = "geacon/config.init" ascii + $gea02 = "geacon_pro-master/config/config.go" ascii + $gea03 = "geacon_plus-main/config/config.go" ascii + $gea04 = "command type %d is not support by geacon now" ascii + $gea05 = "main/sysinfo.GeaconID" ascii + $str01 = "command.StealToken" ascii + $str02 = "command.MakeToken" ascii + $str03 = "command/misc.go" ascii + $str04 = "config/c2profile.go" ascii + $str05 = "crypt.AesCBCDecrypt" ascii + $str06 = "packet.File_Browse" ascii + $str07 = 
"packet.FirstBlood" ascii + $str08 = "packet.ParseCommandShell" ascii + $str09 = "packet.ParseCommandUpload" ascii + $str10 = "packet.PushResult" ascii + $str11 = "sysinfo.GetComputerName" ascii + $str12 = "sysinfo.IsOSX64" ascii + $str13 = "util..inittask" ascii + + condition: + uint16( 0 ) == 0x5A4D and ( ( 1 of ( $gea* ) and 2 of ( $str* ) ) or 8 of ( $str* ) ) +} +rule SEKOIA_Ransomware_Win_Honkai_Jan2023 : FILE +{ + meta: + description = "Rule to detect Honkai ransomware samples." + author = "Sekoia.io" + id = "6ef91cb5-e122-4f91-bc15-3813b8f91cbf" + date = "2023-02-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_honkai_jan2023.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "19f831f77e043f11b790b7f24e9f585e4986d9af6580bae7c344b7960f2f0965" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "989cf96da60d9ebfb6f364717b4f0cae1667fdc7f9d89f77acc254ab47d439e6" + + strings: + $s1 = "DP_Main.exe" ascii wide + $s2 = "DP_MainForm" ascii wide + $s3 = "DP_Main" ascii wide + $s4 = "#DECRYPT MY FILES#.html" ascii wide + $s5 = "/api/Encrypted.php" ascii wide + $s6 = "http://upload.paradisenewgenshinimpact.top:2095" ascii wide + $s7 = "main@paradisenewgenshinimpact.top" ascii wide + $s8 = ".honkai" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and 6 of them +} +import "pe" + +rule SEKOIA_Stealer_Win_Luca : FILE +{ + meta: + description = "Detect Luca stealer. Open source Rust stealer." 
+ author = "Sekoia.io" + id = "d2cc1442-0ba5-4e81-9fea-e9e078903eed" + date = "2022-07-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/stealer_win_luca.yar#L3-L49" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3694db49d84f92c70c51e4fe6f126fd56b3d7d8ed26619137fd55b0adb97865e" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "cookies" + $ = "creditcards" + $ = "/Default/Network/CookiesUser Data/Default/Network/Cookies_cookies" + $ = "/Default/Web DataUser Data/Default/Web Data_webdata" + $ = "SELECT action_url, username_value, password_value FROM loginsSELECT card_number_encrypted, name_on_card, expiration_month, expiration_year FROM credit_cardsSELECT host_key, name, encrypted_value, path, expires_utc, is_secure FROM cookiesLOCALAPPDATA" + $ = "\\logsxc\\passwords_.txt" + $ = " Name:" + $ = "User: " + $ = "Installed Languages: " + $ = "Operating System: " + $ = "Used/Installed RAM: GB " + $ = "Cores available: " + $ = "\\screen-.png" + $ = "Username: " + $ = "Computer name: " + $ = "OS: " + $ = "Language: " + $ = "Hostname: " + $ = "=> networks: B" + $ = "=> system:total memory: KB" + $ = "used memory : " + $ = "total swap : " + $ = "used swap : " + $ = "NB CPUs: " + $ = "Passwords: " + $ = "Wallets: " + $ = "Files: " + $ = "Credit Cards: " + $ = "sensfiles.zip" + + condition: + uint16( 0 ) == 0x5A4D and filesize > 4000KB and pe.rich_signature.toolid ( 0 , 0 ) and pe.number_of_resources == 0 and 15 of them +} +rule SEKOIA_Stealer_Win_Mgbot_Credential_Stealer : FILE +{ + meta: + description = "Detect MgBot credential stealer plugin" + author = "Sekoia.io" + id = "e06501c1-c842-43f7-a429-9026bc0a4fd4" + date = "2024-03-20" + modified = "2024-12-19" + reference = 
"https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/stealer_win_mgbot_credential_stealer.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "27f1b0ac818753804f0e67ac158d9376ab6beff8613ef94a1aa6cf8dd6815d49" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "174a62201c7e2af67b7ad37bf7935f064a379f169cf257ca16e912a46ecc9841" + hash2 = "cb7d9feda7d8ebfba93ec428d5a8a4382bf58e5a70e4b51eb1938d2691d5d4a5" + + strings: + $ = "Software\\Aerofox\\Foxmail\\Indenties" wide + $ = "Software\\Aerofox\\FoxmailPreview" wide + $ = "IMAP Password" wide + $ = "POP3 Password" wide + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Infostealer_Win_Stealerium : FILE +{ + meta: + description = "Detects Stealerium based on specific strings" + author = "Sekoia.io" + id = "165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5" + date = "2022-12-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_stealerium.yar#L1-L36" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f420848164ad4b6966f2a776a58d90b7d70c8b151a42d6f56b654f1700b5e564" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $stl = "Stealerium" ascii wide + $str01 = "Processe: " wide + $str02 = "Compname: " wide + $str03 = "Language: " wide + $str04 = "SandBoxie: " wide + $str05 = "== System Info ==" wide + $str06 = "== Hardware ==" wide + $str07 = "== Domains ==" wide + $str08 = "WEBCAMS COUNT: " wide + $str09 = "[Virtualization]" 
wide + $str10 = "[Open google maps](" wide + $str11 = "Remember password: " wide + $str12 = "Target.Browsers.Firefox" ascii + $str13 = "Modules.Keylogger" ascii + $str14 = "ClipperAddresses" ascii + $str15 = "ChromiumPswPaths" ascii + $str16 = "DetectedBankingServices" ascii + $str17 = "DetectCryptocurrencyServices" ascii + $str18 = "CheckRemoteDebuggerPresent" ascii + $str19 = "GetConnectedCamerasCount" ascii + $str20 = "costura.discord-webhook-client.dll.compressed" ascii wide + + condition: + uint16( 0 ) == 0x5A4D and filesize > 1MB and ( ( #stl > 5 and 2 of ( $str* ) ) or 15 of ( $str* ) ) +} +rule SEKOIA_Spyware_And_Fastfire : FILE +{ + meta: + description = "Detect the FastFire malware" + author = "Sekoia.io" + id = "93c0ffd5-faa5-4ead-8848-1c44b459dc29" + date = "2022-11-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/spyware_and_fastfire.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "2600fc0a8fc6279936decf80256be1fc8cb581a59ef6646fe48b5885e104365e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $funct1 = {22 00 87 18 70 20 f3 ae 40 00 6e 10 f4 ae 00 00 0c 04 1f 04 16 19 13 00 28 23 6e 20 e3 ae 04 00 12 10 6e 20 e5 ae 04 00 1a 00 25 19 6e 20 ea ae 04 00 28 05 0d 00 6e 10 ef ae 00 00 6e 10 da ae 04 00 6e 10 e1 ae 04 00 0a 00 13 01 c8 00 32 10 20 00 1c 00 ea 17 6e 10 73 ad 00 00 0c 00 22 01 60 18 70 10 5d ae 01 00 1a 02 ff 50 6e 20 69 ae 21 00 6e 10 e1 ae 04 00 0a 04 6e 20 64 ae 41 00 6e 10 72 ae 01 00 0c 04 71 20 1d 09 40 00} + $funct2 = {22 00 77 00 1a 01 88 56 70 20 f1 02 10 00 15 01 00 10 6e 20 f4 02 10 00 1a 01 80 8d 6e 20 32 ae 13 00 0a 01 38 01 0b 00 1a 01 25 76 71 10 b3 06 01 00 0c 01 6e 20 22 03 10 00 1a 01 56 61 6e 20 32 ae 13 00 0a 01 38 01 0b 00 1a 
01 23 76 71 10 b3 06 01 00 0c 01 6e 20 22 03 10 00 1a 01 55 66 6e 20 32 ae 13 00 0a 03 38 03 0b 00 1a 03 24 76 71 10 b3 06 03 00 0c 03 6e 20 22 03 30 00 13 03 64 00 15 01 00 08 71 40 07 02 32 10 0c 03 11 03} + $s0 = "TokenResult{token=" + $s1 = "[-] Send Resp Code =" + $s2 = "/report_token/report_token.php?token=" + $s3 = "naver" + $s4 = "daum" + $s5 = "facebook" + + condition: + uint32be( 0 ) == 0x6465780A and ( 1 of ( $funct* ) or all of ( $s* ) ) +} +rule SEKOIA_Tool_Cheat_Engine : FILE +{ + meta: + description = "Detects Cheat Engine driver" + author = "Sekoia.io" + id = "51d4246c-f7a1-4589-8f97-bd85d1fe4a0e" + date = "2024-07-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_cheat_engine.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "2a70016be13c4eff7f7381fd0e34c345c95f09d4cd8b754ea68d59adfe3fe4b6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "ObOpenObjectByName" wide + $s2 = "PsGetProcessImageFileName" wide + $s3 = "PsRemoveCreateThreadNotifyRoutine" wide + $s4 = "PsSuspendProcess" wide + $s5 = "PsResumeProcess" wide + $s6 = "\\device\\physicalmemory" wide + $log = "%sCPU%d.trace" wide + $ioctl_code = {04 E1 22 00} + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 200KB and all of them +} +rule SEKOIA_Apt_Cerana_Keeper_Dropboxflop : FILE +{ + meta: + description = "Detects DropboxFlop malware" + author = "Sekoia.io" + id = "e077901f-3847-45f3-82cb-d52724cd3fb5" + date = "2024-10-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cerana_keeper_dropboxflop.yar#L1-L17" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "2b65b74e52fbf25cb400dbdfcd1a06a7" + logic_hash = "5b2dfdf0c35f574e7006bb3e6eafa10d0e7fc7d980d443b31d4d6d6b7cec2fce" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = " 60KB and filesize < 120KB +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Winordll64 +{ + meta: + description = "Detect the WinorDLL64 backdoor" + author = "Sekoia.io" + id = "86a32538-bc69-47ea-9842-4af360588c27" + date = "2023-02-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_winordll64.yar#L4-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "30e6f01f30d6ef11c75e133d309cebc87b69ede8eb38aa14d237760e99b52c54" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + hash.md5( pe.rich_signature.clear_data ) == "d16713cbfe04151b3a9e832c8afd55df" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "3f638774c2565594029fb52ceb67db7a" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "f9416bfb43b2c70837927e43e7591a2a" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "6eede2cebaef39eec5bd1c24c809e3dc" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "1177658fb0469cd5982102c9f3cd2eea" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "658d877d1bf0d2928b2c3efec9ec06cf" ) or pe.imphash ( ) == "d6b6f8cdffb06f469e06c7af9639897c" +} +rule SEKOIA_Backdoor_Mul_Sparkrat : FILE +{ + meta: + description = "Detect SparkRAT using string found in the source code" + author = "Sekoia.io" + id = "cd818207-f8ec-41fa-abef-c29d481c7897" + date = "2023-01-30" + modified = "2024-12-19" + reference = "https://github.com/XZB-1248/Spark" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_mul_sparkrat.yar#L1-L59" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "377fc647e9a7ee6d5ad69370d5a2264302215401417951432f904c25e26169b9" + score = 75 + quality = 55 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "2006/01/02 15:04:05" wide ascii + $ = "can not find secret header" wide ascii + $ = "${i18n|COMMON.UNKNOWN_ERROR}" wide ascii + $ = "/api/client/update" wide ascii + $ = "application/octet-stream" wide ascii + $ = "${i18n|COMMON.OPERATION_NOT_SUPPORTED}" wide ascii + $ = "no IP address found" wide ascii + $ = "failed to read network io counters" wide ascii + $ = "failed to read cpu info" wide ascii + $ = "PING" wide ascii + $ = "OFFLINE" wide ascii + $ = "LOCK" wide ascii + $ = "LOGOFF" wide ascii + $ = "HIBERNATE" wide ascii + $ = "SUSPEND" wide ascii + $ = "RESTART" wide ascii + $ = "SHUTDOWN" wide ascii + $ = "SCREENSHOT" wide ascii + $ = "TERMINAL_INIT" wide ascii + $ = "TERMINAL_INPUT" wide ascii + $ = "TERMINAL_RESIZE" wide ascii + $ = "TERMINAL_PING" wide ascii + $ = "TERMINAL_KILL" wide ascii + $ = "FILES_LIST" wide ascii + $ = "FILES_FETCH" wide ascii + $ = "FILES_REMOVE" wide ascii + $ = "FILES_UPLOAD" wide ascii + $ = "FILE_UPLOAD_TEXT" wide ascii + $ = "PROCESSES_LIST" wide ascii + $ = "PROCESS_KILL" wide ascii + $ = "DESKTOP_INIT" wide ascii + $ = "DESKTOP_PING" wide ascii + $ = "DESKTOP_KILL" wide ascii + 
$ = "DESKTOP_SHOT" wide ascii + $ = "COMMAND_EXEC" wide ascii + $ = "DEVICE_UPDATE" wide ascii + $ = "${i18n|COMMON.INVALID_PARAMETER}" wide ascii + $ = "${i18n|EXPLORER.FILE_OR_DIR_NOT_EXIST}" wide ascii + $ = "SPARK COMMIT: " wide ascii + $ = "${i18n|COMMON.DISCONNECTED}" wide ascii + $ = "${i18n|DESKTOP.NO_DISPLAY_FOUND}" wide ascii + $ = "/api/bridge/push" wide ascii + $ = "${i18n|COMMON.OPERATION_NOT_SUPPORTED}" wide ascii + + condition: + 17 of them and filesize > 4MB +} +import "pe" + +rule SEKOIA_Infostealer_Win_Aurora_Str : FILE +{ + meta: + description = "Finds Aurora botnet samples based on characteristic strings." + author = "Sekoia.io" + id = "1f4391b8-700f-4702-9ef6-68ce3d55a176" + date = "2022-07-21" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_aurora_str.yar#L3-L34" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "745443bb58f00cb09a1f323f530219913eaaf0d0e71c9a25af2072006f8c5f92" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Logs.tar" ascii + $str02 = "*main.StealerData" ascii + $str03 = "AppData\\Roaming\\Armory" ascii + $str04 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" ascii + $str05 = "github.com/TheTitanrain/w32" ascii + $str06 = "github.com/mattn/go-sqlite3" ascii + $str07 = "ScreenShot" ascii + $str08 = "*sql.stmtConnGrabber" ascii + $str09 = "Default\\Network\\Cookies" ascii + $str10 = "BuildID" ascii + $str11 = "Clipper" ascii + $str12 = "GeoPos" ascii + $str13 = "AppData\\Roaming\\Exodus\\exodus.wallet" ascii + $str14 = "FileGrabber\\Documents" ascii + $str15 = "193.233.48." 
ascii + $str16 = "ShellExecute" ascii + $str17 = "crypto/aes.(*aesCipherGCM).Encrypt" ascii + $str18 = "File-Download" ascii + + condition: + uint16( 0 ) == 0x5A4D and ( 14 of them or pe.imphash ( ) == "8ee5c1c09f740fbe63e8b35dac5d6f70" or pe.imphash ( ) == "369b4f5b6c99674f15070689e1f675af" ) +} +rule SEKOIA_Apt_Kimsuky_Toddlershark_Obfuscated : FILE +{ + meta: + description = "Detects obfuscated version of Kimsuky TODDLERSHARK vbs malware" + author = "Sekoia.io" + id = "9ab82466-4f38-4597-b75b-13252e180c70" + date = "2024-03-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_toddlershark_obfuscated.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5f067ce32e7fee5cf481d82bb98f4ae10bd7187078bc111b08fc58d043954152" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = { 3a 20 [3-10] 20 3d 20 22 [3-30] 22 3a } + $s2 = { 45 78 65 63 75 74 65 28 [3-15] 28 22 } + $s3 = { 50 72 69 76 61 74 65 20 46 75 6e 63 74 69 6f 6e 20 [3-15] 28 42 79 56 61 6c 20 [3-15] 29 3a } + $s4 = "& Chr(\"&H\" & Mid(" + + condition: + #s4== 1 and #s3 == 1 and #s2 == 1 and #s1 > 20 and filesize < 1MB +} +rule SEKOIA_Apt_Spynote_Android_Dex_Strings : FILE +{ + meta: + description = "Detects Android SpyNote DEX file" + author = "Sekoia.io" + id = "87fb8b7a-bfac-4003-b618-50b4a7863928" + date = "2022-08-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_spynote_android_dex_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"474617628afe110d9e7ea2acef57c5e560139b57aa7e497bf9e111af239e9588" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "is not file found" + $ = "Can not access" + $ = "PANG !!" + $ = "On Start!!" + + condition: + uint32be( 0 ) == 0x6465780A and filesize < 1MB and all of them +} +rule SEKOIA_Tinyfluff_Nodejs : FILE +{ + meta: + description = "Detect TinyFluff backdoor by OldGremlin" + author = "Sekoia.io" + id = "ca8cbd90-f275-4442-8354-b8b069e2efc3" + date = "2022-04-20" + modified = "2024-12-19" + reference = "https://blog.group-ib.com/oldgremlin_comeback" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tinyfluff_nodejs.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "bd0a6a3628f268a37ac9d708d03f57feef5ed55e" + hash = "bd0a6a3628f268a37ac9d708d03f57feef5ed55e" + logic_hash = "7fa07b6ea32b914887bdcada0f9fda086bc29a44bfdf27e7433ef589192f4b82" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "TinyFluff.pdb" fullword ascii + $s2 = "node.exe" fullword wide + + condition: + filesize < 500KB and uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Apt_Apt29_Wineloader_Malicious_Pdf : FILE +{ + meta: + description = "Detects malicious PDF used by APT29 to drop Wineloader" + author = "Sekoia.io" + id = "b1db731e-471e-493a-b76c-38d2808ccac9" + date = "2024-03-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt29_wineloader_malicious_pdf.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "9712217ff3597468b48cdf45da588005de3a725ba554789bb7e5ae1b0f7c02a7" + hash = 
"3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9" + logic_hash = "784f5ab2602e2185e8253b5b8d9a084ede0604457b0a0674fceffbcb226e3ba1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "< 3MB and filesize < 4MB and 4 of them +} +rule SEKOIA_Apt_Mustangpanda_Tonedrop : FILE +{ + meta: + description = "TONEDROP strings" + author = "Sekoia.io" + id = "39df631c-5766-4804-838f-6c9b800c0cc9" + date = "2023-06-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_tonedrop.yar#L1-L43" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "97f9138810fbc56fa1cab671865b3234f63fcd0f9a15ba012dfe76e86c6dbd48" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $window1 = "PROCMON_WINDOW_CLASS" ascii wide + $window2 = "OLLYDBG" ascii wide + $window3 = "WinDbgFrameClass" ascii wide + $window4 = "OllyDbg - [CPU]" ascii wide + $window5 = "Immunity Debugger - [CPU]" ascii wide + $errormsg1 = "Unable to open file %s for writing" ascii wide + $proc_01 = "cheatengine-x86_64.exe" ascii wide + $proc_02 = "ollydbg.exe" ascii wide + $proc_03 = "ida.exe" ascii wide + $proc_04 = "ida64.exe" ascii wide + $proc_05 = "radare2.exe" ascii wide + $proc_06 = "x64dbg.exe" ascii wide + $proc_07 = "procmon.exe" ascii wide + $proc_08 = "procmon64.exe" ascii wide + $proc_09 = "procexp.exe" ascii wide + $proc_10 = "processhacker.exe" ascii wide + $proc_11 = "pestudio.exe" ascii wide + $proc_12 = "systracerx32.exe" ascii wide + $proc_13 = "fiddler.exe" ascii wide + $proc_14 = "tcpview.exe" ascii wide + $opcodes_check_PEsize = {C7 85 94 FD FF FF 2C 02} + $opcodes_ShellExecute_1 = {C7 45 BC 53 68 65 6C} + $opcodes_ShellExecute_2 = {C7 45 C0 6C 45 
78 65} + $opcodes_ShellExecute_3 = {C7 45 C4 63 75 74 65} + $opcodes_ShellExecute_4 = {66 C7 45 C8 41 00} + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 8MB and 3 of ( $window* ) and $errormsg1 and 10 of ( $proc_* ) and 3 of ( $opcodes* ) +} +rule SEKOIA_Apt_Tealkurma_Snappytcp_Strings : FILE +{ + meta: + description = "Detects TealKurma SnappyTCP shell script" + author = "Sekoia.io" + id = "6bbee6d6-f490-4550-bd61-a643f93a8788" + date = "2023-12-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_tealkurma_snappytcp_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b91adef3332850d952cace104fc05e1b09e6175a27ae991905defc46de608e88" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "#!/bin/bash" ascii + $s2 = "2>&1>/dev/null&" ascii + $s3 = "PATH=$PATH:$PWD;" ascii + + condition: + $s1 at 0 and $s2 at filesize -16 and $s3 and filesize < 300 +} +rule SEKOIA_Apt_Andariel_Siennablue : FILE +{ + meta: + description = "Detects SiennaBlue based routine names" + author = "Sekoia.io" + id = "ab3f8b49-0851-47a8-ac77-98d4e26f448e" + date = "2023-11-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_andariel_siennablue.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0876deb2e76098ac8d304737243d3a76e9741b2ca1570034bec51fea5a40818d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "main_cryptAVPass" + $ = "main_DecryptString" + 
$ = "main_DisableNetworkDevice" + $ = "main_DeleteSchTask" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize > 4MB and filesize < 15MB and all of them +} +rule SEKOIA_Apt_Apt37_Chinotto_Powershell_Variant +{ + meta: + description = "Detects APT37 Chinotto Powershell Variant" + author = "Sekoia.io" + id = "fa42b225-58fe-4e00-b84b-df37491d8fdd" + date = "2023-03-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt37_chinotto_powershell_variant.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b4d17467f15d52bd615e335fa8bc31381ec273b67dabb74655f47179f04f631f" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$env:COMPUTERNAME + '-' + $env:USERNAME;" ascii wide + $ = "while($true -eq $true)" ascii wide + $ = "Start-Sleep -Seconds" ascii wide + $ = " -ne 'null' -and $" ascii wide + $ = "= 'R=' + [System.Convert]::" ascii wide + $ = "[string]$([char]0x0D) + [string]$([char]0x0A);" ascii wide + + condition: + 4 of them +} +rule SEKOIA_Killfloor_Avkiller_Strings : FILE +{ + meta: + description = "Kill-Floor strings" + author = "Sekoia.io" + id = "ae6908c3-27d4-4d2c-af21-a9548dfcd487" + date = "2024-10-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/killfloor_avkiller_strings.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "9f16176ac20f7855fa960d321e156d69" + hash = "4b019e9ed2de734e242602abce06f7c1" + hash = "81ae32d9de8fd21acfc61d62f3292277" + hash = "7cb2c4560e02c25463ec70e222ad0018" + logic_hash = 
"e89d0936612104f98b7f56dca09702f31f07868f239c2d11dd738e015e757b3a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "sc create aswArPot.sys type=kernel binpath=%s" ascii + $ = "sc start aswArPot.sys" ascii + $ = "[*] Enumerating target processes" ascii + $ = "[*] Entering main loop... " ascii + $ = "aswArPot.pdb" ascii + $ = "SeConvertStringSecurityDescriptorToSecurityDescriptor" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and filesize > 20KB and 6 of them +} +rule SEKOIA_Apt_Apt_K_47_Walkershell : FILE +{ + meta: + description = "Detects WalkerShell used by APT-K-47" + author = "Sekoia.io" + id = "201f8415-32d4-4af1-ba80-734554ced728" + date = "2024-02-14" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt_k_47_walkershell.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0dffd8e4d6c244a4faea0f8b8cda1e544a732ad9982e7963b21d5f71080f8f5d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "\\n kuskure" ascii wide + $s2 = "col.log.txt" ascii wide + $s3 = "polor" ascii wide + $s4 = "emit" ascii wide + $s5 = "delta" ascii wide + $s6 = "under process" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 4MB and all of them +} +rule SEKOIA_Infostealer_Win_Fwit_Strings : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "332e89ad-d1fe-4da6-9354-0978ef173e78" + date = "2023-06-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_fwit_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "4e28b6d67e2087b2f28817b19812b8bd56227175cd3d9c7037290127d4ec05a5" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "C:\\ProgramData\\Temp" wide + $s2 = "{:08x}" wide + $s3 = "CURL_SSLVERSION" ascii + + condition: + ( uint16be( 0 ) == 0x4d5a ) and all of them +} +rule SEKOIA_Apt_Apt41_Javascript_Dropper : FILE +{ + meta: + description = "Detects Earth Lusca JS dropper" + author = "Sekoia.io" + id = "fde70806-af50-4706-9daf-d39ad0564fc7" + date = "2024-02-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt41_javascript_dropper.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "3e34af7141e41044c3d3e099e8b8deafc7441ea47ccbd8af7ffe686f10bb18a2" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "eval(function(p, a, c, k, e, r) {" + $s2 = "|4d53" + $s3 = "ActiveXObject" + $x1 = " -F:* %1%" + $x2 = "&I /r c:\\" + $x3 = "ActiveXObject" + + condition: + filesize < 2MB and ( all of ( $s* ) or all of ( $x* ) ) +} +rule SEKOIA_Win_Malware_Statc_Downloader : FILE +{ + meta: + description = "Statc Downloader powershell script. 
Base64 powershell" + author = "Sekoia.io" + id = "4a2e9607-635b-4cd8-ba27-d70e0c76fd45" + date = "2023-08-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/win_malware_statc_downloader.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "173ea5af2e71b6ed70abd52a5d2f4de040393a6d2ff4978bbb6e73d96742b010" + logic_hash = "a99970a6ace88234e5e2bda009f8d87e6a0dc8c1a4655cca128e30292a21502c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $powershell = "powershell.exe" + $a1 = "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8A" + $a2 = "gATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwAHMAOgAvA" + $a3 = "oAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAZgBpAGwAZQAoACIAaAB0AHQAcABzADoALw" + $b1 = "aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAAIgAkAGUAbgB2ADoAVABFAE0AUABc" + $b2 = "kAbgB2AG8AawBlAC0AZQB4AHAAcgBlAHMAcwBpAG8AbgAgACIAJABlAG4AdgA6AFQARQBNAFAAX" + $b3 = "pAG4AdgBvAGsAZQAtAGUAeABwAHIAZQBzAHMAaQBvAG4AIAAiACQAZQBuAHYAOgBUAEUATQBQAF" + $c1 = "MQAgADEAIgA7ACAAIgBPAEsAIgA7" + $c2 = "EAIAAxACIAOwAgACIATwBLACIAO" + $c3 = "xACAAMQAiADsAIAAiAE8ASwAiAD" + + condition: + $powershell at 0 and 1 of ( $a* ) and 1 of ( $b* ) and 1 of ( $c* ) and filesize < 1MB +} +rule SEKOIA_Apt_Muddywater_Powgoop_Decoded : FILE +{ + meta: + description = "Detects decoded PowGoop malware" + author = "Sekoia.io" + id = "194cb9ef-da96-42b6-a3b5-b0aee7495f2c" + date = "2022-01-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_powgoop_decoded.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6654d8107bb2ad6344f1fa03c6525ed9a0b8e49627787355efe857e80a02eca4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $h1 = "[System.Net.WebRequest]::Create(" ascii wide + $h2 = "Headers.Add('Authorization'" ascii wide + $h3 = "Headers.Add('Cookie',('value=' + $ec + ';')" ascii wide + $h4 = ".GetResponse()" ascii wide + $h5 = "GetResponseStream()" ascii wide + $c1 = "return (65..90) + (97..122) | Get-Random -Count" ascii wide + $c2 = "% {[char]$_}" ascii wide + + condition: + filesize > 1KB and filesize < 1MB and ( $h2 in ( @h1 .. @h5 ) and $h3 in ( @h1 .. @h5 ) and $h4 in ( @h1 .. @h5 ) ) or ( $c2 in ( @c1 .. @c1 + 50 ) ) and true +} +rule SEKOIA_Webshell_Wso_Webshell_Strings +{ + meta: + description = "Detects the WSO webshells" + author = "Sekoia.io" + id = "84340792-73a4-4d61-9957-6cfa1f6444a7" + date = "2022-04-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/webshell_wso_webshell_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "4d6966a34dc8e7390913857144da106affea14668d1c2c11a05be62a6e625c8f" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "decrypt($str,$pwd){$pwd=base64_encode($pwd);" + $ = "prototype(md5($_SERVER['HTTP_HOST'])" + $ = "$_COOKIE[md5($_SERVER['HTTP_HOST'])." + $ = "set(a,c,p1,p2,p3,charset)" + $ = "(($p & 0x0008) ? 
(($p & 0x0400)" + $ = "gcc','lcc','cc','ld','make','php" + + condition: + 3 of them +} +rule SEKOIA_Apt_Kimsuky_Klogexe : FILE +{ + meta: + description = "Detects KLogExe, a keylogger used by Kimsuky" + author = "Sekoia.io" + id = "f6e3b1a5-43b6-4dac-83c2-a365c41de38d" + date = "2024-09-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_klogexe.yar#L1-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "e1d683ee1746c08c5fff1c4c2b3b02f0" + hash = "90946c6358eacd119fe1eb36ec7a0a18" + hash = "9760f489a390665b5e7854429b550c83" + logic_hash = "4b616908ceacd85c5d8b527cd1a718082c709071dc1fa9c9ccc96e71dc4e7449" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $event = "Norton_BreakHelper" ascii wide + $log = "------ %d/%d/%d : %d/%d ------" ascii wide + $keylog_1 = "[RM+]" + $keylog_2 = "[Tab+]" + $keylog_3 = "[Home+]" + $keylog_4 = "[End+]" + $keylog_5 = "[clip_s]: %s " + $keylog_6 = "%s[Too many clip_tail]" + $keylog_7 = "%s[F%d]" + $user_agent = "Chrome/31.0." 
wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 600KB and 8 of them +} +rule SEKOIA_Apt_Gamaredon_Flash_Infostealer : FILE +{ + meta: + description = "Detects the Gamaredon's Flash InfoStealer" + author = "Sekoia.io" + id = "f060fe4b-74fd-4ef3-ac86-916e2113ff24" + date = "2023-01-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_flash_infostealer.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5a3ee8c2c3c377bea7de1993e5ef744796130643575bcce1b6181d68190aafb7" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $a1 = "Content-Type: multipart/form-data; boundary=----%s" ascii + $a2 = "Content-Disposition: form-data; name=\"p\"" ascii + $a3 = "Content-Type: application/octet-stream" + $w1 = "%s||%s||%s||%s" wide + $w2 = "Pragma: no-cache" wide + $w3 = { 64 00 6F 00 63 00 00 00 00 00 2E 00 64 00 6F 00 63 00 78 00 } + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 500KB and 2 of ( $a* ) and 2 of ( $w* ) +} +rule SEKOIA_Apt_Aptc36_Vbs_Maldoc : FILE +{ + meta: + description = "Find VBS file used by the threat actor APT-C-36" + author = "Sekoia.io" + id = "f0ca061f-e94b-4f70-bbd1-8a15193652d3" + date = "2022-02-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_aptc36_vbs_maldoc.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "cf448731378e97d740d42aa19d1bb81330c3998f07e94ce57bd8d82fc39c6428" + score = 75 + quality = 51 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $dim = "dim " 
wide ascii + $hea = "::::::::::::::::::::::::::::::::::::::::::::::::" wide ascii + $str0 = "update" wide ascii nocase + $str1 = "On Error Resume Next" wide ascii + $str2 = "CreateObject" wide ascii + $str3 = "WScript" wide ascii + + condition: + #dim> 5 and #hea > 10 and 2 of ( $str* ) and filesize > 10KB and filesize < 1MB +} +rule SEKOIA_Apt_Cloudatlas_Powertunnel_Loader +{ + meta: + description = "Detects the Powershell loader of the PowerTunnel dll" + author = "Sekoia.io" + id = "f2333b8a-99e9-4f28-b0d8-4f7dc4c648c5" + date = "2022-11-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_powertunnel_loader.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "742374ad22d9333ef071fe95058f28ae00325cca833b557481ef5d453b3a4977" + score = 75 + quality = 55 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "New-Object System.IO.Compression.GzipStream(" ascii fullword + $ = "[System.Reflection.Assembly]::Load(" + $ = ".ReadBytes(" + $ = ".Service]::StartMain" + + condition: + uint8be( 0 ) == 0x24 and all of them +} +rule SEKOIA_Apt_Mustangpanda_Zpakage : FILE +{ + meta: + description = "Detect obfuscation seen in ZPAKAGE" + author = "Sekoia.io" + id = "a4767d12-5058-4a26-be62-0cec685917bd" + date = "2023-03-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_zpakage.yar#L1-L31" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "711c0e83f4e626a7b54e3948b281a71915a056c5341c8f509ecba535bc199bee" + logic_hash = 
"52ad51589ca154fbf6e5829a2c80a9b811809288bed6995820a0ca8aa218d8ef" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $chunk_1 = { + 88 94 1D ?? ?? ?? ?? + 8A 84 1D ?? ?? ?? ?? + 83 ?? ?? + 88 84 1D ?? ?? ?? ?? + 8A 84 1D ?? ?? ?? ?? + 83 ?? ?? + 88 84 1D ?? ?? ?? ?? + 8A 84 1D ?? ?? ?? ?? + 83 ?? ?? + 88 84 1D ?? ?? ?? ?? + 0F BE 8C 1D ?? ?? ?? ?? + 0F BE 84 1D ?? ?? ?? ?? + } + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 1MB and filesize < 11MB and #chunk_1 > 20 +} +rule SEKOIA_Tool_Rathole_Strings : FILE +{ + meta: + description = "Detects RATHole based on strings" + author = "Sekoia.io" + id = "39d11285-a3bf-46c3-901d-ab46601a9066" + date = "2024-05-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_rathole_strings.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f7c42328a38b2c101ea2d179b6adf9cf3d842d9e1c91e85fc6e684ee4f82458f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "rathole\\src\\" ascii + $ = "\\\\?\\\\\\?\\UNC\\" wide + $ = "rathole::" ascii + $ = "src/server.rs" + $ = "`[server]` or `[client]" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a or uint32be( 0 ) == 0xfeedface or uint32be( 0 ) == 0xfeedfacf or uint32be( 0 ) == 0xcafebabe or uint32be( 0 ) == 0xCFFAEDFE ) and 3 of them +} +rule SEKOIA_Apt_Unk_Hrserv_Memory_Commands_Strings +{ + meta: + description = "Detects HrServ web shell memory commands" + author = "Sekoia.io" + id = "1b5f442a-e758-4bd5-a612-8b504a542d29" + date = "2023-11-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_unk_hrserv_memory_commands_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a87c35658ded301c098f9ee8ee5886a54e89537eabd145cf82b0286c703a77d2" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "list all the process" ascii wide + $ = "equal with cmd /c tasklist" ascii wide + $ = "start target service by name" ascii wide + $ = "query local process information by wmi." ascii wide + $ = "upload local shellcode to" ascii wide + + condition: + all of them +} +rule SEKOIA_Apt_Boldmove_Strings : FILE +{ + meta: + description = "Detects BOLDMOVE via strings" + author = "Sekoia.io" + id = "0458e282-f92f-4600-964a-de6b66b4a82d" + date = "2023-01-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_boldmove_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "71649451b88629da1779c0856b2f1f60f87501962c69556f7943b049688a2d96" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "cwd=%s" ascii wide + $s2 = "executable=%s" ascii wide + $s3 = "curl/6.12.34" ascii wide + $s4 = "www.example.com" ascii wide + $s5 = "GET /ws HTTP/1.1" ascii wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 4MB and 4 of them +} +rule SEKOIA_Rootkit_Win_Purplefox_360_Tct : FILE +{ + meta: + description = "Detects Purple Fox payloads used during end-2021 and 2022 campaigns based on characteristics shared by TrendMicro details." 
+ author = "Sekoia.io" + id = "e992d574-6a44-4bea-97e2-6d5579ce8d01" + date = "2022-03-28" + modified = "2024-12-19" + reference = "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rootkit_win_purplefox_360_tct.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6b4ca65bc05ea1e8036140a62b94c8b75afe30a5e37cae9a5ae2a9c828cd6275" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $rar = "Rar!" + $str0 = "svchost.txt" + $str1 = "rundll3222.exe" + $str2 = "ojbkcg.exe" + + condition: + $rar at 0 and all of ( $str* ) and filesize > 800KB and filesize < 2800KB +} +rule SEKOIA_Rat_Win_Xworm_V3 : FILE +{ + meta: + description = "Finds XWorm (version XClient, v3) samples based on characteristic strings" + author = "Sekoia.io" + id = "5fb1cbd3-1e37-43b9-9606-86d896f2150b" + date = "2023-03-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_xworm_v3.yar#L1-L30" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "0016647c3c7031e744c0af6f9eadb73ab5cab1ca4f8ce7633f4aa069b62755cd" + hash = "07e747a9313732d2dcf7609b6a09ac58d38f5643299440b827ec55f260e33c12" + hash = "de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147" + logic_hash = "9a50f41f6c295f48597f6db3f5d9141345b3711ef110a0f925c881f3a75580ca" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "$VB$Local_Port" ascii + $str02 = "$VB$Local_Host" ascii + $str03 = "get_Jpeg" ascii + $str04 = "get_ServicePack" 
ascii + $str05 = "Select * from AntivirusProduct" wide + $str06 = "PCRestart" wide + $str07 = "shutdown.exe /f /r /t 0" wide + $str08 = "StopReport" wide + $str09 = "StopDDos" wide + $str10 = "sendPlugin" wide + $str11 = "OfflineKeylogger Not Enabled" wide + $str12 = "-ExecutionPolicy Bypass -File \"" wide + $str13 = "Content-length: 5235" wide + + condition: + uint16( 0 ) == 0x5A4D and 8 of them +} +rule SEKOIA_Apt_Muddywater_Powershell_Reverse_Secure_Proxy +{ + meta: + description = "Detects PowerShell Reverse Secure Proxy" + author = "Sekoia.io" + id = "b255f327-cb56-41b7-82f7-83ee23f791a5" + date = "2023-11-14" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_powershell_reverse_secure_proxy.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6507bc030d60af5559492bbb02bc619646306ab06c9bd9d3f78ae6ce55307bda" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$CS.Read($buff,4,2) | Out-Null" ascii wide + $ = "$DP = $buff[2]*256 + $buff[3]" ascii wide + $ = "$PS3.BeginInvoke() | Out-Null" ascii wide + + condition: + all of them +} +rule SEKOIA_Apt_Blackwood_Nspx30_Plugin : FILE +{ + meta: + description = "Detects plugins of NSPX30 backdoor based on RTTI and rundll32 string" + author = "Sekoia.io" + id = "ef8e0d51-c78c-426b-8008-910e27546f23" + date = "2024-01-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_blackwood_nspx30_plugin.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"cf7c232a5a817ff5c0da04744abf99ed2fcea587e3e6f6e8bf3aef7ca8f2b51b" + score = 75 + quality = 76 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = {2E 3F 41 56 43 43 61 62 69 6E 65 74 40 40} + $s2 = {2E 3F 41 56 43 45 6E 63 6F 64 65 72 40 40} + $s3 = "rundll32.exe \"%hs\",#1" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and all of them +} +rule SEKOIA_Bumblebee_Loader : FILE +{ + meta: + description = "Detect the BUMBLEBEE loader" + author = "Sekoia.io" + id = "8fd795c7-6896-498c-a892-de9da6427b60" + date = "2022-05-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/bumblebee_loader.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "73c0195c51b5f8c36ab6d7a0e783f1229709d51fc42e2486c02fa65bbbdf955b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = { 5a 00 3a 00 5c 00 68 00 6f 00 6f 00 6b 00 65 00 72 00 32 00 5c 00 43 00 6f 00 6d 00 6d 00 6f 00 6e 00 5c 00 6d 00 64 00 35 00 2e 00 63 00 70 00 70 00 } + $str1 = "/gate" ascii + $str2 = "3C29FEA2-6FE8-4BF9-B98A-0E3442115F67" wide + $str3 = "BLACK" ascii + + condition: + uint16be( 0 ) == 0x4d5a and 3 of them +} +rule SEKOIA_Apt_Apt28_Wayzgoose_Exploit_String : FILE +{ + meta: + description = "Detects APT28's Wayzgoose exploit strings" + author = "Sekoia.io" + id = "23d9e09e-202c-47f5-abf7-6b5085e44400" + date = "2024-04-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt28_wayzgoose_exploit_string.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" 
+ logic_hash = "804de275f7e8c43fe5690c0bd9338b134c0c47f845f1c3b3a747c3765815084c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "wayzgoose.dll" + $ = "wayzgoose_get_version" + $ = "NtSetInformationFile" + $ = "ZwDuplicateObject" + $ = "ZwClose" + + condition: + uint16be( 0 ) == 0x4d5a and 4 of them and filesize < 500KB +} +rule SEKOIA_Apt_Luckymouse_Compromised_Electronapp : FILE +{ + meta: + description = "Detects compromised ElectronApp" + author = "Sekoia.io" + id = "7702217d-771f-47af-8eaa-d5acf1e14f4d" + date = "2022-08-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_luckymouse_compromised_electronapp.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "939546b75d5f7161bb8eb1fd838a9a7c0c88cb58a0f01f67e687523e5b31b0aa" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s = "module.exports=function(t){eval(function(p,a,c,k,e,r)" + + condition: + $s at 0 and filesize < 100KB +} +rule SEKOIA_Tool_Bore_Rust_Any_Platform : FILE +{ + meta: + description = "Detects bore tunneling tool" + author = "Sekoia.io" + id = "c0ec0d72-de8e-4b96-9db6-a7a4e2f693f1" + date = "2023-07-28" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_bore_rust_any_platform.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c51d75088897aaffef904d560f750d780a0c814b89bf433a05189fbf7bb3285c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = 
"bore_cli::" ascii + $ = "server handshake failed" ascii + $ = "server listening" ascii + $ = "connected to server" ascii + $ = "server requires authentication, but no client secret was provided" ascii + $ = "client port number too low" ascii + $ = "forwarding connection" ascii + $ = "Address of the remote server to expose local ports" ascii + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint32be( 0 ) == 0xfeedface or uint32be( 0 ) == 0xfeedfacf or uint32be( 0 ) == 0xcafebabe or uint16be( 0 ) == 0x4d5a ) and filesize < 15MB and 5 of them +} +rule SEKOIA_Apt_Unk_Malicious_Lnk : FILE +{ + meta: + description = "Detects a malicious LNK used by an APT" + author = "Sekoia.io" + id = "d2248803-7ddf-4cde-ab6a-78b20e760919" + date = "2024-09-06" + modified = "2024-12-19" + reference = "https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_unk_malicious_lnk.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "a8d7e56eb01a8cf576533db9af2e92ec" + logic_hash = "993411ceba45d1212a4840e6a35b72b52e64e78cbb2599ebc5c70c2fd3b8e552" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ".pdf.lnkPK" + $ = ".jfifPK" + $ = ".batPK" + $ = ".pdfPK" + + condition: + uint32be( 0 ) == 0x504b0304 and all of them +} +import "pe" + +rule SEKOIA_Apt_Apt28_Susp_Graphite_Downloader : FILE +{ + meta: + description = "Matches the routine which decrypts the RSA key blob in the Graphite downloader" + author = "Sekoia.io" + id = "9c9da5fe-ffd6-4c45-8ce1-9a6cf4fa2fda" + date = "2022-01-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt28_susp_graphite_downloader.yar#L3-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ca5aa7ea995aca9003fd98da2fba7bbec1e049d979a6b05e07b80876bab5a1c9" + score = 65 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $gen = { 33 D2 + 8B C1 + 6A ?? + 5E + F7 F6 + 8A 82 ?? ?? ?? ?? + 30 81 ?? ?? ?? ?? + 41 + 81 F9 94 04 00 00 + 72 E2 } + + condition: + uint16be( 0 ) == 0x4d5a and $gen and pe.number_of_exports == 1 +} +rule SEKOIA_Apt_Lazarus_Lambload_Timecheck : FILE +{ + meta: + description = "Detects timeCheck routine in LambLoad" + author = "Sekoia.io" + id = "8807c752-c34e-4c3b-9194-3a9bd2575a88" + date = "2023-11-27" + modified = "2024-12-19" + reference = "https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_lazarus_lambload_timecheck.yar#L1-L67" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "019e559f3596cf83f7e7ada05f6550b50b2d45d577600fa549470b98af93e23b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $chunk_1 = { + 0F 85 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? + 50 + E8 ?? ?? ?? ?? + 83 C4 ?? + 83 78 ?? ?? + 0F 85 ?? ?? ?? ?? + 8B 48 ?? + 83 F9 ?? + 0F 8C ?? ?? ?? ?? + 83 F9 ?? + 0F 8D ?? ?? ?? ?? + 8B 40 ?? + 83 F8 ?? + 0F 8C ?? ?? ?? ?? + 83 F8 ?? + 0F 8D ?? ?? ?? ?? + 53 + 57 + 68 ?? ?? ?? ?? + 8D 85 ?? ?? ?? ?? + 6A ?? + 50 + C7 85 ?? ?? ?? ?? ?? ?? ?? ?? 
+ } + + condition: + uint16be( 0 ) == 0x4d5a and any of them +} +rule SEKOIA_Apt_Cloudatlas_Powershower_Module : FILE +{ + meta: + description = "Detects CloudAtlas PowerShower module" + author = "Sekoia.io" + id = "dd688058-3d5d-46a7-8380-fe961c3327cd" + date = "2022-11-30" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_powershower_module.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "7542eb882ee44203d806ad936126be2476b6e3a85ad8c93b6fd6c8226fe82617" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$env:temp" ascii wide + $ = "foreach($item in $zip.items" ascii wide + $ = "echo $result" ascii wide + $ = "pass.txt" ascii wide + + condition: + all of them and filesize < 10000 +} +rule SEKOIA_Apt_Malware_Pocoproxy : FILE +{ + meta: + description = "Detects strings in PocoProxy" + author = "Sekoia.io" + id = "8b37e37f-339e-4f8b-b792-435096f56af0" + date = "2024-08-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_malware_pocoproxy.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "2b89f15012512002c656ff821bbbeca0" + hash = "8d850fed6bb1f3b60365ed656c6791c5" + logic_hash = "217f4eabb5ff4534878b6dd192ae446e651d8510f03ceb501eb33e91199c15a8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "-listen" ascii fullword + $ = "-connect" ascii fullword + $ = "-proxy" ascii fullword + $ = "%d-%d-%d %d:%d:%d" ascii fullword + $ = "%S://%S:%u%S" wide + $ = 
"\\r\\n[%u(%u/%u/%u/%u)]==> %S %S>> %S:%d connect ok." wide + $ = "\\r\\nnconnect to %S:%d faild." wide + $ = "\\r\\nI'm listen %S:%d,welcome..." wide + + condition: + uint16be( 0 ) == 0x4d5a and 5 of them +} +rule SEKOIA_Apt_Ta428_Tmanger_Strings : FILE +{ + meta: + description = "Detects Tmanger malware" + author = "Sekoia.io" + id = "f600404d-3f93-4e3f-bba7-9f519f67c6cb" + date = "2022-09-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_ta428_tmanger_strings.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e045f38367fa7f3cdcc908e60de4386889c7878c95b1a40f63fd70683699b0f1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "sock_hmutex" wide ascii + $ = "cmd_hmutex" wide ascii + $ = "%s_%d.bmp" wide ascii + $ = "WSAStartup Error!" wide ascii + $ = "4551-8f84-08e738aec" wide ascii + $ = "Init failed!" wide ascii + $ = "GetLanIP error!" wide ascii + $ = "chcp & exit" wide ascii + $ = "GetHostname error!" 
wide ascii + $ = "[Num Lock]" wide ascii + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 200KB and 4 of them +} +rule SEKOIA_Apt_Mustangpanda_Tinynote : FILE +{ + meta: + description = "Detects strings in TinyNote backdoor" + author = "Sekoia.io" + id = "a2b9bea4-a211-456f-8a3f-0f31733e8b29" + date = "2023-06-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_tinynote.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "20723b449d057ddf09fa34aa7511275939f98c6c84593af64d99f980c679b2c1" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "bypassSMADAV" ascii fullword + $s2 = "excuteCmdLine" ascii fullword + $s3 = "/Create1953125" ascii + $s4 = "MINUTEMonday" ascii + $s5 = "WndProc" ascii + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 8MB and all of them +} +rule SEKOIA_Apt_Cloudatlas_Init_Module_Virtualalloc : FILE +{ + meta: + description = "Find init module of CloudAtlas with params passed to VirtualAlloc" + author = "Sekoia.io" + id = "299ed681-9d1f-4b47-8389-ff5a608f49d4" + date = "2023-09-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_init_module_virtualalloc.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "31ffaeccc0b8fe36eea3b3a8200eff6a420b1a3937fd439dc84121654fcea502" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "02a1a9582f5ccf421b08c41c35049416b9cdefc9228daf6b38d95e9b0930cc5a" + hash2 = 
"c7f19c7c295c86867ea7fa4597ba0cebe12f751753866e7298fd5d84676facc3" + + strings: + $chunk_1 = { + 6A 40 + 68 00 30 10 00 + 8B 8D ?? ?? ?? ?? + 8B 51 50 + 52 + 6A 00 + FF 15 ?? ?? ?? ?? + } + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and $chunk_1 and filesize < 3MB +} +rule SEKOIA_Bot_Lin_Xorddos_Strings : FILE +{ + meta: + description = "Catch XORDDoS strings" + author = "Sekoia.io" + id = "2f5c70a3-fe3f-4091-905d-d779bd0cb2cd" + date = "2023-11-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/bot_lin_xorddos_strings.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b91cfeeaddffe98ac1649c5d88a2091cf7ab8ff65b232f09c323d23684cb2a2d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)" ascii fullword + $s2 = "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab" ascii fullword + $s3 = "for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done" + + condition: + uint32( 0 ) == 0x464c457f and filesize > 600KB and filesize < 700KB and 3 of them +} +rule SEKOIA_Tool_Rubeus_Strings : FILE +{ + meta: + description = "Detects Rubeus" + author = "Sekoia.io" + id = "df1860d0-ec34-4c2d-bd83-5f16b26d075c" + date = "2024-03-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_rubeus_strings.yar#L1-L24" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "adc6a5207bb15c8020ca170564ea9066b2c0b0e09839d6838744c623f59153cf" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ".Ndr.RPC_DISPATCH_TABLE32" + $ = ".Ndr.RPC_PROTSEQ_ENDPOINT32" + $ = ".Ndr.RPC_SERVER_INTERFACE32" + $ = ".Ndr.NDR_EXPR_DESC32" + $ = "$krb5tgs${0}$*{1}${2}${3}*${4}${5}" wide + $ = "$krb5asrep$23${0}@{1}:{2}" wide + $ = "Unable to decrypt the EncTicketPart using key:" wide + $ = "[*] Target service : {0:x}" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and 5 of them +} +rule SEKOIA_Apt_Aridviper_Rustsysjoker : FILE +{ + meta: + description = "Detects Rust Sysjoker variant via PDB path or key and Rust string" + author = "Sekoia.io" + id = "14ff3f76-0371-4b45-9864-bf69c74e60aa" + date = "2023-11-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_aridviper_rustsysjoker.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "cb3c5d37095c27aa169a6aa61fa12972ff71877c615eaa254c3906ef10c662a9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $Rust = "called `Option::unwrap()` on a `None` value" + $Key = "QQL8VJUJMABL8H5YNRC9QNEOHA" + $PDB = "C:\\Code\\Rust\\RustDown-Belal\\target\\release\\deps\\RustDown.pdb" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 1MB and ( $PDB or ( $Rust and $Key ) ) +} +rule SEKOIA_Botnet_Lin_Tsunami : FILE +{ + meta: + description = "Catch tsunami botnet based on string" + author = "Sekoia.io" + id = "65d2ff89-064f-489a-a215-33197926a62d" + date = "2024-09-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" 
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/botnet_lin_tsunami.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "536a28db011459d841652e25a852ccf2" + logic_hash = "8678ead4c863b2bc6bbb5e0023dee10f4e9f031bd0c8f515ad30d6145755ccaa" + score = 75 + quality = 53 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $n = "NOTICE %s" ascii + $t = "TSUNAMI" ascii nocase + $s1 = "NICK" ascii fullword + $s2 = "GETSPOOFS" ascii fullword + $s3 = "IRC" ascii fullword + $s4 = "PONG" ascii + + condition: + uint32( 0 ) == 0x464c457f and #n > 40 and #t > 3 and 3 of ( $s* ) +} +rule SEKOIA_Infostealer_Win_Xehook_Str : FILE +{ + meta: + description = "Finds XehookStealer standalone samples based on specific strings." + author = "Sekoia.io" + id = "fa76988d-f0a2-4fc2-a122-c104fd585f34" + date = "2024-06-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_xehook_str.yar#L1-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "543ec3b523e5f00d3c285e453c8d11f3d5c7778b2986b7fe03f2d62ff18c2778" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "xehook" ascii + $str02 = "Classes.LogRecord" ascii + $str03 = "__ _____| |__ ___ ___ | | __" wide + $str04 = "\\ \\/ / _ \\ '_ \\ / _ \\ / _ \\| |/ /" wide + $str05 = " > < __/ | | | (_) | (_) | <" wide + $str06 = "/_/\\_\\___|_| |_|\\___/ \\___/|_|\\_\\" wide + $str07 = "https://t.me/xehook" wide + $str08 = "About PC.txt" wide + $str09 = "Browser: {4} v{5} ({6})" wide + $str10 = "http://ip-api.com/json/?fields=11827" wide + $str11 = 
"{0}gate.php?id={1}&build={2}&passwords={3}&cookies={4}" wide + $str12 = "getjson.php?id=" wide + $com01 = "CheckRemoteDebuggerPresent" ascii + $com02 = "get_CurrentThread" ascii + $com03 = "get_InstalledInputLanguages" ascii + $com04 = "get_Ticks" ascii + $com05 = "System.Security.Cryptography" ascii + + condition: + uint16( 0 ) == 0x5A4D and 2 of ( $str* ) and 4 of ( $com* ) +} +rule SEKOIA_Rat_Win_Millenium : FILE +{ + meta: + description = "Finds MilleniumRAT samples based on the specific strings" + author = "Sekoia.io" + id = "91320924-5c74-457a-8601-29c4e4034761" + date = "2023-11-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_millenium.yar#L1-L30" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "bcf4158b9bfee65cd9bd74163ac108ea1de8ec0e9ad066e77bec788ae6fb7283" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Millenium RAT, version:" wide + $str02 = "Coded by @shinyenigma" wide + $str03 = "*gift*** - gift this bot to another user, his telegram bot has to be started" wide + $str04 = "*historyForce - grab more browser history by killing browser processes, use carefully" wide + $str05 = "*download - victim`s PC downloads a file attached to this message, if it is a picture it should also be attached as a file" wide + $str06 = "No keylogs recorded!" 
wide + $str07 = "Successfully added RAT to startup" wide + $str08 = "You`ve gifted gifted a bot:" wide + $str09 = "Incorrect agrument, please enter 0/90/180/270" wide + $str10 = "SELECT action_url, username_value, password_value FROM logins" wide + $str11 = "Yandex\\YandexBrowser\\User Data\\Default" wide + $str12 = "Millenium-rat-CSharp (main project)" ascii + $str13 = "get_BatteryLifePercent" ascii + $str14 = "get_ExpirationMonth" ascii + $str15 = "sqlite3_extension_init " ascii + + condition: + uint16( 0 ) == 0x5A4D and 10 of ( $str* ) +} +rule SEKOIA_Apt_Unknown_Sessionmanageriis_Strings : FILE +{ + meta: + description = "Detects the IIS SessionManager backdoor" + author = "Sekoia.io" + id = "7d55dd82-509f-444d-a1ba-6417b51f392f" + date = "2022-07-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_unknown_sessionmanageriis_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b1058b07c8e40431f8f3841b5ad49b4d6ead21a91d014f24c083f37eeacc5ac5" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Wokring OK" + $ = "Delete File Success :" + $ = "Delete File Error :" + $ = "SM_SESSION=" + $ = "SM_SESSIONID" + $ = "attachment; filename =" + $ = "CHttpModule::" + + condition: + uint16be( 0 ) == 0x4d5a and filesize > 100KB and filesize < 400KB and 4 of them +} +rule SEKOIA_Strongpity_Malware : FILE +{ + meta: + description = "Detects obfuscation used by StrongPity" + author = "Sekoia.io" + id = "f19a685c-599d-42cf-a5d8-7a2375102f97" + date = "2024-02-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/strongpity_malware.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "14be5eccb4e754d6dad69cda51a924241cc75f5d758bc2d746acfe41e1684b3a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $rand_edi = {E8 ?? ?? ?? ?? 8B F8 81 E7 07 00 00 80 79 ?? 4F 83 CF F8 47 83 C7 02} + $rand_esi = {E8 ?? ?? ?? ?? 8B F0 81 E6 07 00 00 80 79 ?? 4E 83 CE F8 46 83 C6 02} + $rand_eax = {E8 ?? ?? ?? ?? 25 07 00 00 80 79 ?? 48 83 C8 F8 40 83 C0 02} + + condition: + uint16be( 0 ) == 0x4d5a and #rand_edi + #rand_esi + #rand_eax > 20 +} +rule SEKOIA_Apt_Apt29_Wineloader_Malicious_Hta +{ + meta: + description = "Detects malicious HTA used by APT29 to drop Wineloader" + author = "Sekoia.io" + id = "5a17d854-0564-4830-a0e5-7867b99716c2" + date = "2024-03-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt29_wineloader_malicious_hta.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "efafcd00b9157b4146506bd381326f39" + logic_hash = "0cc4692e5ff3f258c287f28030147f725d6a534c4f2f7a2a4ff49a305b7fd13d" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Number of running processes:" wide + $str06 = "Installed FireWall: " wide + $str07 = "~[Panel_Receiving_Data]~ Incorrect data when receiving data on the panel" wide + $str08 = "ProcessInfo_Log.txt" wide + $str09 = "Installed_Software_Log.txt" wide + $str10 = "Detect Data ClipBoard] - [ {DateTime.Now:MM.dd.yyyy - HH:mm:ss}]" wide + $str11 = "VPN/ProtonVPN_Log.txt" wide + $str12 = "VPN/Nord_Log.txt" wide + $str13 = 
"Steam/SteamID_Log.txt" wide + + condition: + uint16( 0 ) == 0x5A4D and 6 of them +} +rule SEKOIA_Win_Loader_Astasialoader_Strings : FILE +{ + meta: + description = "AstasiaLoader strings" + author = "Sekoia.io" + id = "8dfabf28-4b5a-43db-87e9-5b9080541ec3" + date = "2023-08-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/win_loader_astasialoader_strings.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "44b6f7508a82ff6a4d65defc189303eeee393b5fd498de73d74d0a2c75c87401" + logic_hash = "02a7bed506865d761ec03b8de4b7fc636b71f48c62e933013f2ffa23deabb62e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "newuploaders" wide + $s2 = "\\infected.exe" wide + $s3 = "AstasiaLoader" wide + $s4 = "Astasia.pdb" ascii + $s5 = "ip-api.com/line/?fields=hosting" wide + $s6 = "https://api.telegram.org/bot" wide + $s7 = "currentscript.txt" wide + $s8 = "sessionlog.txt" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize > 50KB and filesize < 1MB and 5 of them +} +rule SEKOIA_Tool_Printnotifypotato : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "8dde175f-025a-4c27-bcc6-d0016dd7238c" + date = "2023-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_printnotifypotato.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5d4b7d1582c2b3f53ca5e1ff6e7ff97a677fe8870e94415f7328ea0a0387049c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + 
+ strings: + $s1 = "PrintNotifyPotato.exe" ascii wide + $s2 = "BeichenDream" ascii wide + $s3 = "interactive" ascii wide + $s4 = "DuplicateTokenEx" ascii wide + $s5 = "CurrentUser" ascii wide + $s6 = "FakeIUnknown" ascii wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 8MB and all of them +} +rule SEKOIA_Apt_Oilrig_Powerexchange : FILE +{ + meta: + description = "Detects OilRig's PowerExchange backdoor" + author = "Sekoia.io" + id = "cb6b370f-7b05-480b-865e-ac81ded4a2a4" + date = "2023-10-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_powerexchange.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5e505e9bbb17500f7e9a316b66bccb62089172582478230e0bda736bbefa1fd6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "($h.value).PadRight((($h.value).Length+($h.value).Length%4),'='" ascii wide + $ = "(($h.value).Length%4 -ne 0)" ascii wide + $ = "-match \"@@(.*)@@\"" ascii wide + $ = "[Environment]::NewLine+$_.Exception.Message | Out-File -FilePath" ascii wide + $ = "ContainsSubjectStrings.Add(\"@@\")" ascii wide + + condition: + 2 of them and filesize < 50KB +} +import "hash" +import "pe" + +rule SEKOIA_Wiper_Win_Isaacwiper +{ + meta: + description = "Detect the IsaacWiper using multiple methods + ReversingLab rule's condition" + author = "Sekoia.io" + id = "b081e3a3-612e-46ae-93af-82e7ee98fcf7" + date = "2022-03-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/wiper_win_isaacwiper.yar#L4-L45" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0338e11ece112b6f7d88db49cfc703a4431d7ee54f4b9ff0b9e2ea50d39cab4f" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "getting drives..." wide + $s2 = "physical drives:" wide + $s3 = "-- system physical drive" wide + $s4 = "-- physical drive" wide + $s5 = "logical drives:" wide + $s6 = "-- system logical drive:" wide + $s7 = "-- logical drive:" wide + $s8 = "start erasing physical drives..." wide + $s9 = "-- FAILED" wide + $s10 = "-- start erasing logical drive" wide + $s11 = "start erasing system physical drive..." wide + $s12 = "system physical drive -- FAILED" wide + $s13 = "start erasing system logical drive" wide + + condition: + pe.imphash( ) == "a4b162717c197e11b76a4d9bc58ea25d" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "06d63fddf89fae3948764028712c36d6" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "48f101db632bb445c21a10fd5501e343" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "5efc98798d0979e69e2a667fc20e3f24" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "9676f7c827fb9388358aaba3e4bd0cc6" ) or hash.md5 ( pe.rich_signature.clear_data ) == "ec862d3013903478c2ff8dce2792815f" or all of ( $s* ) +} +rule SEKOIA_Generic_Sharpshooter_Payload_12 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "b69186cf-9825-4d90-be20-7caa9e7de61f" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_12.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5c9692337c0dd533c7e49bd3850feedad93b256bc2fba45af6121f50ad83f4cc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "ms.Write(ba, 0, (length / 4) * 3);" + $ = "var serialized_obj = " + $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);" + $ = "var sc =" + + condition: + all of them and filesize < 2MB +} +rule SEKOIA_Latrodectus_Br4_Js_Dropper +{ + meta: + description = "Detect the JS script used to drop Latrodectus" + author = "Sekoia.io" + id = "042a598d-66fa-4994-a793-228355abd5dd" + date = "2024-06-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/latrodectus_br4_js_dropper.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a835bd9a9ad68fd2f285ec5c04a5c78ba5ca85381ff30048ac375bef220fd72f" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = " installer.InstallProduct(msiPath);" ascii + $s2 = "new ActiveXObject(\"WindowsInstaller.Installer\");" ascii + + condition: + all of 
them +} +import "hash" +import "pe" + +rule SEKOIA_Loader_Win_Dodgebox +{ + meta: + description = "Detect the DodgeBox malware using several criteria" + author = "Sekoia.io" + id = "8d5f94f3-1add-4f34-ba9e-f8f576c4e5b8" + date = "2024-07-15" + modified = "2024-12-19" + reference = "https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_dodgebox.yar#L4-L29" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e859da15a065454d273c4040b4e3409c3046cbcee135497bdcce6cff620c3cfb" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db" + hash2 = "33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49" + + condition: + pe.imphash( ) == "aeea1135af87e6b6b23fa7da995967ea" or hash.md5 ( pe.rich_signature.clear_data ) == "1c850cf955b35f60ee6c12d01161d95d" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "4a80edcce2a5ac85c3f849172ee89c0f" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "53781057440f51882c38d3a9ef611775" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "801b286d84a97fe919721843ab77210d" ) +} +rule SEKOIA_Rat_Win_Ratel_Strings : FILE +{ + meta: + description = "Detect RATel based on characteristic strings" + author = "Sekoia.io" + id = "d0c8b89b-c811-47aa-9e03-717998c40d91" + date = "2023-04-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_ratel_strings.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ff5640b03ec3e535cdb86c2a0feb52d0c472928ff88a36ec9f66ac8aa07c9f69" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "[-] Error when changing folder." ascii + $s2 = "cmd.exe" wide + $s3 = "back slash find: " ascii + $s4 = "MOD_ALL:" wide + $s5 = "MOD_PERSISTENCE" wide + $s6 = "MOD_DESTRUCTION:" wide + $s7 = "MOD_RECONNECT" wide + $s8 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide + $s9 = "powershell.exe -command \"([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')\"" wide + $s10 = "The command was executed successfully but no data was returned." + $s11 = "[-] TIMEOUT IN CREATEPROCESS, but all the processes in the name of: " ascii + $s12 = "we were well and truly killed." 
ascii + + condition: + ( uint16be( 0 ) == 0x4d5a ) and filesize > 500KB and filesize < 3MB and 8 of them +} +rule SEKOIA_Apt_Ta410_Flowcloud_Loader : FILE +{ + meta: + description = "Detects FlowCloud Loader" + author = "Sekoia.io" + id = "0a11dfa0-5a59-477b-baf6-6a777d020860" + date = "2024-05-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_ta410_flowcloud_loader.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "450cfdfbd9a42b623fc1acb55f3ea309ae54282b480edcb9495f4d45874d3922" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $decryption_function = {8A C8 80 C1 26 32 D1 30 14 38} + $derivation_key = {6B 04 00 00 F7 ?? 81 c2 a8 01 00 00} + $new_pattern_1 = {50 33 c0 58 74 01 e8} + $new_pattern_2 = {89 44 24 fc 58 8D 64 + 24 fc 81 fc 00 10 00 + 00 77 06 81 c4 ?? ?? + ?? ?? 
8B 44 24 FC} + $patch_bytes = {68 78 56 34 12 C3 90 90 90 90 90 00} + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 4MB and 2 of them +} +rule SEKOIA_Rat_Win_Atharvan +{ + meta: + description = "Detect Atharvan RAT" + author = "Sekoia.io" + id = "61347490-d281-4892-adba-89cf6187545f" + date = "2023-02-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_atharvan.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fee9a5a684b3e9bd629a0e87bdf63ba0c1fc1e970ca3b7fec8d7a4f2f60a355a" + score = 75 + quality = 78 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = {44 3a 5c 72 61 6e 67 5c 54 4f 4f 4c 5c 33 52 41 54} + + condition: + all of them +} +rule SEKOIA_Apt_Reaper_Malicious_Lnk : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "8f055d1b-5727-4d77-9671-cdbb1ea69d5f" + date = "2023-09-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_reaper_malicious_lnk.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8cec5819dd7b01b3993acae056f5640fa28ffe76b05d2d9e59779a73eb00bd6e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "*rshell.exe" wide + $ = "/od') do call" wide + + condition: + uint32be( 0 ) == 0x4c000000 and all of them +} +rule SEKOIA_Tool_Pivotnacci_Webshell : FILE +{ + meta: + description = "Detects pivotnacci webshell" + author = "Sekoia.io" + id = "729b6381-b59d-46fe-9ad4-b8b68fb0ceea" + date = "2024-04-22" + 
modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_pivotnacci_webshell.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a57792915b4c888547ebe0b08b928e4bc32b3526c98a3ccc9fca0193cedee20a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "if (cmd == SEND_OPERATION) {" + $ = "Response.BinaryWrite(newBuff)" + $ = "Request.Headers.Get(ID_HEADER)" + $ = "[$READ_BUFFER_SESSION_KEY . $connection_id]" + $ = "extract_session_readbuf($conn_id" + $ = "Failed connecting to target $addr:$port : $errstr" + $ = "void handle_post(String cmd)" + $ = "SocketChannel socketChannel = this.get_socket(socket_id" + $ = "this.get_svc().compareTo(this.get_hostname())" + + condition: + 3 of them and filesize < 10KB +} +rule SEKOIA_Loader_Win_Aresloader : FILE +{ + meta: + description = "Finds AresLoader samples based on characteristic strings" + author = "Sekoia.io" + id = "bf5070fc-c8ca-4458-8702-cd1830667b7a" + date = "2023-05-02" + modified = "2024-12-19" + reference = "https://blog.cyble.com/2023/04/28/citrix-users-at-risk-aresloader-spreading-through-disguised-gitlab-repo/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_aresloader.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "2edbb625394506e865580373d5c3454b4fa201183c84d247b4373f24e25f5fd4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "{\\\"ip\\\": '%s', \\\"UID\\\": '%s', \\\"geo\\\": '%s', \\\"service\\\": '%s', \\\"owner_token\\\": '%s'}" ascii + $str02 = "AresLdr_v_3" ascii + $str03 = 
"https://ipinfo.io/ip" ascii + $str04 = "C:\\Users\\%s\\AppData\\Roaming\\%s\\%s" ascii + $str05 = "/manager/payload" ascii + $str06 = "/manager/loader" ascii + $str07 = "/manager/legit" ascii + $str08 = "/manager/hvnc" ascii + $str09 = "C%p %d V=%0X w=%ld %s" ascii + $str10 = "rundll32.exe %s,%s" ascii + $str11 = "%startinfo" ascii + $str12 = "%managedapp" ascii + $str13 = "%has_cctor" ascii + + condition: + uint16( 0 ) == 0x5A4D and 5 of them +} +rule SEKOIA_Ransomware_Win_Wing : FILE +{ + meta: + description = "Finds Wing ransomware samples based on specific strings" + author = "Sekoia.io" + id = "c2fe8321-8013-4aa4-91a6-c0face3e6b52" + date = "2024-01-30" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_wing.yar#L1-L52" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c9f373c12f4fb5efc29d0f293a2e0b46cf03c1abe124e9dd4118bef6c6e3f731" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $fun01 = "LockBIT" ascii fullword + $fun02 = "BigEncrypt" ascii + $fun03 = "RunEncrypt" ascii + $fun04 = "AesEncrypt" ascii + $fun05 = "KeyGenerator" ascii + $fun06 = "GetUniqueKey" ascii + $fun07 = "SearchFolder" ascii + $fun08 = "ThreadFolders" ascii + $fun09 = "ContainsKeyword" ascii + $fun10 = "ReadMeMaker" ascii + $fun11 = "StopAndConfigureSqlServices" ascii + $fun12 = "WipeRecycleBin" ascii + $fun13 = "TelSender" ascii + $str01 = "AnyDesk" wide + $str02 = "firebird" wide + $str03 = "Acronis" wide + $str04 = "config \"" wide + $str05 = " start= demand" wide + $str06 = "' stopped and configured to start automatically." 
wide + $str07 = "Error processing service '" wide + $str08 = "$RECYCLE.BIN" wide + $str09 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide + $str10 = "UniqueID:" wide + $str11 = "PersonalID:" wide + $ran01 = "C:\\Readme.txt" wide + $ran02 = "C:\\LockBIT\\systemID" wide + $ran03 = "Your system has been encrypted by our team, and your files have been locked using our proprietary algorithm !" wide + $ran04 = "* Please read this message carefully and patiently *" wide + $ran05 = "* If you use any tools, programs, or methods to recover your files and they get damaged, we will not be responsible for any harm to your files !" wide + $ran06 = "* Note that your files have not been harmed in any way they have only been encrypted by our algorithm." wide + $ran07 = "Your files and your entire system will return to normal mode through the program we provide to you. No one but us will be able to decrypt your files !" wide + $ran08 = "* To gain trust in us, you can send us a maximum of 2 non-important files, and we will decrypt them for you free of charge." wide + $ran09 = "Please put your Unique ID as the title of the email or as the starting title of the conversation." wide + $ran10 = "* For faster decryption, first message us on Telegram. 
If there is no response within 24 hours, please email us *" wide + + condition: + uint16( 0 ) == 0x5a4d and ( ( 5 of ( $fun* ) and 5 of ( $str* ) and 2 of ( $ran* ) ) or 12 of ( $fun* ) or 10 of ( $ran* ) or 8 of ( $ran* ) ) +} +rule SEKOIA_Apt_Badmagic_Startrevsocks_Pshscript : FILE +{ + meta: + description = "Detects BadMagic DLL Loader powershell script" + author = "Sekoia.io" + id = "a6c96aee-9e78-47d2-afe3-f3c5246a9370" + date = "2023-05-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_startrevsocks_pshscript.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6a4615afb836330634cde9559dacfff50daef44a370f6191c6771a2066074a31" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$ExecutablePath" + $ = "Start-Sleep -Second 2" + $ = "recn -15 -rect 15" + + condition: + all of them and filesize < 1KB +} +import "hash" +import "pe" + +rule SEKOIA_Ransomware_Win_Eking_Rich_Header +{ + meta: + description = "Detect Eking ransomware using its rich header" + author = "Sekoia.io" + id = "9fe76f89-f27a-4a47-a61c-2d767a1a8acb" + date = "2021-10-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_eking_rich_header.yar#L4-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0028200fc2e929dba6fcc4ddf5d8e07825842e2f65c69ad94ebd032ae3748c90" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + hash.md5( pe.rich_signature.clear_data ) == "256b60751602028612562b73ecdb163c" +} +rule 
SEKOIA_Apt_Kimsuky_Powershell_Dropper_Strings : FILE +{ + meta: + description = "Detects a PowerShell dropper used by Kimsuky" + author = "Sekoia.io" + id = "8b346e05-215b-46c0-82bf-fce3a65440f3" + date = "2024-06-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_powershell_dropper_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e98f23ddf02049126786e9300e7b6661b2a74817b36e2f3a661b07b24ef4402d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "try { " ascii wide + $s2 = "); } catch(e){} } if (" + $s3 = "WScript.Sleep(" + $s4 = " } catch(e) { }" + + condition: + filesize > 500KB and $s1 at 0 and $s2 in ( filesize -1000 .. filesize ) and $s3 in ( filesize -1000 .. filesize ) and $s4 in ( filesize -1000 .. 
filesize ) +} +rule SEKOIA_Implant_Win_Havoc_Default_Strings : FILE +{ + meta: + description = "Finds Havoc implants based on the embedded default strings" + author = "Sekoia.io" + id = "955c2211-4502-4258-ba4c-0d96a5624283" + date = "2022-10-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_havoc_default_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "dbf17e579071f265961657d73c6a2e51630b23e80376491df2e631cee5ffb1b4" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "C:\\Windows\\System32\\notepad.exe" ascii + $str02 = "C:\\Windows\\SysWOW64\\notepad.exe" ascii + $str03 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" ascii + $str04 = "POST" wide + $str05 = "\\??\\C:\\Windows\\System32\\ntdll.dll" wide + $str06 = "X-Havoc: true" ascii + $str07 = "X-Havoc-Agent: Demon" ascii + $str08 = "/text.gif" ascii + $str09 = "SeImpersonatePrivilege" ascii + + condition: + uint16( 0 ) == 0x5A4D and 6 of them +} +rule SEKOIA_Hacktool_Iox_Tunneling : FILE +{ + meta: + description = "Detects IOX tunneling tool" + author = "Sekoia.io" + id = "45b31d67-95e9-405d-88ea-3f2006ef160a" + date = "2022-10-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_iox_tunneling.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e15df032864799e282ee89402d22b82e5d4b8f469ec292575a1bcb78d24db012" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = 
"TLP:CLEAR"
+
+ strings:
+ $ = "iox/operate.Local2Remote"
+ $ = "iox/operate.Local2Local"
+ $ = "iox/operate.Remote2Remote"
+ $ = "iox/operate.ProxyLocal"
+ $ = "iox/operate.ProxyRemote"
+ $ = "iox/operate.ProxyRemoteL2L"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 5MB and all of them
+}
+rule SEKOIA_Apt_Uac0154_Malicious_Html_Smuggling : FILE
+{
+ meta:
+ description = "UAC-0154 Infection chain"
+ author = "Sekoia.io"
+ id = "923d11e5-6332-456d-8aff-ae7fb76193a8"
+ date = "2023-10-02"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_uac0154_malicious_html_smuggling.yar#L1-L17"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "ba37b076ac29edcb9af7792420b527b0d64e7838e0237b39afe98a817eafdf7e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "Microsoft® HTML Help Workshop 4.1"
+ $ = "var a=['"
+ $ = ")+b('0x"
+
+ condition:
+ all of them and filesize < 100KB
+}
+rule SEKOIA_Tool_Ssf_Strings : FILE
+{
+ meta:
+ description = "Detects SSF based on strings"
+ author = "Sekoia.io"
+ id = "47fc3df8-a153-4045-a5f0-ed30df662984"
+ date = "2024-05-31"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_ssf_strings.yar#L1-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a6fa09a25c90e00466a2b59f8c604084996224c93021ad72ed8705bf05da5d97"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "could NOT read SSF reply"
+ $ = "SSF reply NOT ok {}"
+ $ = "SSF reply 
OK"
+ $ = "SSF protocol error {}"
+ $ = "SSF reply ok"
+ $ = "SSF version NOT read {}"
+ $ = "SSF version {}"
+ $ = "SSF version NOT supported {}"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and 4 of them
+}
+rule SEKOIA_Apt_Kimsuky_Powershell : FILE
+{
+ meta:
+ description = "Powershell scripts used by Kimsuky. If size < 3KB ok. If between 3 and 15, a check is needed"
+ author = "Sekoia.io"
+ id = "b7f812e0-d08b-40fe-908a-dc5765d6bc66"
+ date = "2024-09-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_powershell.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "6babb53d881448dc58dd7c32fcd4208a"
+ hash = "29ec7a4495ea512d44d33c9847893200"
+ hash = "fde68771cebd7ecd81721b0dff5b7869"
+ hash = "0c3fd7f45688d5ddb9f0107877ce2fbd"
+ hash = "1a1723be720c1d9cd57cf4a6a112df79"
+ logic_hash = "7436d8cba8a8caaf95786c38c4ceee4426dc7e36ae3eeed5d3162310cd76091d"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = ".ToCharArray();[array]::Reverse(" ascii
+ $ = ");$res = -join ($bytes -as [char[]]);Invoke-Expression $res;" ascii
+
+ condition:
+ all of them and filesize < 15KB
+}
+rule SEKOIA_Nomercy : FILE
+{
+ meta:
+ description = "Detect NoMercy sample version up to 1.1.0"
+ author = "Sekoia.io"
+ id = "2591f74b-8ab8-45ef-ba64-62a93df305c1"
+ date = "2022-07-11"
+ modified = "2024-12-19"
+ reference = "https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/nomercy.yar#L1-L61"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = 
"175bc58f1b34bb60f6cacc15747e944cbbdd58fe287ff46abed969eaa39870db"
+ score = 75
+ quality = 78
+ tags = "FILE"
+ version = "1.0"
+ hash1 = "9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65"
+ hash2 = "557acce8b787aba87c8eeb939438b52c5ca953f28ad680a7faeb2b3046d3fda0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $debug1 = "Posted uid and version" wide ascii
+ $debug2 = "Posted cli info to server" wide ascii
+ $debug3 = "Posted other info to server" wide ascii
+ $debug4 = "Sending screenshot..." wide ascii
+ $debug5 = "Sent screenshot" wide ascii
+ $debug6 = "Listening to Microphone..." wide ascii
+ $debug7 = "Collecting other info..." wide ascii
+ $url1 = "/a?uid=" wide ascii
+ $url2 = "/c?uid=" wide ascii
+ $url3 = "/d?uid=" wide ascii
+ $url4 = "/e?uid=" wide ascii
+ $url5 = "/b?sysinfoother=" wide ascii
+ $url6 = "/b?sysinfocli=" wide ascii
+ $info1 = "PUBLIC IP:" wide ascii
+ $info2 = "HWID:" wide ascii
+ $info3 = "RAM:" wide ascii
+ $info4 = "GPU:" wide ascii
+ $info5 = "MEDIA ACCESS CONTROL ADDRESS:" wide ascii
+ $info6 = "PRIVATE IP:" wide ascii
+ $info7 = "OS VERSION:" wide ascii
+ $info8 = "ANTIVIRUS:" wide ascii
+ $info9 = "KEYBOARD LANGUAGE:" wide ascii
+ $info10 = "CLIPBOARD: {0}{1}{2}" wide ascii
+ $info11 = "RUNNING PROCESSES:" wide ascii
+ $info12 = "WINDOW TITLE:" wide ascii
+ $cmd1 = "/c whoami /all" wide ascii
+ $cmd2 = "/c whoami" wide ascii
+ $cmd3 = "/c arp -a" wide ascii
+ $cmd4 = "/c ipconfig /all" wide ascii
+ $cmd5 = "/c net view /all" wide ascii
+ $cmd6 = "/c net share" wide ascii
+ $cmd7 = "/c route print" wide ascii
+ $cmd8 = "/c netstat -nao" wide ascii
+ $cmd9 = "/c net localgroup" wide ascii
+ $cmd10 = "/c systeminfo" wide ascii
+ $inv1 = "http://api.ipify.org" wide ascii
+ $inv2 = "NoMercy" wide ascii
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 3 of ( $debug* ) and 8 of ( $info* ) and 2 of ( $url* ) and 6 of ( $cmd* ) and 1 of ( $inv* ) and filesize > 700KB and filesize < 3000KB
+}
+rule SEKOIA_Apt_Sidecopy_Cheex : 
FILE
+{
+ meta:
+ description = "Detects PDB path of Cheex"
+ author = "Sekoia.io"
+ id = "e9b57f15-e703-4367-b501-fa8a873e4455"
+ date = "2024-08-14"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sidecopy_cheex.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "825c7a1603f800ff247c8f3e9a1420af"
+ logic_hash = "e5561466b616c746b33c0c4a46e8bdb0859e55aef8896bc1b14e54838c1661ee"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "C:\\Users\\Dead Snake\\source\\repos\\cheex" ascii fullword
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and all of them
+}
+rule SEKOIA_Apt_Sandworm_Caddywiper_Stacked_Strings : FILE
+{
+ meta:
+ description = "Detects stacked strings used in the wiper."
+ author = "Sekoia.io"
+ id = "7750c4b6-5781-4b1c-8200-cbce9f18aa56"
+ date = "2022-04-06"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sandworm_caddywiper_stacked_strings.yar#L1-L74"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "e8c94e8611a50080368785d2b341a95d5359d1d814e1d665553324118700ed10"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "2.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = { C6 45 ?? 6E
+ C6 45 ?? 65
+ C6 45 ?? 74
+ C6 45 ?? 61
+ C6 45 ?? 70
+ C6 45 ?? 69
+ C6 45 ?? 33
+ C6 45 ?? 32
+ C6 45 ?? 2E
+ C6 45 ?? 64
+ C6 45 ?? 6C
+ C6 45 ?? 6C }
+ $ = { C6 45 ?? 44
+ C6 45 ?? 65
+ C6 45 ?? 76
+ C6 45 ?? 69
+ C6 45 ?? 63
+ C6 45 ?? 65
+ C6 45 ?? 49
+ C6 45 ?? 6F
+ C6 45 ?? 43
+ C6 45 ?? 6F
+ C6 45 ?? 6E
+ C6 45 ?? 74
+ C6 45 ?? 72
+ C6 45 ?? 
6F
+ C6 45 ?? 6C }
+ $ = { C6 45 ?? 5C
+ C6 45 ?? 00
+ C6 45 ?? 5C
+ C6 45 ?? 00
+ C6 45 ?? 2E
+ C6 45 ?? 00
+ C6 45 ?? 5C
+ C6 45 ?? 00
+ C6 45 ?? 50
+ C6 45 ?? 00
+ C6 45 ?? 48
+ C6 45 ?? 00
+ C6 45 ?? 59
+ C6 45 ?? 00
+ C6 45 ?? 53
+ C6 45 ?? 00
+ C6 45 ?? 49
+ C6 45 ?? 00
+ C6 45 ?? 43
+ C6 45 ?? 00
+ C6 45 ?? 41
+ C6 45 ?? 00
+ C6 45 ?? 4C
+ C6 45 ?? 00
+ C6 45 ?? 44
+ C6 45 ?? 00
+ C6 45 ?? 52
+ C6 45 ?? 00
+ C6 45 ?? 49
+ C6 45 ?? 00
+ C6 45 ?? 56
+ C6 45 ?? 00
+ C6 45 ?? 45 }
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 2 of them
+}
+import "hash"
+import "pe"
+
+rule SEKOIA_Rat_Win_Romcom_Payload
+{
+ meta:
+ description = "Detect the RomCom malware"
+ author = "Sekoia.io"
+ id = "c391f84c-f0cb-42d8-a8d8-d59725bf74c2"
+ date = "2022-11-04"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_romcom_payload.yar#L4-L17"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "56f016df8e9165522e18f34bdb7c3044ee8927f53dd6818fa2b3d6424191d8e0"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ condition:
+ for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . 
length ) == "160ed1cdf6e9321cef19cfed6a63b4b5557dd35e174b821bf8a81c4146fa6536" )
+}
+rule SEKOIA_Infostealer_Win_Enigma_Initial_Loader : FILE
+{
+ meta:
+ description = "Find initial loader of Enigma Stealer based on specific strings"
+ author = "Sekoia.io"
+ id = "664fe8de-b406-4d63-9a4b-1c350b444f00"
+ date = "2023-01-30"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_enigma_initial_loader.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23"
+ logic_hash = "b7687a480a2a633e7cc9a60d62f3392011712bd018ed634927419cfb4edb4a78"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "/getFile?file_id=" ascii
+ $str02 = "/file/bot" ascii
+ $str03 = "?file_id=" ascii
+ $str04 = "pInternetSetOptionA failed" wide
+ $str05 = "list_messages[file_path] failed" wide
+ $str06 = "iE&xit" wide
+ $str07 = "[GetTgFileById][GetTgRequest] reply is NULL" wide
+ $str08 = "Telegram request failed" wide
+ $str09 = "bot getted" wide
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 4 of them
+}
+rule SEKOIA_Hacktool_Mimilite : FILE
+{
+ meta:
+ description = "Detects Mimilite"
+ author = "Sekoia.io"
+ id = "abb92a9d-0978-4ef2-b2cc-53ce6e83e3e4"
+ date = "2023-12-05"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_mimilite.yar#L1-L37"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "504bc58e1c4143cc2322d564b637b0e014a4ead44f56a75fe1202b0d0a2e8bbc"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version 
= "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $chunk = {
+ FF C7
+ 48 63 D7
+ 46 0F B6 04 22
+ 41 03 F0
+ 81 E6 ?? ?? ?? ??
+ 7D ??
+ FF CE
+ 81 CE ?? ?? ?? ??
+ FF C6
+ 48 63 CE
+ 42 0F B6 04 21
+ 42 88 04 22
+ 46 88 04 21 }
+ $imp1 = "CryptGetHashParam"
+ $imp2 = "CryptDestroyHash"
+ $imp3 = "CryptHashData"
+ $imp4 = "CryptReleaseContext"
+ $imp5 = "CryptCreateHash"
+ $imp6 = "CryptAcquireContextA"
+ $imp7 = "VirtualAlloc"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 200KB and all of ( $imp* ) and $chunk
+}
+rule SEKOIA_Apt_Tortoiseshell_Imaploader : FILE
+{
+ meta:
+ description = "Detects IMAPLoader malware"
+ author = "Sekoia.io"
+ id = "e1706b59-5c94-4fbf-8560-0022ca631d1d"
+ date = "2023-11-13"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_tortoiseshell_imaploader.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "93f57940ed69145064e5153cc9b099fb9456116cae808acfb4e6f7f14003dde7"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "yandex.com"
+ $s2 = "saveImapMessage.pdb"
+ $s3 = "downloader"
+ $s4 = "MailServer.Auth"
+
+ condition:
+ filesize < 1MB and 3 of them
+}
+import "pe"
+
+rule SEKOIA_Apt_Menupass_Maliciouslibvlc_Dll
+{
+ meta:
+ description = "Detects the malicious LibVLC variants used by MenuPass"
+ author = "Sekoia.io"
+ id = "8b6b56f3-33b5-41cf-8bcb-e653c98718bd"
+ date = "2022-04-06"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_menupass_maliciouslibvlc_dll.yar#L3-L17"
+ license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "de56e112a477d3a77146f1b84c8aa3e66a382a87f1492dd50aa1de9458b33717"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ condition:
+ pe.DLL and pe.number_of_exports < 15 and for all i in ( 0 .. pe.number_of_exports - 1 ) : ( pe.export_details [ i ] . name contains "libvlc_" )
+}
+rule SEKOIA_Downloader_Win_Donot
+{
+ meta:
+ description = "Detect the DoNot's downloader malware. There are big binaries in downloader strings."
+ author = "Sekoia.io"
+ id = "31b153cc-a4b9-40a0-8bcb-ce1370645b4b"
+ date = "2023-03-20"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_win_donot.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f6a03e6cfda74c1fbb1e8939a66735498d604a821b8b51492c2c5c6a46a38b6e"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "001100000011000100110001001100000011000000110000001100010011000100110000001100010011000100110000001100010011000100110000001100010011"
+ $ = "01010011011011110110011001110100011101110110000101110010011001010101110001001101011010010110001101110010011011110111001101101111011001100111010001011100010101110110100101101110011001000110111101110111011100110101110001000011011101010111001001110010011001010110111001110100010101100110010101110010011100110110100101101111011011100101110001010101011011100110100101101110011100110111010001100001011011000110110000000000"
+ $ = "0101110001110011011110010111001101110100011001010110110100110011001100100101110001110010011101010110111001100100011011000110110000110011001100100010111001100101011110000110010100000000"
+
+ condition:
+ 1 of them
+}
+rule 
SEKOIA_Apt_Gamaredon_Getlogicaldrive_Hunting : FILE
+{
+ meta:
+ description = "Detects gamaredon powershell stuff"
+ author = "Sekoia.io"
+ id = "18958ee8-7eb8-43b5-8ad2-be93bb39aa80"
+ date = "2023-02-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_getlogicaldrive_hunting.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "4ec19e4d5723bc33d6f11598ce538403678e906bc416b58fea6e1b10cd26e5b6"
+ score = 50
+ quality = 60
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "VolumeSerialNumber" ascii wide nocase
+ $ = "Get-WmiObject" ascii wide nocase
+ $ = "]::ToUInt32(" ascii wide nocase
+ $ = "DeviceID" ascii wide nocase
+ $ = "UploadValues" ascii wide nocase
+ $ = "UploadString" ascii wide nocase
+
+ condition:
+ 5 of them and filesize < 500KB
+}
+rule SEKOIA_Infostealer_Win_Leaf : FILE
+{
+ meta:
+ description = "Find samples of Leaf Stealer based on specific strings"
+ author = "Sekoia.io"
+ id = "17d8e384-1092-4f27-b4f7-c0c0f7efcaa3"
+ date = "2023-02-07"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_leaf.yar#L1-L32"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f8c0ff694c9f7a02613000d85a40f6b400dcca60711e589f7ccd3546f571aea6"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "Leaf $tealer" ascii
+ $str02 = "KiwiFolder" ascii
+ $str03 = "key_wordsFiles" ascii
+ $str04 = "**[Click to copy](https://superfurrycdn.nl/copy/" ascii
+ $str05 = "Early_Verified_Bot_Developer" ascii
+ 
$str06 = "getCookie.." ascii
+ $str07 = "C:\\Program Files (x86)\\Steam\\config" ascii
+ $str08 = "[crunchyroll](https://crunchyroll.com)" ascii
+ $str09 = "-m pip install" ascii
+ $str10 = "taskkill /im " ascii
+ $str11 = "/loginusers.vdf" ascii
+ $str12 = "mot_de_passe" ascii
+ $str13 = "Interesting files found on user PC" ascii
+ $str14 = "NationsGlory/Local Storage/leveldb" ascii
+ $str15 = "wppassw.txt" ascii
+ $str16 = "wpcook.txt" ascii
+ $str17 = "ProcesName < 1 >" ascii
+ $str18 = "Metamask_" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 10 of them
+}
+rule SEKOIA_Loader_Win_Operationmagalenha_Vbs
+{
+ meta:
+ description = "Finds VBS file loading the PeepingTitle backdoor"
+ author = "Sekoia.io"
+ id = "b1f705d1-de3e-4ce6-9bb7-0e39b6e79add"
+ date = "2023-05-31"
+ modified = "2024-12-19"
+ reference = "https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_operationmagalenha_vbs.yar#L1-L39"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "bb1c48ea6a4d9f0bc04df558837f2d448b38eac920cb4030e01b915a4e442708"
+ score = 75
+ quality = 78
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "'Skip to content" ascii
+ $str02 = "'Search" ascii
+ $str03 = "'Sign in" ascii
+ $str04 = "'Sign up" ascii
+ $str05 = "'Code" ascii
+ $str06 = "'Terms" ascii
+ $str07 = "'Privacy" ascii
+ $str08 = "'Security" ascii
+ $str09 = "'Status" ascii
+ $str10 = "'Docs" ascii
+ $str11 = "'Contact GitHub" ascii
+ $str12 = "'Pricing" ascii
+ $str13 = "'API" ascii
+ $str14 = "'Training" ascii
+ $str15 = "'Blog" ascii
+ $str16 = "'About" ascii
+ $vbs01 = "WScript.Sleep" ascii nocase
+ $vbs02 = "Set obj" ascii nocase
+ $vbs03 = "Dim obj" ascii nocase
+ $vbs04 = "https://tinyurl.com" ascii nocase 
+ $vbs05 = "C:\\Users\\Public" ascii nocase
+ $vbs06 = "CreateObject(\"WScript.Shell\")" ascii nocase
+ $vbs07 = ".SaveToFile" ascii nocase
+
+ condition:
+ 10 of ( $str* ) and 5 of ( $vbs* )
+}
+rule SEKOIA_Exploit_Linux_Eop_Rationallove_Strings : FILE
+{
+ meta:
+ description = "Detects RationalLove Local Privesc exploit"
+ author = "Sekoia.io"
+ id = "e71e026e-ca2c-42b7-b552-b3fd013676db"
+ date = "2023-12-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_linux_eop_rationallove_strings.yar#L1-L17"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "84a53a1d4f08e178a5cf1c968b3b98ae8624c3d052760517ec88bddd25833108"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/"
+ $ = "Detected OS version: %s"
+ $ = "Content-Type: text/plain; charset=UTF-8"
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 1MB and all of them
+}
+rule SEKOIA_Apt_Lazarus_Pondrat : FILE
+{
+ meta:
+ description = "Detects PondRAT via mangled command names"
+ author = "Sekoia.io"
+ id = "a957c158-a79a-4d7a-8473-b6960cf02d9b"
+ date = "2024-09-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_lazarus_pondrat.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "b62c912de846e743effdf7e5654a7605"
+ hash = "61d7b2c7814971e5323ec67b3a3d7f45"
+ hash = "ce35c935dcc9d55b2c79945bac77dc8e"
+ hash = "f50c83a4147b86cdb20cc1fbae458865"
+ hash = "05957d98a75c04597649295dc846682d"
+ hash = 
"33c9a47debdb07824c6c51e13740bdfe"
+ logic_hash = "49c5f635e3873a145479bb164838043921d012eef7dc8ad6373c43c8cf1f14e0"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $cmd_PondRAT1 = "_Z7MsgDownP11_TRANS_INFO" ascii
+ $cmd_PondRAT2 = "_Z5MsgUpP11_TRANS_INFO" ascii
+ $cmd_PondRAT3 = "_Z6MsgRunP11_TRANS_INFO" ascii
+ $cmd_PondRAT4 = "_Z6MsgCmdP11_TRANS_INFO" ascii
+
+ condition:
+ 3 of them and filesize < 4MB
+}
+rule SEKOIA_Backdoor_Lin_Bpfdoor : FILE
+{
+ meta:
+ description = "Detect the BPFDoor backdoor used by the Chinese TA Red Menshen"
+ author = "Sekoia.io"
+ id = "1776ff6f-6fbb-4a81-bcad-c43b5117c67c"
+ date = "2022-05-05"
+ modified = "2024-12-19"
+ reference = "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_lin_bpfdoor.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "c917bd12731d761645adea72bc68c50927a0c2b0c31b2109f7065a992d338329"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 }
+ $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? }
+ $op3 = { e8 a? 
fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 }
+ $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee }
+
+ condition:
+ uint32( 0 ) == 0x464c457f and filesize > 10KB and filesize < 50KB and ( all of ( $op* ) )
+}
+rule SEKOIA_Apt_Apt28_Ukrnet_Phishing_Page : FILE
+{
+ meta:
+ description = "Detects APT28 Phishing page"
+ author = "Sekoia.io"
+ id = "053158d8-aac0-486f-8432-834a06f41ed2"
+ date = "2024-09-02"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt28_ukrnet_phishing_page.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "20dc3a5beb8e3a7801e010b4113efef1"
+ hash = "5f1462144d7704101cd71c679ea0322b"
+ logic_hash = "3d077a7ce35094bcbda763c131d4564ffbcea0373f5cbd30406ada4e9db36529"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "baseurl+\"/captcha\""
+ $ = "(\"sessionID\", sessionID"
+ $ = ".responseJSON['origin"
+ $ = "var baseurl="
+ $ = "(req.responseText.includes("
+ $ = "else if (req.responseText=='FAIL')"
+ $ = "|| document.getElementById('confpwd"
+ $ = "/master/dist/text-security-disc.woff"
+
+ condition:
+ 4 of them and filesize < 500KB
+}
+rule SEKOIA_Apt_Susp_Apt28_Uac0063_Hatvibe
+{
+ meta:
+ description = "Detects some suspected UAC-0063/APT28 HTA loader"
+ author = "Sekoia.io"
+ id = "c4e04671-e75f-40a4-a489-79c2ce91cf7a"
+ date = "2024-07-25"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_susp_apt28_uac0063_hatvibe.yar#L1-L20"
+ license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725"
+ logic_hash = "41e1f97e45bc42ad3057cc173d036806687223782e54997e7803c888ee394b09"
+ score = 65
+ quality = 28
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "& temp(Mid(" ascii fullword
+ $ = ".InnerHTML =" ascii fullword
+ $ = "peceert" ascii fullword
+ $ = "window.setTimeout" ascii fullword
+ $ = "cmdline = Split(" ascii fullword
+
+ condition:
+ 3 of them
+}
+import "pe"
+
+rule SEKOIA_Apt_Nobelium_Nativezone_Gen : FILE
+{
+ meta:
+ description = "Detects NativeZone used in 2022"
+ author = "Sekoia.io"
+ id = "e16cac97-38dd-4145-95f5-cf641940a19b"
+ date = "2022-02-25"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_nobelium_nativezone_gen.yar#L3-L31"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "63ad9fc510541f98237fa5b254dc4a147539cbf485b2889d97bf3b619c3db3ae"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $rich = { 52 69 63 68 [4] 00 }
+ $obs = { C7 85 [8] C7 85 }
+ $nobs = { C7 85 [6] 00 00 C7 85 }
+
+ condition:
+ pe.DLL and filesize < 2500KB and pe.number_of_exports > 20 and pe.number_of_imports < 30 and ( pe.imports ( "kernel32.dll" , "VirtualAlloc" ) and pe.imports ( "kernel32.dll" , "VirtualProtect" ) ) and for any i in ( 0 .. pe.number_of_sections - 1 ) : ( pe.sections [ i ] . name == ".rdata" and pe.sections [ i ] . 
raw_data_size > 300000 ) and #obs > 300 and #nobs < 150 and not $rich
+}
+rule SEKOIA_Apt_Badmagic_Commonmagic_Main : FILE
+{
+ meta:
+ description = "Detects CommonMagic related implants"
+ author = "Sekoia.io"
+ id = "99983df5-89d6-4fac-81e6-16e5ab20bde3"
+ date = "2023-05-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_commonmagic_main.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "9bcfd6e9e150399c7f11abc41205119ddf24ea0fef5816ed905cd9b1e9ec5c1e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "graph.microsoft.com" ascii wide
+ $ = "children?select=name,size" ascii wide fullword
+ $ = "\\\\.\\pipe\\PipeCrDtMd" ascii wide fullword
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and all of them
+}
+rule SEKOIA_Apt_Buhtrap_Maldocx
+{
+ meta:
+ description = "Detect the malicious DOCX used by Buhtrap"
+ author = "Sekoia.io"
+ id = "4aaba2f1-fafd-4e3f-8b18-7beda11464d1"
+ date = "2022-02-25"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_buhtrap_maldocx.yar#L1-L25"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "69968fa6836a71cd835f40c5168d197d3b5fc13b62791279f48a6bdeb4709bd5"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = " 3MB
+}
+rule SEKOIA_Rat_Win_Lilith
+{
+ meta:
+ description = "Detect the Lilith malware"
+ author = "Sekoia.io"
+ id = "944637e6-c4e4-423f-9f4c-a26b4fce3729"
+ date = "2023-02-23"
+ modified = "2024-12-19"
+ reference = 
"https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_lilith.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "ac2ad9e68616e6e7d07e105293545c96b72c956dbcf3c3bf317460cafc13be48"
+ score = 75
+ quality = 76
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = {55 6d 56 6e 55 58 56 6c 63 6e 6c 57 59 57 78 31 5a 55 56 34 51 51 3d 3d}
+ $ = {67 65 74 61 64 64 72 69 6e 66 6f 3a 20 25 73}
+
+ condition:
+ all of them
+}
+rule SEKOIA_Apt_Scanbox_Framework_Not_Obfuscated : FILE
+{
+ meta:
+ description = "Detects the non obfuscated version of ScanBox"
+ author = "Sekoia.io"
+ id = "4790f122-89de-4f7b-a25f-9ac7b1af8333"
+ date = "2022-09-01"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_scanbox_framework_not_obfuscated.yar#L1-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "52779571eb4e68442542a1c4cff58d5b00a264bb567396126cd93dc4ec4eda45"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "php?m=a&data="
+ $ = "php?m=p&data="
+ $ = ".fun.split_data = function"
+ $ = ".php?data="
+ $ = ".php?m=b"
+ $ = "basic.apipath"
+ $ = ".info.seed ="
+ $ = "loadjs ="
+ $ = "info.color = screen.colorDepth"
+
+ condition:
+ 5 of them and filesize < 500KB
+}
+rule SEKOIA_Tool_Nping_Strings : FILE
+{
+ meta:
+ description = "Detects NPing"
+ author = "Sekoia.io"
+ id = "fcfd9539-b224-45b4-9252-0b4d56a40be4"
+ date = "2022-08-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_nping_strings.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "0c7216438e9c974d889e4ccc8cdb99ab18d1dc403820d60914b80ff9bc4528fa"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "http://nmap.org/nping"
+ $ = "nping scanme.nmap.org"
+ $ = "Bogus target structure passed to %s"
+ $ = "Packet too short."
+ $ = "read_arp_reply_pcap"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and 3 of them and filesize < 1MB
+}
+rule SEKOIA_Generic_Perl_Reverse_Shell : FILE
+{
+ meta:
+ description = "Detects simple reverse shell written in Perl"
+ author = "Sekoia.io"
+ id = "4eb2ef0d-3ada-4566-bd82-8c75d6931acc"
+ date = "2023-12-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_perl_reverse_shell.yar#L1-L17"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "d0a23db712746bac4684d6b4508dd891caf06d72af153b1a0ab489a93edbfaf4"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "open(STDIN,\">&S\");"
+ $ = "open(STDERR,\">&S\");"
+ $ = "use Socket;$i="
+
+ condition:
+ filesize < 300 and all of them
+}
+rule SEKOIA_Backdoor_Win_Volgmer : FILE
+{
+ meta:
+ description = "Detect the NukeSped variant called Volgmer used by Andariel"
+ author = "Sekoia.io"
+ id = "9468a66d-787c-488f-937b-22617c7a2ded"
+ date = "2023-09-04"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_volgmer.yar#L1-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "700fcfcc3df1d81af99db38e305f64ca87f8368fc0149c9ad64d75c2917ec1f3" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061" + hash2 = "7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b" + hash3 = "8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f" + hash4 = "1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1" + + strings: + $ = "Fixed" wide + $ = "CDRom" wide + $ = "Removable" wide + $ = "%.2fGB" wide + $ = "\\*.*" wide + $ = "Folder" wide + $ = "%.1fKB" wide + $ = "%.1fMB" wide + $ = "%s\\*.*" wide + $ = "%s\\%s\\%s" wide + $ = "%s\\%s%s" wide + $ = "Remote PC" wide + $ = "%s|%s|%s|%s|%s|%s|" wide + $ = "%s\\cmd.exe" wide + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Malware_Venom_Agent_Strings : FILE +{ + meta: + description = "Detects Venom agent strings" + author = "Sekoia.io" + id = "87633510-8b39-4eb1-b95b-4ebff21f3bba" + date = "2022-08-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_venom_agent_strings.yar#L1-L31" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "66dd1cb7bd66fcf78c8eaad8aaab7cfd624b898b7b479e571bacf5c4e48edac9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "dispather.handleDownloadCmd" + $ = "dispather.handleUploadCmd" + $ = "dispather.handleShellCmd" + $ = "dispather.handleSocks5Cmd" + $ = 
"dispather.handleLForwardCmd" + $ = "dispather.localLForwardServer" + $ = "dispather.handleRForwardCmd" + $ = "dispather.AgentHandShake" + $ = "dispather.AgentParseTarget" + $ = "dispather.PipeWhenClose" + $ = "dispather.handleSshConnectCmd" + $ = "node.(*NetworkTopology).InitNetworkMap" + $ = "node.CopyNet2Node" + $ = "node.(*Node).CommandHandler.func1" + $ = "node.(*Buffer).WriteLowLevelPacket" + $ = "protocol.(*Packet).ResolveDat" + $ = "netio.InitTCP.func2" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 10MB and 6 of them +} +rule SEKOIA_Apt_Turla_Kazuar_Variant_2023 : FILE +{ + meta: + description = "New variant of Kazuar observed in 2023" + author = "Sekoia.io" + id = "51e9de6a-5d8a-4627-8063-b70f78e78726" + date = "2023-11-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_turla_kazuar_variant_2023.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "98207fef906c922ff09f72b0dea7103c0fb86c5ec4712a23ecba6840b79b0ad5" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "Started from file '" ascii wide + $s2 = "Zombifying user's" ascii wide + $s3 = "Result #{0:X16} already exists in {1}" ascii wide + + condition: + uint16( 0 ) == 0x5a4d and 2 of them +} +rule SEKOIA_Apt_Queueseed : FILE +{ + meta: + description = "Detects strings of Queueseed/Kapeka malware" + author = "Sekoia.io" + id = "35f7ffd5-4f6f-4b31-8d60-c713a15d14e8" + date = "2024-04-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_queueseed.yar#L1-L28" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "80d1135d63a351cabf45d2266c0ffc770e11669103107cd40caf00eb62c836ed" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = {2D 00 6F 00 00 00} + $ = {2D 00 62 00 63 00 00 00} + $ = {20 00 00 00 00 00 00 00} + $ = {20 00 2D 00 77 00 00 00} + $ = {35 00 3A 00 20 00 00 00} + $ = {34 00 3A 00 20 00 00 00} + $ = {33 00 3A 00 20 00 00 00} + $ = {32 00 3A 00 20 00 00 00} + $ = {31 00 3A 00 20 00 00 00} + $ = {50 00 49 00 44 00 20 00 3A 00 20 00 00 00 00 00} + $ = "ExitCode : " wide + + condition: + uint16be( 0 ) == 0x4d5a and all of them and filesize < 200KB +} +rule SEKOIA_Rat_Win_Borat : FILE +{ + meta: + description = "Detect the Borat RAT besed on specific strings" + author = "Sekoia.io" + id = "9f8badb3-ee8b-45d9-8515-c847351bb1f5" + date = "2022-04-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_borat.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "53d6d9fe6b3218d97079e624379863d927d0b783b24acbda359b18daafb5162e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "BoratRatMutex_Sa8XOfH1BudX" ascii + $str1 = "BoratRat.exe" ascii + $str2 = "BoratRat" ascii + $str3 = "CN=BoratRat" wide + $str4 = "Sending plugun to " wide + $str5 = "Save recorded file fail " wide + $str6 = "Sa8XOfH1BudX" wide + $str7 = "Alert when process activive." 
wide + $str8 = "disableDefedner" wide + $str9 = "bin\\Ransomware.dll" wide + $str10 = "disableDefedner" wide + + condition: + uint16( 0 ) == 0x5A4D and 7 of them +} +rule SEKOIA_Bot_Lin_Enemybot_April22 : FILE +{ + meta: + description = "Detect enemybot based on command line observed in strings" + author = "Sekoia.io" + id = "5778c653-39ce-4f5d-b10b-1503b74e5041" + date = "2022-04-14" + modified = "2024-12-19" + reference = "https://twitter.com/3xp0rtblog/status/137520616938452173://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/bot_lin_enemybot_april22.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "18ea06e60259f8d7d639b0e4659f0f5e166e9589d617f5766c06968af5e56aa6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $cmd0 = "wget http://%s/update.sh" ascii + $cmd1 = "busybox wget http://%s/update.sh" ascii + $cmd2 = "curl http://%s/update.sh" ascii + $cmd3 = "chmod 777 update.sh" ascii + $cmd4 = "rm -rf update.sh" ascii + $str0 = "ENEMEYBOT" ascii xor + $str1 = "KEKSEC" ascii xor + $str2 = "/tmp/.pwned" ascii xor + $str3 = "echo -e \"\x65\x6e\x65\x6d\x79" + + condition: + ( uint32( 0 ) == 0x464c457f or uint32( 0 ) == 0xfeedfacf ) and ( 4 of ( $cmd* ) or 2 of ( $str* ) ) +} +rule SEKOIA_Implant_Win_Flagpro : FILE +{ + meta: + description = "Detect the Flagpro malware used by Blacktech" + author = "Sekoia.io" + id = "08dd2de4-b359-424f-af04-7f294d519363" + date = "2022-04-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_flagpro.yar#L1-L26" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "eb1aba9924af474d6d890572a9bf72e0d1aa5dc31dd4cc34648195b0207ab4d6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "" ascii + $ = "" ascii + $ = "" ascii + $ = "
" ascii + $ = "TODO: Place controls here." ascii + $ = "" ascii + $ = "   " ascii + $about_loader = /About V[0-9]+\.[0-9]+_Loader.../ wide + $path = "f:\\dd\\vctools\\vc7libs\\ship\\atlmfc\\include\\" wide + $regitry = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\" wide + + condition: + uint16( 0 ) == 0x5A4D and all of them +} +rule SEKOIA_Apt_37_Chinotto : FILE +{ + meta: + description = "Detects obfuscation and string of APT37 stealer" + author = "Sekoia.io" + id = "eff8fd11-dc7a-4011-b083-181d0cca8790" + date = "2023-02-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_37_chinotto.yar#L1-L50" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a721f102b4c9568379649f8004fa4eb460240145ab829d8ce3740dafb52d13c8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "feab7940559392bbf38f29267509340569160e0a3b257fd86e5c65ae087ea014" + hash2 = "c9d2c8b6011a53e68e4a6c6e51142cef3348951d0b379e49b1a65a1891538df5" + hash3 = "2f5be3773e7e3a2f6806cdef154adfabc454c0e57a49e437c5889ce09b739302" + hash4 = "5bf170c95ca0e2079653d694f783b5bcd38f274ea875f67f0b60db4ac552a66c" + hash5 = "6fad04c836bc923f12ebaec8d8fb0c7091b044bf6f5c97e36d7bf46b8494f978" + hash6 = "64fe964f342acca6d85d247c4f67503e4222a58dfc5c644dedc2006a4b356d39" + hash7 = "6e216b265ea391f71f2a609df995f36b9ba8b17c8859f6d8e4ce4a076d351efd" + hash8 = "70dcc03cde3dd5c5ec6a6a240190cfb51667aaba9c867e20281e8dfc43afa891" + hash9 = "5053390bde150b771f8efe344b692c6c5718ba9203a4b23f5323af1ee9060ff2" + hash10 = "089e4dfd8b25afe596eff05baae86156a4e3243c84faa15416cff31a5120e107" + hash11 = "37e096338a78cb06d6236cb5a04cf125f191871ded3c9421f08a37890a095eb8" + hash12 = "b90a2b0249407b271a5d849fe82cbf4e9a31c2c6259caf515c9be3897e327414" + hash13 = 
"8f4751ed22619b04009c4b85ec45c8140b570835ca4c638c9e6019e7b7eb66c7" + + strings: + $chunk_1 = { + C7 85 ?? ?? ?? ?? ?? ?? ?? 00 + C7 85 ?? ?? ?? ?? ?? ?? ?? 00 + 33 C0 + EB 03 + 8D 49 00 + 8B 8C 85 ?? ?? ?? ?? + 3B 8C 85 ?? ?? ?? ?? + } + $chunk_2 = { + C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00 + C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00 + 33 C0 + EB 0D + 8D A4 24 00 00 00 00 + 8D 9B 00 00 00 00 + 8B 8C 84 ?? ?? ?? ?? + 3B 8C 84 ?? ?? ?? ?? + } + $movs_zip_dir_start = { C7 45 ?? 5A 69 70 20 C7 45 ?? 44 69 72 20 C7 45 ?? 53 74 61 72 C7 45 ?? 74 20 2D 20} + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 1MB and ( $chunk_1 or $chunk_2 ) and $movs_zip_dir_start +} +rule SEKOIA_Infostealer_Win_Aurora : FILE +{ + meta: + description = "Finds Aurora samples based on characteristic strings" + author = "Sekoia.io" + id = "22ae81b4-647f-4b46-9b2a-dd96e0615d65" + date = "2022-11-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_aurora.yar#L1-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e88cbb012ffb65aa8a70b76163a834c0bc4615b0effc93945c6d915e33c04549" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str00 = "I'm a teapot" ascii + $str01 = "wmic cpu get name" ascii + $str02 = "wmic path win32_VideoController get" ascii + $str03 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones" ascii + $str04 = "Exodus\\exodus.wallet" ascii + $str05 = "PaliWallet" ascii + $str06 = "cookies.sqlite" ascii + $str07 = "Startup\\Documents\\User Data" ascii + $str08 = "atomic\\Local Storage\\leveldb" ascii + $str09 = "com.liberty.jaxx\\IndexedDB" ascii + $str10 = "Guarda\\Local Storage\\leveldb" ascii + $str11 = "AppData\\Roaming\\Telegram Desktop\\tdata" 
ascii + $str12 = "Ethereum\\keystore" ascii + $str13 = "Coin98" ascii + $str14 = ".bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml.zip" ascii + $str15 = "type..eq.main.Grabber" ascii + $str16 = "type..eq.main.Loader_A" ascii + $str17 = "type..eq.net/http.socksUsernamePassword" ascii + $str18 = "powershell" ascii + $str19 = "start-process" ascii + $str20 = "http/httpproxy" ascii + + condition: + uint16( 0 ) == 0x5A4D and 15 of them and filesize > 4MB +} +rule SEKOIA_Spyware_And_Strongpity_Mobile_Backdoor : FILE +{ + meta: + description = "Detect the mobile backdoor using the name used in the certificate" + author = "Sekoia.io" + id = "58ceb85b-d94f-47b2-86e4-59bd41f4fea8" + date = "2023-01-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/spyware_and_strongpity_mobile_backdoor.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9005fe938433223f32642f6bbf7c4c58f0b927a006e283c8b12f79103ec02cfc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "Elizabeth Mckinsen0" + + condition: + all of them and filesize > 2MB +} +rule SEKOIA_Infostealer_Win_Stealc_Str_Oct24 : FILE +{ + meta: + description = "Finds Stealc standalone samples (or dumps) based on the strings" + author = "Sekoia.io" + id = "7448fafe-206c-4f9c-b5a3-cbabec12a45b" + date = "2024-10-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_stealc_str_oct24.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"4f7fece81c3fe1e56b57aed4030b48331b53443a200799046fe84c895b591a71" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "-nop -c \"iex(New-Object Net.WebClient).DownloadString(" ascii + $str02 = "Azure\\.IdentityService" ascii + $str03 = "steam_tokens.txt" ascii + $str04 = "\"encrypted_key\":\"" ascii + $str05 = "prefs.js" ascii + $str06 = "browser: FileZilla" ascii + $str07 = "profile: null" ascii + $str08 = "url:" ascii + $str09 = "login:" ascii + $str10 = "password:" ascii + $str11 = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" ascii + $str12 = "ChromeFuckNewCookies" ascii + $str13 = "/c timeout /t 10 & del /f /q \"" ascii + + condition: + uint16( 0 ) == 0x5A4D and 9 of them +} +rule SEKOIA_Tool_Pivotnacci +{ + meta: + description = "Detects Pivotnacci" + author = "Sekoia.io" + id = "31ecb08a-fc92-4cbe-a865-7ce869a5fa6a" + date = "2024-04-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_pivotnacci.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b0e4bc997775fb5ff258a23e07a58b4897a2ce9d3fffab86e93919857e566d18" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $pivotnacci = "pivotnacci" + $s1 = "Socks server => %s:%s" + $s2 = "The default listening address" + $s3 = "Socks server for HTTP agents" + $s4 = "Message returned by the agent web page" + $s5 = "Password to communicate with the agent" + $s6 = "To specify agent type in case is not automatically detected." 
+ + condition: + $pivotnacci and 3 of ( $s* ) +} +rule SEKOIA_Hacktool_Dnscat2_Strings : FILE +{ + meta: + description = "Detects DNSCat2 based on strings" + author = "Sekoia.io" + id = "9655cdd7-c7fe-4033-bdd9-bdfcfd2bf827" + date = "2022-02-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_dnscat2_strings.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "40d906ca3a00f7d3e2f8d043dbbc77a2a57fd133f4812b863aec6d5a0f57a8c9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Creating a exec('%s') session!" + $ = "RROR parsing --dns" + $ = "Got a ping request! Responding!" + $ = "[Tunnel %d] Received %zd bytes" + $ = "[Tunnel %d] connection to %s:%d" + $ = "You'll need to use --dns server=" + $ = "Setting delay between packets to %dms" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and 3 of them +} +rule SEKOIA_Apt_Gobrat_2 : FILE +{ + meta: + description = "Detects GobRat related files" + author = "Sekoia.io" + id = "6b7e38f5-00bc-49c8-b34d-3e878bf426d8" + date = "2024-09-10" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gobrat_2.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9f2fdbe2cc39c91b2ac8904fb29a0142bf770859d17590017920203641860a13" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "thisisweird" ascii + $ = "ZzZzZzZzZzZz" + + condition: + all of them and uint32be( 0 ) == 0x7f454c46 +} +rule SEKOIA_Apt_Apt33_Falsefont : FILE +{ 
+ meta: + description = "FalseFont backdoor" + author = "Sekoia.io" + id = "d77c1f5b-9898-456f-954a-ac1f0907a2ba" + date = "2024-03-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt33_falsefont.yar#L1-L38" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "2eafe15d8e0df1b63b32463c4b44a9dc1d4251d01c15be20e4285c31e75b8348" + score = 75 + quality = 53 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s0 = "Agent.Core.WPF" + $s1 = "data2.txt" wide fullword + $s2 = "data.txt" wide fullword + $s3 = "Loginvault.db" wide fullword + $command1 = "ExecUseShell" ascii + $command2 = "ExecAndKeepAlive" ascii + $command3 = "CMD" ascii + $command4 = "PowerShell" ascii + $command5 = "KillByName" ascii + $command6 = "KillById" ascii + $command7 = "Download" ascii + $command8 = "Upload" ascii + $command9 = "Delete" ascii + $command10 = "GetDirectories" ascii + $command11 = "ChangeTime" ascii + $command12 = "SendAllDirectory" ascii + $command13 = "UpadateApplication" ascii + $command14 = "Restart" ascii + $command15 = "GetProcess" ascii + $command16 = "SendAllDirectoryWithStartPath" ascii + $command17 = "GetDir" ascii + $command18 = "GetHard" ascii + $command19 = "GetScreen" ascii + $command20 = "StopSendScreen" ascii + + condition: + uint16be( 0 ) == 0x4d5a and 15 of ( $command* ) and 3 of ( $s* ) +} +rule SEKOIA_Apt_Cloudatlas_Powershower_Obfuscated : FILE +{ + meta: + description = "Detects obfuscated version of PowerShower" + author = "Sekoia.io" + id = "f76ab9d8-7753-4a17-aedd-fc9c3b8cd322" + date = "2022-11-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_powershower_obfuscated.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fdb1edb3982eb5356cdf5fd1fa9fcc41d5048848b2a05589e87836ac0b05ec7a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "{0}{1}{2}{3}{4}{5}{6}{7}{8}" ascii wide + $s2 = "{000}{001}{002}{003}{004}{005}{006}{007}{008}" ascii wide + $s3 = "::Unicode.GetString([System.Convert]::FromBase64String(" ascii wide + + condition: + ($s1 in ( 0 .. 100 ) or $s2 in ( 0 .. 100 ) ) and $s3 in ( filesize -200 .. filesize ) +} +rule SEKOIA_Apt_Apt37_Malicious_Hta_File : FILE +{ + meta: + description = "Detects malicious APT37 files" + author = "Sekoia.io" + id = "22a98c27-8ff4-4760-b505-f8eacf4dabda" + date = "2023-03-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt37_malicious_hta_file.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "85289bea86641ea9c359c361d075783449d453017485170abc87c47872792210" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "" nocase + $s2 = " UwB0AGEAcgB0AC0AUwBs" ascii + $s3 = "= new ActiveXObject(" ascii + $s4 = "\", \"\", \"open\", 0);" ascii + $s5 = ".moveTo(" ascii + $s6 = "self.close();" + + condition: + $s1 at 0 and all of them and filesize < 1MB +} +rule SEKOIA_Apt_Gamaredon_Vbs_Downloader : FILE +{ + meta: + description = "Detects small VBS loader" + author = "Sekoia.io" + id = "13b63570-2f18-4b35-8087-9ab15c58a0d1" + date = "2023-02-08" + modified = "2024-12-19" + reference = 
"https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_vbs_downloader.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e3ae516ea18f2912b7f0fb7864542ae609167fb29751b87cbf6f9cd34ec858ba" + score = 75 + quality = 68 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "on error resume next" nocase ascii wide + $s2 = "String('http" nocase ascii wide + $s3 = "send()" nocase ascii wide + $s4 = ")|Invoke-Expression" nocase ascii wide + $s5 = "'); Invoke-Expression $" nocase ascii wide + $s6 = "');Invoke-Expression $" nocase ascii wide + + condition: + $s1 and ( $s2 or $s3 ) and ( $s4 or $s5 or $s6 ) and filesize < 1KB +} +rule SEKOIA_Infostealer_Win_Phoenixwave : FILE +{ + meta: + description = "Detect the PhoenixWave infostealer based on specific strings" + author = "Sekoia.io" + id = "67c05ea8-2f1b-4c60-b108-e05d7d0c6508" + date = "2022-04-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_phoenixwave.yar#L1-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "efeffb2f0df4c2f8156c401bac5f44c415c4c3e02e84e8db55dad68488f39fea" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "##################################################\n Information\n##################################################\n" wide + $str1 = "Specify a single character: either D or F" wide + $str2 = "// This SFX source file was generated by DotNetZip " wide + $str3 = "aHR0cDovL2lwLWFwaS5jb20vanNvbg==" wide + $str4 = "TG9jYWxBcHBEYXRh" wide + $str5 = 
"UGhvZW5peFdhdmU=" wide + $str6 = "virustotal" wide + $str7 = "SELECT * FROM win32_operatingsystem" wide + $str8 = "SELECT * FROM Win32_VideoController" wide + $app0 = "\\discordcanary\\Local Storage\\leveldb" wide + $app1 = "\\discordptb\\Local Storage\\leveldb" wide + $app2 = "\\discorddevelopment\\Local Storage\\leveldb" wide + $app3 = "\\D877F783D5D3EF8C\\" wide + $app4 = "\\IndexedDB\\file__0.indexeddb.leveldb" wide + $app5 = "\\Steam\\Games.txt" wide + $app6 = "nkbihfbeogaeaoehlefnkodbefgpgknn" wide + $app7 = "fhbohimaelbohpjbbldcngcnapndodjp" wide + $app8 = "fnjhmkhhmkbjkkabndcnnogagogbneec" wide + $app9 = "\\Opera Software\\Opera GX Stable" wide + + condition: + uint16( 0 ) == 0x5A4D and 7 of ( $str* ) and 8 of ( $app* ) +} +rule SEKOIA_Tool_Enum4Linux_Strings +{ + meta: + description = "Detects enum4linux based on strings" + author = "Sekoia.io" + id = "6b3094fe-1292-4da3-a1ed-9e255be531da" + date = "2024-02-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_enum4linux_strings.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d3f7ddbdfb679b34777298aec84464d55fac7600b855526a7f13d8c8f17ab888" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "my $os_info = `$command`;" + $ = "($global_workgroup) = $os_info =~" + $ = "sub enum_groups {" + $ = "if ($shares =~ /NT_STATUS_ACCESS_DENIED/) {" + $ = "Can't open share list file $shares_file" + $ = "my $users = `$command`;" + $ = "my @shares = ;" + $ = "foreach my $grouptype (\"builtin\", \"domain\") {" + + condition: + 6 of them +} +rule SEKOIA_Crime_Sload_Mainpowershellimplant : FILE +{ + meta: + description = "Detects the main PowerShell implant" + author = "Sekoia.io" + id = "09d268e7-d688-4390-856e-9e9ed47aec04" + 
date = "2022-08-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crime_sload_mainpowershellimplant.yar#L1-L31" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "37ec263dddf7719d03a3d58b4b196597737a1e28f8072f3933cdf954f2b696cd" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $c1 = "priority FOREGROUND" + $c2 = "app|Services|RuntimeBroker|Search|host" + $c3 = "([wmiclass]\"win32_Process\").create(" + $c4 = "Start-Sleep -seconds" + $c5 = "while($e -eq 1){ $dCnt++;" + $d1 = "112,114,105,111,114,105,116,121,32,70,79,82,69,71,82,79,85,78,68" + $d2 = "97,112,112,124,83,101,114,118,105,99,101,115,124,82,117,110,116,105,109,101,66,114,111,107,101,114,124,83,101,97,114,99,104,124,104,111,115,116" + $d3 = "40,91,119,109,105,99,108,97,115,115,93,34,119,105,110,51,50,95,80,114,111,99,101,115,115,34,41,46,99,114,101,97,116,101,40" + $d4 = "83,116,97,114,116,45,83,108,101,101,112,32,45,115,101,99,111,110,100,115" + $d5 = "119,104,105,108,101,40,36,101,32,45,101,113,32,49,41,123,32,36,100,67,110,116,43,43,59" + $b1 = "priority FOREGROUND" base64 + $b2 = "app|Services|RuntimeBroker|Search|host" base64 + $b3 = "([wmiclass]\"win32_Process\").create(" base64 + $b4 = "Start-Sleep -seconds" base64 + $b5 = "while($e -eq 1){ $dCnt++;" base64 + + condition: + 3 of ( $c* ) or 3 of ( $d* ) or 3 of ( $b* ) and filesize < 30KB +} +rule SEKOIA_Loader_Amadey_Stealer_Plugin : FILE +{ + meta: + description = "Finds Amadey's stealer plugin based on characteristic strings" + author = "Sekoia.io" + id = "50154e39-98b3-40e5-8986-18bbb7b15647" + date = "2023-05-16" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_amadey_stealer_plugin.yar#L1-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0410492f9424797b670a14f43ce063458e59d7958e213c07c3d488a40bf370e6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "STEALERDLL.dll" ascii + $str02 = "?wal=1" fullword ascii + $str03 = "Content-Disposition: form-data; name=\"data\"; filename=\"" ascii + $str04 = "tar.exe -cf \"" ascii + $str05 = "SELECT origin_url, username_value, password_value FROM logins" ascii + $str06 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii + $str07 = "\\SputnikLab\\Sputnik\\User Data\\Default\\Login Data" ascii + $str08 = "\\Mozilla\\Firefox\\Profiles\\" ascii + $str09 = "\"hostname\":\"([^\"]+)\"" ascii + $str10 = "\"encryptedUsername\":\"([^\"]+)\"" ascii + $str11 = "\"encryptedPassword\":\"([^\"]+)\"" ascii + $str12 = "&cred=" fullword ascii + $str13 = "D:\\Mktmp\\Amadey\\StealerDLL\\x64\\Release\\STEALERDLL.pdb" ascii + + condition: + uint16( 0 ) == 0x5A4D and 7 of them +} +rule SEKOIA_Apt_Badmagic_Ld_Dll_Loader_Pshscript : FILE +{ + meta: + description = "Detects BadMagic DLL Loader powershell script" + author = "Sekoia.io" + id = "d4a23afc-693f-4fab-b2c4-15eecba047f7" + date = "2023-05-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_ld_dll_loader_pshscript.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8482521fe1f90c008948e551df35448b870145cf8b58f3c5019cafb66bb0ae36" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = 
"$ModulePath = \"$folder_path\\$name" + $ = "$ModuleExport =" + $ = "start-job -ScriptBlock $ScriptBlock" + $ = "Invoke-WebRequest -Uri" + + condition: + all of them and filesize < 1KB +} +rule SEKOIA_Apt_Gamaredon_Lnk_Spreader : FILE +{ + meta: + description = "Detects LNK generated by Gamaredon LNK spreader" + author = "Sekoia.io" + id = "2866ca1d-c094-49ba-b1de-ff9a60680e28" + date = "2023-06-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_lnk_spreader.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "7d6264ce74e298c6d58803f9ebdb4a40b4ce909d02fd62f54a1f8d682d73519a" + logic_hash = "e8a82fd4cdce7bc888184ccf8d182ab5bb53e30de04b02b7c63379bae5d21b1f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "windoWSTYLE hiDdEn -NOlOgo iEX" wide nocase + $ = "(IeX (geT-coNtEnT" wide nocase + + condition: + uint32be( 0 ) == 0x4C000000 and filesize < 3KB and all of them +} +rule SEKOIA_Tool_Ladon_Strings : FILE +{ + meta: + description = "Detects Ladon based on strings" + author = "Sekoia.io" + id = "7f06f755-a103-4e74-a9df-136355775233" + date = "2024-06-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_ladon_strings.yar#L1-L61" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6f2a34bddea2a2370c0a45cde888f51632689973373e3c6ba739a34dc220bfa1" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $a1 = ".GetType('Ladon.Scan')" + $a2 = "= New-object Byte[](" + $a3 = 
"([IO.MemoryStream][Convert]::FromBase64String(" + $b1 = "DeflateStream([IO.MemoryStream][Convert]::FromBase64String(" + $b2 = "))}}}}}}}}}" + $b3 = "::Main(@($" + $b4 = "))} else {If(" + $b5 = "= [Reflection.Assembly]::Load(" + $c1 = "ChatLadon.Form1.resources" + $c2 = "ChatLadon.Properties.Resources.resources" + $c3 = "WebClientUploadEvent" + $c4 = "WebClientDownloadEvent" + $c5 = "K8robot" + $c6 = "K8IPselect" + $d1 = "loadASM" + $d2 = "ConsoleApp1.exe" + $d3 = "K8Ladon" + $e1 = "get_network_16px_1219919_easyicon_net" + $e2 = "K8gege" + $e3 = "LadonExpBuild" + $f1 = "Ladon url.txt CitrixVer" + $f2 = "Ladon MssqlCmd" + $f3 = "Example: Ladon " + $f4 = "k8gege.org" + $f5 = "K8crack" + $g1 = "LadonStudy.exe" + $g2 = "LadonStudy.frmMain.resources" + $g3 = "LadonStudy.Properties.Resources.resources" + $g4 = "K8gege" + $h1 = "LadonShell.exe" wide + $h2 = "ForceRemove" + $h3 = "GetUserObjectInformationA" + + condition: + ( all of ( $a* ) or all of ( $b* ) or all of ( $c* ) or all of ( $d* ) or all of ( $e* ) or all of ( $f* ) or all of ( $g* ) or all of ( $h* ) ) and filesize < 5MB +} +import "hash" +import "pe" + +rule SEKOIA_Installer_Win_Minibus : FILE +{ + meta: + description = "Detect MINIBUS installer" + author = "Sekoia.io" + id = "0f7f600d-d93b-4b5a-aa0e-7d91038409e6" + date = "2024-04-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/installer_win_minibus.yar#L4-L27" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "24326c9f5dcb7e66d47b65bf6bec6fe78be18c8d41a3039fbd09b453568a3f8f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "26ca51cb067e1fdf1b8ad54ba49883bc5d1945952239aec0c4840754bff76621" + hash2 = "90fa29cc98be1d715df26d22079bdb8ce1d1fd3ce6a4efb39a4c192134e01020" + + strings: + 
$ = "\\essential.dat" + $ = "TorvaldInitial.dll" + + condition: + uint16be( 0 ) == 0x4d5a and 1 of them or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "de3fb5d4419eb6b943872dd6e3dd93d19584ef2b158aa3158b3b09f0a9b628ef" ) +} +rule SEKOIA_Loader_Win_Jinxloader_Strings : FILE +{ + meta: + description = "Finds JinxLoader samples based on the specific strings" + author = "Sekoia.io" + id = "fd2f7e8c-f4a8-4452-bbc6-e03790f8ed89" + date = "2023-12-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_jinxloader_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "816cb6019cba1aa2e229ab476fcdf378348981920cbe17d3dfb875f8b2dcbf81" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "JinxV2" ascii + $str02 = "main.main.func1" ascii + $str03 = "go.shape.struct" ascii + $str04 = ".glob..func" ascii + + condition: + uint16( 0 ) == 0x5A4D and all of them and #str04 > 100 and filesize > 8MB +} +rule SEKOIA_Apt_Unc3524_Quietexit_Strings : FILE +{ + meta: + description = "Detect the QUIETEXIT malware used by UNC3524" + author = "Sekoia.io" + id = "1bfa9baa-40a3-4ad7-83dc-f9340fbed180" + date = "2022-05-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_unc3524_quietexit_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9f8bc7516fdefd94c6bddaf77ea3ac1ba8a3a6380530118c4b28d74b42eaae54" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" 
+ classification = "TLP:CLEAR" + + strings: + $ = "Child connection from %s:%s" ascii + $ = "Failed to run %s" ascii + $ = "add %s %s %s" ascii + $ = "/usr/bin/xauth -q" ascii + $ = "/tmp/dropbear-%" ascii + $ = "cron" ascii + $ = { DD E5 D5 97 20 53 27 BF F0 A2 BA CD 96 35 9A AD 1C 75 EB 47 } + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize > 1MB and 5 of them +} +rule SEKOIA_Tool_Webshell_B374K_Strings : FILE +{ + meta: + description = "Detects b374k webshell" + author = "Sekoia.io" + id = "f53fc668-e1fc-4b85-b850-59aceefb6418" + date = "2024-09-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_webshell_b374k_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "1d27b23fceecbb9e854c41f6a8fb878e" + hash = "71fd853a3f3efc3dc2846e866187ee59" + hash = "187e001c32487d0d68197ddb7e7796c3" + hash = "6eac497dfc1020a8475e95542fad197e" + hash = "61c6a0bc15efa442853f04bb276ac96e" + logic_hash = "b085a50d50fc1fd06d6f75397cf1fa6fa1bc4a0d18b56ed3458990f4abde0632" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$func('$x','ev'.'al'.'(" + $ = "(ba'.'se'.'64'.'_de'.'co'.'de($x)))" + + condition: + 2 of them and filesize < 1MB +} +rule SEKOIA_Backdoor_Win_Spacecolon : FILE +{ + meta: + description = "Finds Spacecolon samples based on specific strings (ScHackTool component)" + author = "Sekoia.io" + id = "ae09f0e2-e913-44d5-abe1-715170368cc8" + date = "2023-08-25" + modified = "2024-12-19" + reference = "https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_spacecolon.yar#L1-L39" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1251df19c521e9ee9da307d56eea265265f2bee4a8e7eec099e4ebfb4e2bd7a2" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Before Work" ascii + $str02 = "DEFENDER OFF" ascii + $str03 = "Stop Service" ascii + $str04 = "Kill All (Default)" ascii + $str05 = "Keyboard EN" ascii + $str06 = "After Work" ascii + $str07 = "Del Shadow Log" ascii + $str08 = "Kill OSK" ascii + $str09 = "PWGEN" ascii + $str10 = "Character :" ascii + $str11 = "PW GEN" ascii + $str12 = "Cobian UI Pass" ascii + $str13 = "Credssp" ascii + $str14 = "Username :" ascii + $str15 = "Password :" ascii + $str16 = "TSpeedButton" ascii + $str17 = "Ab1q2w3e!" ascii + $str18 = "PC Details" ascii + $str19 = "Mimi Dump" ascii + $str20 = "MIMI Dump" ascii + $str21 = "powershell -ExecutionPolicy Bypass -File \"" wide + $str22 = "lastlog.txt" wide + $str23 = "$AdminGroupName = (Get-WmiObject -Class Win32_Group -Filter 'LocalAccount = True AND SID = \"S-1-5-32-544\"').Name" wide + $str24 = "net localgroup $AdminGroupName " wide + + condition: + uint16( 0 ) == 0x5a4d and 17 of them +} +rule SEKOIA_Guloader_Lnk_File : FILE +{ + meta: + description = "LNK file delivering Guloader" + author = "Sekoia.io" + id = "ecc07753-0910-445b-bf84-911b17195894" + date = "2024-02-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/guloader_lnk_file.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d69038a8b26c7fc7ba7b0968c7c91b589b25512dcf7e3ad5ee56453a4654a1ab" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "$PSHOME" wide + $s2 = "&(${" wide + $s3 = 
"}::ToString(" wide + $s4 = "$([TYPE]${" wide + + condition: + uint32be( 0 ) == 0x4c000000 and all of them +} +rule SEKOIA_Apt_Kimsuky_Malicious_Gotopwsh_Lnk : FILE +{ + meta: + description = "Detects malicious LNK used by Kimsuky" + author = "Sekoia.io" + id = "cfe9adf5-2c06-4d04-8006-c4eea0dab549" + date = "2023-09-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_malicious_gotopwsh_lnk.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1537ea232e745b1ed9e4b7f6b9ba779a3498f5edf0c46bdccfdc511137b2bb3a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = {67 00 6f 00 74 00 6f 00 26 00 70 00 5e 00 6f 00 77 00 5e 00 65 00 5e 00 72 00 73 00 5e 00 68 00 65 00 5e 00 6c 00 5e 00 6c} + + condition: + uint32be( 0 ) == 0x4c000000 and all of them +} +rule SEKOIA_Infostealer_Win_Ducklogs : FILE +{ + meta: + description = "Detects DuckLogs based on specific strings" + author = "Sekoia.io" + id = "165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5" + date = "2022-12-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_ducklogs.yar#L1-L30" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5db1a5595ec41488da620606bbcb36d0d686f9d6b7a0479439c53625df0886a0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $dck = "DuckLogs" ascii wide + $str01 = "CheckRemoteDebuggerPresent" ascii + $str02 = "MozGlueNotFound" ascii + $str03 = "get_DecryptedPassword" ascii + $str04 = "get_Extension" ascii + $str05 = 
"set_UseShellExecute" ascii + $str06 = "FirefoxPasswords" ascii + $str07 = "GetAllGeckoCookies" ascii + $str08 = "GetAllBlinkDownloadsBy" ascii + $str09 = "Grabbers" ascii + $str10 = "Utility" ascii + $str11 = "Persistance" ascii + $str12 = "Clipboard" ascii + $str13 = "WaterfoxGrabber" ascii + $str14 = "AvastGrabber" ascii + + condition: + uint16( 0 ) == 0x5A4D and ( ( #dck > 4 and 2 of ( $str* ) ) or 12 of them ) +} +rule SEKOIA_Apt_Kimsuky_Sharptongue_Vbslauncher_Strings : FILE +{ + meta: + description = "Detects VBS Launchers used by SharpTongue" + author = "Sekoia.io" + id = "82bd648c-2961-4945-950e-8fb1e4650338" + date = "2022-07-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_sharptongue_vbslauncher_strings.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9e1383a71b4ab5ca1de5016061f0e9c83e6f3e1a41eef25dae15cd1aab8b581f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "powershell" ascii wide + $ = "On Error Resume Next" ascii wide + $ = "oShell.run(tmp0,0" ascii wide + + condition: + all of them and filesize < 10KB +} +rule SEKOIA_Xworm_Dotnet_Injector +{ + meta: + description = ".NET injector used by XWorm TA" + author = "Sekoia.io" + id = "50581a9d-afc3-43da-9e34-3a553cbd01b4" + date = "2022-12-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/xworm_dotnet_injector.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "4777edacf4719e602ae1fb7204ea97cd594277faa1c2b7ad430066ad82b40768" + score = 75 + quality = 80 + 
tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $first_payload = "jBGIcSr2fKhj1ZT2YNLBTcYYeAw/vWUT98dCA/H6hpI+dY+lkoSe1ATx7XEIXKtAdTSwl1PKhNROoxstXsnsHTZbS2ikRLv6lmHd5v09DltsPeXIOA789wZC8qR1OScJFohGxuWQSQ8K2TAFUQAntIFdX+Om1QZUARdDnb4f+P8VFucU9avWD75yK1IcTDDDEYwvm/rwUYTqWitcrfIY+aFcgQwyvEzkN7Pbsah4Kts+XmK0C3TzlnDd2mz6TdsPphGbBxcbBdZGMTyzunZUEKRYea7xM6u+az9v7m6a1G6vhsSqz4C/nleDmzL2dIVnVR6Ni6+0hlExcP" wide + $rijndael_key1 = { e5 a0 b1 e8 89 be e8 8e 8e e4 bb a3 e5 ba b5 e9 85 8d e7 89 b9 e6 b0 8f e5 85 8b e9 9b 99 e8 89 be e5 8b 92 e6 8b 89 e6 a1 83 e9 ad 9a e6 88 91 e6 96 af e6 a1 83 e5 ba 95 e5 be b7 } + $rijndael_key2 = { e7 9b 9f e7 91 aa e6 a1 83 e9 87 91 e5 90 89 e9 97 95 e5 a0 b1 e9 9b 99 e9 97 95 e5 96 ac e5 ba 95 e5 a0 b1 e5 be b7 e6 8b 89 e5 92 8c e7 a0 b4 e7 88 be e9 a6 ac e6 88 91 e5 8a a0 } + $rijndael_key3 = { e6 9b b2 e6 b0 8f e5 ba b5 e5 a3 ab e9 97 95 e5 be b7 e6 96 af e8 9b 8b } + $s1 = "fullofdick" + $s2 = "holdmeback" + $s3 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" wide + + condition: + ($first_payload and all of ( $rijndael_key* ) ) or 2 of ( $s* ) +} +rule SEKOIA_Win_Malware_Janelarat_Strings : FILE +{ + meta: + description = "Detect the JanelaRAT malware" + author = "Sekoia.io" + id = "891f182e-8a7a-4d0c-a481-62c198bb901b" + date = "2023-08-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/win_malware_janelarat_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "00df0a1f037e24ff1528d524fb7398735e2c3e0a9995a9f95a5293b04748f06e" + logic_hash = "cf2ca92cf790211f69ea9645f1c1b865d5503d14a1dcce535b4a69c735ea3dad" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s2 = {4d 58 4e 4f 42 55 47 4d 41 47} + $s1 = 
"block.blq" wide + + condition: + ( uint16be( 0 ) == 0x4d5a ) and filesize > 100KB and filesize < 1MB and 2 of them +} +rule SEKOIA_Ransomware_Win_Agenda : FILE +{ + meta: + description = "Finds Agenda ransomware (aka Qilin) samples based on characteristic strings" + author = "Sekoia.io" + id = "b0ea8e69-8f29-452f-95f7-67ee0e545b66" + date = "2022-12-15" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_agenda.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "7e315f639c4d785639bf7ed3bd805551366b4da10a664a42bf801c54c6f7bd2d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str00 = "\"note\": \"-- Qilin" ascii + $str01 = "README-RECOVER-.txt" ascii + $str02 = "\"file_black_list\": [" ascii + $str03 = "\"file_pattern_black_list\": [" ascii + $str04 = "Encrypted files have new extension." ascii + $str05 = "We have downloaded compromising and sensitive data from you system/network" ascii + $str06 = "Employees personal dataCVsDLSSN." ascii + $str07 = "ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion" ascii + $str08 = "cmdvssadmin.exe delete shadows /all /quiet" ascii + $str09 = "[WARNING] Removing shadows failed." 
ascii + $str10 = "[INFO] Shadow copies removed" ascii + $str11 = "[WARNING] net sahre enum failed with:" ascii + + condition: + uint16( 0 ) == 0x5A4D and 2 of them +} +import "hash" +import "pe" + +rule SEKOIA_Apt_Apt33_Tickler : FILE +{ + meta: + description = "Detects APT33 Tickler malware" + author = "Sekoia.io" + id = "e9ecf678-350c-47d2-ab4c-522974c70a45" + date = "2024-08-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt33_tickler.yar#L4-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "8bd712b0a49f4fecd39d30ebd121832c" + hash = "3f29429fce0168748d7cc75e1478aedc" + logic_hash = "97b858819a1920e6dcdd1a9489754a948de8e6e39b4282e7fe4f6431617a9849" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + uint16be( 0 ) == 0x4d5a and ( hash.md5 ( pe.rich_signature.clear_data ) == "2fe65623e6b22577516a4cd051ec3baa" or pe.imphash ( ) == "a5accd1a0d3eaf2c131bc662dd7ff8ea" ) +} +rule SEKOIA_Merlin_Crossplatform : FILE +{ + meta: + description = "Detects Merlin agent cross platform" + author = "Sekoia.io" + id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be6" + date = "2022-01-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/merlin_crossplatform.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "975cc4fe0d89383188f9fd3c516d1e853dd6070d7703c0b5b5874dc1e7e6f32a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = ".CRT" ascii + $s2 = ".tls" ascii + $s3 = "github.com/Ne0nd0g/merlin" ascii + $s4 = 
"github.com/refraction-networking" ascii + $s5 = "SendMerlinMessage" ascii + $s6 = "ifconfigH9" ascii + + condition: + ( uint16( 0 ) == 0x5a4d or uint16( 0 ) == 0x457f ) and all of them and filesize > 5MB and filesize < 15MB +} +rule SEKOIA_Backdoor_Mul_Supershell_Client : FILE +{ + meta: + description = "Detect the Supershell client (unpacked) by looking for github references" + author = "Sekoia.io" + id = "3498ca9e-a165-4dda-bc15-2e5d6d43d9c1" + date = "2024-04-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_mul_supershell_client.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "93490f4a16fb7dcde671b82e3187341abf4fc95e965219233ca7689f3cd3855f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "a42906f8b392089fa1fe3ea264f6cb549ce5437b5ea253d9e1b8dd94bf115dad" + hash2 = "d97b41e8cd6b63cd55c9a4f99ccadf5a9141088319bc9eb467d96e54080f3c85" + hash3 = "2b54d1c064892a22f48b5742ba6da55bf62b73e5b1e0649e8b7880b286498735" + hash4 = "0dedab2ef8d44f9beef782a29dd8f628dd0218b90f23f729b315660437019ccd" + hash5 = "2484de7944889d784b8229f4fd756d3930e55c91654921019db4437877e30ab7" + + strings: + $ = "github.com/NHAS/reverse_ssh/internal/client/" + $ = "golang.org" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Apt_Windows_Wip19_Screencap : FILE +{ + meta: + description = "Detects ScreenCap resource" + author = "Sekoia.io" + id = "ebf5d2c5-81c9-45c3-aa61-05870f800f6b" + date = "2022-10-18" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_windows_wip19_screencap.yar#L4-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "02479f0c8199b31f089608da0f44f1487b75790cb31c77bb65ca1fb0fd57ac0d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "89f4d0e3f7f3318270aa9c8345c1402202b1a02ffefc03c7a86636e297aa0ffc" ) and filesize < 2MB +} +rule SEKOIA_Tool_Sharpsecdump : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "359bf48b-81c8-4d12-ac02-777d4865411a" + date = "2023-06-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_sharpsecdump.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f183069d843767daa97bc81385e5e1b3a19c556f8171f28f8806aebe7a226176" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "SharpSecDump" + $s2 = "e2fdd6cc-9886-456c-9021-ee2c47cf67b7" + $s3 = "Md4Hash2" + $s4 = "RidToKey" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 1MB and all of them +} +rule SEKOIA_Guloader_Vbscript : FILE +{ + meta: + description = "visual basic script delivering GuLoader" + author = "Sekoia.io" + id = "3472e403-b1e6-4fdf-9770-af42d505b556" + date = "2024-02-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/guloader_vbscript.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d0398b19ec57cff8afd52b06dc9da18788b1eefdf6be70650138e9b342d91d24" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = " = CreateObject(\"WScript.Shell\")" + $s2 = " = Join(" + $s3 = ",vbnullstring)" + + condition: + filesize < 20KB and all of them and #s1 > 1 and @s3- @s2 < 16 +} +rule SEKOIA_Tool_Nssm_Strings : FILE +{ + meta: + description = "Detects nssm tool" + author = "Sekoia.io" + id = "fab99d44-6494-4bfc-80c0-67c45bad0425" + date = "2024-09-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_nssm_strings.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "beceae2fdc4f7729a93e94ac2ccd78cc" + logic_hash = "ca883f3ed9f510cbcd9b96ad167e9d6725341c311b023f22edcba721e801f07d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "nssm start " wide + $ = "nssm stop " wide + $ = "nssm restart " wide + $ = "nssm status " wide + $ = "nssm rotate " wide + + condition: + uint16be( 0 ) == 0x4d5a and all of them and filesize < 500KB +} +rule SEKOIA_Loader_Win_Bumblebee : FILE +{ + meta: + description = "Detect BUMBLEBEE based on specific strings" + author = "Sekoia.io" + id = "ff36f512-c700-4f52-bc89-68ab9c69462c" + date = "2022-04-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_bumblebee.yar#L1-L17" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "97755e8d593acbc9acc8ce7f1a82a345fc7eea049addbb96577f6abc1b6d5fd6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "Z:\\hooker2\\Common\\md5.cpp" wide + $str1 = "3C29FEA2-6FE8-4BF9-B98A-0E3442115F67" wide + $str2 = "bumblebee" ascii + + condition: + uint16( 0 ) == 0x5A4D and 2 of them +} +rule SEKOIA_Apt_Mustangpanda_Downloader : FILE +{ + meta: + description = "Detects the MustangPanda Downloader" + author = "Sekoia.io" + id = "54850ffd-f93b-4082-b3ca-8e1d60b35422" + date = "2022-03-02" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_downloader.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0bff0ee2960ecfa29939720e7efacaa35359f4fe555ae160c674efebf29bf61e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Windows Api" wide nocase + $ = "200 OK" wide + $ = "200 ok" wide + $ = "mscoree.dll" wide + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Apt_Muddywater_Manifestation_Backdoor_Obfuscated : FILE +{ + meta: + description = "Detects obfuscated Muddys manifestation JScript backdoor" + author = "Sekoia.io" + id = "58df72a1-822c-4b82-904d-1c0124dc7bc1" + date = "2022-01-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_manifestation_backdoor_obfuscated.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"8610f0895fafd2bc9a19bbff816754b563565ba6b105cc3d0a32b80bf5ebdc47" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $m = { 76 61 72 20 5f 30 78 [4-6] 3d 5b } + $w = {57 53 63 72 69 70 74 5b 5f 30 78 [4-6] 28 30 78 [2-3] 29 5d 28 30 78 [2-3] 2a 30 78 [2-3] 29 2c } + $t = "subkeys(key));}" + + condition: + $m at 0 and ( $t at ( filesize -16 ) or $w in ( filesize -200 .. filesize ) ) +} +rule SEKOIA_Apt_Apt28_Htmlsmuggling +{ + meta: + description = "Detects some kind of HTMLSmuggling used by APT28" + author = "Sekoia.io" + id = "2e20c992-d971-4c0f-99b3-a7d528c7055a" + date = "2023-09-11" + modified = "2024-12-19" + reference = "https://www.zscaler.com/blogs/security-research/steal-it-campaign" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt28_htmlsmuggling.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "47cca1d0a0843c8df43661ee8188dae86cce06e1f3982973871863728d328e89" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "click();" ascii + $s2 = "window.location.replace(" + + condition: + $s1 in ( @s2 .. 
@s2-100 ) +} +rule SEKOIA_Hafnium_Tarrask_Malware +{ + meta: + description = "Hunting rule to look for Tarrask malware" + author = "Sekoia.io" + id = "6f1728d6-dc9b-4ea7-8656-2b069ee269a0" + date = "2022-04-14" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hafnium_tarrask_malware.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f9309707d25cfe6bccf050f24e14c42b53f3d017916a02eaada74c4782efdd5c" + score = 50 + quality = 76 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "delete sd success" wide ascii nocase + $s2 = "Task successfully registered." wide ascii nocase + + condition: + all of them +} +rule SEKOIA_Hacktool_Ligolo_Relay_Strings : FILE +{ + meta: + description = "Detects Ligolo Relay based on strings" + author = "Sekoia.io" + id = "1e32f2e5-b66b-4b55-9dd4-1402b2f627ed" + date = "2022-02-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_ligolo_relay_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "57150b394cc7af9ae786b63d83acc29529fa037f0a52afde0e12a2eef93bf6c8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "ligolo/cmd/localrelay" + $ = "main.LigoloRelay.Start" + $ = "main.LigoloRelay.startRelayHandler" + $ = "main.LigoloRelay.startLocalHandler" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize > 2MB and filesize < 5MB and 3 of them +} +rule SEKOIA_Apt_Cloudmensis_Spyagent_Strings : FILE +{ + meta: + description = "Detects CloudMensis 
SpyAgent" + author = "Sekoia.io" + id = "c2df8373-6698-4b23-9d77-8e7968bd69f0" + date = "2022-07-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudmensis_spyagent_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ad858b1b78fb4ac6efee093b11fde14956d63bc6b300ef37bf1f2a3356cf4402" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[control_thread loop_DirStructure:]" + $ = "[screen_keylog getScreenShotData]" + $ = "[screen_keylog loop_usb]" + $ = "[Management UploadFilebyPath:destination:]" + $ = "[control_thread loop_pwd:]" + + condition: + uint32be( 0 ) == 0xcafebabe and filesize < 2MB and all of them +} +rule SEKOIA_Apt_Gelsemium_Wolfsbane_Launcher : FILE +{ + meta: + description = "Detects Gelsemium's WolfsBane launcher" + author = "Sekoia.io" + id = "26fbf4df-aa08-47b6-a73c-e8f80a408454" + date = "2024-11-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gelsemium_wolfsbane_launcher.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "87e437cf74ce4b1330b8af9ff71edae2" + logic_hash = "9ecc3a8cb82f6183c263dde03a14f721d2e3aeb2338afc28e0368c323e5d51a9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "rm -f /dev/shm/sem*%s" + $ = "/etc/ld.so.preload" + $ = "kill -9 %d 2>/dev/null" + $ = "/,1d' %s 2>/dev/null" + + condition: + uint32be( 0 ) == 0x7F454C46 and filesize < 500KB and all of them +} +rule SEKOIA_Apt_Backdoordiplomaty_Custommerlinagent_Strings : FILE +{ + 
meta: + description = "Detects custom variant of Merlin agent used by BackdoorDiplomaty" + author = "Sekoia.io" + id = "965693ba-93b8-4c52-9292-957884411968" + date = "2024-06-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_backdoordiplomaty_custommerlinagent_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "31d13e234dc3f68f6826a5310ac38693750f896318249d04a31c5e6c8d5eba91" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "agent.GetSpecificID" + $ = "agent.ExecuteCommand" + $ = "agent.getClient" + $ = "agent.SignalListen" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 10MB and all of them +} +rule SEKOIA_Infostealer_Win_Xfiles : FILE +{ + meta: + description = "Detect the X-FILES infostealer based on specific strings" + author = "Sekoia.io" + id = "3ad3ee19-6be8-484b-943c-05813cdcbd18" + date = "2022-02-03" + modified = "2024-12-19" + reference = "https://twitter.com/3xp0rtblog/status/1375206169384521730" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_xfiles.yar#L1-L50" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "404ee02fa1905f49c3c3ca525cfb3c5ba1d2ec46554239035c1891d21f547a2c" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $xfi0 = "Telegram bot - @XFILESShop_Bot" wide + $xfi1 = "Telegram support - @XFILES_Seller" wide + $brw0 = "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" wide + $brw1 = "\\Chromium\\User Data\\Default\\Cookies" wide + $brw2 = "\\Slimjet\\User Data\\Default\\Cookies" wide + $brw3 = 
"\\Vivaldi\\User Data\\Default\\Cookies" wide + $brw4 = "\\Opera Software\\Opera GX Stable\\Cookies" wide + $brw5 = "\\Opera Software\\Opera Stable\\Cookies" wide + $crp00 = "Tronlink" wide + $crp01 = "NiftyWallet" wide + $crp02 = "MetaMask" wide + $crp03 = "MathWallet" wide + $crp04 = "Coinbase" wide + $crp05 = "BinanceChain" wide + $crp06 = "GuardaWallet" wide + $crp07 = "EqualWallet" wide + $crp08 = "BitAppWallet" wide + $crp09 = "iWallet" wide + $crp10 = "Wombat" wide + $crp11 = "Zcash" wide + $crp12 = "Armory" wide + $crp13 = "Bytecoin" wide + $crp14 = "Jaxx" wide + $crp15 = "Exodus" wide + $crp16 = "Ethereum" wide + $crp17 = "AtomicWallet" wide + $crp18 = "Guarda" wide + $crp19 = "Coinomi" wide + $crp20 = "Litecoin" wide + $crp21 = "Dash" wide + $crp22 = "Bitcoin" wide + + condition: + uint16( 0 ) == 0x5A4D and any of ( $xfi* ) or 5 of ( $brw* ) and 20 of ( $crp* ) +} +rule SEKOIA_Rat_Win_Hiddenz : FILE +{ + meta: + description = "Lazy rule to detect Hiddenz's HVNC sample based on te malware name contained in numerous samples" + author = "Sekoia.io" + id = "4e582cda-4c50-4554-8e26-9d26206a02ee" + date = "2022-08-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_hiddenz.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "92f62c893d8a081cd52deaaac93d622fbb1c8e9c7df214e34c6b8066be72a424" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $name0 = "Hiddenz's HVNC" wide ascii + $name1 = "Hiddenzs_HVNC_DLL" wide ascii + $name2 = "HiddenzHVNC" wide ascii + + condition: + uint16( 0 ) == 0x5A4D and 1 of ( $name* ) +} +rule SEKOIA_Storm_1811_Screenconnect_Update +{ + meta: + description = "Detects files used in a campaign performed by the intrusion set Storm-1811" + author 
= "Sekoia.io" + id = "252ef24a-14dc-41e8-ba91-dcb9b6deb428" + date = "2024-06-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/storm_1811_screenconnect_update.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ad61e28566375fd3c029df79e1b608aac921ab8121a43bd01314c9112197c32e" + score = 75 + quality = 55 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "upd100.appspot.com/update/u.zip" ascii fullword + $s2 = "Unzip ok" ascii fullword + $s3 = "Installing update" ascii fullword + $s4 = "Administrators" ascii fullword + $s5 = "I am not admin" ascii fullword + $s6 = "I am admin" ascii fullword + $s7 = "ScreenConnect.ClientSetup.exe" ascii fullword + $s8 = "for %%x in (%IPS%) do (" ascii fullword + + condition: + 6 of them +} +rule SEKOIA_Apt_Susp_Apt28_Uac0063_Hta_Loader +{ + meta: + description = "Detects some suspected APT28 HTA loader" + author = "Sekoia.io" + id = "8e1889c1-c6ac-4048-9d3a-99ccbbd5435f" + date = "2024-07-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_susp_apt28_uac0063_hta_loader.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725" + logic_hash = "494331a8088d350e4e49e67fe64041d451886e501775413f908bd9b3faa98aeb" + score = 65 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = " 100KB +} +rule SEKOIA_Ursnif_Ldr4 +{ + meta: + description = "Ursnif LDR4" + author = "Sekoia.io" + id = "73e63481-8a89-4342-87f0-8dc7ad459396" + date = "2024-12-19" + 
modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ursnif_ldr4.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6fe237c6370a1b99bddb7bee4170d29cbb780dc445f5d5039201ddbaf05c63db" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str1 = "LOADER.dll" fullword + $str2 = "DllRegisterServer" fullword + $str3 = ".bss" fullword + $x64_code1 = { 3D 2E 62 73 73 74 0A 48 83 C7 28 } + $x64_code2 = { 8B 17 48 83 C7 04 8B CA 8b C2 23 CB 0B C3 F7 D1 23 C8 41 2B CA 44 8B D2 41 89 08 41 8B CB 49 83 C0 04 83 E1 07 FF C1 41 D3 C2 41 83 EB 04 79 } + $x64_code3 = { 41 0F B6 01 49 FF C1 8B C8 8B D0 83 E1 03 C1 E1 03 D3 E2 44 03 C2 41 83 C2 FF 75 } + $x64_code4 = { 45 8D 45 08 48 8D 8C 24 [4] BA 30 00 FE 7F E8 } + $x64_code5 = { 48 8D 8C 24 [4] BA 30 00 FE 7F 41 B8 08 00 00 00 E8 } + $x86_code1 = { 81 F9 2E 62 73 73 74 09 83 C6 28 } + $x86_code2 = { 8B 06 8B D0 23 55 0C 8B D8 0B 5D 0C F7 D2 23 D3 2B D1 8A 4D 08 80 E1 07 83 C6 04 89 17 83 C7 04 FE C1 D3 C0 83 6D 08 04 8B C8 79 } + $x86_code3 = { 8A 0E 0F B6 D1 8B CA 83 E1 03 C1 E1 03 D3 E2 46 03 C2 4F 75 } + $x86_code4 = { 6A 08 8D 45 F8 68 30 00 FE 7F 50 E8 } + + condition: + true and 5 of them +} +rule SEKOIA_Loader_Amadey_Standalone_May23 : FILE +{ + meta: + description = "Finds standalone samples of Amadey based on characteristic strings" + author = "Sekoia.io" + id = "5013586c-5ac3-4c1a-a82e-edce4889eedc" + date = "2023-05-17" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_amadey_standalone_may23.yar#L1-L17" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "40d2d7a52066ca4e1a65c82ebfa882a77616a1c68f1d315946ab14467787d468" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "\\Amadey\\Release\\Amadey.pdb" ascii + $hex01 = { 6E 74 64 6C 6C 2E 64 6C 6C 00 00 00 72 75 6E 61 73 } + + condition: + uint16( 0 ) == 0x5A4D and all of them +} +rule SEKOIA_Infostealer_Win_Phoenix : FILE +{ + meta: + description = "Finds Phoenix Stealer samples based on specific strings" + author = "Sekoia.io" + id = "d63a8fcf-f897-4c36-a6ce-4bd4ae0154e5" + date = "2023-06-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_phoenix.yar#L1-L33" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c8a3a9a36c978cfc28fc6e21af10894161279dfd2e2ad665c3296fda10f6303d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii + $str02 = "Discord\\Tokens.txt" ascii + $str03 = "SOFTWARE\\OpenVP" ascii + $str04 = "config_dir" ascii + $str05 = "| Last Login:" ascii + $str06 = "| Games:" ascii + $str07 = "| Host:" ascii + $str08 = "| Port:" ascii + $str09 = "| User:" ascii + $str10 = "| Pass:" ascii + $str11 = "Grabber.rar" ascii + $str12 = "\\GHISLER\\wcx_ftp.ini" ascii + $str13 = "Clipboard.txt" ascii + $str14 = "PROCESSOR_ARCHITECTURE" ascii + $str15 = "PROCESSOR_IDENTIFIER" ascii + $str16 = "Log.txt" ascii + $str17 = "xXxXxXxXxXx" ascii + $str18 = "hq101ejedmwcvvasd02kw" ascii + + condition: + uint16( 0 ) == 0x5a4d and 15 of them and filesize > 500KB +} +rule SEKOIA_Loader_Win_Erbium : FILE +{ + meta: + description = "Detect the Erbium loader based 
on specific user-agent and URI" + author = "Sekoia.io" + id = "d1e5be62-5677-4ef4-9f10-65baf36ab619" + date = "2022-09-30" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_erbium.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e93e9dbf0e5412afa4640b4cf5d94374c4df38f8044d44c375e86508c0d4190a" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36" wide + $str02 = "cloud/getHost.php?method=getstub&bid=" wide + $str03 = "api.php?method=getstub&bid=" wide + $api = "WinHttp" ascii + + condition: + uint16( 0 ) == 0x5A4D and 2 of ( $str* ) and #api > 6 +} +rule SEKOIA_Tool_Ehole : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "7d30ffd0-fada-4ef4-98c3-5572a4e1e140" + date = "2023-06-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_ehole.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "df937417b2f8e12f80fbe2edaa0863de6ed7862c117dff2a21255cb7d1d9ad3d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "main.http400" + $s2 = "main.fofa_c" + $s3 = "main.Jsjump" + $s4 = "main.StandBase64" + $s5 = "main.fofa_http" + $s6 = "main.fofa_seach" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 11MB and all of them +} +rule 
SEKOIA_Infostealer_Win_Whitesnake_Stealer_Feb23 : FILE
+{
+ meta:
+ description = "Finds WhiteSnake samples (stealer module)"
+ author = "Sekoia.io"
+ id = "68ae7fbc-4486-4b60-af5e-f37ddc58f170"
+ date = "2023-03-01"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_whitesnake_stealer_feb23.yar#L1-L31"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "90007c38c644b79b2a60d9a252bd95071c5be57c649d73b66a73a1158cddc2fb"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $fun01 = "Ibhiyptxjhiacrnxomvqjb" ascii
+ $fun02 = "Irwcvmgzsduiiizaabbczm" ascii
+ $whi = "WhiteSnake.Properties.Resources" ascii
+ $str01 = "get_UtcNow" ascii
+ $str02 = "get_IPAddress" ascii
+ $str03 = "get_Ticks" ascii
+ $str04 = "set_commands" ascii
+ $str05 = "set_Information" ascii
+ $str06 = "set_filedata" ascii
+ $str07 = "get_Jpeg" ascii
+ $str08 = "set_Culture" ascii
+ $str09 = "MakeScreenshot" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and ( ( all of ( $fun* ) or $whi ) and 3 of ( $str* ) or 7 of ( $str* ) ) and filesize < 100KB
+}
+rule SEKOIA_Apt_Sidecopy_Malicious_Macro : FILE
+{
+ meta:
+ description = "Detects malicious macro used by SideCopy"
+ author = "Sekoia.io"
+ id = "4b90c33e-48d4-48b6-87a7-c35686e7e913"
+ date = "2023-05-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sidecopy_malicious_macro.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "b1d9d7af8507b478b2a8d34a4a5ca3714b219a42d5b3f9d5026d98351294e1cf"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "htmlFile$"
+ $ = "Gecko/20100101 Firefox/91.0"
+ $ = "Start Menu\\Programs\\Startup\\"
+ $ = "Document_Close"
+ $ = "ThisDocument" wide
+ $ = "ServerXMLHTTP.6.0"
+
+ condition:
+ uint32be( 0 ) == 0xD0CF11E0 and all of them
+}
+rule SEKOIA_Trojan_Android_Brata : FILE
+{
+ meta:
+ description = "Detect samples of the Android banking trojan BRATA"
+ author = "Sekoia.io"
+ id = "fde9b82e-c677-44ed-b512-b225a3aba201"
+ date = "2022-01-27"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/trojan_android_brata.yar#L1-L29"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "0c94e5e0c01d4fa9bf28603787029938a3159f468dd3876e7d25646e93dd68b8"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $goo0 = "Google Play services error"
+ $goo1 = "Error de Serveis de Google Play"
+ $goo2 = "Fehler bei Zugriff auf Google Play-Dienste"
+ $goo3 = "Erro nos servizos de Google Play"
+ $goo4 = "Fout met Google Play-services"
+ $goo5 = "Virhe Google Play -palveluissa"
+ $goo6 = "Erro do Google Play Services"
+ $goo7 = "Error de Google Play Services"
+ $res0 = "res/xml/device_admin.xml"
+ $res1 = "res/xml/windowchangedetectingservice.xml"
+ $res2 = "res/xml-v22/windowchangedetectingservice.xml"
+
+ condition:
+ uint32be( 0 ) == 0x504B0304 and filesize > 2MB and filesize < 6MB and 7 of ( $goo* ) and 2 of ( $res* )
+}
+rule SEKOIA_Exploit_Linux_Eop_Dirtypipe_Strings : FILE
+{
+ meta:
+ description = "Detects DirtyPipe Local Privesc exploit"
+ author = "Sekoia.io"
+ id = "712d8a01-576e-4f43-a930-63dcdc535d93"
+ date = "2023-12-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_linux_eop_dirtypipe_strings.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "0abb8de541acea57ced20f66c0aad7b010fea647996039809d36e94555dee204"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "[+] hijacking suid binary.."
+ $ = "[+] dropping suid shell.."
+ $ = "[+] restoring suid binary.."
+ $ = "[+] popping root shell.."
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 1MB and all of them
+}
+rule SEKOIA_Launcher_Win_Romcom_Launcher : FILE
+{
+ meta:
+ description = "Detect the launcher of RomCom malware"
+ author = "Sekoia.io"
+ id = "e8fa8239-a763-4be2-8f34-8e112e65b35e"
+ date = "2022-11-04"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/launcher_win_romcom_launcher.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "7d94f187c3fb85cbfe961dd3b292dc1abd36a8cee7c9ff9ec08c4c1e23d38588"
+ score = 75
+ quality = 78
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = {43 3a 5c 55 73 65 72 73 5c 31 32 33 5c 73 6f 75 72 63 65 5c 72 65 70 6f 73 5c 69 6e 73 5f 61 73 69 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 73 65 74 75 70 2e 70 64 62}
+
+ condition:
+ uint16( 0 ) == 0x5A4D and all of them
+}
+rule SEKOIA_Apt_Mustangpanda_Xoreddll : FILE
+{
+ meta:
+ description = "Detects xored DLL from MustangPanda embedding a document"
+ author = "Sekoia.io"
+ id = "73d13624-01df-41ab-b449-86db43dc6c55"
+ date = "2022-07-19"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_xoreddll.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "685be191cf187c0d5bfd00354400c47a961c9d047aa7e65e4cfc2201ec5eb1bc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $clear = "This program cannot be run in DOS mode" + $stub = "This program cannot be run in DOS mode" xor + $res1 = "5w>w9wR'31Z" xor + $res2 = "r0y0~0KlBD" xor + $res3 = "d&o&h&öé7Æ" xor + $res4 = "9{2{5{+0" xor + + condition: + $stub and any of ( $res* ) and not $clear and filesize < 3MB +} +rule SEKOIA_Tool_Quarkspwdump : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "859823f9-6d47-4b0f-844b-d3af7bad498b" + date = "2023-06-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_quarkspwdump.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "4799e1d1c749a536d7920e3c333d69f7130376c6a0f0e0ca8f0b61e438266adb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "quarks-pwdump.exe" + $s2 = "--------------------------------------------- BEGIN DUMP --------------------------------------------" + $s3 = "%s_hist%d:\"\":\"\":%s:%s" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 1MB and all of them +} +rule SEKOIA_Exploit_Ez_Pwnkit_Strings : FILE +{ + meta: + description = "Detects ez-pwnkit exploit" + author = "Sekoia.io" + id = "24301f35-8174-4e0d-b14a-fc7e45a29b26" + date = "2024-01-22" + modified = "2024-12-19" + reference = 
"https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_ez_pwnkit_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "36ec579f6c2dfeaf4ae6f6559d565d418a1f31199102eaa390ca36493f5b18cd" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "go.buildid" + $s2 = "github.com/OXDBXKXO/ez-pwnkit" + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 5MB and $s1 and #s2 > 5 +} +rule SEKOIA_Tool_Multidump_Strings : FILE +{ + meta: + description = "Detects MultiDump" + author = "Sekoia.io" + id = "4897c898-01dd-40d2-bf28-266231c88f8a" + date = "2024-03-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_multidump_strings.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "8d98cf89d56f5a949023364f94c8d55f8875408b082fb52e118f99d46533124d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "--nodump\tDisable LSASS dumping" + $ = "-r 192.168.1.100:5000" + $ = "Path to save procdump.exe" + $ = "[!] 
CreateFileW [R] Failed With Error"
+ $ = "LSASS is Running, Continuin"
+ $ = "Dumping LSASS Using ProcDump"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and 3 of them
+}
+rule SEKOIA_Apt_Implant_Xdealer_Vbs_Launcher_Strings : FILE
+{
+ meta:
+ description = "Detects XDealer VBS Launcher"
+ author = "Sekoia.io"
+ id = "ebfc8a33-70dc-44d5-bc4a-07afc56f8254"
+ date = "2024-03-22"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_implant_xdealer_vbs_launcher_strings.yar#L1-L17"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "e206189fd21ed7b3bf48a51d955df9055b7f7aa502b7fac52b274cc414adea0d"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "Dim objws"
+ $s2 = "Set objws="
+ $s3 = "objws.Run \"\"\"C:\\ProgramData\\"
+
+ condition:
+ $s1 at 0 and all of them and filesize < 200
+}
+rule SEKOIA_Infostealer_Win_Banditstealer : FILE
+{
+ meta:
+ description = "Finds BanditStealer samples based on specific strings"
+ author = "Sekoia.io"
+ id = "d1e45a5c-c06d-4161-8d30-fa94bcf0ea7a"
+ date = "2023-07-03"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_banditstealer.yar#L1-L35"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "64d4860dd8a783be10541dd5c939dcd2a2b08309a7cd17b9dbbda1ba8b26485d"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $spe01 = "Banditstealer" ascii
+ $spe02 = "BANDIT STEALER" ascii
+ $spe03 = "Location: Geolocation: " ascii
+ $spe04 = "awesomeProject2/core.GetWallets" ascii
+ $spe05 = "awesomeProject2/core.GetCreditCards" ascii
+ $spe06 = "awesomeProject2/core.GetCookies" ascii
+ $spe07 = "awesomeProject2/core.KillProcessByName" ascii
+ $spe08 = "main.sendZipToTelegram" ascii
+ $str01 = "json:\"city\"" ascii
+ $str02 = "UAC disabled" ascii
+ $str03 = "\\OpenVPN Connect\\profiles\\" ascii
+ $str04 = "\\Documents\\Monero\\wallets\\" ascii
+ $str05 = "cookies.sqlite" ascii
+ $str06 = "creditcard.txt" ascii
+ $str07 = "vmware.exe" ascii
+ $str08 = "aeachknmefphepccionboohckonoeemg" ascii
+ $str09 = "\\Documents\\NetSarang\\Xftp\\Sessions\\" ascii
+ $str10 = "\\WhatsApp\\Local Storage\\leveldb\\" ascii
+ $str11 = "Visited Time: %s" ascii
+ $str12 = "\\Google\\Chrome\\User Data\\Telegram Desktop\\tdata\\" ascii
+
+ condition:
+ uint16( 0 ) == 0x5a4d and 2 of ( $spe* ) and 6 of ( $str* )
+}
+rule SEKOIA_Loader_Amadey_Clipper_Plugin : FILE
+{
+ meta:
+ description = "Finds Amadey's clipper plugin based on characteristic strings"
+ author = "Sekoia.io"
+ id = "487b6657-8834-45ee-8fd4-03df9c0dd7be"
+ date = "2023-05-16"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_amadey_clipper_plugin.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "6f5a2fa9c687f0fb2423ca97540d0173551dd04b31d092e4d47d6d7d22dfb965"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "CLIPPERDLL.dll" ascii
+ $str02 = "??4CClipperDLL@@QAEAAV0@$$QAV0@@Z" ascii
+ $str03 = "??4CClipperDLL@@QAEAAV0@ABV0@@Z" ascii
+ $str04 = "Main" ascii fullword
+ $str05 = "OpenClipboard" ascii
+ $str06 = "GetClipboardData" ascii
+ $str07 = "D:\\Mktmp\\Amadey\\ClipperDLL\\Release\\CLIPPERDLL.pdb" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 5 of them
+}
+rule SEKOIA_Infostealer_Win_Monster_Stub : FILE
+{
+ meta:
+ description = "Finds Monster Stealer stub (Python payload) based on specific strings."
+ author = "Sekoia.io"
+ id = "10d27d49-79ae-4edc-8c30-35506bdf2c42"
+ date = "2024-08-07"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_monster_stub.yar#L1-L31"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "d6362c54b1f56ffa878423fbb1a3f57508d20e06b573c732f892494178a49200"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "https://t.me/monster_free_cloud" ascii
+ $str02 = "MonsterUpdateService" ascii
+ $str03 = "Monster.exe" ascii
+ $str04 = "schtasks /create /f /sc daily /ri 30 /tn" ascii
+ $str05 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\" ascii
+ $str06 = "banned_uuids" ascii
+ $str07 = "banned_computer_names" ascii
+ $str08 = "banned_process" ascii
+ $str09 = "register_X_browsers" ascii
+ $str10 = "register_payload" ascii
+ $str11 = "tiktok_sessions.txt" ascii
+ $str12 = "spotify_sessions.txt" ascii
+ $str13 = "network_info.txt" ascii
+ $str14 = "lolz.guru" ascii
+ $str15 = "echo ####System Info####" ascii
+ $str16 = "echo ####Firewallinfo####" ascii
+ $str17 = "/injection/main/injection.js" ascii
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 10 of them
+}
+rule SEKOIA_Unk_Quad7_Netd_Strings : FILE
+{
+ meta:
+ description = "Matches netd binary"
+ author = "Sekoia.io"
+ id = "3f527f0e-c101-4356-9024-fc61aea644d1"
+ date = "2024-08-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/unk_quad7_netd_strings.yar#L1-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "cdb37db4543dde5ca2bd98a43699828f"
+ logic_hash = "abd59c5fa0c4c73a2cd9a2263d5573d896c6c0d71d96bd59167b1e2d7fbf108e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "./netd.dat"
+ $ = "./sys.dat"
+ $ = "--conf"
+ $ = "--init"
+ $ = "--nobg"
+ $ = "Url is NULL."
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 1MB and 4 of them
+}
+rule SEKOIA_Apt_Emberbear_Credpump_Strings : FILE
+{
+ meta:
+ description = "Detects CredPump backdoor"
+ author = "Sekoia.io"
+ id = "c9898e34-4ab8-49d6-9c8a-3fce592449e2"
+ date = "2023-02-28"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_emberbear_credpump_strings.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "6f2c96fe3f314221626b4c053658af0e7231f151886f10eb1d69e07ea3e5c634"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "User=%s Pass=%s Host=%s"
+ $ = "/etc/rc0.d/.rc0.d"
+ $ = "pam_get_authtok"
+ $ = "Password:"
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 200KB and all of them
+}
+rule SEKOIA_Apt_Tealkurma_Snappytcp_Reverse_Shell_Strings : FILE
+{
+ meta:
+ description = "Detects TealKurma SnappyTCP reverse shell"
+ author = "Sekoia.io"
+ id = "e842825c-546c-475a-bc94-7e97aea4e9e0"
+ date = "2023-12-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_tealkurma_snappytcp_reverse_shell_strings.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "feb24cafcf5b080c91dab42bf8d78fbdb0b7fae9395c7513f02aa90a25663d2c"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "2>&1>/dev/null&" ascii
+ $ = ".php HTTP/1.1" ascii
+ $ = "GET /" ascii
+ $ = "Hostname: %s" ascii
+ $ = "bash -c \"./" ascii
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 3MB and 3 of them
+}
+rule SEKOIA_Hacktool_Duplicatedump_Strings : FILE
+{
+ meta:
+ description = "Detects Duplicate Dump"
+ author = "Sekoia.io"
+ id = "081d0124-4afe-418b-9767-3d987c0107ca"
+ date = "2023-11-22"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_duplicatedump_strings.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "feff083ed432781884941fc02eee6d6ce54f70f1b85d24db2f3e1d0147a81a7a"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "7d872e921a4b4b1b8b295395099b0209" wide ascii
+ $ = "[+] Named pipe connected and replying with current PID" wide ascii
+ $ = "[X] Named pipe connection error:" wide ascii
+ $ = "[X] Error occur while compressing file:" wide ascii
+ $ = "[+] Dump file saved to" wide ascii
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 500KB and 4 of them
+}
+rule SEKOIA_Apt_Badmagic_Startngrok_Pshscript : FILE
+{
+ meta:
+ description = "Detects BadMagic StartNgrok powershell script"
+ author = "Sekoia.io"
+ id = "94d64482-3033-4531-8530-58546364ac06"
+ date = "2023-05-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_startngrok_pshscript.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f15f9dc2c35f3f7cd816aa539c03b857254c3628c9b14eacca1110bb85b1a24c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "$ExecutablePath http \"\"file:///$Disk" + $ = "write \"$ExecutablePath not found" + $ = "$ng_proxy_string =" + $ = "$ng_auth_token =" + $ = "$env:ALLUSERSPROFILE\\$NGrokFolderName" + + condition: + all of them and filesize < 1KB +} +rule SEKOIA_Implant_Lin_Geacon : FILE +{ + meta: + description = "Finds Geacon samples based on specific strings" + author = "Sekoia.io" + id = "ad71522e-270b-47d0-9c01-081f05a2b72a" + date = "2024-01-11" + modified = "2024-12-19" + reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_lin_geacon.yar#L1-L35" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c6fa5815bf618eb588d511f18231042944dee20c1b13096c44910d43ca552bfa" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $gea01 = "geacon/config.init" ascii + $gea02 = "geacon_pro-master/config/config.go" ascii + $gea03 = "geacon_plus-main/config/config.go" ascii + $gea04 = "command type %d is not support by geacon now" ascii + $gea05 = "main/sysinfo.GeaconID" ascii + $str01 = "command.StealToken" ascii + $str02 = "command.MakeToken" ascii + $str03 = "command/misc.go" ascii + $str04 = "config/c2profile.go" ascii + $str05 = "crypt.AesCBCDecrypt" ascii + $str06 = "packet.File_Browse" ascii + $str07 = "packet.FirstBlood" ascii + $str08 = 
"packet.ParseCommandShell" ascii + $str09 = "packet.ParseCommandUpload" ascii + $str10 = "packet.PushResult" ascii + $str11 = "sysinfo.GetComputerName" ascii + $str12 = "sysinfo.IsOSX64" ascii + $str13 = "util..inittask" ascii + + condition: + uint32( 0 ) == 0x464C457F and ( ( 1 of ( $gea* ) and 2 of ( $str* ) ) or 8 of ( $str* ) ) +} +rule SEKOIA_Apt_Mustang_Panda_Nupakage : FILE +{ + meta: + description = "Detects NUPAKAGE malware (only PDB, too much false positives)" + author = "Sekoia.io" + id = "bd62c220-addc-48e9-bd01-2eff687ac3ce" + date = "2023-03-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustang_panda_nupakage.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "255c77af714b1b66275f3973fb112994ccb028d5d60562bbde30df5a761f03d3" + score = 50 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "D:\\Project\\NEW_PACKAGE_FILE\\Release\\NEW_PACKAGE_FILE.pdb" ascii wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 1MB and all of them +} +rule SEKOIA_Hacktool_Ipmipwner_Strings : FILE +{ + meta: + description = "Detects ipmiPwner script" + author = "Sekoia.io" + id = "2ac736b5-33bb-477f-a98c-57cc2744d251" + date = "2023-12-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_ipmipwner_strings.yar#L1-L16" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "122311e1791d018f08f3d5ecdf2e0efe3aa5bb913b2c1ce6a3797e8ceb2676eb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = 
"TLP:CLEAR" + + strings: + $ = "{status} Using the list of users that the {lgcyan}script" + $ = "--host 192.168.1.12 -p 624 -uW /opt/SecLists/Usernames/" + + condition: + all of them and filesize < 10KB +} +rule SEKOIA_Apt_Kimsuky_Validator_Strings : FILE +{ + meta: + description = "Detects Kimsuky validator" + author = "Sekoia.io" + id = "e055f2d4-8318-4342-812e-0f621d7886b4" + date = "2024-06-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_validator_strings.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "a627dae8c12f0f6f8472bc12b8e1a85137f92f6e389f817ab9023c90720a42b0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "%s%sc %s >%s 2>&1" wide + $ = "%s%sc %s 2>%s" wide + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Kimsuky : FILE +{ + meta: + description = "Detect the backdoors used by Kimsuky based on specific PE ressources" + author = "Sekoia.io" + id = "db927d1c-34cf-4501-a6ce-3e8ecdefc5a3" + date = "2024-06-04" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_kimsuky.yar#L4-L38" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ba40427f7e305a6e6cec6bb0165b49e6ce215ecf66fc2e05954c10e4d9acf9b0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7" + hash2 = "cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d" + + 
condition: + uint16be( 0 ) == 0x4d5a and for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "ac9ed305c6dac749163db359736e7d92fca9173ff5c9e1f021d500b306e3c5ec" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "0ca965ccf7324b098da617909d38986c1e6aae3e12d9629975f1815ed4ed3907" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "25d79e59a6b625e5c22ccb55cc49373d38cc6f20cb75504b0df1bc0804bb1247" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "ce5619ffe04ec569bf2565e0964156378bda7c42eb646bedbac2191a5af7bebf" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "ce10e65f7bf105fc06005340f0a8eaea9b351f3750d2818c1cf2ca25a7f495be" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "5a9e2a392c530ab8b38ff917ae0f28496107f1bde94e89515931fd29a0bfb2e5" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "19f4f3a05b809d8e33bb0004f62899ca5f9eac7e4cdba68dfd5c0a6f2d71bec3" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "b9c208b9bada7bac4d5bfe53992f570e34e0b4d5cfa0862de9847ddf5630ab9a" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "ac9ed305c6dac749163db359736e7d92fca9173ff5c9e1f021d500b306e3c5ec" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . 
length ) == "0ca965ccf7324b098da617909d38986c1e6aae3e12d9629975f1815ed4ed3907" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "25d79e59a6b625e5c22ccb55cc49373d38cc6f20cb75504b0df1bc0804bb1247" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "ce5619ffe04ec569bf2565e0964156378bda7c42eb646bedbac2191a5af7bebf" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "ce10e65f7bf105fc06005340f0a8eaea9b351f3750d2818c1cf2ca25a7f495be" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "5a9e2a392c530ab8b38ff917ae0f28496107f1bde94e89515931fd29a0bfb2e5" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "19f4f3a05b809d8e33bb0004f62899ca5f9eac7e4cdba68dfd5c0a6f2d71bec3" or hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "b9c208b9bada7bac4d5bfe53992f570e34e0b4d5cfa0862de9847ddf5630ab9a" ) +} +rule SEKOIA_Tool_Revsocks_Strings : FILE +{ + meta: + description = "Detects revsocks client" + author = "Sekoia.io" + id = "f5f34e74-0795-4c81-a385-218a8197a0b7" + date = "2024-03-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_revsocks_strings.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f1702aaaebc1ba720f688f0694a69fef55a2556b1f07dd4b846be1ae32ff5529" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "reverse socks5 server/client by kost" ascii fullword + $ = "github.com/kost/" + $ = "revsocks -listen" + $ = "Start on the DNS server: revsocks -dns" + $ = "crypto/aes." 
+ + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a or uint32be( 0 ) == 0xfeedface or uint32be( 0 ) == 0xfeedfacf or uint32be( 0 ) == 0xcafebabe or uint32be( 0 ) == 0xCFFAEDFE ) and 3 of them +} +rule SEKOIA_Apt_Gamaredon_Doc_External_Template : FILE +{ + meta: + description = "Detects malicious templates used by Gamaredon" + author = "Sekoia.io" + id = "5f6bbf92-2fdf-428d-af49-2d3e754c29d7" + date = "2023-01-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_doc_external_template.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "51412081fa7e62fa342b0ed6da18009b39e3952286f2bd319fbe10e0b1761e02" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "USERPROFILE" ascii + $ = "msxml2" ascii + $ = "T24gRXJyb3IgUmVzdW1lIE5leHQ" ascii + + condition: + uint32be( 0 ) == 0xd0cf11e0 and filesize < 100KB and all of them +} +rule SEKOIA_Launcher_Win_Stealthmutant_Bat_Launcher : FILE +{ + meta: + description = "StealthMutant/StealthVector bat launcher" + author = "Sekoia.io" + id = "7452291f-2244-469e-bb7c-5eff1ca17aa2" + date = "2021-08-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/launcher_win_stealthmutant_bat_launcher.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "06ae4bc3ed938738dfca10c182a6a2363aa6aa70e730aefd41f6fe73c675785d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "set \"WORK_DIR=" ascii + $s2 = "set \"DLL_NAME=" ascii + $s3 = 
"set \"SERVICE_NAME=" ascii + $s4 = "set \"DISPLAY_NAME=" ascii + $s5 = "set \"DESCRIPTION=" ascii + $start = "@echo off" ascii + $end = "net start \"%SERVICE_NAME%\"" ascii + + condition: + uint16( 0 ) != 0x5A4D and all of ( $s* ) and filesize < 2KB and $start at 0 and $end in ( filesize -30 .. filesize ) +} +import "hash" +import "pe" + +rule SEKOIA_Downloader_Win_Apt33_Tickler : FILE +{ + meta: + description = "Detect the downloader used by APT33 to diwnload Tickler" + author = "Sekoia.io" + id = "e1f704d6-d527-479a-8311-d286c06768ac" + date = "2024-08-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_win_apt33_tickler.yar#L4-L29" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e6fff291b73812e5a999fbc566e8f7181dcdf01b849a9664ba05fe0a2bc982fe" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + uint16be( 0 ) == 0x4d5a and pe.imphash ( ) == "e43c58659b5b3082387307603478881a" or hash.md5 ( pe.rich_signature.clear_data ) == "d30bd7875b225709ecf95bf68dbd435f" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "d7d2079d0a656c06a03f2c277bb08bda" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "61a1425e6a0d28e29c6fd3d451ac3717" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "916bf96ed3274ce8322d9f370432844f" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "3fab9d4ae989d53cecb2f443b8ce88d0" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "e0967483e074da72ceff4dea3bc17530" or hash.md5 ( pe.sections [ i ] . 
raw_data_offset , pe.sections [ i ] . raw_data_size ) == "b4a571736b6646765155ffbd57c27c83" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "35c88ba521887f8fe1b2501f8cd8bd98" ) or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . length ) == "636dc666c7496cb3382b029fed53473f181cdc24405886c468e51a103d78b4d4" ) +} +rule SEKOIA_Tool_Win_Forkplayground : FILE +{ + meta: + description = "Detect the ForkPlayground malware" + author = "Sekoia.io" + id = "ec9af403-7647-447d-af17-c6931363a166" + date = "2023-02-28" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_win_forkplayground.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "23d93b7eef978f76c9aa6c0bc28a661d160b0a871fd320442b6c27bc92bc279e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Failed to open dump file %s with the last error %i." + $ = "Successfully dumped process %i to %s" + $ = "ForkPlayground" + $ = "Second attempt at taking a snapshot of the target failed. It is likely that there is a difference in process privilege or the handle was stripped." + $ = "Failed to take a snapshot of the target process. Attempting to escalate debug privilege..." 
+ $ = "Failed to escalate debug privileges, are you running ForkDump as Administrator" + + condition: + uint16( 0 ) == 0x5A4D and 1 of them +} +rule SEKOIA_Rat_Win_Remcos : FILE +{ + meta: + description = "DEPRECATED : Find Remcos RAT samples based on specific strings" + author = "Sekoia.io" + id = "011132f5-c5d9-4e97-bfed-0b94c9a30481" + date = "2023-01-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_remcos.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "259f31d745449dc81cde698bb0ae4a20b4bbf050a1c818fbb5a891f26ca2e856" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + modification_date = "2024-01-08" + classification = "TLP:CLEAR" + + strings: + $str01 = "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f" ascii + $str02 = "Disconnection occurred, retrying to connect..." ascii + $str03 = "[Following text has been pasted from clipboard:]" ascii + $str04 = "[Following text has been copied to clipboard:]" ascii + $str05 = "[Chrome StoredLogins found, cleared!]" ascii + $str06 = "PING 127.0.0.1 -n 2" ascii + $str07 = "Remcos_Mutex_Inj" ascii + $str08 = " * REMCOS v" ascii + $str09 = "Connected to C&C!" 
ascii + $str10 = "[Cleared all cookies & stored logins!]" ascii + + condition: + uint16( 0 ) == 0x5A4D and 3 of them +} +rule SEKOIA_Apt_Mustangpanda_Payload : FILE +{ + meta: + description = "Decryption routine of mustang panda payload" + author = "Sekoia.io" + id = "ce7ddf20-e13f-4b5f-8fff-4b1387b29568" + date = "2022-12-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_payload.yar#L1-L42" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "734d42aed4574de620773f1f2d08c6b1fc206efd1b576f0f3679edcc0b2ce91d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $chunk_1 = { + 89 74 24 ?? + B9 ?? ?? ?? ?? + 8B 44 24 ?? + 3D ?? ?? ?? ?? + B8 ?? ?? ?? ?? + 0F 4C C1 + E9 ?? ?? ?? ?? + B8 ?? ?? ?? ?? + 31 DB + 31 ED + 31 FF + E9 ?? ?? ?? ?? + 8B 44 24 ?? + B9 ?? ?? ?? ?? + 3B 44 24 ?? + B8 ?? ?? ?? ?? + 0F 42 C1 + E9 ?? ?? ?? ?? + 88 5C 24 ?? + 89 6C 24 ?? + 89 7C 24 ?? + B9 ?? ?? ?? ?? + 8B 44 24 ?? + 3D ?? ?? ?? ?? + B8 ?? ?? ?? ?? 
+ 0F 4C C1 + } + + condition: + filesize < 8MB and all of them +} +rule SEKOIA_Hacktool_Win_Powertool : FILE +{ + meta: + description = "Detect PowerTool based on strings" + author = "Sekoia.io" + id = "ab8355b8-322d-41a4-82f0-43896c96b9bc" + date = "2022-09-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_win_powertool.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "aeccba821e528ca03abc8b50362d450ba2c12ab443454faf5b2809aecd163648" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "C:\\dev\\pt64_en\\Release\\PowerTool.pdb" ascii + $str1 = "Chage language nedd to restart PowerTool" ascii + $str2 = "(http://twitter.com/ithurricanept && https://www.linkedin.com/in/powertool)" wide + $str3 = "Infected=Before Fix, whether to back up the drive files will be fixed?" wide + $str4 = "Infected?-Are you sure to Fix the Infected Driver File?" 
wide + $str5 = "shellex\\ContextMenuHandlers\\PowerTool" wide + $str6 = "[PowerTool] name=%s, size=%d, %d" ascii + + condition: + uint16( 0 ) == 0x5A4D and any of them +} +import "pe" + +rule SEKOIA_Crybercrime_Prophetspider_Proxy : FILE +{ + meta: + description = "Detects the Winntaa decryption loop or imphash" + author = "Sekoia.io" + id = "b7637fc3-bf81-40c4-869c-1c283574e0a7" + date = "2022-02-17" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/crybercrime_prophetspider_proxy.yar#L3-L41" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "711ef3fc6ac488200415b7178c7f639ad9f6c72077bbebac2e6d5e0bed7120dd" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = { 56 + 57 + 48 8D 95 F0 FE FF FF + 31 C0 + 66 21 02 + 48 89 CE + AC + 48 89 D7 + 4C 89 C2 + 88 D4 + 30 C2 + 0F B6 CA + 48 89 95 E8 FE FF FF + AC + 30 E0 + AA + E2 FA + 88 C8 + AA + 48 8D 85 F0 FE FF FF + 48 8B 95 E8 FE FF FF + 5F + 5E + C3 } + + condition: + uint16be( 0 ) == 0x4d5a and ( all of them or pe.imphash ( ) == "55e0b8e5b4d787c680ada4e450789a4d" ) +} +import "pe" + +rule SEKOIA_Yara_Runascs : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "1720f042-2cc6-4ef1-b66c-fe8a4214366a" + date = "2023-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/yara_runascs.yar#L3-L33" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fe9b02704d07b5ebe6ad94283e4c1ec2846a54f5c1fb2115a1f6411cf8c19059" + score = 75 + quality = 80 + tags = "FILE" + 
version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "RunasCs" ascii wide + $s2 = "LOGON32_LOGON_INTERACTIVE" ascii wide + $s3 = "LOGON32_LOGON_NETWORK" ascii wide + $s4 = "LOGON32_LOGON_BATCH" ascii wide + $s5 = "LOGON32_LOGON_SERVICE" ascii wide + $s6 = "dwLogonProvider" ascii wide + $s7 = "LogonUser" ascii wide + $s8 = "CreateProcessAsUser" ascii wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 4MB and all of them and not ( pe.version_info [ "OriginalFilename" ] == "Atera.AgentPackages.CommonLib.dll" and for any sig in pe.signatures : ( sig.subject contains "CN=Atera Networks Ltd" and sig.issuer contains "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" ) ) +} +rule SEKOIA_Tool_Inswor_Strings : FILE +{ + meta: + description = "Detects In-Swor based on strings" + author = "Sekoia.io" + id = "99aaad33-510a-41b9-9022-800588c18d6d" + date = "2024-09-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_inswor_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "c393128a143b2a3397100b4a30c75112" + logic_hash = "b25072e6a9fa5728c24c91056a221778f5fbc9d8ba7a78a6684cd6755761373e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "open encrypted file error:" ascii + $ = "open config file error:" ascii + $ = "payload.ini" ascii + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Apt_Kimsuky_Fpspy : FILE +{ + meta: + description = "Detects FPSpy, a backdoor used by Kimsuky" + author = "Sekoia.io" + id = "75d41851-a7a6-4068-8ea5-6a3e6e62a965" + date = "2024-09-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_fpspy.yar#L1-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "6d6c1b175e435f5564341cc1f2c33ddf" + hash = "54c58b72f98cb63c44e7694add551e9d" + logic_hash = "65904b77a30b2e2a25f8d80ab32742f0ad931f07c034ae576a4fbde7e1fd999c" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Chrome/31.0." wide + $ = "%srundll32.exe %s, %s %%1" wide + $ = "MazeFunc" wide + $ = "sys.dll" wide + $ = "KLog" wide + + condition: + uint16be( 0 ) == 0x4d5a and 4 of them +} +rule SEKOIA_Downloader_Mac_Rustbucket : FILE +{ + meta: + description = "RustBucket fake PDF reader" + author = "Sekoia.io" + id = "5a003b68-ad9a-47f9-b157-dd898181dac2" + date = "2023-04-24" + modified = "2024-12-19" + reference = "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/downloader_mac_rustbucket.yar#L1-L31" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1b9e9a3f4fb4804eb94ab8d3573781d67f96d180b258cfc10be384eec44509ed" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880" + hash2 = "bea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49" + hash3 = "7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407" + hash4 = "e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c" + + strings: + $down_exec1 = "_down_update_run" nocase + $down_exec2 = "downAndExec" nocase + $encrypt1 = "_encrypt_pdf" + $encrypt2 = "_encrypt_data" + $error_msg1 = "_alertErr" + $error_msg2 = "_show_error_msg" + $view_pdf1 = "-[PEPWindow 
view_pdf:]" + $view_pdf2 = "-[PEPWindow viewPDF:]" + $macho_magic = {CF FA ED FE} + $java_magic = {CA FE BA BE} + + condition: + ($macho_magic at 0 or $java_magic at 0 ) and 5 of them and filesize > 50KB +} +rule SEKOIA_Backdoor_Lin_Sysupdate : FILE +{ + meta: + description = "Detect the SysUpdate malware" + author = "Sekoia.io" + id = "9cb806cf-4ca1-44d8-809a-58cc5f364fb8" + date = "2023-03-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_lin_sysupdate.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "93e17cd535444e9cabc7440b1226526e67ddb81a84eb6377689a62f268b9dfee" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "generate guid path=%s" + $ = "3rd/asio/include/asio/detail/posix_event.hpp" + $ = "expires_at" + $ = "%s -f %s" + $ = "expires_after" + $ = "-run" + + condition: + uint32( 0 ) == 0x464c457f and all of them +} +rule SEKOIA_Infostealer_Win_Solarmarker_Powershell : FILE +{ + meta: + description = "Finds SolarMarker PowerShell script based on characteristic strings" + author = "Sekoia.io" + id = "a2fe7f09-7134-4054-ba40-5ea66785a26d" + date = "2022-12-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_solarmarker_powershell.yar#L1-L25" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "32267cf7e03ed65da969aeeff5ef5d7291e47446ea11a4b391f085967e8aa67d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $fun = "function " ascii + $ps0 = "return -join 
(0..(10..30|Get-Random)|%{[char]((65..90)+(97..122)|Get-Random)})" ascii + $ps1 = /new-item -path \$[a-zA-Z0-9_]* -itemtype registrykey -force;/ + $ps2 = /set-item -path \$[a-zA-Z0-9_]* -value \$[a-zA-Z0-9_]*;/ + $str0 = "[IO.File]::WriteAllText($" ascii + $str1 = "CreateShortcut($env:appdata+" ascii + $str2 = "Registry::HKEY_CURRENT_USER\\Software\\Classes\\" ascii + $str3 = "New-Object System.Security.Cryptography.AesCryptoServiceProvider" ascii + $str4 = "[Convert]::FromBase64String([IO.File]::ReadAllText(" ascii + + condition: + $fun at 0 and 1 of ( $ps* ) and 2 of ( $str* ) +} +rule SEKOIA_Apt_Rusticweb_Stealer : FILE +{ + meta: + description = "Detects stealer used by RusticWeb" + author = "Sekoia.io" + id = "813072e0-28de-4cb7-b2cc-71d77a1e8508" + date = "2024-01-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_rusticweb_stealer.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "68f802ef442e68cbcca789eae2bb8a4395af86699320e5a8101c07469e7555fb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "-FTT=@" + $s2 = "https://oshi.at" + $s3 = "curl-T" + $s4 = "upload/upload.php" + $s5 = "cargo" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 4MB and 3 of them +} +rule SEKOIA_Apt_Polonium_Deepcreep_Strings : FILE +{ + meta: + description = "Tries to detect POLONIUM's DeepCreep implant" + author = "Sekoia.io" + id = "b04af229-2bea-4ee8-9e17-8e4befa06e3a" + date = "2022-10-12" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_polonium_deepcreep_strings.yar#L1-L20" + license_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "60724d2eb964e2c3681b72bdb732ca640b603af7dc94b4eb6608c77cddb94011" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = ";Invoke-Expression -Command '$shortcut =" ascii wide + $ = "CreateShortcut($c1" ascii wide + $ = "svchostdp.exe" ascii wide + $ = "HNlIC91IA==" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 3MB and 3 of them +} +import "pe" + +rule SEKOIA_Wiper_Hermeticwiper_Variants +{ + meta: + description = "Matches HermeticWiper and possible variants" + author = "Sekoia.io" + id = "102ecf15-167e-49e4-932c-6334e3cdcc69" + date = "2022-02-24" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/wiper_hermeticwiper_variants.yar#L3-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "d0c358517b0a6334d430d3bd75d6c58243ce84e0f90afe48a5069a1e1954119c" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "SeLoadDriverPrivilege" wide + $ = "\\\\.\\PhysicalDrive" wide + $ = "::$INDEX_ALLOCATION" wide + $ = "CrashDumpEnabled" wide + + condition: + 2 of them and pe.characteristics and pe.number_of_signatures == 1 and pe.number_of_resources > 2 and for 2 i in ( 0 .. pe.number_of_resources - 1 ) : ( uint32be( pe.resources [ i ] . offset + 15 ) == 0x4D5A9000 and uint16be( pe.resources [ i ] . 
offset ) == 0x535A ) +} +rule SEKOIA_Infostealer_Win_Whitesnake_Loader_Feb23 : FILE +{ + meta: + description = "Finds WhiteSnake samples (loader module, bat file)" + author = "Sekoia.io" + id = "f81a8a96-6fd2-4f5c-8a56-ff66ff1a80d3" + date = "2023-03-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_whitesnake_loader_feb23.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c9d4414fb17c28a3ea2e75837732e1657bdc7b2df4a7ab34e458d659441759e8" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "echo Please wait... a while Loading data ...." ascii + $str02 = "CERTUTIL -f -decode" ascii + $str03 = "%Temp%\\build.exe" ascii + $crt = "-----BEGIN CERTIFICATE-----" ascii + $mz = "TVqQAAMAAAAEAAAA" ascii + + condition: + ($str01 in ( 0 .. 200 ) or $str02 in ( 0 .. 200 ) or $str03 in ( 0 .. 200 ) ) and $mz in ( @crt .. 
@crt + 50 ) and filesize < 100KB +} +rule SEKOIA_Apt_Konni_Dropper : FILE +{ + meta: + description = "Detects Konni dropper used when distributed via malicious document" + author = "Sekoia.io" + id = "0783a55e-1d1e-40ca-a661-2c5dec6d78d6" + date = "2023-11-27" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_konni_dropper.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "6d1b1f5ccbdc20908891e5f40ceb85c251b1ca2a395fa4b106e63718c6393a22" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "UnzipAFile" + $ = "check.bat" + $ = "FOF_SILENT" + $ = "fLieObj" + + condition: + filesize < 1MB and 3 of them +} +rule SEKOIA_Apt_Oilrig_Odagent_Strings : FILE +{ + meta: + description = "Detects ODAgent malware based on strings" + author = "Sekoia.io" + id = "1c5c0eb5-7c6f-4a34-b2e2-4a7c6d7030d6" + date = "2023-12-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_oilrig_odagent_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "14a1399ff3519632e3bbb6eea0d44e9908cfc03728bd26f610ab75fff6a8d2c6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "application/x-www-form-urlencoded" ascii wide + $ = "dly>" ascii wide + $ = "DELETE" ascii wide + $ = "nok!" 
ascii wide + $ = ".c:/content" ascii wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 5MB and all of them +} +rule SEKOIA_Apt_Sidecopy_Reverserat_Strings : FILE +{ + meta: + description = "Detects SideCopy's ReverseRAT" + author = "Sekoia.io" + id = "383397c9-fd4a-4255-a8f2-27683bdbb7f7" + date = "2023-05-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sidecopy_reverserat_strings.yar#L1-L23" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "be657405b5703dc402b53350aa7ef18529bda3dc44c759585c4cfa1bc1eb76ff" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "downloadexe" wide + $ = "creatdir" wide + $ = "regnewkey" wide + $ = "reglist" wide + $ = "regdelkey" wide + $ = "clipboardset" wide + $ = "shellexec" wide + $ = "SELECT maxclockspeed, datawidth, name, manufacturer FROM Win32_Processor" wide + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Infostealer_Win_Lighting : FILE +{ + meta: + description = "Detect the Lighting infostealer based on specific strings" + author = "Sekoia.io" + id = "3c160c16-f417-4fa2-aa44-fb7b981fb2b3" + date = "2022-04-07" + modified = "2024-12-19" + reference = "https://blog.cyble.com/2022/04/05/inside-lightning-stealer/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_lighting.yar#L1-L40" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1c1d39ce886a433a352c55bf436b959ef528ad7ce38027243ed5b5f1ac79822f" + score = 75 + quality = 78 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "\\logins.json" wide + $str1 = "key3.db" 
wide + $str2 = "\\key4.db" wide + $str3 = "cert9.db" wide + $str4 = "\\places.sqlite" wide + $str5 = "7D78CB380BF5EFB7B851409CA6A875F77DECF09D19B9149DA17A3EBF674BC0F9" ascii + $str6 = "potentiallyVulnerablePasswords" wide + $dll0 = "\\mozglue.dll" wide + $dll1 = "\\nss3.dll" wide + $dll2 = "SbieDll.dll" wide + $app00 = "\\discord\\Local Storage\\leveldb\\" wide + $app01 = "Software\\Valve\\Steam" wide + $app02 = "Telegram Desktop\\tdata" wide + $app03 = "\\Wallets\\Armory\\" wide + $app04 = "\\Wallets\\Atomic\\Local Storage\\leveldb\\" wide + $app05 = "\\Exodus\\exodus.wallet\\" wide + $app06 = "\\Wallets\\Zcash\\" wide + $app07 = "uCozMedia\\Uran" wide + $app08 = "Comodo\\IceDragon" wide + $app09 = "8pecxstudios\\Cyberfox" wide + $app10 = "NETGATE Technologies\\BlackHaw" wide + $app11 = "Moonchild Productions\\Pale Moon" wide + + condition: + uint16( 0 ) == 0x5A4D and 6 of ( $str* ) and all of ( $dll* ) and 10 of ( $app* ) +} +import "pe" + +rule SEKOIA_Tool_Pchunter_And_Related_Certificate : FILE +{ + meta: + description = "Detects PCHunter and associated binairies & drivers" + author = "Sekoia.io" + id = "757c7738-4ee8-4b4e-bdda-0c5b0c010f40" + date = "2022-09-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_pchunter_and_related_certificate.yar#L3-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "924a85b2eaec73b628e705b3bb2e464582a71c19317d2023b1422b1b8ad97a51" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + uint16be( 0 ) == 0x4d5a and for any i in ( 0 .. pe.number_of_signatures ) : ( pe.signatures [ i ] . 
serial contains "05:51:bc:8c:6a:a2:ca:03:2b:c6:71:38:30:d8:49:a3" ) and filesize > 400KB and filesize < 20MB +} +rule SEKOIA_Apt_3Cx_Payload_Stealer : FILE +{ + meta: + description = "Detects stealer used in 3CX campaign" + author = "Sekoia.io" + id = "1ca0605d-101f-4d1d-a476-9dfd93e74b4c" + date = "2023-03-31" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_3cx_payload_stealer.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "17630ab86a3da3408e29765c0c30f14c76b870b88fea634b998392fe5d46cfa2" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "******************************** %s ******************************" wide + $s2 = "\\3CXDesktopApp\\config.json" wide + $s3 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\":" wide + $s4 = "%s.old" wide + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 8MB and all of them +} +rule SEKOIA_Apt_Kimsuky_Sharpext_Devps1_Strings : FILE +{ + meta: + description = "Detects strings of Dev.ps1" + author = "Sekoia.io" + id = "f2ad32a4-bfca-40b2-964e-b8562538a6f2" + date = "2022-07-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_sharpext_devps1_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "32e96440838bf63679b2a05ce4e6c226bed515ceb5180e3cf079206e21a0c0c5" + score = 75 + quality = 55 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "keybd_Event(" ascii fullword + $s2 = "Sleep" ascii fullword + 
$s3 = "CreateDev" ascii fullword + + condition: + filesize < 10KB and #s1 == 6 and #s2 == 6 and $s3 +} +rule SEKOIA_Tool_Gsocket_Strings : FILE +{ + meta: + description = "Detects Gsocket based on strings" + author = "Sekoia.io" + id = "55fb2f2b-1074-4b6d-9113-48eaeb0e1e27" + date = "2024-06-10" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_gsocket_strings.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "c54308293a9f64b571282eac9fba01e4671ba6b0cd45936fab92d4d9af904bbb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "proxy. It allows multiple gs-netcat clients to (securely) relay" + $ = "GS-NETCAT(1) General Commands Manual GS-NETCAT(1)" + $ = "-T Use TOR. The gs-netcat tool will connect via TOR to the GSRN." + $ = "-D Daemon & Watchdog mode. Start gs-netcat as a background process" + $ = "gs-netcat [-rlgvqwCTSDiu] [-s secret] [-k keyfile] [-L logfile] [-d IP]" + $ = "The gs-netcat utility is a re-implementation of netcat." + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a or uint32be( 0 ) == 0xfeedface or uint32be( 0 ) == 0xcffaedfe or uint32be( 0 ) == 0xcafebabe ) and filesize > 2MB and filesize < 6MB and 2 of them +} +import "hash" +import "pe" + +rule SEKOIA_Backdoor_Win_Headertip : FILE +{ + meta: + description = "Detect HeaderTip backdoor used by the Chinese threat actor Scarab. 
This backdoor has its hardcoded C2 in strings" + author = "Sekoia.io" + id = "82899406-4ec3-41d2-bcc1-bdd1ee440e77" + date = "2022-03-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_headertip.yar#L4-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "289764df590cd2719d4d4e0dd66f7d8ebb4714d42eea4bb76c47a2b867a113de" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "e1523185eac41a615b8d2af8b7fd5fe07b755442df2836041be544dff6881237" + hash2 = "da8a98d9b9a3c176ba44fb69ad0a820a971950e05f1eb0c4bbbf6c2fbb748bdc" + hash3 = "63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1" + + strings: + $post = "POST" wide + $ua = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" wide + + condition: + ( uint16( 0 ) == 0x5A4D and $post at 7256 and $ua at 7304 and filesize < 10KB ) or pe.imphash ( ) == "60d01115d6baa0f214990c6e19339133" or hash.md5 ( pe.rich_signature.clear_data ) == "48f9cf422144c033e2ca183f72587910" +} +rule SEKOIA_Apt_Muddywater_Powgoop_Loader : FILE +{ + meta: + description = "Detects the loader of PowGoop malware" + author = "Sekoia.io" + id = "716b45e1-9f17-4546-a003-a7c78340d623" + date = "2022-01-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_powgoop_loader.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "70f20928d2bbe081f0595ecdbb6dbe58a2f0807032598d88d829513e6d75287f" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = 
"$d.Add($in[$i]);" ascii wide + $s2 = "[System.Text.Encoding]::UTF8.GetString($o);" ascii wide + $s3 = "$i+=(1+1)" ascii wide + $t = { 24 ?? 3d [1-15] 20 24 ?? 3b ?? ?? ?? 20 24 ?? 3b } + + condition: + filesize < 50KB and ( 3 of ( $s* ) or $t in ( filesize -50 .. filesize ) ) +} +rule SEKOIA_Radx_Stealer : FILE +{ + meta: + description = "detection of RADX stealer based on function named in the .NET payload" + author = "Sekoia.io" + id = "bf2aae08-169c-4bc9-a1ac-80f4b79ef6d7" + date = "2023-12-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/radx_stealer.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b83ca089bb0ea7ad8b0f372de9a95ea9d35514f6a063b63986e6fd25bdc07095" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "get_FileName" ascii fullword + $s2 = "set_FileName" ascii fullword + $f1 = "TripleDESCryptoServiceProvider" ascii fullword + $f2 = "SendBase64ToServer" ascii fullword + $f3 = "SendCommandOutputToServer" ascii fullword + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize > 500KB and all of them +} +rule SEKOIA_Apt_Ir_Sugarush_Implant : FILE +{ + meta: + description = "Detects the SUGARUSH implant" + author = "Sekoia.io" + id = "bcf057cc-272c-4cb6-bb76-928788675282" + date = "2022-08-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_ir_sugarush_implant.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "0d249552013c29ce1eb66dca2d93e5cde0a1b0fb80aae55469bec3bda224be91" + score = 75 + 
quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "You are offline at " wide + $ = "\\Logs\\ServiceLog_" wide + $ = "Service is recall at" wide + $ = "add_OutputDataReceived" ascii + $ = "get_CurrentDomain" ascii + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 100KB and all of them +} +rule SEKOIA_Apt_Kimsuky_Sharpext_Devtoolmodule_Strings : FILE +{ + meta: + description = "Detects the DevTool module used by SharpExt" + author = "Sekoia.io" + id = "6f589a9c-344a-4ddc-929e-f123a2c3c187" + date = "2022-07-29" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_kimsuky_sharpext_devtoolmodule_strings.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "61007801d28636c6d88b14225f34910d03e82337520257637a5017d58600b2bc" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "packetProc = function" ascii fullword + $ = "var url = request.request.url" ascii fullword + $ = "https://mail" ascii fullword + + condition: + all of them and filesize < 50KB +} +rule SEKOIA_Malware_Win_Passlib : FILE +{ + meta: + description = "Detect the Passlib malware" + author = "Sekoia.io" + id = "609999e2-a644-4bf3-bce2-b0e1b0e7094b" + date = "2022-07-28" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_win_passlib.yar#L1-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5e76f7c40a00182ee076720b4c19a45e82a8ce11740fdd8e9419f9d9e93cdb41" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = 
"TLP:CLEAR" + + strings: + $ = "Passlib test utility - Version %s" wide + $ = "-l (arbitrary dll injection into LSASS)" wide + $ = "-u (arbitrary dll uninjection from LSASS)" wide + $ = "DLL %s injection was successful requested!" wide + $ = "DLL %s uninjection was successful requested!" wide + $ = "Process %s was succesfully created with full privileges and system integrity!" wide + $ = "full_path_to_volatile_payload_dll" wide + $ = "%s: [%s]:[%s] (http_only:%d)" wide + $ = "LEX server has been deployed at lsass." wide + $ = "LEX client is using volatile payload at: %s" wide + $ = "LEX client is using permanent payload at: %s" wide + $ = "Passlib execution finished" wide + $ = "Running on Passlib version %ws" wide + $ = "There was a problem initializing passlib manager interface." wide + $ = "Passlib running without high integrity" wide + $ = "About to dump passwords through passlib manager interface" wide + + condition: + uint16( 0 ) == 0x5A4D and filesize > 1500KB and all of them +} +rule SEKOIA_Hacktool_Nbtscan_Strings : FILE +{ + meta: + description = "Detects NBTScan hacktool based on strings, ELF & PE variants" + author = "Sekoia.io" + id = "8883b56c-a085-459c-9ec6-a139ad5a2671" + date = "2022-02-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_nbtscan_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "87e4f5dd16ee29dfd23b70dccbc41b0ef40c2db28f42fbd7fd84e5e93ca5c943" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "CHT:nfp:bt:vw:mVO:1P" + $ = "usage: %s [options] target [targets...]" + $ = "Targets are lists of IP addresses, DNS names, or address" + $ = "net bits [%d] must be 1..32" + $ = "subnet /%d is too large (%d max)" + $ = "[%s] is 
invalid IP address" + $ = "[%s] is an invalid target (bad IP/hostname)" + + condition: + uint16be( 0 ) == 0x4d5a and 5 of them +} +rule SEKOIA_Water_Sigbin_Group +{ + meta: + description = "Detects IOCs related to the 8220 Mining group." + author = "Sekoia.io" + id = "c49728e8-db7e-4d83-97d2-7d56b51f8a52" + date = "2024-06-11" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/water_sigbin_group.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "dd51945bf79e37b50d377eda3641eb32438dcb5a1c55fb4a9b66a5b5a8b5ed0d" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "Z12A3" ascii fullword + $s2 = "FromBase64String" ascii fullword + $s3 = "Start-Process" ascii fullword + $s4 = "WriteAllBytes" ascii fullword + + condition: + all of them +} +rule SEKOIA_Tool_Dynamicwrapper_Strings : FILE +{ + meta: + description = "Detects DynamicWrapperX" + author = "Sekoia.io" + id = "bbfad0a8-8b86-47c7-bf70-0a3f6859d64b" + date = "2023-12-01" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_dynamicwrapper_strings.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fad5fec74dc3efdd7fc67ef1c6373957df4ee564f3fe6333b924b236ea7458d9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Software\\Classes\\DynamicWrapperX" ascii + $ = "DllRegisterServer" ascii + $ = "GoLink, GoAsm" ascii + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 100KB and all of them +} +import "pe" + +rule SEKOIA_Hacktool_Win_Gmer : 
FILE +{ + meta: + description = "Dtect the GMER hacktool based string and UPX usage" + author = "Sekoia.io" + id = "d2f1aba1-4222-45e5-95bd-4d7f08595cea" + date = "2022-09-09" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_win_gmer.yar#L3-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "dbd4e97c343dcb14c6e814afa820a9fbb5aa4290c7ddf9d864029bb35bb96dbf" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $pac = "IDI_GMER" wide + $str0 = "---- Processes - GMER %s ----" ascii + $str1 = "E:\\projects\\cpp\\gmer\\Release\\gmer.pdb" ascii + + condition: + uint16( 0 ) == 0x5A4D and ( ( $pac and for any i in ( 0 .. pe.number_of_sections -1 ) : ( pe.sections [ i ] . name == "UPX0" ) ) or any of ( $str* ) ) and filesize < 900KB +} +rule SEKOIA_Infostealer_Win_Meduzastealer : FILE +{ + meta: + description = "Finds MeduzaStealer samples based on specific strings" + author = "Sekoia.io" + id = "1276f485-aa5d-491b-89d8-77f98dc496e1" + date = "2023-06-20" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_meduzastealer.yar#L1-L26" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e81a5a9611662422eb7a87c0c1a370cee6f138fd6169225d969b669337d91a06" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "emoji" ascii + $str02 = "%d-%m-%Y, %H:%M:%S" ascii + $str03 = "[UTC" ascii + $str04 = "user_name" ascii + $str05 = "computer_name" ascii + $str06 = "timezone" ascii + $str07 = "current_path()" ascii 
+ $str08 = "[json.exception." ascii + $str09 = "GDI32.dll" ascii + $str10 = "GdipGetImageEncoders" ascii + $str11 = "GetGeoInfoA" ascii + + condition: + uint16( 0 ) == 0x5a4d and 8 of them and filesize > 500KB +} +rule SEKOIA_Guerrilla_Lemongroup : FILE +{ + meta: + description = "No description has been set in the source file - SEKOIA" + author = "Sekoia.io" + id = "df635b5a-a19a-48ab-9a3a-9723e265c71d" + date = "2023-05-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/guerrilla_lemongroup.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "b644cb537a42217f2549f37bfe07ae0b7ba39fc248ab3d5fd870384c7684683b" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $dex = { 64 65 78 0A 30 33 ?? 00 } + $odex = { 64 65 79 0A 30 33 ?? 00 } + $s2 = "data response code===" ascii + $s3 = "httpCon:" ascii + $s4 = "processName :" ascii + $s5 = "startListTasks......" 
ascii + $s6 = "url==" ascii + $s7 = "java core run ZYGOTE_PROCESS" ascii + $api1 = "/api.php" ascii + $api2 = "/event.php" ascii + $api3 = "/apiRS.php" ascii + + condition: + ($dex at 0 or $odex at 0 ) and filesize > 100KB and filesize < 5MB and 5 of ( $s* ) and 1 of ( $api* ) +} +rule SEKOIA_Hacktool_Ligolo_Strings : FILE +{ + meta: + description = "Detects ligolo based on strings" + author = "Sekoia.io" + id = "5013256b-eda3-417e-ac72-959055b01c7e" + date = "2022-02-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_ligolo_strings.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "12609bed61ef4d86737bc652a75c74f01e4a251466129ff56da0d7e002566d50" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Restarting Ligolo..." 
+ $ = "Ligolo starts a socks5 proxy server" + $ = "main.startSocksProxy" + $ = "main.handleRelay" + $ = "main.StartLigolo" + + condition: + ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize > 2MB and filesize < 5MB and 3 of them +} +rule SEKOIA_Apt_Muddywater_Muddyc2Go_Dll_Launcher_Strings : FILE +{ + meta: + description = "Detects MuddyC2Go DLL launcher" + author = "Sekoia.io" + id = "59756195-d842-4038-8fbf-43d26f4353bc" + date = "2024-03-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_muddyc2go_dll_launcher_strings.yar#L1-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca" + logic_hash = "b91653e313258ebd2073a398d0467800056ac94adab02c3a83aa8a379710e4e6" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "-Method GET -ErrorAction Stop;Write-Output $response.Content;iex $response.Content;" + $ = "GetCurrentProcess" + $ = "TerminateProcess" + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 50KB and all of them +} +import "hash" +import "pe" + +rule SEKOIA_Icebot_Exported_Function : FILE +{ + meta: + description = "Detects the IceBot RAT used by FIN7 based on the exported function" + author = "Sekoia.io" + id = "1a1fb651-6ce3-4751-be23-c27a3d8dabde" + date = "2022-01-17" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/icebot_exported_function.yar#L4-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = 
"c029693f555726d28375717fe459ccf4521d2d63fc7053032bbafd60129848f0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "5ee5b869689686d9352c73173304627bb424b8d0a8510e6f16726ac84fdec79d" + hash2 = "0f76768f65775329d7a0ddb977ea822d992d086ce48a23679cef66e3b4d2f4ed" + hash3 = "f06c7f1b91fb2f64e1f38df6eaf2b52a74b16cc958d74c4401fdaf180deb595a" + hash4 = "cbed0cf3273ce544a7e4e316d5c8f5e9c9ac6deaefa485a6afad2654fe75ff1e" + + strings: + $a = {cc cc cc 48 89 4c 24 ?? 53 55 56 57 41 54 41 55 41 56 41 57 ?? ?? ?? ?? 33 f6 44 8b ee 48 89 74 24 ?? 8b ee 48 89 b4 24 ?? ?? ?? ?? 44 8b f6 48 89 74 24 ?? 44 8b e6 e8 bf ff ff ff 4c 8b f8 8d 5e ?? b8 ?? ?? ?? ?? 66 41 39 07 75 1b 49 63 57 ?? 48 8d 4a ?? 48 81 f9 ?? ?? ?? ?? 77 0a 42 81 3c 3a ?? ?? ?? ?? 74 05 4c 2b fb eb d5 65 48 8b 04 25 ?? ?? ?? ?? bf ?? ?? ?? ?? 4c 89 bc 24 ?? ?? ?? ?? 48 8b 48 ?? 4c 8b 59 ?? 4c 89 9c 24 ?? ?? ?? ?? 4d 85 db 0f 84 d5 01 00 00 41 b9 ff ff 00 00 49 8b 53 ?? 48 8b c6 45 0f b7 43 ?? 0f b6 0a c1 c8 ?? 80 f9 ?? 72 04 48 83 c0 ?? 48 03 c1 48 03 d3 66 45 03 c1 75 e5 3d ?? ?? ?? ?? 0f 85 d2 00 00 00 49 8b 53 ?? 41 bb ff ff 00 00 48 63 42 ?? 8b b4 10 ?? ?? ?? ?? 44 8b 54 16 ?? 8b 5c 16 ?? 4c 03 d2 48 03 da 45 33 c9 45 8d 79 ?? 45 8b 02 41 8b c9 4c 03 c2 41 8a 00 4d 03 c7 c1 c9 ?? 0f be c0 03 c8 41 8a 00 84 c0 75 ee 81 f9 ?? ?? ?? ?? 74 10 81 f9 ?? ?? ?? ?? 74 08 81 f9 ?? ?? ?? ?? 75 44 44 8b 4c 16 ?? 44 0f b7 03 4c 03 ca 81 f9 ?? ?? ?? ?? 75 09 47 8b 2c 81 4c 03 ea eb 20 81 f9 ?? ?? ?? ?? 75 09 43 8b 2c 81 48 03 ea eb 0f 81 f9 ?? ?? ?? ?? 75 07 47 8b 34 81 4c 03 f2 66 41 03 fb 45 33 c9 49 83 c2 ?? 48 83 c3 ?? 66 85 ff 0f 85 75 ff ff ff 4c 8b 9c 24 ?? ?? ?? ?? 33 f6 48 89 ac 24 ?? ?? ?? ?? 4c 89 6c 24 ?? e9 8d 00 00 00 3d ?? ?? ?? ?? 0f 85 90 00 00 00 4d 8b 43 ?? 41 bf ?? ?? ?? ?? 41 0f b7 ff bd ff ff 00 00 49 63 40 ?? 42 8b 9c 00 ?? ?? ?? ?? 46 8b 4c 03 ?? 46 8b 54 03 ?? 4d 03 c8 4d 03 d0 41 8b 11 8b ce 49 03 d0 8a 02 49 03 d7 c1 c9 ?? 
0f be c0 03 c8 8a 02 84 c0 75 ef 81 f9 ?? ?? ?? ?? 75 16 42 8b 4c 03 ?? 41 0f b7 12 49 03 c8 44 8b 24 91 4d 03 e0 66 03 fd 49 83 c1 ?? 49 83 c2 ?? 66 85 ff 75 ba 48 8b ac 24 ?? ?? ?? ?? 4c 89 64 24 ?? 41 b9 ff ff 00 00 bf ?? ?? ?? ?? 49 8b df 4d 85 ed 74 0f 48 85 ed 74 0a 4d 85 f6 74 05 4d 85 e4 75 14 4d 8b 1b 4c 89 9c 24 ?? ?? ?? ?? 4d 85 db 0f 85 39 fe ff ff 4c 8b bc 24 ?? ?? ?? ?? 49 63 6f ?? 33 c9 49 03 ef 89 b4 24 ?? ?? ?? ?? 41 b8 00 ?? ?? ?? 48 89 6c 24 ?? 4c 8b e6 44 8d 49 ?? 8b 55 ?? 41 ff d6 44 0f b7 45 ?? 48 8b f8 44 0f b7 55 ?? 49 83 c0 ?? 4d 85 d2 74 4f 4c 03 c5 41 8b 00 4c 2b d3 45 8b 48 ?? 41 8b 48 ?? 48 03 cf 49 8d 14 07 41 03 c1 89 84 24 ?? ?? ?? ?? 48 8b c1 48 2b c2 4d 85 e4 49 0f 45 c4 4c 8b e0 4d 85 c9 74 0f 8a 02 48 03 d3 88 01 48 03 cb 4c 2b cb 75 f1 49 83 c0 ?? 4d 85 d2 75 b4 8b 85 ?? ?? ?? ?? 41 be ?? ?? ?? ?? 85 c0 0f 84 e8 00 00 00 48 8d 1c 07 8b 43 ?? 85 c0 0f 84 d9 00 00 00 48 8b ac 24 ?? ?? ?? ?? 8b c8 48 03 cf 41 ff d5 44 8b 7b ?? 33 c9 8b 33 4c 03 ff 48 03 f7 4c 8b e8 49 39 0f 74 7d 48 85 f6 74 31 48 39 0e 7d 2c 49 63 45 ?? 0f b7 16 42 8b 8c 28 ?? ?? ?? ?? 42 8b 44 29 ?? 42 8b 4c 29 ?? 48 2b d0 49 03 cd 8b 04 91 49 03 c5 49 89 07 33 c9 eb 2a 4d 8b 37 49 8b cd 49 83 c6 ?? 4c 03 f7 49 8b d6 ff d5 33 c9 49 89 07 41 38 0e 74 0e 8d 41 ?? 41 88 0e 4c 03 f0 41 38 0e 75 f5 49 83 c7 ?? 48 8d 46 ?? 48 85 f6 48 0f 44 c6 48 8b f0 49 39 0f 75 89 41 be ?? ?? ?? ?? 8b 43 ?? 48 03 c7 33 f6 eb 06 40 88 30 49 03 c6 40 38 30 75 f5 8b 43 ?? 48 83 c3 ?? 4c 8b 6c 24 ?? 85 c0 0f 85 3c ff ff ff 48 8b 6c 24 ?? 4c 8b bc 24 ?? ?? ?? ?? 4c 8b cf 4c 2b 4d ?? 39 b5 ?? ?? ?? ?? 0f 84 b5 00 00 00 8b 95 ?? ?? ?? ?? 48 03 d7 8b 42 ?? 85 c0 0f 84 a1 00 00 00 41 bf ?? ?? ?? ?? bb ff ?? ?? ?? 45 8d 6f ?? 44 8b 02 4c 8d 5a ?? 44 8b d0 4c 03 c7 49 83 ea ?? 49 d1 ea 74 62 41 be ?? ?? ?? ?? 41 0f b7 0b 4d 2b d6 0f b7 c1 66 c1 e8 ?? 66 83 f8 ?? 75 09 48 23 cb 4e 01 0c 01 eb 34 66 41 3b c5 75 09 48 23 cb 46 01 0c 01 eb 25 66 41 3b c6 75 11 48 23 cb 49 8b c1 48 c1 e8 ?? 
66 42 01 04 01 eb 0e 66 41 3b c7 75 08 48 23 cb 66 46 01 0c 01 4d 03 df 4d 85 d2 75 a7 8b 42 ?? 48 03 d0 8b 42 ?? 85 c0 0f 85 7a ff ff ff 4c 8b bc 24 ?? ?? ?? ?? 44 8d 70 ?? 8b 5d ?? 45 33 c0 33 d2 48 83 c9 ff 48 03 df ff 54 24 ?? e8 21 fb ff ff 4d 85 e4 74 13 48 85 c0 74 0e 4a 8d 0c 20 4c 8b e6 e8 67 00 00 00 eb 3b 8b 94 24 ?? ?? ?? ?? c1 ea ?? 89 b4 24 ?? ?? ?? ?? eb 1d 48 63 84 24 ?? ?? ?? ?? 41 89 34 87 8b 84 24 ?? ?? ?? ?? 41 03 c6 89 84 24 ?? ?? ?? ?? 8b 84 24 ?? ?? ?? ?? 3b c2 72 d8 4c 8b 84 24 ?? ?? ?? ?? ba ?? ?? ?? ?? 48 8b cf ff d3 49 8d 04 3c ?? ?? ?? ?? 41 5f 41 5e 41 5d 41 5c 5f 5e 5d 5b c3} + + condition: + uint16( 0 ) == 0x5A4D and $a or pe.imphash ( ) == "37af5cd8fc35f39f0815827f7b80b304" or hash.md5 ( pe.rich_signature.clear_data ) == "b857cf76a54ce175c225eaaae66547a2" +} +rule SEKOIA_Unknown_7777_Xlogin : FILE +{ + meta: + description = "Detects the xlogin bind shell and its variants" + author = "Sekoia.io" + id = "ce0beffc-f957-43ef-a739-f4a1099a7a67" + date = "2024-07-18" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/unknown_7777_xlogin.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "4d9067e7cf517158337123a30a9bd0e3" + hash = "43ea387b8294cc4d0baaef6d26ff7c72" + hash = "777d6f907da38365924a0c2a12e973c5" + hash = "8542a3cbe232fe78baa0882736c61926" + logic_hash = "1c38d8019734affdebac32050097bbcf89e9069fb2145a976588eca04ecc78df" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $string1 = { 2f 62 69 6e 2f 73 68 00 2f 74 6d 70 2f 6c 6f 67 69 6e } + $string2 = { 2F 64 65 76 2F 6E 75 6C 6C [1-3] 2F 62 69 6E 2F 73 68 00 2D 63 } + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 180KB and ( ( @string2 - @string1 < 3400 ) ) +} +rule 
SEKOIA_Apt_Gamaredon_Powerrevshell : FILE +{ + meta: + description = "Detects Powershell reverse shell" + author = "Sekoia.io" + id = "b5161c23-c607-4096-9f4a-1be516a0a614" + date = "2023-02-08" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_gamaredon_powerrevshell.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fc5abcdf47641c1e7978cf076550f38987305bb2171b3e65f7865102a065af43" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "iex $enc.GetString(" + $ = "$stream.Write" + $ = ".).FullName" + $ = "Sockets.TcpClient" + $ = "\">\";" + + condition: + all of them and filesize < 3000 +} +rule SEKOIA_Builder_Win_Royalroad_Rtf : FILE +{ + meta: + description = "Detects RoyalRoad weaponized RTF documents" + author = "Sekoia.io" + id = "065e798b-eadd-4aac-a444-de61b75f0273" + date = "2022-06-23" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/builder_win_royalroad_rtf.yar#L1-L15" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "831962105248e33422344d1431b90f2b567439b54252668f9294ea388f405b41" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "{\\object\\objocx{\\objdata" + $ = "ods0000" + + condition: + uint32be( 0 ) == 0x7B5C7274 and all of them +} +rule SEKOIA_Apt_Ivanti_Krustyloader : FILE +{ + meta: + description = "Detects KrustyLoader used in the Ivanti campaign" + author = "Sekoia.io" + id = "617fdd5f-7555-49e8-b0ec-2199f017dc40" + date = "2024-01-29" + modified = "2024-12-19" + 
reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_ivanti_krustyloader.yar#L1-L28" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "fe982dffcff4bec78593080d7745aeb32bc2e3b7e0df373bbbd53bc6f53cfcbf" + score = 75 + quality = 30 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "/proc/self/exe" ascii fullword + $s2 = "||||||||||||||" + $s3 = "/tmp/" + $xor = {40 80 f5} + $chunk_1 = { + 66 0F EF D0 + 66 0F 6F C3 + 66 0F 73 F8 0C + 66 0F EF C1 + 66 0F EF C2 + 66 0F EF C3 + } + + condition: + uint32be( 0 ) == 0x7f454c46 and filesize < 2MB and all of them and #xor > 2 and #chunk_1 > 6 and @s3 < @s2 and @s2 < @s3 + 300 +} +rule SEKOIA_Tool_Scanline_Strings : FILE +{ + meta: + description = "Detects scanline (non-packed)" + author = "Sekoia.io" + id = "65677b81-d077-4d01-8398-cbb06ce49edf" + date = "2024-09-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_scanline_strings.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e02ae30451aa5eaffb588e92ecc221bf6ed07097bc493c6a55cf688da8b76151" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Resolve IP addresses to hostnames" + $ = "Randomize IP and port scan order" + $ = "?bhijnprsT" + $ = "sl -bht" + + condition: + uint16be( 0 ) == 0x4d5a and 3 of them +} +rule SEKOIA_Rat_Win_Tutclient : FILE +{ + meta: + description = "Detect the open-source RAT TutClient" + author = "Sekoia.io" + id = "2bd2d61f-3654-4acd-9773-8d3617c67ee0" + date = "2024-02-09" + modified = "2024-12-19" + reference = 
"https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_win_tutclient.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f780948ab03dd0cd64d023367186a88c9eaa566170142e34aaa08788d9a684eb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "Clipboard Data Not Retrived!" wide + $ = "Remote Cmd stream reading failed!" wide + $ = "PasswordFox" wide + $ = "[Right Click, Position: x = ; y = ]" wide + $ = "SendCommand" + $ = "HandleCommand" + + condition: + uint16be( 0 ) == 0x4d5a and all of them +} +rule SEKOIA_Infostealer_Win_Acrstealer_Str : FILE +{ + meta: + description = "Finds ACR Stealer standalone samples based on specific strings." + author = "Sekoia.io" + id = "63b4d6ff-0cab-44ec-9d53-bb2612371a48" + date = "2024-04-22" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_acrstealer_str.yar#L1-L29" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "53d313857577b39b51a3e396c078d39a8b8ab803295b689357c3e8ea94cac9f7" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str01 = "ref.txt" ascii + $str02 = "Wininet.dll" ascii + $str03 = "Content-Type: application/octet-stream; boundary=----" ascii + $str04 = "POST" ascii + $str05 = "os_c" ascii fullword + $str06 = "en_k" ascii fullword + $str07 = "MyApp/1.0" ascii + $str08 = "/Up/b" ascii + $str09 = "Hello, World!" 
ascii + $str10 = "/ujs/" ascii + $str11 = "/Up/" ascii fullword + $str12 = "ostr" ascii fullword + $str13 = "brCH" ascii fullword + $str14 = "brGk" ascii fullword + $str15 = "https://steamcommunity.com/profiles/" ascii + + condition: + uint16( 0 ) == 0x5A4D and 10 of them +} +import "hash" +import "pe" + +rule SEKOIA_Implant_Win_Graphiron_Downloader : FILE +{ + meta: + description = "Detect the downloader of Graphiron" + author = "Sekoia.io" + id = "c50c4bd2-3828-43bf-b45c-8e911c298536" + date = "2023-02-10" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_win_graphiron_downloader.yar#L4-L22" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "f0aa0541cbf3f93ee136cf3235a4935f1c0588b5cdb21203abee9f61baf3f4f2" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + hash1 = "0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63" + hash2 = "878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db" + + condition: + for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "1b614f8d813125f56d2e772ed0ca5dae" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "5c6496d33de5a35bd38ddb12d8b42e03" ) and filesize > 3MB and filesize < 6MB +} +rule SEKOIA_Ransomware_Win_Karma : FILE +{ + meta: + description = "Detect the Karma ransomware payload" + author = "Sekoia.io" + id = "efd87a17-7c99-404a-8ea6-2f5c2121f9f2" + date = "2021-08-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_karma.yar#L1-L21" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ef272be7ae5fea084120db95f7b002e9061d72442836e836ca43ddc7b461be4e" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $a1 = "KARMA" ascii + $u1 = "KARMA" wide + $u2 = "-ENCRYPTED.txt" wide + $u3 = "Encrypting directory:" wide + $u4 = "Encrypting file:" wide + $u5 = "Trying to import ECC public key..." 
wide
+
+ condition:
+ uint16( 0 ) == 0x5A4D and filesize < 150KB and all of them
+}
+rule SEKOIA_Exploit_Linux_Eop_Cve202121974_Exploit_Strings : CVE_2021_21974 FILE
+{
+ meta:
+ description = "Detects CVE-2021-21974 Local Privesc exploit"
+ author = "Sekoia.io"
+ id = "8e1fbbe5-7d51-48b4-80d5-90abff8cab9e"
+ date = "2023-12-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_linux_eop_cve202121974_exploit_strings.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a2e6e2660fcbf6ffa80809c02ca78fae85d27f6cd8d2c83bb2645a86124ca7f2"
+ score = 75
+ quality = 80
+ tags = "CVE-2021-21974, FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = ".name.replace('Thread','SLP Client'"
+ $ = "print('[' + name + '] recv: ', d)"
+ $ = "requests[28].put(connect())"
+ $ = "[+] stack enviorn address:"
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 1MB and all of them
+}
+rule SEKOIA_Malware_Valleyrat_Downloader_Strings : FILE
+{
+ meta:
+ description = "Detects ValleyRat downloader"
+ author = "Sekoia.io"
+ id = "12985f34-f894-402b-80d1-5d6b2486d730"
+ date = "2024-06-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_valleyrat_downloader_strings.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "321683ac5bdec626cf140cb50507fb03aea2a32635eb6cec884a3fa43c1a9d91"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = { 43 00 3a 00 5c [0-30]
+ 5c 00 4e 00 54 00 55
+ 00 53 00 45 00 52 00
+ 2e 00 44 00 58 }
+
+ 
condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 2MB and all of them
+}
+rule SEKOIA_Spyware_And_Bahamut
+{
+ meta:
+ description = "Detect Bahamut's spyware based on common information gathering function names"
+ author = "Sekoia.io"
+ id = "d416997e-baf1-412c-bf39-905a6e19b65e"
+ date = "2022-11-23"
+ modified = "2024-12-19"
+ reference = "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/spyware_and_bahamut.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "5f44c938fed9b32eaf183be979a67e0c7fde409e72875359105ad7ffb393893d"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+ hash1 = "c51dc2132c830c560aaeae4bf48e5f0d28c84b36d27840b5c2ba170d87f4afa5"
+ hash2 = "d7e2cf642b236dba9ba0cbe5a9dc28baf22477973d5ce163e21ec40f5f26e078"
+
+ strings:
+ $ = "FbDao"
+ $ = "SignalDao"
+ $ = "conionDao"
+
+ condition:
+ all of them
+}
+rule SEKOIA_Rootkit_Win_Purplefox_Svchost_Txt : FILE
+{
+ meta:
+ description = "Detects Purple Fox payloads used during end-2021 and 2022 campaigns based on characteristics shared by TrendMicro details." 
+ author = "Sekoia.io"
+ id = "e992d574-6a44-4bea-97e2-6d5579ce8d02"
+ date = "2022-03-28"
+ modified = "2024-12-19"
+ reference = "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rootkit_win_purplefox_svchost_txt.yar#L1-L22"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "a1de949cb2e898ed031f5c796f7152af12dfae5431dfaf269f25ebe72f0ae004"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str0 = "C:\\ProgramData\\dll.dll,luohua" wide
+ $str1 = "C:\\ProgramData\\7z.exe" wide
+ $str2 = "F:\\hidden-master\\x64\\Debug\\QAssist.pdb" ascii
+ $str3 = "F:\\Root\\sources\\MedaiUpdateV8\\Release\\MedaiUpdateV8.pdb" ascii
+ $str4 = "cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255" ascii
+ $str5 = "del /s /f %appdata%\\Mozilla\\Firefox\\Profiles\\*.db" ascii
+
+ condition:
+ 4 of ( $str* ) and filesize > 7000KB and filesize < 9500KB
+}
+rule SEKOIA_Tool_Safetykatz : FILE
+{
+ meta:
+ description = "No description has been set in the source file - SEKOIA"
+ author = "Sekoia.io"
+ id = "90f93244-38a7-4574-87c6-15d494e9173b"
+ date = "2023-06-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_safetykatz.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f443dd5be1e15f8385427d965f8c8476c5f1b57b7c9ab53d9e13eb47735e09d3"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "SafetyKatz" ascii fullword
+ $s2 = "get_mimikatz" ascii fullword
+ $s3 = 
"$8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii fullword
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 1MB and all of them
+}
+rule SEKOIA_Tool_Chisel_Strings : FILE
+{
+ meta:
+ description = "Detects Chisel"
+ author = "Sekoia.io"
+ id = "667a8aa3-772b-45f1-8c89-acb7b976888d"
+ date = "2024-03-14"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_chisel_strings.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "fe389d9d0ae73c79f1040274e21135d4df645c5ac672fc824923f0a5a085be8a"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "tunnel.(*Tunnel).handleSSHChannel."
+ $ = "server.(*Server).handleWebsocket"
+ $ = "tunnel.(*udpHandler)"
+ $ = "server.(*Server).tlsLetsEncrypt"
+ $ = "cnet.(*wsConn).SetPingHandler.(*Conn)"
+ $ = "tunnel.(*udpConns).dial." 
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 15MB and 3 of them
+}
+rule SEKOIA_Apt_Lazarus_Vhd_Ransomware_Loader : FILE
+{
+ meta:
+ description = "Detects VHD ransomware x64 loader "
+ author = "Sekoia.io"
+ id = "377f3ec5-fa2a-431e-93d2-6a1eb9e01d28"
+ date = "2022-11-28"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_lazarus_vhd_ransomware_loader.yar#L1-L30"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "33000fd79b5aae59dcbf445bb4d0d65cf5f939f376a4e3d9e23e14b11ca297da"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = { B8 64 [8] B8 75 [8] B8 6D [8] B8 70 [8] B8 2E [8] B8 62 [8] B8 69 [8] B8 6E }
+ $ = { 48 63 ?? ?? ??
+ 48 8B ?? ?? ??
+ 0F BE ?? ??
+ B9 ?? ?? ?? ??
+ 48 6B ?? ??
+ 48 8B ?? ?? ??
+ 0F BE ?? ??
+ ?? ??
+ 48 63 ?? ?? ??
+ 48 8B ?? ?? ??
+ 88 ?? ?? 
+ EB }
+ $ = { 25 00 73 00 5c [3-15] 25 00 64 00 25 00 64 00 2e 00 62 00 69 00 6e }
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 200KB and 2 of them
+}
+rule SEKOIA_Tool_Edrsandblast_Api_Strings : FILE
+{
+ meta:
+ description = "Detects EDRSandblast API strings"
+ author = "Sekoia.io"
+ id = "8a5dc171-dce8-4b5a-96e9-53dd1855e8c1"
+ date = "2024-01-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_edrsandblast_api_strings.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "cd6afe68cf04e4949add323e0b5af5ea577b3dca07743e312e8236bf5c937672"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "[!] Required driver file not present at" wide
+ $ = "[!] New uninstall / install attempt failed" wide
+ $ = "[!] Kernel offsets are missing from the CSV" wide
+ $ = "[+] Downloading wdigest offsets from the MS Symbol Server" wide
+ $ = "[+] Check if EDR callbacks are registered on process" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and 4 of them
+}
+rule SEKOIA_Implant_Any_Sliver_Not_Stripped : FILE
+{
+ meta:
+ description = "Rule which detects non stripped Sliver PE/Dlls/ELFs/MAC-O." 
+ author = "Sekoia.io"
+ id = "35543c7c-c39b-4f96-b37c-1d27736e40fc"
+ date = "2021-11-08"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/implant_any_sliver_not_stripped.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "5240f3ea1fb421697eeb12eb17d0b31c036b53f39c3a590473d87065b5d28e3e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ modification_date = "2021-12-22"
+ version = "1.1"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $a1 = "github.com/bishopfox/sliver/implant/sliver/"
+
+ condition:
+ ( uint16be( 0 ) == 0x4d5a or uint32be( 0 ) == 0x7f454c46 or uint32be( 0 ) == 0xcffaedfe ) and filesize < 11MB and filesize > 8MB and #a1 > 200
+}
+rule SEKOIA_Apt_Mustangpanda_Mqsttang_Qmagent : FILE
+{
+ meta:
+ description = "Detects specifics string of MQsTTang, also known as QMAGENT"
+ author = "Sekoia.io"
+ id = "bcf6f961-0d9b-4fbc-81d2-f5d00c68d4d5"
+ date = "2023-03-27"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_mustangpanda_mqsttang_qmagent.yar#L1-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "4e7aa53e561cad512b031240bce6ad207b80ff7438eee39cd05bb92412aaa632"
+ score = 75
+ quality = 30
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "iot/server"
+ $s2 = "QMQTT::Message"
+ $s3 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+ $command1 = "c_topic"
+ $command2 = "Alive"
+ $command3 = "msg"
+ $command4 = "ret"
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 8MB and all of them
+}
+rule 
SEKOIA_Apt_Icepeony_Icecache : FILE
+{
+ meta:
+ description = "Detects IceCache backdoor"
+ author = "Sekoia.io"
+ id = "3135c70e-c925-4d26-beed-09424fc0c153"
+ date = "2024-10-21"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_icepeony_icecache.yar#L1-L46"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "38708c33dafb5625ddde1030a7efa7db"
+ hash = "1e102c8909b2bf71c626b81f7526ee01"
+ hash = "34bc3c586a48f836b00aff59fe891b30"
+ hash = "cd906f4cef84dddeb644b06777474b2e"
+ hash = "add23fedfbf238f51173796f3feb12af"
+ hash = "25b8daaa5e9c5f8820261d7ebf79f3cd"
+ hash = "7fd45cc1de1230c916d5f547a9fc725c"
+ hash = "e6e4060e838d7af5f13ad64258d5db0c"
+ hash = "87dfc911885420380bea0cf74c8160d3"
+ hash = "bd15103b300cad635191972330913d17"
+ hash = "a8119b7803a6e0b8aed6bc74d9062b7f"
+ hash = "e1bc3efc33b57c9e1e6d37e5011228f2"
+ hash = "e1233a5f613aafec2c28133e810f536d"
+ hash = "fe88a5b91841b25b4bafa08d42faab22"
+ logic_hash = "db82489e1a1eb55960b7a8fd3e6f52db526295ed4e5b90ddea826c5be5f9a1c4"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "Source Response Empty!"
+ $ = "Source Response Len:"
+ $ = "GetFromSource:"
+ $ = "Failed add header!"
+ $ = "Failed receive response:"
+ $ = "Error: Status Code :"
+ $ = "WinHttpAddRequestHeaders"
+ $ = "X-FORWARDED-HOST:"
+ $ = "PROXY_DEL_CONTENT"
+ $ = "PROXY_CLEAR_CONTENT"
+ $ = "PROXY_SET_JS"
+ $ = "PROXY_GET_JS"
+ $ = "PROXY_ALLOW_PC"
+ $ = "Parse IP failed :"
+ $ = "Clear Proxy Contents Success!" 
+ $ = "FILE_UPLOAD"
+ $ = "FILE_DOWNLOAD"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize < 1MB and 6 of them
+}
+import "hash"
+import "pe"
+
+rule SEKOIA_Backdoor_Win_Sidewinder_Cobaltstrike_2022_09
+{
+ meta:
+ description = "Detect the SideWinder malware"
+ author = "Sekoia.io"
+ id = "b5e8f87a-4a2c-49bb-aa98-bf3fb5056b23"
+ date = "2022-10-24"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_win_sidewinder_cobaltstrike_2022_09.yar#L4-L29"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "f2b719170783c1bfaa4c4772e5cff73797be3056204566844c236d1857869e4c"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = {65004e004500560045005200200047004f004e004e00410020004700490056004500200059004f0055002000550050002100}
+
+ condition:
+ $s1 or pe.imphash ( ) == "b1e345b2d78e4b82617d995d18100790" or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "ac989507d4af352fa354560efef99ba6" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "8090b29a44c750b7b21287f9639fe747" or hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . 
raw_data_size ) == "ea8693d6bacf3e7876f717a3d8abc433" )
+}
+rule SEKOIA_Generic_Sharpshooter_Payload_3 : FILE
+{
+ meta:
+ description = "Detects payload created by SharpShooter"
+ author = "Sekoia.io"
+ id = "57b3ca9a-59c5-4b28-8eb9-36ff5b3633c2"
+ date = "2023-02-03"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_3.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "ef62075c804080c0450f856b768da84a32f20e2f1ce5714e477b3e6f01d60503"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "Function RC4(byteMessage, strKey)"
+ $ = "Sub Run()"
+ $ = "plain = RC4(decoded, "
+ $ = "Dim plain"
+
+ condition:
+ all of them and filesize < 2MB
+}
+rule SEKOIA_Hacktool_Pplblade_Strings : FILE
+{
+ meta:
+ description = "Detects PPLBlade"
+ author = "Sekoia.io"
+ id = "1a443621-fc95-4a70-873e-c1389943d4ab"
+ date = "2023-11-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/hacktool_pplblade_strings.yar#L1-L19"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "e853e109dbf5dfcba465f61cb689f261df5156e98297d3d00f700e20491de66e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "shirou/gopsutil/internal/"
+ $ = ".miniDumpWriteDump"
+ $ = ".DRIVER_FULL_PATH"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and filesize > 4MB and filesize < 6MB and all of them
+}
+rule SEKOIA_Ransomware_Win_Scransom : FILE
+{
+ meta:
+ description = "Finds ScRansom samples based on specific strings"
+ author 
= "Sekoia.io"
+ id = "ea799295-1332-49c6-9816-035b91fc9b4f"
+ date = "2023-08-24"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_scransom.yar#L1-L31"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "3b8034bc5e0919d6c05dd2f2079c40836f241f2db02c1baf70ecb530db90847f"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "TIMATOMAFULL" wide
+ $str02 = ".Encrypted" wide
+ $str03 = ".Encrypting" wide
+ $str04 = "File Name :" wide
+ $str05 = "File size :" wide
+ $str06 = "TIMATOMA#" wide
+ $str07 = "Already Encrypted" wide
+ $str08 = "HOW TO RECOVERY FILES.TXT" wide
+ $str09 = "%d folder(s) searched and %d file(s) found - %.3f second(s)" wide
+ $str10 = "Search cancelled -" wide
+ $str11 = "note.txt" wide
+ $str12 = "Cannot sort the list while a search is in progress." wide
+ $str13 = "Cancelling search, please wait..." 
wide
+ $str14 = "Error showing process list" wide
+ $str15 = "[System Process]" wide
+ $str16 = "taskkill /f /im" wide
+ $str17 = "kill.bat" wide
+
+ condition:
+ uint16( 0 ) == 0x5a4d and 15 of them
+}
+import "hash"
+import "pe"
+
+rule SEKOIA_Loader_Win_Jennlog
+{
+ meta:
+ description = "Jennlog loader used to deliver the Apostle ransomware"
+ author = "Sekoia.io"
+ id = "a69088e5-207f-494f-876b-766b8050e8c2"
+ date = "2021-10-04"
+ modified = "2024-12-19"
+ reference = "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_jennlog.yar#L4-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "0ffcd1f35570b28a1bd6f9a0361f8f921942f7345dcb2896fc092bb92f7d4d6d"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ condition:
+ pe.timestamp== 3140259112 or for any i in ( 0 .. pe.number_of_sections -1 ) : ( hash.md5 ( pe.sections [ i ] . raw_data_offset , pe.sections [ i ] . raw_data_size ) == "4c4577276ff0323d9aedcc39ecf2c964" ) or for any i in ( 0 .. pe.number_of_resources -1 ) : ( hash.sha256 ( pe.resources [ i ] . offset , pe.resources [ i ] . 
length ) == "8476a7fca587f1e5d3ae076293b9fbcccbebc4bd4f7b783228ad5da39305a3d9" )
+}
+rule SEKOIA_Rat_Darkvision_String : FILE
+{
+ meta:
+ description = "DarkVision RAT based on string"
+ author = "Sekoia.io"
+ id = "ab698a79-42ee-452a-a3ba-1a9872d5e2bc"
+ date = "2024-09-17"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/rat_darkvision_string.yar#L1-L28"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "8ec5526cecc596e0711c82e39cd4f2ce"
+ hash = "2dd476464e46d91ffe68483cb478d9b4"
+ hash = "20de7547d79d3637430b6a0787e59df5"
+ hash = "60d1e02316e6f22e078f9aa710790912"
+ hash = "e136e51efc22b0e071c11e7d652ea3be"
+ hash = "f466be81310147fcdd9a7886735a3786"
+ hash = "5065134cf4ba765bd97bb2edb61c5869"
+ hash = "6ed21c4f507e8cc830141ff732bd5acc"
+ hash = "40b2641150f291ca07bd08ab629fe1ed"
+ hash = "3f20cd14137e0abfa84b39e29a277350"
+ hash = "7dc8427be8b4d26a49fd380ad40d3b96"
+ logic_hash = "63ed3b1a991dc07bd06678a58449e0a67dd9453b358c0ac82a9c38235394122b"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "DarkVision Installation" wide
+ $ = "You are about to install DarkVision Remote Access Tool." 
wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 2 of them
+}
+rule SEKOIA_Unk_Quad7_Fsynet_Strings : FILE
+{
+ meta:
+ description = "Matches node-r-control, asr_node, node-relay"
+ author = "Sekoia.io"
+ id = "897b2421-c177-48c0-8f5b-82d8434208cb"
+ date = "2024-08-20"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/unk_quad7_fsynet_strings.yar#L1-L33"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "f42849076e24b7827218f7a25bc11ccc"
+ hash = "b3b09819f820a4ecd31f82f369000af2"
+ hash = "92093dd7ba6ae8fe34a215c4c4bd1cd4"
+ hash = "e6f6a6de285d7c2361c32b1f29a6c3f6"
+ hash = "408152285671bbd0e6e63bd71d6abaaf"
+ hash = "5efc7d824851be9ec90a97d889a40d23"
+ logic_hash = "960119a025dedae7c5dfdf872cd515e2b6cf2999179ba84374d547047316caa2"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "prev_hop_port"
+ $ = "next_hop_port"
+ $ = "back_hop_port"
+ $ = "next_tsn_port"
+ $ = "prev_hop_ip"
+ $ = "next_hop_ip"
+ $ = "back_hop_ip"
+ $ = "next_tsn_ip"
+ $ = "ikcp_"
+ $ = "/tmp/log_r"
+ $ = "total_hop"
+
+ condition:
+ uint32be( 0 ) == 0x7f454c46 and filesize < 5MB and 6 of them
+}
+rule SEKOIA_Tool_Realblindingedr_Strings : FILE
+{
+ meta:
+ description = "Detects RealBlindingEDR based on strings"
+ author = "Sekoia.io"
+ id = "505dcbee-ae37-47c1-a322-2c52d10e68d7"
+ date = "2024-09-11"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_realblindingedr_strings.yar#L1-L24"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "cb6219e2b6577b8d4a18114d595e10d7"
+ hash = 
"d0a251709c24a8f4c26d456dea22d90f"
+ logic_hash = "7b6a54c935bb40bd1be1d25be452d7185fd6f9dacbd7cbcde7cb37dfea09775e"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "Unload Driver Error 1"
+ $ = "Failed to create pipe. Error %d"
+ $ = "icacls \"%s\" /grant Everyone:(F)"
+ $ = "Register MiniFilter Callback driver:"
+ $ = "The driver's certificate has been revoked,"
+ $ = "[Success] Killed %s(%s)."
+ $ = "ntoskrnl.exe base address not found."
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and 4 of them
+}
+rule SEKOIA_Apt_Sandworm_Awfulshred_Obfuscation_Apr2022 : FILE
+{
+ meta:
+ description = "Detects the AWFULSHRED wiper used by Sandworm"
+ author = "Sekoia.io"
+ id = "52317e6b-7f2c-4c2a-bcfc-ebb4ab4c728e"
+ date = "2022-04-12"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_sandworm_awfulshred_obfuscation_apr2022.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "3e1eed3a4b638893828289f928a75b855bc9e1e29444ffa81c0461fdc1277cad"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $h = "#!/bin/bash"
+ $s = { 64 65 63 6c 61 72 65 20 2d 72 20 [8] 3d }
+
+ condition:
+ $h at 0 and #s > 15
+}
+rule SEKOIA_Ransomware_Win_Masons_Jan2023 : FILE
+{
+ meta:
+ description = "Rule to detect Masons ransomware samples." 
+ author = "Sekoia.io"
+ id = "cf2af08b-b4a8-4245-9308-242e15aeb346"
+ date = "2023-02-13"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/ransomware_win_masons_jan2023.yar#L1-L18"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "05badf0364c6f61cd081a3ae64bc92b48e6f59c026a5d6b5b68acd5a8987cf91"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+ hash1 = "7826978642c568f975e2b65d1575fdf92e634f7c80db2c86c9d7c8066e8955b8"
+
+ strings:
+ $s1 = "Masons" wide
+ $s2 = "@mineralIaha/@root_king1" wide
+ $s3 = "Glory @six62ix" wide
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and all of them
+}
+rule SEKOIA_Backdoor_Oyster
+{
+ meta:
+ description = "Detects files related to the Oyster backdoor."
+ author = "Sekoia.io"
+ id = "f95f98ea-1e52-45ae-8abf-a986f95d4ab2"
+ date = "2024-08-29"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/backdoor_oyster.yar#L1-L16"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "ffd84d0c7064bcd69121aa606bc642ff2b5c9927ba622260a02a9689c7ab8878"
+ score = 75
+ quality = 80
+ tags = ""
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "CleanUp30.dll" ascii fullword
+ $s2 = "MSTeamsSetup_c_l_.exe" ascii fullword
+
+ condition:
+ all of them
+}
+rule SEKOIA_Tool_Efspotato : FILE
+{
+ meta:
+ description = "No description has been set in the source file - SEKOIA"
+ author = "Sekoia.io"
+ id = "4440ea37-d7d0-4107-867c-576c6e2f4f7e"
+ date = "2023-08-23"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_efspotato.yar#L1-L17"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "cbfd72a16f02903b1ad6fdf3e25f6c5508145d6be4c1776bb77f1ccd6c1954b3"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $s1 = "usage: EfsPotato [pipe]" ascii wide
+ $s2 = "Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability)." ascii wide
+ $s3 = "Part of GMH's fuck Tools, Code By zcgonvh." ascii wide
+
+ condition:
+ ( uint32be( 0 ) == 0x7f454c46 or uint16be( 0 ) == 0x4d5a ) and filesize < 4MB and all of them
+}
+rule SEKOIA_Exploit_Win_Cloudatlas_Cve_2018_0798 : CVE_2018_0798 FILE
+{
+ meta:
+ description = "Detect RTF files used by CloudAtlas to exploit CVE-2018-0798"
+ author = "Sekoia.io"
+ id = "fcff4bc7-fe88-4546-bb5b-f2a1c2f8b0a5"
+ date = "2022-11-15"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/exploit_win_cloudatlas_cve_2018_0798.yar#L1-L20"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "1ed1009d77835f60834c20e61158b00ce7416ade8aa86c3314f4d8d1f6742fa0"
+ score = 75
+ quality = 80
+ tags = "CVE-2018-0798, FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+ hash1 = "c2064c7f4826c46bc609c472597366fd"
+ hash2 = "e2281402c63d4b544b81678250d24e61"
+ hash3 = "a97fa135d7e42886bcfdacca0d96c047"
+
+ strings:
+ $ = "6060606061616161616161616161616161616161" ascii nocase
+ $ = "FB0B00004bE8FFFFFFFFC35F83C71B33C966B908" ascii nocase
+ $ = "010f0d00ddd8d97424f4668137" ascii nocase
+
+ condition:
+ uint32be( 0 ) == 0x7b5c7274 and all of them
+}
+import "pe"
+
+rule 
SEKOIA_Latrodectus_Exports : FILE
+{
+ meta:
+ description = "detection based on the exports"
+ author = "Sekoia.io"
+ id = "29076cf5-f391-42f2-918f-e1c929bd368d"
+ date = "2024-07-03"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/latrodectus_exports.yar#L3-L15"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "01385f31b1f2fc94453a2ead136a1f7fb253a72bee95f74d755acfa97abdb26d"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ condition:
+ (pe.exports ( "stow" ) or pe.exports ( "homq" ) or pe.exports ( "scub" ) ) and pe.number_of_exports >= 3 and uint16( 0 ) == 0x5a4d
+}
+rule SEKOIA_Infostealer_Win_Lumma_Strings_Aug23 : FILE
+{
+ meta:
+ description = "Finds Lumma samples based on the specific strings"
+ author = "Sekoia.io"
+ id = "728f7825-a463-4b19-b2d3-3460e4c06dc9"
+ date = "2023-09-14"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_lumma_strings_aug23.yar#L1-L23"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "704a31b0f7c30602305768f13bf6108ebaf08c62451833731d2f2f020efce386"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $str01 = "lid=%s&j=%s&ver" ascii
+ $str02 = "%s (%d.%d.%d)" ascii
+ $str03 = "- Screen Resoluton:" ascii
+ $str04 = "- Physical Installed Memory:" ascii
+ $str05 = "Content-Type: attachment/x-object" ascii
+ $str06 = "Content-Type: application/x-www-form-urlencoded" ascii
+ $str07 = "Content-Type: multipart/form-data; boundary=%s" wide
+ $str08 = "SysmonDrv" wide
+ $str09 = 
"TeslaBrowser/5.5" wide
+
+ condition:
+ uint16( 0 ) == 0x5A4D and 6 of them
+}
+rule SEKOIA_Dropper_Mac_Lazarus_Manuscrypt : FILE
+{
+ meta:
+ description = "MacOS Manuscrypt dropped by TraderTraitor"
+ author = "Sekoia.io"
+ id = "6138bd0c-1fcf-4586-b2b6-29955c7d6266"
+ date = "2022-04-19"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/dropper_mac_lazarus_manuscrypt.yar#L1-L21"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156"
+ hash = "9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa"
+ logic_hash = "dbe75a34f91906fc275c04af0fc068923993bab37a7574b3fe38733d87f31835"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "networksetup -getwebproxy '%s'" ascii
+ $ = "Cookie: _ga=%s%02d%d%d%02d%s" ascii
+ $ = "networksetup -listallnetworkservices" ascii
+ $ = "gid=%s%02d%d%03d%s" ascii
+
+ condition:
+ uint32( 0 ) == 0xFEEDFACF and all of them
+}
+rule SEKOIA_Apt_Toneshell_Loader : FILE
+{
+ meta:
+ description = "Detects loader of ToneShell (exception based)"
+ author = "Sekoia.io"
+ id = "b4bf284b-cab6-455e-a1c1-ad341d43bfdd"
+ date = "2024-10-02"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_toneshell_loader.yar#L1-L40"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ hash = "41e0d172d900344a3692b88fff7527d9"
+ hash = "782cf7183735935f3f7aad041cec3184"
+ hash = "97c1f436028c58b51d4c92ee9c9ce424"
+ hash = "d6c771f2afd8ce35e8727f95f3a3c6c4"
+ hash = "b8520c5bad88ade394086cb7b1b7b631"
+ hash = 
"0b3e8571e70a32490da19f6b3283151c"
+ hash = "f6784c65ee115a9ae4c0fb03e0045285"
+ hash = "38888696e5223c77f5f8680922396123"
+ hash = "b52d0707e4e5d5c0d5fd5f5a177ba712"
+ hash = "fd54c6d17ff91640b377ff41353efdaa"
+ hash = "a6efe263acc794a212647a96e52ddf1f"
+ hash = "6e8c80c5f2f9a1da504618e984d2a56c"
+ hash = "0839666697ccc562a9c1fe77d6755931"
+ hash = "f367f2fe580e556176b60da202c742a5"
+ hash = "e8b2fcc14494ada2f28d1f6ecd2521a2"
+ hash = "c08589e10812cc7d636dcbe2a36d43b4"
+ hash = "fa848a05cfecc0c25cd21364c9516584"
+ hash = "be231f7879d8d2159b67b7f277527268"
+ hash = "2acd8b48202dcc30d88a871370c4f37a"
+ hash = "72963bfc2837695f038680471d4f061c"
+ logic_hash = "40e1b918a4d83a4918260d8b1cc56e5097665a366f94bd5068e4ae519e3a681b"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $exception = {00 00 00 00 2e 44 00 00}
+ $code = {02 00 00 00 66 89 96}
+ $kernel32 = "Kernel32.dll" wide
+ $outputdbgstr = "OutputDebugStringA"
+ $content = "ResetEvent"
+
+ condition:
+ uint16be( 0 ) == 0x4d5a and all of them and filesize < 2MB
+}
+rule SEKOIA_Generic_Sharpshooter_Payload_10 : FILE
+{
+ meta:
+ description = "Detects payload created by SharpShooter"
+ author = "Sekoia.io"
+ id = "477f8b92-e231-460c-8660-487d0a97f0e2"
+ date = "2023-02-03"
+ modified = "2024-12-19"
+ reference = "https://github.com/SEKOIA-IO/Community"
+ source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_10.yar#L1-L17"
+ license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md"
+ logic_hash = "6ded3f5b7e9c7f2c09e3bc0869e41775e4bb31a39e6fef8209f50f5091e8d2e2"
+ score = 75
+ quality = 80
+ tags = "FILE"
+ version = "1.0"
+ classification = "TLP:CLEAR"
+
+ strings:
+ $ = "length = enc.GetByteCount_2(b);"
+ $ = "ms.Write(ba, 0, (length / 4) * 3);"
+ $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);"
+
+ 
condition: + all of them and filesize < 2MB +} +rule SEKOIA_Apt_Coathanger_Files : FILE +{ + meta: + description = "Detects COATHANGER files" + author = "Sekoia.io" + id = "615f5ac1-14bc-4f5b-a02e-7b13cd179917" + date = "2024-02-07" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_coathanger_files.yar#L1-L24" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "5406d8a99e16f08f1ffca548ea1dd1e27e7707506e796e0fc263bcdbb681632d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "/data2/" + $ = "/httpsd" + $ = "/preload.so" + $ = "/authd" + $ = "/tmp/packfile" + $ = "/smartctl" + $ = "/etc/ld.so.preload" + $ = "/newcli" + $ = "/bin/busybox" + + condition: + ( uint32( 0 ) == 0x464c457f or uint32( 4 ) == 0x464c457f ) and filesize < 5MB and 4 of them +} +rule SEKOIA_Apt_Apt29_Quarterrig +{ + meta: + description = "Detects QUARTERRIG" + author = "Sekoia.io" + id = "e370ed7e-5e12-4add-95f3-3773ea8e2d03" + date = "2023-04-19" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_apt29_quarterrig.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "9628418789a9bc24c7e44dbc9106ffa6316aefebe33b91c749b54cb5462b1309" + score = 75 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str_dll_name = "hijacker.dll" + $str_import_name = "VCRUNTIME140.dll" + $op_resolve_and_call_openthread = { 48 [6] 48 [6] 8B D8 E8 [4] [3] 33 D2 B9 FF FF 1F 00 FF D0 } + $op_resolve_and_call_suspendthread = { E8 [4] 48 8B CB FF D0 83 F8 FF } + + 
condition: + all of them +} +rule SEKOIA_Tool_Edrsandblast_Kernelcallbacks : FILE +{ + meta: + description = "Detects EDRSandblast KernelCallbacks strings" + author = "Sekoia.io" + id = "74cf4444-5bd6-4167-930a-5dbf2e529f92" + date = "2024-11-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/tool_edrsandblast_kernelcallbacks.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ffb1185dca42c5b2b273c3a48f3ba86204a3474a9a045f72dbdb0ba7c9e89c7d" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[+] '%s' service ACL configured to for Everyone" wide + $ = "%s callback of EDR driver \"%s\" [callback addr: 0x%I64x" wide + $ = "[!] Could not resolve %s kernel module's address" wide + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 3MB and 3 of them +} +import "pe" + +rule SEKOIA_Apt_Badmagic_Modules +{ + meta: + description = "Detect the modules used by the CloudWizard framework" + author = "Sekoia.io" + id = "e4f1f706-4a46-4a09-b598-e4e8d80f2c4b" + date = "2023-05-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_badmagic_modules.yar#L3-L20" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "no hash has been found on 2023-05-25 to test the rule" + logic_hash = "6f8bc35dbf0fd4083a8d93b04b55b2e0e215cd23350243ddd7ba9dd4745c4496" + score = 50 + quality = 80 + tags = "" + version = "1.0" + classification = "TLP:CLEAR" + + condition: + pe.DLL and pe.exports ( "Start" ) and pe.exports ( "Stop" ) and pe.exports ( "Whoami" ) and pe.exports ( "GetResult" ) and 
pe.exports ( "GetSettings" ) +} +rule SEKOIA_Apt_Stripedfly : FILE +{ + meta: + description = "Detects string relative to Stripedfly malware" + author = "Sekoia.io" + id = "81968d34-3247-4965-ba44-55747370c90e" + date = "2023-11-30" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_stripedfly.yar#L1-L17" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "ded64ae30cf994162d4af649a34eadd4b8619cbced4392a6684129f8cf906136" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "{\"id\":%d,\"jsonrpc\":\"2.0\",\"method\":\"%s\",\"params\":%s}" + $s2 = "{\"login\":\"%s\",\"pass\":\"%s\",\"agent\":\"\"}" + $s3 = "(tcp|ssl)://([A-Za-z0-9\\.\\-]+):([0-9]+)" + + condition: + filesize < 3MB and 2 of them +} +rule SEKOIA_Apt_Muddywater_Powgoop_Decode_Loop : FILE +{ + meta: + description = "Detects the loop used in PowGoop and its loader" + author = "Sekoia.io" + id = "644ed1c4-e0e1-496e-9efc-7d9e15565f7b" + date = "2022-01-13" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_muddywater_powgoop_decode_loop.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "1d60f53014fb1934a85a573856244431c8f565c2f024511991817e6235566815" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $s1 = "System.Collections.Generic.List[System.Object]" ascii wide + $s2 = "$d.Add($in[$i]);" ascii wide + $s3 = "[System.Convert]::FromBase64String(" ascii wide + + condition: + filesize < 1MB and $s2 in ( @s1 .. 
@s1 + 400 ) and $s3 in ( @s1 .. @s1 + 400 ) +} +import "hash" +import "pe" + +rule SEKOIA_Loader_Win_Stealthvector : FILE +{ + meta: + description = "Detect the StealthVector malware, updated in July 2024" + author = "Sekoia.io" + id = "ecf6421a-f492-43c4-9ed7-eb4724d24779" + date = "2021-08-26" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/loader_win_stealthvector.yar#L4-L32" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "71ea017462bbb1891ef306d1e56dece5864885f5c8db5c50431ab085d37bda03" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + modification_date = "2024-07-15" + classification = "TLP:CLEAR" + hash1 = "166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107" + hash2 = "ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf" + hash3 = "0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0" + hash4 = "1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3" + hash5 = "ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74" + + strings: + $s1 = "Global\\kREwdFrOlvASgP4zWZyV89m6T2K0bIno" ascii + $s2 = "Global\\v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw" ascii + + condition: + uint16( 0 ) == 0x5A4D and 1 of them or pe.imphash ( ) == "0cd7b92b97ccc7e255df1f46b5299986" or pe.imphash ( ) == "be777e91e3c42ac62471cfb7239be471" or hash.md5 ( pe.rich_signature.clear_data ) == "fcc67611d136cce0e785029bbb879b45" +} +rule SEKOIA_Apt_Cloudatlas_Powershower_Clean : FILE +{ + meta: + description = "Detects clean version of PowerShower" + author = "Sekoia.io" + id = "4a7c37df-3f53-4190-a86f-94bba3df628e" + date = "2022-12-05" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = 
"https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_cloudatlas_powershower_clean.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "24ea6ec0cd8dbcebdf7e42dbd48319562d8682fefd5d0d464a3a5c4b90be40f3" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "[io.file]::WriteAllBytes($zipfile" ascii wide + $ = "System.IO.File]::Exists($p_t" ascii wide + $ = "HttpRequestP" ascii wide + $ = "$http_request.getOption(2)" ascii wide + $ = "HttpRequestP($url)" ascii wide + + condition: + uint8( 0 ) == 0x24 and filesize < 4000 and 4 of them +} +rule SEKOIA_Malware_Swordldr : FILE +{ + meta: + description = "Detects Swordldr. Maybe chunk_1 is too restrictive" + author = "Sekoia.io" + id = "4068c007-50f4-4913-a352-4a40dd4e452b" + date = "2024-09-25" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/malware_swordldr.yar#L1-L29" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + hash = "d0cc758082e303275cbb8cd6b2048eff" + hash = "7aa57da44718cd88f7d37b33a5d3ad74" + logic_hash = "9e408181b9122925c0ff9efdaed688e659596b58b9108c0f280d9bc1624d73cb" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = { CC CC CC CC B0 01 C3 CC CC CC CC } + $ = { CC CC CC CC B0 02 C3 CC CC CC CC } + $ = { CC CC CC CC B0 03 C3 CC CC CC CC } + $ = { CC CC CC CC B0 04 C3 CC CC CC CC } + $ = { CC CC CC CC B0 05 C3 CC CC CC CC } + $ = { CC CC CC CC B0 06 C3 CC CC CC CC } + $ = { CC CC CC CC B0 07 C3 CC CC CC CC } + $ = { CC CC CC CC B0 08 C3 CC CC CC CC } + $ = { CC CC CC CC B0 09 C3 CC CC CC CC } + $chunk_1 = { + 48 63 44 24 40 44 8B 44 86 04 48 63 44 24 
40 45 23 ?? 45 03 C0 8B 54 86 04 48 63 44 24 40 41 2B D0 41 03 ?? 89 54 86 04 + } + + condition: + uint16be( 0 ) == 0x4d5a and 4 of them and #chunk_1 > 5 +} +import "pe" + +rule SEKOIA_Infostealer_Win_Eternity : FILE +{ + meta: + description = "Detect the Eternity infostealer based on specific strings" + author = "Sekoia.io" + id = "0ed8d4bd-d57f-40a8-a709-d69531d59847" + date = "2022-03-23" + modified = "2024-12-19" + reference = "hxxp://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.]onion/threads/62331/" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/infostealer_win_eternity.yar#L3-L31" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "06f0f7f51100278160f5bc4f588bb6a9d749be308f879bd5704666bf90764bf9" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $str0 = "Sending info to Eternity.." wide + $str1 = "Debug mode, dont share this stealer anywhere." wide + $str2 = "\\Growtopia.exe" wide + $str3 = "Software\\Growtopia" wide + $str4 = "Corrupting Growtopia.." wide + $str5 = "Disabling Task Manager.." wide + $str6 = "Deleting previous file from startup and copying new one." wide + $str7 = "Hiding file in Startup folder.." wide + $str8 = "Initializing File watcher.." wide + $str9 = "Decoder: Failed to delete temp login. No problem, continuing.." wide + $str10 = "dcd.exe" wide + + condition: + uint16( 0 ) == 0x5A4D and ( for any i in ( 0 .. pe.number_of_sections -1 ) : ( pe.sections [ i ] . name == ".eter0" ) and for any i in ( 0 .. pe.number_of_sections -1 ) : ( pe.sections [ i ] . 
name == ".eter1" ) ) or 4 of ( $str* ) +} +rule SEKOIA_Apt_Backdoordiplomaty_Phantomnet : FILE +{ + meta: + description = "Detects PhantomNet based on strings" + author = "Sekoia.io" + id = "bbcc0664-ef2b-47db-a546-b5e0aa2a1e9a" + date = "2024-06-06" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/apt_backdoordiplomaty_phantomnet.yar#L1-L19" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "e4be9b9e092dcaa368650b7f696ca532f89752bdbe6b5fd09b4285a643c20b86" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "memory load plugin failed!" wide + $ = "Event eee!!!" ascii + $ = "LoadWin32_x64.pdb" ascii + + condition: + uint16be( 0 ) == 0x4d5a and filesize < 2MB and 2 of them +} +rule SEKOIA_Generic_Sharpshooter_Payload_1 : FILE +{ + meta: + description = "Detects payload created by SharpShooter" + author = "Sekoia.io" + id = "82fd284a-47c2-4d29-9c80-f3affaa61a13" + date = "2023-02-03" + modified = "2024-12-19" + reference = "https://github.com/SEKOIA-IO/Community" + source_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/yara_rules/generic_sharpshooter_payload_1.yar#L1-L18" + license_url = "https://github.com/SEKOIA-IO/Community/blob/476fd01a852246b8aeaa3e4e3a1f8b762c61bbc5/LICENSE.md" + logic_hash = "20e42042bd03bde3d0eec42f81d560896e8ec9e67ad64611dc4bc21152db3ff0" + score = 75 + quality = 80 + tags = "FILE" + version = "1.0" + classification = "TLP:CLEAR" + + strings: + $ = "rc4 = function(key, str)" + $ = "var e={},i,b=0,c,x,l=0,a,r=" + $ = "var plain = rc4(" + $ = "